Correctly set DockerInsecureSkipTLSVerify when pulling images

The image library's copy routine doesn't itself consult the registries configuration in order to decide whether or not to disable TLS verification when communicating with a registry, so it's on us to use the name of a source or destination image to decide whether to set the flag for that behavior. Signed-off-by: Nalin Dahyabhai <nalin@redhat.com> Closes: #1056 Approved by: rhatdan
2025-07-31 15:24:26 +03:00 · 2018-10-02 13:48:45 -04:00
parent 0a971ebeec
commit 62c01da3e4
6 changed files with 89 additions and 6 deletions
--- a/commit.go
+++ b/commit.go
@ -120,7 +120,7 @@ func (b *Builder) Commit(ctx context.Context, dest types.ImageReference, options
 		return imgID, errors.Wrapf(err, "error computing layer digests and building metadata")
 	}
 	// "Copy" our image to where it needs to be.
-	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, ""))
+	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, ""))
 	if err != nil {
 		return imgID, errors.Wrapf(err, "error copying layers and metadata")
 	}
@ -176,7 +176,7 @@ func Push(ctx context.Context, image string, dest types.ImageReference, options
 		return err
 	}
 	// Copy everything.
-	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, nil, systemContext, options.ManifestType))
+	err = cp.Image(ctx, policyContext, dest, src, getCopyOptions(options.ReportWriter, src, nil, dest, systemContext, options.ManifestType))
 	if err != nil {
 		return errors.Wrapf(err, "error copying layers and metadata")
 	}
--- a/common.go
+++ b/common.go
@ -3,7 +3,10 @@ package buildah
 import (
 	"io"

+	"github.com/sirupsen/logrus"
+
 	cp "github.com/containers/image/copy"
+	"github.com/containers/image/transports"
 	"github.com/containers/image/types"
 )

@ -14,11 +17,35 @@ const (
 	DOCKER = "docker"
 )

-func getCopyOptions(reportWriter io.Writer, sourceSystemContext *types.SystemContext, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
+func getCopyOptions(reportWriter io.Writer, sourceReference types.ImageReference, sourceSystemContext *types.SystemContext, destinationReference types.ImageReference, destinationSystemContext *types.SystemContext, manifestType string) *cp.Options {
+	sourceCtx := &types.SystemContext{}
+	if sourceSystemContext != nil {
+		*sourceCtx = *sourceSystemContext
+	}
+	sourceInsecure, err := isReferenceInsecure(sourceReference, sourceCtx)
+	if err != nil {
+		logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(sourceReference), err)
+	} else if sourceInsecure {
+		sourceCtx.DockerInsecureSkipTLSVerify = true
+		sourceCtx.OCIInsecureSkipTLSVerify = true
+	}
+
+	destinationCtx := &types.SystemContext{}
+	if destinationSystemContext != nil {
+		*destinationCtx = *destinationSystemContext
+	}
+	destinationInsecure, err := isReferenceInsecure(destinationReference, destinationCtx)
+	if err != nil {
+		logrus.Debugf("error determining if registry for %q is insecure: %v", transports.ImageName(destinationReference), err)
+	} else if destinationInsecure {
+		destinationCtx.DockerInsecureSkipTLSVerify = true
+		destinationCtx.OCIInsecureSkipTLSVerify = true
+	}
+
 	return &cp.Options{
 		ReportWriter:          reportWriter,
-		SourceCtx:             sourceSystemContext,
-		DestinationCtx:        destinationSystemContext,
+		SourceCtx:             sourceCtx,
+		DestinationCtx:        destinationCtx,
 		ForceManifestMIMEType: manifestType,
 	}
 }
--- a/imagebuildah/build.go
+++ b/imagebuildah/build.go
@ -1131,6 +1131,7 @@ func (b *Executor) Commit(ctx context.Context, ib *imagebuilder.Builder, created
 		AdditionalTags:        b.additionalTags,
 		ReportWriter:          writer,
 		PreferredManifestType: b.outputFormat,
+		SystemContext:         b.systemContext,
 		IIDFile:               b.iidfile,
 		Squash:                b.squash,
 		Parent:                b.builder.FromImageID,
--- a/pkg/parse/parse.go
+++ b/pkg/parse/parse.go
@ -283,6 +283,8 @@ func SystemContextFromOptions(c *cli.Context) (*types.SystemContext, error) {
 	}
 	if c.IsSet("tls-verify") {
 		ctx.DockerInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+		ctx.OCIInsecureSkipTLSVerify = !c.BoolT("tls-verify")
+		ctx.DockerDaemonInsecureSkipTLSVerify = !c.BoolT("tls-verify")
 	}
 	if c.IsSet("creds") {
 		var err error
--- a/pull.go
+++ b/pull.go
@ -190,7 +190,7 @@ func pullImage(ctx context.Context, store storage.Store, imageName string, optio
 	}()

 	logrus.Debugf("copying %q to %q", spec, destName)
-	pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, sc, nil, ""))
+	pullError := cp.Image(ctx, policyContext, destRef, srcRef, getCopyOptions(options.ReportWriter, srcRef, sc, destRef, nil, ""))
 	if pullError == nil {
 		return destRef, nil
 	}
--- a/util.go
+++ b/util.go
@ -7,6 +7,7 @@ import (
 	"sync"

 	"github.com/containers/image/docker/reference"
+	"github.com/containers/image/pkg/sysregistries"
 	"github.com/containers/image/pkg/sysregistriesv2"
 	"github.com/containers/image/types"
 	"github.com/containers/storage"
@ -184,6 +185,58 @@ func getRegistries(sc *types.SystemContext) ([]string, error) {
 	return searchRegistries, nil
 }

+// isRegistryInsecure checks if the named registry is marked as not secure
+func isRegistryInsecure(registry string, sc *types.SystemContext) (bool, error) {
+	registries, err := sysregistriesv2.GetRegistries(sc)
+	if err != nil {
+		return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
+	}
+	if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
+		return reginfo.Insecure, nil
+	}
+	return false, nil
+}
+
+// isRegistryBlocked checks if the named registry is marked as blocked
+func isRegistryBlocked(registry string, sc *types.SystemContext) (bool, error) {
+	registries, err := sysregistriesv2.GetRegistries(sc)
+	if err != nil {
+		return false, errors.Wrapf(err, "unable to parse the registries configuration (%s)", sysregistries.RegistriesConfPath(sc))
+	}
+	if reginfo := sysregistriesv2.FindRegistry(registry, registries); reginfo != nil {
+		return reginfo.Blocked, nil
+	}
+	return false, nil
+}
+
+// isReferenceSomething checks if the registry part of a reference is insecure or blocked
+func isReferenceSomething(ref types.ImageReference, sc *types.SystemContext, what func(string, *types.SystemContext) (bool, error)) (bool, error) {
+	if ref != nil && ref.DockerReference() != nil {
+		if named, ok := ref.DockerReference().(reference.Named); ok {
+			if domain := reference.Domain(named); domain != "" {
+				return what(domain, sc)
+			}
+		}
+	}
+	return false, nil
+}
+
+// isReferenceInsecure checks if the registry part of a reference is insecure
+func isReferenceInsecure(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
+	return isReferenceSomething(ref, sc, isRegistryInsecure)
+}
+
+// isReferenceBlocked checks if the registry part of a reference is blocked
+func isReferenceBlocked(ref types.ImageReference, sc *types.SystemContext) (bool, error) {
+	if ref != nil && ref.Transport() != nil {
+		switch ref.Transport().Name() {
+		case "docker":
+			return isReferenceSomething(ref, sc, isRegistryBlocked)
+		}
+	}
+	return false, nil
+}
+
 // hasRegistry returns a bool/err response if the image has a registry in its
 // name
 func hasRegistry(imageName string) (bool, error) {