feat(buildah): communication with insecure registries
When $WERF_SKIP_TLS_VERIFY_REGISTRY or $WERF_INSECURE_REGISTRY
is enabled, the buildah container runtime allows HTTP and unverified HTTPS
communication with registries
ilya-lesikov authored and alexey-igrychev committed Oct 19, 2021
1 parent 15f32a3 commit e0502c28b37939bc86362f8fa644f007a71b4421
Showing with 44 additions and 11 deletions.
  1. +6 −1 cmd/werf/common/container_runtime.go
  2. +9 −3 pkg/buildah/base.go
  3. +2 −1 pkg/buildah/buildah.go
  4. +10 −5 pkg/buildah/docker_with_fuse_buildah.go
  5. +17 −1 pkg/buildah/native_rootless_buildah_linux.go
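--- a/cmd/werf/common/container_runtime.go
+++ b/cmd/werf/common/container_runtime.go
@@ -43,7 +43,12 @@ func InitProcessContainerRuntime(ctx context.Context, cmdData *CmdData) (contain
 ctx = newCtx
 }
 
-b, err := buildah.NewBuildah(resolvedMode, buildah.BuildahOpts{})
+insecure := *cmdData.InsecureRegistry || *cmdData.SkipTlsVerifyRegistry
+b, err := buildah.NewBuildah(resolvedMode, buildah.BuildahOpts{
+CommonBuildahOpts: buildah.CommonBuildahOpts{
+Insecure: insecure,
+},
+})
 if err != nil {
 return nil, ctx, fmt.Errorf("unable to get buildah client: %s", err)
 }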
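Review bot: `insecure := *cmdData.InsecureRegistry || *cmdData.SkipTlsVerifyRegistry` folds two options that presumably have different intent into buildah's single `--tls-verify=false` knob, so a user who only asked to skip certificate verification also gets a silent plain-HTTP fallback, and a user who only marked a registry as insecure gets verification switched off for every registry the build contacts. If that widening is deliberate, say so next to the assignment: `// buildah exposes one knob (--tls-verify): either flag disables cert checks AND permits plain HTTP, for all registries.`; otherwise honouring only one of the two flags here would keep the CLI semantics narrower. The enclosing function InitProcessContainerRuntime starts and ends outside this hunk.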
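--- a/pkg/buildah/base.go
+++ b/pkg/buildah/base.go
@@ -11,12 +11,18 @@ import (
 )
 
 type BaseBuildah struct {
-TmpDir string
+TmpDir string
+Insecure bool
 }
 
-func NewBaseBuildah(tmpDir string) (*BaseBuildah, error) {
+type BaseBuildahOpts struct {
+Insecure bool
+}
+
+func NewBaseBuildah(tmpDir string, opts BaseBuildahOpts) (*BaseBuildah, error) {
 b := &BaseBuildah{
-TmpDir: tmpDir,
+TmpDir: tmpDir,
+Insecure: opts.Insecure,
 }
 
 if err := os.MkdirAll(b.TmpDir, os.ModePerm); err != nil {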
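Review bot: The new exported `Insecure` fields on `BaseBuildah` and `BaseBuildahOpts` carry no doc comment, and a bare bool named Insecure does not tell a reader which protections it removes. Suggest `// Insecure disables registry TLS certificate verification and permits plain-HTTP registries.` above each field. Because `BaseBuildah.Insecure` is exported it can also be flipped after NewBaseBuildah returns; if the options struct is meant to be the only way to set it, an unexported field read by the types that presumably embed BaseBuildah in this package would close that path. NewBaseBuildah's body continues past the end of the hunk.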
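--- a/pkg/buildah/buildah.go
+++ b/pkg/buildah/buildah.go
@@ -84,7 +84,8 @@ func ProcessStartupHook(mode Mode) (bool, error) {
 }
 
 type CommonBuildahOpts struct {
-TmpDir string
+TmpDir string
+Insecure bool
 }
 
 type NativeRootlessModeOpts struct{}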
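Review bot: `CommonBuildahOpts.Insecure` is the option that code outside this package sets, yet it has no doc comment and the name does not say what it trades away or how far it reaches. The other files in this commit pass it as a global `--tls-verify=false` or `SystemContext` to every pull, push, from and build, so the comment should state that scope: `// Insecure disables TLS certificate verification and permits plain-HTTP access for every registry buildah contacts (base-image registries included), in all modes.` A field comment is the right place for this because the CLI help presumably will not mention the base-image side effect.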
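--- a/pkg/buildah/docker_with_fuse_buildah.go
+++ b/pkg/buildah/docker_with_fuse_buildah.go
@@ -8,6 +8,7 @@ import (
 "fmt"
 "io"
 "os"
+"strconv"
 "strings"
 "time"
 
@@ -26,7 +27,7 @@ type DockerWithFuseBuildah struct {
 func NewDockerWithFuseBuildah(commonOpts CommonBuildahOpts, opts DockerWithFuseModeOpts) (*DockerWithFuseBuildah, error) {
 b := &DockerWithFuseBuildah{}
 
-baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir)
+baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir, BaseBuildahOpts{Insecure: commonOpts.Insecure})
 if err != nil {
 return nil, fmt.Errorf("unable to create BaseBuildah: %s", err)
 }
@@ -40,7 +41,9 @@ func (b *DockerWithFuseBuildah) Tag(ctx context.Context, ref, newRef string, opt
 return err
 }
 func (b *DockerWithFuseBuildah) Push(ctx context.Context, ref string, opts PushOpts) error {
-_, _, err := b.runBuildah(ctx, []string{}, []string{"push", ref, fmt.Sprintf("docker://%s", ref)}, opts.LogWriter)
+_, _, err := b.runBuildah(ctx, []string{}, []string{
+"push", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), ref, fmt.Sprintf("docker://%s", ref),
+}, opts.LogWriter)
 return err
 }
 
@@ -65,7 +68,7 @@ func (b *DockerWithFuseBuildah) BuildFromDockerfile(ctx context.Context, dockerf
 "--volume", fmt.Sprintf("%s:/.werf/buildah/tmp", sessionTmpDir),
 "--workdir", "/.werf/buildah/tmp/context",
 },
-[]string{"bud", "-f", "/.werf/buildah/tmp/Dockerfile"}, opts.LogWriter,
+[]string{"bud", "--format=docker", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), "-f", "/.werf/buildah/tmp/Dockerfile"}, opts.LogWriter,
 )
 if err != nil {
 return "", err
@@ -82,7 +85,9 @@ func (b *DockerWithFuseBuildah) RunCommand(ctx context.Context, container string
 }
 
 func (b *DockerWithFuseBuildah) FromCommand(ctx context.Context, container string, image string, opts FromCommandOpts) error {
-_, _, err := b.runBuildah(ctx, []string{}, []string{"from", "--name", container, image}, opts.LogWriter)
+_, _, err := b.runBuildah(ctx, []string{}, []string{
+"from", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), "--name", container, image,
+}, opts.LogWriter)
 return err
 }
 
@@ -105,7 +110,7 @@ func (b *DockerWithFuseBuildah) Inspect(ctx context.Context, ref string) (*types
 }
 
 func (b *DockerWithFuseBuildah) Pull(ctx context.Context, ref string, opts PullOpts) error {
-_, _, err := b.runBuildah(ctx, []string{}, []string{"pull", ref}, opts.LogWriter)
+_, _, err := b.runBuildah(ctx, []string{}, []string{"pull", fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure)), ref}, opts.LogWriter)
 return err
 }
 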
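Review bot: `--tls-verify=false` on `bud` (the BuildFromDockerfile hunk), `from` and `pull` turns off certificate checking for every registry those commands contact, including whatever registry a Dockerfile `FROM` line resolves to, not only the registry the werf flag was presumably set for; base images fetched over an unverified or plain-HTTP connection are a supply-chain exposure that the flag's documentation and a comment at the `bud` call should spell out, e.g. `// --tls-verify is global to the command: it also covers base-image pulls, not just the werf repo.`. The expression `fmt.Sprintf("--tls-verify=%s", strconv.FormatBool(!b.Insecure))` is repeated at four call sites; a one-line method such as `func (b *DockerWithFuseBuildah) tlsVerifyArg() string { return "--tls-verify=" + strconv.FormatBool(!b.Insecure) }` keeps them in step if the policy ever changes. The `bud` line also gains `--format=docker`, which changes the produced image format and has nothing to do with the insecure-registry change the commit message describes; it deserves a mention there or its own commit. BuildFromDockerfile starts and ends outside its hunk.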
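--- a/pkg/buildah/native_rootless_buildah_linux.go
+++ b/pkg/buildah/native_rootless_buildah_linux.go
@@ -19,6 +19,7 @@ import (
 "github.com/containers/image/v5/manifest"
 is "github.com/containers/image/v5/storage"
 "github.com/containers/image/v5/transports/alltransports"
+imgtypes "github.com/containers/image/v5/types"
 "github.com/containers/storage"
 "github.com/containers/storage/pkg/reexec"
 "github.com/containers/storage/pkg/unshare"
@@ -57,7 +58,7 @@ type NativeRootlessBuildah struct {
 func NewNativeRootlessBuildah(commonOpts CommonBuildahOpts, opts NativeRootlessModeOpts) (*NativeRootlessBuildah, error) {
 b := &NativeRootlessBuildah{}
 
-baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir)
+baseBuildah, err := NewBaseBuildah(commonOpts.TmpDir, BaseBuildahOpts{Insecure: commonOpts.Insecure})
 if err != nil {
 return nil, fmt.Errorf("unable to create BaseBuildah: %s", err)
 }
@@ -117,6 +118,11 @@ func (b *NativeRootlessBuildah) Push(ctx context.Context, ref string, opts PushO
 ManifestType: manifest.DockerV2Schema2MediaType,
 MaxRetries: MaxPullPushRetries,
 RetryDelay: PullPushRetryDelay,
+SystemContext: &imgtypes.SystemContext{
+OCIInsecureSkipTLSVerify: b.Insecure,
+DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+},
 }
 
 if opts.LogWriter != nil {
@@ -142,6 +148,11 @@ func (b *NativeRootlessBuildah) BuildFromDockerfile(ctx context.Context, dockerf
 CommonBuildOpts: &define.CommonBuildOptions{
 ShmSize: DefaultShmSize,
 },
+SystemContext: &imgtypes.SystemContext{
+OCIInsecureSkipTLSVerify: b.Insecure,
+DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+},
 }
 
 errLog := &bytes.Buffer{}
@@ -214,6 +225,11 @@ func (b *NativeRootlessBuildah) Pull(ctx context.Context, ref string, opts PullO
 MaxRetries: MaxPullPushRetries,
 RetryDelay: PullPushRetryDelay,
 PullPolicy: define.PullIfNewer,
+SystemContext: &imgtypes.SystemContext{
+OCIInsecureSkipTLSVerify: b.Insecure,
+DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure),
+DockerDaemonInsecureSkipTLSVerify: b.Insecure,
+},
 }
 
 if opts.LogWriter != nil {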
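Review bot: The `SystemContext` literal added to Push, BuildFromDockerfile and Pull always sets `DockerInsecureSkipTLSVerify: imgtypes.NewOptionalBool(b.Insecure)`, which produces `OptionalBoolFalse` rather than `OptionalBoolUndefined` when the flag is off; as far as I recall containers/image treats an explicit False as an override of a registry's `insecure = true` entry in registries.conf, so a registry that worked through that configuration before this commit would start failing TLS verification unless the werf flag is also set — worth confirming against the containers/image version pinned in go.mod. Leaving the fields untouched when `b.Insecure` is false, and building the context in one helper instead of three identical literals, removes both the possible regression and the duplication. The same context is handed to the Dockerfile build, so an insecure setting also relaxes verification for base-image registries, which the option's documentation should state. All three enclosing functions start and end outside their hunks.
```go
// systemContext returns the containers/image context used for registry access.
// TLS verification is only relaxed when Insecure is set; otherwise the fields are
// left Undefined so per-registry settings from registries.conf still apply.
func (b *NativeRootlessBuildah) systemContext() *imgtypes.SystemContext {
	sysCtx := &imgtypes.SystemContext{}
	if b.Insecure {
		sysCtx.OCIInsecureSkipTLSVerify = true
		sysCtx.DockerInsecureSkipTLSVerify = imgtypes.OptionalBoolTrue
		sysCtx.DockerDaemonInsecureSkipTLSVerify = true
	}
	return sysCtx
}

// … unchanged: the Push, BuildFromDockerfile and Pull option literals, each now carrying …
SystemContext: b.systemContext(),
```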
