From 4fba9d854535cc923bad8f32bebd8f0a2aa41030 Mon Sep 17 00:00:00 2001 From: Ian Campbell Date: Thu, 6 Jul 2017 15:52:54 +0100 Subject: [PATCH 1/2] pkg: Update content trust handling. Firstly add option to disable content trust, for the use of e.g. projects which are pushing to the linuxkitprojects org (which has no trust setup) rather than the main linuxkit org. Secondly, when trust _is_ enabled then enable it globally, in particular it is now active for the `docker build` and hence containers referenced in Dockerfiles via "FROM" will be checked. Signed-off-by: Ian Campbell --- pkg/package.mk | 14 +++++++++----- projects/swarmd/swarmd/Makefile | 1 + 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/pkg/package.mk b/pkg/package.mk index 350846778..d55c8fee9 100644 --- a/pkg/package.mk +++ b/pkg/package.mk @@ -24,20 +24,24 @@ else NET_OPT=--network=none endif +ifeq ($(DOCKER_CONTENT_TRUST),) +ifndef NOTRUST +export DOCKER_CONTENT_TRUST=1 +endif +endif + show-tag: @echo $(TAG) tag: $(BASE_DEPS) $(DEPS) - DOCKER_CONTENT_TRUST=1 docker pull $(TAG) || \ - docker build $(NET_OPT) -t $(TAG) . + docker pull $(TAG) || docker build $(NET_OPT) -t $(TAG) . push: tag ifneq ($(DIRTY),) $(error Your repository is not clean. Will not push package image.) endif - DOCKER_CONTENT_TRUST=1 docker pull $(TAG) || \ - DOCKER_CONTENT_TRUST=1 docker push $(TAG) + docker pull $(TAG) || docker push $(TAG) ifneq ($(RELEASE),) docker tag $(TAG) $(ORG)/$(IMAGE):$(RELEASE) - DOCKER_CONTENT_TRUST=1 docker push $(ORG)/$(IMAGE):$(RELEASE) + docker push $(ORG)/$(IMAGE):$(RELEASE) endif diff --git a/projects/swarmd/swarmd/Makefile b/projects/swarmd/swarmd/Makefile index 9550aeffe..f57b5fc59 100644 --- a/projects/swarmd/swarmd/Makefile +++ b/projects/swarmd/swarmd/Makefile @@ -1,5 +1,6 @@ ORG?=linuxkitprojects IMAGE=swarmd NETWORK=1 +NOTRUST=1 include ../../../pkg/package.mk From aee080f621d79462d72209f02581cb857668bfb6 Mon Sep 17 00:00:00 2001 
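Review bot: The push target no longer guarantees a signed push: because the new `ifeq ($(DOCKER_CONTENT_TRUST),)` block defers to any pre-set value, a developer running `DOCKER_CONTENT_TRUST=0 make push` (or with `0`/`false` exported in the shell, which Docker treats as disabled) pushes an unsigned tag to `$(ORG)`, whereas the removed `DOCKER_CONTENT_TRUST=1 docker push` lines always signed. Deferring to the environment is reasonable for pull and build, but push is where the trust root is extended, so it should refuse unless trust is on or the including Makefile has explicitly opted out with NOTRUST. I would add a parse-time guard next to the existing DIRTY check, in the same `$(error …)` recipe-line style, accepting the truthy spellings Docker accepts rather than an exact `1`. A why-comment above the new block, `# Sign and verify everything unless the including Makefile sets NOTRUST (orgs with no notary root)`, would also document what NOTRUST is for.
```make
push: tag
# … unchanged: DIRTY check and its $(error …) …
ifndef NOTRUST
ifeq ($(filter 1 true,$(DOCKER_CONTENT_TRUST)),)
	$(error Content trust is disabled. Will not push package image; set NOTRUST=1 to push unsigned.)
endif
endif
```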
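Review bot: `NOTRUST=1` is unconditional while `ORG?=linuxkitprojects` on the line above it can be overridden, so `make ORG=linuxkit push` from this directory would push an unsigned image to the main org — pkg/package.mk only exports DOCKER_CONTENT_TRUST when NOTRUST is unset, and nothing visible here prevents that combination. Tying the opt-out to the org it was added for keeps the commit's intent while closing that path: `ifeq ($(ORG),linuxkitprojects)` / `NOTRUST=1` / `endif`. Either way the line deserves a why-comment, e.g. `# linuxkitprojects has no content-trust (notary) setup, so skip signing; see pkg/package.mk`.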
From: Ian Campbell Date: Thu, 6 Jul 2017 16:33:08 +0100 Subject: [PATCH 2/2] pkg: Reduce the number of times variables containing `$(shell...)` are invoked. For DIRTY and RELEASED this means simply performing a static assignment with `:=`. For HASH it is a little more complex since it is (and we want/need it to be) a conditional assigment. However it is only used for defining TAG, so make that a static assignment. This reduces the number of times the complex DIRTY shell command in particular is evaluated. Signed-off-by: Ian Campbell --- pkg/package.mk | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/package.mk b/pkg/package.mk index d55c8fee9..79af74f06 100644 --- a/pkg/package.mk +++ b/pkg/package.mk @@ -7,16 +7,16 @@ HASH_COMMIT?=HEAD # Setting this is only really useful with the show-tag target HASH?=$(shell git ls-tree --full-tree $(HASH_COMMIT) -- $(CURDIR) | awk '{print $$3}') ifneq ($(HASH_COMMIT),HEAD) # Others can't be dirty by definition -DIRTY=$(shell git update-index -q --refresh && git diff-index --quiet HEAD -- $(CURDIR) || echo "-dirty") +DIRTY:=$(shell git update-index -q --refresh && git diff-index --quiet HEAD -- $(CURDIR) || echo "-dirty") endif endif -TAG=$(ORG)/$(IMAGE):$(HASH)$(DIRTY) +TAG:=$(ORG)/$(IMAGE):$(HASH)$(DIRTY) BASE_DEPS=Dockerfile Makefile # Get a release tag, if present -RELEASE=$(shell git tag -l --points-at HEAD) +RELEASE:=$(shell git tag -l --points-at HEAD) ifdef NETWORK NET_OPT=
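Review bot: The guard around the new `DIRTY:=` line reads `ifneq ($(HASH_COMMIT),HEAD)` while its own trailing comment says only HEAD can be dirty, so as shown DIRTY is computed only for non-HEAD commits and stays empty in the default case — which means the `Your repository is not clean` refusal in the push target (outside this hunk) would never fire for uncommitted changes, and an image built from a dirty tree would be pushed under the clean tree hash. Unless this is an artefact of the page's collapsed layout, the condition should be `ifeq ($(HASH_COMMIT),HEAD) # Others can't be dirty by definition`. The switch to `:=` itself is sound; note it now runs `git update-index -q --refresh` at parse time on every invocation, including `show-tag`, which is presumably acceptable given the commit's stated aim. The enclosing conditional whose two `endif`s appear here starts before this hunk.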