Bumping to v1.20 to align with Buildah v1.41 and Podman v5.6
now that Skopeo has the same c/* libraries vendored in.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Rely on "$@" to allow passing options with spaces, like SKOPEO_LDFLAGS.
Then pass SKOPEO_LDFLAGS.
Also fix the documentation of TESTFLAGS.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This updates github.com/opencontainers/image-spec/schema subpackage from an obsolete
.../jsonschema/v5 to /v6 .
We use these dependencies only in tests, so it doesn't matter that much,
but removing references to years-old unmaintained versions makes it easier to check
/ remove other such cases.
(This is test-only, so the added files in vendor/ do not mean a larger binary
size; it's almost exactly unchanged.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add some test coverage, but not full - the previous code
did not have any.
Should not change behavior, other than some help texts.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
AddFlagSet silently ignores conflicting flags, whereas individual
flag definitions panic on (simple) conflicts; so, to detect ambiguities,
prefer to use AddFlagSet first.
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sequoia-PGP does not accept SHA-1 by default; update
to avoid that.
Both the keys and the signatures come from c/image commit
70dbc81047f63a68130a5bdf1bfaee43db39746d .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We're currently not updating official CentOS Stream packages via Packit.
So, this commit disables the downstream PR update job.
No noticeable effect upstream. Safe to merge.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
- Changed GitHub username from 'Neil-Smith' to 'actionmancan'
- Fixed GitHub URL from https://github.com/Neil-Smith to https://github.com/actionmancan
- Corrected column alignment for consistent formatting
- Maintains Neil Smith's role as Community Manager
Does this PR introduce a user-facing change?
```release-note
None
```
Signed-off-by: G A Neil Smith <nesmith@redhat.com>
bats isn't shipped on ELN, RHEL and CentOS Stream. Enabling EPEL is also
problematic on internal testing farm environments.
This commit fetches and installs bats from source on RHEL and CentOS
Stream so we don't have to worry about EPEL enablement anymore.
We also aren't doing any ELN testing on TMT currently, so we don't need
any additional configuration for it and the current config should work
across the board.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Unfortunately on a number of occasions, Skopeo has been released
officially with a `-dev` suffix in the version number. Assist in
catching this mistake at release time by the addition of a simple
conditional test. Note that it must be positively enabled by a
magic env. var. before executing the system tests.
Also (as suggested by @lsm5) update the TMT test to trigger the new
condition for future Fedora releases.
Signed-off-by: Chris Evich <cevich@redhat.com>
Dynamically link sqlite3 when installed, the main motivation is that we
reduce the podman binary size with that. I see about 3.3 MB savings.
But also dynamically linking it means if there a vulnerabilities only
the sqlite3 distro package needs updating and we don't have to make a
new podman release with the vendored update.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
- Don't claim that Windows uses XDG_RUNTIME_DIR, defer to the authoritative
man page.
- Consistently document the (regrettable?) REGISTRY_AUTH_FILE environment
variable.
- Consistently refer to "registry credentials file", not "authentication file".
- (Also deemphasizes (docker login), I'm not sure we want that.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Some container storage operations (e.g., mounting the home directory
for containers/storage) require CAP_SYS_ADMIN.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
I'm thinking about making it un-experimental. Having docs
is a step towards that.
Co-authored-by: Gemini Code Assist (which basically got this right)
Co-authored-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Colin Walters <walters@verbum.org>
F40 is now EOL and all current Fedora releases have Go 1.23. So, we're
safe to re-enable fedora-all.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The original model the idea here is the proxy centralizes
verification of things like digest. However in practice,
this causes reading to be seriously awkward; ref
https://github.com/containers/containers-image-proxy-rs/issues/79
(Basically `FinishPipe` blocks the metadata channel)
Also, I have a project to implement a registry frontend to
`containers-storage:` and a core problem with `GetBlob` right
now is it *requires* the blob size up front even though the
underlying Go logic doesn't.
Moving to a "raw" interface solves that too. In this new
raw API, we return two file descriptors, one for the data
and one for the error channel, which contains a JSON
serialization of an error.
For the error type we reuse the existing "is error retryable"
and expose that back to the client.
We also (backwards compatibly) add this new error code
for the existing APIs.
Signed-off-by: Colin Walters <walters@verbum.org>
This removes a safety mechanism, but it's better than
inventing a dummy tag value (both here and in c/image).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Sometimes running golangci-lint with --tests=false helps to uncover some
unused code which was not removed because it has unit tests. Since
everything is already cached, this additional run doesn't take much
time.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Before commit d4bd787e this script used to contain some logic,
but now it's just a wrapper that does nothing useful and stands in the
way. Remove it, and call golangci-lint directly.
This slightly changes the way the linting is done, because BUILDTAGS
was empty before, and now they it contains libsubid.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Some files in integration did not have _test, resulting in lots of
complains when running golangci-lint with --tests=false.
Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
So I wondered why our email workflow only reported things for podman...
It seems the secrets: inherit is broken and no longer working, I see all
jobs on all repos failing with:
Error when evaluating 'secrets'. .github/workflows/check_cirrus_cron.yml (Line: 19, Col: 11): Secret SECRET_CIRRUS_API_KEY is required, but not provided while calling.
This makes no sense to me I doubled checked the names, nothing changed
on our side and it is consistent for all projects. Interestingly this
same thing passed on March 10 and 11 (on all repos) but failed before
and after this as well.
Per[1] we are not alone, anyway let's try to get this working again even
if it means more duplication.
[1] actions/runner#2709
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This was added earlier as part of PR label-based triggering of Packit
jobs. But we decided not to go ahead with that approach, thus keeping
only a single set of tests. This file should've been removed during the
revert, but better late than never.
Ref: https://github.com/containers/skopeo/pull/2558
FWIW, this yaml file doesn't work by itself without the corresponding
GHA which was never included. So, this yaml config was pretty much a NOP
anyway.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Many of the people in OWNERS no longer contribute to the project,
so clean the file and restrict to those who are still active.
Alongside this, add our core maintainers who have merge authority
on all repos.
Governance is a simple link to the Podman governance model, and
MAINTAINERS.md mirrors the new OWNERS.
Signed-off-by: Matt Heon <mheon@redhat.com>
Switch to keeping TMT tests independent of PR labels for now.
In order to keep PR-label dependent tests, Packit UI would need
improvement making it clear that some tests are not meant to run,
perhaps also changing the status to `ignore` or `neutral`.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
> QF1008: could remove embedded field "dockerImageOptions" from selector (staticcheck)
Should not change behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
I was experimenting with images with lots of layers (> 200) and
this invocation was incorrectly adding the entire response
into what was intended as the metadata plane.
`GetManifest` and `GetConfig` (even those are relatively small)
still always return their data over a pipe, same as blobs.
Add a new `GetLayerInfoPiped` that does the same so we
can easily get this information for images with a lot of layers.
Signed-off-by: Colin Walters <walters@verbum.org>
This updates from a release to a commit, but the release
is very old, and we get to remove a technically-obsolete dependency.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
As pointed out in buildah[1] the action is broken in bad ways where it can
trigger 1000+ rerun wasting our cloud resources.
Get rid of it for now until we find something better or can properly
identify and fix the root cause.
[1] https://github.com/containers/buildah/issues/6035
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
This commit enables TMT jobs triggered by Packit to run system tests.
2 set of jobs `dev` and `release` have been added. `dev` jobs are meant
to run on main PRs with additional package updates fetched from
podman-next copr while `release` jobs are meant to run on release-
branch PRs using only the dependencies present in the official distro.
Packit checks PR labels (see previous commit) to filter out
the jobs that get run.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
This will be useful in the followup commit that enables TMT test jobs on
PRs.
PRs on `main` branch should be tested with bleeding-edge dependencies
from the podman-next COPR while PRs on `release` branches should be
tested only with the official distro packages. Packit will run/skip the
relevant set of tests based on this label.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
The default gobuild macro on CentOS Stream now accounts for `BUILDTAGS`,
so we don't need to redefine the macro in rpm spec.
The `libtrust_openssl` has been set in the spec for RHEL
environments.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
- Add option to set a fixed delay between retries.
- Clarify that if delay is unset, skopeo uses an exponential delay for
retries.
Fixes#2476
Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
The "2" tag is very old and not a multi arch manifest. As such testing
on aarch64 failed because it pulled and x86_64 image instead. This was
found in downstream RHEL testing.
The "2.8.2" is multi arch and used in podman testing were we
successfully run aarch64 based testing.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
RHEL targets are often out of date with respect to golang and other
important dependencies leading to frequent failures. CentOS Stream moves
faster and helps to ensure whatever eventually enters RHEL has been
tested upstream at some point.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
As the title says. In preparation of Skopeo v1.17.0 to go
out with Podman v5.3, this gets the c/* projects to:
containers/storage: v1.56.0
containers/image: v5.33.0
containers/common: v0.61.0
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
dnf erase was removed from dnf5 in f41, AFAIK remove does the same thing
and erase was just a removed alias.
Signed-off-by: Paul Holzinger <pholzing@redhat.com>
* Digest file output would have docker reference of source
and sha of of the mainfest sync'd with the target. This
file would not be created if dry-run flag is enabled
* improved the sync document to include the correct output for manifest file.
* added new line for the manifest file once all images are sync'd
* Ensuring we log on manifest digest if the copy operation was successful.
* Check for errors if any once sync process is complete.
* Ensure to capture the failure when closing the manifest file.
* Ensure we are not writing manifest sha for failed copy of imagesand aborting the process in case write to file fails
Signed-off-by: Ankit Agarwal <aagarwal@cloudsmith.io>
This constraint helps to avoid duplicate Packit jobs. The effect will
only be seen at the time of Fedora koji build and not on upstream. This
doesn't affect upstream.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
ELN is kind of a midway between Fedora and RHEL, so it's best to mention
ELN jobs separately. This will also allow reusing fedora targets using
YAML anchors for TMT tests.
This commit also mentions fedora-40 targets separately for copr_build
jobs so that once fedora-41 is released, fedora-40 jobs continue to
trigger.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Packit now has sidetag support for adding multiple builds into a single
bodhi update.
Since we release c/ccommon, skopeo, buildah and podman often
almoost simultaneously, we should release them to Fedora in a single
bodhi update using sidetags so all builds can be tested together.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Bump Skopeo to v1.16.0 in preparation for
RHEL 9.5/10.0 Beta and Podman's bump to v5.2
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
All our supported distros except CentOS Stream 9 support autochangelog
and we currently build rpms for CentOS Stream 9 only on the podman-next
copr, where we don't really care much about changelog.
So, there's no need for this conditional to exist.
Podman Ref: https://github.com/containers/podman/pull/23110
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Previously this task ran using the Cirrus-CI compute service, consuming
compute credits. However, since podman is already using a persistent
worker pool for CI, it can also be leveraged for use here. Since Mac
resources are relatively expensive, it also makes financial sense to
re-use infrastructure where possible.
Notes:
- This change also restricts the cross-build task to only running on
the default branch. This is necessary because the PW Pool environment
is always rolling forward and may not match what was in place at the
time a release-branch was created.
- This changes the test from an install + run, to just a build + run.
This is required because the task is running as a regular user w/o
permissions to install anything system-wide, on a host shared with
other CI tasks.
Signed-off-by: Chris Evich <cevich@redhat.com>
Without this change, packit will trigger duplicate jobs on podman-next
for `skopeo-fedora`, `skopeo-centos` etc, which essentially point to the
same file.
1 job triggered builds packages for all environments enabled on the
COPR, so simply `skopeo-fedora` should suffice.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Until now `cc' was hard-coded as the only compiler used. Supporting selecting
the compiler and preprocessor to be used via environment variables makes life
easier for distributors, so this commit mimics how podman does it in its hack/*
scripts.
Signed-off-by: Tomas Volf <~@wolfsden.cz>
The bats package is not available on RHEL. It's in Fedora and EPEL.
Having bats as a requirement for the `skopeo-tests` subpackage will
cause installibility test failures for RHEL 10 / C10S gating tests.
This commit makes `bats` a requirement only on Fedora. RHEL and CentOS
Stream gating will need to fetch bats through separately enabling EPEL
or other means.
Podman PR with similar change: https://github.com/containers/podman/pull/22632
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
This commit will enable downstream syncing to CentOS Stream 10. The
centos maintainer will need to manually run `packit propose-downstream`
and `centpkg build` until better centos integration is in place.
This commit also builds both rhel9 and centos9 copr rpms so we can check
for things like differences in golang compiler.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
In the Buildah repo, we had a request for a ptr to the container image
location in the docs. We've added similar to Podman and Buildah.
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Correct the summary for standalone-sign. The old summary appears to be a
bad copy-and-paste from "skopeo copy".
Clarify that both of these tools are debugging tools, only operating on
local files.
Signed-off-by: Ken Dreyer <kdreyer@ibm.com>
This is needed on the off-chance that some tool or a human suggests
updating the minimum version to 1.21 or later. Since doing so would
cause Fedora and Debian to start behaving differently WRT builds.
Signed-off-by: Chris Evich <cevich@redhat.com>
This commit makes skopeo return a different exit code when an
input is not found. The use case is `osbuild` which uses skopeo
to inspect images and it would be nice to differenciate between
an image that is not found and general skopeo errors (or errors
like network issues etc).
I picked exit code `2` for `not found` because it is also the value
of `ENOENT`.
Man page and a test are added.
Signed-off-by: Michael Vogt <mvogt@redhat.com>
This removes the need for any `Provides: bundled()` we needed in spec
files.
The updated Provides will be visible in the build logs and can also be
verified with `rpm -q --provides $RPM_FILE`.
Signed-off-by: Lokesh Mandvekar <lsm5@redhat.com>
Given the big changes in c/common, c/image and c/storage, I think
it makes sense to create Skopeo v1.15.0 now to go out with Podman v5.0
and Buildah v1.35.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
Move docs under "Building without a container".
Check instead of setting env variable.
Provide alternative approach.
Signed-off-by: Miltiadis Kallianis <miltiadis.kallianis@asml.com>
... and c/image/v5 to main
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
As the title says. Bumping to v1.15.0-dev. We'll be using 1.14 in
RHEL 8.10/9.4, and v1.15 of Skopeo will be targeted for a later RHEL
version.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
As the title says. Bumping now in preparation for RHEL 8.10/9.4.
Once merged, I will create release-1.14 branch based on this commit.
[NO NEW TESTS NEEDED]
Signed-off-by: tomsweeneyredhat <tsweeney@redhat.com>
ENTRYPOINT was incorrectly documented to be set to /
(which doesn't even make sense).
Stop mentioning PATH and WORKDIR in the top-level README,
typical users of the container shouldn't need to care,
and it's already somewhat implied by "built using the latest Fedora".
Fixes#2134.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Some other containers/* repos use these values in test names;
we don't, so remove them so that we don't have to worry
about keeping them up to date.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
These jobs have been failing since early August due to
technical/scripting problems. Disable/remove entirely since a fix
is unlikely to be implemented anytime soon.
Signed-off-by: Chris Evich <cevich@redhat.com>
The lowercase `and` in the License field isn't compatible with spdx
license format.
This commit replaces all `and` with `AND` in the License field in spec.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Building all PRs of all container projects into the same COPR does not
properly isolate PRs from each other.
To avoid that, change the copr_build configuration to use the packit
default COPRs, which are specific to the particular PR, and disappear
after a few weeks. Depending projects should only run against what
landed in skopeo/main i.e. the podman-next COPR.
Signed-off-by: Martin Pitt <mpitt@redhat.com>
We already require it, because docker/credential-helpers uses Go 1.19
os/exec.Cmd.Environ(). So make that official.
> go mod tidy -go=1.19
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> go mod tidy && go mod vendor
This updates c/image with a new version of x/exp.
That package has changed API in an incompatible way,
so just bumping x/exp (as in https://github.com/containers/skopeo/pull/2060 )
would break Skopeo builds.
This updates both c/image and x/exp in lockstep (and nothing
needs updating in Skopeo itself for the x/exp breakage).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This automatically the global --policy-path and --insecure-policy options,
which don't affect h.sysctx.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The pre-sync action constantly breaks and is currently not possible to
reliably test until the subsequent upstream release due to limitations
in packit.
The lines being added by the action script to the downstream Fedora spec
were only meant to keep Fedora happy. But given that they provide
no tangible benefit as github notifies us of security
issues in libraries mentioned in go.mod and go.sum, along with redhat
prodsec's own magic for creating security alerts, there's absolutely
no point to having the pre-sync action run and add a layer of uncertainty.
This commit removes the pre-sync action and
`rpm/update-spec-provides.sh`.
Ref: https://github.com/containers/podman/issues/19232
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
In PR review for a different issue, the question of what happens
if we hit overflow for the imageid serial was hit. This feels
pretty unlikely; if I did the math right, it'd require opening
an average of 136 images per second to overflow it in a year.
Nevertheless, in practice what we're sending on the wire is just a JSON
number, and if we extend this to the "max safe JSON number" of 2^53,
it'd take 285,616,414 images per second to overflow in a year, going
from implausible to probably impossible.
With a bit more work of course, we could make this a sparse mapping
and reuse freed numbers, but eh.
Signed-off-by: Colin Walters <walters@verbum.org>
The default Packit sandbox environment that runs Packit tasks for
downstream Fedora does not have golist installed by default and can't
run superuser tasks.
This commit will download and extract the golist binary from the Fedora
rpm and use it to provide golist.
The GOPATH mention in `rpm/update-spec-provides.sh` is only required for
golist to generate the gopaths and doesn't affect upstream or the rpm spec.
Currently, the only way to reliably test this is on an open github issue by running
`/packit propose-downstream`. This can't be run on an open PR.
The job-specific packit actions can only be tested via the packit
service and not via packit cli.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Distro conditionals have been rewritten in a cleaner
and easier to read way.
All `bcond` macros have been replaced with friendlier alternatives.
Also removed macros related to `import_path` as they are no longer
necessary.
update-spec-provides.sh has been updated to account for possible build
issues in downstream tasks which won't be noticed until a downstream
release.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
It's a bit cumbersome to manage a tooling version buried deep in a
command, let alone one also buried deep in a `Makefile`. Add a
variable to hold the version number so renovate can easily manage it.
This happens via a `regex` manager in the shared configuration
include `containers/automation//renovate/defaults.json5`. Also add a
helpful note/reminder to humans who may want to manually change the
version for some reason.
Depends on: https://github.com/containers/automation/pull/145
Signed-off-by: Chris Evich <cevich@redhat.com>
Assigning to a group isn't supported in github. Renove this section and
the golang section (all options moved into defaults.json5).
Signed-off-by: Chris Evich <cevich@redhat.com>
Get rid of `skopeo.spec.rpkg` in favour of
`rpm/skopeo.spec` which gets synced with fedora dist-git on every
upstream release. The version in the new spec file is set to `0` by
default and gets updated by packit automatically on every packit task.
Packit will automatically create a PR on fedora dist-git on every new
upstream release. A sample PR will look like:
https://src.fedoraproject.org/rpms/container-selinux/pull-request/10#
A dry run for this can be triggered using:
`$ packit propose-downstream --local-content`
To run this command locally, you would need to have your packit
user-configuration-file set.
Ref: https://packit.dev/docs/configuration/#user-configuration-file
along with a fedora api key created at:
https://src.fedoraproject.org/settings#nav-api-tab with sufficient ACLs.
This patch incurs zero additional cost to upstream as the downstream
tasks occur only after upstream release and do not block anything
upstream.
[NO NEW TESTS NEEDED]
Co-authored-by: Miloslav Trmač <mitr@redhat.com>
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Currently it uses golang-1.18.7-1.fc36.x86_64 ; we need 1.19,
and the current version of the base image has golang-1.20.3-1.fc38.x86_64
.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Accurately document the effect of GO_DYN_FLAGS
- Fix a typo
- Remove a shell script example; removes a docker command,
we don't care to maintain it to run correctly,
and anyone knowledgeable enough to understand the
trade-offs of static linking can almost certainly create that from scratch.
Fixes#1700
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
More template functions available in (skopeo inspect --format)
Adds new ways to supply trusted keys to (skopeo standalone-verify).
Now requires Go 1.18.
- [CI:DOCS] Fix up language in README
- Add unit tests for tlsVerifyConfig's yaml.Unmarshaler
- Cirrus: Use human-readable CI VM Images
- [CI:BUILD] copr: fix el8 build and enable debuginfo
- [CI:BUILD] enable debuginfo for el8 copr builds
- Update to use, and benefit from, Go 1.18
- [CI:DOCS] Disable dependabot
- Renovate: c/common rule moved to defaults
- [CI:BUILD] Packit: initial enablement
- Replace gopkg.in/check.v1 by github.com/stretchr/testify/suite/
- Corrected typo in skopeo-sync and updated description
- Fix tabelating output in (skopeo inspect --format)
- Use common library reporter
- Fix formatting of inspect examples
- Use io.WriteString
- Factor out the output of data in (skopeo inspect)
- Simplify inspectOptions.writeOutput a bit more
- Cirrus: Update CI VM images
- Make the installation instructions more prominent in README.md
- [CI:BUILD] Packit: trigger builds on commit to main branch
- systemtests: Fix 040-local-registry-auth about XDG_RUNTIME_DIR
- Verify signatures from a trust store
- Rename argument. Only use any with public key file. Double check fingerprint is in public key file.
- Use multiple fingerprint function Allow comma separated fingerprint list
- Avoid use of a deprecated capability.NewPid
- Fix error handling of signature.NewEphemeralGPGSigningMechanism
- Cross-link the top-level and subcommand option lists
- Use golangci-lint instead of golint
- Add (make tools) to install (for now only) golangci-lint, use it in Cirrus
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The only thing hack/make.sh is now really doing is the
warning + sleep without SKOPEO_CONTAINER_TESTS .
So, make that a separate script, and eliminate the
hack/make directory.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This is simpler to do, cheap enough for our repo size, and it
does not require a network access to see which files to check.
And it's the last user of hack/make/.validate, which I wanted to
remove in the first place.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Always lint everything, not just changed files;
that means that if we upgrade the linter, we will
need to clean everything up, but that's a good thing
for contributors who come after that linter upgrade.
- Don't skip linting the integration tests, there's no
good reason to skip them.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
We now require Go 1.18. As of that version:
- GO111MODULE=on is implied by having a go.mod file
- -mod=vendor is implied by having a vendor directory
so just remove both options everywhere
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
signature.NewEphemeralGPGSigningMechanism is called in an if branch
where the previous err := introduces a "new" err variable, which means
the failure isn't visible after the if.
So, do the dumb thing and just check on both branches explicitly.
(We still need to worry about correctly setting "mech" and
"publicKeyfingerprints" to persist after the if.)
How I hate Go sometimes. And this shows we really should update
the linter.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Add the ability to use an on-disk trust store to verify signatures. Also allow the user to trust any known fingerprint instead of having to specify one.
Signed-off-by: James Hewitt <james.hewitt@uk.ibm.com>
This commit lets packit trigger builds on
`rhcontainerbot/podman-next` copr after a commit to the main branch
instead of the current github webhook trigger.
The builds triggered via packit also provide more information in their
`version-release`:
Current webhook triggered build:
`101:0.0.git.2460.cfd6f20f-1`.
Ref: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/package/skopeo/
Packit triggered build for another package (netavark) on podman-next:
101:1.6.0~dev-1.20230321121647013339.main.61.gd6f0352
Ref: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/package/netavark/
The packit triggered build correctly shows the upstream branch name,
commit id, timestamp as well as the upstream version.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
... mostly so that I get practice and remember this exists in the future.
(This saves one allocation & copy when the target implements
io.StringWriter. And that makes absolutely no relevant difference
on this path.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
tabwriter buffers lines that contain \t in memory, and only
writes them out on a .Flush(). So actually call that.
Without this, things like
> --format 'name\tdigest\tlabels\n{{.Name}}\t{{.Digest}}\t{{.Labels}}\n'
result in no output at all.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
gopkg.in/check.v1 hasn't had any commit since Nov 2020.
That's not a immediate issue for a test-only dependency, but
because it hides access to the standard library *testing.T,
eventually it will become limiting.
Also, using the same framework for unit and integration tests
seems practical.
This is mostly a batch copy&paste job, with a fairly high risk
of unexpected breakage.
Also, I didn't take much time at all to carefully choose between
assert.* and require.*; we can tune that as failures show up.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit will run COPR builds on every PR against all active
releases of CentOS Stream and Fedora, thus allowing buildability checks before the
PR merges.
Builds are done on a custom COPR project:
`rhcontainerbot/packit-builds`.
Ref: https://copr.fedorainfracloud.org/coprs/rhcontainerbot/packit-builds/
The build targets are set in the copr itself, so we don't need to
explicitly mention them in `.packit.yaml`, making upstream configuration
a lot simpler.
The `spec.rpkg` file meant for rpm builds post-pr-merge at
`rhcontainerbot/podman-next` copr gets reused for packit builds, so the
packit jobs are independent of Fedora / CentOS dist-git.
NOTE: The Packit copr_build tasks help to check if every commit builds on
supported Fedora and CentOS Stream arches. They do not block the current
Cirrus-based workflow.
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Fedora 35 builds are disabled, so remove fedora 35
conditionals while we're at it.
Bump containers-common dependency to match with that in
podman.spec.rpkg.
TODO: fix debuginfo for rhel8
Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Image content hasn't changed much, the biggest thing here is the
`$IMAGE_SUFFIX` value. This new schema is also fully manageable
by renovate. Allowing a tag-push to c/automation_images to create image
update PRs in all repos automatically.
Signed-off-by: Chris Evich <cevich@redhat.com>
- Add a prompt to the skopeo commands.
- Add a "console" identifier to fenced code
blocks which has a prompt, not "sh".
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
Use (podman unshare) as already suggested, it is necessary for an unprivileged
user to remove the temporary c/storage state. OTOH it doesn't work with Docker at all.
Don't use the - prefix, it only works at the _start_ of a rule, not in the middle of
a multi-line shell script.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- Don't do it at all for the CI VM: We can use the
VM's global Podman configuration, and use faster overlay
instead of vfs, so let's do that.
- For the developer-run (make test-system):
- Add graphroot and runroot paths to make the configuration minimally valid
- Explicitly point CONTAINERS_STORAGE_CONF at the configutation
to be certain it will get used.
Then drop the (podman pull ...) in runner.sh:_podman_reset that seemed to
previously workaround the invalid /etc/containers/storage.conf .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The containers/image CI setup reuses the runner script from this repo to
execute the skopeo tests. However, an env. var. is being taken out of
context in that environment, leading to failure. Fix this by
hard-coding an image-name which will always be available in both
environments.
Signed-off-by: Chris Evich <cevich@redhat.com>
This is necessary, since running the skopeo tests modifies the host
environment. This can result in some warning messages the first time
a container is started. These messages can interfere with tests which
are sensitive to stdout/stderr. Since many/most tests require a local
image registry, launch it with `/bin/true` after doing a system reset
to clear away any pesky warning messages.
Signed-off-by: Chris Evich <cevich@redhat.com>
For whatever reasons, the podman configuration in CI results in the
inspect test throwing the following error:
```
not ok 4 inspect: image manifest list w/ diff platform
125
configuration is unset - using hardcoded default graph root
\"/var/lib/containers/storage\""
configuration is unset - using hardcoded default graph root
\"/var/lib/containers/storage\""
StoreOptions
```
Fix this by not using `podman`. It's unnecessary, since all the test
needs is the golang-flavor of the current system's architecture name.
That can easily be obtained by asking the go tool directly.
Signed-off-by: Chris Evich <cevich@redhat.com>
These are already present in the VM images. These instructions only
cause the DNF cache to be refreshed, wasting precious developer time.
Signed-off-by: Chris Evich <cevich@redhat.com>
(skopeo copy) and (skopeo sync) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This task does not make sense to maintain long-term on release
branches. Its intent is always/only to test the latest/greatest code
and environment. After release, it's simply too difficult to maintain
functioning CI with a constantly changing (Cirrus-managed) OSX environment.
Ensure the task only runs for PRs targeted at the default branch, or if
the current branch is the default branch.
Signed-off-by: Chris Evich <cevich@redhat.com>
Should not change behavior - it would matter for unit tests
which don't exist.
Also, promptForPassphrase must continue to hard-code "real" os.Stdin and os.Stdout.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Missing `.Close()` on the blob currently leaks a temporary
file. Noticed this when doing repeated pulls.
Signed-off-by: Colin Walters <walters@verbum.org>
Fairly universally, the last Cirrus-Cron job is set to fire off at
22:22 UTC. However, the re-run of failed jobs GHA workflow was
scheduled for 22:05, meaning it will never re-run the last cirrus-cron
job should it fail.
Re-arrange the execution order so as to give plenty of time between the
last cirrus-cron job starting, the auto-re-run attempt, and the final
failure-check e-mail.
Signed-off-by: Chris Evich <cevich@redhat.com>
Patch created by re-running the two example commands and manually
abbreviating long lists in the output.
Fixes#1766.
Signed-off-by: Fabian P. Schmidt <kerel@mailbox.org>
Since d9dfc44 the 'skopeo inspect' command exposes the LayerData
which often contains the layer size. This is a very useful feature
so we mentioned it in the README now.
Signed-off-by: Fabian P. Schmidt <kerel@mailbox.org>
This does reverse-dependency testing, verifying `proxy.go` using
the ostree-rs-ext Rust code's unit tests.
Based on #1781 by @cgwalters
Signed-off-by: Chris Evich <cevich@redhat.com>
The `behind-base-branch` setting means:
Renovate will rebase whenever the branch falls 1 or more
commit behind its base branch
Signed-off-by: Chris Evich <cevich@redhat.com>
> go get github.com/containers/image/v5@main
> make vendor
... to make sure that we don't regress against Skopeo 1.9.3.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
In some code I'm writing I want to be able to cleanly test if an
image exists, as distinguished from other errors like authentication
problems, network flakes etc.
As best I can tell, the containers/image abstraction doesn't
offer a clean way to do this.
For now, I chose the route of adding the ugly string error matching
here for the two cases I care about (docker v2s2 registry and oci
directories), so my Rust code can operate in terms of clean
`Option<Image>`.
Signed-off-by: Colin Walters <walters@verbum.org>
FIXME: This is not actually tested against a representative
error; we basically assume generic "scope is not sufficient" handling.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
AFAICT, “IBM Bluemix” has become “IBM Cloud”, and the “Bluemix” registry
is now (somehow related to?) icr.io; e.g.
https://cloud.ibm.com/docs/Registry?topic=Registry-registry_overview
lists bluemix.net and icr.io host names.
Randomly looking for a public image hosted on that registry, at least
> skopeo list-tags docker://icr.io/codeengine/firstjob
now succeeds.
So I’m assuming that at least the current cloud deployment now allows
listing tags, and does not need special handling. (It's unclear if
that is true for all existing deployments.)
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
- It's unclear why it exists in the first place
- Looking at callers of imagesToCopyFromRepo, the only caller of this:
either the input is a single repo, in which case the failure to
list tags clearly results in a no-op and a "No images to sync" fatal
failure ...
- ... or the input is YAML, and in that case the caller is already
skipping the repo on a failure.
Either way, it's unclear why we would have a special "Registry disallows
tag retrieval" error special case instead of the generic text.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
They were useful before assertSkopeoSucceeds/assertSkopeoFails,
when they were used multiple times. Now, they don't
make the code any shorter.
Should not change (test) behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
(skopeo inspect) now provides more information about individual layers.
The default /etc/containers/registries.d/default.yaml now has all entries
commented-out, to use built-in defaults; that can change the default for lookaside-staging
to use an unprivileged users' home directory instead of a path in /var/.
- GHA: Re-use identical workflow from buildah repo
- Optimize upstream skopeo container image build
- Fix running tests on macOS
- Reformat with Go 1.19's gofmt
- Fix a comment
- Fix looking for commands with GNU make 4.2.1
- Talk about "registry repositories" in (skopeo sync) documentation
- Point at --all in the --preserve-digests option documentation
- Remove unused GIT_BRANCH definition
- Don't include git commit from a parent directory in the --version output
- Update for c/image's update of github.com/gobuffalo/pop
- Merge pull request #1737 from mtrmac/pop-v5-override
- Stop using docker/docker/pkg/homedir in tests
- add inspect layersData
- Don't abort sync if the registry returns invalid tags
- warn users about --dest-compress and --dest-decompress misuse
- document imageDestOptions.warnAboutIneffectiveOptions()
- warn about ineffective destination opts in sync cmd
- default.yaml should have all options commented
- Fix documentation in the default registries.d content.
- [CI:DOCS] Add quay-description update reminder
- Revert addition of -compat=1.17 to (go mod tidy)
- Update for https://github.com/klauspost/pgzip/pull/50
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
... to fix reads of compressed data by docker-archive:
> go get github.com/klauspost/pgzip@master
> make vendor
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Typically, the compat with earlier versions causes us to use
newer versions of dependencies, which can only be a good thing.
Over time, the 1.17 version reference is just going to become obsolete.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The user is not very likely to be able to do anything about that,
and we have no other way to read those images - so just skip them;
we already skip image copies in much more directly user-caused
situations, including invalid user-provided strings.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
> go get github.com/containers/image/v5@main
> go mod tidy -go=1.16 && go mod tidy -go=1.17
> make vendor
The (go mod tidy) pair is necessary to keep c/image CI working.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This can happen when building RPMs out of tarballs (which don't contain
the .git repository).
To test:
> make -n /bin/skopeo; mv .git ../.git ; make -n bin/skopeo
Fixes#1707 .
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Running cross-platform compiles using emulation is a painfully
slow process. Since CI-runtime is limited, improve image build time
by leveraging the automatic RPM builds occurring for the podman-next
COPR repo. This adds build-time efficiency by offloading the
compilation task. Note: These RPMs are built any time the 'main'
branch changes, so they'll still be very recent.
https://copr.fedorainfracloud.org/coprs/rhcontainerbot/podman-next/
Signed-off-by: Chris Evich <cevich@redhat.com>
It's a PITA to maintain duplicate code across repos. Relatively
github-actions added a feature that allows re-using workflows
from other repos. Use that here to reduce duplication.
Signed-off-by: Chris Evich <cevich@redhat.com>
The skopeo project follows the [Containers Community Code of Conduct](https://github.com/containers/common/blob/main/CODE-OF-CONDUCT.md).
The skopeo project, as part of Podman Container Tools, follows the [CNCF Code of Conduct](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
The Skopeo project, as part of Podman Container Tools, follows the [Podman Project Governance](https://github.com/containers/podman/blob/main/GOVERNANCE.md)
except sections found in this document, which override those found in Podman's Governance.
---
# Maintainers File
The definitive source of truth for maintainers of this repository is the local [MAINTAINERS.md](./MAINTAINERS.md) file. The [MAINTAINERS.md](https://github.com/containers/podman/blob/main/MAINTAINERS.md) file in the main Podman repository is used for project-spanning roles, including Core Maintainer and Community Manager. Some repositories in the project will also have a local [OWNERS](./OWNERS) file, which the CI system uses to map users to roles. Any changes to the [OWNERS](./OWNERS) file must make a corresponding change to the [MAINTAINERS.md](./MAINTAINERS.md) file to ensure that the file remains up to date. Most changes to [MAINTAINERS.md](./MAINTAINERS.md) will require a change to the repository’s [OWNERS](.OWNERS) file (e.g., adding a Reviewer), but some will not (e.g., promoting a Maintainer to a Core Maintainer, which comes with no additional CI-related privileges).
Any Core Maintainers listed in Podman’s [MAINTAINERS.md](https://github.com/containers/podman/blob/main/MAINTAINERS.md) file should also be added to the list of “approvers” in the local [OWNERS](./OWNERS) file and as a Core Maintainer in the list of “Maintainers” in the local [MAINTAINERS.md](./MAINTAINERS.md) file.
| Neil Smith | [actionmancan](https://github.com/actionmancan) | Community Manager | [Red Hat](https://github.com/RedHatOfficial) |
| Tom Sweeney | [TomSweeneyRedHat](https://github.com/TomSweeneyRedHat/) | Maintainer and Community Manager | [Red Hat](https://github.com/RedHatOfficial) |
The structure of this document was based off of the equivalent one in the [CRI-O Project](https://github.com/cri-o/cri-o/blob/main/MAINTAINERS.md).
## Note
If there is a discrepancy between the [MAINTAINERS.md](https://github.com/containers/podman/blob/main/MAINTAINERS.md) file in the main Podman repository and this file regarding Core Maintainers or Community Managers, the file in the Podman Repository is considered the source of truth.
[](https://www.bestpractices.dev/projects/10516)
`skopeo` is a command line utility that performs various operations on container images and image repositories.
@@ -42,6 +45,14 @@ Skopeo works with API V2 container image registries such as [docker.io](https://
* oci:path:tag
An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
[Obtaining skopeo](./install.md)
-
For a detailed description how to install or build skopeo, see
[install.md](./install.md).
Skopeo is also available as a Container Image on [quay.io](https://quay.io/skopeo/stable). For more information, see the [Skopeo Image](https://github.com/containers/image_build/blob/main/skopeo/README.md) page.
## Inspecting a repository
`skopeo` is able to _inspect_ a repository on a container registry and fetch images layers.
The _inspect_ command fetches the repository's manifest and it is able to show you a `docker inspect`-like
Skopeo intends to mostly continue to be a very thin CLI wrapper over the [https://github.com/containers/image](containers/image) library, with most features being added there, not to this repo. A typical new Skopeo feature would only add a CLI for a recent containers/image feature.
## Future feature focus (most of the work must be done in the containers/image library)
* OCI artifact support.
* Integration of composefs.
* Partial pull support (zstd:chunked).
* Performance and stability improvements.
* Reductions to the size of the Skopeo binary.
*`skopeo sync` exists, and bugs in it should be fixed, but we don’t have much of an ambition to compete with much larger projects like [https://github.com/openshift/oc-mirror](oc-mirror).
// Both directory and oci should have ShellCompDirectiveFilterDirs to complete only directories, but it doesn't currently work in bash: https://github.com/spf13/cobra/issues/2242
flags.BoolVarP(&opts.quiet,"quiet","q",false,"Suppress output information when copying images")
flags.BoolVarP(&opts.all,"all","a",false,"Copy all images if SOURCE-IMAGE is a list")
flags.Var(commonFlag.NewOptionalStringValue(&opts.multiArch),"multi-arch",`How to handle multi-architecture images (system, all, or index-only)`)
flags.BoolVar(&opts.preserveDigests,"preserve-digests",false,"Preserve digests of images and lists")
flags.BoolVar(&opts.removeSignatures,"remove-signatures",false,"Do not copy signatures from SOURCE-IMAGE")
flags.StringVar(&opts.signByFingerprint,"sign-by","","Sign the image using a GPG key with the specified `FINGERPRINT`")
flags.StringVar(&opts.signBySigstorePrivateKey,"sign-by-sigstore-private-key","","Sign the image using a sigstore private key at `PATH`")
flags.StringVar(&opts.signPassphraseFile,"sign-passphrase-file","","Read a passphrase for signing an image from `PATH`")
flags.StringVar(&opts.signIdentity,"sign-identity","","Identity of signed image, must be a fully specified docker reference. Defaults to the target docker reference.")
flags.StringVar(&opts.digestFile,"digestfile","","Write the digest of the pushed image to the specified file")
flags.VarP(commonFlag.NewOptionalStringValue(&opts.format),"format","f",`MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
flags.StringSliceVar(&opts.encryptionKeys,"encryption-key",[]string{},"*Experimental* key with the encryption protocol to use needed to encrypt the image (e.g. jwe:/path/to/key.pem)")
flags.IntSliceVar(&opts.encryptLayer,"encrypt-layer",[]int{},"*Experimental* the 0-indexed layer indices, with support for negative indexing (e.g. 0 is the first layer, -1 is the last layer)")
flags.StringSliceVar(&opts.decryptionKeys,"decryption-key",[]string{},"*Experimental* key needed to decrypt the image")
flags.UintVar(&opts.imageParallelCopies,"image-parallel-copies",0,"Maximum number of image layers to be copied (pulled/pushed) simultaneously. Not setting this field will fall back to containers/image defaults.")
}// opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
scopedbool// When true, namespace copied images at destination using the source repository name
allbool// Copy all of the images if an image in the source is a list
dryRunbool// Don't actually copy anything, just output what it would have done
keepGoingbool// Whether or not to abort the sync if there are any errors during syncing the images
appendSuffixstring// Suffix to append to destination image tag
}
// repoDescriptor contains information of a single repository used as a sync source.
@@ -66,6 +64,7 @@ type tlsVerifyConfig struct {
typeregistrySyncConfigstruct{
Imagesmap[string][]string// Images map images name to slices with the images' references (tags, digests)
ImagesByTagRegexmap[string]string`yaml:"images-by-tag-regex"`// Images map images name to regular expression with the images' tags
ImagesBySemvermap[string]string`yaml:"images-by-semver"`// ImagesBySemver maps a repository to a semver constraint (e.g. '>=3.14') to match images' tags to
Credentialstypes.DockerAuthConfig// Username and password used to authenticate with the registry
TLSVerifytlsVerifyConfig`yaml:"tls-verify"`// TLS verification mode (enabled by default)
CertDirstring`yaml:"cert-dir"`// Path to the TLS certificates of the registry
@@ -104,33 +105,30 @@ See skopeo-sync(1) for details.
}
adjustUsage(cmd)
flags:=cmd.Flags()
flags.BoolVar(&opts.removeSignatures,"remove-signatures",false,"Do not copy signatures from SOURCE images")
flags.StringVar(&opts.signByFingerprint,"sign-by","","Sign the image using a GPG key with the specified `FINGERPRINT`")
flags.StringVar(&opts.signBySigstorePrivateKey,"sign-by-sigstore-private-key","","Sign the image using a sigstore private key at `PATH`")
flags.StringVar(&opts.signPassphraseFile,"sign-passphrase-file","","File that contains a passphrase for the --sign-by key")
flags.VarP(commonFlag.NewOptionalStringValue(&opts.format),"format","f",`MANIFEST TYPE (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest type of source, with fallbacks)`)
flags.StringVarP(&opts.source,"src","s","","SOURCE transport type")
flags.StringVarP(&opts.destination,"dest","d","","DESTINATION transport type")
flags.BoolVar(&opts.scoped,"scoped",false,"Images at DESTINATION are prefix using the full source image path as scope")
flags.BoolVarP(&opts.all,"all","a",false,"Copy all images if SOURCE-IMAGE is a list")
flags.BoolVar(&opts.dryRun,"dry-run",false,"Run without actually copying data")
flags.BoolVar(&opts.preserveDigests,"preserve-digests",false,"Preserve digests of images and lists")
flags.BoolVarP(&opts.keepGoing,"keep-going","",false,"Do not abort the sync if any image copy fails")
flags.StringVarP(&opts.source,"src","s","","SOURCE transport type")
flags.StringVarP(&opts.destination,"dest","d","","DESTINATION transport type")
flags.BoolVar(&opts.scoped,"scoped",false,"Images at DESTINATION are prefix using the full source image path as scope")
flags.StringVar(&opts.appendSuffix,"append-suffix","","String to append to DESTINATION tags")
flags.StringVar(&opts.digestFile,"digestfile","","Write the digests and Image References of the resulting images to the specified file, separated by newlines")
flags.BoolVarP(&opts.all,"all","a",false,"Copy all images if SOURCE-IMAGE is a list")
flags.BoolVar(&opts.dryRun,"dry-run",false,"Run without actually copying data")
flags.BoolVarP(&opts.keepGoing,"keep-going","",false,"Do not abort the sync if any image copy fails")
returncmd
}
// UnmarshalYAML is the implementation of the Unmarshaler interface method
// method for the tlsVerifyConfig type.
// for the tlsVerifyConfig type.
// It unmarshals the 'tls-verify' YAML key so that, when they key is not
fs.StringVar(&opts.authFilePath,"authfile",os.Getenv("REGISTRY_AUTH_FILE"),"path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
fs.StringVar(&opts.authFilePath,"authfile",os.Getenv("REGISTRY_AUTH_FILE"),"path of the registry credentials file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
// the non-prefixed flag is handled by a shared flag.
fs.Var(commonFlag.NewOptionalStringValue(&flags.authFilePath),flagPrefix+"authfile","path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
fs.Var(commonFlag.NewOptionalStringValue(&flags.authFilePath),flagPrefix+"authfile","path of the registry credentials file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json")
}
fs.Var(commonFlag.NewOptionalStringValue(&flags.credsOption),flagPrefix+"creds","Use `USERNAME[:PASSWORD]` for accessing the registry")
fs.Var(commonFlag.NewOptionalStringValue(&flags.userName),flagPrefix+"username","Username for accessing the registry")
fs.BoolVar(&opts.dirForceCompression,flagPrefix+"compress",false,"Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source)")
fs.BoolVar(&opts.removeSignatures,"remove-signatures",false,"Do not copy signatures from source")
fs.StringVar(&opts.signByFingerprint,"sign-by","","Sign the image using a GPG key with the specified `FINGERPRINT`")
fs.StringVar(&opts.signBySigstoreParamFile,"sign-by-sigstore","","Sign the image using a sigstore parameter file at `PATH`")
fs.StringVar(&opts.signBySigstorePrivateKey,"sign-by-sigstore-private-key","","Sign the image using a sigstore private key at `PATH`")
fs.StringVar(&opts.signPassphraseFile,"sign-passphrase-file","","Read a passphrase for signing an image from `PATH`")
fs.VarP(commonFlag.NewOptionalStringValue(&opts.format),"format","f",`MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of source, with fallbacks)`)
fs.BoolVar(&opts.preserveDigests,"preserve-digests",false,"Preserve digests of images and lists")
returnfs,&opts
}
// copyOptions interprets opts, returns a partially-filled *copy.Options,
// and a function that should be called to clean up.
}// opts.signByFingerprint triggers a GPG-agent passphrase prompt, possibly using a more secure channel, so we usually shouldn’t prompt ourselves if no passphrase was explicitly provided.
skopeo-experimental-image-proxy - API server for fetching container images (EXPERIMENTAL)
# SYNOPSIS
**skopeo experimental-image-proxy** [*options*]
# DESCRIPTION
**EXPERIMENTAL COMMAND**: This command is experimental, and its API is subject to change. It is currently hidden from the main help output and not supported on Windows.
`skopeo experimental-image-proxy` exposes core container image fetching APIs via custom JSON+fd-passing protocol. This provides a lightweight way to fetch container image content (manifests and blobs). This command is primarily intended for programs that want to operate on a storage type that skopeo doesn't natively handle. For example, the bootc project currently has a custom ostree-based container storage backend.
The client process that invokes `skopeo experimental-image-proxy` is responsible for creating a socket pair and passing one of the file descriptors to the proxy. By default, the proxy expects this file descriptor to be its standard input (fd 0), but a different fd can be specified using the **--sockfd** option.
**Protocol Overview**
The protocol requires a `socketpair(2)` of type `SOCK_SEQPACKET`, over which a single JSON message is sent per packet. Large data payloads, such as image manifests and blobs, are transferred over separate pipes (`pipe(2)`), with the read-ends of these pipes passed to the client via file descriptor (FD) passing.
*`success`: `true` if the call succeeded, `false` otherwise.
*`value`: The return value of the method, if any.
*`pipeid`: An integer identifying a pipe for data transfer. This ID is used with the `FinishPipe` method.
*`error_code`: A string indicating the type of error if `success` is `false` (e.g., "EPIPE", "retryable", "other"). (Introduced in protocol version 0.2.8)
*`error`: A string describing the error if `success` is `false`.
The current protocol version is `0.2.8`.
**Supported Protocol Methods**
The server supports the following methods:
***Initialize**: Initializes the proxy. This method must be called before any other method.
* Args: `[]` (empty array)
* Returns: `string` (the protocol version, e.g., "0.2.8")
***OpenImage**: Opens an image reference (e.g., `docker://quay.io/example/image:latest`).
* Args: `[string imageName]`
* Returns: `uint64` (an opaque image ID to be used in subsequent calls)
***OpenImageOptional**: Similar to `OpenImage`, but if the image is not found, it returns `0` (a sentinel image ID) instead of an error.
* Args: `[string imageName]`
* Returns: `uint64` (opaque image ID, or `0` if the image is not found)
***CloseImage**: Closes a previously opened image, releasing associated resources.
* Args: `[uint64 imageID]`
* Returns: `null`
***GetManifest**: Retrieves the image manifest. If the image is a manifest list, it is resolved to an image matching the proxy's current OS and architecture. The manifest is converted to OCI format if it isn't already. The `value` field in the reply contains the original digest of the manifest (if the image is a manifest list, this is the digest of the list, not the per-platform instance). The manifest content is streamed over a pipe.
* Args: `[uint64 imageID]`
* Returns: `string` (manifest digest in `value`), manifest data via pipe.
***GetFullConfig**: Retrieves the full image configuration, conforming to the OCI Image Format Specification. Configuration data is streamed over a pipe.
* Args: `[uint64 imageID]`
* Returns: `null`, configuration data via pipe.
***GetBlob**: Fetches an image blob (e.g., a layer) by its digest and expected size. The proxy performs digest verification on the blob data. The `value` field in the reply contains the blob size. Blob data is streamed over a pipe.
* Returns: `int64` (blob size in `value`, `-1` if unknown), blob data via pipe.
***GetRawBlob**: Fetches an image blob by its digest. Unlike `GetBlob`, this method does not perform server-side digest verification. It returns two file descriptors to the client: one for the blob data and another for reporting errors that occur during the streaming. This method does not use the `FinishPipe` mechanism. The `value` field in the reply contains the blob size. (Introduced in protocol version 0.2.8)
* Args: `[uint64 imageID, string digest]`
* Returns: `int64` (blob size in `value`, `-1` if unknown), and *two* file descriptors: one for the blob data, one for errors. The error is a `ProxyError` type, see below.
***GetLayerInfoPiped**: Retrieves information about image layers. This replaces `GetLayerInfo`. Layer information data is streamed over a pipe, which makes it more reliable for images with many layers that would exceed message size limits with `GetLayerInfo`. The returned data is a JSON array of `{digest: string, size: int64, media_type: string}`. (Introduced in protocol version 0.2.7)
* Args: `[uint64 imageID]`
* Returns: `null`, layer information data via pipe.
***FinishPipe**: Signals that the client has finished reading all data from a pipe associated with a `pipeid` (obtained from methods like `GetManifest` or `GetBlob`). This allows the server to close its end of the pipe and report any pending errors (e.g., digest verification failure for `GetBlob`). This method **must** be called by the client after consuming data from a pipe, except for pipes from `GetRawBlob`.
* Args: `[uint32 pipeID]`
* Returns: `null`
***Shutdown**: Instructs the proxy server to terminate gracefully.
* Args: `[]` (empty array)
* Returns: `null`
The following methods are deprecated:
***GetConfig**: (deprecated) Retrieves the container runtime configuration part of the image (the OCI `config` field). **Note**: This method returns only a part of the full image configuration due to a historical oversight. Use `GetFullConfig` for the complete image configuration. Configuration data is streamed over a pipe.
* Args: `[uint64 imageID]`
* Returns: `null`, configuration data via pipe.
***GetLayerInfo**: (deprecated) Retrieves an array of objects, each describing an image layer (digest, size, mediaType). **Note**: This method returns data inline and may fail for images with many layers due to message size limits. Use `GetLayerInfoPiped` for a more robust solution.
* Args: `[uint64 imageID]`
* Returns: `array` of `{digest: string, size: int64, media_type: string}`.
**Data Transfer for Pipes**
When a method returns a `pipeid`, the server also passes the read-end of a pipe via file descriptor (FD) passing. The client reads the data (e.g., manifest content, blob content) from this FD. After successfully reading all data, the client **must** call `FinishPipe` with the corresponding `pipeid`. This signals to the server that the transfer is complete, allows the server to clean up resources, and enables the client to check for any errors that might have occurred during the data streaming process (e.g., a digest mismatch during `GetBlob`). The `GetRawBlob` method is an exception; it uses a dedicated error pipe instead of the `FinishPipe` mechanism.
**ProxyError**
`GetBlobRaw` returns a JSON object of the following form in the error pipe where:
```
{
"code": "EPIPE" | "retryable" | "other",
"message": "error message"
}
```
- EPIPE: The client closed the pipe before reading all data.
- retryable: The operation failed but might succeed if retried.
- other: A generic error occurred.
# OPTIONS
**--sockfd**=*fd*
Serve on the opened socket passed as file descriptor *fd*. Defaults to 0 (standard input).
The command also supports common skopeo options for interacting with image registries and local storage. These include:
**--authfile**=*path*
Path of the primary registry credentials file. On Linux, the default is ${XDG\_RUNTIME\_DIR}/containers/auth.json.
See **containers-auth.json**(5) for more details about the credential search mechanism and defaults on other platforms.
Use `skopeo login` to manage the credentials.
The default value of this option is read from the `REGISTRY\_AUTH\_FILE` environment variable.
**--cert-dir**=*path*
Use certificates at *path* (\*.crt, \*.cert, \*.key) to connect to the registry.
**--creds** _username[:password]_
Username and password for accessing the registry.
**--daemon-host** _host_
Use docker daemon host at _host_ (`docker-daemon:` transport only)
**--no-creds**
Access the registry anonymously.
**--password**=*password*
Password for accessing the registry. Use with **--username**.
**--registry-token**=*token*
Provide a Bearer *token* for accessing the registry.
**--shared-blob-dir** _directory_
Directory to use to share blobs across OCI repositories.
**--tls-verify**=_bool_
Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
**--username**=*username*
Username for accessing the registry. Use with **--password**.
# REFERENCE CLIENT LIBRARIES
- Rust: The [containers-image-proxy-rs project](https://github.com/containers/containers-image-proxy-rs) serves
as the reference Rust client.
# PROTOCOL HISTORY
- 0.2.1: Initial version
- 0.2.2: Added support for fetching image configuration as OCI
- 0.2.3: Added GetFullConfig
- 0.2.4: Added OpenImageOptional
- 0.2.5: Added LayerInfoJSON
- 0.2.6: Policy Verification before pulling OCI
- 0.2.7: Added GetLayerInfoPiped
- 0.2.8: Added GetRawBlob and error_code to replies
Container images can also be partially encrypted by specifying the index of the layer. Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first layer, -1 is the last layer.
Let's say out of 3 layers that the image `docker.io/library/nginx:1.17.8` is made up of, we only want to encrypt the 2nd layer,
@@ -12,10 +12,16 @@ Return a list of tags from _source-image_ in a registry or a local docker-archiv
## OPTIONS
See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
**--authfile** _path_
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
Path of the updated registry credentials file. On Linux, the default is ${XDG\_RUNTIME\_DIR}/containers/auth.json.
See **containers-auth.json**(5) for more details about the credential search mechanism and defaults on other platforms.
Use `skopeo login` to manage the credentials.
The default value of this option is read from the `REGISTRY\_AUTH\_FILE` environment variable.
**--creds** _username[:password]_ for accessing the registry.
@@ -37,7 +43,11 @@ Bearer token for accessing the registry.
**--retry-times**
The number of times to retry. Retry wait time will be exponentially increased based on the number of failed attempts.
The number of times to retry.
**--retry-delay**
Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
**--tls-verify**=_bool_
@@ -58,7 +68,7 @@ Repository names are transport-specific references as each transport may have it
This commands refers to repositories using a _transport_`:`_details_ format. The following formats are supported:
**docker://**_docker-repository-reference_
A repository in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(skopeo login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
A repository in a registry implementing the "Docker Registry HTTP API V2".
A _docker-repository-reference_ is of the form: **registryhost:port/repositoryname** which is similar to an _image-reference_ but with no tag or digest allowed as the last component (e.g no `:latest` or `@sha256:xyz`)
Examples of valid docker-repository-references:
@@ -79,7 +89,7 @@ This commands refers to repositories using a _transport_`:`_details_ format. The
### Docker Transport
To get the list of tags in the "fedora" repository from the docker.io registry (the repository name expands to "library/fedora" per docker transport canonical form):
Synchronize images between container registries and local directories.
The synchronization is achieved by copying all the images found at _source_ to _destination_.
Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.
Synchronize images between registry repositories and local directories. Synchronization is achieved by copying all the images found at _source_ to _destination_ - useful when synchronizing a local container registry mirror or for populating registries running inside of air-gapped environments.
Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from _source_ and _destination_.
One of the problems of prefixing a destination with its transport is that, the registry `docker://hostname:port` would be wrongly interpreted as an image reference at a non-fully qualified registry, with `hostname` and `port` the image name and tag.
@@ -32,6 +29,9 @@ When the `--scoped` option is specified, images are prefixed with the source ima
name can be stored at _destination_.
## OPTIONS
See also [skopeo(1)](skopeo.1.md) for options placed before the subcommand name.
**--all**, **-a**
If one of the images in __src__ refers to a list of images, instead of copying just the image which matches the current OS and
architecture (subject to the use of the global --override-os, --override-arch and --override-variant options), attempt to copy all of
@@ -39,16 +39,20 @@ the images in the list, and the list itself.
**--authfile** _path_
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using `skopeo login`.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using `docker login`.
Path of the primary registry credentials file. On Linux, the default is ${XDG\_RUNTIME\_DIR}/containers/auth.json.
See **containers-auth.json**(5) for more details about the credential search mechanism and defaults on other platforms.
Use `skopeo login` to manage the credentials.
The default value of this option is read from the `REGISTRY\_AUTH\_FILE` environment variable.
**--src-authfile** _path_
Path of the authentication file for the source registry. Uses path given by `--authfile`, if not provided.
Path of the primary registry credentials file for the source registry. Uses path given by `--authfile`, if not provided.
**--dest-authfile** _path_
Path of the authentication file for the destination registry. Uses path given by `--authfile`, if not provided.
Path of the primary registry credentials file for the destination registry. Uses path given by `--authfile`, if not provided.
**--dry-run**
@@ -66,7 +70,23 @@ Print usage statement.
**--scoped** Prefix images with the source image path, so that multiple images with the same name can be stored at _destination_.
**--preserve-digests** Preserve the digests during copying. Fail if the digest cannot be preserved.
**--append-suffix** _tag-suffix_ String to append to destination tags.
**--digestfile** _path_
After copying the images from source, write the digest of the resulting images along with Image Reference.
Preserve the digests during copying. Fail if the digest cannot be preserved.
This option does not change what will be copied; consider using `--all` at the same time.
**--remove-signatures** Do not copy signatures, if any, from _source-image_. This is necessary when copying a signed image to a destination which does not support signatures.
@@ -74,6 +94,11 @@ Print usage statement.
Add a “simple signing” signature using that key ID for an image name corresponding to _destination-image_
**--sign-by-sigstore** _param-file_
Add a sigstore signature based on the options in the specified containers sigstore signing parameter file, _param-file_.
See containers-sigstore-signing-params.yaml(5) for details about the file format.
**--sign-by-sigstore-private-key** _path_
Add a sigstore signature using a private key at _path_ for an image name corresponding to _destination-image_
@@ -102,7 +127,13 @@ The passphare to use when signing with `--sign-by` or `--sign-by-sigstore-privat
**--dest-registry-token** _Bearer token_ for accessing the destination registry.
**--retry-times** the number of times to retry, retry wait time will be exponentially increased based on the number of failed attempts.
**--retry-times**
The number of times to retry.
**--retry-delay**
Fixed delay between retries. If not set (or set to 0s), retry wait time will be exponentially increased based on the number of failed attempts.
**--keep-going**
If any errors occur during copying of images, those errors are logged and the process continues syncing rest of the images and finally fails at the end.
@@ -126,7 +157,7 @@ The password to access the destination registry.
## EXAMPLES
### Synchronizing to a local directory
```
```console
$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
```
Images are located at:
@@ -144,7 +175,7 @@ Images are located at:
/media/usb/busybox:1-glibc
```
Sync run
```
```console
$ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
- Repository `registry.example.com/busybox`: all images, as no tags are specified.
- Repository `registry.example.com/redis`: images tagged "1.0" and "2.0" along with image with digest "sha256:0000000000000000000000000000000011111111111111111111111111111111".
- Repository `registry.example.com/nginx`: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
- Repository `registry.example.com/alpine`: all images with tags match the semantic version constraint ">= 3.12.0" ("3.12.0, "3.12.1", ... ,"4.0.0", ...)
The full list of possible semantic version comparisons can be found in the
Version ordering and precedence is understood as defined here:
https://semver.org/#spec-item-11.
For the registry `registry.example.com`, the "john"/"this is a secret" credentials are used, with server TLS certificates located at `/home/john/certs`.
@@ -33,7 +33,9 @@ Most commands refer to container images, using a _transport_`:`_details_ format.
An existing local directory _path_ storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
**docker://**_docker-reference_
An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in either `$XDG_RUNTIME_DIR/containers/auth.json`, which is set using `(skopeo login)`. If the authorization state is not found there, `$HOME/.docker/config.json` is checked, which is set using `(docker login)`.
An image in a registry implementing the "Docker Registry HTTP API V2".
Credentials are typically managed using `(skopeo login)`;
see **containers-auth.json**(5) for more details about the credential search mechanism.
| [skopeo-copy(1)](skopeo-copy.1.md) | Copy an image (manifest, filesystem layers, signatures) from one location to another. |
| [skopeo-delete(1)](skopeo-delete.1.md) | Mark the _image-name_ for later deletion by the registry's garbage collector. |
| [skopeo-generate-sigstore-key(1)](skopeo-generate-sigstore-key.1.md) | Generate a sigstore public/private key pair. |
| [skopeo-inspect(1)](skopeo-inspect.1.md) | Return low-level information about _image-name_ in a registry. |
| [skopeo-list-tags(1)](skopeo-list-tags.1.md) | List image names in a transport-specific collection of images.|
| [skopeo-login(1)](skopeo-login.1.md) | Login to a container registry. |
| [skopeo-logout(1)](skopeo-logout.1.md) | Logout of a container registry. |
| [skopeo-manifest-digest(1)](skopeo-manifest-digest.1.md) | Compute a manifest digest for a manifest-file and write it to standard output. |
| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md) | Debugging tool - Publish and sign an image in one step. |
| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Verify an image signature. |
| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between container registries and local directories. |
| [skopeo-standalone-sign(1)](skopeo-standalone-sign.1.md) | Debugging tool - Sign an image locally without uploading. |
| [skopeo-standalone-verify(1)](skopeo-standalone-verify.1.md)| Debugging tool - Verify an image signature from local files. |
| [skopeo-sync(1)](skopeo-sync.1.md)| Synchronize images between registry repositories and local directories. |
## EXIT STATUS
`skopeo` exits with status 0 on success, non-zero on error.
Details about the exit statuses:
**1** Generic error, details can be found in the error message.
**2** The input image cannot be found. Note that this is best effort and for remote registries the status often cannot be reliably reported.
## FILES
**/etc/containers/policy.json**
Default trust policy file, if **--policy** is not specified.
The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md) .
The policy format is documented in [containers-policy.json(5)](https://github.com/containers/image/blob/main/docs/containers-policy.json.5.md) .
**/etc/containers/registries.d**
Default directory containing registry configuration, if **--registries.d** is not specified.
The contents of this directory are documented in [containers-policy.json(5)](https://github.com/containers/image/blob/master/docs/containers-policy.json.5.md).
The contents of this directory are documented in [containers-registries.d(5)](https://github.com/containers/image/blob/main/docs/containers-registries.d.5.md).
Make sure to clone this repository in your `GOPATH` - otherwise compilation fails.
@@ -174,6 +195,22 @@ document generation can be skipped by passing `DISABLE_DOCS=1`:
DISABLE_DOCS=1 make
```
#### Additional prerequisites
In order to dynamically link against system libraries and avoid compilation errors the ```CGO_ENABLED='1'``` flag must be enabled. You can easily check by ```go env | grep CGO_ENABLED```.
An alternative would be to set the `BUILDTAGS=containers_image_openpgp` (this removes the dependency on `libgpgme` and its companion libraries).
### Cross-compilation
For cross-building skopeo, use the command `make bin/skopeo.OS.ARCH`, where OS represents
the target operating system and ARCH stands for the desired architecture. For instance,
to build skopeo for RISC-V 64-bit Linux, execute:
```bash
make bin/skopeo.linux.riscv64
```
### Building documentation
To build the manual you will need go-md2man.
@@ -230,20 +267,13 @@ sudo make install
### Building a static binary
There have been efforts in the past to produce and maintain static builds, but the maintainers prefer to run Skopeo using distro packages or within containers. This is because static builds of Skopeo tend to be unreliable and functionally restricted. Specifically:
- Some features of Skopeo depend on non-Go libraries like `libgpgme` and `libdevmapper`.
- Some features of Skopeo depend on non-Go libraries like `libgpgme`.
- Generating static Go binaries uses native Go libraries, which don't support e.g. `.local` or LDAP-based name resolution.
That being said, if you would like to build Skopeo statically, you might be able to do it by combining all the following steps.
- Export environment variable `CGO_ENABLED=0` (disabling CGO causes Go to prefer native libraries when possible, instead of dynamically linking against system libraries).
- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this remove the dependency on `libgpgme` and its companion libraries).
- Clear the `GO_DYN_FLAGS` Make variable (which otherwise seems to force the creation of a dynamic executable).
The following command implements these steps to produce a static binary in the `bin` subdirectory of the repository:
```bash
docker run -v $PWD:/src -w /src -e CGO_ENABLED=0 golang \
make BUILDTAGS=containers_image_openpgp GO_DYN_FLAGS=
```
- Set the `BUILDTAGS=containers_image_openpgp` Make variable (this removes the dependency on `libgpgme` and its companion libraries).
- Clear the `GO_DYN_FLAGS` Make variable if even a dependency on the ELF interpreter is undesirable.
Keep in mind that the resulting binary is unsupported and might crash randomly. Only use if you know what you're doing!
// startRegistry starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
// startRegistryProcess starts the OpenShift registry with configPart on port, waits for it to be ready, and returns the process object, or terminates on failure.
// The default configuration currently already contains acceptschema2: false
})
// Make sure the configuration contains "acceptschema2: false", because eventually it will be enabled upstream and this function will need to be updated.
err=fmt.Errorf("Testing GetBLob for %s: %v",knownListImage,err)
}
assert.NoError(t,err)
}
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
