bib: disable --tls-verify flag
Since all containers are coming from local storage and require the user
to pull in the container beforehand, we can disable the `--tls-verify`
flag. The containers will not be resolved from a remote registry but
rather from the local container store.
kingsleyzissou authored and achilleas-k committed Dec 17, 2024
1 parent fb94560 commit 9c6b865
Showing 4 changed files with 10 additions and 43 deletions.
2 changes: 0 additions & 2 deletions README.md
Expand Up @@ -126,7 +126,6 @@ Usage:

Flags:
--chown string chown the ouput directory to match the specified UID:GID
--tls-verify require HTTPS and verify certificates when contacting registries (default true)
--type string image type to build [qcow2, ami] (default "qcow2")
--target-arch string architecture to build image for (default is the native architecture)
```
Expand All @@ -137,7 +136,6 @@ Flags:
|-------------------|-----------------------------------------------------------------------------------------------------------|:-------------:|
| **--chown** | chown the output directory to match the specified UID:GID ||
| **--rootfs** | Root filesystem type. Overrides the default from the source container. Supported values: ext4, xfs, btrfs ||
| **--tls-verify** | Require HTTPS and verify certificates when contacting registries | `true` |
| **--type** | [Image type](#-image-types) to build | `qcow2` |
| **--target-arch** | [Target arch](#-target-architecture) to build ||

17 changes: 6 additions & 11 deletions bib/cmd/bootc-image-builder/image.go
Expand Up @@ -47,9 +47,6 @@ type ManifestConfig struct {
// CPU architecture of the image
Architecture arch.Arch

// TLSVerify specifies whether HTTPS and a valid TLS certificate are required
TLSVerify bool

// The minimum size required for the root fs in order to fit the container
// contents
RootfsMinsize uint64
Expand Down Expand Up @@ -316,10 +313,9 @@ func manifestForDiskImage(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest
return nil, fmt.Errorf("pipeline: no base image defined")
}
containerSource := container.SourceSpec{
Source: c.Imgref,
Name: c.Imgref,
TLSVerify: &c.TLSVerify,
Local: true,
Source: c.Imgref,
Name: c.Imgref,
Local: true,
}

var customizations *blueprint.Customizations
Expand Down Expand Up @@ -432,10 +428,9 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro
}

containerSource := container.SourceSpec{
Source: c.Imgref,
Name: c.Imgref,
TLSVerify: &c.TLSVerify,
Local: true,
Source: c.Imgref,
Name: c.Imgref,
Local: true,
}

// The ref is not needed and will be removed from the ctor later
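Review bot: The two `container.SourceSpec` literals in manifestForDiskImage and manifestForISO now leave `TLSVerify` unset, and nothing next to them says why that is safe. The commit message gives the reason (the image is always read from local container storage, so no registry is contacted), and it belongs beside `Local: true`, e.g. `// Local storage only: no registry is contacted here, so TLS verification is decided when the user pulls the image.` How an unset `TLSVerify` is treated is decided in the container package, which is not visible on this page, so it is worth confirming that the field is never consulted when `Local` is true. Both function bodies start and end outside the hunks shown.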
7 changes: 4 additions & 3 deletions bib/cmd/bootc-image-builder/main.go
Expand Up @@ -179,7 +179,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string) ([]byte, *mTLSConfig,
imgTypes, _ := cmd.Flags().GetStringArray("type")
rpmCacheRoot, _ := cmd.Flags().GetString("rpmmd")
targetArch, _ := cmd.Flags().GetString("target-arch")
tlsVerify, _ := cmd.Flags().GetBool("tls-verify")
rootFs, _ := cmd.Flags().GetString("rootfs")

// If --local was given, warn in the case of --local or --local=true (true is the default), error in the case of --local=false
Expand Down Expand Up @@ -286,7 +285,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string) ([]byte, *mTLSConfig,
Config: config,
ImageTypes: imageTypes,
Imgref: imgref,
TLSVerify: tlsVerify,
RootfsMinsize: cntSize * containerSizeToDiskSizeMultiplier,
DistroDefPaths: distroDefPaths,
SourceInfo: sourceinfo,
Expand Down Expand Up @@ -574,7 +572,10 @@ func buildCobraCmdline() (*cobra.Command, error) {
rootCmd.AddCommand(versionCmd)

rootCmd.AddCommand(manifestCmd)
manifestCmd.Flags().Bool("tls-verify", true, "require HTTPS and verify certificates when contacting registries")
manifestCmd.Flags().Bool("tls-verify", false, "DEPRECATED: require HTTPS and verify certificates when contacting registries")
if err := manifestCmd.Flags().MarkHidden("tls-verify"); err != nil {
return nil, fmt.Errorf("cannot hide 'tls-verify' :%w", err)
}
manifestCmd.Flags().String("rpmmd", "/rpmmd", "rpm metadata cache directory")
manifestCmd.Flags().String("target-arch", "", "build for the given target architecture (experimental)")
manifestCmd.Flags().StringArray("type", []string{"qcow2"}, fmt.Sprintf("image types to build [%s]", imagetypes.Available()))
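Review bot: The `tls-verify` flag is still accepted in buildCobraCmdline, but the `GetBool("tls-verify")` read in manifestFromCobra is removed, so a caller passing `--tls-verify=true` or `--tls-verify=false` gets no indication that the option no longer has any effect. For a security-related option it is safer to say so at run time: pflag's `MarkDeprecated` hides the flag and also prints a notice when it is used, e.g. `manifestCmd.Flags().MarkDeprecated("tls-verify", "images are read from local container storage; the flag is ignored")` in place of `MarkHidden`. The default also flips from `true` to `false`; keeping `true` avoids the hidden flag reading as "verification off" to anyone who inspects it later. The error string has a misplaced space: `"cannot hide 'tls-verify' :%w"` should be `"cannot hide 'tls-verify': %w"`. buildCobraCmdline continues outside the hunk.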
27 changes: 0 additions & 27 deletions test/test_opts.py
Expand Up @@ -76,33 +76,6 @@ def test_opts_arch_is_same_arch_is_fine(tmp_path, build_fake_container, target_a
assert expected_err in res.stderr


@pytest.mark.parametrize("tls_opt,expected_cmdline", [
([], "--tls-verify=true"),
(["--tls-verify"], "--tls-verify=true"),
(["--tls-verify=true"], "--tls-verify=true"),
(["--tls-verify=false"], "--tls-verify=false"),
(["--tls-verify=0"], "--tls-verify=false"),
])
def test_bib_tls_opts(tmp_path, container_storage, build_fake_container, tls_opt, expected_cmdline):
output_path = tmp_path / "output"
output_path.mkdir(exist_ok=True)

container_ref = "quay.io/centos-bootc/centos-bootc:stream9"
testutil.pull_container(container_ref)

subprocess.check_call([
"podman", "run", "--rm",
"--privileged",
"--security-opt", "label=type:unconfined_t",
"-v", f"{container_storage}:/var/lib/containers/storage",
"-v", f"{output_path}:/output",
build_fake_container,
container_ref,
] + tls_opt)
podman_log = output_path / "podman.log"
assert expected_cmdline in podman_log.read_text()


@pytest.mark.parametrize("with_debug", [False, True])
def test_bib_log_level_smoke(tmp_path, container_storage, build_fake_container, with_debug):
output_path = tmp_path / "output"