From 9099ac036d55fc7c0f926c98c4a14dc8fc12d8f5 Mon Sep 17 00:00:00 2001 From: Gianluca Zuccarelli Date: Tue, 3 Sep 2024 12:45:43 +0100 Subject: [PATCH] bib: disable `--tls-verify` flag Since all containers are coming from local storage and require the user to pull in the container before-hand, we can disable the `--tls-verify` flag. The containers will not be resolved from a remote registry but rather from the local container store. --- README.md | 2 -- bib/cmd/bootc-image-builder/image.go | 17 ++++++----------- bib/cmd/bootc-image-builder/main.go | 7 ++++--- test/test_opts.py | 27 --------------------------- 4 files changed, 10 insertions(+), 43 deletions(-) diff --git a/README.md b/README.md index 3ee83bf9..053c3e7f 100644 --- a/README.md +++ b/README.md @@ -131,7 +131,6 @@ Flags: --progress string type of progress bar to use (e.g. verbose,term) (default "auto") --rootfs string Root filesystem type. If not given, the default configured in the source container image is used. --target-arch string build for the given target architecture (experimental) - --tls-verify require HTTPS and verify certificates when contacting registries (default true) --type stringArray image types to build [ami, anaconda-iso, gce, iso, qcow2, raw, vhd, vmdk] (default [qcow2]) --version version for bootc-image-builder @@ -148,7 +147,6 @@ Global Flags: | --output | output the artifact into the given output directory | `.` | | --progress | Show progress in the given format, supported: verbose,term,debug. If empty it is auto-detected | `auto` | | **--rootfs** | Root filesystem type. Overrides the default from the source container. Supported values: ext4, xfs, btrfs | ❌ | -| --tls-verify | Require HTTPS and verify certificates when contacting registries | `true` | | **--type** | [Image type](#-image-types) to build (can be passed multiple times) | `qcow2` | | --target-arch | [Target arch](#-target-architecture) to build | ❌ | | --log-level | Change log level (debug, info, error) | `error` | 
diff --git a/bib/cmd/bootc-image-builder/image.go b/bib/cmd/bootc-image-builder/image.go
index 4d0d362f..91f53ebc 100644
--- a/bib/cmd/bootc-image-builder/image.go
+++ b/bib/cmd/bootc-image-builder/image.go
@@ -47,9 +47,6 @@ type ManifestConfig struct {
 	// CPU architecture of the image
 	Architecture arch.Arch
 
-	// TLSVerify specifies whether HTTPS and a valid TLS certificate are required
-	TLSVerify bool
-
 	// The minimum size required for the root fs in order to fit the container
 	// contents
 	RootfsMinsize uint64
@@ -319,10 +316,9 @@ func manifestForDiskImage(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest
 		return nil, fmt.Errorf("pipeline: no base image defined")
 	}
 	containerSource := container.SourceSpec{
-		Source: c.Imgref,
-		Name: c.Imgref,
-		TLSVerify: &c.TLSVerify,
-		Local: true,
+		Source: c.Imgref,
+		Name: c.Imgref,
+		Local: true,
 	}
 
 	var customizations *blueprint.Customizations
@@ -427,10 +423,9 @@ func manifestForISO(c *ManifestConfig, rng *rand.Rand) (*manifest.Manifest, erro
 	}
 
 	containerSource := container.SourceSpec{
-		Source: c.Imgref,
-		Name: c.Imgref,
-		TLSVerify: &c.TLSVerify,
-		Local: true,
+		Source: c.Imgref,
+		Name: c.Imgref,
+		Local: true,
 	}
 
 	// The ref is not needed and will be removed from the ctor later
diff --git a/bib/cmd/bootc-image-builder/main.go b/bib/cmd/bootc-image-builder/main.go
index 4edcbfa5..cd1f9476 100644
--- a/bib/cmd/bootc-image-builder/main.go
+++ b/bib/cmd/bootc-image-builder/main.go
@@ -194,7 +194,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progress
 	imgTypes, _ := cmd.Flags().GetStringArray("type")
 	rpmCacheRoot, _ := cmd.Flags().GetString("rpmmd")
 	targetArch, _ := cmd.Flags().GetString("target-arch")
-	tlsVerify, _ := cmd.Flags().GetBool("tls-verify")
 	rootFs, _ := cmd.Flags().GetString("rootfs")
 	useLibrepo, _ := cmd.Flags().GetBool("use-librepo")
 
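Review bot: In the `containerSource` literal of manifestForDiskImage, `Local: true` is now the only thing standing in for the removed `TLSVerify` field, and nothing in the hunk records why dropping registry TLS verification is safe here; a later change that resolves from a registry could land without anyone noticing the assumption. I'd add a comment above the literal: `// Local: the image is read from the container store the user pre-pulled into, never fetched from a registry, so registry TLS settings do not apply here.` The rest of manifestForDiskImage lies outside the hunk.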
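Review bot: The three-field `container.SourceSpec` literal in manifestForISO is now identical to the one in manifestForDiskImage, so the "local store only" decision lives in two places and the two can drift apart. I'd extract it into one helper, `func localContainerSource(imgref string) container.SourceSpec { return container.SourceSpec{Source: imgref, Name: imgref, Local: true} }`, and call it from both manifest builders, so any future change to how the image is resolved (for example re-enabling remote pulls with verification) is made once. manifestForISO continues outside the hunk.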
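Review bot: After this hunk the value of `--tls-verify` is never read, yet the flag stays registered (hidden and deprecated), so a caller passing `--tls-verify=false` or relying on `--tls-verify=true` gets silent acceptance with no indication the option does nothing. I'd emit a warning when it is explicitly set, at the spot where the read used to be: `if cmd.Flags().Changed("tls-verify") { fmt.Fprintln(os.Stderr, "WARNING: --tls-verify is deprecated and ignored; the container image is read from local storage") }`, or route it through whatever logger main.go already uses — whether `os` is imported is not visible here. manifestFromCobra starts and ends outside the hunk.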
@@ -305,7 +304,6 @@ func manifestFromCobra(cmd *cobra.Command, args []string, pbar progress.Progress
 		Config: config,
 		ImageTypes: imageTypes,
 		Imgref: imgref,
-		TLSVerify: tlsVerify,
 		RootfsMinsize: cntSize * containerSizeToDiskSizeMultiplier,
 		DistroDefPaths: distroDefPaths,
 		SourceInfo: sourceinfo,
@@ -653,7 +651,10 @@ func buildCobraCmdline() (*cobra.Command, error) {
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(manifestCmd)
 
-	manifestCmd.Flags().Bool("tls-verify", true, "require HTTPS and verify certificates when contacting registries")
+	manifestCmd.Flags().Bool("tls-verify", false, "DEPRECATED: require HTTPS and verify certificates when contacting registries")
+	if err := manifestCmd.Flags().MarkHidden("tls-verify"); err != nil {
+		return nil, fmt.Errorf("cannot hide 'tls-verify' :%w", err)
+	}
 	manifestCmd.Flags().String("rpmmd", "/rpmmd", "rpm metadata cache directory")
 	manifestCmd.Flags().String("target-arch", "", "build for the given target architecture (experimental)")
 	manifestCmd.Flags().StringArray("type", []string{"qcow2"}, fmt.Sprintf("image types to build [%s]", imagetypes.Available()))
diff --git a/test/test_opts.py b/test/test_opts.py
index 0827392e..c12a8a76 100644
--- a/test/test_opts.py
+++ b/test/test_opts.py
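Review bot: The help text on the hidden flag still says `DEPRECATED: require HTTPS and verify certificates when contacting registries` while the default was flipped to `false`, so anyone who finds it (help output with hidden flags shown, or a script inspecting flag defaults) will read it as "certificate verification is off by default" rather than "no registry is contacted at all". I'd keep the original default and have the text state the real behaviour: `manifestCmd.Flags().Bool("tls-verify", true, "DEPRECATED: ignored, the container image is always read from local container storage")`. The wrap message `"cannot hide 'tls-verify' :%w"` also puts the space on the wrong side of the colon; `"cannot hide 'tls-verify': %w"` matches the usual wrapping form. buildCobraCmdline continues outside the hunk.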
@@ -76,33 +76,6 @@ def test_opts_arch_is_same_arch_is_fine(tmp_path, build_fake_container, target_a
     assert expected_err in res.stderr
 
 
-@pytest.mark.parametrize("tls_opt,expected_cmdline", [
-    ([], "--tls-verify=true"),
-    (["--tls-verify"], "--tls-verify=true"),
-    (["--tls-verify=true"], "--tls-verify=true"),
-    (["--tls-verify=false"], "--tls-verify=false"),
-    (["--tls-verify=0"], "--tls-verify=false"),
-])
-def test_bib_tls_opts(tmp_path, container_storage, build_fake_container, tls_opt, expected_cmdline):
-    output_path = tmp_path / "output"
-    output_path.mkdir(exist_ok=True)
-
-    container_ref = "quay.io/centos-bootc/centos-bootc:stream9"
-    testutil.pull_container(container_ref)
-
-    subprocess.check_call([
-        "podman", "run", "--rm",
-        "--privileged",
-        "--security-opt", "label=type:unconfined_t",
-        "-v", f"{container_storage}:/var/lib/containers/storage",
-        "-v", f"{output_path}:/output",
-        build_fake_container,
-        container_ref,
-    ] + tls_opt)
-    podman_log = output_path / "podman.log"
-    assert expected_cmdline in podman_log.read_text()
-
-
 @pytest.mark.parametrize("with_debug", [False, True])
 def test_bib_log_level_smoke(tmp_path, container_storage, build_fake_container, with_debug):
     output_path = tmp_path / "output"