Added documentation for containers-storage transport. #1500
It is important to mention it when the default policy is in restrictive mode. During a push operation, the image is being copied from local storage to the docker transport. This action should be allowed for a successful push.

Signed-off-by: Ina Panova <ipanova@redhat.com>
Thanks!
I’m afraid we have not kept this documentation up, I have at least filed #1501 for that.
It’s admittedly unfair to block this PR (documenting the important `podman push` case) on getting the `containers-storage:` scopes exactly right. I guess I could live with a cop-out “documentation of scopes TBD”, if no-one has time to document it correctly now.
|
||
The `containers-storage` transport refers to the image location in a local containers storage. | ||
|
||
Supported scopes are for a specific image(s) or `""` for all images located in the containers-storage. |
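Review bot: the scopes sentence ("a specific image(s)") does not say what a scope string for this transport looks like, so a reader cannot write a policy key for a single image from it. Give the scope syntax with at least one example, or mark the scopes as not yet documented. The body text also writes `containers-storage` without the trailing colon, while the neighbouring section says "The `tarball:` transport"; use one form.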
The supported scopes are actually quite different (notably they always start with a […] store specification), see `storageReference.PolicyConfiguration{Identity,Namespaces}`.
@@ -110,6 +110,12 @@ The `tarball:` transport refers to tarred up container root filesystems. | |||
|
|||
Scopes are ignored. | |||
|
|||
### `containers-storage:` |
Please keep the transports in alphabetical order.
@@ -305,6 +311,9 @@ selectively allow individual transports and scopes as desired. | |||
} | |||
} | |||
] | |||
}, | |||
"containers-storage": { | |||
"": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage */ |
Maybe
"": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage */ | |
"": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage (e.g. podman push) */ |
|
||
The `containers-storage` transport refers to the image location in a local containers storage. | ||
|
||
Supported scopes are for a specific image(s) or `""` for all images located in the containers-storage. |
The `""` special case is not a feature of the transport, but a generic mechanism (documented in “A default policy for a single transport…”).