Added documentation for containers-storage transport. #1500
Conversation
It is important to mention it when the default policy is in restrictive mode. During push operation image is being copied from local storage to the docker transport. This action should be allowed for a successfull push. Signed-off-by: Ina Panova <ipanova@redhat.com>
There was a problem hiding this comment.
Thanks!
I’m afraid we have not kept this documentation up, I have at least filed #1501 for that.
It’s admittedly unfair to block this PR (documenting the important podman push case) on getting the containers-storage: scopes exactly right. I guess I could live with a cop-out “documentation of scopes TBD”, if no-one has time to document it correctly now.
|
|
||
| The `containers-storage` transport refers to the image location in a local containers storage. | ||
|
|
||
| Supported scopes are for a specific image(s) or `""` for all images located in the containers-storage. |
There was a problem hiding this comment.
The supported scopes are actually quite different (notably they always start with a […] store specification), see storageReference.PolicyConfiguration{Identity,Namespaces}.
| @@ -110,6 +110,12 @@ The `tarball:` transport refers to tarred up container root filesystems. | |||
|
|
|||
| Scopes are ignored. | |||
|
|
|||
| ### `containers-storage:` | |||
There was a problem hiding this comment.
Please keep the transports in alphabetical order.
| @@ -305,6 +311,9 @@ selectively allow individual transports and scopes as desired. | |||
| } | |||
| } | |||
| ] | |||
| }, | |||
| "containers-storage": { | |||
| "": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage */ | |||
There was a problem hiding this comment.
Maybe
| "": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage */ | |
| "": [{"type": "insecureAcceptAnything"}] /* Allow copy operations on any images stored in containers storage (e.g. podman push) */ |
|
|
||
| The `containers-storage` transport refers to the image location in a local containers storage. | ||
|
|
||
| Supported scopes are for a specific image(s) or `""` for all images located in the containers-storage. |
There was a problem hiding this comment.
The "" special case is not a feature of the transport, but a generic mechanism (documented in “A default policy for a single transport…”)
It is important to mention it when the default policy is in restrictive
mode.
During push operation image is being copied from local storage to the
docker transport. This action should be allowed for a successfull push.