From a02aa8f6a295f0572735a53b8e984184aaf4e66a Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Tue, 20 Feb 2024 14:47:22 +0100
Subject: [PATCH 1/5] pkg/machine/ocipull: add custom policy.json location
The default policy file /etc/containers/policy.json location does not work on windows and for packages that ship a default. Now we search for the policy.json in the following overwrite locations: macos and linux: - ~/.config/containers/policy.json - /etc/containers/policy.json windows: - %APPDATA%\containers\policy.json Also it offers an additional DefaultPolicyJSONPath var that should be overwritten at built time with the path of the file that is shipped by packagers. Thile file is used when none of the overwrite paths exist.
[NO NEW TESTS NEEDED]
Signed-off-by: Paul Holzinger
---
 pkg/machine/ocipull/policy.go | 47 +++++++++++++++++++++++++++
 pkg/machine/ocipull/policy_unix.go | 19 +++++++++++
 pkg/machine/ocipull/policy_windows.go | 10 ++++++
 pkg/machine/ocipull/pull.go | 9 +++--
 4 files changed, 83 insertions(+), 2 deletions(-)
 create mode 100644 pkg/machine/ocipull/policy.go
 create mode 100644 pkg/machine/ocipull/policy_unix.go
 create mode 100644 pkg/machine/ocipull/policy_windows.go
diff --git a/pkg/machine/ocipull/policy.go b/pkg/machine/ocipull/policy.go
new file mode 100644
index 0000000000..aab3b81dda
--- /dev/null
+++ b/pkg/machine/ocipull/policy.go
@@ -0,0 +1,47 @@
+package ocipull
+
+import (
+ "fmt"
+ "os"
+ "path/filepath"
+)
+
+// DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where
+// the shipped policy.json file is located. This can either be absolute path or a relative path. If it
+// is relative it will be resolved relative to the podman binary and NOT the CWD.
+//
+// use "-X github.com/containers/podman/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=/somepath" in go ldflags to overwrite this
+var DefaultPolicyJSONPath = ""
+
+const policyfile = "policy.json"
+
+type defaultPolicyError struct {
+ errs []error
+}
+
+func (e *defaultPolicyError) Error() string {
+ return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs)
+}
+
+func policyPath() (string, error) {
+ paths := localPolicyOverwrites()
+ errs := make([]error, 0, len(paths))
+ for _, path := range paths {
+ _, err := os.Stat(path)
+ if err == nil {
+ return path, nil
+ }
+ errs = append(errs, err)
+ }
+ if DefaultPolicyJSONPath != "" {
+ if filepath.IsAbs(DefaultPolicyJSONPath) {
+ return filepath.Join(DefaultPolicyJSONPath, policyfile), nil
+ }
+ p, err := os.Executable()
+ if err != nil {
+ return "", fmt.Errorf("could not resolve relative path to binary: %w", err)
+ }
+ return filepath.Join(p, DefaultPolicyJSONPath, policyfile), nil
+ }
+ return "", &defaultPolicyError{errs: errs}
+}
diff --git a/pkg/machine/ocipull/policy_unix.go b/pkg/machine/ocipull/policy_unix.go
new file mode 100644
index 0000000000..2fd0443583
--- /dev/null
+++ b/pkg/machine/ocipull/policy_unix.go
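Review bot: `filepath.Join(p, DefaultPolicyJSONPath, policyfile)` in the relative branch of `policyPath` joins the executable's own path rather than its directory, so a relative DefaultPolicyJSONPath such as "." resolves to `<binary>/./policy.json`, which can never exist, although the doc comment above promises resolution relative to the binary; the line should read `return filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile), nil`. Depending on the platform, os.Executable may return the symlink through which podman was started rather than its target, so whether a filepath.EvalSymlinks step is wanted first depends on how the packages lay the file out. Separately, the Stat loop treats every error as "not present": a permission error on the per-user override silently falls through to the next candidate and the collected errors only surface when no default path is configured, so a different policy than the one the user wrote can be selected without any message. Distinguishing `errors.Is(err, fs.ErrNotExist)` (with errors and io/fs imported) from other Stat failures, and returning the latter, would make that visible instead of silent.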
@@ -0,0 +1,19 @@
+//go:build !windows
+
+package ocipull
+
+import (
+ "path/filepath"
+
+ "github.com/containers/common/pkg/config"
+ "github.com/containers/storage/pkg/homedir"
+)
+
+func localPolicyOverwrites() []string {
+ var dirs []string
+ if p, err := homedir.GetConfigHome(); err == nil {
+ dirs = append(dirs, filepath.Join(p, "containers", policyfile))
+ }
+ dirs = append(dirs, config.DefaultSignaturePolicyPath)
+ return dirs
+}
diff --git a/pkg/machine/ocipull/policy_windows.go b/pkg/machine/ocipull/policy_windows.go
new file mode 100644
index 0000000000..3a1c31932c
--- /dev/null
+++ b/pkg/machine/ocipull/policy_windows.go
@@ -0,0 +1,10 @@
+package ocipull
+
+import (
+ "os"
+ "path/filepath"
+)
+
+func localPolicyOverwrites() []string {
+ return []string{filepath.Join(os.Getenv("APPDATA"), "containers", policyfile)}
+}
diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
index e484964da7..dce8147d9d 100644
--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
@@ -44,9 +44,14 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 sysCtx.DockerAuthConfig = authConf
 }
- policy, err := signature.DefaultPolicy(sysCtx)
+ path, err := policyPath()
 if err != nil {
- return fmt.Errorf("obtaining default signature policy: %w", err)
+ return err
+ }
+
+ policy, err := signature.NewPolicyFromFile(path)
+ if err != nil {
+ return fmt.Errorf("obtaining signature policy: %w", err)
 }
 policyContext, err := signature.NewPolicyContext(policy)
 if err != nil {
From f5a26831922139399a14acfb49eac45cd25fa90f Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Tue, 20 Feb 2024 15:11:41 +0100
Subject: [PATCH 2/5] Makefile: add MACHINE_POLICY_JSON_DIR option
Allow users to set MACHINE_POLICY_JSON_DIR to the policy.json directory which is used for podman machine pulls.
Signed-off-by: Paul Holzinger
---
 Makefile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/Makefile b/Makefile
index ad9986aa06..c46b8eca33 100644
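Review bot: `localPolicyOverwrites` has no doc comment, yet the order it returns is the security-relevant contract of the whole lookup: the per-user `~/.config/containers/policy.json` is tried before `config.DefaultSignaturePolicyPath`, so a file in the user's config home takes precedence over the system-wide policy for machine image pulls, and the homedir error is deliberately swallowed so the system path is still offered. Suggested comment: `// localPolicyOverwrites returns candidate policy.json paths in precedence order (user config home first, then the system default); the caller uses the first one that exists.` The Windows implementation should carry the matching comment so the two build-tagged variants read as one contract.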
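Review bot: When APPDATA is unset, `filepath.Join(os.Getenv("APPDATA"), "containers", policyfile)` degrades to the relative path `containers\policy.json`, which the os.Stat in policyPath then resolves against the current working directory, so the signature policy governing the pull would be taken from whatever directory podman happens to be run in. Returning no candidates when the variable is empty keeps the lookup anchored to the user's profile and lets policyPath fall through to DefaultPolicyJSONPath as intended; policyPath already copes with an empty slice, so no caller change is needed.
```go
func localPolicyOverwrites() []string {
	appData := os.Getenv("APPDATA")
	if appData == "" {
		// no profile directory to anchor to; let policyPath fall back to DefaultPolicyJSONPath
		return nil
	}
	return []string{filepath.Join(appData, "containers", policyfile)}
}
```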
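Review bot: `return err` after `path, err := policyPath()` drops the context every other error path in Pull carries; the relative-path branch of policyPath yields "could not resolve relative path to binary", which tells the user nothing about signature policy. Wrapping it as `return fmt.Errorf("locating signature policy: %w", err)` keeps the errors.Is/As chain intact while naming the step. The replaced `signature.DefaultPolicy(sysCtx)` also honored `sysCtx.SignaturePolicyPath`; if anything sets that field on the context built above this hunk, the new lookup ignores it, which is worth confirming. Pull's body starts before and continues after this hunk.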
--- a/Makefile
+++ b/Makefile
@@ -119,6 +119,7 @@ LDFLAGS_PODMAN ?= \
 -X $(LIBPOD)/config._installPrefix=$(PREFIX) \
 -X $(LIBPOD)/config._etcDir=$(ETCDIR) \
 -X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \
+ -X $(PROJECT)/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR) \
 -X github.com/containers/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\
 $(EXTRA_LDFLAGS)
 LDFLAGS_PODMAN_STATIC ?= \
From bed61806c86a798f80e70690a6f2533de81cc930 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Tue, 20 Feb 2024 15:39:57 +0100
Subject: [PATCH 3/5] pkg/machine/ocipull: add default policy.json file
So that this file can be inculded in our windows/macos packages and also by other packagers. Right now the default policy is allow everything but we plan to add signing in the future.
Signed-off-by: Paul Holzinger
---
 pkg/machine/ocipull/policy.json | 7 +++++++
 1 file changed, 7 insertions(+)
 create mode 100644 pkg/machine/ocipull/policy.json
diff --git a/pkg/machine/ocipull/policy.json b/pkg/machine/ocipull/policy.json
new file mode 100644
index 0000000000..bb26e57ff2
--- /dev/null
+++ b/pkg/machine/ocipull/policy.json
@@ -0,0 +1,7 @@
+{
+ "default": [
+ {
+ "type": "insecureAcceptAnything"
+ }
+ ]
+}
From 1e5b5a88926cd9ca90f7a6e701b70295a6e38979 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Tue, 20 Feb 2024 15:38:04 +0100
Subject: [PATCH 4/5] macos installer: install default policy.json file
Include a default policy.json file in the macos package so users do not have to add this manually.
Signed-off-by: Paul Holzinger
---
 contrib/pkginstaller/Makefile | 2 ++
 contrib/pkginstaller/package.sh | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile
index c335dc194c..35a86c9a66 100644
--- a/contrib/pkginstaller/Makefile
+++ b/contrib/pkginstaller/Makefile
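Review bot: `MACHINE_POLICY_JSON_DIR` is consumed by the new `-X ...DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR)` line but nothing in this hunk declares or describes it; when it is unset the flag becomes `DefaultPolicyJSONPath=`, which leaves the Go default of "" and means "no shipped policy", a silent outcome for a packager who mistyped the variable name. A declaration near the other configurable directories, `MACHINE_POLICY_JSON_DIR ?=` preceded by a comment stating that it names the directory holding the policy.json used for machine image pulls and may be absolute or relative to the podman binary, would document the knob. Whether such a declaration already exists elsewhere in the Makefile is outside this hunk.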
@@ -47,6 +47,8 @@ package_root: clean-pkgroot $(TMP_DOWNLOAD)/gvproxy $(TMP_DOWNLOAD)/vfkit
 cp $(TMP_DOWNLOAD)/gvproxy $(PACKAGE_ROOT)/podman/bin/
 cp $(TMP_DOWNLOAD)/vfkit $(PACKAGE_ROOT)/podman/bin/
 chmod a+x $(PACKAGE_ROOT)/podman/bin/*
+ mkdir $(PACKAGE_ROOT)/podman/config
+ cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json
 %: %.in podman_version
 @sed -e 's/__VERSION__/'$(shell ../../test/version/version)'/g' $< >$@
diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh
index 6c75ca562d..493e64fe2d 100755
--- a/contrib/pkginstaller/package.sh
+++ b/contrib/pkginstaller/package.sh
@@ -8,6 +8,7 @@ CODESIGN_IDENTITY=${CODESIGN_IDENTITY:-mock}
 PRODUCTSIGN_IDENTITY=${PRODUCTSIGN_IDENTITY:-mock}
 NO_CODESIGN=${NO_CODESIGN:-0}
 HELPER_BINARIES_DIR="/opt/podman/bin"
+MACHINE_POLICY_JSON_DIR="/opt/podman/config"
 binDir="${BASEDIR}/root/podman/bin"
@@ -16,7 +17,7 @@ arch=$(cat "${BASEDIR}/ARCH")
 function build_podman() {
 pushd "$1"
- make GOARCH="${goArch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}"
+ make GOARCH="${goArch}" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" MACHINE_POLICY_JSON_DIR="${MACHINE_POLICY_JSON_DIR}"
 make GOARCH="${goArch}" podman-mac-helper
 cp bin/darwin/podman "contrib/pkginstaller/out/packaging/${binDir}/podman"
 cp bin/darwin/podman-mac-helper "contrib/pkginstaller/out/packaging/${binDir}/podman-mac-helper"
From e32c9bb5e949f44f98b4cddbffdae755ed390580 Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Wed, 21 Feb 2024 15:50:43 +0100
Subject: [PATCH 5/5] Makefile: add machine policy.json to podman-remote.zip
This config needs to be included for podman machine pulls to work and set MACHINE_POLICY_JSON_DIR so that the file should be located next to the binary.
Signed-off-by: Paul Holzinger
---
 Makefile | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/Makefile b/Makefile
index c46b8eca33..06112dd1c2 100644
--- a/Makefile
+++ b/Makefile
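Review bot: `mkdir $(PACKAGE_ROOT)/podman/config` has no `-p`, so the recipe aborts with "File exists" whenever the directory survives a previous run; `clean-pkgroot` is a prerequisite of package_root, so this only bites if that target leaves the directory behind, but `mkdir -p $(PACKAGE_ROOT)/podman/config` is idempotent and costs nothing. The same location is then pinned a second time in package.sh as `MACHINE_POLICY_JSON_DIR="/opt/podman/config"` with nothing tying the two together; a comment on that line such as `# must match where contrib/pkginstaller/Makefile places policy.json under $(PACKAGE_ROOT)` would at least make the coupling visible. Because the baked-in path is absolute, the podman binary trusts whatever policy.json sits at that location at run time, so the installed file and directory should not be user-writable; the `cp` here inherits the mode of the source file and the packager's umask, neither of which is visible in this hunk.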
@@ -763,10 +763,10 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$
 $(MAKE) GOOS=$(GOOS) GOARCH=$(GOARCH) \
 clean-binaries podman-remote-$(GOOS)-docs
 if [[ "$(GOARCH)" != "$(NATIVE_GOARCH)" ]]; then \
- $(MAKE) CGO_ENABLED=0 $(GOPLAT) BUILDTAGS="$(BUILDTAGS_CROSS)" \
+ $(MAKE) CGO_ENABLED=0 $(GOPLAT) BUILDTAGS="$(BUILDTAGS_CROSS)" MACHINE_POLICY_JSON_DIR="." \
 clean-binaries podman-remote; \
 else \
- $(MAKE) $(GOPLAT) podman-remote; \
+ $(MAKE) $(GOPLAT) MACHINE_POLICY_JSON_DIR="." podman-remote; \
 fi
 if [[ "$(GOOS)" == "windows" ]]; then \
 $(MAKE) $(GOPLAT) TMPDIR="" win-gvproxy; \
@@ -776,6 +776,7 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$
 fi
 cp -r ./docs/build/remote/$(GOOS) "$(tmpsubdir)/$(releasedir)/docs/"
 cp ./contrib/remote/containers.conf "$(tmpsubdir)/$(releasedir)/"
+ cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/"
 $(MAKE) $(GOPLAT) $(_dstargs) SELINUXOPT="" install.remote
 cd "$(tmpsubdir)" && \
 zip --recurse-paths "$(CURDIR)/$@" "./$(releasedir)"
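Review bot: `MACHINE_POLICY_JSON_DIR="."` makes DefaultPolicyJSONPath relative, which policy.go documents as resolved relative to the podman binary, while the added `cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/"` in the second hunk drops the file at the release root; whether `install.remote` (defined outside this hunk) places the binary in that same directory rather than a subdirectory is not visible here, and it decides whether the lookup ever finds the file. A comment above the cp, `# must land in the same directory as the podman binary: DefaultPolicyJSONPath is "." (see MACHINE_POLICY_JSON_DIR above)`, would record the dependency for whoever next moves either file. As the relative branch in policy.go currently joins the executable path itself rather than its directory, this layout only works once that is corrected, so a test that unpacks the zip and runs a machine pull would catch both.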