From d7bc7b7b410fd70052073103e6b9e367e28af8ba Mon Sep 17 00:00:00 2001 From: Brent Baude Date: Mon, 11 Mar 2024 13:49:50 -0500 Subject: [PATCH] do not require policy.json we are having second thoughts about *requiring* a policy.json on podman machine hosts. we are concerned that we need to work out some more use cases to be sure we do not make choices now that limit us in the near term future. for example, should the policy files be the same for container images and machine images? And should one live on the host machine and the other live in the machine? therefore, if a policy.json *is* present in the correct location, we will use and honor it; however, if it does not, we will allow the machine image to be pulled without a policy. Signed-off-by: Brent Baude Co-authored-by: Paul Holzinger <45212748+Luap99@users.noreply.github.com> Signed-off-by: Brent Baude --- Makefile | 6 ---- contrib/pkginstaller/Makefile | 5 +-- contrib/pkginstaller/package.sh | 2 +- contrib/win-installer/build.ps1 | 14 ++++----- contrib/win-installer/podman.wxs | 13 -------- contrib/win-installer/process-release.ps1 | 13 ++++---- pkg/machine/ocipull/policy.go | 30 +++++------------- pkg/machine/ocipull/pull.go | 37 +++++++++++++++++++---- 8 files changed, 57 insertions(+), 63 deletions(-) diff --git a/Makefile b/Makefile index 5b1ffcd2d3..6ea712b216 100644 --- a/Makefile +++ b/Makefile @@ -103,7 +103,6 @@ FISHINSTALLDIR=${PREFIX}/share/fish/vendor_completions.d SELINUXOPT ?= $(shell test -x /usr/sbin/selinuxenabled && selinuxenabled && echo -Z) -MACHINE_POLICY_JSON_DIR ?= . COMMIT_NO ?= $(shell git rev-parse HEAD 2> /dev/null || true) GIT_COMMIT ?= $(if $(shell git status --porcelain --untracked-files=no),$(call err_if_empty,COMMIT_NO)-dirty,$(COMMIT_NO)) 
@@ -121,7 +120,6 @@ LDFLAGS_PODMAN ?= \ -X $(LIBPOD)/config._installPrefix=$(PREFIX) \ -X $(LIBPOD)/config._etcDir=$(ETCDIR) \ -X $(PROJECT)/v5/pkg/systemd/quadlet._binDir=$(BINDIR) \ - -X $(PROJECT)/v5/pkg/machine/ocipull.DefaultPolicyJSONPath=$(MACHINE_POLICY_JSON_DIR) \ -X github.com/containers/common/pkg/config.additionalHelperBinariesDir=$(HELPER_BINARIES_DIR)\ $(EXTRA_LDFLAGS) LDFLAGS_PODMAN_STATIC ?= \ @@ -782,10 +780,6 @@ podman-remote-release-%.zip: test/version/version ## Build podman-remote for %=$ cp -r ./docs/build/remote/$(GOOS) "$(tmpsubdir)/$(releasedir)/docs/" cp ./contrib/remote/containers.conf "$(tmpsubdir)/$(releasedir)/" $(MAKE) $(GOPLAT) $(_dstargs) SELINUXOPT="" install.remote - # Placing the policy file in the bin directory is intentional This - # could be changed in the future to mirror LSB on Linux/Unix but would - # require path resolution logic changes to sustain the Win flat model - cp ./pkg/machine/ocipull/policy.json "$(tmpsubdir)/$(releasedir)/$(RELEASE_PREFIX)/bin" cd "$(tmpsubdir)" && \ zip --recurse-paths "$(CURDIR)/$@" "./$(releasedir)" if [[ "$(GOARCH)" != "$(NATIVE_GOARCH)" ]]; then $(MAKE) clean-binaries; fi diff --git a/contrib/pkginstaller/Makefile b/contrib/pkginstaller/Makefile index 3f0722b1e6..a742bfe0e1 100644 --- a/contrib/pkginstaller/Makefile +++ b/contrib/pkginstaller/Makefile @@ -47,8 +47,9 @@ package_root: clean-pkgroot $(TMP_BIN)/gvproxy $(TMP_BIN)/vfkit cp $(TMP_BIN)/gvproxy $(PACKAGE_ROOT)/podman/bin/ cp $(TMP_BIN)/vfkit $(PACKAGE_ROOT)/podman/bin/ chmod a+x $(PACKAGE_ROOT)/podman/bin/* - mkdir $(PACKAGE_ROOT)/podman/config - cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json + # Leaving for future considerations + # mkdir $(PACKAGE_ROOT)/podman/config + # cp ../../pkg/machine/ocipull/policy.json $(PACKAGE_ROOT)/podman/config/policy.json %: %.in podman_version @sed -e 's/__VERSION__/'$(shell ../../test/version/version)'/g' $< >$@ 
diff --git a/contrib/pkginstaller/package.sh b/contrib/pkginstaller/package.sh index 09111f812a..8a3496beeb 100755 --- a/contrib/pkginstaller/package.sh +++ b/contrib/pkginstaller/package.sh @@ -41,7 +41,7 @@ function build_podman() { } function build_podman_arch(){ - make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" MACHINE_POLICY_JSON_DIR="${MACHINE_POLICY_JSON_DIR}" + make -B GOARCH="$1" podman-remote HELPER_BINARIES_DIR="${HELPER_BINARIES_DIR}" make -B GOARCH="$1" podman-mac-helper mkdir -p "${tmpBin}" cp bin/darwin/podman "${tmpBin}/podman-$1" diff --git a/contrib/win-installer/build.ps1 b/contrib/win-installer/build.ps1 index 8764a78149..6c5189d7f9 100644 --- a/contrib/win-installer/build.ps1 +++ b/contrib/win-installer/build.ps1 @@ -144,13 +144,13 @@ if ($gvExists) { $env:UseGVProxy = "Skip" } -$pExists = Test-Path "artifacts/policy.json" -if ($pExists) { - Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue -} else { - $env:IncludePolicyJSON = "Skip" -} - +# Retaining for possible future additions +# $pExists = Test-Path "artifacts/policy.json" +# if ($pExists) { +# Remove-Item Env:\IncludePolicyJSON -ErrorAction SilentlyContinue +# } else { +# $env:IncludePolicyJSON = "Skip" +# } .\build-msi.bat $ENV:INSTVER; ExitOnError SignItem @("podman.msi") diff --git a/contrib/win-installer/podman.wxs b/contrib/win-installer/podman.wxs index 85b206a918..84db5e1cc9 100644 --- a/contrib/win-installer/podman.wxs +++ b/contrib/win-installer/podman.wxs @@ -12,11 +12,6 @@ - - - - - @@ -47,11 +42,6 @@ - - - - - @@ -85,9 +75,6 @@ - - - diff --git a/contrib/win-installer/process-release.ps1 b/contrib/win-installer/process-release.ps1 index d9fb0a86c0..230ad7a43b 100644 --- a/contrib/win-installer/process-release.ps1 +++ b/contrib/win-installer/process-release.ps1 
@@ -135,12 +135,13 @@ try { Copy-Artifact("gvproxy.exe") } - $loc = Get-ChildItem -Recurse -Path . -Name policy.json - if (!$loc) { - Write-Host "Skipping policy.json artifact" - } else { - Copy-Artifact("policy.json") - } + # Retaining for future additions + # $loc = Get-ChildItem -Recurse -Path . -Name policy.json + # if (!$loc) { + # Write-Host "Skipping policy.json artifact" + # } else { + # Copy-Artifact("policy.json") + # } $docsloc = Get-ChildItem -Path . -Name docs -Recurse $loc = Get-ChildItem -Recurse -Path . -Name podman-for-windows.html diff --git a/pkg/machine/ocipull/policy.go b/pkg/machine/ocipull/policy.go index 62ebcdd2ab..d2f929e70b 100644 --- a/pkg/machine/ocipull/policy.go +++ b/pkg/machine/ocipull/policy.go @@ -1,9 +1,10 @@ package ocipull import ( - "fmt" "os" "path/filepath" + + "github.com/sirupsen/logrus" ) // DefaultPolicyJSONPath should be overwritten at build time with the real path to the directory where 
@@ -15,33 +16,18 @@ var DefaultPolicyJSONPath = ""
 
 const policyfile = "policy.json"
 
-type defaultPolicyError struct {
-	errs []error
-}
-
-func (e *defaultPolicyError) Error() string {
-	return fmt.Sprintf("no DefaultPolicyJSONPath defined and no local overwrites found: %q", e.errs)
-}
-
-func policyPath() (string, error) {
+// policyPaths returns a slice of possible directories where a policy.json might live
+func policyPaths() []string {
 	paths := localPolicyOverwrites()
-	errs := make([]error, 0, len(paths))
-	for _, path := range paths {
-		_, err := os.Stat(path)
-		if err == nil {
-			return path, nil
-		}
-		errs = append(errs, err)
-	}
 	if DefaultPolicyJSONPath != "" {
 		if filepath.IsAbs(DefaultPolicyJSONPath) {
-			return filepath.Join(DefaultPolicyJSONPath, policyfile), nil
+			return append(paths, filepath.Join(DefaultPolicyJSONPath, policyfile))
 		}
 		p, err := os.Executable()
 		if err != nil {
-			return "", fmt.Errorf("could not resolve relative path to binary: %w", err)
+			logrus.Warnf("could not resolve relative path to binary: %q", err)
 		}
-		return filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile), nil
+		paths = append(paths, filepath.Join(filepath.Dir(p), DefaultPolicyJSONPath, policyfile))
 	}
-	return "", &defaultPolicyError{errs: errs}
+	return paths
 }
diff --git a/pkg/machine/ocipull/pull.go b/pkg/machine/ocipull/pull.go
index dce8147d9d..0822578e8a 100644
--- a/pkg/machine/ocipull/pull.go
+++ b/pkg/machine/ocipull/pull.go
@@ -2,7 +2,9 @@ package ocipull
 
 import (
 	"context"
+	"errors"
 	"fmt"
+	"io/fs"
 	"os"
 
 	"github.com/containers/buildah/pkg/parse"
@@ -13,6 +15,7 @@ import (
 	"github.com/containers/image/v5/transports/alltransports"
 	"github.com/containers/image/v5/types"
 	"github.com/containers/podman/v5/pkg/machine/define"
+	"github.com/sirupsen/logrus"
 )
 
 // PullOptions includes data to alter certain knobs when pulling a source
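Review bot: When os.Executable() fails, policyPaths still appends a candidate built from filepath.Dir("") — i.e. "." — so a relative DefaultPolicyJSONPath is resolved against the current working directory instead of the binary's directory, and a policy.json found there would be honored. Since the failure is already logged, the safer behaviour is to stop at that point: `logrus.Warnf("could not resolve relative path to binary: %v", err)` followed by `return paths`, so only the locations the build actually asked for are considered. The new doc comment is also inaccurate — the function returns candidate file paths (each already joined with policyfile), not directories; suggest `// policyPaths returns the candidate policy.json file paths in lookup order: local overwrites first, then the build-time default location.` Note that with this patch the Makefile no longer sets DefaultPolicyJSONPath, so that branch only applies to builds that still pass the ldflag.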
@@ -26,8 +29,17 @@ type PullOptions struct {
 	Quiet bool
 }
 
+var (
+	// noSignaturePolicy is a default policy if policy.json is not found on
+	// the host machine.
+	noSignaturePolicy string = `{"default":[{"type":"insecureAcceptAnything"}]}`
+)
+
 // Pull `imageInput` from a container registry to `sourcePath`.
 func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *define.VMFile, options *PullOptions) error {
+	var (
+		policy *signature.Policy
+	)
 	destRef, err := layout.ParseReference(localDestPath.GetPath())
 	if err != nil {
 		return err
@@ -44,15 +56,28 @@ func Pull(ctx context.Context, imageInput types.ImageReference, localDestPath *d
 		sysCtx.DockerAuthConfig = authConf
 	}
 
-	path, err := policyPath()
-	if err != nil {
-		return err
+	// Policy paths returns a slice of directories where the policy.json
+	// may live. Iterate those directories and try to see if any are
+	// valid ignoring when the file does not exist
+	for _, path := range policyPaths() {
+		policy, err = signature.NewPolicyFromFile(path)
+		if err != nil {
+			if errors.Is(err, fs.ErrNotExist) {
+				continue
+			}
+			return fmt.Errorf("reading signature policy: %w", err)
+		}
 	}
 
-	policy, err := signature.NewPolicyFromFile(path)
-	if err != nil {
-		return fmt.Errorf("obtaining signature policy: %w", err)
+	// If no policy has been found yet, we use a no signature policy automatically
+	if policy == nil {
+		logrus.Debug("no signature policy file found: using default allow everything signature policy")
+		policy, err = signature.NewPolicyFromBytes([]byte(noSignaturePolicy))
+		if err != nil {
+			return fmt.Errorf("obtaining signature policy: %w", err)
+		}
 	}
+
 	policyContext, err := signature.NewPolicyContext(policy)
 	if err != nil {
 		return fmt.Errorf("creating new signature policy context: %w", err)
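Review bot: `noSignaturePolicy string = ...` in a var block is a mutable package-level string with a redundant type annotation; since the fallback policy is a fixed literal it should be `const noSignaturePolicy = `{"default":[{"type":"insecureAcceptAnything"}]}`` so nothing can reassign it at runtime. Its comment should state what the policy does rather than only when it is used, e.g. `// noSignaturePolicy accepts any image without signature verification; it is the fallback when no policy.json is found on the host.` The three-line `var ( policy *signature.Policy )` at the top of Pull reads more naturally as `var policy *signature.Policy`. Pull's body continues outside this hunk.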
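Review bot: The loop over policyPaths() does not stop after a successful load, and because `policy, err = signature.NewPolicyFromFile(path)` assigns both results on every iteration, a later candidate that does not exist resets policy to nil (NewPolicyFromFile returns a nil *Policy together with the read error) — so with two candidates where only the first exists, the file is found and then discarded and the insecureAcceptAnything fallback is used. Adding `break` as the last statement of the loop body fixes this and gives first-match precedence. The fallback disables signature verification for the machine image yet is only visible at debug level; it deserves `logrus.Warn("no signature policy file found: using default allow everything signature policy")` so an operator can tell that no policy was applied. The leading comment also misdescribes policyPaths, which yields file paths, not directories. Pull starts and ends outside this hunk.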