diff options
author | Christian Breunig <christian@breunig.cc> | 2023-02-09 07:30:59 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-09 07:30:59 +0100 |
commit | 10ab68a018dd137ee9a6350c131f65ec6e12e446 (patch) | |
tree | f8949f3e65c3772599eabe4bf219d60d22d6709c /src | |
parent | 707688894c1a02953b62eadb318b0ee398c799dd (diff) | |
parent | b17251334c57c2f6875c19ad4e6c6127aa9e1811 (diff) | |
download | vyos-1x-10ab68a018dd137ee9a6350c131f65ec6e12e446.tar.gz vyos-1x-10ab68a018dd137ee9a6350c131f65ec6e12e446.zip |
Merge pull request #1790 from Zen3515/current-add-container-login
container: T4959: Add container registry authentication config for containers
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/container.py | 27 | ||||
-rwxr-xr-x | src/op_mode/container.py | 4 |
2 files changed, 29 insertions, 2 deletions
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py index 08861053d..8d2e1afec 100755 --- a/src/conf_mode/container.py +++ b/src/conf_mode/container.py @@ -18,8 +18,8 @@ import os from ipaddress import ip_address from ipaddress import ip_network -from time import sleep from json import dumps as json_write +from json import dump as json_write_file from vyos.base import Warning from vyos.config import Config @@ -28,6 +28,7 @@ from vyos.configdict import node_changed from vyos.util import call from vyos.util import cmd from vyos.util import run +from vyos.util import rc_cmd from vyos.util import write_file from vyos.template import inc_ip from vyos.template import is_ipv4 @@ -40,6 +41,7 @@ airbag.enable() config_containers_registry = '/etc/containers/registries.conf' config_containers_storage = '/etc/containers/storage.conf' +config_containers_auth = '/etc/containers/auth.json' systemd_unit_path = '/run/systemd/system' def _cmd(command): @@ -218,6 +220,10 @@ def verify(container): if v6_prefix > 1: raise ConfigError(f'Only one IPv6 prefix can be defined for network "{network}"!') + if 'registry' in container: + for registry, registry_config in container['registry'].items(): + if ('username' in registry_config) != ('password' in registry_config): + raise ConfigError(f'Must either not defined username and password, or defined both for registry {registry}') # A network attached to a container can not be deleted if {'network_remove', 'name'} <= set(container): @@ -300,6 +306,12 @@ def generate(container): os.unlink(config_containers_storage) return None + # no matter we configure container registry or not, auth file is needed + if os.path.exists(config_containers_auth): + os.unlink(config_containers_auth) + with open(config_containers_auth, "w") as f: + json_write_file({}, f) + if 'network' in container: for network, network_config in container['network'].items(): tmp = { @@ -331,6 +343,19 @@ def generate(container): write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2)) + if 'registry' in container: + for registry, registry_config in container['registry'].items(): + if 'disable' in registry_config: + continue + + if 'username' in registry_config and 'password' in registry_config: + login_username = registry_config['username'] + login_password = registry_config['password'] + cmd = f'podman login --authfile {config_containers_auth} --username {login_username} --password {login_password} {registry}' + rc, out = rc_cmd(cmd) + if rc != 0: + raise ConfigError(out) + render(config_containers_registry, 'container/registries.conf.j2', container) render(config_containers_storage, 'container/storage.conf.j2', container) diff --git a/src/op_mode/container.py b/src/op_mode/container.py index d48766a0c..e7f4b0813 100755 --- a/src/op_mode/container.py +++ b/src/op_mode/container.py @@ -23,6 +23,8 @@ from vyos.util import cmd import vyos.opmode +config_containers_auth = '/etc/containers/auth.json' + def _get_json_data(command: str) -> list: """ Get container command format JSON @@ -38,7 +40,7 @@ def _get_raw_data(command: str) -> list: def add_image(name: str): from vyos.util import rc_cmd - rc, output = rc_cmd(f'podman image pull {name}') + rc, output = rc_cmd(f'podman image pull --authfile {config_containers_auth} {name}') if rc != 0: raise vyos.opmode.InternalError(output) |