authorChristian Breunig <christian@breunig.cc>2023-02-09 07:30:59 +0100
committerGitHub <noreply@github.com>2023-02-09 07:30:59 +0100
commit10ab68a018dd137ee9a6350c131f65ec6e12e446 (patch)
treef8949f3e65c3772599eabe4bf219d60d22d6709c /src
parent707688894c1a02953b62eadb318b0ee398c799dd (diff)
parentb17251334c57c2f6875c19ad4e6c6127aa9e1811 (diff)
Merge pull request #1790 from Zen3515/current-add-container-login
container: T4959: Add container registry authentication config for containers
Diffstat (limited to 'src')
-rwxr-xr-xsrc/conf_mode/container.py27
-rwxr-xr-xsrc/op_mode/container.py4
2 files changed, 29 insertions, 2 deletions
diff --git a/src/conf_mode/container.py b/src/conf_mode/container.py
index 08861053d..8d2e1afec 100755
--- a/src/conf_mode/container.py
+++ b/src/conf_mode/container.py
@@ -18,8 +18,8 @@ import os
from ipaddress import ip_address
from ipaddress import ip_network
-from time import sleep
from json import dumps as json_write
+from json import dump as json_write_file
from vyos.base import Warning
from vyos.config import Config
@@ -28,6 +28,7 @@ from vyos.configdict import node_changed
from vyos.util import call
from vyos.util import cmd
from vyos.util import run
+from vyos.util import rc_cmd
from vyos.util import write_file
from vyos.template import inc_ip
from vyos.template import is_ipv4
@@ -40,6 +41,7 @@ airbag.enable()
config_containers_registry = '/etc/containers/registries.conf'
config_containers_storage = '/etc/containers/storage.conf'
+config_containers_auth = '/etc/containers/auth.json'
systemd_unit_path = '/run/systemd/system'
def _cmd(command):
@@ -218,6 +220,10 @@ def verify(container):
if v6_prefix > 1:
raise ConfigError(f'Only one IPv6 prefix can be defined for network "{network}"!')
+ if 'registry' in container:
+ for registry, registry_config in container['registry'].items():
+ if ('username' in registry_config) != ('password' in registry_config):
+ raise ConfigError(f'Must either not defined username and password, or defined both for registry {registry}')
# A network attached to a container can not be deleted
if {'network_remove', 'name'} <= set(container):
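Review bot: The new ConfigError text in verify() ("Must either not defined username and password, or defined both") is hard to read and does not follow the quoting style of the message just above it. Something like `raise ConfigError(f'Registry "{registry}" requires both username and password, or neither!')` says the same thing. The check only looks at key presence, so whether an empty username or password can still reach generate() depends on the CLI definition, which is not part of this diff. verify() starts and ends outside the hunk.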
@@ -300,6 +306,12 @@ def generate(container):
os.unlink(config_containers_storage)
return None
+ # no matter we configure container registry or not, auth file is needed
+ if os.path.exists(config_containers_auth):
+ os.unlink(config_containers_auth)
+ with open(config_containers_auth, "w") as f:
+ json_write_file({}, f)
+
if 'network' in container:
for network, network_config in container['network'].items():
tmp = {
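Review bot: `open(config_containers_auth, "w")` creates the credential store with whatever mode the process umask allows, and nothing in this hunk restricts it. Since the file is meant to hold registry logins, create it owner-only, e.g. `fd = os.open(config_containers_auth, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. Podman may tighten the mode when it rewrites the file on login, but that is not visible here and would not cover the case where no registry has credentials. The block also sits after the early `return None` shown in the context lines, so on that path an existing auth.json appears to stay on disk with any stored logins; unlinking it next to `os.unlink(config_containers_storage)` would close that gap. generate() starts and ends outside the hunk.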
@@ -331,6 +343,19 @@ def generate(container):
write_file(f'/etc/cni/net.d/{network}.conflist', json_write(tmp, indent=2))
+ if 'registry' in container:
+ for registry, registry_config in container['registry'].items():
+ if 'disable' in registry_config:
+ continue
+
+ if 'username' in registry_config and 'password' in registry_config:
+ login_username = registry_config['username']
+ login_password = registry_config['password']
+ cmd = f'podman login --authfile {config_containers_auth} --username {login_username} --password {login_password} {registry}'
+ rc, out = rc_cmd(cmd)
+ if rc != 0:
+ raise ConfigError(out)
+
render(config_containers_registry, 'container/registries.conf.j2', container)
render(config_containers_storage, 'container/storage.conf.j2', container)
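Review bot: The registry password is placed on the `podman login` command line in generate(), so it is readable in the process list while the command runs. Username, password and registry are also interpolated unquoted, so a value with whitespace or shell metacharacters changes the command if rc_cmd runs it through a shell (not visible in this diff). Prefer `--password-stdin`, feeding the password to the child's stdin if rc_cmd supports that, and quote the rest: `cmd = f'podman login --authfile {config_containers_auth} --username {quote(login_username)} --password-stdin {quote(registry)}'` with `from shlex import quote`. Separately, assigning to `cmd` makes that name local to generate() and hides the `cmd` imported from vyos.util, so any `cmd(...)` call elsewhere in this function would raise UnboundLocalError; a name such as `login_cmd` avoids that. Also check that `raise ConfigError(out)` cannot echo the credential back to the user or into logs.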
diff --git a/src/op_mode/container.py b/src/op_mode/container.py
index d48766a0c..e7f4b0813 100755
--- a/src/op_mode/container.py
+++ b/src/op_mode/container.py
@@ -23,6 +23,8 @@ from vyos.util import cmd
import vyos.opmode
+config_containers_auth = '/etc/containers/auth.json'
+
def _get_json_data(command: str) -> list:
"""
Get container command format JSON
@@ -38,7 +40,7 @@ def _get_raw_data(command: str) -> list:
def add_image(name: str):
from vyos.util import rc_cmd
- rc, output = rc_cmd(f'podman image pull {name}')
+ rc, output = rc_cmd(f'podman image pull --authfile {config_containers_auth} {name}')
if rc != 0:
raise vyos.opmode.InternalError(output)
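Review bot: `name` is interpolated unquoted into the command string on the changed line in add_image(). The operator-supplied image name should be validated or passed through `shlex.quote(name)` before it reaches rc_cmd, since whether rc_cmd uses a shell is not visible here. `--authfile` is now passed unconditionally, but the conf_mode script only creates that file in generate() after its early return, so a pull on a system with no container configuration may fail on a missing auth file; that case is worth testing. `config_containers_auth` is now defined in both src/conf_mode/container.py and this file, so a comment noting that the two must stay in sync (or a shared constant) would prevent drift.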