
Using $XDG_CONFIG_HOME To Locate "policy.json"

Open 0x0D15 opened this issue 3 years ago • 11 comments

Description

Currently it is not possible to commit an image without having a policy.json in the /etc/containers directory, even if you have a policy.json in $XDG_CONFIG_HOME/containers. Would you consider also checking $XDG_CONFIG_HOME/containers for a policy.json before erroring? Podman also seems to support this behavior, as "SignaturePolicyPath" is always correctly set to the policy.json in $XDG_CONFIG_HOME/containers.

0x0D15 avatar Jul 10 '22 22:07 0x0D15

Hi @p0da Thanks for creating the issue :)

I think the bug persists in both podman and buildah, the reason being that c/image does not use or inherit the same logic as c/common for defaults, so it does not honor policy.json for rootless users. See https://github.com/containers/common/blob/main/pkg/config/default.go#L171 and https://github.com/containers/image/blob/main/signature/policy_config.go#L64 . The issue seems to be with c/image; I think this can be fixed there, but tagging @vrothberg @mtrmac for views on this.

flouthoc avatar Jul 11 '22 10:07 flouthoc

If Podman/Buildah are supposed to behave the same, and both are intended to interpret containers.conf, to me at a first glance that looks like a Podman/Buildah inconsistency where c/image has no say. At least on some paths both Podman and buildah seem to call c/common/config.Default, so isn’t that the expected behavior everywhere?


(As usual, I think it’s universally problematic when Podman/Buildah override c/image defaults like this, instead of working in c/image to change them there for all users.)


Actually, let’s not just guess. @p0da , can you provide a specific reproducer, please?

mtrmac avatar Jul 11 '22 14:07 mtrmac

Sure, so with no /etc/containers dir at all and a $XDG_CONFIG_HOME/containers with a policy.json in it (along with other configs):

$ buildah commit --rm $(buildah from scratch) test
error committing container "working-container" to "test": error obtaining default signature policy: open /etc/containers/policy.json: no such file or directory

With /etc/containers with policy.json:

$ buildah commit --rm $(buildah from scratch) test
Getting image source signatures
Copying blob 5f70bf18a086 done  
Copying config 12e0339397 done  
Writing manifest to image destination
Storing signatures
12e033939785a6fec8371dad9361f19d4842f58be54ecb59b121ec22496997d4

I was under the impression that this is intended behavior as the buildah-commit doc only specifies /etc/containers/policy.json as the signature policy path.

0x0D15 avatar Jul 12 '22 15:07 0x0D15
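
The lookup order requested in this issue, written out as a shell wrapper. This is an added example, not code from buildah or c/image. It assumes the `--signature-policy` option of `buildah commit`; the function names and the `SYSTEM_POLICY` override variable are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pick a signature policy file, preferring the per-user one
# under $XDG_CONFIG_HOME/containers, then the system-wide default.
# SYSTEM_POLICY is a hypothetical override so the lookup can be exercised
# without touching /etc.
SYSTEM_POLICY="${SYSTEM_POLICY:-/etc/containers/policy.json}"

# Print the first usable policy.json on stdout; return 1 if none qualifies.
resolve_policy() {
    local xdg candidate
    xdg="${XDG_CONFIG_HOME:-$HOME/.config}"
    for candidate in "$xdg/containers/policy.json" "$SYSTEM_POLICY"; do
        # Require a readable, non-empty regular file.
        if [ -f "$candidate" ] && [ -r "$candidate" ] && [ -s "$candidate" ]; then
            # The policy decides which image signatures are trusted, so do
            # not accept a file that any local user could rewrite.
            if [ -n "$(find -L "$candidate" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                echo "skipping world-writable policy: $candidate" >&2
                continue
            fi
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    echo "no signature policy found" >&2
    return 1
}

# Run "buildah commit" with the resolved policy passed explicitly,
# e.g.: commit_with_policy --rm "$(buildah from scratch)" test
commit_with_policy() {
    local policy
    policy="$(resolve_policy)" || return 1
    buildah commit --signature-policy "$policy" "$@"
}
```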

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Aug 12 '22 00:08 github-actions[bot]

@flouthoc @mtrmac Any update on this?

0x0D15 avatar Aug 21 '22 01:08 0x0D15

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Nov 15 '22 00:11 github-actions[bot]

@vrothberg @mtrmac WDYT?

rhatdan avatar Nov 15 '22 14:11 rhatdan

https://github.com/containers/buildah/issues/4100#issuecomment-1180464191

mtrmac avatar Nov 15 '22 15:11 mtrmac

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Dec 16 '22 00:12 github-actions[bot]

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Jan 17 '23 00:01 github-actions[bot]

A friendly reminder that this issue had no activity for 30 days.

github-actions[bot] avatar Feb 19 '23 00:02 github-actions[bot]