It allows selecting a different OCI runtime to use with atomic run.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1196
Approved by: rhatdan
If specified, pull the latest version for all the images in a
storage.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #1136
Approved by: baude
In the case of some scanners, they generate a script to remediate the
images|containers they have scanned. We needed to provide a hook
for this ability. We now read the scanner's configuration file looking
for a "remediation_script" key, whose value should be a fq path to the
remediation script. The remediation script should be delivered via
the scanning image via atomic install.
As of now, we pass the id of the scanned object and its results directory
as named arguments to the remediation script.
Signed-off-by: baude <bbaude@redhat.com>
Closes: #1090
Approved by: baude
Commissaire project has halted development. Remove the integration
points so as not to accumulate cruft in the "atomic" subcommands.
Closes: #1046
Approved by: rhatdan
This commit enables scanning images and containers
for configuration compliance with security profiles
provided by SCAP Security Guide.
Note: This feature requires latest OpenSCAP Daemon from upstream
installed in the underlying "rhel7/openscap" container.
Closes: #1027
Approved by: baude
There were two primary cases where a secondary atomic run with a command
would trigger an exception. The first was reported in
https://github.com/projectatomic/atomic/issues/1006. Basically it can
be summarized as:
```
atomic run registry.fedoraproject.org/fedora:25 date # works fine
atomic run registry.fedoraproject.org/fedora:26 date # tries to run in the existing f25 container
```
The second case is as simple as:
```
atomic run registry.fedoraproject.org/fedora:25 date # works fine
atomic run registry.fedoraproject.org/fedora:25 date # fails
```
This fails because atomic starts the stopped f25 container and then attempts a docker exec. The
exec fails because the 'date' command is short-lived and the container exits prior to the exec
being run.
We now catch those exceptions and notify the user. We added a `--replace` option to run where
atomic will now delete the container in question and re-run it from the correct image.
Closes: #1019
Approved by: baude
Added an --anonymous switch to the push command to allow users
to push anonymously without having to be prompted for a username
and password.
Closes: #964
Approved by: rhatdan
If HTTP[S]_PROXY is defined, honor it in python requests usage
as well as pass it on to skopeo.
If http[s]_proxy is defined in atomic.conf, use it; however, environment
variables will override these if defined.
Added --insecure to Atomic push so the user can override the logic
(or lack thereof) around deducing if a registry is insecure. Also
needed for integration tests.
Closes: #964
Approved by: rhatdan
When installing an image, we now write a small bit of json
to /var/lib/atomic/install.json. The json format is:
```
{
    <image_name>: {
        id: <image_id>,
        install_date: <install_date_in_utc>
    }
}
```
This will be used in update, run, etc to ensure that any image
with an INSTALL label is first installed.
Closes: #950
Approved by: giuseppe
Drop the hidden option --generate-rpm in favor of --system-package.
The new option controls how a system container is installed to the host:
--generate-rpm=build build the rpm file without installing it.
--generate-rpm=yes build the rpm and install it, the rpm is deleted.
--generate-rpm=no do not attempt to build and install an rpm file.
--generate-rpm=auto install the rpm only if a .spec file is defined in
the image. This is the default.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Closes: #767
Approved by: rhatdan
Change the format of "Created" for images to match containers,
fix filtering for partial keywords, and update auto-complete
and man pages.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #923
Approved by: giuseppe
Use default storage if user does not specify, so it doesn't output
"Unable to associate string 'None' with backend".
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #933
Approved by: baude
BZ #1422448 actually points out one regression and one
bug related to atomic stop. The BZ itself points out
a TypeError exception in the code when trying to glue
together a python list and str.
Then the atomic stop command was failing in the case where a
STOP label was defined and it uses the variable $NAME resulting
in a subprocess exception.
The self.name variable was not being set by set_args after
refactoring occurred. Ideally, this should all be moved
into the image|container object handling but for now we
just handle it in set_args.
Also added a test in test_display to catch any future
regressions.
Closes: #899
Approved by: rhatdan
Refactor the uninstall class to use the backends, container and image
objects.
Add --display so one can run atomic uninstall --display <image>
and see what the outcome would be. This will be helpful in integration
testing and was discussed in BZ https://bugzilla.redhat.com/show_bug.cgi?id=1248038.
Add --storage option so users can dictate priority when uninstalling
an image. This also mimics the newest install class as well.
Closes: #888
Approved by: giuseppe
To have parity function with pull, we need to add --storage
to install and run. This allows for overriding when atomic.type
is defined. For example, if you pull an image that has
atomic.type=system but you really want to store it
on the docker backend.
Closes: #861
Approved by: baude
Ideally, the atomic CLI should be able to operate independently
of the backends it supports. For example, if dockerd is inactive,
the ostree backend and atomic cli should still work.
This requires some tweaking to the backendutils code and the work
flow. We also need to specifically know if the user passes
--storage so that we treat that as an explicit override. The work
flow is now roughly:
* a default storage can be defined in atomic.conf (was always this way)
* if not defined, defaults to docker.
* if --storage is passed, treat explicitly and fail if cannot execute
* if no --storage is specified, use default. if default is not available, move
onto the next backend.
Refactor:
`atomic update`
`atomic update --container`
`atomic update --container --rollback`
To:
`atomic images update`
`atomic containers update`
`atomic containers rollback`
And update corresponding tests, docs and auto-complete. Much like
other image commands (info, verify), the base verb is hidden but
still available for use.
Move update functionality from atomic.py to update.py, and use
new backendutils to abstract.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #773
Approved by: rhatdan
This patch will allow the user to specify the graphdriver on atomic reset.
If /var/lib/docker or /var/lib/docker-latest is the only thing installed
it will reset the correct path. If both exist or the user has chosen
a different location, the --graph option must be specified.
Closes: #745
Approved by: rhatdan
The previous algorithm for comparing files used python's
dircmp and is considered to be a shallow comparison. This
allowed distinctly small possibilities that two files being
compared could be different but not caught.
We now use go-mtree to do the comparison. This can emulate the
shallow comparison we had before but we can also add a
sha256digest as part of the comparison using the new --keywords
option.
Also, made slight tweaks to gomtree functions in Atomic.util
so we debug and influence the return of JSON data.
This solves https://github.com/projectatomic/atomic/issues/761
Closes: #777
Approved by: rhatdan
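The gap between a shallow comparison and a digest comparison described in the commit above, shown as an added example that is not part of the commit or of the atomic code base. Python's `filecmp.dircmp` reproduces the old stat-only check and `hashlib.sha256` stands in for go-mtree's digest keyword; the two directory trees and all function names are constructed for the illustration.

```python
import filecmp
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_trees(left, right):
    """Compare files common to two directories, shallowly and by digest.

    Returns (shallow_diff, digest_diff): sorted names each method flags.
    """
    filecmp.clear_cache()
    shallow = filecmp.dircmp(left, right)  # stat-only: type, size, mtime
    digest_diff = sorted(
        name for name in shallow.common_files
        if sha256_of(os.path.join(left, name)) != sha256_of(os.path.join(right, name))
    )
    return sorted(shallow.diff_files), digest_diff


def build_sample_trees(root):
    """Constructed sample: two trees whose 'passwd' differs in content only."""
    left, right = os.path.join(root, "a"), os.path.join(root, "b")
    for tree, passwd in ((left, b"root:x:0:0\n"), (right, b"toor:x:0:0\n")):
        os.makedirs(tree)
        for name, data in (("passwd", passwd), ("motd", b"hello\n")):
            path = os.path.join(tree, name)
            with open(path, "wb") as handle:
                handle.write(data)
            os.utime(path, (1500000000, 1500000000))  # identical mtime
    return left, right


def demo():
    """Run both comparisons over the constructed sample trees."""
    with tempfile.TemporaryDirectory() as root:
        return compare_trees(*build_sample_trees(root))
```

The shallow pass reports no differences because both `passwd` files share size and mtime, while the digest pass flags the file whose content changed.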
Covers all but verify and generate. This is a refactoring of the
images subverbs (i.e. info, version, delete, ...)
Added in a unittest for list and info.
Closes: #771
Approved by: baude
Add --rollback flag to atomic update, which switches a system
container to the other deployment if one exists.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #762
Approved by: rhatdan
With the -m switch, we can now compare the metadata between
the two diff objects. We report only the differences between them. All
common data is deleted from the object structures.
This solves --> https://github.com/projectatomic/atomic/issues/760
Closes: #764
Approved by: baude
Add an optional --storage flag to the following commands:
- images delete
- info
- mount
- verify
- version
If specified, the command will only look at the specified storage
(ostree/docker) for the image to perform the action. If not
specified, the command will look through both ostree/docker for
the image (as it was before). However, if the storage is not
specified and the image exists in both ostree and docker, the
command will error and prompt the user to specify. Image inspection
also no longer forces the user to delete/rename one or the other.
This is meant to address the duplicate naming issue (where a user
can have an image in both ostree and docker with the same name).
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #720
Approved by: giuseppe
In order to clean up code and simplify the interface, I
move help, info, verify and version to the images subcommand.
Remove man pages for these atomic commands and add info to images subcommand.
Since these have been previously documented we will continue to support
atomic help
atomic info
atomic verify
atomic version
But we will not document them.
Closes: #676
Approved by: rhatdan
Image names are stored differently in ostree, and thus cannot be
directly used as we used to.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #681
Approved by: rhatdan
Save labels from docker manifest into ostree, so when a user invokes
'atomic version' on a system image, the metadata info is displayed,
same as docker images.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #679
Approved by: giuseppe
We need to default the gnukeyring to the user's login directory, to
make it easier for the user.
Also add bash completions for -g option.
Closes: #671
Approved by: rhatdan
Wrap atomic run/stop with systemctl start/stop for system
containers. This way the user can directly use the atomic
CLI for the full container cycle. In addition, the equivalent
functionality already exists for docker containers, so it
makes sense to allow system containers to start/stop in a
similar fashion.
Signed-off-by: Yu Qi Zhang <jerzhang@redhat.com>
Closes: #651
Approved by: rhatdan
We want to be able to delete containers from the system, using the
new atomic containers delete call.
atomic containers delete --all
Comes in handy.
Closes: #598
Approved by: giuseppe