Merge pull request #4554 from QiWang19/policy-nosigstoresigned

OCPBUGS-38809: Update machine-config-daemon-pull.service to use custom policy for Podman < 4.4.1

Author: openshift-merge-bot[bot]

pkg/daemon/update.go

@@ -14,10 +14,12 @@ import (
 	goruntime "runtime"
 	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 	"time"
 
 	"github.com/clarketm/json"
+	"github.com/coreos/go-semver/semver"
 	ign3types "github.com/coreos/ignition/v2/config/v3_4/types"
 	corev1 "k8s.io/api/core/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
@@ -2548,7 +2550,11 @@ func (dn *Daemon) InplaceUpdateViaNewContainer(target string) error {
 
 	systemdPodmanArgs := []string{"--unit", "machine-config-daemon-update-rpmostree-via-container", "-p", "EnvironmentFile=-/etc/mco/proxy.env", "--collect", "--wait", "--", "podman"}
 	pullArgs := append([]string{}, systemdPodmanArgs...)
-	pullArgs = append(pullArgs, "pull", "--authfile", "/var/lib/kubelet/config.json", target)
+	pullArgs = append(pullArgs, "pull", "--authfile", "/var/lib/kubelet/config.json")
+	if !podmanSupportsSigstore() {
+		pullArgs = append(pullArgs, "--signature-policy", "/etc/machine-config-daemon/policy-for-old-podman.json")
+	}
+	pullArgs = append(pullArgs, target)
 	err = runCmdSync("systemd-run", pullArgs...)
 	if err != nil {
 		return err
@@ -2684,6 +2690,35 @@ func runCmdSync(cmdName string, args ...string) error {
 	return nil
 }
 
+var (
+	podmanSigstoreSupported      sync.Once
+	podmanSigstoreSupportedValue bool
+)
+
+func podmanSupportsSigstore() bool {
+	podmanSigstoreSupported.Do(func() {
+		// https://issues.redhat.com/browse/OCPBUGS-38809 failed for base image 4.11 or older, OCP 4.12 is with podman 4.4.1
+		// returns false if podman version is less than 4.4.1
+		cmd := exec.Command("podman", "version", "-f", "{{.APIVersion}}")
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			klog.Errorf("failed to run podman version: %v", err)
+			podmanSigstoreSupportedValue = false
+			return
+		}
+		sigstorePodman := "4.4.1"
+		// Example version format: 5.3.0-rc1
+		imgPodmanVersion, err := semver.NewVersion(strings.TrimSpace(string(out)))
+		if err != nil {
+			klog.Errorf("failed to parse podman version: %v", err)
+			podmanSigstoreSupportedValue = false
+			return
+		}
+		podmanSigstoreSupportedValue = imgPodmanVersion.Compare(*semver.New(sigstorePodman)) >= 0
+	})
+	return podmanSigstoreSupportedValue
+}
+
 // Log a message to the systemd journal as well as our stdout
 func logSystem(format string, a ...interface{}) {
 	message := fmt.Sprintf(format, a...)

templates/common/_base/files/podman-policy-args.yaml

@@ -0,0 +1,23 @@
+mode: 0755
+path: "/etc/machine-config-daemon/generate_podman_policy_args.sh"
+contents:
+  inline: |
+    #!/bin/bash
+    
+    # Extract Podman version and determine the signature policy
+    /usr/bin/podman -v | /bin/awk '{
+        split($3, version, "-");
+        clean_version = version[1];
+    
+        split(clean_version, current, /\./);
+        split("4.4.1", target, /\./);
+    
+        for (i = 1; i <= 3; i++) {
+            if ((current[i] + 0) < (target[i] + 0)) {
+                print "--signature-policy /etc/machine-config-daemon/policy-for-old-podman.json";
+                exit;
+            } else if ((current[i] + 0) > (target[i] + 0)) {
+                exit;
+            }
+        }
+    }' > /tmp/podman_policy_args

templates/common/_base/units/machine-config-daemon-pull.service.yaml

@@ -15,7 +15,9 @@ contents: |
   [Service]
   Type=oneshot
   RemainAfterExit=yes
-  ExecStart=/bin/sh -c "while ! /usr/bin/podman pull --authfile=/var/lib/kubelet/config.json '{{ .Images.machineConfigOperator }}'; do sleep 1; done"
+  ExecStartPre=/etc/machine-config-daemon/generate_podman_policy_args.sh
+  ExecStart=/bin/sh -c "while ! /usr/bin/podman pull $(cat /tmp/podman_policy_args) --authfile=/var/lib/kubelet/config.json '{{ .Images.machineConfigOperator }}'; do sleep 1; done"
+  
   {{if .Proxy -}}
   EnvironmentFile=/etc/mco/proxy.env
   {{end -}}

templates/master/01-master-container-runtime/_base/files/policy-no-sigstoresigned.yaml

@@ -0,0 +1,18 @@
+mode: 0644
+path: "/etc/machine-config-daemon/policy-for-old-podman.json"
+contents:
+  inline: |
+    {
+        "default": [
+            {
+                "type": "insecureAcceptAnything"
+            }
+        ],
+        "transports":
+            {
+                "docker-daemon":
+                    {
+                        "": [{"type":"insecureAcceptAnything"}]
+                    }
+            }
+    }

templates/worker/01-worker-container-runtime/_base/files/policy-no-sigstoresigned.yaml

@@ -0,0 +1,18 @@
+mode: 0644
+path: "/etc/machine-config-daemon/policy-for-old-podman.json"
+contents:
+  inline: |
+    {
+        "default": [
+            {
+                "type": "insecureAcceptAnything"
+            }
+        ],
+        "transports":
+            {
+                "docker-daemon":
+                    {
+                        "": [{"type":"insecureAcceptAnything"}]
+                    }
+            }
+    }