Pulp_container 2.11.0 is GA!

pulp_container 2.11.0 has been released. This release adds a number of features:

  • container registry image signing
  • container registry extensions API signature store
  • mirror of container signatures from other registry signature stores
  • push of manifest list
  • cross repo blob mount
  • push of non-distributable image layers
  • redis caching of the registry responses
  • RBAC roles

A number of important bugfixes also went into this release.

2.11.0 release changelog


Important information for Pulp Registry deployments that, prior to the 2.11 upgrade, had custom access policies and permissions added outside of the default groups [0][1] that are created during a push operation.

Such deployments need manual intervention, since the migration can map only the default groups to roles.
There is an issue filed [2] that we are going to work on to facilitate such situations.

[0] Role Based Access Control — Pulp Container Support 2.11.0 documentation
[1] Role Based Access Control — Pulp Container Support 2.11.0 documentation
[2] https://github.com/pulp/pulp_container/issues/641

A user who had custom permissions and upgraded to 2.11 has shared with us the steps he performed post-upgrade:

Hello,

I am a pulp-container user and I have some findings I’d like to share.
I’m in the following situation:

  • there are several users in my setup
  • there are users who can do “podman push” or “docker push”
  • there are other users who can only pull. Some users can pull some images others can pull other images.

Until pulp-container v2.10.2 I set the user permissions on the django-admin page.

But when I updated to v2.11.0 (when RBAC was implemented) I had to make some adjustments for the “puller” users.

As documented here: Role Based Access Control — Pulp Container Support 2.11.0 documentation there are several roles you can assign.

So what I need is basically this:

  • make all repositories private
  • assign “Namespace Consumer” permission to specific users for specific namespaces.

To make things easier I wrote two scripts for these tasks that loop through the list of repositories.
This script makes all repositories private (more information about private repositories: Role Based Access Control — Pulp Container Support 2.11.0 documentation):

#!/bin/bash
# Requires HTTPie (http) and jq. Replace the placeholder with the admin password.
admin_password='< add your admin password >'

# Loop over every container distribution and set private=true on each one.
for pulp_href in $(http --auth admin:"${admin_password}" --auth-type basic localhost:24817/pulp/api/v3/distributions/container/container/ | jq -re '.results[].pulp_href')
do
  http --quiet --auth admin:"${admin_password}" --auth-type basic PATCH "localhost:24817${pulp_href}" private=true
  # Read the distribution back to confirm the new setting.
  printf "Name: "
  http --body --auth admin:"${admin_password}" --auth-type basic "localhost:24817${pulp_href}" | jq ".name"
  printf "Private: "
  http --body --auth admin:"${admin_password}" --auth-type basic "localhost:24817${pulp_href}" | jq ".private"
done

And this one assigns “Namespace Consumer” permissions to a specific user to a list of repositories:

#!/bin/bash
# Requires HTTPie (http) and jq. Replace the placeholders with the admin password and the target user.
admin_password='< add your admin password >'
username='< username >'

# Look up the user's href (e.g. /pulp/api/v3/users/<id>/) by username.
echo "${username} user HREF:"
http --auth admin:"${admin_password}" --auth-type basic "localhost:24817/pulp/api/v3/users/?username=${username}" | jq ".results[].pulp_href" -re

USER_HREF=$(http --auth admin:"${admin_password}" --auth-type basic "localhost:24817/pulp/api/v3/users/?username=${username}" | jq ".results[].pulp_href" -re)

# For each distribution name, resolve its href and assign the consumer role on that object to the user.
for namespace in \
  container_repo1 \
  container_repo2 \
  container_repo3
do
  NAMESPACE_HREF=$(http --auth admin:"${admin_password}" --auth-type basic "localhost:24817/pulp/api/v3/distributions/container/container/?name=${namespace}" | jq ".results[].pulp_href" -re)
  # POST to <user_href>roles/ with the role name and the object it applies to.
  http --auth admin:"${admin_password}" --auth-type basic "localhost:24817${USER_HREF}roles/" role=container.containerdistribution_consumer content_object="${NAMESPACE_HREF}"
done

More information about roles here: Pulp 3 REST API documentation
And roles assigned to each user here: Pulp 3 REST API documentation

I hope it helps if you are facing similar challenges.

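The two scripts above change state but do not report what is still wrong after an upgrade with custom permissions. The following is an added example, not from the user's post or from the pulp_container project: an offline audit over the JSON the Pulp API returns, listing distributions that are still public and the consumer-role assignments that are still missing, so the POST step can be re-run idempotently. The JSON samples are constructed and trimmed; real responses are paginated ("next"), which this example does not follow.

```python
"""Audit distribution privacy and container.containerdistribution_consumer assignments."""
import json

# Role name used by the user's script; its content_object is a distribution href.
CONSUMER_ROLE = "container.containerdistribution_consumer"

# Constructed sample of GET /pulp/api/v3/distributions/container/container/ (trimmed):
# two distributions already private, one still public.
DISTRIBUTIONS = json.loads("""{"results": [
  {"name": "container_repo1", "pulp_href": "/pulp/api/v3/distributions/container/container/1/", "private": true},
  {"name": "container_repo2", "pulp_href": "/pulp/api/v3/distributions/container/container/2/", "private": false},
  {"name": "container_repo3", "pulp_href": "/pulp/api/v3/distributions/container/container/3/", "private": true}
]}""")

# Constructed sample of GET <user_href>roles/ per username (trimmed).
USER_ROLES = {
    "alice": {"results": [
        {"role": CONSUMER_ROLE, "content_object": "/pulp/api/v3/distributions/container/container/1/"},
        {"role": "container.containerdistribution_owner",
         "content_object": "/pulp/api/v3/distributions/container/container/3/"},
    ]},
    "bob": {"results": []},
}


def public_distributions(distributions):
    """Names of distributions that are still world-readable (private is not true)."""
    return [d["name"] for d in distributions["results"] if not d.get("private", False)]


def missing_consumer_roles(distributions, user_roles, wanted):
    """wanted maps username -> distribution names that user should be able to pull.
    Returns (username, distribution name) pairs that still lack the consumer role.
    An owner role on the same object does not count: only CONSUMER_ROLE is checked."""
    href_by_name = {d["name"]: d["pulp_href"] for d in distributions["results"]}
    missing = []
    for user, names in wanted.items():
        held = {r["content_object"] for r in user_roles.get(user, {}).get("results", [])
                if r["role"] == CONSUMER_ROLE}
        # KeyError on an unknown name is deliberate: a typo in the wanted list should not pass silently.
        missing.extend((user, n) for n in names if href_by_name[n] not in held)
    return missing


if __name__ == "__main__":
    wanted = {"alice": ["container_repo1", "container_repo3"], "bob": ["container_repo2"]}
    print("still public:", public_distributions(DISTRIBUTIONS))
    print("need consumer role:", missing_consumer_roles(DISTRIBUTIONS, USER_ROLES, wanted))
```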