Prototype: Add --tls-details, only for non-remote pulling for now

cmd/podman/common/build.go

@@ -15,6 +15,7 @@ import (
 
 	buildahDefine "github.com/containers/buildah/define"
 	buildahCLI "github.com/containers/buildah/pkg/cli"
+	"github.com/containers/buildah/pkg/download"
 	"github.com/containers/buildah/pkg/parse"
 	buildahUtil "github.com/containers/buildah/pkg/util"
 	encconfig "github.com/containers/ocicrypt/config"
@@ -30,6 +31,7 @@ import (
 	"go.podman.io/common/pkg/completion"
 	"go.podman.io/common/pkg/config"
 	"go.podman.io/image/v5/docker/reference"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -192,7 +194,11 @@ func ParseBuildOpts(cmd *cobra.Command, args []string, buildOpts *BuildFlagsWrap
 	)
 	if len(args) > 0 {
 		// The context directory could be a URL.  Try to handle that.
-		tempDir, subDir, err := buildahDefine.TempDirForURL("", "buildah", args[0])
+		baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+		if err != nil {
+			return nil, err
+		}
+		tempDir, subDir, err := download.TempDirForURL("", "buildah", args[0], baseTLSConfig.TLSConfig())
 		if err != nil {
 			return nil, fmt.Errorf("prepping temporary context directory: %w", err)
 		}

cmd/podman/images/load.go

@@ -15,6 +15,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.podman.io/common/pkg/completion"
 	"go.podman.io/common/pkg/download"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/storage/pkg/fileutils"
 	"golang.org/x/term"
 )
@@ -76,7 +77,13 @@ func load(_ *cobra.Command, _ []string) error {
 			if err != nil {
 				return err
 			}
-			tmpfile, err := download.FromURL(tmpdir, loadOpts.Input)
+			baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+			if err != nil {
+				return err
+			}
+			tmpfile, err := download.FromURL(registry.Context(), tmpdir, loadOpts.Input, download.Options{
+				BaseTLSConfig: baseTLSConfig.TLSConfig(),
+			})
 			if err != nil {
 				return err
 			}

cmd/podman/images/pull.go

@@ -16,6 +16,7 @@ import (
 	"go.podman.io/common/pkg/auth"
 	"go.podman.io/common/pkg/completion"
 	"go.podman.io/common/pkg/config"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -149,6 +150,11 @@ func imagePull(cmd *cobra.Command, args []string) error {
 	if cmd.Flags().Changed("tls-verify") {
 		pullOptions.SkipTLSVerify = types.NewOptionalBool(!pullOptions.TLSVerifyCLI)
 	}
+	baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+	if err != nil {
+		return err
+	}
+	pullOptions.BaseTLSConfig = baseTLSConfig
 
 	pullPolicy, err := config.ParsePullPolicy(pullOptions.PolicyCLI)
 	if err != nil {

cmd/podman/kube/play.go

@@ -26,6 +26,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.podman.io/common/pkg/auth"
 	"go.podman.io/common/pkg/completion"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -383,10 +384,26 @@ func readerFromArgsWithStdin(args []string, stdin io.Reader) (*bytes.Reader, err
 		return bytes.NewReader(data), nil
 	}
 
+	basetls, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+	if err != nil {
+		return nil, err
+	}
+	baseTLSConfig := basetls.TLSConfig()
+	var transport *http.Transport // nil means http.DefaultTransport
+	if baseTLSConfig != nil {
+		transport = &http.Transport{
+			TLSClientConfig: baseTLSConfig,
+		}
+		defer transport.CloseIdleConnections()
+	}
+	httpClient := &http.Client{
+		Transport: transport,
+	}
+
 	var combined bytes.Buffer
 
 	for i, arg := range args {
-		reader, err := readerFromArg(arg)
+		reader, err := readerFromArg(arg, httpClient)
 		if err != nil {
 			return nil, err
 		}
@@ -406,10 +423,10 @@ func readerFromArgsWithStdin(args []string, stdin io.Reader) (*bytes.Reader, err
 	return bytes.NewReader(combined.Bytes()), nil
 }
 
-func readerFromArg(fileOrURL string) (io.ReadCloser, error) {
+func readerFromArg(fileOrURL string, httpClient *http.Client) (io.ReadCloser, error) {
 	switch {
 	case parse.ValidWebURL(fileOrURL) == nil:
-		response, err := http.Get(fileOrURL)
+		response, err := httpClient.Get(fileOrURL)
 		if err != nil {
 			return nil, err
 		}

cmd/podman/login.go

@@ -12,6 +12,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.podman.io/common/pkg/auth"
 	"go.podman.io/common/pkg/completion"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -65,11 +66,15 @@ func init() {
 // Implementation of podman-login.
 func login(cmd *cobra.Command, args []string) error {
 	var skipTLS types.OptionalBool
-
 	if cmd.Flags().Changed("tls-verify") {
 		skipTLS = types.NewOptionalBool(!loginOptions.tlsVerify)
 	}
 
+	baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+	if err != nil {
+		return err
+	}
+
 	secretName := cmd.Flag("secret").Value.String()
 	if len(secretName) > 0 {
 		if len(loginOptions.Password) > 0 {
@@ -97,6 +102,7 @@ func login(cmd *cobra.Command, args []string) error {
 
 	sysCtx := &types.SystemContext{
 		DockerInsecureSkipTLSVerify: skipTLS,
+		BaseTLSConfig:               baseTLSConfig.TLSConfig(),
 	}
 	common.SetRegistriesConfPath(sysCtx)
 	loginOptions.GetLoginSet = cmd.Flag("get-login").Changed

cmd/podman/logout.go

@@ -8,6 +8,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.podman.io/common/pkg/auth"
 	"go.podman.io/common/pkg/completion"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -48,7 +49,15 @@ func init() {
 
 // Implementation of podman-logout.
 func logout(_ *cobra.Command, args []string) error {
-	sysCtx := &types.SystemContext{}
+	// This is not expected to be used, but it's easier to handle it than to worry about missing something.
+	baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+	if err != nil {
+		return err
+	}
+
+	sysCtx := &types.SystemContext{
+		BaseTLSConfig: baseTLSConfig.TLSConfig(),
+	}
 	common.SetRegistriesConfPath(sysCtx)
 	return auth.Logout(sysCtx, &logoutOptions, args)
 }

cmd/podman/machine/init.go

@@ -20,6 +20,7 @@ import (
 	"github.com/spf13/cobra"
 	"go.podman.io/common/pkg/completion"
 	"go.podman.io/common/pkg/strongunits"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 	"go.podman.io/image/v5/types"
 )
 
@@ -268,6 +269,12 @@ func initMachine(cmd *cobra.Command, args []string) error {
 		initOpts.SkipTlsVerify = types.NewOptionalBool(!initOptionalFlags.tlsVerify)
 	}
 
+	baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(registry.PodmanConfig().TLSDetailsFile)
+	if err != nil {
+		return err
+	}
+	initOpts.BaseTLSConfig = baseTLSConfig.TLSConfig()
+
 	// TODO need to work this back in
 	// if finished, err := vm.Init(initOpts); err != nil || !finished {
 	// 	// Finished = true,  err  = nil  -  Success! Log a message with further instructions

cmd/podman/root.go

@@ -547,6 +547,10 @@ func rootFlags(cmd *cobra.Command, podmanConfig *entities.PodmanConfig) {
 	lFlags.StringVar(&podmanConfig.TLSCAFile, tlsCAFileFlagName, podmanConfig.TLSCAFile, "path to TLS certificate Authority PEM file for remote.")
 	_ = cmd.RegisterFlagCompletionFunc(tlsCAFileFlagName, completion.AutocompleteDefault)
 
+	tlsDetailsFlagName := "tls-details"
+	lFlags.StringVar(&podmanConfig.TLSDetailsFile, tlsDetailsFlagName, "", "Path to a containers-tls-details.yaml(5) file")
+	_ = cmd.RegisterFlagCompletionFunc(tlsDetailsFlagName, completion.AutocompleteDefault)
+
 	// Flags that control or influence any kind of output.
 	outFlagName := "out"
 	lFlags.StringVar(&useStdout, outFlagName, "", "Send output (stdout) from podman to a file")

cmd/podman/system/dial_stdio.go

@@ -12,6 +12,7 @@ import (
 	"github.com/containers/podman/v6/pkg/bindings"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
+	"go.podman.io/image/v5/pkg/cli/basetls/tlsdetails"
 )
 
 var dialStdioCommand = &cobra.Command{
@@ -37,7 +38,14 @@ func runDialStdio() error {
 	cfg := registry.PodmanConfig()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	bindCtx, err := bindings.NewConnection(ctx, cfg.URI)
+	baseTLSConfig, err := tlsdetails.BaseTLSFromOptionalFile(cfg.TLSDetailsFile)
+	if err != nil {
+		return err
+	}
+	bindCtx, err := bindings.NewConnectionWithOptions(ctx, bindings.Options{
+		URI:           cfg.URI,
+		BaseTLSConfig: baseTLSConfig.TLSConfig(),
+	})
 	if err != nil {
 		return fmt.Errorf("failed to open connection to podman: %w", err)
 	}

docs/source/markdown/podman.1.md

@@ -177,6 +177,15 @@ Path to a PEM file containing the certificate authority bundle to verify the ser
 
 Path to a PEM file containing the TLS client certificate to present to the server. `--tls-key` must also be provided.
 
+#### **--tls-details**=*path*
+
+Path to a `containers-tls-details.yaml(5)` file, affecting TLS behavior throughout the program.
+
+If not set, defaults to a reasonable default that may change over time (depending on system’s global policy,
+version of the program, version of the Go language, and the like).
+
+Users should generally not use this option unless they have a process to ensure that the configuration will be kept up to date.
+
 #### **--tls-key**=*path*
 
 Path to a PEM file containing the private key matching `--tls-cert`. `--tls-cert` must also be provided.

go.mod

@@ -64,8 +64,8 @@ require (
 	github.com/vbauerster/mpb/v8 v8.11.3
 	github.com/vishvananda/netlink v1.3.1
 	go.podman.io/common v0.66.2-0.20260204175822-4e7127fdc31f
-	go.podman.io/image/v5 v5.38.1-0.20260204175822-4e7127fdc31f
-	go.podman.io/storage v1.61.1-0.20260204175822-4e7127fdc31f
+	go.podman.io/image/v5 v5.39.1
+	go.podman.io/storage v1.62.1-0.20260210183841-0a0387fb27a4
 	golang.org/x/crypto v0.48.0
 	golang.org/x/net v0.50.0
 	golang.org/x/sync v0.19.0
@@ -88,6 +88,7 @@ require (
 	github.com/VividCortex/ewma v1.2.0 // indirect
 	github.com/acarl005/stripansi v0.0.0-20180116102854-5a71ef0e047d // indirect
 	github.com/aead/serpent v0.0.0-20160714141033-fba169763ea6 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chzyer/readline v1.5.1 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect
@@ -129,7 +130,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/copier v0.4.0 // indirect
-	github.com/klauspost/compress v1.18.3 // indirect
+	github.com/klauspost/compress v1.18.4 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
 	github.com/manifoldco/promptui v0.9.0 // indirect
@@ -175,14 +176,14 @@ require (
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.63.0 // indirect
-	go.opentelemetry.io/otel v1.38.0 // indirect
-	go.opentelemetry.io/otel/metric v1.38.0 // indirect
-	go.opentelemetry.io/otel/trace v1.38.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.64.0 // indirect
+	go.opentelemetry.io/otel v1.40.0 // indirect
+	go.opentelemetry.io/otel/metric v1.40.0 // indirect
+	go.opentelemetry.io/otel/trace v1.40.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.32.0 // indirect
-	golang.org/x/oauth2 v0.34.0 // indirect
+	golang.org/x/oauth2 v0.35.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.41.0 // indirect
@@ -191,3 +192,9 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	tags.cncf.io/container-device-interface/specs-go v1.1.0 // indirect
 )
+
+replace go.podman.io/image/v5 => github.com/mtrmac/container-libs/image/v5 v5.0.0-20260213005719-c3460ce139bc
+
+replace go.podman.io/common => github.com/mtrmac/container-libs/common v0.0.0-20260213005719-c3460ce139bc
+
+replace github.com/containers/buildah => github.com/mtrmac/buildah v0.0.0-20260213012313-57992428adc9