
Add support for insecure registries (Fix: #461) #483

Closed

Conversation

ravanelli

- Introduce 'insecure-disable-tls-verification' parameter for
skipping TLS verification;
- Fix Issue: containers#461.

Signed-off-by: Renata <rravanel@redhat.com>
@github-actions github-actions bot added the area/install Issues related to `bootc install` label Apr 22, 2024
@ravanelli
Author

It still depends on #461 (comment)

@cgwalters cgwalters left a comment


It still depends on #461 (comment)

OK yes...right. This is harder than I thought because basically all of the existing logic is really assuming that it can serialize and deserialize the source image reference into a single string.

Which is basically not how docker (and podman) work; one is required to pass --tls-verify=false externally around.

Although...wait...actually, can we handle this by just telling the admin to add to the /etc/containers/registries.conf.d with the [insecure] flag?

/// Skip TLS and certificate verification.
/// This is very insecure and should only be used in testing environments
#[clap(long)]
pub(crate) insecure_disable_tls_verification: bool,
Collaborator


I think this should always be part of the source spec; unlike podman I'm trying here to be declarative where we can.

This means that once you do a bootc switch --insecure-disable-tls-verification, it is "sticky" and applied automatically on subsequent bootc upgrades.

So we can just drop this hunk I believe.

/// Skip TLS and certificate verification.
/// This is very insecure and should only be used in testing environments
#[clap(long)]
pub(crate) insecure_disable_tls_verification: bool,
Collaborator


I don't think this one makes sense; edit just lets you edit the spec directly.

@cgwalters
Collaborator

Just highlighting here

Although...wait...actually, can we handle this by just telling the admin to add to the /etc/containers/registries.conf.d with the [insecure] flag?

Let's test this first

@lukewarmtemp
Contributor

Let's test this first

Not sure if this is the expected local dev/test workflow specified in #461 (comment), but the following seems to work without any changes to the bootc code:

Create local registry

$ sudo mkdir -p /var/lib/registry
$ sudo podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always registry:2

Disable TLS verification for the local registry

# create a new config file
$ sudo vi /etc/containers/registries.conf.d/001-localhost.conf
[[registry]]
location="localhost:5000"
insecure=true

Build and push image to local container registry

# create a simple Containerfile that is just the base fcos image
$ sudo vi Containerfile
FROM quay.io/fedora/fedora-coreos:stable

# build image
$ podman build -t localhost/fcos .

# tag image so that it can be pushed to local registry
$ podman tag localhost/fcos:latest localhost:5000/fcos:latest

# push to local registry
$ podman push localhost:5000/fcos:latest

Test that TLS verification is disabled

$ sudo bootc switch localhost:5000/fcos:latest
$ sudo systemctl reboot

Verify that bootc switch worked

$ sudo bootc status
apiVersion: org.containers.bootc/v1alpha1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: localhost:5000/fcos:latest
    transport: registry
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: localhost:5000/fcos:latest
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:2f7207cddc3b01ee0980a4c8152d1277e0a0b5fe0ebff27bcc5e9b101e08d7ce
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 05b704430628019881d929c204ad4293230dc34d7df962428268faf145be8ac7
      deploySerial: 0
  rollback:
    image:
      image:
        image: quay.io/luyang/fcos-karg-test2
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:d5d43c888d3017c19ee912714ce206716dd56564eea5818e5b2f32f6e74feae5
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 6f3d22c95edbd7257e5de1a6dcd88e31c4536031776230e4daa1629f679cc098
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost
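
The registries.conf.d approach tested above, scoped so that insecure=true applies to localhost:5000 and nothing else. That scoping matters because the drop-in is honoured by podman and every other containers/image consumer on the host, not only by bootc, so a loosely written entry widens the exposure well beyond the test registry. The following is an added shell example and is not part of this thread or of bootc's code: the function names, the CONF_DIR override, and the exact-match rule on `location` are assumptions for illustration; it ignores `prefix =` namespace matching and the main /etc/containers/registries.conf, and parses double-quoted values only.

```shell
#!/bin/sh
# Added example, not bootc's or the PR author's code. Writes a registries.conf.d
# drop-in that scopes `insecure = true` to one registry and checks whether an
# image reference would be pulled with TLS verification disabled.
# CONF_DIR is an assumed override so the functions can be exercised in a
# scratch directory instead of the live /etc/containers/registries.conf.d.
: "${CONF_DIR:=/etc/containers/registries.conf.d}"

# registry_of IMAGE_REF: print the registry host[:port] of a reference such as
# localhost:5000/fcos:latest. The first path component counts as a registry only
# if it is "localhost" or contains '.' or ':'; anything else is a short name
# whose registry is decided by unqualified-search policy, so nothing is printed.
registry_of() {
    case $1 in
        */*) first=${1%%/*} ;;
        *)   return 1 ;;
    esac
    case $first in
        localhost|*.*|*:*) printf '%s\n' "$first" ;;
        *)                 return 1 ;;
    esac
}

# add_insecure_registry HOST[:PORT]: write a drop-in for exactly this registry.
# Refuses wildcards and paths so the exception cannot be widened by accident.
# Prints the path of the file it wrote.
add_insecure_registry() {
    host=$1
    case $host in
        ''|*'*'*|*/*)
            echo "refusing unscoped or malformed registry: '$host'" >&2
            return 1 ;;
    esac
    mkdir -p "$CONF_DIR"
    file="$CONF_DIR/001-$(printf '%s' "$host" | tr ':' '-').conf"
    cat > "$file" <<EOF
# Skip TLS verification for this one registry only (testing use).
[[registry]]
location = "$host"
insecure = true
EOF
    printf '%s\n' "$file"
}

# is_insecure_registry IMAGE_REF: exit 0 if some [[registry]] table under
# CONF_DIR has location = "<registry of IMAGE_REF>" and insecure = true.
# Assumption: exact match on `location`, double-quoted values only; `prefix =`
# namespace matching and the main registries.conf are not consulted.
is_insecure_registry() {
    reg=$(registry_of "$1") || return 1
    ls "$CONF_DIR"/*.conf >/dev/null 2>&1 || return 1
    awk -v want="$reg" '
        function flush() { if (intable && loc == want && ins) found = 1; loc = ""; ins = 0 }
        FNR == 1                  { flush(); intable = 0 }
        /^[ \t]*\[\[registry\]\]/ { flush(); intable = 1; next }
        /^[ \t]*\[/               { flush(); intable = 0; next }
        intable && /^[ \t]*location[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v)
            gsub(/[" \t]/, "", v); loc = v; next }
        intable && /^[ \t]*insecure[ \t]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); sub(/#.*/, "", v)
            gsub(/[ \t]/, "", v); ins = (v == "true"); next }
        END { flush(); if (found) exit 0; exit 1 }
    ' "$CONF_DIR"/*.conf
}
```

Run `add_insecure_registry localhost:5000` once on the test host, then `is_insecure_registry localhost:5000/fcos:latest` should succeed while `is_insecure_registry quay.io/fedora/fedora-coreos:stable` fails; the second check is the one worth keeping around, since it confirms the exception never grew to cover the registries the production image actually comes from.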

@cgwalters
Collaborator

Thanks for testing this @lukewarmtemp ! #580

@cgwalters cgwalters closed this Jun 3, 2024
Labels
area/install Issues related to `bootc install`