Add support for insecure registries (Fix: #461) #483
ravanelli commented Apr 22, 2024
- Introduce 'insecure-disable-tls-verification' parameter for skipping TLS verification;
- Fix Issue: support insecure registries #461.
- Introduce 'insecure-disable-tls-verification' parameter for skipping TLS verification; - Fix Issue: containers#461. Signed-off-by: Renata <rravanel@redhat.com>
It still depends on #461 (comment)
OK yes...right. This is harder than I thought because basically all of the existing logic is really assuming that it can serialize and deserialize the source image reference into a single string.
Which is basically not how docker (and podman) work; one is required to pass `--tls-verify=false` externally around.
Although...wait...actually, can we handle this by just telling the admin to add to the `/etc/containers/registries.conf.d` with the `[insecure]` flag?
/// Skip TLS and certificate verification. | ||
/// This is very insecure and should only be used in testing environments | ||
#[clap(long)] | ||
pub(crate) insecure_disable_tls_verification: bool, |
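Review bot: The doc comment on `insecure_disable_tls_verification` warns that the flag is "very insecure" but does not say what it covers. As a bare boolean it names no registry or image, so the help text should state whether verification is skipped for every connection the command makes and whether the setting outlives this invocation. The second `///` line is also missing its closing period.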
I think this should always be part of the source spec; unlike `podman` I'm trying here to be declarative where we can.
This means that once you do a `bootc switch --insecure-disable-tls-verification`, it is "sticky" and applied automatically on subsequent `bootc upgrade`s.
So we can just drop this hunk I believe.
/// Skip TLS and certificate verification. | ||
/// This is very insecure and should only be used in testing environments | ||
#[clap(long)] | ||
pub(crate) insecure_disable_tls_verification: bool, |
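Review bot: This field and its two `///` lines are identical to the definition added earlier in the patch, so the help text and semantics of the two copies can drift apart. Consider declaring the option once in a shared argument struct and pulling it in with `#[clap(flatten)]`, so the warning about testing-only use is maintained in one place.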
I don't think this one makes sense; edit just lets you edit the spec directly.
Just highlighting here
Let's test this first
Not sure if this is the expected local dev/test workflow specified in #461 (comment), but the following seems to work without any changes to the
- Create local registry
- Disable TLS verification for the local registry
- Build and push image to local container registry
- Test that TLS verification is disabled
- Verify that bootc switch worked
Thanks for testing this @lukewarmtemp! #580
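
The review above proposes marking a registry insecure through a drop-in under `/etc/containers/registries.conf.d`, and the test workflow later in the thread disables TLS verification for a local registry. As an added example (not part of this PR or of bootc), the shell function below audits such a directory and reports every entry that sets `insecure = true`; it assumes the v2 `[[registry]]` / `[[registry.mirror]]` TOML layout with double-quoted values, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: report registries.conf.d entries that disable TLS verification.
# Assumes the v2 [[registry]] / [[registry.mirror]] layout from
# containers-registries.conf(5), double-quoted values, and no '#' inside values.

# list_insecure_registries DIR
# Prints "<file>: <registry|mirror> <location>" for each entry with insecure = true.
list_insecure_registries() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue          # unmatched glob or not a regular file
        awk -v file="$f" '
            # Print the entry collected so far if it was marked insecure, then reset.
            function emit() {
                if (in_entry && insecure)
                    print file ": " kind " " (loc == "" ? "(no location)" : loc)
                loc = ""; insecure = 0
            }
            { sub(/[ \t]*#.*$/, "") }    # drop comments and the blanks before them
            /^[ \t]*\[\[registry(\.mirror)?\]\][ \t]*$/ {
                emit(); in_entry = 1
                kind = ($0 ~ /mirror/) ? "mirror" : "registry"
                next
            }
            /^[ \t]*\[/ { emit(); in_entry = 0; next }   # any other table ends the entry
            in_entry && /^[ \t]*location[ \t]*=/ {
                loc = $0
                sub(/^[^=]*=[ \t]*/, "", loc)            # keep the value only
                gsub(/^"|"[ \t]*$/, "", loc)             # strip surrounding quotes
            }
            in_entry && /^[ \t]*insecure[ \t]*=[ \t]*true[ \t]*$/ { insecure = 1 }
            END { emit() }
        ' "$f"
    done
}

# Run against a directory when one is given, e.g. /etc/containers/registries.conf.d
if [ "$#" -gt 0 ]; then
    list_insecure_registries "$1"
fi
```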