Support HTTPS Proxies in the Container builds #3251

Open
mtalexan opened this issue Nov 30, 2022 · 0 comments
mtalexan commented Nov 30, 2022

Feature Request

It's common for users to be behind corporate firewalls that include HTTPS proxies, or to need to pull packages from a private corporate server. Allowing the coreos-assembler tool to reach the internet from behind the HTTPS proxy, or to reach a private corporate server, requires additional custom certificates to be installed in the container.
It cannot be assumed the host system is Fedora or Fedora-like in all situations; a common CI build node configuration, for example, is an Ubuntu-based host. Therefore one of the frequent solutions, over-mounting the compiled certificate database with the one from the host, isn't compatible/sufficient.
Building new images that extend existing public upstream images just to add corporate CA certificates adds excessive overhead and maintenance costs, and usually results in out-of-date containers.

The request is to add native support to the container images for custom CAs being added to the container at run-time.

Desired Feature

Support an environment variable or a mount point whose contents are copied into /usr/share/pki/ca-trust-source/anchors, and then have update-ca-trust run before anything else on the system. If done right, the copy command can copy only on update (only overwrite if the source is newer), and update-ca-trust is only run if something is copied.

In a very simple case, this could be a matter of changing the entrypoint in the container from being ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"], to being dumb-init and a shell script that does the following (assumes any certs needing installation are manually mounted to /custom-certs already):

```bash
#!/bin/bash

if [ -d /custom-certs ]; then
  # copy only newer files, and print verbose, one file per line, what was copied so we can count it
  files_copied=$(sudo cp -uv -t /usr/share/pki/ca-trust-source/anchors /custom-certs/* | wc -l)
  if [ "${files_copied}" -eq 0 ]; then
    echo "No CA updates needed"
  else
    echo "${files_copied} CAs modified."
    # the trust store lives under /etc/pki, so this needs the same privileges as the copy above
    sudo update-ca-trust
  fi
fi

# exec so coreos-assembler replaces the shell and receives signals from dumb-init directly
exec /usr/bin/coreos-assembler "$@"
```
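As an added example (not code from the issue or from coreos-assembler itself), a fuller version of the wrapper above that also accepts the source directory from an environment variable, copies only files that actually contain a PEM certificate block so a mis-populated mount cannot push keys or stray files into the trust store, and counts copies per file; the CUSTOM_CA_DIR variable, the ANCHORS_DIR override and the --entrypoint switch are assumed names.

```shell
#!/bin/bash
# Hypothetical entrypoint wrapper; CUSTOM_CA_DIR and --entrypoint are assumed names.
set -eu

ANCHORS_DIR="${ANCHORS_DIR:-/usr/share/pki/ca-trust-source/anchors}"
CA_SRC="${CUSTOM_CA_DIR:-/custom-certs}"   # env var wins, else the mount point from the issue

# True when the file carries at least one PEM certificate block. Private keys or
# unrelated files in a mis-populated directory are never copied into the trust store.
is_pem_cert() {
  [ -f "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy only new or newer certificates from $1 into $2 and print how many were copied.
# cp -u skips files whose copy is already up to date, so restarting the container with
# an unchanged mount copies nothing and the trust store is not rebuilt again.
install_certs() {
  src="$1"; dst="$2"; copied=0
  [ -d "$src" ] || { echo 0; return 0; }
  for f in "$src"/*; do
    [ -e "$f" ] || continue                      # empty directory: the glob stays literal
    if ! is_pem_cert "$f"; then
      echo "skipping $f: not a PEM certificate" >&2
      continue
    fi
    # cp -v prints a line only when it actually copies the file
    if [ -n "$(${SUDO:-} cp -uv "$f" "$dst/")" ]; then
      copied=$((copied + 1))
    fi
  done
  echo "$copied"
}

cosa_entrypoint() {
  [ "$(id -u)" -eq 0 ] || SUDO=sudo              # cosa runs as an unprivileged user with sudo
  n=$(install_certs "$CA_SRC" "$ANCHORS_DIR")
  if [ "$n" -gt 0 ]; then
    echo "$n CA(s) added or updated; rebuilding trust store"
    ${SUDO:-} update-ca-trust
  else
    echo "No CA updates needed"
  fi
  exec /usr/bin/coreos-assembler "$@"
}

# Act as the entrypoint only when invoked with --entrypoint; otherwise just define functions.
if [ "${1:-}" = "--entrypoint" ]; then shift; cosa_entrypoint "$@"; fi
```

Running the script a second time against an unchanged directory reports 0 copies, which is what keeps update-ca-trust from being re-run on every container start.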

Example Usage

Assuming providing a /custom-certs optional mountpoint instead of an environment variable:

```bash
podman run --rm -it \
    -v ${HOME}/my-ca-certs:/custom-certs \
    ...other normal args...
```

Other Information

Given the usage restrictions:

  • New container images starting from the provided one as a base are not an option
  • The host system isn't necessarily Fedora-like

The current workaround solution for users is to create a directory with the wrapper script in it, mount the script folder into the container, and override the entrypoint to use the script from the mounted folder instead of coreos-assembler directly.

EDIT: Corrected the names of what is called, and clarified how it fit with the 2-part entrypoint in the Dockerfile.
