It's common for users to be behind corporate firewalls that include HTTPS proxies, or need to pull packages from a private corporate server. Allowing the coreos-assembler tool to reach the internet from behind the HTTPS proxy or on a private corporate server requires additional custom certificates to be installed in the container.
It cannot be assumed the host system is Fedora or Fedora-like in all situations; a common CI build node configuration, for example, is an Ubuntu-based host. Therefore one of the frequent solutions, over-mounting the compiled certificate database with the one from the host, isn't compatible/sufficient.
Building new images that extend existing public upstream images just to add corporate CA certificates adds excessive overhead and maintenance costs and usually results in out-of-date containers.
The request is to add native support to the container images for custom CAs being added to the container at run-time.
Desired Feature
Support an environment variable or a mount point whose contents are copied into /usr/share/pki/ca-trust-source/anchors and then have update-ca-trust run before anything else on the system. If done right, the copy command can be only on update (only overwrite if the source is newer) and the update-ca-trust is only run if something is copied.
In a very simple case, this could be a matter of changing the entrypoint in the container from being ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"], to being dumb-init and a shell script that does the following (assumes any certs needing installation are manually mounted to /custom-certs already):
#!/bin/bash
if [ -d /custom-certs ]; then
    # copy only newer files, and print verbose, one file per line, what was copied so we can count it
    files_copied=$(sudo cp -uv -t /usr/share/pki/ca-trust-source/anchors /custom-certs/* | wc -l)
    if [ "${files_copied}" -eq 0 ]; then
        echo "No CA updates needed"
    else
        echo "${files_copied} CAs modified."
        # regenerating the trust store writes under /etc/pki, so it needs the same privileges as the copy
        sudo update-ca-trust
    fi
fi
exec /usr/bin/coreos-assembler "$@"
Example Usage
Assuming providing a /custom-certs optional mountpoint instead of an environment variable:
podman run --rm -it \
-v ${HOME}/my-ca-certs:/custom-certs \
...other normal args...
Other Information
Given the usage restrictions:
New container images starting from the provided one as a base are not an option
The host system isn't necessarily Fedora-like
The current workaround solution for users is to create a directory with the wrapper script in it, mount the script folder into the container, and override the entrypoint to use the script from the mounted folder instead of coreos-assembler directly.
EDIT: Corrected the names of what is called, and clarified how it fit with the 2-part entrypoint in the Dockerfile.
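A hardened variant of the wrapper idea above, added here as an example and not code from the issue or from coreos-assembler: before anything lands in the anchors directory it checks that each mounted file actually is a PEM certificate and does not carry a private key, copies only missing or newer files, and runs the trust-store update once only if something changed. The function name, the argument layout (source dir, destination dir, update command) and the /custom-certs mount are assumptions chosen so it can be exercised against temporary directories.

```shell
#!/bin/bash
# install_custom_cas SRC DEST [UPDATE_CMD]
# Copies PEM certificates from SRC into DEST (only when missing or newer),
# refuses files that are not certificates or that also contain a private key,
# runs UPDATE_CMD once if anything was installed, and prints the number of
# certificates installed. Hypothetical helper, not coreos-assembler's own code.
install_custom_cas() {
    src="$1"; dest="$2"; update_cmd="${3:-update-ca-trust}"
    copied=0
    [ -d "$src" ] || { echo 0; return 0; }
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # Only PEM certificate blocks belong in the trust anchors directory;
        # READMEs, scripts or binary junk dropped into the mount are left out.
        if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then
            echo "skipping $name: not a PEM certificate" >&2
            continue
        fi
        # A bundle that also carries a private key must never be copied into
        # a world-readable trust store.
        if grep -q -- 'PRIVATE KEY-----' "$f"; then
            echo "skipping $name: contains a private key" >&2
            continue
        fi
        # Same "only if newer" semantics as cp -u; -p keeps the mtime so a
        # second run is a no-op.
        if [ ! -e "$dest/$name" ] || [ "$f" -nt "$dest/$name" ]; then
            cp -p -- "$f" "$dest/$name"
            echo "installed $name" >&2
            copied=$((copied + 1))
        fi
    done
    # Rebuild the extracted trust store only when the anchors changed.
    if [ "$copied" -gt 0 ]; then
        $update_cmd >&2
    fi
    echo "$copied"
}

# Entrypoint use (needs root or sudo, as the issue's script does):
#   install_custom_cas /custom-certs /usr/share/pki/ca-trust-source/anchors >/dev/null
#   exec /usr/bin/coreos-assembler "$@"
```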