Change Container Linux etcd-member to fetch with docker:// #659

Merged
merged 1 commit into from
Mar 3, 2020

dghubble
Member

@dghubble dghubble commented Mar 2, 2020

  • Quay has historically generated ACI signatures for images to facilitate rkt's notions of verification (it allowed authors to actually sign images, though --trust-keys-from-https is in use since etcd and most authors don't sign images). OCI standardization didn't adopt verification ideas and checking signatures has fallen out of favor.
  • Fix rkt is unable to fetch etcd:v3.4.4 from quay.io due to missing signature #658 where Quay no longer seems to be generating ACI signatures for new images (e.g. quay.io/coreos/etcd:v.3.4.4)
  • Don't be alarmed by rkt --insecure-options=image. It refers to disabling image signature checking (i.e. docker pull doesn't check signatures either)
  • System containers for Kubelet and bootstrap have transitioned to the docker:// transport, so there is precedent and this brings all the system containers on Container Linux controllers into alignment

* Quay has historically generated ACI signatures for images to
facilitate rkt's notions of verification (it allowed authors to
actually sign images, though `--trust-keys-from-https` is in use
since etcd and most authors don't sign images). OCI standardization
didn't adopt verification ideas and checking signatures has fallen
out of favor.
* Fix an issue where Quay no longer seems to be generating ACI
signatures for new images (e.g. quay.io/coreos/etcd:v.3.4.4)
* Don't be alarmed by rkt `--insecure-options=image`. It refers
to disabling image signature checking (i.e. docker pull doesn't
check signatures either)
* System containers for Kubelet and bootstrap have transitioned
to the docker:// transport, so there is precedent and this brings
all the system containers on Container Linux controllers into
alignment
@dghubble dghubble force-pushed the cl-etcd-image-transport branch from 053dd01 to 51cee6d Compare March 3, 2020 03:58
@dghubble dghubble merged commit 51cee6d into master Mar 3, 2020
@dghubble dghubble deleted the cl-etcd-image-transport branch March 3, 2020 04:03
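
A review check for the description's point that `--insecure-options=image` turns off signature checking only. This is an added example, not code from this pull request: it reads a systemd drop-in and reports which rkt fetch checks remain. The drop-in text is constructed, and the variable names (`ETCD_IMAGE_URL`, `ETCD_IMAGE_TAG`, `RKT_RUN_ARGS`, `RKT_GLOBAL_ARGS`) are assumptions based on the Container Linux etcd-wrapper, since the diff itself is not shown on this page.

```python
import re

# Constructed drop-ins (assumed variable names; the PR's diff is not on the page).
DOCKER_DROPIN = '''[Service]
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
Environment="ETCD_IMAGE_TAG=v3.4.4"
Environment="RKT_RUN_ARGS=--insecure-options=image"
'''
TOO_BROAD_DROPIN = '''[Service]
Environment="ETCD_IMAGE_URL=docker://quay.io/coreos/etcd"
Environment="RKT_RUN_ARGS=--insecure-options=all"
'''
ACI_DROPIN = '''[Service]
Environment="ETCD_IMAGE_URL=quay.io/coreos/etcd"
Environment="RKT_GLOBAL_ARGS=--trust-keys-from-https"
'''

ENV_LINE = re.compile(r'^[ \t]*Environment="?(\w+)=([^"\n]*)"?[ \t]*$', re.M)
INSECURE_OPTS = re.compile(r'--insecure-options=([a-z,\-]+)')


def audit_rkt_fetch(dropin):
    """Report which fetch-time checks rkt still performs for this unit."""
    env = dict(ENV_LINE.findall(dropin))
    raw = set()
    for value in env.values():
        for opts in INSECURE_OPTS.findall(value):
            raw.update(o for o in opts.split(",") if o)
    docker = env.get("ETCD_IMAGE_URL", "").startswith("docker://")
    return {
        "transport": "docker" if docker else "aci",
        # rkt only verifies ACI signatures; docker:// images carry none to check.
        "signature_checked": not docker
        and not raw & {"image", "all", "all-fetch"},
        # TLS certificate checking of the registry is a separate switch.
        "tls_checked": not raw & {"tls", "all", "all-fetch"},
        # Anything listed here goes further than the PR description says.
        "beyond_image": sorted(raw - {"image", "none"}),
    }


if __name__ == "__main__":
    for name, text in [("docker", DOCKER_DROPIN), ("too broad", TOO_BROAD_DROPIN),
                       ("aci", ACI_DROPIN)]:
        print(name, audit_rkt_fetch(text))
```

A non-empty `beyond_image` or a false `tls_checked` means the unit disables more than image signature checking and deserves a closer look in review.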
Successfully merging this pull request may close these issues.

rkt is unable to fetch etcd:v3.4.4 from quay.io due to missing signature