base
base copied to clipboard
containerbase
Allow all external download URLs to be aliased
Some users need to build their own containerbase-derived images in their product environments which do not have direct internet access. Instead, they need to set up generic proxies on Artifactory for each distinct external host which is approved, such as github.com, nodejs.org, etc.
Here's some examples used by containerbase:
| Host | Tool(s) |
|---|---|
| https://nodejs.org | node |
| https://api.adoptium.net | java |
| https://downloads.lightbend.com | scala |
| https://github.com | sbt, python, php, |
| https://dot.net | dotnet |
| https://cache.ruby-lang.org/ | ruby |
We can assume for now that such users can already redirect common registries like apt, npm, pip, etc - the primary concern is on arbitrary URLs like the above.
The best way to test this would be to have a build environment with external URLs blocked by default and then try to build a "full" image with all tools and find the missing URLs one by one.
The next thing we'd want is a simple way of defining alternative URLs using env.
One possibility would be to have a syntax where the full from/to is specified in separate, related variables. e.g.
URL_REPLACE_0_FROM=https://node.org
URL_REPLACE_0_TO=https://artifactory.company.com/something/nested
Such a syntax is verbose but then at least should cover every case.
A higher level approach would be like JAVA_BASE_URL=https://artifactory.company.com/something/java but has the downsides:
- One tool might try multiple hosts, and
- Multiple tools might use the same host (e.g. github.com)
Missing Tools
- [x]
bundler(gem) #1355 - [x]
cocoapods(gem) #1355 - [x]
dotnet#1347 - [x]
hashin(pip) 6b8670c2b542e9990056b84d361b21978e61a89e - [x]
pdm(pip) 6b8670c2b542e9990056b84d361b21978e61a89e - [x]
pip-tool(pip) 6b8670c2b542e9990056b84d361b21978e61a89e - [x]
pipenv(pip) 6b8670c2b542e9990056b84d361b21978e61a89e - [x]
poetry(pip) 6b8670c2b542e9990056b84d361b21978e61a89e
will do this after conversation to higher level, as it's much easier to implement in typescript.
I need this within maximum 4 weeks :-/
I think longer term we should take all these URLs and proxy them ourselves through our own CDN/host so that the user only needs to alias one or a few URLs and not 10+
working
npmcan be configured vianpm_config_registryenv or~/.npmrcpipcan be configured viaPIP_INDEX_URLenv or~/.config/pip/pip.confgemcan be configured viaRUBYGEMS_HOSTenv or~/.gemrc^1 ^2
Is it sufficient to replace just base urls or will the entire url path need to be set, perhaps minus the artifact file name/ext?
An alternate/simple way to test this is to add /etc/hosts entries for each default hostname to point back to localhost, vs actually blocking the outbound traffic.
Is it sufficient to replace just base urls or will the entire url path need to be set, perhaps minus the artifact file name/ext?
By base URL I'm not meaning only the host, I mean it could be like https://host.com/some/path too. Is that what you're worried about?
Yes. Good deal.
Randy Geyer | Principal Solutions Architect, Mend | +1 214 926-4907 | @.***
On Wed, Jun 21, 2023 at 12:44 AM Rhys Arkins @.***> wrote:
Is it sufficient to replace just base urls or will the entire url path need to be set, perhaps minus the artifact file name/ext?
By base URL I'm not meaning only the host, I mean it could be like https://host.com/some/path too. Is that what you're worried about?
— Reply to this email directly, view it on GitHub https://github.com/containerbase/base/issues/1067#issuecomment-1600154131, or unsubscribe https://github.com/notifications/unsubscribe-auth/ASV56G6L2IEPAAUNZAOVNBTXMKC4FANCNFSM6AAAAAAZI77INE . You are receiving this because you commented.Message ID: @.***>
The linked PR above will fix this issue for all tools beside the tools installed via gem, npm or pip. Those would need more effort to override the registry urls.
Would it be enough to document how to use the specific package manager environment variables?
Otherwise i would convert those tools and update the default registry urls on the fly, but that needs some more time to implement.
I think those tools hopefully have their own way of using own registries. I was after examples of redirecting URLs like GitHub and downloads.apache.org
please support redirect/replace https://dl.google.com/go
in some company intranet,unable to access dl.google.com directly
please support redirect/replace
https://dl.google.com/goin some company intranet,unable to access
dl.google.comdirectly
already supported
when this build is done, we should have all tools compatible with url replace
https://github.com/containerbase/base/actions/runs/5964382723
We should mention the abilllity to change the default corepack registry (can only be done at runtime)
- https://github.com/nodejs/corepack/tree/main#environment-variables
Hello, as far as I can see this should already work for "node". After encountering issues and some debugging I noticed that there is still a hardcoded nodejs.org value here: https://github.com/containerbase/base/blob/b9ffa658baca6b27ac1d687919b10c08a55c0989/src/cli/tools/node/resolver.ts#L14
Access to the "https://nodejs.org/dist/index.json" can't be overwritten as far as I can see even at runtime when it is needed to figure out the correct node version if "no version" or "latest" is passed.
Is it planned to be fixed within this issue or would you like me to create a new issue?
@pmaieref Please open a new discussion. that should already support replacement, see https://github.com/containerbase/base/blob/c2a72c60e04d08b2527f264c4ff8fd30dd4cea7a/src/cli/services/http.service.ts#L167