support insecure registries
I'd resisted doing this a lot, but there are enough local dev/test scenarios where it'd be useful to be able to fetch from an insecure registry.
This would probably be a simple new insecure: true flag in the host image spec which we end up passing down into the ostree-ext/skopeo stack.
@ravanelli is going to look at this during the sprint. Let us know if that is ok.
Awesome :tada: Happy to join a call and talk about it/mentor
Thanks @cgwalters, I'm totally new to bootc and also to Rust. I was looking around and it seems you mentioned this part: https://github.com/containers/bootc/blob/main/lib/src/spec.rs#L63 Is it correct? If so, I will take the time to do the change and understand how to properly test it.
That's signature verification which is different from TLS. I stubbed this out to start
diff --git a/lib/src/deploy.rs b/lib/src/deploy.rs
index 3eb31a8..c35a001 100644
--- a/lib/src/deploy.rs
+++ b/lib/src/deploy.rs
@@ -121,6 +121,7 @@ pub(crate) async fn pull(
quiet: bool,
) -> Result<Box<ImageState>> {
let repo = &sysroot.repo();
+ // MODIFY HERE to eventually pass things down to the `skopeo` process with --src-tls-verify=false
let ostree_imgref = &OstreeImageReference::from(imgref.clone());
let mut imp = new_importer(repo, ostree_imgref).await?;
let prep = match imp.prepare().await? {
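Review bot: the `// MODIFY HERE` comment in `pull()` is a placeholder rather than a change, and the flag added to `ImageReference` in the spec hunk has no path into `new_importer(repo, ostree_imgref)` as written. Since `--src-tls-verify=false` makes skopeo both skip certificate verification and accept plain HTTP, the value should be read from the per-image spec (`imgref`) so it applies to this pull only, never process-wide, and it is worth a warn-level log line when it takes effect so an insecure pull is visible in the journal.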
diff --git a/lib/src/spec.rs b/lib/src/spec.rs
index 5f6df93..fbf2d44 100644
--- a/lib/src/spec.rs
+++ b/lib/src/spec.rs
@@ -74,6 +74,9 @@ pub struct ImageReference {
/// Signature verification type
#[serde(skip_serializing_if = "Option::is_none")]
pub signature: Option<ImageSignature>,
+ /// Skip TLS and certificate verification; this is very insecure and
+ /// should only be used in testing environments.
+ pub disable_tls_verification: bool,
}
/// The status of the booted image
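Review bot: `pub disable_tls_verification: bool` is added without a `#[serde(default)]` attribute; if this struct derives `Deserialize`, any previously written spec that lacks the new key will fail to parse. Mark it optional and omitted when false, e.g. `#[serde(default, skip_serializing_if = "std::ops::Not::not")]`, to match the adjacent `signature` field's `skip_serializing_if` convention, and consider an `insecure_` prefix in the field name so the risk is visible wherever the key appears.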
This will also likely require a change to...oh no wait we already have https://github.com/containers/containers-image-proxy-rs/blob/28155f45bf635edcbaf5b4e3540f3e3c54a13bd2/src/imageproxy.rs#L127
(Edit yeah let's also call it insecure_disable_tls_verification here too to emphasize)
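To show the mapping sketched above (a spec-level flag passed down to skopeo's `--src-tls-verify=false`), here is an added example that is not bootc or ostree-ext code: the struct, field and function names are assumptions for illustration, and it assumes the flag should only act on registry transports (docker://, docker-daemon:), since there is no TLS to skip for oci: or dir: sources.

```rust
// Added example, not project code. Names below are assumptions.

/// Subset of the host image spec relevant to insecure pulls.
#[derive(Debug, Clone, Default)]
pub struct ImageReference {
    /// Full skopeo-style reference, e.g. "docker://registry.local:5000/app:dev"
    pub image: String,
    /// Skip TLS and certificate verification; testing only.
    pub insecure_disable_tls_verification: bool,
}

/// Transport prefix of a reference ("docker", "oci", "dir", ...).
fn transport(reference: &str) -> &str {
    reference.split(':').next().unwrap_or("")
}

/// Only these transports talk to a registry/daemon over TLS, so only
/// there does `--src-tls-verify` have anything to act on.
fn uses_registry_tls(transport: &str) -> bool {
    matches!(transport, "docker" | "docker-daemon")
}

/// True when this pull would run without certificate checks (and would
/// accept plain HTTP); callers can log this loudly.
pub fn pull_is_insecure(r: &ImageReference) -> bool {
    r.insecure_disable_tls_verification && uses_registry_tls(transport(&r.image))
}

/// Build the source-side `skopeo copy` arguments for this reference.
/// The default (verify) is left untouched unless the spec opted out.
pub fn skopeo_src_args(r: &ImageReference) -> Vec<String> {
    let mut args = vec!["copy".to_string()];
    if pull_is_insecure(r) {
        args.push("--src-tls-verify=false".to_string());
    }
    args.push(r.image.clone());
    args
}

fn main() {
    // Constructed sample reference for a local test registry.
    let r = ImageReference {
        image: "docker://registry.local:5000/app:dev".to_string(),
        insecure_disable_tls_verification: true,
    };
    println!("insecure={} args={:?}", pull_is_insecure(&r), skopeo_src_args(&r));
}
```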
@cgwalters I wonder if you could clarify if the path I'm going is the right one?
Seems we don't need to change the pull function as you mentioned here:
diff --git a/lib/src/deploy.rs b/lib/src/deploy.rs
index 3eb31a8..c35a001 100644
--- a/lib/src/deploy.rs
+++ b/lib/src/deploy.rs
@@ -121,6 +121,7 @@ pub(crate) async fn pull(
quiet: bool,
) -> Result<Box<ImageState>> {
let repo = &sysroot.repo();
+ // MODIFY HERE to eventually pass things down to the `skopeo` process with --src-tls-verify=false
let ostree_imgref = &OstreeImageReference::from(imgref.clone());
let mut imp = new_importer(repo, ostree_imgref).await?;
let prep = match imp.prepare().await? {
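Review bot: this is the same `pull()` hunk as above, and the blocker is not the pull site but the importer: `new_importer(repo, ostree_imgref)` takes only the repository and the converted reference, so unless the `OstreeImageReference` produced by `OstreeImageReference::from(imgref.clone())` can carry the flag, there is no way to reach the proxy configuration from here, which is why the ostree-ext side needs the change first.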
If I understood it, I need to pass the new insecure_disable_tls_verification to OstreeImageReference, which eventually will be used by ImageProxyConfig. The issue I'm getting now is: I probably need to get it added as part of the ostree-rs-ext first, around here.
Can I say it is the right path to go?
You can see what I already did in my branch here
Hey, has any progress happened on this topic?
We are looking into local insecure registries for E2E testing a fleet management system based on bootc.