
Add support for insecure registries (Fix: #461)

Open ravanelli opened this issue 1 year ago • 1 comment

  • Introduce 'insecure-disable-tls-verification' parameter for skipping TLS verification;
  • Fix Issue: #461.

ravanelli avatar Apr 22 '24 16:04 ravanelli

It still depends on https://github.com/containers/bootc/issues/461#issuecomment-2063710854

ravanelli avatar Apr 22 '24 16:04 ravanelli

Just highlighting here

Although...wait...actually, can we handle this by just telling the admin to add to the /etc/containers/registries.conf.d with the [insecure] flag?

Let's test this first

cgwalters avatar May 30 '24 19:05 cgwalters

> Let's test this first

Not sure if this is the expected local dev/test workflow specified in https://github.com/containers/bootc/issues/461#issue-2228037745, but the following seems to work without any changes to the bootc code:

Create local registry

$ sudo mkdir -p /var/lib/registry
$ sudo podman run --privileged -d --name registry -p 5000:5000 -v /var/lib/registry:/var/lib/registry --restart=always registry:2

Disable TLS verification for the local registry

# create a new config file
$ sudo vi /etc/containers/registries.conf.d/001-localhost.conf
[[registry]]
location="localhost:5000"
insecure=true

Build and push image to local container registry

# create a simple Containerfile that is just the base fcos image
$ sudo vi Containerfile
FROM quay.io/fedora/fedora-coreos:stable

# build image from the Containerfile in the current directory
$ podman build -t localhost/fcos .

# tag image so that it can be pushed to local registry
$ podman tag localhost/fcos:latest localhost:5000/fcos:latest

# push to local registry
$ podman push localhost:5000/fcos:latest

Test that TLS verification is disabled

$ sudo bootc switch localhost:5000/fcos:latest
$ sudo systemctl reboot

Verify that bootc switch worked

$ sudo bootc status
apiVersion: org.containers.bootc/v1alpha1
kind: BootcHost
metadata:
  name: host
spec:
  image:
    image: localhost:5000/fcos:latest
    transport: registry
  bootOrder: default
status:
  staged: null
  booted:
    image:
      image:
        image: localhost:5000/fcos:latest
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:2f7207cddc3b01ee0980a4c8152d1277e0a0b5fe0ebff27bcc5e9b101e08d7ce
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 05b704430628019881d929c204ad4293230dc34d7df962428268faf145be8ac7
      deploySerial: 0
  rollback:
    image:
      image:
        image: quay.io/luyang/fcos-karg-test2
        transport: registry
      version: 40.20240504.3.0
      timestamp: null
      imageDigest: sha256:d5d43c888d3017c19ee912714ce206716dd56564eea5818e5b2f32f6e74feae5
    cachedUpdate: null
    incompatible: false
    pinned: false
    ostree:
      checksum: 6f3d22c95edbd7257e5de1a6dcd88e31c4536031776230e4daa1629f679cc098
      deploySerial: 0
  rollbackQueued: false
  type: bootcHost

lukewarmtemp avatar Jun 03 '24 16:06 lukewarmtemp

Thanks for testing this @lukewarmtemp ! https://github.com/containers/bootc/pull/580

cgwalters avatar Jun 03 '24 18:06 cgwalters