
Support HTTPS Proxies in the Container builds

Open mtalexan opened this issue 3 years ago • 0 comments

Feature Request

It's common for users to be behind corporate firewalls that include HTTPS proxies, or to need to pull packages from a private corporate server. Allowing the coreos-assembler tool to reach the internet from behind an HTTPS proxy, or to reach a private corporate server, requires additional custom certificates to be installed in the container.
It cannot be assumed the host system is Fedora or Fedora-like in all situations; a common CI build node configuration, for example, is an Ubuntu-based host. Therefore one of the frequent solutions, over-mounting the compiled certificate database with the one from the host, isn't compatible/sufficient.
Building new images that extend existing public upstream images just to add corporate CA certificates adds excessive overhead and maintenance costs, and usually results in out-of-date containers.

The request is to add native support to the container images for custom CAs being added to the container at run-time.

Desired Feature

Support an environment variable or a mount point whose contents are copied into /usr/share/pki/ca-trust-source/anchors, and then have update-ca-trust run before anything else on the system. If done right, the copy can be update-only (only overwrite if the source is newer) and update-ca-trust is only run if something was copied.

In a very simple case, this could be a matter of changing the entrypoint in the container from ["/usr/bin/dumb-init", "/usr/bin/coreos-assembler"] to dumb-init plus a shell script that does the following (assumes any certs needing installation are already mounted at /custom-certs):

#!/bin/bash

if [ -d /custom-certs ]; then
  # copy only newer files (-u), and print verbosely (-v), one file per line,
  # what was copied so we can count it
  files_copied=$(sudo cp -uv -t /usr/share/pki/ca-trust-source/anchors /custom-certs/* | wc -l)
  if [ "${files_copied}" -eq 0 ]; then
    echo "No CA updates needed"
  else
    echo "${files_copied} CAs modified."
    # the anchors directory and the compiled trust store are root-owned,
    # so the rebuild needs the same privilege as the copy above
    sudo update-ca-trust
  fi
fi

# replace the wrapper with the real entrypoint so dumb-init supervises it directly
exec /usr/bin/coreos-assembler "$@"

Example Usage

Assuming providing a /custom-certs optional mountpoint instead of an environment variable:

podman run --rm -it \
    -v ${HOME}/my-ca-certs:/custom-certs \
    ...other normal args...

Other Information

Given the usage restrictions:

  • New container images starting from the provided one as a base are not an option
  • The host system isn't necessarily Fedora-like

The current workaround solution for users is to create a directory with the wrapper script in it, mount the script folder into the container, and override the entrypoint to use the script from the mounted folder instead of coreos-assembler directly.

EDIT: Corrected the names of what is called, and clarified how it fit with the 2-part entrypoint in the Dockerfile.

mtalexan, Nov 30 '22 19:11
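The following is an added example of the workaround described in the issue (a wrapper script mounted into the container and used as the entrypoint); it is not coreos-assembler's own code and not the author's script. It tightens the simple version above in one security-relevant way: anything dropped into the anchors directory becomes a trusted CA for every TLS connection the build makes, so the wrapper only installs files that look like PEM certificates, refuses files that also carry a private key, and optionally asks openssl to parse each one. The file name cosa-entrypoint.sh, the CA_SRC/CA_DST/SUDO/CA_STRICT variables and the use of passwordless sudo for the container's unprivileged user are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not coreos-assembler's code. Assumed: this file is mounted into
# the container as cosa-entrypoint.sh, the container user has passwordless sudo,
# and CA_SRC / CA_DST / SUDO / CA_STRICT are knobs invented for this example.

CA_SRC="${CA_SRC:-/custom-certs}"
CA_DST="${CA_DST:-/usr/share/pki/ca-trust-source/anchors}"
SUDO="${SUDO-sudo}"          # set SUDO="" when already running as root
CA_STRICT="${CA_STRICT:-1}"  # 1: additionally require openssl to parse each file

# Returns 0 when a file is acceptable as a trust anchor: it must contain a PEM
# CERTIFICATE block and must not contain a private key (a combined cert+key
# bundle would otherwise end up in a world-readable directory and be trusted
# as a CA). With CA_STRICT=1 and openssl present, the first cert must parse.
is_ca_pem() {
  local f="$1"
  grep -q -- '-----BEGIN CERTIFICATE-----' "$f" || return 1
  grep -q -- 'PRIVATE KEY-----' "$f" && return 1
  if [ "$CA_STRICT" = 1 ] && command -v openssl >/dev/null 2>&1; then
    openssl x509 -noout -in "$f" >/dev/null 2>&1 || return 1
  fi
  return 0
}

# Installs every acceptable *.pem / *.crt from $1 into $2 when it is missing
# there or newer than the installed copy. Prints the number of files installed
# on stdout; diagnostics go to stderr so the count stays parseable.
install_custom_cas() {
  local src="$1" dst="$2" f base copied=0
  [ -d "$src" ] || { echo 0; return 0; }   # nothing mounted: nothing to do
  for f in "$src"/*.pem "$src"/*.crt; do
    [ -f "$f" ] || continue                # glob matched nothing
    base=$(basename "$f")
    if ! is_ca_pem "$f"; then
      echo "skipping $base: not a PEM CA certificate" >&2
      continue
    fi
    if [ ! -e "$dst/$base" ] || [ "$f" -nt "$dst/$base" ]; then
      $SUDO install -m 0644 "$f" "$dst/$base" || return 1
      copied=$((copied + 1))
    fi
  done
  echo "$copied"
}

main() {
  local n
  n=$(install_custom_cas "$CA_SRC" "$CA_DST") || exit 1
  if [ "$n" -gt 0 ]; then
    echo "$n CA(s) installed, rebuilding the trust store" >&2
    $SUDO update-ca-trust || exit 1
  else
    echo "No CA updates needed" >&2
  fi
  exec /usr/bin/coreos-assembler "$@"
}

# Act as the entrypoint only when invoked under the mounted file name;
# sourcing the file elsewhere just defines the functions above.
case "${0##*/}" in
  cosa-entrypoint.sh) main "$@" ;;
esac
```

To use it, mount the script and the certificate directory read-only and override the two-part entrypoint, e.g. `-v "$PWD/cosa-entrypoint.sh:/usr/local/bin/cosa-entrypoint.sh:ro" -v "$HOME/my-ca-certs:/custom-certs:ro" --entrypoint '["/usr/bin/dumb-init","/usr/local/bin/cosa-entrypoint.sh"]'` on the usual podman run command. Because the copy is skipped when the installed file is not older, repeated runs of a long-lived container do not rebuild the trust store needlessly; because rejected files are reported on stderr rather than silently dropped, a mis-named key file shows up in the CI log instead of becoming a trusted root.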