Supporting insecure registries

Open leonardoheld opened this issue 3 years ago • 3 comments

When trying to pull images from insecure registries, I got the well-known error

http: server gave HTTP response to HTTPS client

because of the missing insecure tag on daemon.json. Could we do something like passing the insecure registry as a build arg or runtime arg? I already build the image echoing the needed options, but it would be nice to support out-of-the-box =)

Thanks (and thanks for the free software)!

leonardoheld avatar Feb 07 '22 12:02 leonardoheld

Thanks for giving the analyzer a try!

Yes, it would certainly be possible to do something like that, both at runtime and at build time, and actually even on a per-image basis.

I think that the place that needs changing is the default policy used in PullImageToLocalStorage: https://github.com/dcermak/container-layer-sizes/blob/dda2df382fd6149ae22fa44adace6334694fcec7/main.go#L361

It needs to include a PolicyRequirement that allows it to accept anything (named quite to the point exactly that): https://github.com/containers/image/blob/ac2483ecd4b6cdf67d1eb0505a9a638c27ed1b8c/signature/policy_types.go#L56

Just glancing over this, I unfortunately don't see a convenient option how to set this via the API, except to provide a custom json…

Anyway, the technical details aside: what's your take on this? Would you consider a global switch or a per image switch to be more useful? And would you like to give implementing this a try? I think this shouldn't be too much work and I'd be more than willing to help you around the code.

dcermak avatar Feb 07 '22 15:02 dcermak

No problem! Deploying embedded containers right now (extremely size-constrained) and this tool is for sure a must-have. Having a visualization for the layers is awesome!

I wouldn't mind a custom json. There are some internal services I run that do just that (I have a buildx CI that just has the buildkit.toml file automatically included. No biggie.). I think a per-registry option is best, to avoid pulling from unknown, unsecure registries.

About implementing as a feature, I can't code Go, but I can absolutely make time and try! :)

leonardoheld avatar Feb 07 '22 16:02 leonardoheld
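
The per-registry preference in the comment above, as an added example that is not part of the thread or of container-layer-sizes: a check over a containers/image `policy.json` (the signature policy that the linked PolicyRequirement belongs to) that reports every place `insecureAcceptAnything` applies outside an allow-list. It assumes the "custom json" is such a policy file; the registry name, the sample policy and the `AuditPolicy` helper are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Constructed sample: reject by default, accept anything from one internal registry only.
const samplePolicy = `{"default": [{"type": "reject"}], "transports": {"docker": {
  "registry.internal.example:5000": [{"type": "insecureAcceptAnything"}]}}}`

type reqs []struct{ Type string } // encoding/json matches the "type" key case-insensitively
type policy struct {
	Default    reqs
	Transports map[string]map[string]reqs
}

// AuditPolicy returns, sorted, every "default" or "transport:scope" entry that
// uses insecureAcceptAnything without being allow-listed (hypothetical helper).
func AuditPolicy(doc string, allowed map[string]bool) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	findings := []string{}
	check := func(name string, rs reqs) {
		for _, r := range rs {
			if r.Type == "insecureAcceptAnything" && !allowed[name] {
				findings = append(findings, name)
				return
			}
		}
	}
	check("default", p.Default)
	for transport, scopes := range p.Transports {
		for scope, rs := range scopes { // an empty scope is the transport-wide default
			check(transport+":"+scope, rs)
		}
	}
	sort.Strings(findings)
	return findings, nil
}

func main() {
	allowed := map[string]bool{"docker:registry.internal.example:5000": true}
	fmt.Println(AuditPolicy(samplePolicy, allowed))
}
```

An empty result means the policy skips verification only for the allow-listed registry; a `default` or `docker:` finding means it applies to every image or to the whole transport.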

Hey @leonheld, apologies for the long radio silence from my side. I haven't really had the time to work on this yet, but I just realized that the container image that is available from the GitHub registry should be configured to accept insecure transports: https://github.com/dcermak/container-layer-sizes/blob/574e0400598ae135c7f4719baa364bedcb4c86fb/Dockerfile#L27

Have you tried that one or have you built the analyzer on your local machine?

dcermak avatar Mar 05 '22 17:03 dcermak