Story #1773

No "unprotected/http" option available for ostree repos

Added by over 5 years ago. Updated about 2 years ago.

Pulp 2


It's likely katello might need http based ostree stuff in the future, given the KS config file is going to look like this:

    lang en_US.UTF-8

    ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=http://<ostree repo url> --ref=rhel-atomic-host/7/x86_64/standard
    services --disabled cloud-init,cloud-config,cloud-final,cloud-init-local

Anaconda only likes http more than https. We likely need it to be unprotected.


#1 Updated by mhrivnak over 5 years ago

Have you verified that it fails over https?

#2 Updated by over 5 years ago

Partha, where do we stand on this?

#3 Updated by over 5 years ago

Sorry for the delay. The answer to your question is that we might need pulp to provide us a facility to publish CDN content via HTTP.
Look at the TLS cert error ->

I tried running the following kickstart file to get the above error->

    ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=https://<sat-fqdn>/pub/atomicos/

#4 Updated by over 5 years ago

OK, we would definitely need this for Fedora, unless Jeff/Michael can come up with an alternate solution. The idea is this: we want to use pulp to store the Fedora ostree repo and have it be used in the Fedora cloud image to upgrade via the following commands. We are unable to get this to work in the present setup with repo protection. It only seems to work for subscription-manager with an entitlement certificate.

    ostree remote add --set=gpg-verify=false MyRepo  https://<sat-fqdn>/pulp/ostree/web/<repo>
    rpm-ostree rebase MyRepo:rhel-atomic-host/7/x86_64/standard
    systemctl reboot

#5 Updated by over 5 years ago

  • Tracker changed from Issue to Story
  • Groomed set to No
  • Sprint Candidate set to No

#7 Updated by over 4 years ago

I finally figured out an easy way to reproduce this issue in standalone pulp.

  • set "enabled" to true in /etc/pulp/repo_auth.conf

  • make sure SSLVerifyClient is set to optional/optional_no_ca in /etc/httpd/conf.d/pulp_ostree.conf

  • service httpd restart

  • create the pulp repo

    $ pulp-admin ostree repo create --repo-id=gatsby --feed=
    $ pulp-admin sync run --repo-id=gatsby
    $ mkdir /tmp/repo
    $ cd /tmp/repo
    $ ostree init --repo=.
    $ ostree --repo=. remote add --set=tls-permissive=true --set=gpg-verify=false all https://localhost/pulp/ostree/web/test-repos/ostree-zoo fedora-atomic/f21/x86_64/updates-testing/docker-host
    $ ostree pull all --repo=. -v --depth=-1
    error: Server returned status 403: Forbidden

  • set "enabled" to false in /etc/pulp/repo_auth.conf

  • service httpd restart

  • rerun the pull

    $ ostree pull all --repo=. --depth=-1
    257 metadata, 660 content objects fetched; 228 KiB transferred in 3 seconds

Basically this tells us that pulp is requiring a client certificate to pull ostree content. We need the ability to turn off repo auth for some ostree repos.

For custom repos we do not care about protection, and moreover the anaconda ostreesetup command does not have a way to specify a client certificate, and hence a katello user will not be able to provision an ostree based OS under the current setup.

My suggestion would be either

  1. Provide an http out OR
  2. Provide a way to turn off repo authorization on a per repo basis.
     I feel the ability to turn off repo auth is more appropriate and will help us in the long run.

#8 Updated by bmbouter over 2 years ago

  • Tags Pulp 2 added

#9 Updated by over 2 years ago

  • Status changed from NEW to CLOSED - WONTFIX

This will not be addressed in Pulp 2. Content guards can be used selectively to achieve this in Pulp 3.
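
The commands quoted in this thread switch off different protections: `--nogpg` and `gpg-verify=false` disable signature checks, `tls-permissive=true` disables server certificate checks, and an `http://` URL removes TLS entirely, all independently of Pulp's client-certificate repo auth. The following is an added example, not code from Pulp, Katello or the commenters, that reports which of these a given `ostreesetup` or `ostree remote add` line disables; the finding names and the `repo.example.test` host are constructed for illustration.

```python
import shlex
from urllib.parse import urlsplit

def audit_ostree_line(line):
    """Return a sorted list of protections that one command line disables."""
    tokens = shlex.split(line.lstrip("$ "))   # tolerate a leading shell prompt
    findings = set()
    settings = {}                             # key/value pairs given via --set=
    url = None
    for tok in tokens:
        if tok == "--nogpg":                  # kickstart ostreesetup flag
            findings.add("no-gpg-verification")
        elif tok.startswith("--set="):        # ostree remote option
            key, _, value = tok[len("--set="):].partition("=")
            settings[key] = value.lower()
        elif tok.startswith("--url="):
            url = tok[len("--url="):]
        elif "://" in tok:                    # positional URL of `remote add`
            url = tok
    if settings.get("gpg-verify") == "false":
        findings.add("no-gpg-verification")
    if settings.get("tls-permissive") == "true":
        findings.add("no-tls-server-verification")
    if url and urlsplit(url).scheme == "http":
        findings.add("cleartext-transport")
    # Without signature checks, integrity rests on the transport alone. If the
    # transport is unauthenticated too, nothing vouches for the pulled content.
    weak_transport = {"cleartext-transport", "no-tls-server-verification"}
    if "no-gpg-verification" in findings and findings & weak_transport:
        findings.add("content-unauthenticated")
    return sorted(findings)

# Constructed sample lines modelled on the commands in the thread; the host
# names and repo paths are placeholders, not values from the issue.
SAMPLES = [
    "ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host "
    "--url=http://repo.example.test/atomic --ref=rhel-atomic-host/7/x86_64/standard",
    "ostree remote add --set=gpg-verify=false MyRepo "
    "https://repo.example.test/pulp/ostree/web/demo",
    "$ ostree --repo=. remote add --set=tls-permissive=true "
    "--set=gpg-verify=false all https://localhost/pulp/ostree/web/demo",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_ostree_line(sample), "<-", sample[:60])
```

Only the second sample still authenticates the server through TLS; the first and third leave the pulled tree with no integrity check at all.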
