Story #1773
No "unprotected/http" option available for ostree repos
Status: closed
Description
It's likely katello might need http-based ostree stuff in the future, given the KS config file is going to look like this:
lang en_US.UTF-8
...
ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=http://<ostree repo url> --ref=rhel-atomic-host/7/x86_64/standard
services --disabled cloud-init,cloud-config,cloud-final,cloud-init-local
.....
.....
Anaconda likes http more than https. We likely need it to be unprotected.
Updated by mhrivnak over 8 years ago
Have you verified that it fails over https?
Updated by jortel@redhat.com over 8 years ago
Partha, where do we stand on this?
Updated by paji@redhat.com over 8 years ago
Sorry for the delay. The answer to your question is that we might need pulp to provide us a facility to publish CDN content via HTTP.
Look at the TLS cert error -> http://i.imgur.com/FdFOsiW.png
I tried running the following kickstart file to get the above error:
ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=https://<sat-fqdn>/pub/atomicos/
Updated by paji@redhat.com over 8 years ago
Ok, we would definitely need this for fedora, unless Jeff/Michael can come up with an alternate solution. The idea is this: we want to use pulp to store a fedora ostree repo and have it be used in the fedora cloud image to upgrade via the following commands. We are unable to get this to work in the present setup with repo protection. It only seems to work for subscription-manager with an entitlement certificate.
ostree remote add --set=gpg-verify=false MyRepo https://<sat-fqdn>/pulp/ostree/web/<repo>
rpm-ostree rebase MyRepo:rhel-atomic-host/7/x86_64/standard
systemctl reboot
Updated by dkliban@redhat.com over 8 years ago
- Tracker changed from Issue to Story
- Groomed set to No
- Sprint Candidate set to No
Updated by paji@redhat.com over 7 years ago
I finally figured out an easy way to reproduce this issue in standalone pulp.
- set "enabled" to true in /etc/pulp/repo_auth.conf
- make sure SSLVerifyClient is set to optional/optional_no_ca in /etc/httpd/conf.d/pulp_ostree.conf
- service httpd restart
- create the pulp repo

$ pulp-admin ostree repo create --repo-id=gatsby --feed=https://partha.fedorapeople.org/test-repos/ostree-zoo
$ pulp-admin ostree repo sync run --repo-id=gatsby
$ mkdir /tmp/repo
$ cd /tmp/repo
$ ostree init --repo=.
$ ostree --repo=. remote add --set=tls-permissive=true --set=gpg-verify=false all https://localhost/pulp/ostree/web/test-repos/ostree-zoo fedora-atomic/f21/x86_64/updates-testing/docker-host
$ ostree pull all --repo=. -v --depth=-1
error: Server returned status 403: Forbidden

- set "enabled" to false in /etc/pulp/repo_auth.conf
- service httpd restart
- rerun the pull

$ ostree pull all --repo=. --depth=-1
257 metadata, 660 content objects fetched; 228 KiB transferred in 3 seconds
Basically, this tells us that pulp is requiring a client certificate to pull ostree content. We need the ability to turn off repo auth for some ostree repos.
For custom repos we do not care about protection, and moreover the anaconda ostreesetup command does not have a way to specify a client certificate; hence a katello user will not be able to provision an ostree-based OS under the current setup.
My suggestion would be either
- Provide an http out OR
- Provide a way to turn off repo authorization on a per repo basis.
I feel the ability to turn off repo auth is more appropriate and will help us in the long run.
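The reproduction above, like the earlier `ostree remote add` and kickstart `--nogpg` commands, turns off every client-side check (`tls-permissive=true`, `gpg-verify=false`) to get at the 403, which is exactly the configuration that should never survive into a provisioned host. The following is an added example, not code from this thread or from the Pulp project: it reads an ostree repo `config` file (the GLib keyfile ostree writes under `/tmp/repo/config` in the steps above) and reports, per remote, which protections are disabled and whether the remote carries a client certificate at all. The sample `config` text and the remote named `MyRepo` with its entitlement cert paths are constructed for the example; the `all` remote mirrors the one created in the reproduction.

```python
import configparser
from dataclasses import dataclass, field

# Constructed sample: an ostree repo "config" of the kind `ostree init` plus the
# `ostree remote add` commands in this thread would produce. The MyRepo remote and
# its certificate paths are invented for the example.
SAMPLE_CONFIG = """\
[core]
repo_version=1
mode=bare

[remote "all"]
url=https://localhost/pulp/ostree/web/test-repos/ostree-zoo
tls-permissive=true
gpg-verify=false

[remote "MyRepo"]
url=https://sat.example.com/pulp/ostree/web/fedora
gpg-verify=false
tls-client-cert-path=/etc/pki/entitlement/client.pem
tls-client-key-path=/etc/pki/entitlement/client-key.pem
"""


@dataclass
class RemoteReport:
    name: str
    url: str
    findings: list = field(default_factory=list)


def _as_bool(value, default):
    """Keyfile booleans are plain text; fall back to ostree's default when unset."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "1", "yes")


def audit_remotes(config_text):
    """Parse an ostree repo config and flag remotes with weakened checks.

    ostree defaults are gpg-verify=true and tls-permissive=false, so a remote
    only gets a finding when the operator explicitly relaxed something.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    reports = []
    for section in parser.sections():
        # Remotes live in sections named: remote "<name>"
        if not (section.startswith('remote "') and section.endswith('"')):
            continue
        name = section[len('remote "'):-1]
        remote = parser[section]
        report = RemoteReport(name=name, url=remote.get("url", ""))

        if not _as_bool(remote.get("gpg-verify"), True):
            report.findings.append(
                "gpg-verify=false: commits are not signature-checked")
        if _as_bool(remote.get("tls-permissive"), False):
            report.findings.append(
                "tls-permissive=true: server certificate is not verified")
        if report.url.startswith("http://"):
            report.findings.append(
                "plain http: integrity rests entirely on gpg-verify")
        if report.url.startswith("https://") and not remote.get("tls-client-cert-path"):
            # Matches the thread's observation: Pulp repo auth answers 403 to a
            # pull that presents no client certificate.
            report.findings.append(
                "no tls-client-cert-path: a Pulp repo with repo auth enabled will answer 403")
        reports.append(report)
    return reports


if __name__ == "__main__":
    for report in audit_remotes(SAMPLE_CONFIG):
        print(f'remote "{report.name}" -> {report.url}')
        for finding in report.findings:
            print(f"  - {finding}")
```

Run it against a real repo with `audit_remotes(open("/tmp/repo/config").read())`; the `all` remote from the reproduction comes back with three findings (no GPG, no TLS verification, no client cert), which is a useful reminder that disabling repo auth on the Pulp side only removes the 403, not the need to re-enable `gpg-verify` before any `rpm-ostree rebase` on a real host.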
Updated by dkliban@redhat.com over 5 years ago
- Status changed from NEW to CLOSED - WONTFIX
This will not be addressed in Pulp 2. Content guards can be used selectively to achieve this in Pulp 3.