Story #1773

No "unprotected/http" option available for ostree repos

Added by almost 4 years ago. Updated 3 months ago.

Tags: Pulp 2


It's likely katello might need http based ostree stuff in the future, given the KS config file is going to look like this:

    lang en_US.UTF-8

    ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=http://<ostree repo url> --ref=rhel-atomic-host/7/x86_64/standard
    services --disabled cloud-init,cloud-config,cloud-final,cloud-init-local

Anaconda only likes http more than https. We likely need it to be unprotected.


#1 Updated by mhrivnak almost 4 years ago

Have you verified that it fails over https?

#2 Updated by almost 4 years ago

Partha, where do we stand on this?

#3 Updated by almost 4 years ago

Sorry for the delay. The answer to your question is that we might need pulp to provide us a facility to publish CDN content via HTTP.
Look at the TLS cert error ->

I tried running the following kickstart file to get the above error ->

    ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=https://<sat-fqdn>/pub/atomicos/

#4 Updated by almost 4 years ago

OK, we would definitely need this for fedora, unless Jeff/Michael can come up with an alternate solution. The idea is this: we want to use pulp to store the fedora ostree repo and have it be used in a fedora cloud image to upgrade via the following commands. We are unable to get this to work in the present setup with repo protection. It only seems to work for subscription-manager with an entitlement certificate.

    ostree remote add --set=gpg-verify=false MyRepo  https://<sat-fqdn>/pulp/ostree/web/<repo>
    rpm-ostree rebase MyRepo:rhel-atomic-host/7/x86_64/standard
    systemctl reboot

#5 Updated by almost 4 years ago

  • Tracker changed from Issue to Story
  • Groomed set to No
  • Sprint Candidate set to No

#7 Updated by almost 3 years ago

I finally figured out an easy way to reproduce this issue in standalone pulp.

  • set "enabled" to true in /etc/pulp/repo_auth.conf

  • make sure SSLVerifyClient is set to optional/optional_no_ca in /etc/httpd/conf.d/pulp_ostree.conf

  • service httpd restart

  • create the pulp repo

    $ pulp-admin ostree repo create --repo-id=gatsby --feed=
    $ pulp-admin sync run --repo-id=gatsby
    $ mkdir /tmp/repo
    $ cd /tmp/repo
    $ ostree init --repo=.
    $ ostree --repo=. remote add --set=tls-permissive=true --set=gpg-verify=false all https://localhost/pulp/ostree/web/test-repos/ostree-zoo fedora-atomic/f21/x86_64/updates-testing/docker-host
    $ ostree pull all --repo=. -v --depth=-1
    error: Server returned status 403: Forbidden

  • set "enabled" to false in /etc/pulp/repo_auth.conf

  • service httpd restart

  • rerun the pull

    $ ostree pull all --repo=. --depth=-1
    257 metadata, 660 content objects fetched; 228 KiB transferred in 3 seconds

Basically this tells us that pulp is requiring a client certificate to pull ostree content. We need the ability to turn off repo auth for some ostree repos.

For custom repos we do not care about protection, and moreover the anaconda ostreesetup command does not have a way to specify a client certificate, and hence a katello user will not be able to provision an ostree based OS under the current setup.

My suggestion would be either

  1. Provide an http out OR
  2. Provide a way to turn off repo authorization on a per repo basis.
    I feel the ability to turn off repo auth is more appropriate and will help us in the long run.
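
An added example (not part of the issue thread and not Pulp's own code): an audit check that reads the two settings used in the reproduction above and reports what an `ostree pull` without a client certificate should expect. The `[main]` section name, treating a missing `enabled` as false, and the outcome labels are assumptions; the sample config text is constructed.

```python
import configparser
import re

# Constructed sample inputs, modelled on the settings named in the thread.
SAMPLE_REPO_AUTH = "[main]\nenabled: true\n"
SAMPLE_HTTPD = """\
<Location /pulp/ostree/web>
    # SSLVerifyClient require
    SSLVerifyClient optional_no_ca
</Location>
"""

def repo_auth_enabled(text, section="main"):
    """Value of 'enabled' in repo_auth.conf text (section name is assumed)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    # Assumption: a missing option is treated as protection being off.
    return cp.getboolean(section, "enabled", fallback=False)

def ssl_verify_client(text):
    """Last uncommented SSLVerifyClient value in httpd config text, or None."""
    value = None
    for line in text.splitlines():
        m = re.match(r"\s*SSLVerifyClient\s+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).lower()
    return value

def anonymous_pull_outcome(repo_auth_text, httpd_text):
    """Expected result of a pull that presents no client certificate."""
    verify = ssl_verify_client(httpd_text)
    if verify == "require":
        # General Apache behaviour: a client certificate is mandatory.
        return "client-cert-required"
    if not repo_auth_enabled(repo_auth_text):
        return "allowed"            # matches the successful pull in the thread
    if verify in ("optional", "optional_no_ca"):
        return "403-forbidden"      # matches the 403 reproduced in the thread
    return "undetermined"           # combination not covered by the thread

if __name__ == "__main__":
    paths = ("/etc/pulp/repo_auth.conf", "/etc/httpd/conf.d/pulp_ostree.conf")
    try:
        auth, httpd = (open(p).read() for p in paths)
    except OSError:
        auth, httpd = SAMPLE_REPO_AUTH, SAMPLE_HTTPD  # fall back to samples
    print(anonymous_pull_outcome(auth, httpd))
```
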

#8 Updated by bmbouter 11 months ago

  • Tags Pulp 2 added

#9 Updated by 8 months ago

  • Status changed from NEW to CLOSED - WONTFIX

This will not be addressed in Pulp 2. Content guards can be used selectively to achieve this in Pulp 3.
