No "unprotected/http" option available for ostree repos
It's likely katello might need http based ostree stuff in the future, given the KS config file is going to look like this:
lang en_US.UTF-8
...
ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=http://<ostree repo url> --ref=rhel-atomic-host/7/x86_64/standard
services --disabled cloud-init,cloud-config,cloud-final,cloud-init-local
.....
.....
Anaconda only likes http more than https. We likely need it to be unprotected..
#3 Updated by email@example.com almost 4 years ago
Sorry for the delay. The answer to your question is that we might need pulp to provide us a facility to publish CDN content via HTTP.
Look at the TLS cert error -> http://i.imgur.com/FdFOsiW.png
I tried running the following kickstart file to get the above error->
ostreesetup --nogpg --osname=rhel-atomic-host --remote=rhel-atomic-host --url=https://<sat-fqdn>/pub/atomicos/
#4 Updated by firstname.lastname@example.org almost 4 years ago
OK, we would definitely need this for fedora, unless Jeff/Michael can come up with an alternate solution. The idea is this: we want to use pulp to store the fedora ostree repo and have it be used in the fedora cloud image to upgrade via the following commands. We are unable to get this to work in the present setup with repo protection. It only seems to work for subscription-manager with an entitlement certificate.
ostree remote add --set=gpg-verify=false MyRepo https://<sat-fqdn>/pulp/ostree/web/<repo>
rpm-ostree rebase MyRepo:rhel-atomic-host/7/x86_64/standard
systemctl reboot
#7 Updated by email@example.com almost 3 years ago
I finally figured out an easy way to reproduce this issue in standalone pulp.
set "enabled" to true in /etc/pulp/repo_auth.conf
make sure SSLVerifyClient is set to optional/optional_no_ca in /etc/httpd/conf.d/pulp_ostree.conf
service httpd restart
create the pulp repo
$ pulp-admin ostree repo create --repo-id=gatsby --feed=https://partha.fedorapeople.org/test-repos/ostree-zoo
$ pulp-admin sync run --repo-id=gatsby
$ mkdir /tmp/repo
$ cd /tmp/repo
$ ostree init --repo=.
$ ostree --repo=. remote add --set=tls-permissive=true --set=gpg-verify=false all https://localhost/pulp/ostree/web/test-repos/ostree-zoo fedora-atomic/f21/x86_64/updates-testing/docker-host
$ ostree pull all --repo=. -v --depth=-1
error: Server returned status 403: Forbidden
set "enabled" to false in /etc/pulp/repo_auth.conf
service httpd restart
rerun the pull
$ ostree pull all --repo=. --depth=-1
257 metadata, 660 content objects fetched; 228 KiB transferred in 3 seconds
Basically this tells us that pulp is requiring a client certificate to pull ostree content. We need the ability to turn off repo auth for some ostree repos.
For custom repos we do not care about protection, and moreover the anaconda ostreesetup command does not have a way to specify a client certificate, and hence a katello user will not be able to provision an ostree based OS under the current setup.
My suggestion would be either
- Provide an http out OR
- Provide a way to turn off repo authorization on a per repo basis.
I feel ability to turn off repo auth is more appropriate and will help us in the long run
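The reproduction in comment #7 can be turned into a quick configuration check. This is an added example, not part of the original thread and not Pulp code: it reads the two files named in the comment and predicts what a client without a certificate will see. The `[main]` section name, the `<Location>` path and the outcome labels are assumptions, and the sample configs are constructed.

```python
import configparser
import re

# Constructed samples, not copied from a real system. The [main] section name
# and the <Location> path are assumptions; only the "enabled" key and the
# SSLVerifyClient directive come from the thread.
SAMPLE_REPO_AUTH = "# constructed sample\n[main]\nenabled: true\n"
SAMPLE_HTTPD = """\
<Location /placeholder>
    # SSLVerifyClient require
    SSLVerifyClient optional_no_ca
</Location>
"""

def repo_auth_enabled(text):
    """Value of the first 'enabled' key in any section, or None if absent."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string("[_top]\n" + text)  # tolerate keys before any section header
    for section in cp.sections():
        if cp.has_option(section, "enabled"):
            return cp.getboolean(section, "enabled")
    return None

def ssl_verify_client(text):
    """Last uncommented SSLVerifyClient value, lowercased (scoping is ignored)."""
    value = None
    for line in text.splitlines():
        m = re.match(r"\s*SSLVerifyClient\s+(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).lower()
    return value

def anonymous_pull_outcome(repo_auth_text, httpd_text):
    """Predict what a client with no certificate sees on an ostree pull."""
    enabled = repo_auth_enabled(repo_auth_text)
    verify = ssl_verify_client(httpd_text)
    if verify == "require":
        return "handshake-rejected"  # Apache refuses clients without a valid cert
    if enabled is False:
        return "ok"                  # thread: pull succeeds once repo auth is off
    if enabled and verify in ("optional", "optional_no_ca"):
        return "403"                 # thread: Forbidden without a client cert
    return "unknown"                 # combination not covered by the thread

if __name__ == "__main__":
    paths = ("/etc/pulp/repo_auth.conf", "/etc/httpd/conf.d/pulp_ostree.conf")
    try:
        texts = [open(p).read() for p in paths]
    except OSError:
        texts = [SAMPLE_REPO_AUTH, SAMPLE_HTTPD]  # fall back to the samples
    print(anonymous_pull_outcome(*texts))
```

An "ok" result also means the published ostree content is readable by any client that can reach the server, which is the trade-off behind the per-repo switch requested above.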
Much thanks to you for your enthusiasm for Satellite 6. We have assessed this solicitation, and we don't anticipate that this should be actualized in the item within a reasonable time-frame. We are along these lines finishing this off as WONTFIX. In the event that you have any worries about this, if it's not too much trouble don't hesitate to contact Rich Jerrido or Bryan Kearney. Much obliged to you.