authorMartin André <m.andre@redhat.com>2018-09-10 18:49:02 +0200
committerMartin André <m.andre@redhat.com>2018-09-10 19:19:16 +0200
commit27bab79096584b50947f0d81d41ad2e143c1041e (patch)
treed5d4a04a1b8bfe4ac9554e9f954748ece2ab06e1
parenta4187d9d021c3c38c11c709435c0c69fee5e5a43 (diff)
Download binaries more securely
Obtain binaries from an encrypted source when we're unable to check their signatures. This should provide better security than downloading the files over HTTP, but it does not replace signature verification or a file integrity check. Related-Bug: #1791674 Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd
Notes
Notes (review): Code-Review+2: Mark Goddard <mark@stackhpc.com> Code-Review+2: Jeffrey Zhang <zhang.lei.fly@gmail.com> Workflow+1: Jeffrey Zhang <zhang.lei.fly@gmail.com> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Tue, 11 Sep 2018 03:46:21 +0000 Reviewed-on: https://review.openstack.org/601322 Project: openstack/kolla Branch: refs/heads/master
-rw-r--r--docker/base/opendaylight.repo3
-rw-r--r--docker/helm-repository/Dockerfile.j23
-rw-r--r--docker/macros.j23
-rw-r--r--docker/prometheus/prometheus-cadvisor/Dockerfile.j22
-rw-r--r--docker/rabbitmq/Dockerfile.j24
-rwxr-xr-xkolla/common/config.py4
6 files changed, 12 insertions, 7 deletions
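--- a/docker/base/opendaylight.repo
+++ b/docker/base/opendaylight.repo
@@ -1,5 +1,6 @@
 [opendaylight]
 name=CentOS CBS OpenDaylight Release Repository
-baseurl=http://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
+# opendaylight package is not signed, so download from HTTPS source at least
+baseurl=https://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
 enabled=1
 gpgcheck=0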
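Review bot: With `gpgcheck=0` still set on the last line of the hunk, the https baseurl only authenticates the transfer from cbs.centos.org; the package contents are installed unverified exactly as before, so a compromised or misconfigured upstream build is still accepted. The new comment should record that this is a stopgap rather than the end state, e.g. `# TODO: re-enable gpgcheck once the CBS opendaylight packages are signed; HTTPS only protects the transfer`.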
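--- a/docker/helm-repository/Dockerfile.j2
+++ b/docker/helm-repository/Dockerfile.j2
@@ -55,7 +55,8 @@ ENV helm_arch={{ base_arch }}
 {% endif %}
 
 {% block helm_repository_install_kubernetes_helm %}
-RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz http://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
+# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
+RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
  && sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
  && sudo chmod 755 /usr/bin/helm \
  && rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz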
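Review bot: The `-L` on the new curl line follows redirects to any scheme, so a redirect from storage.googleapis.com to an http:// location would silently undo the HTTPS change, and without `-f` the body of a 4xx/5xx response is saved as the archive and handed to tar. Restricting both on the rewritten line keeps the intent of the commit: `RUN curl -fL --proto '=https' --proto-redir '=https' -o /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \`. The TODO comment added here, and the identical one in macros.j2 and kolla/common/config.py, reads as if HTTPS and an integrity check were alternatives, while the commit message says HTTPS does not replace verification; `# TODO(mandre): verify the archive checksum/signature; HTTPS only protects the transfer` states the intent better.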
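--- a/docker/macros.j2
+++ b/docker/macros.j2
@@ -84,7 +84,8 @@ RUN apt-get update \
  && /bin/false
  {% endif %}
 
- RUN curl -o /usr/bin/kubectl http://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
+ # TODO(mandre) check for file integrity instead of downloading from an HTTPS source
+ RUN curl -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
  && chmod 755 /usr/bin/kubectl
 {% endmacro %}
 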
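Review bot: `curl -o /usr/bin/kubectl` on the new line has no `-f`, so an HTTP error response from storage.googleapis.com is written to /usr/bin/kubectl, the following `chmod 755` still succeeds, and the build passes with an error page sitting where the binary should be. Adding `--fail` makes the RUN step abort instead: `RUN curl -f -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \`. The enclosing macro starts before this hunk.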
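--- a/docker/prometheus/prometheus-cadvisor/Dockerfile.j2
+++ b/docker/prometheus/prometheus-cadvisor/Dockerfile.j2
@@ -22,7 +22,7 @@ RUN curl -ssL -o /opt/cadvisor https://github.com/google/cadvisor/releases/downl
  {% set cadvisor_packages = [
  'libjs-bootstrap',
  'libjs-jquery',
- 'http://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
+ 'https://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
  ] %}
 
 {{ macros.install_packages(cadvisor_packages | customizable("packages")) }}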
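Review bot: The .deb on the changed line is still fetched by URL and, assuming install_packages hands it to apt/dpkg as a local file, it is installed without the repository signature check that archive packages get, so the snapshot.debian.org entry remains unverified after the switch to HTTPS. Unlike the helm and kubectl hunks, no TODO is recorded here; a Jinja comment above the list, `{# TODO: pin a checksum for the snapshot.debian.org cadvisor .deb; URL packages are not covered by apt's signature check #}`, would keep the follow-up visible. How install_packages treats URL entries is defined in macros.j2 and is not visible in this hunk.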
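--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -27,7 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
  ] %}
  {% else %}
  {% set rabbitmq_packages = rabbitmq_packages + [
- 'http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
+ 'https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
  ] %}
  {% endif %}
 
@@ -52,7 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 RUN rm -rf /var/lib/rabbitmq/* \
  && ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \
- && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
+ && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
  && /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
  rabbitmq_management \
  rabbitmq_clusterer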
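Review bot: The plugin download on the second hunk's curl line still has no `-f`, so a 4xx/5xx body from www.rabbitmq.com is saved as rabbitmq_clusterer-3.6.x-667f92b0.ez and `rabbitmq-plugins enable --offline` then runs against it; the .deb in the first hunk is likewise installed by URL without a checksum, and, like the cadvisor file, this one gets no TODO marking the switch to HTTPS as provisional. Suggest `&& curl -f -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \` plus a comment above the RUN recording that the plugin and the .deb still need an integrity check.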
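--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@@ -43,7 +43,9 @@ DELOREAN_DEPS = "https://trunk.rdoproject.org/centos7/delorean-deps.repo"
 
 INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos']
 
-TARBALLS_BASE = "http://tarballs.openstack.org"
+# TODO(mandre) check for file integrity instead of downloading from an HTTPS
+# source
+TARBALLS_BASE = "https://tarballs.openstack.org"
 
 _PROFILE_OPTS = [
  cfg.ListOpt('infra',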