Download binaries more securely

Obtain binaries from encrypted source when we're unable to check for
their signatures. This should provide better security than downloading
the files over HTTP but does not replace signature verification or file
integrity check.

Related-Bug: #1791674
Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd
This commit is contained in:
Martin André 2018-09-10 18:49:02 +02:00
parent a4187d9d02
commit 27bab79096
6 changed files with 12 additions and 7 deletions

View File

@ -1,5 +1,6 @@
[opendaylight]
name=CentOS CBS OpenDaylight Release Repository
baseurl=http://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
# opendaylight package is not signed, so download from HTTPS source at least
baseurl=https://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
enabled=1
gpgcheck=0

View File

@ -55,7 +55,8 @@ ENV helm_arch={{ base_arch }}
{% endif %}
{% block helm_repository_install_kubernetes_helm %}
RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz http://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
&& sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
&& sudo chmod 755 /usr/bin/helm \
&& rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz

View File

@ -84,7 +84,8 @@ RUN apt-get update \
&& /bin/false
{% endif %}
RUN curl -o /usr/bin/kubectl http://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
RUN curl -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
&& chmod 755 /usr/bin/kubectl
{% endmacro %}

View File

@ -22,7 +22,7 @@ RUN curl -ssL -o /opt/cadvisor https://github.com/google/cadvisor/releases/downl
{% set cadvisor_packages = [
'libjs-bootstrap',
'libjs-jquery',
'http://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
'https://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
] %}
{{ macros.install_packages(cadvisor_packages | customizable("packages")) }}

View File

@ -27,7 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
] %}
{% else %}
{% set rabbitmq_packages = rabbitmq_packages + [
'http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
'https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
] %}
{% endif %}
@ -52,7 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
RUN rm -rf /var/lib/rabbitmq/* \
&& ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \
&& curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
&& curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
&& /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
rabbitmq_management \
rabbitmq_clusterer

View File

@ -43,7 +43,9 @@ DELOREAN_DEPS = "https://trunk.rdoproject.org/centos7/delorean-deps.repo"
INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos']
TARBALLS_BASE = "http://tarballs.openstack.org"
# TODO(mandre) check for file integrity instead of downloading from an HTTPS
# source
TARBALLS_BASE = "https://tarballs.openstack.org"
_PROFILE_OPTS = [
cfg.ListOpt('infra',