authorJean-Philippe Evrard <jean-philippe@evrard.me>2019-02-19 19:30:16 +0100
committerJean-Philippe Evrard <jean-philippe@evrard.me>2019-03-06 11:23:55 +0100
commitcc50c3048b6e72c516caf6e73b03c782faa489ff (patch)
treec213153b56edea9609f1e04701607e75ac12b2a7
parent64de1b386999a2c13e9040bcc6ff69724427af1d (diff)
Support self-signed certificates docker registry
If you want to run a docker registry for development purposes with self-signed certificates, and use this registry to push your requirements wheel, the loci build process would fail at fetching the wheels. This brings support for self-signed certificates registries by: - Allowing to skip protocol_detection: If protocol_detection happens on a https registry, urllib2 would not throw an HTTPError or URLError, and protocol returned by default would be HTTP, which would then cause issues by not using SSL to fetch data. There is no point to "detect" things if we provide an argument to the users. - If the protocol is correctly given as HTTPs, no certificate is passed into the urllib ssl contexts by default, which would only work with globally valid certificates. This patch also adds an option to bypass the verification of certificates when the user provides `REGISTRY_SSL_NOVERIFY`. Change-Id: Ib00bbc9cc63d70a88dbf8b23a518553d6134d332
Notes
Notes (review): Code-Review+1: Joshua Hesketh <josh@nitrotech.org> Code-Review+1: Jiri Suchomel <jiri.suchomel@suse.com> Code-Review+2: Chris Hoge <chris@openstack.org> Workflow+1: Chris Hoge <chris@openstack.org> Verified+2: Zuul Submitted-by: Zuul Submitted-at: Fri, 08 Mar 2019 15:52:32 +0000 Reviewed-on: https://review.openstack.org/637963 Project: openstack/loci Branch: refs/heads/master
-rw-r--r--Dockerfile2
-rw-r--r--README.md6
-rwxr-xr-xscripts/fetch_wheels.py29
3 files changed, 32 insertions, 5 deletions
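--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,8 @@ ARG PLUGIN=no
 ARG PYTHON3=no
 ARG EXTRA_BINDEP=""
 ARG EXTRA_PYDEP=""
+ARG REGISTRY_PROTOCOL="detect"
+ARG REGISTRY_INSECURE="False"
 
 ARG UID=42424
 ARG GID=42424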
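Review bot: The switch added here is `REGISTRY_INSECURE`, while the commit message describes it as `REGISTRY_SSL_NOVERIFY`; only the former is read by scripts/fetch_wheels.py in this commit, so the description is worth aligning with the code. Because this ARG weakens transport security for the wheel download, a comment above it would help whoever edits the build later, e.g. `# REGISTRY_INSECURE=True disables TLS certificate verification for wheel fetches; development registries only`.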
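--- a/README.md
+++ b/README.md
@@ -100,6 +100,12 @@ For more advanced building you can use docker build arguments to define:
  be considered next to the default bindep.txt.
  * `EXTRA_PYDEP` Specify a pydep-* file to add in the container. It would
  be considered next to the default pydep.txt.
+ * `REGISTRY_PROTOCOL` Set this to `https` if you are running your own
+ registry on https, `http` if you are running on http, or leave it as
+ `detect` if you want to re-use existing protocol detection.
+ * `REGISTRY_INSECURE` Set this to `True` if your image registry is
+ running on HTTPS with self-signed certificates to ignore SSL verification.
+ (defaults to False)
 
 This makes it really easy to integrate LOCI images into your development or
 CI/CD workflow, for example, if you wanted to build an image from [this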
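--- a/scripts/fetch_wheels.py
+++ b/scripts/fetch_wheels.py
@@ -3,6 +3,8 @@
 import json
 import os
 import re
+import ssl
+from distutils.util import strtobool
 
 try:
  import urllib2
@@ -24,7 +26,10 @@ def get_token(protocol, registry, repo):
  print(url)
  try:
  r = urllib2.Request(url=url)
- resp = urllib2.urlopen(r)
+ if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+ resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+ else:
+ resp = urllib2.urlopen(r)
  resp_text = resp.read().decode('utf-8').strip()
  return json.loads(resp_text)['token']
  except urllib2.HTTPError as err:
@@ -37,7 +42,10 @@ def get_sha(repo, tag, registry, protocol, token):
  r = urllib2.Request(url=url)
  if token:
  r.add_header('Authorization', 'Bearer {}'.format(token))
- resp = urllib2.urlopen(r)
+ if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+ resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+ else:
+ resp = urllib2.urlopen(r)
  resp_text = resp.read().decode('utf-8').strip()
  return json.loads(resp_text)['fsLayers'][0]['blobSum']
 
@@ -49,7 +57,10 @@ def get_blob(repo, tag, protocol, registry=DOCKER_REGISTRY, token=None):
  r = urllib2.Request(url=url)
  if token:
  r.add_header('Authorization', 'Bearer {}'.format(token))
- resp = urllib2.urlopen(r)
+ if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+ resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+ else:
+ resp = urllib2.urlopen(r)
  return resp.read()
 
 def protocol_detection(registry, protocol='http'):
@@ -73,7 +84,10 @@ def protocol_detection(registry, protocol='http'):
 
 def get_wheels(url):
  r = urllib2.Request(url=url)
- resp = urllib2.urlopen(r)
+ if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
+ resp = urllib2.urlopen(r, context=ssl._create_unverified_context())
+ else:
+ resp = urllib2.urlopen(r)
  return resp.read()
 
 def parse_image(full_image):
@@ -106,7 +120,12 @@ def main():
  data = get_wheels(wheels)
  else:
  registry, image, tag = parse_image(wheels)
- protocol = protocol_detection(registry)
+ if os.environ.get('REGISTRY_PROTOCOL') in ['http','https']:
+ protocol = os.environ.get('REGISTRY_PROTOCOL')
+ elif os.environ.get('REGISTRY_PROTOCOL') == 'detect':
+ protocol = protocol_detection(registry)
+ else:
+ raise ValueError("Unknown protocol given in argument")
  kwargs = dict()
  if registry:
  kwargs.update({'registry': registry})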
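Review bot: `ssl._create_unverified_context()` is a private helper that switches off both certificate and hostname checks, and the same four-line `REGISTRY_INSECURE` branch is now repeated in get_token, get_sha, get_blob and get_wheels. These connections carry the bearer token and return the wheel data that the build presumably installs, so with verification off neither the token's confidentiality nor the integrity of the downloaded content is protected in transit. A self-signed registry can stay verified by trusting its certificate, e.g. `ssl.create_default_context(cafile=...)`, with the insecure switch kept as an explicit, logged fallback in one helper as sketched below. Separately, in main() `os.environ.get('REGISTRY_PROTOCOL')` has no default, so running the script without the variable now raises ValueError; `os.environ.get('REGISTRY_PROTOCOL', 'detect')` would keep the previous behaviour. All of these function bodies start or end outside their hunks.

```python
def open_url(request):
    # One place decides the TLS policy for every registry request.
    if strtobool(os.environ.get('REGISTRY_INSECURE', "False")):
        print('WARNING: REGISTRY_INSECURE is set, TLS certificate verification is disabled')
        context = ssl.create_default_context()
        # check_hostname has to be cleared before verify_mode can be CERT_NONE.
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        return urllib2.urlopen(request, context=context)
    return urllib2.urlopen(request)

# … unchanged: get_token, get_sha, get_blob, get_wheels, except that each urlopen branch becomes …
    resp = open_url(r)
```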