grammarly/rocker

Support for --no-tls-verify or --tlsverify false (v1.3.0)

Closed this issue · 1 comments

Tzrlk commented

I've been attempting a rocker build which needs to contact my local docker registry. Unfortunately, the registry uses a self-signed certificate, so when I run my rocker build script, I get the following output:

INFO[0000] FROM [redacted]/[redacted]/alpine
FATA[0000] FROM error: Failed to list tags of image [redacted]/[redacted]/alpine:latest from the remote registry, error: Request to https://[redacted]/v2/[redacted]/alpine/tags/list?page_size=9999&page=1 failed with Get https://[redacted]/v2/[redacted]/alpine/tags/list?page_size=9999&page=1: x509: certificate signed by unknown authority

The build script I'm using is as follows:

#!/bin/bash -e

DOCKER_REGISTRY=${DOCKER_REGISTRY:-[redacted]}
HTTP_PROXY=${HTTP_PROXY:-[redacted]}
GIT_HOST=${GIT_HOST:-[redacted]}
DOCKER_CACHE=${DOCKER_CACHE:-~/.docker}
ROCKER_CACHE=${ROCKER_CACHE:-~/.rocker_cache}
DOCKER_USER=${DOCKER_USER:-[redacted]}
DOCKER_PASS=${1}
WORKDIR=$(pwd)

RUN_OPTS=""
RUN_OPTS="${RUN_OPTS} -it --rm"
RUN_OPTS="${RUN_OPTS} -v /var/run/docker.sock:/var/run/docker.sock"
RUN_OPTS="${RUN_OPTS} -v ${DOCKER_CACHE}:/root/.docker"
RUN_OPTS="${RUN_OPTS} -v ${ROCKER_CACHE}:/root/.rocker_cache"
RUN_OPTS="${RUN_OPTS} -v ${WORKDIR}:/work"
RUN_OPTS="${RUN_OPTS} -e HTTP_PROXY=${HTTP_PROXY}"
RUN_OPTS="${RUN_OPTS} -e HPWD=/work"
RUN_OPTS="${RUN_OPTS} -w /work"

BUILD_OPTS=""
BUILD_OPTS="${BUILD_OPTS} --var DOCKER_REGISTRY=${DOCKER_REGISTRY}"
BUILD_OPTS="${BUILD_OPTS} --var HTTP_PROXY=${HTTP_PROXY}"
BUILD_OPTS="${BUILD_OPTS} --var GIT_HOST=${GIT_HOST}"
BUILD_OPTS="${BUILD_OPTS} --var BUILD_DATE=latest"

if [ ! -z "${DOCKER_PASS}" ]; then
        BUILD_OPTS="${BUILD_OPTS} --auth ${DOCKER_USER}:${DOCKER_PASS}"
fi

docker run ${RUN_OPTS} segfly/rocker:latest build ${BUILD_OPTS}

Granted, it's running in a container, but that's what's throwing the error.
Version output: rocker version 1.3.0 - 30ec46f (master) 2017-01-14_18:37_GMT

I've attempted the following workarounds with no results:

  • Installed the local cert in the container (add to /usr/local/share/ca-certificates/ or /usr/local/share/ca-certificates/extra/, run update-ca-certificates)
  • Passed it to rocker with --tlscacert (completely ignored)
  • Same as above, but also added --tls / --tlsverify (complained it couldn't find the other cert/key files)

I really just want the build to work, so having a switch that lets me ignore validation until I can get a proper cert installed would be great.

Thanks for requesting. Unfortunately, we are discontinuing this project. See the notice here: https://github.com/grammarly/rocker/blob/master/README.md

Closing this issue as we are not able to implement it. Sorry.