When using koji image-build, a kickstart template and URLs are provided to the process in order to build qcow2 images.
The generated kickstart file contains "repo" lines. In the case that the URLs have certificates which are self-signed or signed by a non-public CA, there is no way to tell Koji:
I assume that Anaconda has no way to reference a non-public CA's certificate, either.
Metadata Update from @tkopecek: - Custom field Size adjusted to None - Issue tagged with: discussion
FYI it's important to delete non-public CAs from images, or we can face some issues like these:
https://www.infoworld.com/article/3008422/security/what-you-need-to-know-about-dells-root-certificate-security-debacle.html
https://www.computerworld.com/article/3008521/security/a-second-dangerous-dell-root-certificate-discovered.html
Even if we don't include the private key for the CA, it's still important that we don't ship images with non-public CAs.
The OSBS project handles this by deleting the files during the build, https://github.com/containerbuildsystem/atomic-reactor/pull/1597
    if self._builder_ca_bundle:
        lines.append(f'RUN rm -f /tmp/{self._ca_bundle_pem}')
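
A post-build check for the concern raised in the comment above, as an added example that is not part of this thread or of Koji/OSBS code: it scans an unpacked image tree for any file that still carries the build-time CA, matching by certificate fingerprint so a copy merged into a bundle is found as well as the original file. The function names, the demo paths and the placeholder certificate bytes are constructed for illustration.

```python
import base64, hashlib, re, tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 of the DER bytes of every PEM certificate found in pem_text."""
    fps = set()
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()))
        except ValueError:  # marker-like text that is not valid base64
            continue
        fps.add(hashlib.sha256(der).hexdigest())
    return fps

def find_leftover_cas(image_root, build_ca_pem):
    """Relative paths under image_root that still contain a build-time CA."""
    wanted, hits = cert_fingerprints(build_ca_pem), []
    for path in sorted(Path(image_root).rglob("*")):
        # Skip symlinks so a link inside the image cannot point the scan at host files.
        if path.is_symlink() or not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if wanted & cert_fingerprints(text):
            hits.append(path.relative_to(image_root).as_posix())
    return hits

def make_pem(der, width=64):  # constructed bytes, not a real X.509 certificate
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(rows) + "\n-----END CERTIFICATE-----\n"

def demo():  # constructed image tree: anchor file, merged bundle, clean bundle
    ca, public = b"constructed build CA " * 5, b"constructed public CA " * 5
    files = {
        "etc/pki/ca-trust/source/anchors/build-ca.pem": make_pem(ca),
        "etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem": make_pem(public) + make_pem(ca, 76),
        "etc/ssl/public-only.pem": make_pem(public),
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in files.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(text)
        return find_leftover_cas(root, make_pem(ca))
```

Run against the mounted or extracted root of a finished image, a non-empty result means the build CA was not fully removed and the build should fail.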
Metadata Update from @tkopecek: - Issue set to the milestone: 1.26
https://pagure.io/koji/pull-request/2860
Metadata Update from @jcupova: - Issue tagged with: testing-ready
Commit d5d7c1a fixes this issue
Metadata Update from @julian8628: - Issue status updated to: Open (was: Closed)
a small fix: #2945
Metadata Update from @mfilip: - Issue tagged with: testing-done
Commit 53e3b88 fixes this issue
Commit cf2a9cf fixes this issue