Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tls verification for buildah command #2251

Closed
aadeshpa opened this issue Mar 26, 2020 · 2 comments
Closed

Tls verification for buildah command #2251

aadeshpa opened this issue Mar 26, 2020 · 2 comments
Labels
locked - please file new issue/PR

Comments

@aadeshpa
Copy link

Description
How does buildah commands verify the certificates of the docker registry during pull and push.

We tried running buildah pull command buildah pull --debug docker.io/alpine , and there was no certificates in the location /etc/docker/certs.d, still it allowed the pull of the image. We are running this on a container built on top of the image quay.io/buildah/stable:v1.9.0.

Can you explain how tls verify happened in this case ?

Is there an alternated trust store where buildah looks for the certificates ?

DEBU[0000] Trying to pull "docker.io/library/alpine:latest" 
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration 
DEBU[0000]  Using "default-docker" configuration        
DEBU[0000]  No signature storage configuration found for docker.io/library/alpine:latest 
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/docker.io 
DEBU[0000] GET https://registry-1.docker.io/v2/         
DEBU[0000] Ping https://registry-1.docker.io/v2/ status 401 

.
.
.

Writing manifest to image destination
Storing signatures
DEBU[0002] Applying tar in /var/lib/containers/storage/overlay/beee9f30bc1f711043e78d4a2be0668955d4b761d587d6f60c2c8dc081efb203/diff 
DEBU[0002] setting image creation date to 2020-03-23 21:19:34.196162891 +0000 UTC 
DEBU[0002] created new image ID "a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72" 
DEBU[0002] set names of image "a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72" to [docker.io/library/alpine:latest] 
DEBU[0002] saved image metadata "{}"                    
a187dde48cd289ac374ad8539930628314bc581a481cdb41409c9289419ddb72

Steps to reproduce the issue:
1.
2.
3.

Describe the results you received:

Describe the results you expected:

Output of rpm -q buildah or apt list buildah:

[root@dbeb751c1c59 certs]# rpm -q buildah
buildah-1.9.0-1.git00eb895.fc30.x86_64

(paste your output here)

Output of buildah version:

[root@dbeb751c1c59 certs]# buildah version
Version: 1.9.0
Go Version: go1.12.5
Image Spec: 1.0.0
Runtime Spec: 1.0.0
CNI Spec: 0.4.0
libcni Version:
Git Commit:
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/amd64

(paste your output here)

Output of podman version if reporting a podman build issue:

(paste your output here)

Output of cat /etc/*release:

[root@dbeb751c1c59 certs]# cat /etc/*release
Fedora release 30 (Thirty)
NAME=Fedora
VERSION="30 (Container Image)"
ID=fedora
VERSION_ID=30
VERSION_CODENAME=""
PLATFORM_ID="platform:f30"
PRETTY_NAME="Fedora 30 (Container Image)"
ANSI_COLOR="0;34"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:30"
HOME_URL="https://fedoraproject.org/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f30/system-administrators-guide/"
SUPPORT_URL="https://fedoraproject.org/wiki/Communicating_and_getting_help"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=30
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=30
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="Container Image"
VARIANT_ID=container
Fedora release 30 (Thirty)
Fedora release 30 (Thirty)

(paste your output here)

Output of uname -a:

[root@dbeb751c1c59 certs]# uname -a
Linux dbeb751c1c59 4.9.184-linuxkit #1 SMP Tue Jul 2 22:58:16 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

(paste your output here)

Output of cat /etc/containers/storage.conf:

(paste your output here)
@vrothberg
Copy link
Member

How does buildah commands verify the certificates of the docker registry during pull and push.

We tried running buildah pull command buildah pull --debug docker.io/alpine , and there was no certificates in the location /etc/docker/certs.d, still it allowed the pull of the image. We are running this on a container built on top of the image quay.io/buildah/stable:v1.9.0.

Can you explain how tls verify happened in this case ?

It uses the host's CA bundle. The path varies across Linux distributions. On Fedora it's /etc/pki/tls/certs/ca-bundle.crt.

Is there an alternated trust store where buildah looks for the certificates ?

Buidah will look at /etc/containers/certs.d and /etc/docker/certs.d.

@rhatdan
Copy link
Member

rhatdan commented Aug 5, 2020

Seems like this is answered, Reopen if more information is necessary or not documented properly.

@rhatdan rhatdan closed this as completed Aug 5, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 11, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
locked - please file new issue/PR
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@rhatdan @vrothberg @aadeshpa