
Building Custom Image with Secureboot Microsoft (from talos v1.8.x) behind Internet Proxy #9911

Open
flpajany opened this issue Dec 10, 2024 · 2 comments

Comments

@flpajany

Bug Report

Description

I am building a custom image of talos behind an internet proxy to include private CA certificates in the talos image.

I managed to do it with version 1.6.8 (by changing the Dockerfile) and version 1.7.7 by using a make variable.

I tried to do it with version 1.8.3 and I am stuck with a bug in buildkit (moby): even if proxy parameters are set (https_proxy, http_proxy, no_proxy, etc.), buildkit does not take them into account for the ADD command in the Dockerfile.

There is an issue already logged there but it is not taken into account for now:
moby/buildkit#5329

So I found an ugly hack by not using the ADD command but a curl command:

diff --git a/Dockerfile b/Dockerfile
index 56d90ab2b..35c6aae15 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -337,9 +337,10 @@ FROM scratch AS ipxe-generate
 COPY --from=pkg-ipxe-amd64 /usr/libexec/snp.efi /amd64/snp.efi
 COPY --from=pkg-ipxe-arm64 /usr/libexec/snp.efi /arm64/snp.efi

-FROM scratch AS microsoft-secureboot-database
+FROM alpine/curl AS microsoft-secureboot-database
 ARG MICROSOFT_SECUREBOOT_RELEASE
-ADD https://github.com/microsoft/secureboot_objects.git#${MICROSOFT_SECUREBOOT_RELEASE}:PreSignedObjects /
+#ADD https://github.com/microsoft/secureboot_objects.git#${MICROSOFT_SECUREBOOT_RELEASE}:PreSignedObjects /
+RUN curl -L https://github.com/microsoft/secureboot_objects/archive/refs/tags/v1.1.3.tar.gz | tar -xz secureboot_objects-1.1.3/PreSignedObjects ; mv secureboot_objects-1.1.3/PreSignedObjects/* / ; rm -rf  secureboot_objects-1.1.3

 FROM scratch AS microsoft-key-keys
 COPY --from=microsoft-secureboot-database /KEK/Certificates/*.der /kek/
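Review bot: the new RUN line chains its three commands with `;`, so a failed `curl` or `tar` does not fail the build step, and `curl -L` without `-f` turns an HTTP error page into input for `tar`; chain with `&&` and use `curl -fsSL` instead. The tag is also hardcoded as `v1.1.3` / `secureboot_objects-1.1.3` while `ARG MICROSOFT_SECUREBOOT_RELEASE` declared on the line above is now unused, so the build no longer follows the project's pinned release. Finally, the replaced `ADD ...git#${MICROSOFT_SECUREBOOT_RELEASE}:PreSignedObjects` form let buildkit pin and verify the exact git ref it fetched; the tarball download has no equivalent check, so at minimum compare the downloaded archive against a pinned sha256 before extracting it.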
diff --git a/Makefile b/Makefile

Is it possible to include something similar (with a parameter instead of a hardcoded version, sorry) to work around this bug and let me compile talos behind a proxy?

Logs

moby/buildkit#5329 (comment)

Environment

  • Talos version: 1.8.x and up
  • Kubernetes version: Irrelevant
  • Platform: amd64 (but should be the same for arm64 and others)
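The maintainer's objection below is that swapping the git-ref `ADD` for a plain `curl | tar` pipeline loses the verification buildkit performed on the fetched source. The following added example (not part of the issue or of the Talos build) shows the minimum a local workaround should keep: the release is taken from a parameter rather than hardcoded, commands are chained with `&&` so any failure stops the step, and the archive's sha256 is compared with a value the caller pins before anything is extracted. The tarball layout (`secureboot_objects-<version>/PreSignedObjects`) is taken from the diff above; the expected checksum is an input the caller must supply from a trusted source, and `curl` reads `https_proxy`/`no_proxy` from the environment on its own.

```shell
#!/bin/sh
# Added example, not Talos project code. Verifies a secureboot_objects
# release tarball against a caller-supplied sha256, then extracts only the
# PreSignedObjects tree, mirroring what the Dockerfile's ADD line fetched.

# extract_presigned TARBALL EXPECTED_SHA256 VERSION DEST
# Returns non-zero and extracts nothing if the checksum does not match.
extract_presigned() {
    tarball="$1"; expected="$2"; version="$3"; dest="$4"
    actual=$(sha256sum "$tarball" | cut -d' ' -f1) || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $tarball: got $actual, want $expected" >&2
        return 1
    fi
    # --strip-components=2 drops "secureboot_objects-<version>/PreSignedObjects/"
    # so KEK/, DB/, etc. land directly under DEST, as with the original ADD ... /
    mkdir -p "$dest" &&
    tar -xzf "$tarball" -C "$dest" --strip-components=2 \
        "secureboot_objects-${version}/PreSignedObjects"
}

# download_presigned VERSION EXPECTED_SHA256 DEST
# -f makes curl fail on HTTP errors instead of handing an error page to tar;
# the proxy is taken from the https_proxy / no_proxy environment by curl itself.
download_presigned() {
    version="$1"; expected="$2"; dest="$3"
    tmp=$(mktemp) || return 1
    curl -fsSL -o "$tmp" \
        "https://github.com/microsoft/secureboot_objects/archive/refs/tags/v${version}.tar.gz" &&
    extract_presigned "$tmp" "$expected" "$version" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

In a Dockerfile this would be a single `RUN download_presigned "${MICROSOFT_SECUREBOOT_RELEASE#v}" "${SECUREBOOT_OBJECTS_SHA256}" /objects` with both values passed as build arguments; the checksum argument is the piece that stands in for the verification buildkit did on the git ref, and it has to be updated deliberately whenever the release is bumped.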
@smira (Member)

smira commented Dec 10, 2024

This change would break proper caching and verification on buildkit level, so you can make this as a local change, but we don't want this to be upstreamed.

Proper path is to fix the buildkit itself.

@flpajany (Author)

This change would break proper caching and verification on buildkit level, so you can make this as a local change, but we don't want this to be upstreamed.

Proper path is to fix the buildkit itself.

Alright. Hoping this will be fixed soon (even if it has not been taken into account for 3 months now)...
