From ab1c6d001218576d8dbdabd91638fb8524f6e8ad Mon Sep 17 00:00:00 2001 From: Davlet Panech Date: Mon, 24 Jun 2024 12:08:26 -0400 Subject: [PATCH] stx-debian: install SSL certs early The base image needs apt install packages from HTTPS repos, including the ca-certificates package & its dependencies (openssl etc). This creates a chicken and egg problem: we need to install ca-certificates over HTTPS (from https://mirror.starlingx.windriver.com/mirror/), yet we can't access it because there are no SSL certs installed yet. Workaround: use a multi-stage build, 1st stage installs latest ca-certs from upstream debian, then copies the cert bundle into the main stage. The main stage then installs ca-certs & its dependencies from the managed repos. TESTS ============================== * Set mirror URLs to mirror.starlingx.windriver.com and build the base image * Build 2 other images that inherit from stx-base: stx-aodh and stx-nova-api-proxy Story: 2011159 Task: 50404 Signed-off-by: Davlet Panech Change-Id: Id5540673c52e34fe8c59d1e05fdd988ee27c17d8 --- .../build-docker-images/build-stx-base.sh | 2 + .../stx-debian/Dockerfile.stable | 38 ++++++++++++++++++- 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/build-tools/build-docker-images/build-stx-base.sh b/build-tools/build-docker-images/build-stx-base.sh index 8d447484..acb60a00 100755 --- a/build-tools/build-docker-images/build-stx-base.sh +++ b/build-tools/build-docker-images/build-stx-base.sh @@ -415,6 +415,8 @@ declare -a BUILD_ARGS BUILD_ARGS+=(--build-arg RELEASE=${OS_VERSION}) if [[ "$OS" == "centos" ]] ; then BUILD_ARGS+=(--build-arg "REPO_OPTS=${REPO_OPTS}") +else + BUILD_ARGS+=(--build-arg "DIST=${DEBIAN_DISTRIBUTION}") fi # Add proxy to docker build diff --git a/build-tools/build-docker-images/stx-debian/Dockerfile.stable b/build-tools/build-docker-images/stx-debian/Dockerfile.stable index d4395637..90549049 100644 --- a/build-tools/build-docker-images/stx-debian/Dockerfile.stable 
+++ b/build-tools/build-docker-images/stx-debian/Dockerfile.stable @@ -1,7 +1,31 @@ +# These are overridden by build-stx-debian.sh +ARG DIST=bullseye +ARG RELEASE=11.2 + +################################################ +# ca_certs build stage +################################################ + +# We need up-to-date SSL certs, otherwise we won't be able to access +# mirror.starlingx.windriver.com; yet the ca-certificates package is +# behind that URL. As a workaround: install ca-certificates from +# upstream debian, then copy the (generated) CA bundle into the. +# main build stage. + +FROM debian:${DIST} as ca_certs + +ENV DEBIAN_FRONTEND=noninteractive + +RUN apt-get update -y && \ + apt-get -y install --no-install-recommends ca-certificates + +################################################ +# main build stage +################################################ + # Start with an the old-ish bullseye release (11.2), then upgrade -- # to make sure packages that come pre-installed in the debian:XXX image # are older than anything in StarlingX. -ARG RELEASE=11.2 FROM debian:${RELEASE} ENV DEBIAN_FRONTEND=noninteractive @@ -52,6 +76,18 @@ RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \ # loci/docker/stx-scripts/ # +# +# Copy CA certs from the "ca_certs" build stage. The bundle file was generated +# by ca-certificates in that stage, and will be re-generated when we install +# that package again in the main stage below. That version may be *older* than +# the certs that we are copying here. We assume ca-certificates is regularly +# updated in stx-tools' package download lists, or it is built by us, and contains +# all the certs we might need during docker images build, such as the intermidate +# cert used by mirror.starlingx.windriver.com . +# +RUN mkdir -p /etc/ssl/certs +COPY --from=ca_certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt + # # Upgrade base packages to versions in managed repos #
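Review bot: In the build-stx-base.sh hunk, the new `else` branch passes `DIST=${DEBIAN_DISTRIBUTION}` without checking that `DEBIAN_DISTRIBUTION` is set; if it is empty, the build arg overrides the Dockerfile's `ARG DIST=bullseye` default with an empty string and the `FROM debian:${DIST}` line in the ca_certs stage fails with an unhelpful image-reference error. Consider guarding it, e.g. `[[ -n "${DEBIAN_DISTRIBUTION}" ]] || { echo "DEBIAN_DISTRIBUTION is not set" >&2; exit 1; }` before the `BUILD_ARGS+=` line, or only appending the argument when the variable is non-empty.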
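Review bot: The ca_certs stage in the first Dockerfile.stable hunk pulls `debian:${DIST}` and its ca-certificates package from upstream rather than from the managed mirrors, so the trust bundle that later authenticates mirror.starlingx.windriver.com comes from whatever the upstream `bullseye` tag resolves to on the day of the build; the stage comment should say so explicitly, and pinning the stage image by digest (or documenting why a floating tag is acceptable here) would make the base image build reproducible and the provenance of those trust anchors auditable. Also fix the stray period in the comment: "copy the (generated) CA bundle into the. main build stage" should read "into the main build stage".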
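Review bot: In the COPY hunk, the comment notes that the bundle copied from the ca_certs stage is later overwritten when ca-certificates is reinstalled from the managed repos and that the managed version may be older; since the only check that the managed package still carries the certificate chain for mirror.starlingx.windriver.com is the test described in the commit message, consider adding an explicit check after the managed install (for example a `RUN` that fetches a small file from the mirror over HTTPS, failing the build if verification fails) so a stale managed bundle is caught at build time rather than in a dependent image. Two spelling fixes in the same comment: "intermidate" should be "intermediate", and "mirror.starlingx.windriver.com ." has a stray space before the period.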