fix: disable SSL cert verification for Pulp self-signed certificate#4837
Closed
j0hnL wants to merge 1 commit into
Closed
fix: disable SSL cert verification for Pulp self-signed certificate#4837j0hnL wants to merge 1 commit into
j0hnL wants to merge 1 commit into
Conversation
Pulp generates a self-signed SSL certificate for its HTTPS content server. Multiple download mechanisms fail because they verify the certificate against the system CA store. Changes: - download_common.py: use verify=False instead of verify=PULP_SSL_CA_CERT for Python requests downloads from Pulp - process_rpm_config.py: add sslverify=0 to generated pulp.repo entries so dnf makecache succeeds on the OIM host - software_utils.py: add 'rancher' to URL reachability skip list (rpm.rancher.io returns 403 to Python urllib User-Agent) - base_image_template.j2, compute_images_templates.j2: add sslverify: false to repo entries used by image-build container All affected downloads target the local Pulp mirror only. Fixes: dell#4836 Signed-off-by: John Lockman <jlockman3@gmail.com>
Collaborator
|
@j0hnL is this issus specific to 2.1, if yes, we can merge to main. For 2.2, we need to merge changes to staging branch |
Collaborator
Author
|
which branch should i use? |
Collaborator
|
For omnia 2.2 changes, please use |
Collaborator
Author
|
Closing in favor of PR #4566 which includes these same SSL fixes and targets staging. When staging merges to main, all fixes will be included. The 5 changes in this PR are covered by PR #4566:
Issue #4836 remains open for tracking. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Disable SSL certificate verification for downloads from the local Pulp mirror, which uses a self-signed certificate.
Fixes #4836
Problem
Pulp generates a self-signed SSL certificate for its HTTPS content server (port 2225). Three download mechanisms fail during the Omnia pipeline because they attempt to verify this certificate against the system CA store:
requestslibrary indownload_common.py— usesverify=PULP_SSL_CA_CERTwhich fails because the self-signed cert isn't a proper CA certpulp.repofile lackssslverify=0, causingdnf makecacheto fail after repo syncimage-buildcontainer — build image config templates generate repo entries withoutsslverify: falserpm.rancher.ioreturns HTTP 403 to Python's default User-Agent, blocking the pre-sync validationChanges
common/library/module_utils/local_repo/download_common.pyverify=PULP_SSL_CA_CERT→verify=Falsecommon/library/modules/process_rpm_config.pysslverify=0to generatedpulp.repotemplatecommon/library/module_utils/local_repo/software_utils.py"rancher"to URL reachability skip listbuild_image_x86_64/.../base_image_template.j2sslverify: falseto repo entriesbuild_image_x86_64/.../compute_images_templates.j2sslverify: falseto repo entries5 files changed, 5 insertions, 4 deletions
Safety
All affected downloads target the local Pulp mirror (
192.168.x.x:2225) only. No external URL verification is changed. The existingPULP_SSL_CA_CERTapproach doesn't work with self-signed certificates because Python'srequestslibrary expects the CA cert to be a proper root CA, not a self-signed server cert.Testing
Tested on RHEL 10.0 OIM with Pulp 3.80 (HTTPS, self-signed cert):
local_repo.yml— all packages sync successfullybuild_image_x86_64.yml— 11 images built successfullyprovision.yml— manifest/tarball downloads complete