Docker Build using CA Trust Bundle from Host


Problem description


Given a simple Dockerfile that installs something from the net, I'm trying to work out an elegant way to allow the build process to trust HTTPS endpoints when the build is both behind a corporate proxy and when it is not. Ideally without making changes to the Dockerfile.

Dockerfile:

FROM alpine

RUN apk update -v; apk add -v curl

Error:

$ docker build .
Sending build context to Docker daemon  83.97kB
Step 1/2 : FROM alpine
 ---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
 ---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
  curl (no such package):
    required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1

The issue here is that my developer machine is on the corporate network behind a traffic-intercepting proxy that man-in-the-middles the connection, meaning that from apk's point of view inside the Docker build, it is seeing a cert which has been signed by our proxy that it doesn't trust.

Trust from the host machine is not an issue - when I wget the file requested in the build it works:

$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59--  https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’

When I run it on the build server it passes fine because there is no forward proxy.

Is there a way to pass in the Ubuntu trust bundle which has the proxy CAs (e.g. /etc/ssl/certs/ca-certificates) to the build process without modifying the Dockerfile?

Thanks!

Solution

My solution: create a "repositories" file. Its contents are:

http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community

In the Dockerfile, before "RUN apk update", add the following:

COPY repositories /etc/apk/repositories

Thanks.
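An added example, not code from the question or the answer above. Pointing the repositories at plain http, as the answer does, removes TLS from the fetch entirely: apk still verifies the signatures on APKINDEX and on each package against the keys in /etc/apk/keys, so the downgrade does not by itself let a tampered package through, but every fetch now travels in the clear and the proxy problem is sidestepped rather than solved. The alternative below keeps HTTPS and hands the host's CA bundle to apk through a BuildKit secret mount, so the proxy CA is trusted only while that RUN executes and never lands in an image layer (a COPY of the bundle would persist in the image and at runtime). It does cost the one-line Dockerfile change the asker wanted to avoid. Assumptions of mine, not from the page: Docker with BuildKit (18.09 or later), the Ubuntu bundle at /etc/ssl/certs/ca-certificates.crt, and Alpine's apk reading the OpenSSL default bundle at the same path inside the image. The sample bundle the script writes is constructed placeholder PEM, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the original Q&A.
# Pass the host CA bundle to `apk` inside a BuildKit build as a secret mount:
# the proxy CA is trusted only while that RUN executes and is never written
# to an image layer (a COPY of the bundle would persist in the image).
# Assumptions: Docker with BuildKit (18.09+); Alpine's apk reads the OpenSSL
# default bundle at /etc/ssl/certs/ca-certificates.crt inside the image.
set -eu

# Count PEM certificates in a bundle. Fails when the file is unreadable or
# holds no certificate, which catches a mistyped bundle path early instead
# of surfacing later as a confusing "certificate verify failed" in the build.
pem_cert_count() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    n=$(grep -c '^-----BEGIN CERTIFICATE-----' "$bundle" || true)
    [ "$n" -gt 0 ] || { echo "no certificates in $bundle" >&2; return 1; }
    echo "$n"
}

# Write a Dockerfile whose apk step can see a host bundle when one is
# supplied. required=false (also the default) means the mount is skipped
# when no --secret is passed, so the same file builds unchanged on a build
# server behind no proxy, where the stock Alpine bundle stays in place.
write_dockerfile() {
    dir="$1"
    cat > "$dir/Dockerfile" <<'EOF'
# syntax=docker/dockerfile:1
FROM alpine
RUN --mount=type=secret,id=cabundle,target=/etc/ssl/certs/ca-certificates.crt,required=false \
    apk update -v && apk add -v curl
EOF
}

# Build with the host bundle exposed only to the RUN above. The secret is
# read from the host at build time and does not enter the build context.
build_with_host_ca() {
    dir="$1"
    bundle="${2:-/etc/ssl/certs/ca-certificates.crt}"
    pem_cert_count "$bundle" >/dev/null
    DOCKER_BUILDKIT=1 docker build --secret "id=cabundle,src=$bundle" "$dir"
}

# Constructed stand-in for a host bundle: two PEM blocks whose bodies are
# placeholder base64 text, not real certificates, so the file-handling
# functions above can be exercised offline.
make_sample_bundle() {
    out="$1"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXItcHVibGljLWNh' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXItcHJveHktY2E=' '-----END CERTIFICATE-----' \
        > "$out"
}

# Usage on a developer machine behind the proxy:
#   write_dockerfile . && build_with_host_ca . /etc/ssl/certs/ca-certificates.crt
# On the build server, a plain `docker build .` with BuildKit enabled is enough.
```

The important property is that the secret mount leaves no trace in the image: `docker history` and a `cat /etc/ssl/certs/ca-certificates.crt` in the finished container show the stock Alpine bundle, not the corporate one, which is what you want for an artifact that will also run outside the corporate network.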
