opencomputeproject / onie

Open Network Install Environment
https://opencomputeproject.github.io/onie
Other

Image discovery process does not support https:// URLs #68

Open cbrune opened 9 years ago

cbrune commented 9 years ago

It would be nice if ONIE supported https:// , but it does not.

The wget provided by busybox does not support https and it probably never will.

It gets a little complicated about what to do with certificates.

In a data center environment most certs would likely be self signed anyway and would need to use the "no-check-certificate" option.

This could be addressed by adding the real wget and removing the busybox version. Or using curl.

nshopik commented 9 years ago

I'd go with curl and leaving wget in busybox. Standalone wget seems much bigger than curl.

dorkmatt commented 9 years ago

+1 for curl, I do wonder about the trusted cert issue. What's the point of doing HTTPS if we just blindly accept any cert?

nshopik commented 9 years ago

@dorkmatt There is only one scenario I can think of. Images served by clueless guys at another department and they only run https, because whatever reasons. And you just want to get the job done w/o the hassle of deploying your own http/tftp server.

So https here is not for security but more like another type of transport, since the discovery process isn't truly fully secure.

Once we can get DNSSEC support in busybox, we could call it fully secure, as there is a DANE patch for curl. No ca-certificate management hell.

david56 commented 9 years ago

Are these tools able to support fetching the ONIE image via FTP over IPv6? This feature is mentioned in ONIE's documentation.

dorkmatt commented 9 years ago

That's supported, in theory - I don't know how much testing FTP over IPv6 has been given - most users seem interested in HTTP over v4 or v6. If it's broken, please report it to us! Thanks.

--Matt


lakesh-sharma commented 8 years ago

Would ONIE require a static version of curl? Let me know if anyone knows the procedure to build a static binary of curl or wget.

ArKam commented 7 years ago

Any news regarding this issue?

What does it take to use cURL on ONIE instead of wget?

cbrune commented 7 years ago

The first step would be to incorporate curl (and any requisite libraries) into the build system. For example, see how gptfdisk is handled. This gets the curl binary and associated libraries installed in the image.

The next step is to change the call to wget into the corresponding curl call in the rootconf/default/bin/exec_installer script. The various wget options need to be mapped to the corresponding curl options.
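The option mapping described above, as an added example that is not code from the ONIE repository: a helper that turns a wget-style fetch (quiet, timeout, tries, output file, optional certificate skip) into a curl command line, and that refuses to skip certificate verification on https:// URLs unless the operator opts in. The function name, argument layout, and the `ONIE`-flavoured paths in the comments are assumptions for this illustration.

```shell
#!/bin/sh
# Added example, not code from the ONIE repository. Sketch of how the wget
# call in exec_installer could be mapped onto curl: build the curl argument
# list for a URL, verify the server certificate against an explicit CA
# bundle, and only fall back to --insecure when the operator asks for it.
# Function and variable names are assumptions for this illustration.

# Usage: curl_args_for URL DEST [CA_BUNDLE] [ALLOW_INSECURE]
# Maps  wget -q -T 30 -t 3 -O DEST [--no-check-certificate] URL
# onto  curl -fsSL --max-time 30 --retry 2 -o DEST [--cacert|--insecure] URL
# (wget -t 3 means three attempts; curl --retry 2 means two retries after
# the first attempt, so the totals match). Prints the command line.
# Returns 1 for an unsupported scheme or when https would be unverified.
curl_args_for() {
    url="$1"; dest="$2"; cabundle="$3"; allow_insecure="${4:-0}"
    case "$url" in
        http://*|ftp://*) tls=0 ;;          # plain transports, no TLS policy
        https://*)        tls=1 ;;
        *) echo "unsupported URL scheme: $url" >&2; return 1 ;;
    esac
    args="curl -fsSL --max-time 30 --retry 2 -o $dest"
    if [ "$tls" -eq 1 ]; then
        if [ -n "$cabundle" ]; then
            # Pin trust to the bundle shipped in the ONIE image or via ZTP.
            args="$args --cacert $cabundle"
        elif [ "$allow_insecure" = "1" ]; then
            # wget --no-check-certificate -> curl --insecure, opt-in only.
            args="$args --insecure"
        else
            echo "https URL but no CA bundle and insecure mode not enabled" >&2
            return 1
        fi
    fi
    printf '%s %s\n' "$args" "$url"
}
```

The printed command is meant to be reviewed or executed by the caller; the helper itself never contacts the network.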

bloggins666 commented 6 years ago

To compile curl as a static application you need to use the following make line:

make curl_LDFLAGS=-all-static

Cheers!!

idefixcert commented 1 year ago

Is there a chance to get this implemented?

jmessenger51 commented 1 year ago

+1 - bumping this request for HTTPS support.

When I receive a white box switch we normally have it shipped with ONIE and no NOS installed. When the field technician unboxes, racks, and cables the switch, our process only requires that they inform us of the room/rack/rack unit and serial number. From there our ZTP provisioning process builds the various json files for the switch to boot. However, we have to maintain a pair of http servers whose only job is to serve the Network Operating System (NOS).

We use DHCP options to pass the URL to ONIE such that ONIE can download the NOS. It would be great if ONIE supported HTTPS as we can then leverage a package management system (harbor, git package registry, etc.) such that when the NOS is built the CI/CD can store it in a single location for version control rather than having to also copy to separate servers.

CURL is not a viable option when using DHCP options, unless ONIE translates the DHCP option into a curl request. Also, the other DHCP options that pass a provisioning script are not viable, as we use those options to configure the NOS once it's loaded.

DHCP options used are:
77 & 114 - URL with NOS binary such that ONIE can pull down the image
239 - URL for NOS provisioning script. Once the NOS is installed and boots, it pulls from our git repository URL

If there is a better process where ONIE & the NOS can be configured with ZTP I'm game. Though using FTP / TFTP / or other such protocols has the same issue as http, where separate servers are required simply for the purpose of holding the NOS binary, and it removes the ability to easily manage binary versions in a single location.

nshopik commented 1 year ago

CURL is not a viable option when using DHCP options. Unless ONIE translates the DHCP option into a curl request.

Curl will only serve as a backend, as there needs to be a utility which has HTTPS.

Is there a chance to get this implemented?

Absolutely, but someone has to write the code. It seems there is not enough interest in it. Most are happy with HTTP, as HTTPS doesn't add much more value for ZTP, thus no patches.