rancher / os

Tiny Linux distro that runs the entire OS as Docker containers
https://rancher.com/docs/os/v1.x/en/
Apache License 2.0
6.44k stars 655 forks

ros install V.S wget "certificate signed by unknown authority" #2864

Open axi92 opened 5 years ago

axi92 commented 5 years ago

RancherOS Version: 1.5.3

Where are you running RancherOS: baremetal, vmware

When I do: sudo ros install -c https://domain.cloud/cloud-config.yml -d /dev/sda -f I get an error with the certificate. That is OK because it is a self-signed one. But how do I overrule this and ignore the certificate check?

I also make my rancher-vmware.iso with some changes in the os-config.tpl.yml. I add rancher.cloud_init.datasources: - url:https://domaincloud/cloud-config.yml

Maybe there is also the problem that at first boot from the ISO this cloud-config.yml cannot be properly loaded, because Rancher does not trust the cert.

On the other hand, wget works. So I tried this in my os-config.tpl.yml:

rancher:
  write_files:
    - path: /etc/rc.local
      permissions: "0777"
      owner: root
      content: |
        #!/bin/bash
        if ! blkid | grep -q "RANCHER_STATE"; then wget https://domain.cloud/cloud-config.yml; sudo ros install -c cloud-config.yml -d /dev/sda -f; fi

That should only be run on first boot from the ISO, to write it onto the disk.

The purpose of this is to change the cloud-config.yml without needing to make the ISO every time I need changes.

Edit: The complete process that I try to build is an unattended setup like this:

  1. Edit os-config.tpl.yml add cloud-config.yml
  2. Create VM with iso
  3. Boot from iso - cloud-config gets executed with ros install
  4. Reboot and load docker images + run container

niusmallnan commented 5 years ago

We have a tool (flush_crt_iso.sh) which can flush the certs to the ISO file. Please refer to this doc: https://rancher.com/docs/os/v1.x/en/installation/configuration/airgap-configuration/

axi92 commented 5 years ago

If I follow the instructions it wants to create a /build dir. As I see in the script the ${DAPPER_SOURCE} is missing there https://github.com/rancher/os/blob/eccf9554c86ffa33057027610b015337c05f2a5a/scripts/tools/flush_crt_iso.sh#L20

When I run it with sudo it works, but on line https://github.com/rancher/os/blob/eccf9554c86ffa33057027610b015337c05f2a5a/scripts/tools/flush_crt_iso.sh#L40 the console gives a warning that the drive is only in read mode. Is there a way to verify if the script worked? I still get the certificate error.

niusmallnan commented 5 years ago

Boot from your new ISO and check this file:

cat /proc/1/root/etc/ssl/certs/ca-certificates.crt

Your custom cert should be appended to this file.
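
One way to automate the check suggested above instead of reading the bundle by eye, as an added example that is not part of the original thread or of the RancherOS tooling: it compares the base64 body of a custom certificate against every certificate in a CA bundle, ignoring line wrapping and CRLF endings. The helper names pem_bodies and cert_in_bundle, the script name check_ca.sh and the file name my-ca.pem are assumptions.

```shell
#!/bin/sh
# Added example: check that a custom CA certificate was appended to a CA bundle.
# pem_bodies and cert_in_bundle are hypothetical helper names.

# pem_bodies FILE: print one line per certificate in FILE, holding its base64
# body with line breaks, spaces and CRs removed so wrapping cannot differ.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# cert_in_bundle CERT BUNDLE
#   0 = every certificate in CERT is present in BUNDLE
#   1 = at least one is missing (the bundle does not trust it)
#   2 = a file is unreadable or CERT holds no PEM certificate
cert_in_bundle() {
    cert=$1
    bundle=$2
    [ -r "$cert" ] && [ -r "$bundle" ] || return 2
    wanted=$(pem_bodies "$cert")
    [ -n "$wanted" ] || return 2
    have=$(pem_bodies "$bundle")
    # Bodies are base64, so they contain no whitespace or glob characters
    # and are safe to split on newlines here.
    for body in $wanted; do
        printf '%s\n' "$have" | grep -qxF -- "$body" || return 1
    done
    return 0
}

# Command-line use, e.g. on the booted ISO (my-ca.pem is a placeholder name):
#   sh check_ca.sh my-ca.pem /proc/1/root/etc/ssl/certs/ca-certificates.crt
if [ "$#" -eq 2 ]; then
    rc=0
    cert_in_bundle "$1" "$2" || rc=$?
    case $rc in
        0) echo "custom certificate is in the bundle" ;;
        1) echo "custom certificate is NOT in the bundle" ;;
        *) echo "cannot read input or no certificate found" ;;
    esac
    exit "$rc"
fi
```

An exit status of 1 on the booted ISO means the certificate never reached the bundle, which would leave the "certificate signed by unknown authority" error in place.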

axi92 commented 5 years ago

There is no path like this: cat /proc/1/e and then autocomplete gives me just those 2: environ exe