rpm-software-management / microdnf

Lightweight implementation of dnf in C
GNU General Public License v2.0

Does microdnf support to skip ssl certification validation? #136

Open ooooona opened 1 year ago

ooooona commented 1 year ago

Hi team,

For some reason, I have to skip SSL certificate validation when using microdnf, but I failed to find out how. I know that dnf supports it by setting sslverify=False. How about microdnf?

Looking forward to your response, thanks very much!

j-mracek commented 1 year ago

May I ask you to verify the requested functionality with DNF5 (DNF5 has already replaced microdnf in Fedora 38)? May I also ask which distribution you use? I am asking because we limit the number of new features for microdnf in favor of DNF5.

ooooona commented 1 year ago

Hi @j-mracek, I was trying to build the MLServer image, which uses microdnf from the base image registry.access.redhat.com/ubi9/ubi-minimal. So currently, I have to deal with microdnf.

The problem I ran into with microdnf is that when I was trying to build the MLServer image, I hit a problem with the SSL CA:

(microdnf:13): librhsm-WARNING **: 12:58:28.507: Found 0 entitlement certificates

(microdnf:13): librhsm-WARNING **: 12:58:28.511: Found 0 entitlement certificates
Downloading metadata...
error: cannot update repo 'ubi-9-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (60): SSL peer certificate or SSH remote key was not OK for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/repodata/repomd.xml [SSL certificate problem: self-signed certificate in certificate chain]

It's because of the firewall policy, to which I have no permission to add a whitelist entry. Hence, I have 2 solutions:

  1. The first is to install the self-signed CA. After installing it to '/etc/pki/ca-trust/source/anchors/' and running update-ca-trust, I got another error:

(microdnf:67): librhsm-WARNING **: 13:02:22.988: Found 0 entitlement certificates

(microdnf:67): librhsm-WARNING **: 13:02:22.991: Found 0 entitlement certificates
Downloading metadata...
error: cannot update repo 'ubi-9-baseos-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried; Last error: Curl error (28): Timeout was reached for https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/repodata/repomd.xml [Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds]


  2. The second is to skip the SSL CA verification. But I failed to find the right way to skip it.

Do you have any good suggestions? Thanks!

inknos commented 1 year ago

Hi @ooooona,

Could you try to rebuild with the fedora:latest image? I tried to build the container with this Dockerfile:

@@ -24,7 +24,7 @@ RUN pip install poetry==$POETRY_VERSION && \
         -o /opt/mlserver/dist/constraints.txt && \
     sed -i 's/\[.*\]//g' /opt/mlserver/dist/constraints.txt

-FROM registry.access.redhat.com/ubi9/ubi-minimal
+FROM registry.fedoraproject.org/fedora:latest
 SHELL ["/bin/bash", "-c"]

 ARG PYTHON_VERSION=3.10.11
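Review bot: the new FROM line uses the floating tag fedora:latest, so the base image and every package resolved after it can change between builds; pin a specific Fedora release tag or an image digest instead. Since this replaces ubi-minimal as the base, the reason for the swap should also be stated in a comment above the FROM line.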
@@ -46,8 +46,9 @@ ENV MLSERVER_MODELS_DIR=/mnt/models \
     NUMBA_CACHE_DIR=/opt/mlserver/.cache

 # Install some base dependencies required for some libraries
-RUN microdnf update -y && \
-    microdnf install -y \
+RUN dnf install microdnf -y
+RUN microdnf update -y --setopt=sslverify=False && \
+    microdnf install -y --setopt=sslverify=False \
         tar \
         gzip \
         libgomp \
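Review bot: --setopt=sslverify=False on both the microdnf update and the microdnf install line turns off certificate verification for every repository download in this RUN step, with no comment saying it is a temporary test setting; add that comment, and for a build that is kept, trust the intercepting CA rather than disabling verification. The added "RUN dnf install microdnf -y" line carries no such option, so it is inconsistent with the two lines that follow, and it creates an extra layer that could be folded into the next RUN.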

It worked for me until step 15/20, which is past the microdnf commands (I didn't attempt to debug it further).

teixi commented 1 month ago

Because I found the same error as OP, but in ubi9-minimal 9.4, I just added this issue: (https://issues.redhat.com/browse/RHEL-52230)

microdnf --help output lists at the bottom the allowed --setopt options, but doesn't include sslverify

Thus my temporary workaround: add line sslverify = 0 after line gpgcheck = 1 for the repos in file: /etc/yum.repos.d/ubi.repo via sed command:

sed -i -e 's/gpgcheck = 1/gpgcheck = 1\nsslverify = 0/g' /etc/yum.repos.d/ubi.repo

misaya98 commented 4 days ago

> Because I found the same error as OP, but in ubi9-minimal 9.4, I just added this issue: (https://issues.redhat.com/browse/RHEL-52230)
>
> microdnf --help output lists at the bottom the allowed --setopt options, but doesn't include sslverify
>
> Thus my temporary workaround: add line sslverify = 0 after line gpgcheck = 1 for the repos in file: /etc/yum.repos.d/ubi.repo via sed command:
>
> sed -i -e 's/gpgcheck = 1/gpgcheck = 1\nsslverify = 0/g' /etc/yum.repos.d/ubi.repo

Thanks, it works for me. I also use the Red Hat base image.
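
An added example, not part of the thread or of microdnf: a shell function that audits repo files for the sslverify setting the sed workaround above inserts, so that images or hosts still carrying the temporary workaround can be found later. The function name find_insecure_repos and the sample repo file are constructed for illustration, and the list of values treated as "false" (0, no, false, off) is an assumption.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the microdnf project).
# Prints one line per repo section that disables TLS verification:
#   <file> TAB [section] TAB sslverify=<value>
# Empty output means no inspected repo file turns verification off.
find_insecure_repos() {
    awk '
        function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
        FNR == 1        { section = "(no section)" }   # reset per file
        /^[ \t]*[#;]/   { next }                       # skip comment lines
        /^[ \t]*\[.*\]/ { section = trim($0); next }   # remember [repo-id]
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = tolower(trim(substr($0, 1, eq - 1)))
            val = tolower(trim(substr($0, eq + 1)))
            # Assumption: these spellings all mean "false" for sslverify.
            if (key == "sslverify" && val ~ /^(0|no|false|off)$/)
                printf "%s\t%s\tsslverify=%s\n", FILENAME, section, val
        }
    ' "$@"
}

# Constructed sample: the first repo is in the state the sed workaround
# leaves behind, the second is untouched.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ubi.repo" <<'EOF'
[ubi-9-baseos-rpms]
name = constructed sample entry
enabled = 1
gpgcheck = 1
sslverify = 0

[ubi-9-appstream-rpms]
name = constructed sample entry
enabled = 1
gpgcheck = 1
EOF

# Reports only [ubi-9-baseos-rpms]
find_insecure_repos "$demo_dir/ubi.repo"
rm -rf "$demo_dir"
```

On a real system or in an image build check, it would be called as find_insecure_repos /etc/yum.repos.d/*.repo, with any output treated as a finding.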