Open kquinsland opened 1 month ago
I have a fix but it's currently only applied to the various apt
calls. I am not currently in a good position to figure out the -o Acquire::https::Verify-Peer=false
equivalent for the other package managers.
The .patch
containing the fix is attached.
My question: Should I open a PR with just this fix or not bother until similar is implemented for the other package managers, too?
Description of Issue/Question
Neither of the "insecure DL" options (
-I
and-l
) are carried over toapt
in most cases.In corporate environments it is common to both a) have all traffic go through a MITM proxy and b) not be able to get the MITM root CA loaded in some environments.
Because of this, it's common to see errors like this:
This is - unfortunately - expected. The man in the middle isn't trusted so
apt
- rightfully - refuses to pull.The simplest way to work around this is by adding a
-o Acquire::https::Verify-Peer=false
to theapt ...
command. Yes, I know that this can be put into the/etc/apt/config
but when that happens, it applies to everything everywhere all the time which isn't making an already sub-optimal situation better.In any case, the multiple
apt ...
calls inbootstrap.sh
don't immediately or explicitly fail in this case; bootstrapping does not report errors.Only after bootstrap is done and
salt-call
is run do I hit an error:While not ideal, a manual
pip install ...
should work, right?Nope, because
pip
never got installed becauseapt
skipped pulling packages for thehttps
repos.Setup
I am using the bootstrap.sh script with a ubuntu2204 container image. The specific args being fed are:
Steps to Reproduce Issue
I am using
kitchen
but the gist isubuntu:2204
container image withsalt-bootstrap.sh -l -I -X -P -D -p git -p nano stable
being run on a host where all traffic goes through a MITM proxy.Critically, the CA root for the MITM proxy is not loaded into the container environment so all
https
traffic appears to have a cert mis-match error.Versions and Systems