
Download binaries more securely

Obtain binaries from an encrypted source when we are unable to check
their signatures. This should provide better security than downloading
the files over HTTP, but it does not replace signature verification or a
file integrity check.

Related-Bug: #1791674
Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd
tags/8.0.0.0b1
Martin André 10 months ago
parent
commit
27bab79096

+ 2
- 1
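--- a/docker/base/opendaylight.repo
+++ b/docker/base/opendaylight.repo
@@ -1,5 +1,6 @@
 [opendaylight]
 name=CentOS CBS OpenDaylight Release Repository
-baseurl=http://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
+# opendaylight package is not signed, so download from HTTPS source at least
+baseurl=https://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
 enabled=1
 gpgcheck=0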
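Review bot: The new comment above baseurl is the only place in this commit where the unverified download is recorded without the `TODO(mandre)` marker the other hunks use, so this repo will be missed when the follow-up is searched for. With `gpgcheck=0` kept two lines below, HTTPS protects the transport only; neither the packages nor the repository metadata are authenticated. Suggest `# TODO(mandre) opendaylight package is not signed (gpgcheck=0), so download from HTTPS source at least`.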

+ 2
- 1
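--- a/docker/helm-repository/Dockerfile.j2
+++ b/docker/helm-repository/Dockerfile.j2
@@ -55,7 +55,8 @@ ENV helm_arch={{ base_arch }}
 {% endif %}
 
 {% block helm_repository_install_kubernetes_helm %}
-RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz  http://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
+# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
+RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz  https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
     && sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
     && sudo chmod 755 /usr/bin/helm \
     && rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz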
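Review bot: The rewritten RUN line still calls curl without `--fail`, so an HTTP error body returned over the new HTTPS URL is saved as the tarball and the failure only surfaces when tar rejects it; the same applies to the kubectl fetch in docker/macros.j2 and the plugin fetch in the second hunk of docker/rabbitmq/Dockerfile.j2. Suggest `RUN curl -fLo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \`. The TODO wording "instead of downloading from an HTTPS source" reads as though HTTPS is to be dropped once integrity is checked, whereas the commit message says it is an addition; "in addition to" here, in docker/macros.j2 and in kolla/common/config.py would match. Closing the TODO needs only a pinned digest checked after the download, e.g. `&& echo "<HELM_SHA256_PLACEHOLDER>  /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz" | sha256sum -c -` (placeholder digest, constructed); the helm_repository_install_kubernetes_helm block continues past the hunk.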

+ 2
- 1
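--- a/docker/macros.j2
+++ b/docker/macros.j2
@@ -84,7 +84,8 @@ RUN apt-get update \
             && /bin/false
     {% endif %}
 
-    RUN curl -o /usr/bin/kubectl http://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
+    # TODO(mandre) check for file integrity instead of downloading from an HTTPS source
+    RUN curl -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
         && chmod 755 /usr/bin/kubectl
 {% endmacro %}
 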

+ 1
- 1
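--- a/docker/prometheus/prometheus-cadvisor/Dockerfile.j2
+++ b/docker/prometheus/prometheus-cadvisor/Dockerfile.j2
@@ -22,7 +22,7 @@ RUN curl -ssL -o /opt/cadvisor https://github.com/google/cadvisor/releases/downl
         {% set cadvisor_packages = [
              'libjs-bootstrap',
              'libjs-jquery',
-             'http://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
+             'https://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
         ] %}
 
 {{ macros.install_packages(cadvisor_packages | customizable("packages")) }}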
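Review bot: The arm64 cadvisor .deb on the changed line is still installed from a bare URL, which skips apt's repository signature check entirely, and unlike the helm and kubectl hunks this section records no follow-up for that. Since a `#` comment cannot sit inside the `{% set %}` list, suggest a Jinja comment before it, `{# TODO(mandre) check the integrity of the cadvisor .deb; a URL in this list is not signature-checked #}`; the same applies to the rabbitmq-server .deb in the first hunk of docker/rabbitmq/Dockerfile.j2. The enclosing `{% if %}` that selects this package list starts outside the hunk.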

+ 2
- 2
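--- a/docker/rabbitmq/Dockerfile.j2
+++ b/docker/rabbitmq/Dockerfile.j2
@@ -27,7 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
          ] %}
     {% else %}
          {% set rabbitmq_packages = rabbitmq_packages + [
-             'http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
+             'https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
          ] %}
     {% endif %}
 
@@ -52,7 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
 
 RUN rm -rf /var/lib/rabbitmq/* \
     && ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \
-    && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
+    && curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
     && /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
        rabbitmq_management \
        rabbitmq_clusterer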

+ 3
- 1
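--- a/kolla/common/config.py
+++ b/kolla/common/config.py
@@ -43,7 +43,9 @@ DELOREAN_DEPS = "https://trunk.rdoproject.org/centos7/delorean-deps.repo"
 
 INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos']
 
-TARBALLS_BASE = "http://tarballs.openstack.org"
+# TODO(mandre) check for file integrity instead of downloading from an HTTPS
+# source
+TARBALLS_BASE = "https://tarballs.openstack.org"
 
 _PROFILE_OPTS = [
     cfg.ListOpt('infra',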
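Review bot: TARBALLS_BASE on the new line is a module-level default, so the transport protection the comment describes holds only while nothing overrides it; if this constant feeds a cfg option, as the _PROFILE_OPTS list below suggests the module does for other values, an http:// override restores the old behaviour silently. Suggest extending the comment, `# Default only: an http:// tarballs base supplied through configuration is not rejected here`, and, with the option definition not visible in this hunk, emitting a warning at the point where the configured value is read if it does not start with https://.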
