Download binaries more securely
Obtain binaries from encrypted source when we're unable to check for their signatures. This should provide better security than downloading the files over HTTP but does not replace signature verification or file integrity check. Related-Bug: #1791674 Change-Id: I7d6eed9ab14ceb130ea4f5f03d893ddaaa0a7acd
This commit is contained in:
parent
a4187d9d02
commit
27bab79096
@ -1,5 +1,6 @@
|
|||||||
[opendaylight]
|
[opendaylight]
|
||||||
name=CentOS CBS OpenDaylight Release Repository
|
name=CentOS CBS OpenDaylight Release Repository
|
||||||
baseurl=http://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
|
# opendaylight package is not signed, so download from HTTPS source at least
|
||||||
|
baseurl=https://cbs.centos.org/repos/nfv7-opendaylight-6-release/x86_64/os/
|
||||||
enabled=1
|
enabled=1
|
||||||
gpgcheck=0
|
gpgcheck=0
|
||||||
|
@ -55,7 +55,8 @@ ENV helm_arch={{ base_arch }}
|
|||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
{% block helm_repository_install_kubernetes_helm %}
|
{% block helm_repository_install_kubernetes_helm %}
|
||||||
RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz http://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
|
# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
|
||||||
|
RUN curl -Lo /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz https://storage.googleapis.com/kubernetes-helm/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
|
||||||
&& sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
|
&& sudo tar --strip-components 1 -C /usr/bin linux-${helm_arch}/helm -zxvf /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz \
|
||||||
&& sudo chmod 755 /usr/bin/helm \
|
&& sudo chmod 755 /usr/bin/helm \
|
||||||
&& rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz
|
&& rm /tmp/helm-v${helm_version}-linux-${helm_arch}.tar.gz
|
||||||
|
@ -84,7 +84,8 @@ RUN apt-get update \
|
|||||||
&& /bin/false
|
&& /bin/false
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
RUN curl -o /usr/bin/kubectl http://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
|
# TODO(mandre) check for file integrity instead of downloading from an HTTPS source
|
||||||
|
RUN curl -o /usr/bin/kubectl https://storage.googleapis.com/kubernetes-release/release/v1.5.4/bin/linux/${KUBE_ARCH}/kubectl \
|
||||||
&& chmod 755 /usr/bin/kubectl
|
&& chmod 755 /usr/bin/kubectl
|
||||||
{% endmacro %}
|
{% endmacro %}
|
||||||
|
|
||||||
|
@ -22,7 +22,7 @@ RUN curl -ssL -o /opt/cadvisor https://github.com/google/cadvisor/releases/downl
|
|||||||
{% set cadvisor_packages = [
|
{% set cadvisor_packages = [
|
||||||
'libjs-bootstrap',
|
'libjs-bootstrap',
|
||||||
'libjs-jquery',
|
'libjs-jquery',
|
||||||
'http://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
|
'https://snapshot.debian.org/archive/debian/20180503T060640Z/pool/main/c/cadvisor/cadvisor_0.27.1+dfsg2-1_arm64.deb'
|
||||||
] %}
|
] %}
|
||||||
|
|
||||||
{{ macros.install_packages(cadvisor_packages | customizable("packages")) }}
|
{{ macros.install_packages(cadvisor_packages | customizable("packages")) }}
|
||||||
|
@ -27,7 +27,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
|
|||||||
] %}
|
] %}
|
||||||
{% else %}
|
{% else %}
|
||||||
{% set rabbitmq_packages = rabbitmq_packages + [
|
{% set rabbitmq_packages = rabbitmq_packages + [
|
||||||
'http://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
|
'https://www.rabbitmq.com/releases/rabbitmq-server/v3.6.5/rabbitmq-server_3.6.5-1_all.deb',
|
||||||
] %}
|
] %}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
@ -52,7 +52,7 @@ LABEL maintainer="{{ maintainer }}" name="{{ image_name }}" build-date="{{ build
|
|||||||
|
|
||||||
RUN rm -rf /var/lib/rabbitmq/* \
|
RUN rm -rf /var/lib/rabbitmq/* \
|
||||||
&& ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \
|
&& ln -s /usr/lib/rabbitmq/lib/rabbitmq_server-3.6.* /usr/lib/rabbitmq/lib/rabbitmq_server-3.6 \
|
||||||
&& curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez http://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
|
&& curl -o /usr/lib/rabbitmq/lib/rabbitmq_server-3.6/plugins/rabbitmq_clusterer-3.6.x-667f92b0.ez https://www.rabbitmq.com/community-plugins/v3.6.x/rabbitmq_clusterer-3.6.x-667f92b0.ez \
|
||||||
&& /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
|
&& /usr/lib/rabbitmq/bin/rabbitmq-plugins enable --offline \
|
||||||
rabbitmq_management \
|
rabbitmq_management \
|
||||||
rabbitmq_clusterer
|
rabbitmq_clusterer
|
||||||
|
@ -43,7 +43,9 @@ DELOREAN_DEPS = "https://trunk.rdoproject.org/centos7/delorean-deps.repo"
|
|||||||
|
|
||||||
INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos']
|
INSTALL_TYPE_CHOICES = ['binary', 'source', 'rdo', 'rhos']
|
||||||
|
|
||||||
TARBALLS_BASE = "http://tarballs.openstack.org"
|
# TODO(mandre) check for file integrity instead of downloading from an HTTPS
|
||||||
|
# source
|
||||||
|
TARBALLS_BASE = "https://tarballs.openstack.org"
|
||||||
|
|
||||||
_PROFILE_OPTS = [
|
_PROFILE_OPTS = [
|
||||||
cfg.ListOpt('infra',
|
cfg.ListOpt('infra',
|
||||||
|
Loading…
Reference in New Issue
Block a user