Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bib: load repo keys using external paths (COMPOSER-2408) #734

Merged
merged 1 commit into from
Nov 28, 2024

Conversation

achilleas-k
Copy link
Member

Since d192f85, we switched to using dnf (osbuild-depsolve-dnf) from BIB itself, but using the base (bootc) container root to read configurations, certificates, keys, etc. Unfortunately, what we didn't change, is the way in which we load the repository certs after the depsolve.

The extractTLSKeys() function currently takes a Container instance which implements ReadFile() by cating a file from inside the running container. However, the paths we get from the depsolve are relative to the BIB worktree. Therefore, we can simply read the files directly.

Add a SimpleFileReader that implements the fileReader interface to simply read a file from a path. We could simplify this to not require a reader interface at all, but let's keep the implementation in case we ever need to switch back to the older way of depsolving from inside the container.

Resolves COMPOSER-2408

ondrejbudai
ondrejbudai previously approved these changes Nov 28, 2024
Copy link
Member

@ondrejbudai ondrejbudai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Should we implement an E2E test in a follow-up? This logic seems to be quite brittle. :/

bib/cmd/bootc-image-builder/mtls.go Outdated Show resolved Hide resolved
Since d192f85, we switched to using dnf
(osbuild-depsolve-dnf) from BIB itself, but using the base (bootc)
container root to read configurations, certificates, keys, etc.
Unfortunately, what we didn't change, is the way in which we load the
repository certs after the depsolve.

The extractTLSKeys() function currently takes a Container instance which
implements ReadFile() by `cat`ing a file from inside the running
container.  However, the paths we get from the depsolve are relative to
the BIB worktree.  Therefore, we can simply read the files directly.

Add a SimpleFileReader that implements the fileReader interface to
simply read a file from a path.  We could simplify this to not require
a reader interface at all, but let's keep the implementation in case we
ever need to switch back to the older way of depsolving from inside the
container.

Resolves COMPOSER-2408
Copy link
Member

@ondrejbudai ondrejbudai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@ondrejbudai ondrejbudai added this pull request to the merge queue Nov 28, 2024
Copy link
Collaborator

@mvo5 mvo5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for finding/fixing this! This is great!

Merged via the queue into osbuild:main with commit 739aa04 Nov 28, 2024
10 of 11 checks passed
@achilleas-k achilleas-k deleted the bug/repo-certs branch November 28, 2024 15:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants