Comments (7)
The root issue that seems to be causing our problems is that the version of Linux this is based on, deep, deep in the layer chain, has an old set of CA certificates.
We ported the entire logic/behaviour over to a custom CentOS7-based container and it's all working fine now - so I suspect this issue is twofold:
- Image is using old baseline, missing many common CAs (a quick compare versus CentOS7/Ubuntu latest)
- No way to inject custom certs bundle. Would allow us to use internal registry / self-signed and also mitigate issue of missing root public CA.
from drone-docker.
I believe this needs to be resolved at the Drone level with the ability to read-only mount certificate volumes into plugin containers. We can then update plugins to load these certs from well-known directories using something like https://github.com/jackspirou/syscerts
from drone-docker.
This would be a great improvement. The current workaround of using the insecure flag isn't ideal.
from drone-docker.
+1 for the ability to inject certificates, by some means, into /etc/docker/certs.d/ to allow for a self-signed secure registry. I'm at the point now where, in the absence of this feature, I'm forced to explore other options for the generation of Docker images as build artifacts.
from drone-docker.
@bchivari you can always fork the plugin and build your own image with the certificate included (0.5 only), or mount your certificate at runtime as a volume (0.5 only)
pipeline:
  ...
  publish:
    image: plugins/docker
    ...
    volumes:
      - /etc/docker/certs.d:/etc/docker/certs.d
As mentioned above you might be able to use the insecure: true flag as a temporary workaround:
pipeline:
  ...
  publish:
    image: plugins/docker
    insecure: true
    ...
There are plans to expose a global certificate pool to all plugins (not just docker) but that isn't something that will be ready in the near term. In the meantime, there should be sufficient workarounds available to proceed even if you require a custom certificate.
from drone-docker.
If anyone is interested in contributing an implementation of the global cert pool please contact us in our gitter channel to discuss further. https://gitter.im/drone/drone
If not, please note that it is not something I'm actively working on in the near term. If you have to wait for me to implement this feature, you could be waiting months ...
from drone-docker.
drone now supports a global DRONE_VOLUME parameter. This is a global server setting that instructs drone to mount folders in all containers and can be used to mount custom certificate chains.
DRONE_VOLUME=/etc/ssl/certs:/etc/ssl/certs
from drone-docker.