Conversation
3580012
to
efdbe30
Compare
Hi @jcvenegas - I'm afraid we don't want to do this. Everything should be using https now. I think you've been hit by the same proxy problem as @eadamsintel had on #61. |
(ftr, it works perfectly using https without proxies ;) |
@jodh-intel I ran into this issue on an external (cloud) machine. No proxy. |
It sounds like this is a package version issue. I tested with Ubuntu 17.10. We really want to avoid having to document an insecure installation method using http though. |
|
hey @jodh-intel thanks for the clarification, I was thinking was a general issue - and wanted not having our docs broken. So if is only for a few of us - lets debug a bit more. |
@jcvenegas I think this is xenial specific. Perhaps just a short term w/a necessary while we still package Xenial? |
I've recreated the problem on Ubuntu 16.04. In fact, you can simulate it in any environment like this by telling
The problem is that the opensuse download site appears to be redirecting the incoming https request to an http download url, even though the connection originally came in via https. If correct, that seems rather broken to me. What's odd is that the opensuse download site can service https downloads fwics. Adding curl debug ( And yet, you can download that file over https!:
Hence, I think this issue can be summarised as "Ubuntu 16.04 is dtrt wrt security but the opensuse server appears to be 'not configured optimally', atleast for libcurl clients ;-)". Unless opensuse change their server configuration, I think we are indeed going to be forced into changing the urls to "http" for two reasons:
/cc @cseader. |
@jodh-intel based on this; this PR shouldn't be "do not merge" at this point, right? |
Well, imho we need to:
|
@ajaeger - FYI. |
a3e2f87
to
17c4314
Compare
Hi @jcvenegas - it appears obs still has the problem so... lgtm (You need to rebase though). |
obs provides ubuntu packages by http not https. Fixes: kata-containers#81 Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
17c4314
to
f39dc40
Compare
hum odd travis fail.
Not a blocker |
Hi @vrothberg - could you provide any further details on the https -> http issue mentioned above (#83 (comment))? |
@jodh-intel Thanks for reaching out! I will make sure our build team has a look at the issue. |
@vrothberg - no problem and thanks! 😄 |
@vrothberg, @adrianschroeter - I've checked this morning and the https -> http issue seems to be mostly resolved so thanks for fixing this this! However, a random sampling of downloads for https://download.opensuse.org/repositories/home:/katacontainers:/release/ shows that the only distros where we are unable to download entirely via https are... OpenSUSE and SLES:
Could you tweak the settings for those repos too please? |
Hi @jodh-intel, not all the mirrors in the mirror infrastructure supports HTTPS. That's also why the But as I explained here HTTP is not an issue, and in my view the warning should be removed from the doc pages. (Speaking for SUSE) Probably you can safely use HTTPS as the main repo URL, but individual packages will still be downloaded using HTTP. |
…file refactor and create a summary file inside the image
Fix kata installation URL.