This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

stage0: break apart -insecure-skip-verify #912

Closed
jonboulle opened this issue May 18, 2015 · 7 comments · Fixed by #1738

Comments

@jonboulle
Contributor

Currently the -insecure-skip-verify flag is a sledgehammer for disabling various security mechanisms. This was an intentional design decision early in rkt's development to minimise flag churn as different security options evolved.

As rkt matures and approaches 1.0 we need to tease apart the actual functionality of this flag into separate, well-defined options.

Here are the things that the flag does today:

  • disables signature validation for images (including preventing rkt from attempting to retrieve signatures)
  • skips certificate verification for TLS (i.e. causes rkt to accept any certificate presented by HTTPS servers)
  • skips prompting the user to trust a key (during rkt trust)
  • allows discovery to drop back to HTTP (instead of being strictly HTTPS)

A couple of suggested options for what the new flags can look like:

  • separate (but similar) flags for each: -insecure-skip-verify-tls, -insecure-skip-verify-image, etc
  • distinct and arguably more accurately named flags: -no-verify-tls-certs, -enable-http-fallback, etc.
  • a combined "options" flag - e.g. -insecure-options=image,tls
@jonboulle jonboulle added this to the v1.0.0 milestone May 18, 2015
philips pushed a commit to philips/rkt that referenced this issue May 19, 2015
- insecure-skip-verify is used in image fetch and trust for skipping
  verification, document this in the flags usage
- make the docs more explicit about what insecure-skip-verify does

We will split this sledgehammer flag into multiple flags via rkt#912
@jonboulle jonboulle modified the milestones: v1.0.0, v0.10.0 Oct 2, 2015
@blixtra
Collaborator

blixtra commented Oct 9, 2015

I'll start on this. I think it's most clear to go with the "combined 'options' flag" described above.

@jonboulle
Contributor Author

Sounds reasonable to me. @robszumski ?

@robszumski
Contributor

Sounds good to me as long as a table of all the options makes it into the docs as part of this. Maybe throw up a deprecation warning? Or are we going to support both?

@alban
Member

alban commented Nov 13, 2015

@blixtra should have a PR ready today but moving to next milestone to consider the time needed for reviewing.

@alban
Member

alban commented Nov 14, 2015

@blixtra when this gets merged, please check if the acbuild documentation and containers/build#100 still use --insecure-skip-verify.

@blixtra
Collaborator

blixtra commented Nov 25, 2015

@robszumski So this is in the last stage of review. Wanted to get a last ok from you regarding the UX.

The documentation for the new option (and all global options) is here.

One last thing I'm adding is --insecure-skip-verify that is equivalent to --insecure-options=all and marked as deprecated and hidden, meaning the user will get a warning when using it and it won't show up in the help.

Otherwise the global flag section of the help looks like this now:

OPTIONS:
      --debug[=false]           print out more debug information to stderr
      --dir=/var/lib/rkt        rkt data directory
  -h, --help[=false]            help for rkt
      --insecure-options=none       comma-separated list of security features to disable. Allowed values: "none", "image", "tls", "all"
      --local-config=/etc/rkt       local configuration directory
      --system-config=/usr/lib/rkt  system configuration directory
      --trust-keys-from-https[=true]    automatically trust gpg keys fetched from https

(excuse github formatting)
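To make the design concrete, here is an added Go example of how a parser for the combined `--insecure-options` flag proposed in the opening comment and shown in the help text above could work. It is illustration written for this thread, not rkt's own code: the `InsecureOptions` type, the `ParseInsecureOptions` and `FromLegacySkipVerify` functions, and the rules that `none` must stand alone and that unknown words are rejected rather than ignored are all assumptions made here. The zero value keeps every check enabled, and `DisabledFeatures` gives the caller one list to warn about whenever anything is switched off.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// InsecureOptions records which security mechanisms the user explicitly
// asked to disable. The zero value keeps every check enabled, which is the
// safe default the flag parser falls back to on any error.
// (Type and field names are assumptions for this example, not rkt's.)
type InsecureOptions struct {
	SkipImageVerification bool // "image": do not fetch or validate image signatures
	SkipTLSVerification   bool // "tls": accept any certificate presented over HTTPS
}

// allowedValues mirrors the values listed in the quoted help text.
var allowedValues = []string{"none", "image", "tls", "all"}

// ParseInsecureOptions turns the comma-separated flag value into a typed
// option set. "none" must stand alone so that "none,tls" cannot quietly
// disable a check, and unknown words are rejected instead of ignored, so a
// typo never results in a silently different security posture.
func ParseInsecureOptions(value string) (InsecureOptions, error) {
	var opts InsecureOptions
	fields := strings.Split(value, ",")
	for _, raw := range fields {
		switch word := strings.ToLower(strings.TrimSpace(raw)); word {
		case "none":
			if len(fields) != 1 {
				return InsecureOptions{}, fmt.Errorf("--insecure-options: %q cannot be combined with other values", word)
			}
		case "image":
			opts.SkipImageVerification = true
		case "tls":
			opts.SkipTLSVerification = true
		case "all":
			opts.SkipImageVerification = true
			opts.SkipTLSVerification = true
		default:
			return InsecureOptions{}, fmt.Errorf("--insecure-options: unknown value %q; allowed values: %s",
				word, strings.Join(allowedValues, ", "))
		}
	}
	return opts, nil
}

// FromLegacySkipVerify maps the deprecated --insecure-skip-verify switch onto
// the new option set: when set it is equivalent to --insecure-options=all.
func FromLegacySkipVerify(enabled bool) InsecureOptions {
	if !enabled {
		return InsecureOptions{}
	}
	return InsecureOptions{SkipImageVerification: true, SkipTLSVerification: true}
}

// DisabledFeatures lists the checks that are off, in a fixed order, so the
// caller can emit a single unambiguous warning line whenever anything is disabled.
func (o InsecureOptions) DisabledFeatures() []string {
	var disabled []string
	if o.SkipImageVerification {
		disabled = append(disabled, "image")
	}
	if o.SkipTLSVerification {
		disabled = append(disabled, "tls")
	}
	return disabled
}

func main() {
	// Constructed sample inputs: values a user might pass after --insecure-options=.
	for _, v := range []string{"none", "tls", "image,tls", "all", "none,tls", "bogus"} {
		opts, err := ParseInsecureOptions(v)
		if err != nil {
			fmt.Fprintf(os.Stderr, "%-10s -> rejected: %v\n", v, err)
			continue
		}
		if d := opts.DisabledFeatures(); len(d) > 0 {
			fmt.Printf("%-10s -> WARNING: security features disabled: %s\n", v, strings.Join(d, ","))
		} else {
			fmt.Printf("%-10s -> all checks enabled\n", v)
		}
	}
}
```

Rejecting unknown values is the part worth keeping regardless of naming: with a sledgehammer boolean there is nothing to mistype, but once the flag takes words, a misspelled `tsl` that is ignored would leave the user believing a check is off when it is on, or the reverse.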

@robszumski
Contributor

@blixtra LGTM, thanks for checking


4 participants