Skip to content

Support arbitrary registration URL #610

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 7 commits into
base: main
Choose a base branch
from
Open

Support arbitrary registration URL #610

wants to merge 7 commits into from

Conversation

josegomezr
Copy link

Add support for operatingSystem.packages.sccRegistrationUrl to allow for registration against an RMT/SMT/SUMA.

Similar to suse-edge/misc#112

@atanasdinov
Copy link
Contributor

Thank you for your contribution, however, I have to note that this registration only concerns the intermediate container used for RPM resolution, and not the final provisioned node(s).

What is the problem that we're trying to solve?

@josegomezr
Copy link
Author

Enable the full process to be able to talk with a SUMA/RMT/SCC Instance.

I understand that this container calls suseconnect to get repositories added via the services returned by the registration server (scc right now) and then will download all RPMs (from the default location: CDN).

By allowing the registration URL just before the download, the downloads can be served by SUMA/RMT/SMT instead.

Or at least is my understanding on when each stage is called 😅

@jdob
Copy link
Contributor

jdob commented Nov 20, 2024

This is awesome, thanks for the contribution. I'll do a quick test on my own to verify the templating part works correctly. In the meantime, I have a few notes on areas that aren't necessarily obvious that need to be updated before it can land:

  • pkg/image/validation/os.go - I'd like to see some sort of validation on the URL. Nothing major, but you can use some built in URL functions to make sure it's valid.
  • pkg/image/testdata/full-valid-example.yaml - The intention there is to mention every attribute to demonstrate its usage and be able to unit test the parsing. Please add an entry there (line 78 has a usage of sccRegistrationCode, you can put it under there).
  • pkg/image/definition_test.go - Make sure to update this with the assertion that the new field is parsed correctly.
  • docs/building-images.md - This is our documentation for the definition file. Please update as appropriate (you can follow the model for sccRegistrationCode).
  • RELEASE_NOTES.md - Under "Image Definition Changes", add an entry for this new field with a brief description.

@jdob
Copy link
Contributor

jdob commented Nov 20, 2024

@fdegir This is an outside contribution, so not on our roadmap, but can you put this on your todo list of things to add to CI?

@jdob
Copy link
Contributor

jdob commented Nov 20, 2024

Light testing looked good to me. I don't have a local server to test against, but I was able to get the resolution script to show:

suseconnect -r INTERNAL-USE-ONLY-LOL-NO --url "http://foo"

jdob
jdob reviewed Nov 20, 2024
View reviewed changes
pkg/rpm/resolver/templates/rpm-resolution.sh.tpl Outdated
@@ -12,7 +12,7 @@ set -euo pipefail
# Arch - sets the architecture of the rpm packages to pull
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One more thing @josegomezr, please add mention of the new template variable and a brief description here.

@rdoxenham
Copy link
Contributor

Thanks for the contribution @josegomezr - another thing to mention in the documentation would be that by default we register against SCC/CDN, and that if the URL is omitted, this what we use by default. Thanks!

josegomezr and others added 6 commits November 22, 2024 21:59
@josegomezr
Support arbitrary registration URL
0de7642 
Add support for `operatingSystem.packages.sccRegistrationUrl` to allow
for registration against an RMT/SMT/SUMA.
@josegomezr
Validate registration url parameter
cef09fe 
Use net/url.Parse function to ensure a valid url is present
@josegomezr
Example of a registration url in the sample YAML
f7828af
@josegomezr
Test registration URL goes from YAML to go struct
4a36df7
@josegomezr
Document usage of Registration URL
98c0d0d
@josegomezr
Add line in release notes
5bf8166
@josegomezr josegomezr force-pushed the support_registration_url branch from 8b28958 to 5bf8166 Compare November 22, 2024 20:59
josegomezr
josegomezr commented Nov 22, 2024
View reviewed changes
docs/building-images.md
Comment on lines +204 to +207
* `sccRegistrationUrl` - Specifies a registration server like RMT or SUMA, which is used to connect download SUSE's internal RPM repositories. Defaults to `https://scc.suse.com`.

> **_NOTE:_** When using `sccRegistrationUrl` over `https` it's important that the `eib` recognizes the CA of the `registrationUrl`.
> This is common on RMT setups. See the [RMT docs on configuring clients](https://documentation.suse.com/sles/15-SP6/html/SLES-all/cha-rmt-client.html).
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I must confess I'm not super inspired on this writing part, I'm very open to suggestions 😅

@rdoxenham
Copy link
Contributor

@atanasdinov @dbw7 @ipetrov117 - would you mind re-reviewing this? I think we should look to merge it if possible. Thank you!

ipetrov117
ipetrov117 requested changes Jan 30, 2025
View reviewed changes
Copy link
Contributor

@ipetrov117 ipetrov117 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for your contribution @josegomezr and apologies for jumping late on this.

Sadly, the suggested implementation does not handle all the use-cases that come with the sccRegistrationUrl property introduction.

Ran some tests with this implementation against a local RMT server and found the following things to be working or in need of improvement.

Working:

  1. RMT server with http URL is successfully called and used in the RPM resolution process. Image is successfully built and booted.

In need of improvement:

  1. Currently, sccRegistrationCode and sccRegistrationUrl are always bundled together.
  2. The implementation does not really support https remote server urls.

TL;DR
Regarding (1), bundling these two properties together would mean that if users want to connect a local registration server, they must always provide a registration code. To my knowledge this is not always the case. RMT for instance does not require each connecting machine to provide a registration code. The registration code is placed onto the RMT server itself and connecting machines only need to provide the RMT server URL. IMO we should not bundle these two properties together.

Regarding (2), in the Building Images documentation, we want to suggest the following:

When using sccRegistrationUrl over https it's important that the eib recognizes the CA of the registrationUrl.

There is actually no mechanism that EIB offers to add a custom certificate to the container that is running the RPM resolution process (in order to ensure a consistent RPM resolution process a new container is created inside of the EIB container, check our design doc about this if you have not already).

Yes, we have the certificates directory, however, it is not used to introduce certificates inside of the EIB container, or the RPM resolution container that is inside of it. It is used to introduce the certificates during the image boot. @atanasdinov @jdob please keep me honest.

So with today's implementation, if a user goes and provides sccRegistrationUrl: https://registration-server.like-rmt-smt.here, during the RPM resolution process they would always get the following error:

SUSEConnect error: Post "https://<RMT_SERVER>/connect/subscriptions/systems": tls: failed to verify certificate: x509: certificate signed by unknown authority

To resolve this, the implementation would need to be enhanced to provide the certificate in some way.

@atanasdinov and @jdob, I would love to hear what you think, but from a first glance at the problem I see two approaches:

  1. Use the rmt-client-setup script inside of the RPM resolution container to pull the certificates for the RMT server and connect to it (as described in the official doc).

  2. Introduce a mechanism that users could leverage to provide custom certificates to the RPM resolution container. In theory we could support a configuration similar to:

    operatingSystem:
  packages:
    scc:
      registrationCode: <code>
      registrationUrl: <url>
       # Directory holding registration server specific certificates.
       # Created by the user within the Image Configure Directory
      certificateDir: <path>

    With this approach, we would need to implement a mechanism to retrieve the certificates from certificateDir and transfer them to the RPM resolution container. This would ensure that the necessary certificates are always available in the container before attempting to connect to the registration server over https.

Let me know if I missed or misunderstood something, but IMO we should not merge this implementation until we tackle/discuss the above points.

@josegomezr
Copy link
Author

Leaving a note to self here: there seems to be support for populating the cert pool with arbitrary certificate and/or a directory!

https://github.com/SUSE/connect-ng/blob/9e380ad555245d18d16bd7e2843594f50def2f7a/internal/connect/cert_pool.go#L25

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jdob jdob jdob left review comments

@ipetrov117 ipetrov117 ipetrov117 requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@josegomezr @atanasdinov @jdob @rdoxenham @ipetrov117