ssl_verify disable for a Singularity bootstrap
137 views
Skip to first unread message
Richard Powell
Feb 10, 2021, 4:21:21 PM2/10/21
to singularity
So, I'm moving our repo strategy to Nexus Repo Manager and setting up Nexus proxy repos to the yum repos I need. Our Nexus repo server (which is configured for https) to the yum centos6 archive repo is using basic auth. I believe my https is getting in the way here.
I get an error on attempt to reach my basic auth https repo proxy. I think I simply need to have the equivalent of "--setopt=sslverify=false" set for this container to build from https, but I don't know a way to turn off yum ssl_verify for the bootstrap to work. Is there a Singularity environment variable that would ensure ssl_verify=0 is in effect for the bootstrap build? Or, is there some other strategy I can consider?
####execution and resulting error below####username and password below omitted for this discussion
[root@server scratch]# singularity build --sandbox /scratch/centos6 /recipes/dev/centos6.def
INFO: Starting build...
INFO: Skipping GPG Key Import
https://uname:password@nexus01/repository/centos6/repodata/repomd.xml: [Errno 14] Peer cert cannot be verified or peer cert invalid
Trying other mirror.
Error: Cannot retrieve repository metadata (repomd.xml) for repository: base. Please verify its path and try again
FATAL: While performing build: conveyor failed to get: while bootstrapping: exit status 1
###first few lines of my recipe
[root@server scratch]# cat /nfs/system/singularity/recipes/dev/centos6.def | head -n 10
BootStrap: yum
OSVersion: 6.10
MirrorURL: https://uname:password@nexus01/repository/centos6/
Include: yum
Thomas Hartmann
Feb 11, 2021, 4:03:25 AM2/11/21
to singu...@lbl.gov, Richard Powell
Hi Richard,
I guess that the error is not directly Signularity but your yum/dnf in
the container build context.
Can yopu try, if your build works, when you add to the repo file in the
container, that is pulled through/from your nexus
`sslverify=0`
or general for all (probably not the ebst solution) add to /etc/yum.conf
`sslverify=false`
Else you could try and set
SINGULARITY_NOHTTPS
but AFAIK this envvar only controls pulling from http-only container hubs
Cheers,
Thomas
On 10/02/2021 22.21, Richard Powell wrote:
> So, I'm moving our repo strategy to Nexus Repo Manager and setting up
> Nexus proxy repos to the yum repos I need. Our Nexus repo server (which
> is configured for https) to the yum centos6 archive repo is using basic
> auth. I believe my https is getting in the way here.
>
> I get an error on attempt to reach my basic auth https repo proxy. I
> think I simply need to have the equivalent of "--setopt=sslverify=false"
> set for this container to build from https, but I don't know a way to
> turn off yum ssl_verify for the bootstrap to work. Is there a
> Singularity environment variable that would ensure ssl_verify=0 is in
> effect for the bootstrap build? Or, is there some other strategy I can
> consider?
>
> ####execution and resulting error below####username and password below
> omitted for this discussion
>
> [root@server scratch]#singularity build --sandbox /scratch/centos6
> You received this message because you are subscribed to the Google
> Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to singularity...@lbl.gov
> <mailto:singularity...@lbl.gov>.
> To view this discussion on the web visit
> https://groups.google.com/a/lbl.gov/d/msgid/singularity/1c924097-5c78-4733-9df2-b746dcbd053en%40lbl.gov
> <https://groups.google.com/a/lbl.gov/d/msgid/singularity/1c924097-5c78-4733-9df2-b746dcbd053en%40lbl.gov?utm_medium=email&utm_source=footer>.
I guess that the error is not directly Signularity but your yum/dnf in
the container build context.
Can yopu try, if your build works, when you add to the repo file in the
container, that is pulled through/from your nexus
`sslverify=0`
or general for all (probably not the ebst solution) add to /etc/yum.conf
`sslverify=false`
Else you could try and set
SINGULARITY_NOHTTPS
but AFAIK this envvar only controls pulling from http-only container hubs
Cheers,
Thomas
On 10/02/2021 22.21, Richard Powell wrote:
> So, I'm moving our repo strategy to Nexus Repo Manager and setting up
> Nexus proxy repos to the yum repos I need. Our Nexus repo server (which
> is configured for https) to the yum centos6 archive repo is using basic
> auth. I believe my https is getting in the way here.
>
> I get an error on attempt to reach my basic auth https repo proxy. I
> think I simply need to have the equivalent of "--setopt=sslverify=false"
> set for this container to build from https, but I don't know a way to
> turn off yum ssl_verify for the bootstrap to work. Is there a
> Singularity environment variable that would ensure ssl_verify=0 is in
> effect for the bootstrap build? Or, is there some other strategy I can
> consider?
>
> ####execution and resulting error below####username and password below
> omitted for this discussion
>
> /recipes/dev/centos6.def
>
> INFO: Starting build...
>
> INFO: Skipping GPG Key Import
>
> https://uname:password@nexus01/repository/centos6/repodata/repomd.xml:
> [Errno 14] Peer cert cannot be verified or peer cert invalid
>
> Trying other mirror.
>
> Error: Cannot retrieve repository metadata (repomd.xml) for repository:
> base. Please verify its path and try again
>
> FATAL: While performing build: conveyor failed to get: while
> bootstrapping: exit status 1
>
> ###first few lines of my recipe
>
> [root@server scratch]#cat
> /nfs/system/singularity/recipes/dev/centos6.def | head -n 10
>
> BootStrap: yum
>
> OSVersion: 6.10
>
> MirrorURL: https://uname:password@nexus01/repository/centos6/
>
> Include: yum
>
> --
>
> INFO: Starting build...
>
> INFO: Skipping GPG Key Import
>
> https://uname:password@nexus01/repository/centos6/repodata/repomd.xml:
> [Errno 14] Peer cert cannot be verified or peer cert invalid
>
> Trying other mirror.
>
> Error: Cannot retrieve repository metadata (repomd.xml) for repository:
> base. Please verify its path and try again
>
> FATAL: While performing build: conveyor failed to get: while
> bootstrapping: exit status 1
>
> ###first few lines of my recipe
>
> [root@server scratch]#cat
> /nfs/system/singularity/recipes/dev/centos6.def | head -n 10
>
> BootStrap: yum
>
> OSVersion: 6.10
>
> MirrorURL: https://uname:password@nexus01/repository/centos6/
>
> Include: yum
>
> You received this message because you are subscribed to the Google
> Groups "singularity" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to singularity...@lbl.gov
> <mailto:singularity...@lbl.gov>.
> To view this discussion on the web visit
> https://groups.google.com/a/lbl.gov/d/msgid/singularity/1c924097-5c78-4733-9df2-b746dcbd053en%40lbl.gov
> <https://groups.google.com/a/lbl.gov/d/msgid/singularity/1c924097-5c78-4733-9df2-b746dcbd053en%40lbl.gov?utm_medium=email&utm_source=footer>.
Reply all
Reply to author
Forward
0 new messages