linux - 使用来自主机的 CA Trust Bundle 构建 Docker

Question

给定一个从网络上安装的简单 Dockerfile，我试图找出一种优雅的方式来允许构建过程信任 HTTPS 端点，无论构建是在公司代理后面还是不在公司代理后面。 理想情况下，无需更改 Dockerfile。
Dockerfile:

FROM alpine

RUN apk update -v; apk add -v curl

错误:

$ docker build .
Sending build context to Docker daemon  83.97kB
Step 1/2 : FROM alpine
 ---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
 ---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
  curl (no such package):
    required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1

这里的问题是，我的开发人员机器位于流量拦截代理后面的公司网络上，该代理在 Docker 构建中从 apk 的角度来看中间人的连接含义，它看到了一个已签名的证书我们不信任的代理。
来自主机的信任不是问题 - 当我 wget 构建中请求的文件时，它可以工作:

$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59--  https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’

当我在构建服务器上运行它时，它可以通过，因为没有转发代理。
有没有办法在不修改 Dockerfile 的情况下将具有代理 CA(例如 /etc/ssl/certs/ca-certificates)的 Ubuntu 信任包传递到构建过程？
谢谢!

Answer 1

创建一个名为 repositories 的文件在您的本地 docker build 上下文目录中，包含以下内容:

http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community

在您的 docker 构建文件中，之前 RUN apk update ，添加以下行:

COPY repositories /etc/apk/repositories