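Given a simple Dockerfile that installs from the network, I'm trying to figure out an elegant way to allow the build process to trust HTTPS endpoints, whether the build is behind a corporate proxy or not. Ideally, without changing the Dockerfile.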
Dockerfile:
FROM alpine
RUN apk update -v; apk add -v curl
Error:
$ docker build .
Sending build context to Docker daemon 83.97kB
Step 1/2 : FROM alpine
---> e50c909a8df2
Step 2/2 : RUN apk update -v; apk add -v curl
---> Running in 983ed3885376
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: 2 errors; 14 distinct packages available
https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/main: No such file or directory
139846303062856:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/community: Permission denied
WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.13/community: No such file or directory
ERROR: unable to select packages:
curl (no such package):
required by: world[curl]
The command '/bin/sh -c apk update -v; apk add -v curl' returned a non-zero code: 1
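The problem here is that my developer machine is on the corporate network behind a traffic-intercepting proxy that man-in-the-middles the connection, meaning that from apk's perspective inside the Docker build, it sees a certificate signed by our proxy, which it doesn't trust. Trust from the host is not an issue - when I wget the file requested in the build, it works: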
$ wget https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
--2021-02-15 12:41:59-- https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
Connecting to 10.0.2.2:9000... connected.
Proxy request sent, awaiting response... 200 OK
Length: 631235 (616K) [application/octet-stream]
Saving to: ‘APKINDEX.tar.gz’
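When I run it on the build server, it passes, because there is no forward proxy. Is there a way to pass the Ubuntu trust bundle that has the proxy CA (e.g. /etc/ssl/certs/ca-certificates) into the build process without modifying the Dockerfile? Thank you!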
Best answer
Create a file named repositories in your local docker build context directory, with the following contents:
http://dl-cdn.alpinelinux.org/alpine/v3.13/main
http://dl-cdn.alpinelinux.org/alpine/v3.13/community
In your docker build file, before RUN apk update, add the following line:
COPY repositories /etc/apk/repositories
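The `repositories` file from the answer can be derived from the failed build log instead of typed by hand. This is an added example, not part of the original answer: the function name `repos_from_log` and the abridged sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example: build the plain-HTTP `repositories` file described in the
# answer from a `docker build` log that shows TLS verification failures.

# Constructed sample: abridged lines in the shape of the build log above,
# including out-of-order output and a repeated fetch.
SAMPLE_LOG='fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
ERROR: https://dl-cdn.alpinelinux.org/alpine/v3.13/main: Permission denied
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/community/x86_64/APKINDEX.tar.gz
ERROR: 2 errors; 14 distinct packages available
140566353398600:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
fetch https://dl-cdn.alpinelinux.org/alpine/v3.13/main/x86_64/APKINDEX.tar.gz'

# repos_from_log: read a build log on stdin. If it contains a certificate
# verification failure, print one http:// repository line per distinct index
# apk tried to fetch, in first-seen order. Exit 1 if no such failure exists.
repos_from_log() {
    awk '
        /certificate verify failed/ { tls_failed = 1 }
        $1 == "fetch" && $2 ~ "^https://.*/APKINDEX\\.tar\\.gz$" {
            url = $2
            sub("/[^/]+/APKINDEX\\.tar\\.gz$", "", url)  # drop /<arch>/APKINDEX.tar.gz
            sub("^https:", "http:", url)                  # plain-HTTP URL, as in the answer
            if (!(url in seen)) { seen[url] = 1; order[++n] = url }
        }
        END {
            if (!tls_failed) exit 1
            for (i = 1; i <= n; i++) print order[i]
        }
    '
}

# Stand-alone run: print the repositories file for the sample log.
printf '%s\n' "$SAMPLE_LOG" | repos_from_log
```

Over plain HTTP the transport itself is unauthenticated; apk still checks index and package signatures against the keys in /etc/apk/keys unless it is run with --allow-untrusted.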
Regarding linux - Docker build using the CA trust bundle from the host, a similar question was found on Stack Overflow: https://stackoverflow.com/questions/66201209/