feat: Switch to platform-specific TLS/SSL certificate verification #1529
Conversation
Use rustls-platform-verifier to verify certificates with the OS/platform's standard methods, including the system's standard CA trust store. See rustls-platform-verifier's documentation for details on each platform.¹ Previously, the system's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Updates reqwest as necessary to ensure a single compatible rustls version remains in use. Updates wasm-bindgen as necessary for the newer reqwest. ¹ <https://github.com/rustls/rustls-platform-verifier/blob/v/0.3.4/README.md> Resolves: <#726> Related-to: <#1527>
They fixed this clippy warning: rustwasm/wasm-bindgen#3985
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
|
|
Looks like the builds went well in CI for all targets, but a few checks failed because there were no binaries uploaded and so none to download for those checks. That's because the binaries are written to Lines 573 to 580 in 9b2d9dd weren't met. Huh. This seems intentional (?) but I admit I don't get why. |
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed but unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API. Notably, that API also changes signature between the latest released version (0.3.4) and the Git revision we're using. Related-to: <#1529> Related-to: <#726>
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API.¹ That API also has signature changes proposed² which, while unmerged, seem likely to land, so use those in anticipation. They actually bring the signature back closer to the latest release (0.3.4). ¹ <rustls/rustls-platform-verifier#58> ² <rustls/rustls-platform-verifier#145> Related-to: <#1529> Related-to: <#726>
Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. Currently requires using landed but unreleased changes to rustls-platform-verifier so that macOS and Windows have the needed Verifier::new_with_extra_certs() API.¹ That API also has signature changes proposed² which, while unmerged, seem likely to land, so use those in anticipation. They actually bring the signature back closer to the latest release (0.3.4). ¹ <rustls/rustls-platform-verifier#58> ² <rustls/rustls-platform-verifier#145> Related-to: <#1529> Related-to: <#726>
|
@tsibley Thanks Tom! I am in favor of merging. Indeed it seems that CI is borked now for some reason. I made an issue: #1532 This will have to be investigated. If you noticed potential breakage sources or have any ideas regarding improving the (admittedly horrible) dev script, the container and CI setup, I appreciate your advice :) I believe that the bash checks should be met: running with |
Oh, you're totally right. I misread. It seems as if it's either 1) never getting to the And writing that out, it just clicked.
We need to set: include-hidden-files: truein its params. Maybe also |
The dev setup is pretty… complicated. I can get some of it to work for me, but other parts are a little broken in various ways due to little details that don't line up. The sort of thing that accumulates when only a couple people regularly run a program and then someone new tries to run it.
I don't have the energy to fix 'em now, and I haven't really had to run |
|
Oh, I see, the UID issue is directly caused by using the pulled images without rebuilding them locally. That's why the rebuild happens always. |
|
Presumably if I fix the buildx builder instance issue and force a rebuild with |
|
Fixing CI revealed another CI issue (and maybe larger issue?) with this PR: systems without a trust store cause an error, e.g. like the bare bones Linux containers without ca-certificates installed that we use in We could address this with 1) default certs from webpki-roots in code or 2) in the CI setup by ensuring |
|
As mentioned in the comment in the dev script, none of this is required. It's just basically my personal giant set of bash aliases :) Most people would just use Cargo and Node.js directly or in whatever the setup they like. But then I dragged it into CI, and now there is no easy way back.
This is to make sure the build is not stale, because I often tweak stuff. It checks hashes of files involved in docker build and rebuilds only if they differ. The pulled image is used for layer cache then. And another reason to rebuild is the UID and GID, but that's not handled. Ideally I'd like to do rootless docker sometimes to avoid the hassle.
Could it be a problem with docker version? They constantly tweak cache-related features. I am using 27.1.2. It "works" (well, worked for the past few years) in CI with no particular dance, so that's the only thing on top of my head. |
|
For the missing ca-certs - not sure what to do. Can we install it on CI and say "user responsibility" in all other cases? |
Yeah, that's why I ignored it. :-) But then I wanted to test what CI was testing…
Ah, no, but I do know what the issue is (as I said): there's an incorrect assumption that the default buildx builder driver is
I expect Debian image would be fine (ca-certificates is installed), but that the Alpine and scratch images would not be.
Conda envs basically always have ca-certificates installed on Linux, and on other systems they'll use the platform. I don't really want to say "user responsibility" as it feels unfriendly and is essentially a breaking change. I'll address this in additional code to fall back to webpki-roots (which is what was always used previously). |
|
Thanks so much for digging and explaining Tom!
I like running my daily tasks in docker and the fact that everything runs and writes as root annoyed me for years. I desperately looking for a solution better than UID & GID build args. Last time I tried rootless docker a couple of years ago it was a major pain and I failed to even set it up on my system. Now you mentioned umask. If you know a way to set things up such that UID/GID are not baked-into the image, can you teach me please? Does it have limitations compared to setting UID/GID?
I am not very familiar with the new builders stuff, neither I can repro it on my system or on CI, so I appreciate if you look at it. No rush though. My main question is if it was working for me on different machines over the years and on CI, why it does not work for you? Do you have a different local docker configuration that prevents the docker-container driver assumed by my script from working? We lived past 10 years without it all and now docker devs felt compelled to add this new complexities. I guess that there is a good reason. I need to learn more about it sometimes to avoid falling into these traps. P.S. Maybe it's more convenient to discuss these things on Slack |
…ault
We require the "docker-container" driver (via options we pass to `docker
buildx build`, e.g. --cache-to) but the default builder instance may use
the "docker" driver, leading to errors on dev machines like:
ERROR: cache export feature is currently not supported for docker
driver. Please switch to a different driver (eg. "docker buildx
create --use")
Being explicit about our builder avoids that.
Related-to: <#1529 (comment)>
…ault
We require the "docker-container" driver (via options we pass to `docker
buildx build`, e.g. --cache-to) but the default builder instance may use
the "docker" driver, leading to errors on dev machines like:
ERROR: cache export feature is currently not supported for docker
driver. Please switch to a different driver (eg. "docker buildx
create --use")
Being explicit about our builder avoids that.
This same pattern is used in nextstrain/docker-base's devel/build.¹
¹ <nextstrain/docker-base@fac834e5>
<https://github.com/nextstrain/docker-base/blob/0acdc799/devel/build#L48-L56>
Related-to: <#1529 (comment)>
You might look into Podman, which has a much simpler rootless configuration due to its design not using a daemon (docker + dockerd) but forking+execing directly.
(In case it's not clear, the umask I'm talking about is I mentioned it because the uid/gid problems I ran into only seemed to arise in the first place because files/directories were set to be readable/executable only by the owner and no one else. That might because of the umask setting at image build time, or it might be because something explicitly set them that way. Regardless, in a container context with a single user, it rarely makes the most sense to have owner-only perms, as then the invoking uid ( My rules of thumb are to:
Yeah. My default buildx builder uses the For reference, these are the builders I have right now: $ docker buildx ls
NAME/NODE DRIVER/ENDPOINT STATUS BUILDKIT PLATFORMS
nextclade-builder docker-container
nextclade-builder0 unix:///var/run/docker.sock stopped
nextstrain-builder docker-container
nextstrain-builder0 unix:///var/run/docker.sock stopped
default * docker
default default running v0.11.7+d3e6c1360f6e linux/amd64, linux/amd64/v2, linux/amd64/v3, linux/386The output indicates the currently selected builder instance (
I hear ya! I only know about this shit because we dealt with it for nextstrain/docker-base. |
Reasonable options I see for getting out of the hole I dug (lolsob):
Thoughts? Mine are: (1) is more like the Nextclade status quo before any of my work here: it just adds certs from the platform alongside previously used certs from webpki-roots. (1)(i) is maybe the least change from the status quo. (1)(i), especially if we accept the unreleased code, is doubling down on switching to (1)(i) and (2) preserve (2) is more "pure" in that it doesn't mix sources of certs unnecessarily. (1) is maybe more "consistent" though. Having spent way more time on this now than I bargained for and really want to, I'm inclined to go with (1)(ii): ditch |
…verifier" This reverts commit ed94c59, reversing changes made to 48801fa. Related-to: <#1529 (comment)>
…L trust store Previously, the platform's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots. Now the reqwest trust store will contain both certs obtained from the platform at run time as well as certs baked in via webpki-roots. Obtaining certs from the platform means that Nextclade will respect OS-level configuration to trust private CAs / self-signed certs. Keeping webpki-roots for all platforms is a precaution that makes this change merely additive for backwards compatibility, in case of platforms which lack a trust store (like some Linux containers) or platforms with out-of-date trust stores. It means that Nextclade binaries should continue to Just Work™. reqwest uses rustls-native-roots to obtain trusted CA certificates from the standard trust stores for the OS/platform. See the crate's documentation for details on each platform.¹ Notably, this does not use the platform's standard certificate verification methods like rustls-platform-verifier; it just extracts certificates. We may in the future want to switch to rustls-platform-verifier (ourselves or by waiting for reqwest to do so). Updates reqwest because an earlier (but problematic and now reverted²) change did so and there were some public API changes I'd like to use. Updates wasm-bindgen as necessary for the newer reqwest (≥0.2.89) and then a little further (0.2.93) to avoid Clippy warnings.³ ¹ <https://docs.rs/crate/rustls-native-certs/0.8.0> ² <#1529 (comment)>. ³ <rustwasm/wasm-bindgen#3985> Resolves: <#726> Related-to: <#1529> Related-to: <#1527>
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
I've implemented this as #1536. |
…d --extra-ca-certs option Allows adding additional CA certificates to the trust store specifically for Nextclade, for when modifying the system's trust store isn't desirable/possible. Works across all platforms. An option may be preferred to an env var by some users or in some invocations. It also provides a convenient place for documentation of default CA cert handling and point of discovery for users. Co-authored-by: ivan-aksamentov <[email protected]> Supersedes: <#1527> Related-to: <#1529> Related-to: <#726>
Use rustls-platform-verifier to verify certificates with the OS/platform's standard methods, including the system's standard CA trust store. See rustls-platform-verifier's documentation for details on each platform.¹
Previously, the system's trust store was ignored in favor of a baked in and unconfigurable trust store provided by webpki-roots.
Updates reqwest as necessary to ensure a single compatible rustls version remains in use. Updates wasm-bindgen as necessary for the newer reqwest.
¹ https://github.com/rustls/rustls-platform-verifier/blob/v/0.3.4/README.md
Resolves: #726
Related-to: #1527