containers
/
automation-tests
mirror of https://github.com/containers/automation-tests.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

troubleshooting.md: tweak subuid paragraph, encryption 

Expand the bit about needing to allocate UIDs so that we don't appear to
imply that adding a range of 10000 IDs to /etc/subuid will allow people
to use UID 1000000, which isn't in the range that we'd map a range of
that size to.

TLS is an acronym, so capitalize when we're talking about the protocol.

TLS verification is about encryption, not authentication.

Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
This commit is contained in:
Nalin Dahyabhai 2022-02-21 10:20:39 -05:00
parent d224a0f8ac
commit f150f29211
1 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
troubleshooting.md
View File

@ -87,7 +87,7 @@ error pulling image "fedora": unable to pull fedora: error getting default regis
### 4) http: server gave HTTP response to HTTPS client ### 4) http: server gave HTTP response to HTTPS client
When doing a Podman command such as `build`, `commit`, `pull`, or `push` to a registry, When doing a Podman command such as `build`, `commit`, `pull`, or `push` to a registry,
tls verification is turned on by default. If authentication is not used with TLS verification is turned on by default. If encryption is not used with
those commands, this error can occur. those commands, this error can occur.
#### Symptom #### Symptom
@ -100,13 +100,13 @@ Get https://localhost:5000/v2/: http: server gave HTTP response to HTTPS client
#### Solution #### Solution
By default tls verification is turned on when communicating to registries from By default TLS verification is turned on when communicating to registries from
Podman. If the registry does not require authentication the Podman commands Podman. If the registry does not require encryption the Podman commands
such as `build`, `commit`, `pull` and `push` will fail unless tls verification is turned such as `build`, `commit`, `pull` and `push` will fail unless TLS verification is turned
off using the `--tls-verify` option. **NOTE:** It is not at all recommended to off using the `--tls-verify` option. **NOTE:** It is not at all recommended to
communicate with a registry and not use tls verification. communicate with a registry and not use TLS verification.
* Turn off tls verification by passing false to the tls-verification option. * Turn off TLS verification by passing false to the tls-verify option.
* I.e. `podman push --tls-verify=false alpine docker://localhost:5000/myalpine:latest` * I.e. `podman push --tls-verify=false alpine docker://localhost:5000/myalpine:latest`
--- ---
@ -259,7 +259,8 @@ You should ensure that each user has a unique range of uids, because overlapping
would potentially allow one user to attack another user. In addition, make sure would potentially allow one user to attack another user. In addition, make sure
that the range of uids you allocate can cover all uids that the container that the range of uids you allocate can cover all uids that the container
requires. For example, if the container has a user with uid 10000, ensure you requires. For example, if the container has a user with uid 10000, ensure you
have at least 10001 subuids. have at least 10001 subuids, and if the container needs to be run as a user with
uid 1000000, ensure you have at least 1000001 subuids.
You could also use the usermod program to assign UIDs to a user. You could also use the usermod program to assign UIDs to a user.