apk update - ERROR: https://dl-cdn.alpinelinux.org/alpine/edge/main: Permission denied #98
Comments
|
Got exaclty the same issue ! working for alpine:latest who use http and not alpine:edge who use https ... |
|
Instead of running apk, can you try wget from your Dockerfile and see if there's any error? |
|
I have the same issue. I was going to create a new issues but stumble upon yours first. Here is the solution: I learned from this issue that dl-cdn.alpinelinux.org does not support TLS at all alpine:3.12 (latest as of august 24 2020) alpine:edge APK repositories url should be http only. |
|
@jpmorin Kudos! Well done, but then bug is in alpine:edge docker image, since I am not changing repositories to https and they are there by default. So really.. I put there |
|
@ronnicek Yes, I did the same The thing is every previous version of alpine images had plain http repository urls. To be honest I don't know if it's a simple mistake that introduce the https urls or if it is a deliberate change to apk configuration... |
|
I do appreciate switching to https in general and I don't think that just replacing it again with http is a reasonable course of action. The bug ticket even has a patch attached that at least one commenter claims works. However, there seems to be no progress upstream. Maybe alpine can apply this on their libfetch version as an intermediate solution or push for it to get merged? It also seems that this is now becoming more important as https is now the default in alpine:latest since Friday. |
|
There has been multiple issues with libfetch and proxy + https. Hopefully those issues are fixed now in the latest apk-tools release which is pushed to edge. Could someone verify if apk 2.12.1 works? |
|
Editing all of our pipelines to replace https with http ist no real solution. Please upgrade to the new libfetch. |
|
I also ran into this issue behind a corporate http proxy, not using proxy authentication but https traffic is decrypted/re-encrypted using an internal CA so I can understand why that wouldn't be verified. Here are the 2 solutions I found:
It would be nice if the |
I'm using https://gitlab.com/shell-bootstrap-scripts/shell-bootstrap-scripts/-/blob/master/before_script.yaml#L243 to bootstrap by manually adding the certificate if the image doesn't have ca-certificates installed. This allows |
...in the alpine docker image: alpinelinux/docker-alpine#98
|
FYI, the issue referenced above related to libfetch seems it has been solved, at least when using Alpine 3.14.0 |
|
I am still seeing this issue. |
|
I can still see the same issue on Alpine 3.14.0. I'm behind a corporate proxy which doesn't require any authentication. Adding the internal certificate to My Dockerfile: This is the log what I can see: |
…download We need to use an old binary from a custom repo for uaa provider as required version is not available anymore. Related to alpinelinux/docker-alpine#98
…download We need to use an old binary from a custom repo for uaa provider as required version is not available anymore. This is related to [Alpine issue][]. We also remove useless provided (aws, azure, kubernetes). [Alpine issue]: alpinelinux/docker-alpine#98
…download We need to use an old binary from a custom repo for uaa provider as required version is not available anymore. This is related to [Alpine issue][]. We also remove useless provided (aws, azure, kubernetes). [Alpine issue]: alpinelinux/docker-alpine#98
Have you solved this problem? |
FROM alpine:3.14 |
|
Still happening - see: "sed" patch seems to work. |
A problem affecting the build of the Mosquitto container keeps showing up in Discord questions. Examples: * [2021-09-17](https://discord.com/channels/638610460567928832/638610461109256194/888096248761045022) * [2021-09-09](https://discord.com/channels/638610460567928832/638610461109256194/885494986710335498) The problem is discussed in [alpinelinux/docker-alpine issues/98](alpinelinux/docker-alpine#98). It is not clear whether: 1. The problem is transient (ie those reporting it are able to get past the problem on a retry); 2. Only affects Mosquitto or potentially affects other Alpine-based IOTstack containers using `apk` to add packages (eg Node-RED); or 3. Environmental (eg if there is a proxy system between the Raspberry Pi and dl-cdn.alpinelinux.org). This Pull Request is implementing the patch suggested by Issue 98 of reverting `apk` requests to use HTTP. Given the march towards HTTPS-everywhere, reverting to HTTP might seem inadvisable but: * Issue 98 was opened in July 2020. * There seems to have been no significant progress towards its resolution since January 2021. * The Discord traffic suggests it is an ongoing and present issue for IOTstack users.
A problem affecting the build of the Mosquitto container keeps showing up in Discord questions. Examples: * [2021-09-17](https://discord.com/channels/638610460567928832/638610461109256194/888096248761045022) * [2021-09-09](https://discord.com/channels/638610460567928832/638610461109256194/885494986710335498) The problem is discussed in [alpinelinux/docker-alpine issues/98](alpinelinux/docker-alpine#98). It is not clear whether: 1. The problem is transient (ie those reporting it are able to get past the problem on a retry); 2. Only affects Mosquitto or potentially affects other Alpine-based IOTstack containers using `apk` to add packages (eg Node-RED); or 3. Environmental (eg if there is a proxy system between the Raspberry Pi and dl-cdn.alpinelinux.org). This Pull Request is implementing the patch suggested by Issue 98 of reverting `apk` requests to use HTTP. Given the march towards HTTPS-everywhere, reverting to HTTP might seem inadvisable but: * Issue 98 was opened in July 2020. * There seems to have been no significant progress towards its resolution since January 2021. * The Discord traffic suggests it is an ongoing and present issue for IOTstack users.
A problem affecting the build of the Mosquitto container keeps showing up in Discord questions. Examples: * [2021-09-17](https://discord.com/channels/638610460567928832/638610461109256194/888096248761045022) * [2021-09-09](https://discord.com/channels/638610460567928832/638610461109256194/885494986710335498) The problem is discussed in [alpinelinux/docker-alpine issues/98](alpinelinux/docker-alpine#98). It is not clear whether: 1. The problem is transient (ie those reporting it are able to get past the problem on a retry); 2. Only affects Mosquitto or potentially affects other Alpine-based IOTstack containers using `apk` to add packages (eg Node-RED); or 3. Environmental (eg if there is a proxy system between the Raspberry Pi and dl-cdn.alpinelinux.org). This Pull Request is implementing the patch suggested by Issue 98 of reverting `apk` requests to use HTTP. Given the march towards HTTPS-everywhere, reverting to HTTP might seem inadvisable but: * Issue 98 was opened in July 2020. * There seems to have been no significant progress towards its resolution since January 2021. * The Discord traffic suggests it is an ongoing and present issue for IOTstack users. Also harmonises Mosquitto Dockerfile on experimental branch with the common versions on master and old-menu branches.
|
Finally this thing looks to be working on my end. |
|
On my end too, without any changes to my setups (same dockerfile, same docker version, same host config, tested on arch / ubuntu / alpine), |
|
What did you use for the proxy server @benispeti? I'm still getting the error |
I had this issue behind my corporate proxy, so I used it's URL here. You should use your company's proxy URL. |
|
Gotcha, yeah I'm trying to do this at home and still having problems. Is this thread exclusive to having this problem behind a corporate proxy? |
same issue here on my home network |
|
Are you running Buster? If yes, have you upgraded There's background info here. Also, Mosquitto seemed to need the |
Finally I succeeded to update my docker version. It is ok now. |
|
I have this error now, needed to replace No proxy being used, but we build using |
|
Add some code to the dockerfile to solve this problem RUN sed -i ‘s/https/http/’ /etc/apk/repositories
RUN apk add curl |
|
I have the same problem on Arch with libseccomp v2.5.4, all alpine versions that I tested (3.10 through 3.16), with and without TLS, with buildkit and not. With both docker v20.10.17 and podman 4.1.1. Not on a corporate network, no proxy, I'm at home. It works in GH Actions though. |
|
same as you arch too.. @OJFord |
|
Hello! I faced the same problem on I just created the daemon.json file (in the fedora host) with the following content in My Dockerfile looks like: Note that I do not use the sed trick. |
|
to everyone who has still this problem and all suggested solutions dont work, please check your firewall rules. |
|
@drrobotic agreed. In my case it was rule that redirected all incoming traffic on port 443 to another port. Problem was solved by specifying WAN interface only. |
|
I was able to fix the issue in a microk8s Kubernetes Cluster by specifying dnsPolicy and hostNetwork in the CronJob spec. While normal pods created with kubectl run had no issues to run apk update the pod created by the cronjob did. That fixed it for me. Haven't validated if dnsPolicy alone would be enough, but maybe you don't need the hostNetwork: true To learn what is actually happening check the Kubernetes Docs for dns-pod-service |
|
I'm getting the permission-denied error. My firewall is fine, my docker setup is unchanged over many years. This is reproducible across different networks, though I'm finding it fails more when the CDN resolves to the This inconsistency to me suggests it is not necessarily with the internal libraries or All in-alpine commands below are based on this container and cmdline: root@franz:~# docker images | grep -E 'REPO|alpine'
REPOSITORY TAG IMAGE ID CREATED SIZE
alpine latest 05455a08881e 3 weeks ago 7.38MB
root@myhost:~# docker run -it --rm alpine sh
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.19.1
PRETTY_NAME="Alpine Linux v3.19"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://gitlab.alpinelinux.org/alpine/aports/-/issues"InconsistencyThe behavior is inconsistent and changes on each invocation (even within the same container). / # apk add --no-cache ca-certificates
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.19/main: Permission denied
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
WARNING: fetching https://dl-cdn.alpinelinux.org/alpine/v3.19/community: Permission denied
ERROR: unable to select packages:
ca-certificates (no such package):
required by: world[ca-certificates]
/ # apk add --no-cache ca-certificates
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/1) Installing ca-certificates (20230506-r0)
Executing busybox-1.36.1-r15.trigger
Executing ca-certificates-20230506-r0.trigger
OK: 8 MiB in 16 packagesNo delay between attempts (there were a half-dozen attempts before the first shown). Checking certs/ # sed -i s/https/http/ /etc/apk/repositories
/ # apk add openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
(1/1) Installing openssl (3.1.4-r5)
Executing busybox-1.36.1-r15.trigger
OK: 8 MiB in 16 packagesWith that temporary hack (I don't yet accept going / # openssl version
OpenSSL 3.1.4 24 Oct 2023 (Library: OpenSSL 3.1.4 24 Oct 2023)
/ # echo | openssl s_client -connect dl-cdn.alpinelinux.org:443 -showcerts
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 324 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
This TLS version forbids renegotiation.
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---And in the same container, if I wait a moment and try again, / # echo | openssl s_client -connect dl-cdn.alpinelinux.org:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = dl-cdn.alpinelinux.org
verify return:1
---
Certificate chain
0 s:CN = dl-cdn.alpinelinux.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 29 16:57:18 2024 GMT; NotAfter: Apr 28 16:57:17 2024 GMT
-----BEGIN CERTIFICATE-----
MIIE+TCCA+GgAwIBAgISA1hz6FwMJ3EYQna99ui1aKbaMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
...(A completely-valid SSL connection.) Changing DNSChanging to quad-8 for DNS resolution does not fix it. / # sed -E 's/nameserver.*/nameserver 8.8.8.8/g' /etc/resolv.conf > /tmp/resolv.conf
/ # cat /tmp/resolv.conf > /etc/resolv.conf
/ # cat /etc/resolv.conf
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/main/x86_64/APKINDEX.tar.gz
WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.19/main: Permission denied
fetch https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
WARNING: updating and opening https://dl-cdn.alpinelinux.org/alpine/v3.19/community: Permission denied
4 unavailable, 0 stale; 15 distinct packages availablewget failure
/ # wget -S https://dl-cdn.alpinelinux.org/alpine/v3.19/community/x86_64/APKINDEX.tar.gz
Connecting to dl-cdn.alpinelinux.org (146.75.30.132:443)
ssl_client: SSL_connect
wget: error getting response: Connection reset by peer |
|
Got similar errors, along with many SSL failues on curl and wget, using alpine 3.18 and 3.19. POTENTIAL CAUSE: Missing ca-certificates and symlink /usr/lib/ssl/certs -> /etc/ssl/certs. The ErrorThe Fix
|
|
Up until today August 2024, I still have this problem.
Base image is a mirror image of Because this happens intermittently, I think it's mostly related to tls certificate verification, but the real root cause is still unknown, because the complexity of the network layers in the company. |
|
I’m using Alpine 3.17 (node:18.16.0-alpine3.17), but I still occasionally encounter this problem, though it doesn't happen every time. #13 [builder 2/7] RUN apk add --no #-cache --verbose bash git && corepack enable && yarn global add zx -D
#13 0.230 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/main/x86_64/APKINDEX.tar.gz
#13 15.69 fetch https://dl-cdn.alpinelinux.org/alpine/v3.17/community/x86_64/APKINDEX.tar.gz
#13 15.69 WARNING: Ignoring https://dl-cdn.alpinelinux.org/alpine/v3.17/main: Permission denied
#13 17.10 ERROR: unable to select packages:
#13 17.15 bash (no such package):
#13 17.15 required by: world[bash]
#13 17.15 git (no such package):
#13 17.15 required by: world[git]
#13 ERROR: process "/bin/sh -c apk add --no-cache --verbose bash git && corepack enable && yarn global add zx -D" did not complete successfully: exit code: 2 |
|
using |
|
@sanjiv-16 |
facing same issue while building, need to add |
Full disclaimer: I am no longer using alpine, but I think to address your question about security @sanjiv-16 ...
I'm still rather surprised that the repo does not serve over https (nor serve them reliably). While I recognize that serving files over TLS technically "costs" more, I find it difficult to believe that there is not a way to use SSL to provide assurance about the source (e.g., SSL cert fingerprint). If a bad actor takes over (or masks as) this repo, then package poisoning is trivial, and SSL is one step to providing a verifiable source. (Note: more steps are needed to really arm against it, since a valid SSL doesn't mean the packages are untouched. But lack of SSL seems like a show-stopper for any reassurance.) |
and others
Hi,
sorry, if this bug is reported towards the wrong repo.
We hit following errors in edge:
I read thru gliderlabs/docker-alpine#191, but we are not using authentication on proxy, so we cannot use any username/password anything. I tried with HTTP_PROXY_AUTH, but getting still the same.
The text was updated successfully, but these errors were encountered: