Leap Docker image: repo URLs are "http:", not "https:"

Hi geekos!

I stumbled over a peculiarity with the Docker image provided by openSUSE for Leap 15.5. (But it is actually the same for all images I looked at.) Specifically:
If I run

# get into the image
docker run -it registry.opensuse.org/opensuse/leap:15.5 /bin/bash
# print out any repo, e.g. oss
cat /etc/zypp/repos.d/repo-oss.repo

the URL is

baseurl=http://download.opensuse.org/distribution/leap/$releasever/repo/oss/

On software.opensuse.org, all base URLs so far as I can see are https, and it appears that there are not many mirrors left that support unsecured HTTP. This seems to result in many download errors when building a Docker image based off Leap:15.5.

I wonder whether there is a technical reason for this or if this was overlooked (and we should file a bug report that asks to change it). Any insight here?

FTR: Adding

RUN find /etc/zypp/repos.d/ -name '*.repo' -exec sed -i 's/http:\/\/download/https\:\/\/download/' {} \;

pretty much at the start of a Dockerfile seems to mitigate the issue.

Whether “http” or “https” shouldn’t actually matter. There’s nothing particularly private in the repos that needs encryption. And the packages all have GPG signatures for verification.


I was not concerned about security in this case. However, anecdotally we suffered from many connection issues when downloading packages in Docker (during docker build), and switching to https seems to have fixed that. Our understanding was that only a few repository mirrors still support unsecured http traffic and this might cause problems.

Furthermore, if openSUSE’s default behaviour is to use https, there should be a reason why the Docker image diverges from that behaviour…? If there is no reason to do things differently than the default, I would consider this a bug.

You can compare mirrors to which both http and https are resolved. Something like

curl -ILs http://download.opensuse.org/distribution/leap/15.5/repo/oss/x86_64/bash-4.4-150400.25.22.x86_64.rpm | grep -i location
curl -ILs https://download.opensuse.org/distribution/leap/15.5/repo/oss/x86_64/bash-4.4-150400.25.22.x86_64.rpm | grep -i location

Default repository URLs were always http and using https caused quite a lot of issues in the past (because zypper disables downgrade to http and mirrorbrain did not distinguish between http and https and often returned an http URL).
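
The sed workaround from the first post and the GPG-signature point from the reply can be checked together: the script below is an added example (not part of the thread and not openSUSE code) that lists the scheme and gpgcheck setting of every repo and narrows the rewrite to baseurl lines. The function names, the sample files and the mirror.example.invalid repo are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Print "file<TAB>section<TAB>scheme<TAB>gpgcheck=<value>" for each repo section
# in DIR. Returns 1 if any repo combines plain http with gpgcheck=0.
# "unset" means the .repo file does not set gpgcheck itself.
audit_repos() {
    set -- "${1:-/etc/zypp/repos.d}"/*.repo
    [ -f "$1" ] || return 0                      # no .repo files
    awk '
        function emit() {
            if (sec == "") return
            printf "%s\t%s\t%s\tgpgcheck=%s\n", file, sec, scheme, gpg
            if (scheme == "http" && gpg == "0") bad = 1
        }
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        BEGIN    { bad = 0 }
        FNR == 1 { emit(); sec = ""; file = FILENAME; sub(/.*\//, "", file) }
        /^[ \t]*\[/ {
            emit(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            scheme = "none"; gpg = "unset"; next
        }
        /^[ \t]*baseurl[ \t]*=/  { scheme = val($0); sub(/:.*/, "", scheme) }
        /^[ \t]*gpgcheck[ \t]*=/ { gpg = val($0) }
        END { emit(); exit bad }
    ' "$@"
}

# Rewrite only baseurl lines that point at download.opensuse.org over http.
# Relies on GNU sed -i, like the Dockerfile line quoted in the thread.
force_https() {
    find "${1:-/etc/zypp/repos.d}" -name '*.repo' -exec sed -i \
        's|^\(baseurl *= *\)http://download\.opensuse\.org/|\1https://download.opensuse.org/|' {} +
}

# Constructed sample input: one file modelled on the repo quoted in the thread,
# one made-up third-party repo with signature checking switched off.
make_sample() {
    printf '[repo-oss]\nenabled=1\nbaseurl=http://download.opensuse.org/distribution/leap/$releasever/repo/oss/\n' > "$1/repo-oss.repo"
    printf '[local-test]\nbaseurl=http://mirror.example.invalid/test/\ngpgcheck=0\n' > "$1/local-test.repo"
}

tmp=$(mktemp -d) && make_sample "$tmp"
audit_repos "$tmp" || echo "before: http repo with gpgcheck=0 present"
force_https "$tmp"
audit_repos "$tmp" || echo "after: still flagged, the rewrite only touches download.opensuse.org"
rm -rf "$tmp"
```

In a Dockerfile, the two functions can run in one RUN step before the first zypper call, with a non-zero status from audit_repos failing the build.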