rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed#42457
Conversation
rebased 6125d05 to 4160a8b
contrib/dockerd-rootless.sh (Outdated)
I'm slightly confused here; from that ticket, it looks like the files inside /etc/ssl are symlinks, but /etc/ssl itself is not, correct?
$ docker run --rm opensuse/tumbleweed sh -c 'ls -l /etc | grep ssl && ls -l /etc/ssl'
drwxr-xr-x 2 root root 4096 Jun 4 13:11 ssl
total 0
lrwxrwxrwx 1 root root 43 May 8 20:10 ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root 33 May 8 20:10 certs -> ../../var/lib/ca-certificates/pem
$ docker run --rm opensuse/tumbleweed realpath /etc/ssl
/etc/ssl
Isn't the issue that the files inside it cannot be used (because they're symlinked)?
In other words, would we:
- find /var/lib/ca-certificates/ (based on one of the symlinks inside the directory)
- then mount --rbind /var/lib/ca-certificates/ /etc/ssl?
Currently it looks like it's just mounting /etc/ssl on /etc/ssl
(perhaps I'm wrong!)
> it looks like the files inside /etc/ssl are symlinks, but /etc/ssl itself is not, correct?

true

> Isn't the issue that the files inside it cannot be used (because they're symlinked)?

Yes.
The issue is that ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem is no longer accessible as it is now resolved into /etc/var/lib/ca-certificates/ca-bundle.pem, not /var/lib/ca-certificates/ca-bundle.pem, because the base directory is now /etc/.ro780432485/ssl, not /etc/ssl

> find /var/lib/ca-certificates/

No, that probably doesn't work for other distros.

> Currently it looks like it's just mounting /etc/ssl on /etc/ssl

It is mounting /etc/ssl in the parent namespace on /etc/ssl in the child namespace.
But what's the realpath_etc_ssl=$(realpath /etc/ssl) doing? As there's no symlink to resolve in that case.
So the effective change is that we delete /etc/ssl (and the symlinks) and replace it with an empty directory?
rootlesskit --copy-up=/etc mounts an empty tmpfs on /etc (to make it writable), mounts the old /etc on /etc/.ro780432485, and symlinkifies /etc/ssl to /etc/.ro780432485/ssl.
So realpath_etc_ssl = /etc/.ro780432485/ssl.
Ahhhhhh! That's the bit I was missing! Sorry for the confusion 🤗 ❤️
tonistiigi left a comment
That rm -rf looks scary. From a naive look, it seems it only works if /etc/ssl is a symlink and then it makes it not a symlink. It should at least validate somehow that all this is created by rootlesskit, symlink on tmpfs etc.
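The copy-up layout explained two comments up and the guard asked for in the review, as an added shell example that is not code from this PR or from rootlesskit: it emulates rootlesskit --copy-up=/etc in a scratch directory (no mount namespaces, no privileges), shows the relative ca-bundle.pem link resolving under /etc/var/... once /etc/ssl is a symlink into the copy-up directory, and then applies the PR's approach only after checking that /etc/ssl really is a copy-up symlink. Assumptions: the directory name .ro780432485 is taken from the thread (real rootlesskit picks a random name), the symlinks rootlesskit creates are modelled as absolute links, cp -RP stands in for mount --bind (which needs privileges), and the `.ro*` pattern in the guard is an assumption about rootlesskit's naming.

```shell
#!/bin/sh
# Added example (not code from the PR or rootlesskit): simulate rootlesskit's
# --copy-up=/etc in a scratch directory, show why the openSUSE relative
# symlink /etc/ssl/ca-bundle.pem breaks, then apply the PR's fix with a guard.
# Assumptions: the copy-up dir name .ro780432485 comes from the thread (real
# rootlesskit picks a random name); cp -RP stands in for mount --bind, which
# needs privileges; readlink(1) and mktemp -d are assumed available.
set -u

RO_DIR=.ro780432485

# Fake root with the Tumbleweed layout quoted in the thread (constructed data).
make_fake_root() {
    root=$(cd "$1" && pwd -P)
    mkdir -p "$root/etc/ssl" "$root/var/lib/ca-certificates/pem"
    echo "-----BEGIN CERTIFICATE-----" > "$root/var/lib/ca-certificates/ca-bundle.pem"
    ln -s ../../var/lib/ca-certificates/ca-bundle.pem "$root/etc/ssl/ca-bundle.pem"
    ln -s ../../var/lib/ca-certificates/pem "$root/etc/ssl/certs"
}

# Emulate --copy-up=/etc: the old /etc ends up at /etc/$RO_DIR and every
# top-level entry of the new (writable) /etc is a symlink into it.
simulate_copy_up() {
    root=$(cd "$1" && pwd -P)
    mv "$root/etc" "$root/etc.old"
    mkdir "$root/etc"
    mv "$root/etc.old" "$root/etc/$RO_DIR"
    for entry in "$root/etc/$RO_DIR"/*; do
        ln -s "$entry" "$root/etc/${entry##*/}"
    done
}

# Collapse "." and ".." without consulting the filesystem, so the answer is
# available even when the resulting path does not exist.
normalize_path() {
    out=
    IFS='/'
    for seg in $1; do
        case $seg in
            ''|.) ;;
            ..) out=${out%/*} ;;
            *)  out="$out/$seg" ;;
        esac
    done
    unset IFS
    printf '%s\n' "${out:-/}"
}

# Where /etc/ssl/ca-bundle.pem really points: a relative link target is
# resolved against the physical directory holding the link, which after
# copy-up is /etc/$RO_DIR/ssl rather than /etc/ssl.
bundle_target() {
    root=$(cd "$1" && pwd -P)
    dir=$(cd "$root/etc/ssl" && pwd -P)
    normalize_path "$dir/$(readlink "$root/etc/ssl/ca-bundle.pem")"
}

bundle_readable() {
    [ -r "$1/etc/ssl/ca-bundle.pem" ]
}

# The PR's approach: drop the copy-up symlink, recreate /etc/ssl as a real
# directory and bind-mount the parent namespace's /etc/ssl onto it, so the
# relative links inside resolve from /etc/ssl again. Guarded as the review
# asked: only touch /etc/ssl when it is a symlink into the copy-up directory.
apply_fix() {
    root=$(cd "$1" && pwd -P)
    etc_ssl=$root/etc/ssl
    [ -L "$etc_ssl" ] || { echo "refusing: $etc_ssl is not a symlink" >&2; return 1; }
    real=$(readlink "$etc_ssl")
    case $real in
        "$root"/etc/.ro*/ssl) ;;
        *) echo "refusing: $etc_ssl -> $real is not a copy-up symlink" >&2; return 1 ;;
    esac
    rm "$etc_ssl"        # unlinks the symlink only, never its target
    mkdir "$etc_ssl"
    # Stand-in for: mount --bind "$real" "$etc_ssl" (copies the links themselves)
    for f in "$real"/*; do cp -RP "$f" "$etc_ssl/"; done
}

demo() {
    T=$(mktemp -d)
    make_fake_root "$T"
    simulate_copy_up "$T"
    printf 'before fix: %s (%s)\n' "$(bundle_target "$T")" \
        "$(bundle_readable "$T" && echo readable || echo missing)"
    apply_fix "$T"
    printf 'after fix:  %s (%s)\n' "$(bundle_target "$T")" \
        "$(bundle_readable "$T" && echo readable || echo missing)"
    rm -rf "$T"
}

demo
```

Running it prints the link resolving to .../etc/var/lib/ca-certificates/ca-bundle.pem (missing) before the fix and to .../var/lib/ca-certificates/ca-bundle.pem (readable) after it; a second apply_fix on the same tree is refused because /etc/ssl is then a real directory, which is the property the review asked the script to check before any rm -rf.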
…SUSE Tumbleweed
openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error, as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`, which was not supported by `rootlesskit --copy-up=/etc`. See rootless-containers/rootlesskit issues 225
Signed-off-by: Akihiro Suda <[email protected]>
4160a8b to 8610d8c
Added
@tonistiigi PTAL 🙏
Cherry-pick PR: #42462
- What I did
Fix "x509: certificate signed by unknown authority" error on openSUSE Tumbleweed.
openSUSE Tumbleweed was facing this error, as /etc/ssl/ca-bundle.pem is provided as a symlink to ../../var/lib/ca-certificates/ca-bundle.pem, which was not supported by rootlesskit --copy-up=/etc. See rootless-containers/rootlesskit#225
- How I did it
By bind-mounting /etc/ssl from the parent namespace into the child.
- How to verify it
Run docker --context=rootless pull hello-world on an openSUSE Tumbleweed host.
- Description for the changelog
rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed
- A picture of a cute animal (not mandatory but encouraged)
🐧