rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed #42457
rebased 6125d05 to 4160a8b
contrib/dockerd-rootless.sh (outdated)

```sh
# Workaround for "x509: certificate signed by unknown authority" on openSUSE Tumbleweed.
# https://github.com/rootless-containers/rootlesskit/issues/225
realpath_etc_ssl=$(realpath /etc/ssl)
```
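Review bot: the comment explains the symptom but not why `realpath` is needed here; say that under `rootlesskit --copy-up=/etc` the `/etc/ssl` entry is a symlink into the read-only copy (`/etc/.ro<suffix>/ssl`), which is what `realpath` resolves, and that relative links such as `ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem` then resolve under `/etc` instead of `/`. Also handle the case where `/etc/ssl` is not a symlink (no copy-up of `/etc`): `realpath_etc_ssl` is then simply `/etc/ssl`, and the replacement step that follows should be skipped rather than removing a real directory.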
I'm slightly confused here; from that ticket, it looks like the files inside `/etc/ssl` are symlinks, but `/etc/ssl` itself is not, correct?
```console
$ docker run --rm opensuse/tumbleweed sh -c 'ls -l /etc | grep ssl && ls -l /etc/ssl'
drwxr-xr-x 2 root root 4096 Jun 4 13:11 ssl
total 0
lrwxrwxrwx 1 root root 43 May 8 20:10 ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root 33 May 8 20:10 certs -> ../../var/lib/ca-certificates/pem
$ docker run --rm opensuse/tumbleweed realpath /etc/ssl
/etc/ssl
```
Isn't the issue that the files inside it cannot be used (because they're symlinked?)
In other words, would we:
- find `/var/lib/ca-certificates/` (based on one of the symlinks inside the directory)
- then `mount --rbind /var/lib/ca-certificates/ /etc/ssl`?

Currently it looks like it's just mounting `/etc/ssl` on `/etc/ssl` (perhaps I'm wrong!)
> it looks like the files inside /etc/ssl are symlinks, but /etc/ssl itself is not, correct?

true

> Isn't the issue that the files inside it cannot be used (because they're symlinked?)

Yes.
The issue is that `ca-bundle.pem -> ../../var/lib/ca-certificates/ca-bundle.pem` is no longer accessible as it is now resolved into `/etc/var/lib/ca-certificates/ca-bundle.pem`, not `/var/lib/ca-certificates/ca-bundle.pem`, because the base directory is now `/etc/.ro780432485/ssl`, not `/etc/ssl`.

> find /var/lib/ca-certificates/

No, that probably doesn't work for other distros.

> Currently it looks like it's just mounting /etc/ssl on /etc/ssl

It is mounting `/etc/ssl` in the parent namespace on `/etc/ssl` in the child namespace.
But what's the `realpath_etc_ssl=$(realpath /etc/ssl)` doing? As there's no symlink to resolve in that case.
So the effective change is that we delete `/etc/ssl` (and the symlinks) and replace it with an empty directory?
`rootlesskit --copy-up=/etc` mounts an empty tmpfs on `/etc` (to make it writable), mounts the old `/etc` on `/etc/.ro780432485`, and symlinkifies `/etc/ssl` to `/etc/.ro780432485/ssl`.
So `realpath_etc_ssl` = `/etc/.ro780432485/ssl`.
Ahhhhhh! That's the bit I was missing! Sorry for the confusion 🤗 ❤️
LGTM
That `rm -rf` looks scary. From a naive look, it seems it only works if `/etc/ssl` is a symlink and then it makes it not a symlink. It should at least validate somehow that all this is created by rootlesskit, symlink on tmpfs etc.
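The copy-up layout described in the thread, and the validation asked for just above, as an added example that is not code from the PR or from rootlesskit: it rebuilds the layout in a scratch directory, shows why the relative `ca-bundle.pem` symlink stops resolving, and guards the replacement step so it only touches a symlink of the shape `<parent>/.ro<suffix>/<name>`. It assumes GNU coreutils (`readlink -m`); the `.ro780432485` name is the one quoted above, and treating any `.ro<suffix>` sibling as the copy-up directory is an assumption.

```shell
# Added example, not code from the PR or from rootlesskit: rebuild the
# "rootlesskit --copy-up=/etc" layout described in the thread in a scratch
# directory, show why the relative symlink /etc/ssl/ca-bundle.pem stops
# resolving there, and add the validation tonistiigi asked for before the
# workaround removes /etc/ssl. Assumes GNU coreutils (readlink -m); any
# ".ro<suffix>" sibling being the copy-up directory is an assumption.
set -eu

# Constructed mock of openSUSE Tumbleweed's /etc/ssl without copy-up, under $1.
make_plain_layout() {
    r=$1
    mkdir -p "$r/var/lib/ca-certificates" "$r/etc/ssl"
    echo "constructed bundle" >"$r/var/lib/ca-certificates/ca-bundle.pem"
    ln -s ../../var/lib/ca-certificates/ca-bundle.pem "$r/etc/ssl/ca-bundle.pem"
}

# Same host after copy-up: old /etc is mounted at /etc/.ro<suffix> and /etc/ssl
# is a symlink into it, so "../.." from the bundle's real dir lands in /etc/var.
make_copyup_layout() {
    r=$1
    mkdir -p "$r/var/lib/ca-certificates" "$r/etc/.ro780432485/ssl"
    echo "constructed bundle" >"$r/var/lib/ca-certificates/ca-bundle.pem"
    ln -s ../../var/lib/ca-certificates/ca-bundle.pem \
        "$r/etc/.ro780432485/ssl/ca-bundle.pem"
    ln -s .ro780432485/ssl "$r/etc/ssl"
}

# Where the bundle path resolves to under root $1, and whether it is readable.
bundle_resolves_to() { readlink -m "$1/etc/ssl/ca-bundle.pem"; }
bundle_readable()    { [ -r "$1/etc/ssl/ca-bundle.pem" ]; }

# Guard for the workaround: succeed only if $1 is a symlink whose target is
# exactly <parent of $1>/.ro<suffix>/<name of $1>, i.e. the copy-up link.
is_copyup_symlink() {
    p=$1
    [ -L "$p" ] || return 1
    target=$(readlink -f "$p") || return 1
    parent=$(readlink -f "$(dirname "$p")")
    [ "$(basename "$target")" = "$(basename "$p")" ] || return 1
    [ "$(dirname "$(dirname "$target")")" = "$parent" ] || return 1
    case "$(basename "$(dirname "$target")")" in
        .ro?*) return 0 ;;
        *)     return 1 ;;
    esac
}

scratch=$(readlink -f "$(mktemp -d)")
make_copyup_layout "$scratch"
echo "bundle resolves to: $(bundle_resolves_to "$scratch")"
is_copyup_symlink "$scratch/etc/ssl" && echo "copy-up symlink: safe to replace"
rm -rf "$scratch"
```

Under the copy-up layout the bundle resolves to `<root>/etc/var/lib/ca-certificates/ca-bundle.pem` and is unreadable, while the plain layout resolves to `<root>/var/lib/ca-certificates/ca-bundle.pem`; the guard accepts only the copy-up symlink.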
…SUSE Tumbleweed

openSUSE Tumbleweed was facing "x509: certificate signed by unknown authority" error, as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`, which was not supported by `rootlesskit --copy-up=/etc`. See rootless-containers/rootlesskit issues 225

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

4160a8b to 8610d8c
Added
@tonistiigi PTAL 🙏
still LGTM
Cherry-pick PR: #42462
- What I did

Fix "x509: certificate signed by unknown authority" error on openSUSE Tumbleweed.
openSUSE Tumbleweed was facing this error, as `/etc/ssl/ca-bundle.pem` is provided as a symlink to `../../var/lib/ca-certificates/ca-bundle.pem`, which was not supported by `rootlesskit --copy-up=/etc`. See rootless-containers/rootlesskit#225

- How I did it

By bind-mounting `/etc/ssl` from the parent namespace into the child.

- How to verify it

Run `docker --context=rootless pull hello-world` on an openSUSE Tumbleweed host.

- Description for the changelog

rootless: fix "x509: certificate signed by unknown authority" on openSUSE Tumbleweed

- A picture of a cute animal (not mandatory but encouraged)

🐧