daemons/server: Add Grid CAs to the system trust
The origin of the /etc/grid-security directory appears to be Globus.
GFAL uses it transparently, but all other native system utilities and
libraries do not.

This commit adds the Grid CAs to the system trust at the time the
container starts, when applicable.  This will be important for the Rucio
components that:

  * Connect directly to the RSEs (Automatix, Dark Reaper, Reaper)
  * Communicate with FTS (Cleaner, Poller, Submitter, and the Rucio
    servers)

The /etc/grid-security directory does not exist by default; it has to be
populated externally and mounted in the container with
extraHostPathMounts.
dchristidis authored and bari12 committed Apr 16, 2024
1 parent 5f83b5a commit a90e38f
Showing 2 changed files with 12 additions and 0 deletions.
6 changes: 6 additions & 0 deletions daemons/start-daemon.sh
Expand Up @@ -81,6 +81,12 @@ then
done
fi

if [ -d /etc/grid-security/certificates ]; then
echo 'Adding Grid CAs to the system trust.'
cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
fi

echo "starting daemon with: $RUCIO_DAEMON $RUCIO_DAEMON_ARGS"
echo ""

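Review bot: the `cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/` line is guarded only by a test that the directory exists, not that it contains any .pem files. If the mount is present but empty, the glob reaches cp unexpanded and cp fails; what happens after that depends on shell options that are not visible in this hunk, and the log will still carry 'Adding Grid CAs to the system trust.' with nothing added. Suggest checking for at least one match before copying and checking the exit status of both cp and `update-ca-trust extract`, so the daemon either starts with the CAs installed or stops with a clear message. Both commands write under /etc/pki/ca-trust, so a short comment stating that this block needs write access there at container start would also help.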
6 changes: 6 additions & 0 deletions server/docker-entrypoint.sh
Expand Up @@ -92,6 +92,12 @@ then
done
fi

if [ -d /etc/grid-security/certificates ]; then
echo 'Adding Grid CAs to the system trust.'
cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
update-ca-trust extract
fi

pkill httpd || :
sleep 2
exec httpd -D FOREGROUND
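Review bot: the copy into /etc/pki/ca-trust/source/anchors/ is missing documentation of how far the trust change reaches. Every .pem found in the externally populated mount becomes a system-wide trust anchor for httpd and every other TLS client in the container, not only for the FTS connections named in the commit message. Only `*.pem` is copied, so any policy or revocation files that a Grid CA distribution keeps beside the certificates are not carried into the system store. Suggest a comment here, and wherever extraHostPathMounts is documented, saying that the directory must come from a trusted source and should be mounted read-only. This six-line block is also identical to the one added to daemons/start-daemon.sh; a shared helper script would keep the two copies from drifting apart.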
