/snapd

cmd/snap-confine: use /etc/ssl from the core snap #3271

Merged
merged 9 commits into from May 15, 2017

Conversation

Reviewers

@zyga zyga

@chipaca chipaca

@niemeyer niemeyer

@jdstrand jdstrand

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
5 participants
@morphis @jdstrand @anlx-sw @zyga @chipaca
@morphis
Contributor

morphis commented May 4, 2017

We need to use /etc/ssl from the core snap next to /etc/alternatives
as applications like LXD expect a correct setup of the certificate
chain which is broken if we're running snaps on non Ubuntu/Debian
distributions.

Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1028568
@zyga

zyga approved these changes May 8, 2017
View changes

LGTM, just one comment to apply.

tests/main/dirs-not-shared-with-host/task.yaml
@@ -0,0 +1,25 @@
+summary: Ensure that certain directories are coming from the core snap
@zyga

zyga May 8, 2017

Contributor

Nice, thanks!

tests/main/dirs-not-shared-with-host/task.yaml
@@ -0,0 +1,25 @@
+summary: Ensure that certain directories are coming from the core snap
+description: |
@zyga

zyga May 8, 2017

Contributor

I think you meant:

details: |
  The snap-confine program bind mounts the /etc directory from the classic distribution into the snap execution
  environment. Certain directories however, if they exist on the host's /etc are actually, bind-mounted from the
  core snap for a more consistent behaviour across various distributions.

@zyga zyga referenced this pull request May 8, 2017

Merged

cmd/snap, client: add "whoami" command #3277

@zyga zyga requested review from jdstrand and niemeyer May 8, 2017

@chipaca

chipaca approved these changes May 15, 2017
View changes

LGTM. One request.

cmd/snap-confine/mount-support.c
+ // (e.g. the core snap) back. This way the behavior of running snaps is not
+ // affected by the alternatives directory from the host, if one exists.
+ //
+ // https://bugs.launchpad.net/snap-confine/+bug/1580018
@chipaca

chipaca May 15, 2017

Member

could you expand this comment a little bit to also link the bug this PR fixes?

@morphis

morphis May 15, 2017

Contributor

Done.

Simon Fels added some commits Apr 27, 2017

cmd/snap-confine: use /etc/ssl from the core snap 
We need to use /etc/ssl from the core snap next to /etc/alternatives
as applications like LXD expect a correct setup of the certificate
chain which is broken if we're running snaps on non Ubuntu/Debian
distributions.

Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1028568
915767a
tests/main: add test case to ensure /etc/ssl always comes from the co… 
…re snap
cc18a4e
cmd/snap-confine: rework string array iteration
6027d48
tests/main: rename test case and check /etc/{alternatives,ssl}
e18477d
cmd/snap-confine: correct formatting
3480d71
tests/main: add proper description of our test case
5c849af
cmd/snap-confine: only unshare /etc/{ssl,alternatives} when !core
6772fed
cmd/snap-confine: correct indentation
b08a5aa
cmd/snap-confine: mention openSUSE bug we're fixing

All checks have passed

7 successful checks
@mvo5
artful-amd64 — autopkgtest finished (success)
Details
continuous-integration/travis-ci/pr — The Travis CI build passed
Details
@mvo5
xenial-amd64 — autopkgtest finished (success)
Details
@mvo5
xenial-i386 — autopkgtest finished (success)
Details
@mvo5
xenial-ppc64el — autopkgtest finished (success)
Details
@mvo5
yakkety-amd64 — autopkgtest finished (success)
Details
@mvo5
zesty-amd64 — autopkgtest finished (success)
Details
d8da611

@zyga zyga merged commit 62e64cb into snapcore:master May 15, 2017
7 checks passed

7 checks passed

artful-amd64 autopkgtest finished (success)
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details
xenial-amd64 autopkgtest finished (success)
Details
xenial-i386 autopkgtest finished (success)
Details
xenial-ppc64el autopkgtest finished (success)
Details
yakkety-amd64 autopkgtest finished (success)
Details
zesty-amd64 autopkgtest finished (success)
Details
@jdstrand
Contributor

jdstrand commented May 15, 2017

This PR is a 6 of one half dozen of the other type of thing. This PR means that now locally installed certificates on classic won't work and there is no mechanism for extending the core snap's certificates. Debian and Ubuntu have 'update-ca-certificates' (man 8 update-ca-certificates) which can look at /usr/local/share/ca-certificates that might be used to help address this, but I don't know what mechanisms are available in other distros. I suspect more people are affected by this PR not being applied than those that will be when it is applied, but I predict bug reports.

@anlx-sw anlx-sw referenced this pull request in wekan/wekan Jul 19, 2017

Open

Trying to send signed email even though TLS is disabled #1120

@anlx-sw

anlx-sw commented Jul 19, 2017

is there a way to persistently add root certificates to snap? i run snap on a ubuntu 16.04 server and it seems that tls certificates from an internal ca can't be verified anymore.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment