cmd/snap-confine: use /etc/ssl from the core snap #3271

Merged
merged 9 commits into from May 15, 2017

Contributor

morphis commented May 4, 2017

We need to use /etc/ssl from the core snap next to /etc/alternatives
as applications like LXD expect a correct setup of the certificate
chain which is broken if we're running snaps on non Ubuntu/Debian
distributions.

Fixes https://bugzilla.opensuse.org/show_bug.cgi?id=1028568

zyga approved these changes May 8, 2017

LGTM, just one comment to apply.

@@ -0,0 +1,25 @@
+summary: Ensure that certain directories are coming from the core snap
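Review bot: The summary line says only "certain directories", which will not tell someone reading a failed test run what is being verified. Since this change is about /etc/ssl next to /etc/alternatives, name both in the summary, for example "Ensure that /etc/alternatives and /etc/ssl come from the core snap".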

zyga May 8, 2017

Contributor

Nice, thanks!

@@ -0,0 +1,25 @@
+summary: Ensure that certain directories are coming from the core snap
+description: |

zyga May 8, 2017

Contributor

I think you meant:

details: |
  The snap-confine program bind mounts the /etc directory from the classic distribution into the snap execution
  environment. Certain directories, however, if they exist on the host's /etc, are actually bind-mounted from the
  core snap for a more consistent behaviour across various distributions.

zyga requested review from jdstrand and niemeyer May 8, 2017
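Added example, not part of this PR or of snapd: a shell check that reads a mount table in /proc/self/mountinfo format and reports which filesystem backs a path, so the layout described in the review comment above (/etc from the host, /etc/alternatives and /etc/ssl from the core snap) can be confirmed from inside a snap's mount namespace. The sample mount table, its IDs and device names, and the helper names `backing_of` and `from_core` are constructed for illustration; it assumes the host root filesystem is not squashfs.

```shell
#!/bin/sh
# Added example (not snapd code): report which mount backs a path, using
# /proc/self/mountinfo-style input on stdin.

# Constructed sample of a snap's mount namespace; IDs and devices are made up.
sample_mountinfo() {
cat <<'EOF'
410 409 7:0 / / ro,nodev,relatime - squashfs /dev/loop0 ro
411 410 8:1 /etc /etc rw,relatime shared:1 - ext4 /dev/sda1 rw
412 411 7:0 /etc/alternatives /etc/alternatives ro,nodev,relatime - squashfs /dev/loop0 ro
413 411 7:0 /etc/ssl /etc/ssl ro,nodev,relatime - squashfs /dev/loop0 ro
EOF
}

# backing_of PATH: print "fstype source root" of the mount that covers PATH.
backing_of() {
    awk -v path="$1" '
    {
        mp = $5
        # Optional fields (e.g. shared:1) vary in number; "-" terminates them.
        for (i = 7; i <= NF; i++) if ($i == "-") break
        if (i + 2 > NF) next
        # Match whole path components so /etc/sslfoo is not taken for /etc/ssl.
        covers = (mp == "/") || (path == mp) || (index(path, mp "/") == 1)
        # Longest mount point wins; ">=" lets a later stacked mount override.
        if (covers && length(mp) >= best) {
            best = length(mp)
            out = $(i + 1) " " $(i + 2) " " $4
        }
    }
    END { if (out == "") exit 1; print out }'
}

# from_core PATH: succeed if PATH is served from a squashfs image.
# Assumption: the core snap is the only squashfs involved and the host's
# root filesystem is not squashfs.
from_core() {
    fstype=$(backing_of "$1" | cut -d' ' -f1)
    [ "$fstype" = "squashfs" ]
}

# Demo on the constructed sample; inside a snap, feed /proc/self/mountinfo.
for p in /etc/hosts /etc/alternatives /etc/ssl/certs; do
    printf '%s: %s\n' "$p" "$(sample_mountinfo | backing_of "$p")"
done
```

Against a live system the same functions take `< /proc/self/mountinfo` on stdin, run from a shell inside the snap's mount namespace.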

LGTM. One request.

cmd/snap-confine/mount-support.c
+ // (e.g. the core snap) back. This way the behavior of running snaps is not
+ // affected by the alternatives directory from the host, if one exists.
+ //
+ // https://bugs.launchpad.net/snap-confine/+bug/1580018
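Review bot: The closing sentence of this comment still speaks only of "the alternatives directory from the host", and the one link is the Launchpad bug. With /etc/ssl now taken from the core snap as well, the comment should say that both directories are covered and why /etc/ssl is included (the certificate chain on non Ubuntu/Debian hosts), with the openSUSE bug reference next to the existing link.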

chipaca May 15, 2017

Member

Could you expand this comment a little bit to also link the bug this PR fixes?


morphis May 15, 2017

Contributor

Done.

Simon Fels added some commits Apr 27, 2017

cmd/snap-confine: use /etc/ssl from the core snap

zyga merged commit 62e64cb into snapcore:master May 15, 2017

7 checks passed

artful-amd64 autopkgtest finished (success)
continuous-integration/travis-ci/pr The Travis CI build passed
xenial-amd64 autopkgtest finished (success)
xenial-i386 autopkgtest finished (success)
xenial-ppc64el autopkgtest finished (success)
yakkety-amd64 autopkgtest finished (success)
zesty-amd64 autopkgtest finished (success)

Contributor

jdstrand commented May 15, 2017

This PR is a 6 of one half dozen of the other type of thing. This PR means that now locally installed certificates on classic won't work and there is no mechanism for extending the core snap's certificates. Debian and Ubuntu have 'update-ca-certificates' (man 8 update-ca-certificates) which can look at /usr/local/share/ca-certificates that might be used to help address this, but I don't know what mechanisms are available in other distros. I suspect more people are affected by this PR not being applied than those that will be when it is applied, but I predict bug reports.

anlx-sw commented Jul 19, 2017

Is there a way to persistently add root certificates to snap? I run snap on an Ubuntu 16.04 server and it seems that TLS certificates from an internal CA can't be verified anymore.
