[lxc-devel] [lxd/master] shared: Read certificates from host

stgraber on Github lxc-bot at linuxcontainers.org
Fri Dec 21 22:38:04 UTC 2018


From 18b9ae3224daadfef80ffddf47acfa6ee2f31016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 21 Dec 2018 17:36:38 -0500
Subject: [PATCH] shared: Read certificates from host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This is for snap users: during an update of the core snap, the custom mount
namespace set up by LXD may be missing, causing access to the host CA
configuration to be temporarily broken (until the next LXD restart).

With this patch, we directly go look for the CA certificates of the host
and merge those with what's in the snap environment.

Closes https://github.com/lxc/lxd-pkg-snap/issues/28

Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
 shared/network.go      | 16 ++++++++--------
 shared/network_unix.go | 17 ++++++++++++++++-
 2 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/shared/network.go b/shared/network.go
index 64d4bd8afb..9a37468c0c 100644
--- a/shared/network.go
+++ b/shared/network.go
@@ -64,14 +64,15 @@ func InitTLSConfig() *tls.Config {
 }
 
 func finalizeTLSConfig(tlsConfig *tls.Config, tlsRemoteCert *x509.Certificate) {
+	// Setup RootCA
+	if tlsConfig.RootCAs == nil {
+		tlsConfig.RootCAs, _ = systemCertPool()
+	}
+
 	// Trusted certificates
 	if tlsRemoteCert != nil {
-		caCertPool := tlsConfig.RootCAs
-		if caCertPool == nil {
-			caCertPool, _ = systemCertPool()
-			if caCertPool == nil {
-				caCertPool = x509.NewCertPool()
-			}
+		if tlsConfig.RootCAs == nil {
+			tlsConfig.RootCAs = x509.NewCertPool()
 		}
 
 		// Make it a valid RootCA
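Review bot: The error from systemCertPool() is discarded with `_` on the added `tlsConfig.RootCAs, _ = systemCertPool()` line, so a failure to load the system pool leaves RootCAs nil with nothing recorded; the fallback is sound (nil RootCAs makes Go use its default roots, and the later nil check still creates an empty pool when a remote cert is pinned), but it should be stated, e.g. `// Error ignored on purpose: a nil RootCAs falls back to Go's default roots`. Note also that the pool is now populated for every config rather than only when tlsRemoteCert is set, which replaces Go's lazy default-root lookup with an explicit pool that includes the host bundle; that appears to be the intent of the patch, but it is worth saying so in the commit message since it changes verification for the non-pinned path too. finalizeTLSConfig continues past the end of this hunk.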
@@ -79,8 +80,7 @@ func finalizeTLSConfig(tlsConfig *tls.Config, tlsRemoteCert *x509.Certificate) {
 		tlsRemoteCert.KeyUsage = x509.KeyUsageCertSign
 
 		// Setup the pool
-		caCertPool.AddCert(tlsRemoteCert)
-		tlsConfig.RootCAs = caCertPool
+		tlsConfig.RootCAs.AddCert(tlsRemoteCert)
 
 		// Set the ServerName
 		if tlsRemoteCert.DNSNames != nil {
diff --git a/shared/network_unix.go b/shared/network_unix.go
index 3c9790a18a..1e5cdc7cca 100644
--- a/shared/network_unix.go
+++ b/shared/network_unix.go
@@ -4,8 +4,23 @@ package shared
 
 import (
 	"crypto/x509"
+	"io/ioutil"
 )
 
 func systemCertPool() (*x509.CertPool, error) {
-	return x509.SystemCertPool()
+	// Get the system pool
+	pool, err := x509.SystemCertPool()
+	if err != nil {
+		return nil, err
+	}
+
+	// Attempt to load the system's pool too (for snaps)
+	if PathExists("/var/lib/snapd/hostfs/etc/ssl/certs/ca-certificates.crt") {
+		snapCerts, err := ioutil.ReadFile("/var/lib/snapd/hostfs/etc/ssl/certs/ca-certificates.crt")
+		if err == nil {
+			pool.AppendCertsFromPEM(snapCerts)
+		}
+	}
+
+	return pool, nil
 }
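Review bot: The PathExists check immediately before ioutil.ReadFile is redundant and races with the read (the file can disappear between the two calls); ReadFile already reports a missing file through its error, so the pair can collapse to `hostCerts, err := ioutil.ReadFile(hostCABundle)` followed by `if err == nil { pool.AppendCertsFromPEM(hostCerts) }`, with the twice-repeated path hoisted into one package-level constant such as `hostCABundle`. The bool returned by AppendCertsFromPEM is dropped, so a host bundle that parses to zero certificates is indistinguishable from a successful merge; since this call only ever widens the trust set beyond the snap's own roots, a comment stating that the merge is best-effort and that a missing or unparseable host bundle is deliberately ignored would make the trust decision explicit for the next reader. The variable `snapCerts` holds the host's CA bundle read through snapd's hostfs, so `hostCerts` describes it better than `snapCerts`, and the comment "Attempt to load the system's pool too" would be clearer as "Merge the host's CA bundle when running as a snap".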

