[lxc-devel] [lxd/master] shared: Read certificates from host
stgraber on Github
lxc-bot at linuxcontainers.org
Fri Dec 21 22:38:04 UTC 2018
From 18b9ae3224daadfef80ffddf47acfa6ee2f31016 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Graber?= <stgraber at ubuntu.com>
Date: Fri, 21 Dec 2018 17:36:38 -0500
Subject: [PATCH] shared: Read certificates from host
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is for snap users: during an update of the core snap, the custom mount
namespace set up by LXD may be missing, causing access to the host CA
configuration to be temporarily broken (until the next LXD restart).
With this patch, we directly go look for the CA certificates of the host
and merge those with what's in the snap environment.
Closes https://github.com/lxc/lxd-pkg-snap/issues/28
Signed-off-by: Stéphane Graber <stgraber at ubuntu.com>
---
shared/network.go | 16 ++++++++--------
shared/network_unix.go | 17 ++++++++++++++++-
2 files changed, 24 insertions(+), 9 deletions(-)
diff --git a/shared/network.go b/shared/network.go
index 64d4bd8afb..9a37468c0c 100644
--- a/shared/network.go
+++ b/shared/network.go
@@ -64,14 +64,15 @@ func InitTLSConfig() *tls.Config {
}
func finalizeTLSConfig(tlsConfig *tls.Config, tlsRemoteCert *x509.Certificate) {
+ // Setup RootCA
+ if tlsConfig.RootCAs == nil {
+ tlsConfig.RootCAs, _ = systemCertPool()
+ }
+
// Trusted certificates
if tlsRemoteCert != nil {
- caCertPool := tlsConfig.RootCAs
- if caCertPool == nil {
- caCertPool, _ = systemCertPool()
- if caCertPool == nil {
- caCertPool = x509.NewCertPool()
- }
+ if tlsConfig.RootCAs == nil {
+ tlsConfig.RootCAs = x509.NewCertPool()
}
// Make it a valid RootCA
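Review bot: The error from `systemCertPool()` on the new line `tlsConfig.RootCAs, _ = systemCertPool()` is dropped without a comment, and unlike before this assignment now runs on every call rather than only when tlsRemoteCert is set, so a failed pool leaves RootCAs nil in the no-remote-cert path (where Go then falls back to its default verification roots) — worth stating, e.g. `// Best effort: on failure RootCAs stays nil and Go uses its default roots; with a pinned remote cert an empty pool is created below instead.` The same pool is later extended with the remote cert in the second hunk (`tlsConfig.RootCAs.AddCert(tlsRemoteCert)`), so a pinned remote cert is trusted alongside every system and host CA rather than exclusively; that matches the previous behaviour but is easy to misread next to the new `// Setup RootCA` comment. finalizeTLSConfig starts in this hunk but its body continues past it.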
@@ -79,8 +80,7 @@ func finalizeTLSConfig(tlsConfig *tls.Config, tlsRemoteCert *x509.Certificate) {
tlsRemoteCert.KeyUsage = x509.KeyUsageCertSign
// Setup the pool
- caCertPool.AddCert(tlsRemoteCert)
- tlsConfig.RootCAs = caCertPool
+ tlsConfig.RootCAs.AddCert(tlsRemoteCert)
// Set the ServerName
if tlsRemoteCert.DNSNames != nil {
diff --git a/shared/network_unix.go b/shared/network_unix.go
index 3c9790a18a..1e5cdc7cca 100644
--- a/shared/network_unix.go
+++ b/shared/network_unix.go
@@ -4,8 +4,23 @@ package shared
import (
"crypto/x509"
+ "io/ioutil"
)
func systemCertPool() (*x509.CertPool, error) {
- return x509.SystemCertPool()
+ // Get the system pool
+ pool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+
+ // Attempt to load the system's pool too (for snaps)
+ if PathExists("/var/lib/snapd/hostfs/etc/ssl/certs/ca-certificates.crt") {
+ snapCerts, err := ioutil.ReadFile("/var/lib/snapd/hostfs/etc/ssl/certs/ca-certificates.crt")
+ if err == nil {
+ pool.AppendCertsFromPEM(snapCerts)
+ }
+ }
+
+ return pool, nil
}
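Review bot: The `PathExists` check on the host bundle is redundant with the `ioutil.ReadFile` error check right after it and duplicates the path literal; a read that fails for any reason is already ignored, so `PathExists` only adds a check-then-read window — drop it and hoist the path into a constant, e.g. `const snapHostCABundle = "/var/lib/snapd/hostfs/etc/ssl/certs/ca-certificates.crt"` and `hostCerts, err := ioutil.ReadFile(snapHostCABundle)`. The `:=` inside the if shadows the outer `err`, which is harmless here but is the kind of thing linters flag; `AppendCertsFromPEM` also reports whether any certificate was parsed and that result is discarded, so a bundle that is present but unparsable is silently treated as success — a comment saying the merge is best-effort would make that intent explicit. The name `snapCerts` and the comment `// Attempt to load the system's pool too (for snaps)` read as if the snap's own bundle were loaded, while the path is the host's bundle exposed through snapd's hostfs; `hostCerts` and `// Merge the host's CA bundle (exposed via snapd's hostfs) when running as a snap` would be clearer.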