From 043ad08237beeacde63f9cad851d2e49c0d16ec5 Mon Sep 17 00:00:00 2001 From: Tomasz Nowak Date: Wed, 29 Mar 2017 11:42:52 +0200 Subject: [PATCH] Configure guestagent on Ubuntu guest images to use CA certificates Currently there is no way to provide SSL configuration for Trove, so it fails e.g. when uploading backups to a secured Swift endpoint. This patch sets an environment variable (REQUESTS_CA_BUNDLE [1]) understood by Requests library for Python, so all HTTPS calls done by trove-guest service will trust the provided CAs. For Ubuntu Xenial and Fedora a systemd drop-in sets this environment variable for trove-guest service, so it uses Ubuntu's/Fedora's system certificate store to validate server certificates. For Ubuntu Trusty the upstart script is modified to build and use a bundle file from certificates in /usr/local/share/ca-certificates, because Requests library doesn't support CA directories in such old Python versions. On Ubuntu systems the custom certificates are taken from /usr/local/share/ca-certificates; please use PEM format, .crt extension and call update-ca-certificates. On Fedora systems custom certificates can be put in /usr/share/pki/ca-trust-source/anchors; please use PEM format, .pem extension and call update-ca-trust. [1] http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification Change-Id: I0025e7c72fa2d863ae9540941956b1ab63bcc636 --- .../fedora-guest/install.d/21-use-fedora-certificates | 11 +++++++++++ .../install.d/21-use-ubuntu-certificates | 11 +++++++++++ integration/scripts/files/trove-guest.upstart.conf | 4 +++- 3 files changed, 25 insertions(+), 1 deletion(-) create mode 100755 integration/scripts/files/elements/fedora-guest/install.d/21-use-fedora-certificates create mode 100755 integration/scripts/files/elements/ubuntu-xenial-guest/install.d/21-use-ubuntu-certificates 
diff --git a/integration/scripts/files/elements/fedora-guest/install.d/21-use-fedora-certificates b/integration/scripts/files/elements/fedora-guest/install.d/21-use-fedora-certificates
new file mode 100755
index 0000000000..8ef6c50a21
--- /dev/null
+++ b/integration/scripts/files/elements/fedora-guest/install.d/21-use-fedora-certificates
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# CONTEXT: GUEST during CONSTRUCTION as ROOT
+# PURPOSE: configure trove-guest service to use system store of trusted certificates
+
+GUEST_UNIT_DROPINS="/etc/systemd/system/trove-guest.service.d"
+
+mkdir -v -p ${GUEST_UNIT_DROPINS}
+echo -e '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs' > ${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf
+
+
diff --git a/integration/scripts/files/elements/ubuntu-xenial-guest/install.d/21-use-ubuntu-certificates b/integration/scripts/files/elements/ubuntu-xenial-guest/install.d/21-use-ubuntu-certificates
new file mode 100755
index 0000000000..ab9469ed93
--- /dev/null
+++ b/integration/scripts/files/elements/ubuntu-xenial-guest/install.d/21-use-ubuntu-certificates
@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# CONTEXT: GUEST during CONSTRUCTION as ROOT
+# PURPOSE: configure trove-guest service to use system store of trusted certificates
+
+GUEST_UNIT_DROPINS="/etc/systemd/system/trove-guest.service.d"
+
+mkdir -v -p ${GUEST_UNIT_DROPINS}
+echo -e '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=/etc/ssl/certs' > ${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf
+
+
diff --git a/integration/scripts/files/trove-guest.upstart.conf b/integration/scripts/files/trove-guest.upstart.conf
index 2e20d6cfb9..f6a3dba24a 100644
--- a/integration/scripts/files/trove-guest.upstart.conf
+++ b/integration/scripts/files/trove-guest.upstart.conf
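Review bot: `echo -e` on the line that writes the drop-in is not portable under the `#!/bin/sh` shebang: where `/bin/sh` is dash (as on Ubuntu Xenial) the `-e` is printed literally, so the file starts with `-e [Service]`, systemd rejects the drop-in, REQUESTS_CA_BUNDLE stays unset and the guest silently falls back to whatever bundle Requests ships with; the same line appears in the ubuntu-xenial-guest hunk, where this actually bites. Replace it with `printf '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs\n' > "${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf"` and quote the expansion on the `mkdir` line as well. Separately, Requests treats a directory value as an OpenSSL capath, which only works when the directory contains hash-named symlinks; if Fedora's /etc/pki/tls/certs is not hashed on the built image, point the variable at a bundle file instead (e.g. `/etc/pki/tls/certs/ca-bundle.crt`), which is worth verifying before merging.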
@@ -36,5 +36,7 @@ script fi - exec su -c "/home/GUEST_USERNAME/trove/contrib/trove-guestagent $TROVE_CONFIG" GUEST_USERNAME + # Requests: CA directories not supported in older Pythons, a custom bundle file is needed + cat /usr/local/share/ca-certificates/*.crt > /usr/local/share/ca-certificates/custom.bundle + exec su -c "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/custom.bundle /home/GUEST_USERNAME/trove/contrib/trove-guestagent $TROVE_CONFIG" GUEST_USERNAME end script
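Review bot: The added `cat /usr/local/share/ca-certificates/*.crt > .../custom.bundle` line fails on any guest that has no custom certificate: the unmatched glob stays literal, `cat` exits non-zero, and because upstart runs `script` stanzas with `sh -e` the `exec` line is never reached, so the guestagent stops starting on images built without local CAs. It also narrows trust to the local CAs alone, excluding the system store, which may not be intended. If the image runs `update-ca-certificates` as the commit message asks, those .crt files are already merged into the system bundle, so the simplest fix is to drop the `cat` line and use `REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt` in the `exec su -c` command; otherwise guard the glob with an existence check before concatenating. The `script` stanza begins outside the hunk.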