
[BUG] Missing update-ca-certificates #2709

Closed
FrankYang0529 opened this issue Aug 29, 2022 · 10 comments
Labels

  • area/os: Harvester OS related (ex: SLE Micro)
  • kind/bug: Issues that are defects reported by users or that we know have reached a real release
  • priority/0: Must be fixed in this release
  • reproduce/always: Reproducible 100% of the time
  • require/release-note
  • severity/2: Function working but has a major issue w/o workaround (a major incident with significant impact)

@FrankYang0529 (Member)

Describe the bug
We use update-ca-certificates to add additional CAs, but the command is not found in the current master-head version.

To Reproduce
Steps to reproduce the behavior:

  1. Start a Harvester node.
  2. ssh to the node.
  3. Run sudo -i.
  4. Run update-ca-certificates.

Expected behavior
The command should exist.

Environment

  • Harvester ISO version: master-head
  • Underlying Infrastructure (e.g. Baremetal with Dell PowerEdge R630): vagrant
@FrankYang0529 FrankYang0529 added kind/bug Issues that are defects reported by users or that we know have reached a real release reproduce/needed Reminder to add a reproduce label and to remove this one severity/needed Reminder to add a severity label and to remove this one labels Aug 29, 2022
@tjjh89017 tjjh89017 self-assigned this Aug 29, 2022
@tjjh89017 (Contributor)

PR: harvester/harvester-installer#328

Test steps

  1. Install Harvester.
  2. Open a shell and grant root permission.
  3. Test that update-ca-certificates exists.

@harvesterhci-io-github-bot (Collaborator)

Pre Ready-For-Testing Checklist

  • If labeled: require/HEP Has the Harvester Enhancement Proposal PR submitted?
    The HEP PR is at:

  • Where are the reproduce steps/test steps documented?
    The reproduce steps/test steps are at:

  • Is there a workaround for the issue? If so, where is it documented?
    The workaround is at:

  • Has the backend code been merged (harvester, harvester-installer, etc) (including backport-needed/*)?
    The PR is at:

    • Does the PR include the explanation for the fix or the feature?

    • Does the PR include deployment change (YAML/Chart)? If so, where are the PRs for both YAML file and Chart?
      The PR for the YAML change is at:
      The PR for the chart change is at:

  • If labeled: area/ui Has the UI issue filed or ready to be merged?
    The UI issue/PR is at:

  • If labeled: require/doc, require/knowledge-base Has the necessary document PR submitted or merged?
    The documentation/KB PR is at:

  • If NOT labeled: not-require/test-plan Has the e2e test plan been merged? Have QAs agreed on the automation test case? If only test case skeleton w/o implementation, have you created an implementation issue?

    • The automation skeleton PR is at:
    • The automation test case PR is at:
  • If the fix introduces the code for backward compatibility Has a separate issue been filed with the label release/obsolete-compatibility?
    The compatibility issue is filed at:

@harvesterhci-io-github-bot (Collaborator)

Automation e2e test issue: harvester/tests#477

@yasker yasker added priority/0 Must be fixed in this release severity/2 Function working but has a major issue w/o workaround (a major incident with significant impact) reproduce/always Reproducible 100% of the time and removed reproduce/needed Reminder to add a reproduce label and to remove this one severity/needed Reminder to add a severity label and to remove this one labels Aug 30, 2022
@yasker yasker added this to the v1.1.0 milestone Aug 30, 2022
@yasker yasker added the area/os Harvester OS related (ex: SLE Micro) label Aug 30, 2022
@TachunLin TachunLin self-assigned this Sep 1, 2022
@TachunLin

Verified fixed on master-69a6b1b2-head (08/29). Close this issue.

Result

  • Command update-ca-certificates exists on each Harvester node (4 nodes)

        rancher@harvester-fd4qn:~> sudo -i
        harvester-fd4qn:~ # update-ca-certificates
        harvester-fd4qn:~ # which update-ca-certificates
        /usr/sbin/update-ca-certificates

Test Information

  • Test Environment: 4-node Harvester on a dolphin bare-metal machine
  • Harvester version: master-69a6b1b2-head (08/29)

Verify Steps

  1. ssh to each Harvester node
  2. Execute sudo -i
  3. Execute update-ca-certificates
  4. Check that the command exists with which update-ca-certificates

@Martin-Weiss

Does the command work and add the certificates from /etc/pki/trust/anchors to /etc/ssl/ca-bundle.pem?
I thought /etc/ssl/ca-bundle.pem was read-only, but maybe I misunderstood.

@TachunLin commented Sep 1, 2022

The update-ca-certificates command does work, adding the certificate from /etc/pki/trust/anchors to /etc/ssl/ca-bundle.pem in the following manner:

  1. We add the certificate in the Harvester additional-ca setting.

  2. The added certificate content is located in /etc/pki/trust/anchors/additional-ca.pem.

  3. Harvester uses update-ca-certificates to add the content to /etc/ssl/ca-bundle.pem.

  4. We also verified that the added certificates still exist after we restart the current node.

  5. This is because, during reboot, Harvester performs update-ca-certificates at the OS level:
    https://github.com/harvester/harvester-installer/blob/master/package/harvester-os/files/system/oem/09_ca.yaml
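
A check an operator can run on a node after changing the additional-ca setting, or after a reboot, to confirm that every anchor in /etc/pki/trust/anchors really ended up in /etc/ssl/ca-bundle.pem. This is an added example, not Harvester's or the installer's own code; the two paths are the ones named in this thread, and the base64 bodies in demo() are constructed placeholders rather than real certificates.

```shell
#!/bin/sh
# Confirm that every certificate in the anchors directory has been merged into
# the system bundle by update-ca-certificates. Certificates are compared by
# their base64 DER body, so differences in PEM line wrapping are ignored.

# pem_bodies FILE...: print one line per certificate, its base64 body with all
# whitespace stripped.
pem_bodies() {
  awk '/^-----BEGIN CERTIFICATE-----/ { body = ""; inblock = 1; next }
       /^-----END CERTIFICATE-----/   { if (inblock) print body; inblock = 0; next }
       inblock                        { gsub(/[ \t\r]/, ""); body = body $0 }' "$@"
}

# missing_anchors [ANCHORS_DIR] [BUNDLE]: return 0 if every anchor is present in
# the bundle, 1 otherwise (the number of missing anchors is reported on stderr).
# Defaults are the SLE Micro paths discussed in this issue.
missing_anchors() {
  anchors_dir=${1:-/etc/pki/trust/anchors}
  bundle=${2:-/etc/ssl/ca-bundle.pem}
  tmp=$(mktemp -d) || return 2
  for f in "$anchors_dir"/*; do
    [ -f "$f" ] && pem_bodies "$f"
  done | sort -u > "$tmp/anchors"
  pem_bodies "$bundle" | sort -u > "$tmp/bundle"
  # Lines only in the anchors set are certificates the bundle does not carry.
  comm -23 "$tmp/anchors" "$tmp/bundle" > "$tmp/missing"
  rc=0
  if [ -s "$tmp/missing" ]; then
    echo "$(wc -l < "$tmp/missing") anchor certificate(s) missing from $bundle" >&2
    rc=1
  fi
  rm -rf "$tmp"
  return $rc
}

# demo: constructed fixture (the base64 bodies are placeholders, not real
# certificates) with one merged anchor and one that is not yet in the bundle.
demo() {
  d=$(mktemp -d) && mkdir "$d/anchors"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJD' 'REVG' '-----END CERTIFICATE-----' \
    > "$d/anchors/additional-ca.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVG' '-----END CERTIFICATE-----' \
    > "$d/ca-bundle.pem"
  missing_anchors "$d/anchors" "$d/ca-bundle.pem" && echo "additional-ca.pem is in the bundle"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'WFla' '-----END CERTIFICATE-----' \
    > "$d/anchors/other.pem"
  missing_anchors "$d/anchors" "$d/ca-bundle.pem" || echo "other.pem has not been merged"
  rm -rf "$d"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the constructed case, or call missing_anchors with no arguments on a node to check the real paths.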

@Martin-Weiss

In 1.0.3 I could see that /etc/ssl/ca-bundle.pem is read-only, or did I overlook something?
So whenever we add or adjust the additional CA with the UI, all nodes in the cluster need to be rebooted?
Will this happen automatically?

@TachunLin

Yes, once we add the additional CA with the UI, Harvester will automatically execute update-ca-certificates to add it to /etc/ssl/ca-bundle.pem without the requirement to reboot the node.

The reboot check in step 4 just double-confirms that the additional CA still exists after the reboot.

@Martin-Weiss

Ok - then we "just" have to restart all running services that are using this ca-bundle.pem (i.e. RKE2)?

@FrankYang0529 (Member, Author)

Yes, we need to restart RKE2. We will automatically restart RKE2 after this fix f860269.
