Configure guestagent on Ubuntu guest images to use CA certificates

Currently there is no way to provide SSL configuration for Trove, so it
fails e.g. when uploading backups to a secured Swift endpoint. This
patch sets an environment variable (REQUESTS_CA_BUNDLE [1]) understood
by the Requests library for Python, so all HTTPS calls done by the trove-guest
service will trust the provided CAs.

For Ubuntu Xenial and Fedora a systemd drop-in sets this environment
variable for trove-guest service, so it uses Ubuntu's/Fedora's system
certificate store to validate server certificates.

For Ubuntu Trusty the upstart script is modified to build and use a
bundle file from certificates in /usr/local/share/ca-certificates,
because the Requests library doesn't support CA directories in such old
Python versions.

On Ubuntu systems the custom certificates are taken from
/usr/local/share/ca-certificates; please use PEM format, .crt extension
and call update-ca-certificates.

On Fedora systems custom certificates can be put in
/usr/share/pki/ca-trust-source/anchors; please use PEM format, .pem
extension and call update-ca-trust.

[1] http://docs.python-requests.org/en/master/user/advanced/#ssl-cert-verification

Change-Id: I0025e7c72fa2d863ae9540941956b1ab63bcc636
Tomasz Nowak 2017-03-29 11:42:52 +02:00 committed by Tomasz Nowak
parent c3c6b7fdc7
commit 043ad08237
3 changed files with 25 additions and 1 deletions
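An added example (not code from this change or from Trove) showing the two pieces the commit message describes done defensively in POSIX sh: a CA bundle built from the distribution's own roots plus any locally installed CAs, tolerant of an empty custom directory and of PEM files without a trailing newline, and the systemd drop-in written with printf rather than `echo -e`. The function names, the scratch-directory `self_check` and the placeholder PEM blocks are this example's own constructions; the default Ubuntu paths are the ones named in the message above.

```shell
#!/bin/sh
# Added example, not part of the Trove change: helpers that build a CA
# bundle for REQUESTS_CA_BUNDLE without discarding the distribution roots,
# and write the systemd drop-in with printf. Function names and the
# scratch-directory layout in self_check are this example's own choices;
# the paths used in the usage line are the Ubuntu ones from the commit message.
# usage:  . ./ca-bundle.sh
#         build_bundle /etc/ssl/certs/trove-ca-bundle.crt \
#             /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates
#         write_dropin /etc/systemd/system/trove-guest.service.d \
#             /etc/ssl/certs/trove-ca-bundle.crt

# append_pem SRC DEST: append SRC to DEST and make sure a newline follows,
# so the END line of one PEM block never shares a line with the next BEGIN.
append_pem() {
    cat "$1" >> "$2"
    [ -z "$(tail -c 1 "$1")" ] || echo >> "$2"
}

# build_bundle OUT SYSTEM_BUNDLE CUSTOM_DIR
# System roots first, then every *.crt under CUSTOM_DIR. An empty CUSTOM_DIR
# leaves the glob unexpanded, which a bare `cat dir/*.crt` turns into an
# error (fatal under sh -e); here it is simply skipped.
build_bundle() {
    out=$1
    system_bundle=$2
    custom_dir=$3
    : > "$out.tmp"
    if [ -r "$system_bundle" ]; then
        append_pem "$system_bundle" "$out.tmp"
    fi
    for crt in "$custom_dir"/*.crt; do
        [ -r "$crt" ] || continue
        append_pem "$crt" "$out.tmp"
    done
    chmod 0644 "$out.tmp"
    mv "$out.tmp" "$out"
}

# count_certs FILE: number of PEM certificate blocks in FILE (prints 0, not
# an error, for a file without any).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# write_dropin DROPIN_DIR CA_PATH
# printf instead of `echo -e`: dash, the /bin/sh on Ubuntu, has no -e option
# and would write a literal "-e" in front of the [Service] header.
write_dropin() {
    mkdir -p "$1"
    printf '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=%s\n' "$2" \
        > "$1/30-use-system-certificates.conf"
}

# self_check: run the helpers on a scratch tree with constructed placeholder
# PEM blocks (not real certificates); returns 0 when everything holds.
self_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/custom" "$tmp/empty"
    # constructed "system" bundle, deliberately without a trailing newline
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'SYSTEM-ROOT' \
        '-----END CERTIFICATE-----' > "$tmp/system.crt"
    # constructed local CA, as dropped into /usr/local/share/ca-certificates
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'LOCAL-CA' \
        '-----END CERTIFICATE-----' > "$tmp/custom/corp.crt"

    build_bundle "$tmp/bundle.crt" "$tmp/system.crt" "$tmp/custom"
    [ "$(count_certs "$tmp/bundle.crt")" = 2 ] || return 1
    # END of one block and BEGIN of the next must sit on separate lines
    grep -q 'END CERTIFICATE----------BEGIN' "$tmp/bundle.crt" && return 1

    # an empty custom directory must still yield the system roots
    build_bundle "$tmp/empty-bundle.crt" "$tmp/system.crt" "$tmp/empty"
    [ "$(count_certs "$tmp/empty-bundle.crt")" = 1 ] || return 1

    write_dropin "$tmp/dropin" "$tmp/bundle.crt"
    [ "$(head -n 1 "$tmp/dropin/30-use-system-certificates.conf")" = '[Service]' ] \
        || return 1

    rm -rf "$tmp"
}
```

On a real Ubuntu guest the custom step is usually unnecessary: update-ca-certificates already merges /usr/local/share/ca-certificates/*.crt into /etc/ssl/certs/ca-certificates.crt, so pointing REQUESTS_CA_BUNDLE at that file gives the same trust set; the bundle builder above is for the case where the service must trust a set of CAs that are deliberately not installed system-wide.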


@ -0,0 +1,11 @@
#!/bin/sh
# CONTEXT: GUEST during CONSTRUCTION as ROOT
# PURPOSE: configure trove-guest service to use system store of trusted certificates
GUEST_UNIT_DROPINS="/etc/systemd/system/trove-guest.service.d"
mkdir -v -p ${GUEST_UNIT_DROPINS}
echo -e '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs' > ${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf
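Review bot: REQUESTS_CA_BUNDLE=/etc/pki/tls/certs on line 43 names a directory, and Requests only treats a directory as a CA path when it is laid out for OpenSSL's CApath lookup (one file or symlink per CA named by subject hash), which update-ca-trust does not maintain under /etc/pki/tls/certs. Point the drop-in at the bundle file that directory already carries, /etc/pki/tls/certs/ca-bundle.crt, which update-ca-trust regenerates from the anchors placed in /usr/share/pki/ca-trust-source/anchors, so the setting works independently of the Requests version's directory support: `Environment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt`. While there, `echo -e` under `#!/bin/sh` only works because Fedora's /bin/sh is bash; `printf '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=%s\n' <path>` is the portable form and keeps this element identical in shape to the Ubuntu one.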


@ -0,0 +1,11 @@
#!/bin/sh
# CONTEXT: GUEST during CONSTRUCTION as ROOT
# PURPOSE: configure trove-guest service to use system store of trusted certificates
GUEST_UNIT_DROPINS="/etc/systemd/system/trove-guest.service.d"
mkdir -v -p ${GUEST_UNIT_DROPINS}
echo -e '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=/etc/ssl/certs' > ${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf
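Review bot: `echo -e` on line 53 runs under `#!/bin/sh`, which on Ubuntu is dash; dash's builtin echo has no -e option and prints it literally, so the drop-in starts with `-e [Service]` instead of a section header, systemd then sees the Environment= line outside any section and ignores it, and the guest agent runs without REQUESTS_CA_BUNDLE at all. Write the file with printf: `printf '[Service]\nEnvironment=REQUESTS_CA_BUNDLE=%s\n' /etc/ssl/certs/ca-certificates.crt > ${GUEST_UNIT_DROPINS}/30-use-system-certificates.conf`. Using the bundle file rather than the /etc/ssl/certs directory also removes the dependency on the Requests version's directory support that the commit message itself flags for older Pythons; update-ca-certificates already folds /usr/local/share/ca-certificates/*.crt into that bundle, so the documented "drop a .crt and run update-ca-certificates" workflow still works unchanged.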


@ -36,5 +36,7 @@ script
fi
exec su -c "/home/GUEST_USERNAME/trove/contrib/trove-guestagent $TROVE_CONFIG" GUEST_USERNAME
# Requests: CA directories not supported in older Pythons, a custom bundle file is needed
cat /usr/local/share/ca-certificates/*.crt > /usr/local/share/ca-certificates/custom.bundle
exec su -c "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/custom.bundle /home/GUEST_USERNAME/trove/contrib/trove-guestagent $TROVE_CONFIG" GUEST_USERNAME
end script
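Review bot: the `cat /usr/local/share/ca-certificates/*.crt` on line 61 makes the agent fail to start on any guest that has no custom certificate installed: upstart runs `script` stanzas with `sh -e`, the unexpanded glob makes cat exit non-zero, and the exec on line 62 is never reached. The bundle it produces also contains only the local certs and none of the public roots, so a Swift endpoint with a publicly issued certificate, which worked before this change through Requests' own bundle, would now fail verification. Both problems disappear by using the bundle update-ca-certificates already maintains, which merges the system roots with /usr/local/share/ca-certificates/*.crt, and dropping lines 60-61: `exec su -c "REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt /home/GUEST_USERNAME/trove/contrib/trove-guestagent $TROVE_CONFIG" GUEST_USERNAME`. (The rendered diff has lost its +/- markers; per the header's 5 to 7 line change, line 59 is the removed exec and lines 60-62 the additions.)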