podman machine: Propagate SSL_CERT_FILE and SSL_CERT_DIR to systemd e… #16457

Contributor

@bjorndown bjorndown commented Nov 9, 2022

…nvironment.

Fixes #16041.

Signed-off-by: Björn Mosler [email protected]

Does this PR introduce a user-facing change?

SSL_CERT_FILE and SSL_CERT_DIR are propagated to VM by podman machine. 

@openshift-ci openshift-ci bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note labels Nov 9, 2022
@mheon
Member

mheon commented Nov 9, 2022

@baude @ashley-cui PTAL

@bjorndown bjorndown force-pushed the feature/pass-ssl-cert-file-via-fw-cfg branch from 34a98fd to 8bb7cf3 Compare November 9, 2022 20:02
@bjorndown
Contributor Author

I am currently testing on macOS. Given

% env | grep SSL
SSL_CERT_FILE=/Users/bjorm/googlecert4.pem
SSL_CERT_DIR=/Users/bjorm/certs

% ls -l  /Users/bjorm/certs
total 24
-rw-r--r--  1 bjorm  staff  1939 Nov  9 20:38 googlecert.pem
-rw-r--r--  1 bjorm  staff  1939 Nov  9 20:38 googlecert2.pem
-rw-r--r--  1 bjorm  staff  1939 Nov  9 20:38 googlecert3.pem

turns into

[core@localhost ~]$ env | grep SSL
SSL_CERT_DIR=/etc/containers/certs.d/certs
SSL_CERT_FILE=/etc/containers/certs.d/googlecert4.pem

[core@localhost ~]$ ls -l /etc/containers/certs.d
total 16
-rw-r--r--. 1 root root 1939 Nov 10 15:11 googlecert.pem
-rw-r--r--. 1 root root 1939 Nov 10 15:11 googlecert2.pem
-rw-r--r--. 1 root root 1939 Nov 10 15:11 googlecert3.pem
-rw-r--r--. 1 root root 1939 Nov 10 15:11 googlecert4.pem

Need to fix path of SSL_CERT_DIR inside VM.

@bjorndown bjorndown force-pushed the feature/pass-ssl-cert-file-via-fw-cfg branch from 8bb7cf3 to b89aee0 Compare November 11, 2022 10:26
@bjorndown
Contributor Author

SSL_CERT_DIR is now /etc/containers/certs.d inside the VM.
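
The host-to-VM path mapping reported in the two comments above, as an added Go example that is not part of this pull request or podman's own code. `PlanGuestCerts` and `CertPlan` are hypothetical names, and placing files by base name is an assumption drawn from the directory listing; the plan also reports base names supplied by more than one host file, since a flat target directory can hold only one file per name.

```go
package main

import (
	"fmt"
	"path"
	"path/filepath"
	"sort"
)

// guestCertDir is the directory the PR conversation shows inside the VM.
const guestCertDir = "/etc/containers/certs.d"

// CertPlan describes what the guest should end up with (hypothetical type).
type CertPlan struct {
	Env        map[string]string // variables as seen inside the VM
	Copies     map[string]string // guest path -> host path
	Collisions []string          // base names supplied by more than one host file
}

// PlanGuestCerts maps the host's SSL_CERT_FILE and the files found in
// SSL_CERT_DIR onto the flat guest directory. Assumption: files are placed
// by base name, as the directory listing in the thread suggests.
func PlanGuestCerts(hostFile, hostDir string, dirEntries []string) CertPlan {
	p := CertPlan{Env: map[string]string{}, Copies: map[string]string{}}
	add := func(src string) string {
		dst := path.Join(guestCertDir, filepath.Base(src))
		if prev, ok := p.Copies[dst]; ok && prev != src {
			p.Collisions = append(p.Collisions, filepath.Base(src))
		}
		p.Copies[dst] = src
		return dst
	}
	if hostDir != "" {
		p.Env["SSL_CERT_DIR"] = guestCertDir
		for _, name := range dirEntries {
			add(filepath.Join(hostDir, name))
		}
	}
	if hostFile != "" {
		p.Env["SSL_CERT_FILE"] = add(hostFile)
	}
	sort.Strings(p.Collisions)
	return p
}

func main() {
	// Constructed input mirroring the macOS session in the thread.
	p := PlanGuestCerts("/Users/bjorm/googlecert4.pem", "/Users/bjorm/certs",
		[]string{"googlecert.pem", "googlecert2.pem", "googlecert3.pem"})
	fmt.Println(p.Env, len(p.Copies), p.Collisions)
}
```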

@bjorndown bjorndown force-pushed the feature/pass-ssl-cert-file-via-fw-cfg branch from b89aee0 to b791d69 Compare November 14, 2022 14:32
@bjorndown
Contributor Author

rebased, removed a Fixed comment in commit message.

@bjorndown bjorndown marked this pull request as ready for review November 14, 2022 15:54
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 14, 2022
Member

@vrothberg vrothberg left a comment

LGTM

@rhatdan
Member

rhatdan commented Nov 17, 2022

LGTM once you remove the spaces on the import files.
/approve

@openshift-ci
Contributor

openshift-ci bot commented Nov 17, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bjorndown, rhatdan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 17, 2022
@bjorndown bjorndown force-pushed the feature/pass-ssl-cert-file-via-fw-cfg branch from b791d69 to b043651 Compare November 18, 2022 08:28
@bjorndown bjorndown force-pushed the feature/pass-ssl-cert-file-via-fw-cfg branch from b043651 to caa2dfe Compare November 20, 2022 13:19
@bjorndown
Contributor Author

@rhatdan I addressed all the issues that were raised. Can we move forward?

@rhatdan
Member

rhatdan commented Nov 28, 2022

Thanks @bjorndown
/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Nov 28, 2022
@openshift-merge-robot openshift-merge-robot merged commit e4e7e41 into containers:main Nov 28, 2022
@igitur

igitur commented Apr 19, 2023

Hi all,

I'd love some help here. I'm using podman on Windows behind a corporate proxy that uses SSL inspection. I have the SSL_CERT_DIR and SSL_CERT_FILE environment variables populated, but I can't get them to bite in podman. I inspected the podman source and see that the relevant code is in ignition.go, but when exactly is that executed? I've tried resetting my environment and doing podman machine init --log-level=debug and podman machine start --log-level=debug but nowhere do I see the certificates being copied into the VM. podman machine ssh and I can see /etc/containers/certs.d/ is indeed empty. I'd like to avoid having to copy the certs manually into the VM. Please point me to the correct steps to get the certificates to be copied. Much appreciated.

@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Aug 27, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Aug 27, 2023
@bjorndown bjorndown deleted the feature/pass-ssl-cert-file-via-fw-cfg branch September 15, 2023 12:29
Successfully merging this pull request may close these issues.

SSL_CERT_FILE in podman machine's systemd environment