openstackclients snap with strict confinement can't access /etc/openstack-integrator/ca.crt

Bug #1922720 reported by Nikolay Vinogradov
This bug affects 2 people
Affects: Openstack Integrator Charm
Status: Fix Released
Importance: High
Assigned to: George Kraft

Bug Description

Deploying openstack-integrator charm, revision 102. openstackclients snap can't access the CA certificate the charm installs to /etc/openstack-integrator/ca.crt:

021-04-05 10:42:22 WARNING loadbalancer-relation-joined SSL exception connecting to https://<keystone>:5000/v3/auth/tokens: HTTPSConnectionPool(host='<keystone>', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("unable to load trusted certificates: Error([('system library', 'fopen', 'Permission denied'), ('BIO routines', 'BIO_new_file', 'system lib'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')],)",),))
2021-04-05 10:42:22 ERROR juju-log loadbalancer:53: Hook error:

in syslog:

Apr 5 10:43:49 juju-c9a0e1-k8s-1-15 kernel: [ 6400.662336] audit: type=1400 audit(1617619429.274:454): apparmor="DENIED" operation="open" profile="snap.openstackclients.openstack" name="/etc/openstack-integrator/ca.crt" pid=56173 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Re-installing openstack-integrator snap without strict confinement (e.g. --devmode) fixes the "Permission denied" issue.
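
An added example, not part of the original report or the charm's code: a Python parser for kernel AppArmor audit lines like the one quoted above, listing which files each strictly confined snap was denied. The function names are hypothetical, and the sample input is the denial from the report plus two constructed lines.

```python
import re
import shlex
from collections import defaultdict

# Sample input: line 1 is the denial quoted in the report; lines 2-3 are
# constructed for contrast (an ALLOWED event and a non-snap profile).
SAMPLE_SYSLOG = """\
Apr 5 10:43:49 juju-c9a0e1-k8s-1-15 kernel: [ 6400.662336] audit: type=1400 audit(1617619429.274:454): apparmor="DENIED" operation="open" profile="snap.openstackclients.openstack" name="/etc/openstack-integrator/ca.crt" pid=56173 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 5 10:43:50 host kernel: [ 6401.000000] audit: type=1400 audit(1617619430.000:455): apparmor="ALLOWED" operation="open" profile="snap.example.app" name="/etc/hosts" pid=1 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Apr 5 10:43:51 host kernel: [ 6402.000000] audit: type=1400 audit(1617619431.000:456): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/shadow" pid=2 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Kernel AppArmor events are audit type 1400: audit(<epoch>:<serial>): key=value ...
AUDIT_RE = re.compile(r"audit: type=1400 audit\((?P<ts>[\d.]+):\d+\): (?P<fields>.*)$")


def parse_apparmor_event(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = {"timestamp": float(m.group("ts"))}
    for token in shlex.split(m.group("fields")):  # shlex strips the quotes
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def snap_file_denials(text):
    """Map (snap, app) -> {(path, denied_mask)} for DENIED events on snap profiles."""
    denials = defaultdict(set)
    for line in text.splitlines():
        event = parse_apparmor_event(line)
        if not event or event.get("apparmor") != "DENIED" or "name" not in event:
            continue
        # Snap profiles are named snap.<snap>.<app>
        prefix, _, rest = event.get("profile", "").partition(".")
        snap, _, app = rest.partition(".")
        if prefix != "snap" or not snap or not app:
            continue
        denials[(snap, app)].add((event["name"], event.get("denied_mask", "")))
    return dict(denials)


if __name__ == "__main__":
    for (snap, app), paths in snap_file_denials(SAMPLE_SYSLOG).items():
        for path, mask in sorted(paths):
            print(f"snap {snap} (app {app}) denied '{mask}' on {path}")
```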

George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Undecided → Medium
status: New → Triaged
Vladimir Grevtsev (vlgrevtsev) wrote :

Still actual. Are there any plans for fixing this issue?

Calvin Hartwell (calvinh) wrote :

Marked as Field High as per Chris' recommendation.

George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Medium → High
Chris Sanders (chris.sanders) wrote :

It appears we'll need to be careful about certificate placement when making this change.
https://forum.snapcraft.io/t/etc-ssl-certs-is-different-on-each-core-version/23852

George Kraft (cynerva)
Changed in charm-openstack-integrator:
status: Triaged → In Progress
assignee: nobody → George Kraft (cynerva)
George Kraft (cynerva) wrote :
George Kraft (cynerva) wrote :
Changed in charm-openstack-integrator:
status: In Progress → Fix Committed
milestone: none → 1.21+ck1
Changed in charm-openstack-integrator:
status: Fix Committed → Fix Released