openstackclients snap with strict confinement can't access /etc/openstack-integrator/ca.crt

Bug #1922720 reported by Nikolay Vinogradov
This bug affects 2 people
Affects: Openstack Integrator Charm
Importance: High
Assigned to: George Kraft

Bug Description

Deploying openstack-integrator charm, revision 102. openstackclients snap can't access the CA certificate the charm installs to /etc/openstack-integrator/ca.crt:

021-04-05 10:42:22 WARNING loadbalancer-relation-joined SSL exception connecting to https://<keystone>:5000/v3/auth/tokens: HTTPSConnectionPool(host='<keystone>', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by SSLError(SSLError("unable to load trusted certificates: Error([('system library', 'fopen', 'Permission denied'), ('BIO routines', 'BIO_new_file', 'system lib'), ('x509 certificate routines', 'X509_load_cert_crl_file', 'system lib')],)",),))
2021-04-05 10:42:22 ERROR juju-log loadbalancer:53: Hook error:

in syslog:

Apr 5 10:43:49 juju-c9a0e1-k8s-1-15 kernel: [ 6400.662336] audit: type=1400 audit(1617619429.274:454): apparmor="DENIED" operation="open" profile="snap.openstackclients.openstack" name="/etc/openstack-integrator/ca.crt" pid=56173 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

Re-installing openstack-integrator snap without strict confinement (e.g. --devmode) fixes the "Permission denied" issue.
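
A triage helper for the kind of kernel audit record quoted in the description, as an added example that is not part of the original report or the charm's code: it parses AppArmor DENIED lines and lists which snap app was refused which path. The function names are hypothetical, and every sample line except the first (the syslog line above) is constructed.

```python
import re

# key=value pairs in an audit record; values are double-quoted or bare tokens
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')

def parse_apparmor_denial(line):
    """Return the fields of an AppArmor DENIED record as a dict, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw in _KV.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            value = raw[1:-1]
        elif key == "name" and _HEX.fullmatch(raw):
            # audit writes paths containing spaces or quotes as unquoted hex
            value = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            value = raw
        fields[key] = value
    return fields

def snap_denials(lines):
    """List (snap, app, path, denied_mask) for profiles named snap.<snap>.<app>."""
    found = []
    for line in lines:
        rec = parse_apparmor_denial(line)
        parts = rec.get("profile", "").split(".") if rec else []
        if len(parts) >= 3 and parts[0] == "snap":
            found.append((parts[1], ".".join(parts[2:]),
                          rec.get("name"), rec.get("denied_mask")))
    return found

# The syslog line from the bug description
PAGE_LINE = ('Apr 5 10:43:49 juju-c9a0e1-k8s-1-15 kernel: [ 6400.662336] audit: type=1400 '
             'audit(1617619429.274:454): apparmor="DENIED" operation="open" '
             'profile="snap.openstackclients.openstack" name="/etc/openstack-integrator/ca.crt" '
             'pid=56173 comm="python3" requested_mask="r" denied_mask="r" fsuid=0 ouid=0')
# Constructed lines: a hex-encoded path, a non-snap profile, an unrelated message
HEX_NAME = "/etc/my certs/ca.crt".encode().hex().upper()
SAMPLE = [
    PAGE_LINE,
    'audit: type=1400 apparmor="DENIED" operation="open" '
    f'profile="snap.openstackclients.openstack" name={HEX_NAME} denied_mask="r"',
    'audit: type=1400 apparmor="DENIED" operation="open" '
    'profile="/usr/sbin/tcpdump" name="/tmp/x.pcap" denied_mask="w"',
    'Apr 5 10:43:50 host systemd[1]: Started Session 12 of user ubuntu.',
]

if __name__ == "__main__":
    for snap, app, path, mask in snap_denials(SAMPLE):
        print(f"snap={snap} app={app} denied={mask} path={path}")
```
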

George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Undecided → Medium
status: New → Triaged
Vladimir Grevtsev (vlgrevtsev) wrote :

Still relevant. Are there any plans for fixing this issue?

Calvin Hartwell (calvinh) wrote :

Marked as Field High as per Chris' recommendation.

George Kraft (cynerva)
Changed in charm-openstack-integrator:
importance: Medium → High
Chris Sanders (chris.sanders) wrote :

It appears we'll need to be careful about certificate placement when making this change.
https://forum.snapcraft.io/t/etc-ssl-certs-is-different-on-each-core-version/23852

George Kraft (cynerva)
Changed in charm-openstack-integrator:
status: Triaged → In Progress
assignee: nobody → George Kraft (cynerva)
George Kraft (cynerva) wrote :
George Kraft (cynerva) wrote :
Changed in charm-openstack-integrator:
status: In Progress → Fix Committed
milestone: none → 1.21+ck1
Changed in charm-openstack-integrator:
status: Fix Committed → Fix Released