Bug 42016 - Docker Apps should gain access to the host's certificate
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: App Center
UCS 4.1
Other Linux
P2 enhancement
UCS 4.1-3-errata
Assigned To: Dirk Wiesenthal
Felix Botner
Reported: 2016-08-16 23:45 CEST by Dirk Wiesenthal
Modified: 2016-09-22 07:24 CEST
What kind of report is it?: Feature Request


Description Dirk Wiesenthal univentionstaff 2016-08-16 23:45:45 CEST
HostCertificateAccess=True

should give a Docker App read-only access to /etc/univention/ssl/$dockerhost/.
Comment 1 Dirk Wiesenthal univentionstaff 2016-08-17 00:59:45 CEST
Done via --volume parameter for the Docker container in
  univention-appcenter 5.0.22-4.209.201608170040

While installing, I get

Join Computer Account:  done
mv: cannot move `/etc/univention/ssl/master50.dirk.singlemaster.intranet' to `/etc/univention/ssl_1608170031/master50.dirk.singlemaster.intranet': Device or resource busy
mkdir: cannot create directory `/etc/univention/ssl': File exists
Check TLS connection:  done


But this seems to be harmless.
Comment 2 Felix Botner univentionstaff 2016-08-24 17:09:54 CEST
OK - 

-> more meta-inf/4.1/dudle/dudle_20160201.ini | grep Ho
HostCertificateAccess=True

-> docker inspect $(ucr get appcenter/apps/dudle/container)
    "Volumes": {
        "/etc/univention/ssl/master.four.test": "/etc/univention/ssl/master.four.test",
        "/var/lib/univention-appcenter/apps/dudle/conf": "/var/lib/univention-appcenter/apps/dudle/conf",
        "/var/lib/univention-appcenter/apps/dudle/data": "/var/lib/univention-appcenter/apps/dudle/data"
    },
    "VolumesRW": {
        "/etc/univention/ssl/master.four.test": false,
        "/var/lib/univention-appcenter/apps/dudle/conf": true,
        "/var/lib/univention-appcenter/apps/dudle/data": true
    }

-> univention-app shell dudle openssl x509 -in /etc/univention/ssl/master.four.test/cert.pem  -subject  
subject= /C=US/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=master.four.test/emailAddress=ssl@four.test

OK - YAML
OK - merged to 4.2-0
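
The manual check in Comment 2 (the certificate directory appears in the container's volumes and its RW flag is false) can be automated. The following is an added example, not part of the original comments and not Univention code: it audits `docker inspect` JSON for mounts under /etc/univention/ssl and reports any that are writable or missing. It goes beyond the output quoted above by also reading the `Mounts` list that newer Docker releases print; the container name "/dudle" and the function names are assumptions.

```python
import json
import posixpath

CERT_ROOT = "/etc/univention/ssl"  # directory named in the bug description

# Constructed sample: the Volumes/VolumesRW values quoted in Comment 2,
# wrapped in the list `docker inspect` prints. "Name" is an assumed value.
SAMPLE = json.dumps([{
    "Name": "/dudle",
    "Volumes": {
        "/etc/univention/ssl/master.four.test": "/etc/univention/ssl/master.four.test",
        "/var/lib/univention-appcenter/apps/dudle/conf": "/var/lib/univention-appcenter/apps/dudle/conf",
    },
    "VolumesRW": {
        "/etc/univention/ssl/master.four.test": False,
        "/var/lib/univention-appcenter/apps/dudle/conf": True,
    },
}])


def _under(path, root):
    """True if path is root or below it; a sibling such as ssl_1608170031 is not."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def cert_mounts(container, root=CERT_ROOT):
    """Map container path -> writable flag for every mount under root."""
    found = {}
    rw_flags = container.get("VolumesRW") or {}
    for dest in container.get("Volumes") or {}:      # legacy layout (Comment 2)
        if _under(dest, root):
            found[dest] = bool(rw_flags.get(dest, True))  # missing flag: fail closed
    for m in container.get("Mounts") or []:          # layout of newer Docker releases
        if _under(m.get("Destination", ""), root):
            found[m["Destination"]] = bool(m.get("RW", True))
    return found


def audit(inspect_output, root=CERT_ROOT):
    """Return findings; an empty list means every inspected container passed."""
    data = json.loads(inspect_output)
    findings = []
    for c in data if isinstance(data, list) else [data]:
        name, mounts = c.get("Name", "<unnamed>"), cert_mounts(c, root)
        if not mounts:
            findings.append(f"{name}: no mount under {root}")
        findings += [f"{name}: {d} is writable" for d, rw in sorted(mounts.items()) if rw]
    return findings
```

`audit(SAMPLE)` returns an empty list for the values from Comment 2; piping real `docker inspect` output into `audit()` gives the same check for a live container.
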
Comment 3 Janek Walkenhorst univentionstaff 2016-09-07 18:41:47 CEST
<http://errata.software-univention.de/ucs/4.1/247.html>