Bug 42016

Summary: Docker Apps should gain access to the host's certificate
Product: UCS
Component: App Center
Version: UCS 4.1
Target Milestone: UCS 4.1-3-errata
Status: CLOSED FIXED
Severity: enhancement
Priority: P2
Hardware: Other
OS: Linux
Reporter: Dirk Wiesenthal <wiesenthal>
Assignee: Dirk Wiesenthal <wiesenthal>
QA Contact: Felix Botner <botner>
CC: gohmann
What kind of report is it?: Feature Request
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---

Description Dirk Wiesenthal univentionstaff 2016-08-16 23:45:45 CEST
HostCertificateAccess=True

should give a Docker App read-only access to /etc/univention/ssl/$dockerhost/.

Comment 1 Dirk Wiesenthal univentionstaff 2016-08-17 00:59:45 CEST
Done via --volume parameter for the Docker container in
  univention-appcenter 5.0.22-4.209.201608170040

While installing, I get

Join Computer Account:  done
mv: cannot move `/etc/univention/ssl/master50.dirk.singlemaster.intranet' to `/etc/univention/ssl_1608170031/master50.dirk.singlemaster.intranet': Device or resource busy
mkdir: cannot create directory `/etc/univention/ssl': File exists
Check TLS connection:  done


But this seems to be harmless.

Comment 2 Felix Botner univentionstaff 2016-08-24 17:09:54 CEST
OK - 

-> more meta-inf/4.1/dudle/dudle_20160201.ini | grep Ho
HostCertificateAccess=True

-> docker inspect $(ucr get appcenter/apps/dudle/container)
    "Volumes": {
        "/etc/univention/ssl/master.four.test": "/etc/univention/ssl/master.four.test",
        "/var/lib/univention-appcenter/apps/dudle/conf": "/var/lib/univention-appcenter/apps/dudle/conf",
        "/var/lib/univention-appcenter/apps/dudle/data": "/var/lib/univention-appcenter/apps/dudle/data"
    },
    "VolumesRW": {
        "/etc/univention/ssl/master.four.test": false,
        "/var/lib/univention-appcenter/apps/dudle/conf": true,
        "/var/lib/univention-appcenter/apps/dudle/data": true
    }

-> univention-app shell dudle openssl x509 -in /etc/univention/ssl/master.four.test/cert.pem  -subject  
subject= /C=US/ST=DE/L=DE/O=home/OU=Univention Corporate Server/CN=master.four.test/emailAddress=ssl@four.test

OK - YAML
OK - merged to 4.2-0

Comment 3 Janek Walkenhorst univentionstaff 2016-09-07 18:41:47 CEST
<http://errata.software-univention.de/ucs/4.1/247.html>
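
The read-only check that Comment 2 performs by reading docker inspect output, as an added example (not part of the original bug report or of univention-appcenter). It goes beyond the quoted output by also reading the Mounts layout of newer Docker releases and by flagging a writable parent directory; the sample data, the host name host.example.test, the app name demo and all function names are constructed.

```python
import json
import posixpath

CERT_ROOT = "/etc/univention/ssl"  # host certificate tree named in this bug

# Constructed sample: "ok" uses the legacy layout quoted in Comment 2,
# "bad" uses the Mounts layout with a writable certificate directory.
SAMPLE = json.dumps([
    {"Name": "/ok",
     "Volumes": {CERT_ROOT + "/host.example.test": CERT_ROOT + "/host.example.test",
                 "/data": "/var/lib/univention-appcenter/apps/demo/data"},
     "VolumesRW": {CERT_ROOT + "/host.example.test": False, "/data": True}},
    {"Name": "/bad",
     "Mounts": [{"Source": CERT_ROOT + "/host.example.test",
                 "Destination": "/certs", "RW": True}]},
])


def iter_mounts(container):
    """Yield (host_path, writable) from either inspect layout."""
    rw_flags = container.get("VolumesRW") or {}
    for dest, source in (container.get("Volumes") or {}).items():
        # A missing flag counts as writable, so it is reported, not trusted.
        yield source, rw_flags.get(dest, True)
    for mount in container.get("Mounts") or []:
        yield mount.get("Source", ""), mount.get("RW", True)


def under(path, root):
    """True if path is root or below it, after normalising '..' segments."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def writable_cert_mounts(inspect_output, cert_root=CERT_ROOT):
    """Return sorted (container, host path) pairs for writable mounts that
    expose the certificate tree, including a writable parent such as /etc."""
    findings = []
    for container in json.loads(inspect_output):
        for source, writable in iter_mounts(container):
            exposes = under(source, cert_root) or under(cert_root, source)
            if writable and source and exposes:
                findings.append((container.get("Name", "?"), source))
    return sorted(findings)


if __name__ == "__main__":
    for name, path in writable_cert_mounts(SAMPLE):
        print("writable certificate mount: %s -> %s" % (name, path))
```

Pass it the JSON text printed by docker inspect for the app's container; an empty result means no writable mount exposes the certificate tree.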