yahoo-eng-team team mailing list archive
Message #00286
[Bug 1077020] Re: cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf
This bug was fixed in the package cloud-init - 0.7.0-0ubuntu2.2
---------------
cloud-init (0.7.0-0ubuntu2.2) quantal-proposed; urgency=low

  * debian/patches/lp-1090482-fix-cloud-config-mirrors.patch:
    fix issue with cloud-config data in user-data providing mirror
    info (LP: #1073077)

cloud-init (0.7.0-0ubuntu2.1) quantal-proposed; urgency=low

  * debian/patches/lp-1073077-zsh-workaround-for-locale_warn.patch: avoid
    warning when user's shell is zsh (LP: #1073077)
  * debian/patches/lp-1077700-config-drive-fix-ssh-authorized-keys.patch:
    fix bug in config-drive-v2 usage of authorized keys (LP: #1077700)
  * debian/patches/lp-1080985-fix-resize-root-noblock.patch:
    fix 'resize_root: noblock' (LP: #1080985)
  * debian/patches/lp-1076811-fix-userdata-update-to-distro-config.patch:
    fix updates to distro config via user-data. (LP: #1076811)
  * debian/patches/lp-1066115-install-landscape-if-needed.patch:
    fix permissions on landscape config, and ensure landscape client
    is installed if landscape config is given. (LP: #1066115)
  * debian/patches/lp-1070345-restart-landscape-if-needed.patch:
    restart the landscape-client if changes to config were made. (LP: #1070345)
  * debian/patches/lp-1077020-fix-ca-certificates-blanklines.patch: fix
    adding of empty lines in ca-certificates file (LP: #1077020)

 -- Scott Moser <smoser@xxxxxxxxxx>  Mon, 17 Dec 2012 10:15:03 -0500
** Changed in: cloud-init (Ubuntu Quantal)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to cloud-init.
https://bugs.launchpad.net/bugs/1077020
Title:
cloud-init ca-certs leaves a blank line in /etc/ca-certificates.conf
Status in Init scripts for use on cloud images:
Fix Committed
Status in “cloud-init” package in Ubuntu:
Fix Released
Status in “cloud-init” source package in Precise:
Triaged
Status in “cloud-init” source package in Quantal:
Fix Released
Status in “cloud-init” source package in Raring:
Fix Released
Bug description:
== Begin SRU Information ==
[Impact]
* a documented feature of cloud-init, for adding ca-certificates does not function as it should. Instead, certificates added in this manner simply are ignored. This is because apparently, a line directly following a blank line in /etc/ca-certificates.conf is ignored.
[Test Case]
- start a cloud instance with no user-data
- add content below to /etc/cloud/cloud.cfg.d/99-local-certs.cfg
- run the ca-certs code through cloud-init single
  you will see output from update-ca-certificates indicating no
  new certificates were added
    $ sudo cloud-init single --name=ca_certs --frequency=always
    Cloud-init v. 0.7 running 'single' at Sun, 02 Dec 2012 02:23:21 +0000. Up 2429.68 seconds.
    Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....done.
    # this can be fixed by removing the blank line and re-running
    # update-ca-certificates
  Also, note that the following has no output:
    $ ls -l /usr/lib/ssl/certs/ | grep -i cloud
- edit /etc/ca-certificates.conf, remove cloud-init added entry
    $ sudo sed -i '/cloud-init-ca-certs.crt/d' /etc/ca-certificates.conf
- upgrade cloud-init, re-run the ca_certs
    $ sudo dpkg -i cloud-init_all.deb
    $ sudo cloud-init single --name=ca_certs --frequency=always
  This time, you will see output containing: "1 added, 0 removed; done."
  Also, (trimmed output), you will see:
    $ ls -l /usr/lib/ssl/certs/ | grep -i cloud
    lrwxrwxrwx b1d2b355.0 -> cloud-init-ca-certs.pem
    lrwxrwxrwx cbbf81bb.0 -> cloud-init-ca-certs.pem
    lrwxrwxrwx cloud-init-ca-certs.pem -> /usr/share/ca-certificates/cloud-init-ca-certs.crt
[Regression Potential]
* regression potential is low. It could break the ca_certs module further, but the module is not functional as it is. Tracebacks are caught when modules are executed, so there is really no potential for further harm.
== End SRU Information ==
Using a cloud-init yaml file adding a certificate like this:
# BEGIN /etc/cloud/cloud.cfg.d/99-local-certs.cfg
ca-certs:
  # If present, the 'trusted' parameter should contain a certificate (or list
  # of certificates) to add to the system as trusted CA certificates.
  # Pay close attention to the YAML multiline list syntax. The example shown
  # here is for a list of multiline certificates.
  # - Amazon RDS SSL Certificate (http://s3.amazonaws.com/rds-downloads/mysql-ssl-ca-cert.pem)
  trusted:
    - |
      -----BEGIN CERTIFICATE-----
      [certificate body not preserved in this archive copy]
      -----END CERTIFICATE-----
# END /etc/cloud/cloud.cfg.d/99-local-certs.cfg
The certificate is added to the /etc/ca-certificates.conf file but
there is a blank line between the previous content and the line added
by cloud-init. In this situation running update-ca-certificates
doesn't take the cloud-init certificates into account. Removing the
blank line and running update-ca-certificates again fixes the issue.
ProblemType: Bug
DistroRelease: Ubuntu 12.04
Package: cloud-init 0.6.3-0ubuntu1.1
ProcVersionSignature: User Name 3.2.0-31.50-virtual 3.2.28
Uname: Linux 3.2.0-31-virtual x86_64
ApportVersion: 2.0.1-0ubuntu14
Architecture: amd64
Date: Fri Nov 9 15:01:03 2012
Ec2AMI: ami-3d4ff254
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-east-1d
Ec2InstanceType: m1.medium
Ec2Kernel: aki-825ea7eb
Ec2Ramdisk: unavailable
PackageArchitecture: all
ProcEnviron:
TERM=screen
PATH=(custom, user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: cloud-init
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-init/+bug/1077020/+subscriptions
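
Added example (not part of the original bug report, and not the cloud-init patch itself): a Python sketch of the failure mode described above, with a check that finds entries in ca-certificates.conf text that directly follow a blank line, the repair the report describes, and an append that does not leave a blank line. The function names, the sample text and the mozilla/Example_Root_CA.crt entry are constructed for illustration.

```python
# Added illustration; not cloud-init's code. Function names are hypothetical.

def _is_entry(line):
    """Active entry: not blank, not a '#' comment, not a '!' deselected cert."""
    s = line.strip()
    return bool(s) and not s.startswith(("#", "!"))

def entries_after_blank(conf_text):
    """Return [(line_no, entry)] for entries that directly follow a blank line."""
    hits, prev_blank = [], False
    for no, line in enumerate(conf_text.splitlines(), start=1):
        if _is_entry(line) and prev_blank:
            hits.append((no, line.strip()))
        prev_blank = not line.strip()
    return hits

def drop_blank_lines(conf_text):
    """Repair described in the report: remove blank lines, keep everything else."""
    kept = [l for l in conf_text.splitlines() if l.strip()]
    return "\n".join(kept) + "\n" if kept else ""

def append_entry(conf_text, entry):
    """Append entry once, separated from earlier content by exactly one newline."""
    lines = conf_text.splitlines()
    if entry in (l.strip() for l in lines):
        return conf_text  # already listed: leave the text untouched
    while lines and not lines[-1].strip():
        lines.pop()  # trailing blank lines would shadow the new entry
    return "\n".join(lines + [entry]) + "\n"

# Constructed sample reproducing the layout from the report.
SAMPLE_BROKEN = (
    "# line begins with # is comment.\n"
    "mozilla/Example_Root_CA.crt\n"
    "\n"
    "cloud-init-ca-certs.crt\n"
)

if __name__ == "__main__":
    print(entries_after_blank(SAMPLE_BROKEN))
    print(entries_after_blank(drop_blank_lines(SAMPLE_BROKEN)))
    print(append_entry("mozilla/Example_Root_CA.crt\n\n", "cloud-init-ca-certs.crt"))
```

Running entries_after_blank over the real /etc/ca-certificates.conf after provisioning shows whether an added CA may have been skipped by update-ca-certificates.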