Add coreos-update-ca-trust.service #120
| @@ -0,0 +1,21 @@ | ||
| # This service is currently specific to Fedora CoreOS, | ||
| # but we may want to add it to the base OS in the future. | ||
| # The idea here is to allow users to just drop in CA roots | ||
| # via Ignition without having to know to run the special | ||
| # update command. | ||
| [Unit] | ||
| Description=Run update-ca-trust | ||
| ConditionFirstBoot=true | ||
| ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/ | ||
| # We want to run quite early, in particular before anything | ||
| # that may speak TLS to external services. In the future, | ||
| # it may make sense to do this in the initramfs too. | ||
| DefaultDependencies=no | ||
Member: This needs

Member (Author): If we did this, we wouldn't be able to use this service for the MCD.

Contributor: MCD doesn't run on FCOS right now. MCD could also add its own drop-in for turning

Member (Author): Fine. Done.

Have we verified that systemd honors conditions in drop-ins? I seem to recall this not working in the past.

Member (Author): In playing with this, it seems to work to do

When a user adds a new cert via machineconfig, wouldn't that restart the hosts anyway? So, in that case, we would actually want this to run on firstboot only.
| [Service] | ||
| ExecStart=/usr/bin/update-ca-trust extract | ||
| Type=oneshot | ||
| RemainAfterExit=yes | ||
| [Install] | ||
| WantedBy=basic.target | ||
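Review bot: with `DefaultDependencies=no` and no `Before=`/`After=` lines in the [Unit] section, `WantedBy=basic.target` only pulls the service into the transaction; `Wants=` carries no ordering, so nothing guarantees that `update-ca-trust extract` has finished before units that speak TLS start, which is the goal the comment above `DefaultDependencies=no` states. Suggest adding `Before=basic.target` next to `DefaultDependencies=no`, and `After=local-fs.target` as well, since the unit writes its extracted bundles under /etc/pki/ca-trust and disabling default dependencies also drops the implicit ordering after the local filesystems.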
WRT the initramfs, I'm not sure it's needed. The only things in there I can think of that might need TLS are Ignition (which supports custom certs in the `ignition` section) and afterburn, which is talking to cloud providers.

Right, coreos/ignition#636 is about this, but I can imagine people wanting to have the ones provided to Ignition persist for the host too.
But, this doesn't conflict with that; if Ignition writes it optionally, this service could read it.

I'm not sure I 100% follow? Ignition does not write them to the initramfs root, it adds them to its HTTP client directly from the config. I also think it would be a little misleading for Ignition to write them out to the initramfs root since the `ignition` section is just for configuring Ignition, not the initramfs in general. I still don't see a use case for this either. If people want them to persist to the host they should add `storage.files` entries. We could also add sugar to FCCT for this that generates both.

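The two mechanisms discussed in this thread, as an added example that is not from the PR or the fedora-coreos-config project: a Fedora CoreOS Config (FCCT input) that persists a CA root with a `storage.files` entry so the new service picks it up on first boot, plus a drop-in of the kind the MCD discussion above mentions, which lifts the first-boot-only restriction. The certificate body and file names are constructed placeholders; the reset semantics of `Condition*=` are from systemd.unit(5), not from this page.

```yaml
variant: fcos
version: 1.0.0
storage:
  files:
    # Ignition writes this file from the initramfs, so it already exists
    # when coreos-update-ca-trust.service evaluates
    # ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/ on the
    # first boot of the real root; no extra "run update-ca-trust" step is
    # needed by the user.
    - path: /etc/pki/ca-trust/source/anchors/example-corp-root.pem  # placeholder name
      mode: 0644
      contents:
        inline: |
          -----BEGIN CERTIFICATE-----
          PLACEHOLDER-PEM-BODY-OF-THE-CA-ROOT-GOES-HERE
          -----END CERTIFICATE-----
systemd:
  units:
    - name: coreos-update-ca-trust.service
      dropins:
        # Only needed if something other than Ignition (e.g. a config
        # management agent) adds anchors on later boots; Ignition itself
        # runs on first boot only, so the file above is covered without it.
        - name: 10-run-every-boot.conf  # placeholder name
          contents: |
            [Unit]
            # Condition*= settings form one list: assigning the empty
            # string to any of them resets the *whole* list, not just
            # ConditionFirstBoot=, so the directory check from the main
            # unit has to be restated or the service would run even when
            # there are no anchors at all.
            ConditionFirstBoot=
            ConditionDirectoryNotEmpty=/etc/pki/ca-trust/source/anchors/
```

After applying, `systemctl show -p ConditionFirstBoot -p ConditionDirectoryNotEmpty coreos-update-ca-trust.service` on the booted host shows which conditions survived the drop-in merge.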
People have asked that Ignition persist the CA to disk, but I'm very much against this. The `ignition` section of the config directs Ignition; nothing more.

Right, no one is talking about changing that default, just adding a new mechanism to do both.