
Copy certs from SSL_CERT_DIR into chroot jail

This fixes #137 (closed) by copying all certificate files from SSL_CERT_DIR into the chroot jail and resetting SSL_CERT_DIR accordingly.

This MR is a simpler fix than !125 (closed) which tried to fix #137 (closed) by bind-mounting SSL_CERT_DIR into the chroot jail. There were concerns about that implementation having to remove the lazy-unmounting. Furthermore, if there were symlinks in SSL_CERT_DIR which pointed outside of it, those links would be invalid inside the chroot jail.

Note that this requires support in omnibus-gitlab to set SSL_CERT_DIR appropriately (omnibus-gitlab#5383 (closed) / omnibus-gitlab!4289 (merged)).

This (as of commit ff749826) is being tested in a production instance (12.10.6) with the following hack to /opt/gitlab/sv/gitlab-pages/run:

- exec /usr/bin/env SSL_CERT_FILE=/opt/gitlab/embedded/ssl/certs/cacert.pem \
+ exec /usr/bin/env SSL_CERT_DIR=/opt/gitlab/embedded/ssl/certs/ \
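Review bot: the `+` line replaces SSL_CERT_FILE with SSL_CERT_DIR instead of setting both, which matches this MR copying only the directory into the jail, but the description should spell out that an instance still running with SSL_CERT_FILE alone (and SSL_CERT_DIR unset) gets no fix, because the file that variable names is never copied into the jail; either document that in the omnibus-gitlab change or have the copy step also pick up the file named by SSL_CERT_FILE. Note also that Go's crypto/x509 on Linux reads SSL_CERT_FILE first and then parses every regular file in SSL_CERT_DIR, so the copied directory must contain the actual PEM bundle (here cacert.pem), not only links to it.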

cc @dblessing @nick.thomas @nolith @vshushlin @jmeshell

Upstream issue: gitlab#25411 (closed)

Edited by Ben Bodenmiller
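The approach the description outlines (copy the files from SSL_CERT_DIR into the jail, then point SSL_CERT_DIR at the copy) as an added worked example. This is illustrative Go written for this page, not gitlab-pages' own implementation, and it assumes a single source directory and a hypothetical jail layout of `etc/ssl/certs` under the jail root. It follows symlinks while copying, so a link that points outside SSL_CERT_DIR (the failure mode noted for the bind-mount approach in !125) becomes a real file inside the jail, and it skips dangling links rather than failing.

```go
package main

import (
	"fmt"
	"io"
	"log"
	"os"
	"path/filepath"
)

// jailCertDir is where certificates land inside the jail, relative to the
// jail root. Assumed layout for this example, not a gitlab-pages constant.
const jailCertDir = "etc/ssl/certs"

// CopyCertsIntoJail copies every regular file in srcDir into
// <jailRoot>/<jailCertDir>. Symlinks are followed (os.Stat, not os.Lstat), so a
// link pointing outside srcDir is materialised as a plain file in the jail.
// Subdirectories are ignored, matching how Go's crypto/x509 scans SSL_CERT_DIR
// on Unix (it reads the files directly in the directory, not recursively).
// It returns the SSL_CERT_DIR value to use once chrooted, the file names that
// were copied, and the names of dangling links that were skipped.
func CopyCertsIntoJail(srcDir, jailRoot string) (string, []string, []string, error) {
	dst := filepath.Join(jailRoot, jailCertDir)
	if err := os.MkdirAll(dst, 0o755); err != nil {
		return "", nil, nil, err
	}
	entries, err := os.ReadDir(srcDir)
	if err != nil {
		return "", nil, nil, fmt.Errorf("reading %s: %w", srcDir, err)
	}
	var copied, skipped []string
	for _, e := range entries {
		src := filepath.Join(srcDir, e.Name())
		// os.Stat follows symlinks; a dangling link fails here and is skipped
		// instead of aborting the whole copy.
		info, err := os.Stat(src)
		if err != nil {
			skipped = append(skipped, e.Name())
			continue
		}
		if !info.Mode().IsRegular() {
			continue // directories, sockets and the like are not certificate files
		}
		if err := copyFile(src, filepath.Join(dst, e.Name())); err != nil {
			return "", nil, nil, err
		}
		copied = append(copied, e.Name())
	}
	// After chroot(jailRoot) the jail root is "/", so SSL_CERT_DIR becomes the
	// absolute form of jailCertDir.
	return "/" + jailCertDir, copied, skipped, nil
}

// copyFile writes the contents of src to a new regular file at dst. CA
// certificates are public, so a world-readable, non-executable mode is used.
func copyFile(src, dst string) error {
	in, err := os.Open(src)
	if err != nil {
		return err
	}
	defer in.Close()
	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o644)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}

func main() {
	// Constructed input: a temporary SSL_CERT_DIR holding one local file and
	// one symlink whose target lives outside the directory.
	src, _ := os.MkdirTemp("", "certs-src")
	outside, _ := os.MkdirTemp("", "certs-outside")
	jail, _ := os.MkdirTemp("", "pages-jail")
	defer os.RemoveAll(src)
	defer os.RemoveAll(outside)
	defer os.RemoveAll(jail)
	os.WriteFile(filepath.Join(src, "local.pem"), []byte("-----BEGIN CERTIFICATE-----\n"), 0o644)
	os.WriteFile(filepath.Join(outside, "ext.pem"), []byte("-----BEGIN CERTIFICATE-----\n"), 0o644)
	os.Symlink(filepath.Join(outside, "ext.pem"), filepath.Join(src, "ext.pem"))

	newDir, copied, skipped, err := CopyCertsIntoJail(src, jail)
	if err != nil {
		log.Fatal(err)
	}
	// Reset SSL_CERT_DIR before anything in the process touches crypto/x509,
	// because Go loads the system roots once and caches them.
	os.Setenv("SSL_CERT_DIR", newDir)
	fmt.Printf("SSL_CERT_DIR=%s copied=%v skipped=%v\n", newDir, copied, skipped)
}
```

The ordering matters in a real daemon: the copy and the `Setenv` must happen before the process chroots and before any TLS handshake or `x509.SystemCertPool()` call, since Go reads SSL_CERT_FILE/SSL_CERT_DIR only on the first root-pool load and then caches the result for the lifetime of the process.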
