Copy certs from SSL_CERT_DIR into chroot jail
This fixes #137 (closed) by copying all certificate files from SSL_CERT_DIR into the chroot jail and resetting SSL_CERT_DIR accordingly.
This MR is a simpler fix than !125 (closed) which tried to fix #137 (closed) by bind-mounting SSL_CERT_DIR into the chroot jail. There were concerns about that implementation having to remove the lazy-unmounting. Furthermore, if there were symlinks in SSL_CERT_DIR which pointed outside of it, those links would be invalid inside the chroot jail.
Note that this requires support in omnibus-gitlab to set SSL_CERT_DIR appropriately (omnibus-gitlab#5383 (closed) / omnibus-gitlab!4289 (merged)).
This (as of commit ff749826) is being tested in a production instance (12.10.6) with the following hack to /opt/gitlab/sv/gitlab-pages/run:
- exec /usr/bin/env SSL_CERT_FILE=/opt/gitlab/embedded/ssl/certs/cacert.pem \
+ exec /usr/bin/env SSL_CERT_DIR=/opt/gitlab/embedded/ssl/certs/ \
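Review bot: the `+` line replaces SSL_CERT_FILE instead of setting SSL_CERT_DIR next to it, so this test run only exercises the directory lookup. Because cacert.pem lives inside /opt/gitlab/embedded/ssl/certs/, it is worth confirming that the bundle is among the files copied into the jail, and saying in the description whether SSL_CERT_FILE is still expected to work once SSL_CERT_DIR is set.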
cc @dblessing @nick.thomas @nolith @vshushlin @jmeshell
Upstream issue: gitlab#25411 (closed)
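
The copy-and-reset approach described above, as an added Go sketch that is not the code from this MR. The function name `copyCertDir`, the in-jail path `/etc/ssl/certs`, and the assumption that SSL_CERT_DIR names a single directory are illustrative. Symlinks are dereferenced during the copy, so links pointing outside the directory end up as regular files inside the jail.

```go
package main

import (
	"os"
	"path/filepath"
)

// copyCertDir (hypothetical helper) copies every regular file reachable from
// srcDir into jailRoot/jailCertDir and returns the value SSL_CERT_DIR should
// have once the process has chrooted into jailRoot.
func copyCertDir(srcDir, jailRoot, jailCertDir string) (string, error) {
	dst := filepath.Join(jailRoot, jailCertDir)
	if err := os.MkdirAll(dst, 0o755); err != nil {
		return "", err
	}
	entries, err := os.ReadDir(srcDir)
	if err != nil {
		return "", err
	}
	for _, e := range entries {
		src := filepath.Join(srcDir, e.Name())
		// os.Stat follows symlinks; skip dangling links and non-regular files.
		info, err := os.Stat(src)
		if err != nil || !info.Mode().IsRegular() {
			continue
		}
		data, err := os.ReadFile(src)
		if err != nil {
			return "", err
		}
		if err := os.WriteFile(filepath.Join(dst, e.Name()), data, 0o644); err != nil {
			return "", err
		}
	}
	return jailCertDir, nil
}

func main() {
	jail, err := os.MkdirTemp("", "jail") // stand-in jail root (assumption)
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(jail)
	if dir, err := copyCertDir(os.Getenv("SSL_CERT_DIR"), jail, "/etc/ssl/certs"); err == nil {
		os.Setenv("SSL_CERT_DIR", dir)
		println("SSL_CERT_DIR inside jail:", dir)
	}
}
```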