From a90e38f03e464d6ffa100b37e4de9cadd247f28f Mon Sep 17 00:00:00 2001
From: Dimitrios Christidis
Date: Thu, 11 Apr 2024 09:09:07 +0200
Subject: [PATCH] daemons/server: Add Grid CAs to the system trust
The origin of the /etc/grid-security directory appears to be Globus. GFAL uses it transparently, but all other native system utilities and libraries do not. This commits adds the Grid CAs to the system trust at the time the container starts, when applicable. This will be important for the Rucio components that: * Connect directly to the RSEs (Automatix, Dark Reaper, Reaper) * Communicate with FTS (Cleaner, Poller, Submitter, and the Rucio servers) The /etc/grid-security directory does not exist by default; it has to be populated externally and mounted in the container with extraHostPathMounts.
---
 daemons/start-daemon.sh | 6 ++++++
 server/docker-entrypoint.sh | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/daemons/start-daemon.sh b/daemons/start-daemon.sh
index 2679b93..0c0ab82 100755
--- a/daemons/start-daemon.sh
+++ b/daemons/start-daemon.sh
@@ -81,6 +81,12 @@ then
 done
 fi
+if [ -d /etc/grid-security/certificates ]; then
+ echo 'Adding Grid CAs to the system trust.'
+ cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
+ update-ca-trust extract
+fi
+
 echo "starting daemon with: $RUCIO_DAEMON $RUCIO_DAEMON_ARGS"
 echo ""
diff --git a/server/docker-entrypoint.sh b/server/docker-entrypoint.sh
index 16822fe..759591c 100755
--- a/server/docker-entrypoint.sh
+++ b/server/docker-entrypoint.sh
@@ -92,6 +92,12 @@ then
 done
 fi
+if [ -d /etc/grid-security/certificates ]; then
+ echo 'Adding Grid CAs to the system trust.'
+ cp -v /etc/grid-security/certificates/*.pem /etc/pki/ca-trust/source/anchors/
+ update-ca-trust extract
+fi
+
 pkill httpd || :
 sleep 2
 exec httpd -D FOREGROUND
\ No newline at end of file
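Review bot: The `cp -v /etc/grid-security/certificates/*.pem …` line added in daemons/start-daemon.sh, and identically in server/docker-entrypoint.sh, turns every `.pem` file in a host-mounted directory into a system-wide trust anchor, and neither `cp` nor `update-ca-trust extract` has its result checked. When the directory exists but holds no `.pem` file, the unexpanded pattern is handed to `cp`, and the start-up log then does not distinguish "CAs installed" from "step failed" (whether `set -e` is in force is outside the hunk). The system store also applies none of the per-CA `signing_policy` restrictions or CRLs that Grid middleware normally reads from that directory. These CAs therefore become valid for any hostname and any TLS client in the container, which deserves a comment in the script and a read-only, integrity-controlled mount. A guarded version of the block, the same for both files, follows.

```shell
if [ -d /etc/grid-security/certificates ]; then
    echo 'Adding Grid CAs to the system trust.'
    # Everything copied here is trusted container-wide, for any hostname; the
    # source directory should be mounted read-only from a controlled location.
    installed=0
    for ca in /etc/grid-security/certificates/*.pem; do
        # Skip the literal pattern (no match) and anything that is not a file.
        [ -f "$ca" ] || continue
        if cp -v -- "$ca" /etc/pki/ca-trust/source/anchors/; then
            installed=1
        else
            echo "WARNING: could not install Grid CA $ca" >&2
        fi
    done
    if [ "$installed" -eq 1 ]; then
        update-ca-trust extract || echo 'WARNING: update-ca-trust extract failed' >&2
    else
        echo 'WARNING: no Grid CA was installed; system trust unchanged' >&2
    fi
fi
```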