aboutsummaryrefslogtreecommitdiffstats
path: root/testing/cloud-init/05-add-ca_certs-module-support.patch
blob: 80251019218c3a9af880987fd4b0af3e7759959f (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
--- a/cloudinit/config/cc_ca_certs.py
+++ b/cloudinit/config/cc_ca_certs.py
@@ -16,11 +16,15 @@
     certificates must be specified using valid yaml. in order to specify a
     multiline certificate, the yaml multiline list syntax must be used
 
+.. note::
+    For Alpine Linux this module works with the ca-certificates package
+    but not with the ca-certificates-bundle package.
+
 **Internal name:** ``cc_ca_certs``
 
 **Module frequency:** per instance
 
-**Supported distros:** ubuntu, debian
+**Supported distros:** alpine, debian, ubuntu
 
 **Config keys**::
 
@@ -44,7 +48,7 @@
 CA_CERT_SYSTEM_PATH = "/etc/ssl/certs/"
 CA_CERT_FULL_PATH = os.path.join(CA_CERT_PATH, CA_CERT_FILENAME)
 
-distros = ['ubuntu', 'debian']
+distros = ['alpine', 'debian', 'ubuntu']
 
 
 def update_ca_certs():
@@ -66,17 +70,23 @@
         cert_file_contents = "\n".join([str(c) for c in certs])
         util.write_file(CA_CERT_FULL_PATH, cert_file_contents, mode=0o644)
 
-        # Append cert filename to CA_CERT_CONFIG file.
-        # We have to strip the content because blank lines in the file
-        # causes subsequent entries to be ignored. (LP: #1077020)
-        orig = util.load_file(CA_CERT_CONFIG)
-        cur_cont = '\n'.join([line for line in orig.splitlines()
+        if os.stat(CA_CERT_CONFIG).st_size == 0:
+            # If the CA_CERT_CONFIG file is empty (i.e. all existing
+            # certificates have been deleted) then simply output a single
+            # line with the cloud-init cert filename.
+            out = "%s\n" % CA_CERT_FILENAME
+        else:
+            # Append cert filename to CA_CERT_CONFIG file.
+            # We have to strip the content because blank lines in the file
+            # causes subsequent entries to be ignored. (LP: #1077020)
+            orig = util.load_file(CA_CERT_CONFIG)
+            cur_cont = '\n'.join([line for line in orig.splitlines()
                               if line != CA_CERT_FILENAME])
-        out = "%s\n%s\n" % (cur_cont.rstrip(), CA_CERT_FILENAME)
+            out = "%s\n%s\n" % (cur_cont.rstrip(), CA_CERT_FILENAME)
         util.write_file(CA_CERT_CONFIG, out, omode="wb")
 
 
-def remove_default_ca_certs():
+def remove_default_ca_certs(distro):
     """
     Removes all default trusted CA certificates from the system. To actually
     apply the change you must also call L{update_ca_certs}.
@@ -84,8 +94,9 @@
     util.delete_dir_contents(CA_CERT_PATH)
     util.delete_dir_contents(CA_CERT_SYSTEM_PATH)
     util.write_file(CA_CERT_CONFIG, "", mode=0o644)
-    debconf_sel = "ca-certificates ca-certificates/trust_new_crts select no"
-    util.subp(('debconf-set-selections', '-'), debconf_sel)
+    if distro != 'alpine':
+        debconf_sel = "ca-certificates ca-certificates/trust_new_crts select no"
+        util.subp(('debconf-set-selections', '-'), debconf_sel)
 
 
 def handle(name, cfg, _cloud, log, _args):
@@ -110,7 +121,7 @@
     # default trusted CA certs first.
     if ca_cert_cfg.get("remove-defaults", False):
         log.debug("Removing default certificates")
-        remove_default_ca_certs()
+        remove_default_ca_certs(_cloud.distro.name)
 
     # If we are given any new trusted CA certs to add, add them.
     if "trusted" in ca_cert_cfg: