From ed17b02937ebd3c5cb1dfd12b06c826ef50f3de6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Harald=20Jens=C3=A5s?=
Date: Thu, 19 Dec 2024 18:52:35 +0100
Subject: [PATCH] Fix ironic-python-agent - CA bundle inject
Currently the pxe-init script copies the certificate bundle directly to /etc/pki/ca-trust/extracted in the initramfs. When update-ca-trust runs under chroot the contents under pki/ca-trust/extracted is overwritten. See manual page: update-ca-trust(8) "EXTRACTED CONFIGURATION" section. With this change the bundle is copied to /etc/pki/ca-trust/source/anchors directory in the initramfs instead, so that update-ca-trust will find the source and update CA certs and trusts correctly.
Jira: OSPRH-12526
---
 templates/common/bin/pxe-init.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/common/bin/pxe-init.sh b/templates/common/bin/pxe-init.sh
index 458d527d..e67dd180 100755
--- a/templates/common/bin/pxe-init.sh
+++ b/templates/common/bin/pxe-init.sh
@@ -54,7 +54,7 @@ if [ -f "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem" ] && [ -f "/var/lib/
 popd
 # Copy the CA certificates
- cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/extracted/pem/
+ cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/source/anchors/
 echo update-ca-trust | unshare -r chroot ./initramfs
 # Repack the initramfs
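Review bot: Neither the new `cp` into `source/anchors/` nor the chrooted `update-ca-trust` that follows is checked in the visible lines, so if the anchors directory is missing from the unpacked image or the trust update fails, the initramfs would be repacked without the intended CA and the problem would presumably only surface later as TLS verification errors in the agent; unless the script already runs under `set -e` (not visible in this hunk), I would write `cp /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /initramfs/etc/pki/ca-trust/source/anchors/ || exit 1`. The copy targets the absolute `/initramfs` while the chroot uses `./initramfs`, which agree only when the working directory is `/`; using one form for both would remove that assumption. As I read update-ca-trust(8), everything placed under `source/anchors/` becomes a trust anchor for all purposes, so the host's TLS bundle may carry broader trust inside the ramdisk than it had as an extracted TLS-only bundle; a comment such as `# extracted/ is regenerated by update-ca-trust, so the bundle goes in source/anchors` would record why this path was chosen and invite that check. The enclosing `if` block starts and ends outside the hunk.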