canonical / rockcraft

Tool to create OCI Images using the language from Snapcraft and Charmcraft.
GNU General Public License v3.0

Declaring ca-certificates in stage-packages doesn't populate the /etc/ssl/certs directory #334

Open weiiwang01 opened 1 year ago

weiiwang01 commented 1 year ago

Bug Description

When declaring ca-certificates in the part's stage-packages, the /etc/ssl/certs directory is not populated as expected. The /etc/ssl/certs directory should contain symbolic links pointing to the certificates found in /usr/share/ca-certificates/mozilla/. It's worth noting that the certificates are present in /usr/share/ca-certificates/mozilla/ within the Rock image.

To Reproduce

Build the rock image based on the rockcraft.yaml file below, and then inspect the content of the /etc/ssl/certs directory in the image. The directory is empty.

rockcraft pack
sudo /snap/rockcraft/current/bin/skopeo --insecure-policy copy oci-archive:ca-certs_0.1_amd64.rock docker-daemon:ca-certs:latest
docker run -it --rm --entrypoint /bin/ls ca-certs:latest -lah /etc/ssl/certs

Environment

ubuntu 22.04 LTS, LXD

rockcraft.yaml

# Copyright 2023 Canonical Ltd.
# See LICENSE file for licensing details.
name: ca-certs
summary: ca-certs issue.
description: ca-certs issue.
version: "0.1"
base: ubuntu:20.04
license: Apache-2.0
platforms:
  amd64:

parts:
  apt-dependencies:
    plugin: nil
    source: .
    stage-packages:
      - ca-certificates

Relevant log output

N/A
gregory-schiano commented 1 year ago

Side comment: the chisel slice ca-certificates_data should work, since it's aggregating all the /usr/share/ca-certificates/mozilla/ certificates into a single file in the mutate part. See: https://github.com/canonical/chisel-releases/blob/ubuntu-22.04/slices/ca-certificates.yaml

So it's not relying on symlinks.

cjdcordeiro commented 1 year ago

Have you tried using overlay-packages?

weiiwang01 commented 1 year ago

> have you tried using overlay-packages?

overlay-packages works, thanks! Is there a general rule to decide which packages should go in stage-packages and which should go in overlay-packages, since other packages work in stage-packages?

jnsgruk commented 1 year ago

> have you tried using overlay-packages?

> overlay-packages works, thanks! Is there a general rule to decide which packages should go in stage-packages and which should go in overlay-packages, since other packages work in stage-packages?

Yeah, this might be good to include in the docs - I can see more people tripping over this.

cjdcordeiro commented 1 year ago

Yes, definitely. @sergiusens and @dboddie may already have this item included in their roadmap item for improving the docs (?)

Can you guys confirm? If not planned, can you please add an item to the backlog?

gregory-schiano commented 1 year ago

But is it intended that symlinks aren't copied from stage-packages? Even if you document that, you don't easily know whether a package will add symlinks or not, so how do you decide whether a package is added in stage-packages or overlay-packages? Because for packages without symlinks... it'll work without issues.

dboddie commented 1 year ago

> yes definitely. @sergiusens and @dboddie may already have this item included in their roadmap item for improving the docs (?)

> can you guys confirm? If not planned, can you please add an item to the backlog?

Will CRAFT-88 cover this?

sergiusens commented 1 year ago

Documenting overlays will help. Updating the docs, in case it is not there already, with the idea that stage-packages does not run maintainer scripts would also help someone self-serve an answer to why something is not working as expected. As Chisel becomes more prominent in stage-packages, this problem will not be much of a concern.

Regardless, this is well documented in snapcraft, and the question still comes up for stage-packages.
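The two points raised so far, the empty /etc/ssl/certs seen in the reproduction steps and the explanation that stage-packages unpacks files without running maintainer scripts, can be shown side by side in a throwaway root. The script below is an added example, not code from rockcraft or from the ca-certificates package: it builds a constructed rootfs the way stage-packages leaves it (certificates under /usr/share/ca-certificates, nothing in /etc/ssl/certs), runs a check that asserts on the state of /etc/ssl/certs, and then applies a deliberately simplified stand-in for what the package's postinst (update-ca-certificates) does at install time. The certificate names, PEM bodies and the populate_certs logic are constructed for the demo; the real tool additionally creates OpenSSL hash links, which are omitted here.

```shell
#!/bin/sh
# Added example (not rockcraft code). Emulates, in a temporary root, the difference
# between "files unpacked" (stage-packages) and "files unpacked + postinst run"
# for ca-certificates, and checks whether /etc/ssl/certs ends up populated.

# Build a fake rootfs the way stage-packages leaves it: the Mozilla bundle is
# unpacked under /usr/share/ca-certificates, but no maintainer script has run.
# Certificate names and bodies below are constructed placeholders.
make_staged_root() {
  root=$1
  mkdir -p "$root/usr/share/ca-certificates/mozilla" "$root/etc/ssl/certs"
  for name in Example_Root_CA Another_Root_CA; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$name" '-----END CERTIFICATE-----' \
      > "$root/usr/share/ca-certificates/mozilla/$name.crt"
  done
  # /etc/ca-certificates.conf lists the certificates to activate, one per line.
  ls "$root/usr/share/ca-certificates/mozilla" | sed 's#^#mozilla/#' \
    > "$root/etc/ca-certificates.conf"
}

# Check used in the reproduction: count symlinks in /etc/ssl/certs that resolve
# into /usr/share/ca-certificates. Succeeds only if at least one such link and a
# non-empty ca-certificates.crt bundle exist.
certs_populated() {
  root=$1
  n=0
  for link in "$root"/etc/ssl/certs/*.pem; do
    [ -L "$link" ] || continue
    case $(readlink "$link") in
      */usr/share/ca-certificates/*) n=$((n + 1)) ;;
    esac
  done
  [ "$n" -gt 0 ] && [ -s "$root/etc/ssl/certs/ca-certificates.crt" ]
}

# Simplified stand-in for what update-ca-certificates does from postinst:
# one symlink per activated certificate in /etc/ssl/certs, plus a concatenated
# bundle. (The real tool also writes OpenSSL hash links; omitted here.)
populate_certs() {
  root=$1
  : > "$root/etc/ssl/certs/ca-certificates.crt"
  while IFS= read -r entry; do
    case $entry in ''|'#'*|'!'*) continue ;; esac   # blank, comment, deselected
    src="$root/usr/share/ca-certificates/$entry"
    [ -f "$src" ] || continue
    base=$(basename "$entry" .crt)
    ln -sf "$src" "$root/etc/ssl/certs/$base.pem"
    cat "$src" >> "$root/etc/ssl/certs/ca-certificates.crt"
  done < "$root/etc/ca-certificates.conf"
}

# One-word summary of a root's state, convenient for scripting and assertions.
cert_state() {
  if certs_populated "$1"; then echo populated; else echo empty; fi
}

# Demo: a stage-packages-style root is empty; after the postinst-like step it is not.
demo_root=$(mktemp -d)
make_staged_root "$demo_root"
echo "before: $(cert_state "$demo_root")"
populate_certs "$demo_root"
echo "after:  $(cert_state "$demo_root")"
ls -l "$demo_root/etc/ssl/certs"
rm -rf "$demo_root"
```

Pointing certs_populated at an unpacked rock filesystem (or running the same loop via the ls command from the reproduction steps) is a quick way to tell whether a given image got the postinst step, which is the practical difference between stage-packages and overlay-packages for this package.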

gregory-schiano commented 1 year ago

> Regardless, this is well documented in snapcraft and the question still comes up for stage-packages

TBH I didn't find anything about that in the snapcraft documentation :/ There are some discourse discussions about it explaining the reasons.