canonical / ubuntu-pro-client

Ubuntu Pro Client for offerings from Canonical
https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/
GNU General Public License v3.0

Bug/feature: bundle necessary ca-cert in package to eliminate need for ca-certificates #2846

Open Monochromics opened 11 months ago

Monochromics commented 11 months ago

Description of the bug

ca-certificates is not listed as a dependency of ubuntu-advantage-tools, so when execing certain pro operations, you'll get a message suggesting you install ca-certificates. I couldn't find a particular reason that this isn't just a dependency rather than an in-package warning message on failure. This can cause some confusion when trying to operate the pro client within one of the docker OCI images that Canonical produces (as they are about the only images without ca-certificates by default).

Expected behavior

ca-certificates should be listed as a deb dependency

Current behavior

An error prints when leveraging certain pro client actions that suggests you install ca-certificates

To Reproduce

Please include details on how to reproduce the bug.

  1. Launch a container (ubuntu:focal ex: https://canonical-ubuntu-pro-client.readthedocs-hosted.com/en/latest/howtoguides/enable_in_dockerfile/)
  2. Attempt to attach while omitting the ca-certificates package as suggested above.

Additional context

If there is a particular reason this isn't listed as a dependency, just let me know. Based on issue #25 and #1618, this just seems more like an oversight than a design choice.

Thanks!

orndorffgrant commented 11 months ago

Thanks @Monochromics for bringing this up!

This was a design choice in the past, but I'm struggling to remember the exact rationale. I will dig up some history and post it here; then we can reconsider the decision.

orndorffgrant commented 11 months ago

So we added this last year: https://github.com/canonical/ubuntu-pro-client/commit/8e1c04a9119a60687eb3e174e39f2211bedc0719

And then during the v27.10 release process the SRU team decided it posed too much potential for regression. See the IRC discussion here: https://irclogs.ubuntu.com/2022/07/29/%23ubuntu-devel.html#t13:07

In that discussion they propose that we can bundle the specific certs we need, which we haven't gotten around to yet.

Monochromics commented 11 months ago

Ah, I have no idea how I missed that issue in my search. Thanks for the link and extra context though (as always :) )! We can probably just close this then if it's just backlogged for the long term.

The documentation for working with the OCI images does have the caveat, so no urgency behind the change.

orndorffgrant commented 10 months ago

Let's leave this open to represent the task to bundle the cert we need in the package and use it if there is no system ca-certs installed.

cjdcordeiro commented 3 months ago

Just leaving a +1 on this, as during a regular pro attach on an environment without ca-certificates, the only message I got was

Failed to attach machine. See https://ubuntu.com/pro/dashboard

It took some lucky digging to eventually find out the hint

Cannot verify certificate of server Please install "ca-certificates" and try again.
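
The fallback proposed in this thread (use a CA file shipped with the package only when no system CA store is installed) and the unclear failure reported in the last comment, sketched as an added example; it is not code from ubuntu-pro-client. The bundled-file path, the function names and the error text are assumptions made for illustration.

```python
import os
import ssl

# Assumed locations: the first is where Ubuntu's ca-certificates package writes
# its bundle; the second is a hypothetical path for a CA file shipped in a package.
SYSTEM_CA_BUNDLE = "/etc/ssl/certs/ca-certificates.crt"
BUNDLED_CA_FILE = "/usr/share/example-client/bundled-ca.pem"  # hypothetical


class NoTrustAnchorsError(RuntimeError):
    """Raised when neither the system store nor the bundled CA is usable."""


def pick_ca_file(system_path=SYSTEM_CA_BUNDLE, bundled_path=BUNDLED_CA_FILE):
    """Return (source, path): system store first, bundled CA only as fallback."""
    for source, path in (("system", system_path), ("bundled", bundled_path)):
        # An empty file is treated as absent: it would verify nothing.
        if os.path.isfile(path) and os.path.getsize(path) > 0:
            return source, path
    # Fail closed with the actionable hint up front instead of a generic error.
    raise NoTrustAnchorsError(
        "No CA certificates available to verify the server: "
        'install "ca-certificates" or restore the bundled CA file.'
    )


def build_tls_context(system_path=SYSTEM_CA_BUNDLE, bundled_path=BUNDLED_CA_FILE):
    """Build a verifying client context; there is no CERT_NONE fallback."""
    source, path = pick_ca_file(system_path, bundled_path)
    # PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED by default.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=path)
    return source, ctx
```

Preferring the system store keeps administrator-managed trust decisions (added or removed CAs) in effect whenever ca-certificates is installed; the bundled file only covers the minimal-image case described in the issue.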