Arvados

Alternately, crunch-run could DTRT and propagate the host system certs file into the container by default (which is what crunch-job is doing in the snippet above). At least when API: true

Proposal:

-ca-certs <file>

Will be mounted at /etc/arvados/ca-certificates.crt

If not provided, try

/etc/ssl/certs/ca-certificates.crt

and

/etc/pki/tls/certs/ca-bundle.crt

and mount them at /etc/arvados/ca-certificates.crt

Update Python and Go SDKs to use /etc/arvados/ca-certificates.crt

• In crunch-run, if the container does not already mount anything there, add a read-only bind mount at /etc/arvados/ca-certificates.crt using the first one of these that exists on the worker host:
  • /etc/arvados/ca-certificates.crt
  • /etc/ssl/certs/ca-certificates.crt
  • /etc/pki/tls/certs/ca-bundle.crt
• In the Python SDK, prepend /etc/arvados/ca-certificates.crt to the array of paths in ca_certs_path() (source:sdk/python/arvados/util.py)
• In the Go SDK, if /etc/arvados/ca-certificates.crt exists and insecure mode is off, read root CAs from there. Move code from source:sdk/go/crunchrunner/crunchrunner.go (but try /etc/arvados first, don't merge certs from multiple sources, don't silently ignore errors, and don't log a debug message).

• if the sysadmin puts certs in /etc/arvados/ca-certificates.crt on worker nodes, those certs (and only those certs) will be used by arvados code running both inside & outside containers
• on a given worker node, Go and Python programs use the same certificates

• Line 116: If tlsClientconfig.InsecureSkipVerify is true, can the cert file load be skipped? (asking this because of what Tom added on his proposal)
• Line 124: Maybe it’s a good idea to check if AppendCertFromPEM() returns successfully

Also, got the following install errors when running tests locally:

           ********** Running sdk/go/crunchrunner install **********

# git.curoverse.com/arvados.git/sdk/go/crunchrunner
../../tmp/GOPATH/src/git.curoverse.com/arvados.git/sdk/go/crunchrunner/crunchrunner.go:4: imported and not used: "crypto/x509" 
../../tmp/GOPATH/src/git.curoverse.com/arvados.git/sdk/go/crunchrunner/crunchrunner.go:13: imported and not used: "net/http" 

     ********** !!!!!! sdk/go/crunchrunner install FAILED !!!!!! **********

Lucas Di Pentima wrote:

On file sdk/go/arvadosclient/arvadosclient.go:

• Line 116: If tlsClientconfig.InsecureSkipVerify is true, can the cert file load be skipped? (asking this because of what Tom added on his proposal)

Done. Also refactored a setting up the TLS config a bit.

• Line 124: Maybe it’s a good idea to check if AppendCertFromPEM() returns successfully

Done. Logs a warning now.

Also, got the following install errors when running tests locally:

Fixed.

Additional changes:

• Add -ca-certs command line option to crunch-run
• crunch-run only bind mounts certificates when API: true in runtime_constraints.

Ran sdk/go & services/crunch-run tests locally. LGTM.