Cannot get cloud-init phone_home to use self-signed certificate added to registry #1523
Comments
What is the output of:
Any updates or ideas on this?
I'll try that tomorrow and report back.
Here is the version of cloud-init data from photon 4r2: I don't think it's possible for me to add the extra lines to a cloud-init configuration. Aria Automation creates that stanza automatically and seems to discard anything I put in the general cloud-init config. I'll continue to play around and see if I can figure out if I can maybe hand manipulate it.
While I mess around trying to get those post parameters added, is there any finer debug we can enable in cloud-init that might enumerate what's going on?
OK, so I've looked through the docs you sent me:
This problem, to me, is between the phone_home module and the photon OS. It's like the phone_home module is not using the same certs registry that the OS is (thus it can't find the 3rd party certs I added to the configuration of the photon VM). Normal wget sees it fine, but phone_home does not. Is there perhaps an alternate/different registry that I should be using? Normally I would have expected to just put the cert into the cacerts stanza in cloud-init, but I see that is specifically ignored when it's photon.
Thank you, I'm aware that AA is a commercial product. However, I don't see how that matters. You can create this configuration yourself without AA on the other end (honestly doesn't matter what you set as the call home target as long as it is using a 3rd party root cert you add to Photon to trust), because it will never get beyond validating the certificate. This problem seems squarely, to me, in how/where cloud-init is looking for the default trusted certificate store. Is that something you can configure/customize in cloud-init? I see a photon.py but I can't see where it would be configured. I'm 99.5% positive if I go to the AA team (I work for VMware/Broadcom) they will say "this syntax works in rhel, ubuntu, etc... it must be something in Photon" and just send me back here. Do you have any docs on cert store locations that cloud-init uses?
OK, so after doing a lot more debugging/looking at files I finally figured out how to at least "get it to work". The default certificate authority seems to come from the cc_cacerts.py config module. In that module, I added a section for photon:
Doing both of those things allows cloud-init to load in the default store so phone_home works. I believe this also allows the certificate to be added, effectively enabling the entire cacerts stanza in cloud-init (something else I would like to see). As I'm not a proper cloud-init developer though, I don't have the proper test harness or know-how to really enable this. Is this something you can carry forward so we can get cloud-init to properly support 3rd party certs and cacerts @dcasota ?
@dark2phoenix thanks for the analysis. Sorry, I got busy with other things.
I created the pull request at cloud-init: canonical/cloud-init#4763
This results in a lot of false positives. We might be having a patch file or some instruction in specs to enable Photon distro.
FYI - they had some additional fixes back on my PR over at canonical. I incorporated their changes in. My hope is that if they accept this upstream we can just pull it into photon4r2 and photon5.
Hiya! The work I did was accepted into the main cloud-init branch! canonical/cloud-init#4763 Possible to pull it into 4.0rev2 and 5.0 please?
I will take it soon.
Let me know and I'll try it out.
Hello, FINALLY got around to testing this. I see 2 issues that I'm not 100% sure are problems with cloud-init vs problems in Photon (and subsequently where to resolve them). I also don't understand why the unit testing didn't catch this - perhaps canonical doesn't use photon VMs in their test bed.
@sshedi - How do you think we should proceed to resolve this?
I decided to incorporate both fixes into a pull request for Canonical. It's available here:
Hello @prashant1221 @sshedi, so it turns out I made 5048 incorrectly, so they had me resubmit the changes to canonical/cloud-init#5077. That pull request was merged yesterday and the pull request was closed. Let me know when you accept it into Photon 4.0r2 and Photon 5.x so I can retest it with the final packages. We may finally be able to get this fixed once and for all!
I will take it with cloud-init's next major release, in ph4 & above branches of Photon.
Hi, two questions:
@dark2phoenix unnecessary to answer. cloud-init works for any platforms with Photon OS' network-config-manager only. There is no fallback, no options strategy. That was the old comment content.
@sshedi I saw updates for cloud-init in Photon 4.0r2 and 5.0, but when I look at the files it doesn't look like it caught the upstream fixes in canonical/cloud-init#5077. I looked and that has been merged and is available in main for cloud-init.
Just throwing 2 cents in, that pretraining custom code generator models helps for accelerating.
https://github.com/vmware-private-ai/VMware-generative-ai-reference-architecture/blob/main/Starter-Packs/Code_Assistant/ is in a quite early stage. I don't think Fabric and DeepSpeed with StarCoder or DeepSeekCoder, etc. are already "over the top". There is space. If the team needs help, let's do this.
The rpms are already published. Do
Describe the bug
Using photon OS with cloud-init and Aria Automation's phone home feature. AA adds the following syntax to the cloud-init file:
Call home constantly fails with:
Certificate chain added to /etc/ssl/certs/ and rehash done. Verified that curl can properly work using the new certificates:
This problem occurs with both Photon 4.0r2 and Photon 5.
Reproduction steps
...
Expected behavior
cloud-init should honor the certificates that are trusted in the /etc/ssl/certificates directory after rehash_ca_certificates.sh is executed.
Additional context
No response
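The symptom in this report (curl and wget trust the newly added CA after rehashing, but cloud-init's phone_home does not) comes down to which trust store each client consults. The diagnostic below is an added example, not cloud-init's code and not posted by anyone in this thread. It lists the CA locations a Python HTTPS client can end up using (the compiled-in OpenSSL paths, the SSL_CERT_FILE/SSL_CERT_DIR and REQUESTS_CA_BUNDLE/CURL_CA_BUNDLE overrides, and the certifi bundle that the requests library uses by default when no override is set), checks whether a certificate directory has actually been rehashed (OpenSSL only consults `<subject_hash>.N` names in a capath, the layout c_rehash and rehash_ca_certificates.sh produce), and counts certificates from a PEM bundle that a given store has not loaded. The hashed-name pattern and the certifi behaviour are assumptions stated in the comments; the helper names are mine.

```python
"""Diagnostic for "curl trusts my CA, but the Python HTTPS client does not".

Constructed example: lists the CA locations a Python client such as cloud-init
can end up using, checks whether a certificate directory has been rehashed,
and checks whether every certificate in a PEM bundle is loaded by a store.
"""
import os
import re
import ssl
from typing import Dict, List, Optional

# Environment variables that redirect trust-store lookup.  SSL_CERT_FILE and
# SSL_CERT_DIR are honoured by OpenSSL (hence Python's ssl module);
# REQUESTS_CA_BUNDLE and CURL_CA_BUNDLE are honoured by the requests library.
ENV_OVERRIDES = ("SSL_CERT_FILE", "SSL_CERT_DIR", "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")

# Assumption: names produced by c_rehash / rehash_ca_certificates.sh are
# 8 hex digits, a dot and a collision counter, e.g. 5ed36f99.0
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")


def trust_store_paths() -> Dict[str, Optional[str]]:
    """Return where this interpreter's HTTPS clients may look for CA certificates."""
    dvp = ssl.get_default_verify_paths()
    info: Dict[str, Optional[str]] = {
        # Compiled-in OpenSSL defaults (normally the OS store, e.g. /etc/ssl/certs).
        "openssl_cafile": dvp.openssl_cafile,
        "openssl_capath": dvp.openssl_capath,
        # Effective locations after SSL_CERT_FILE / SSL_CERT_DIR are applied
        # (None when the path does not exist on this host).
        "effective_cafile": dvp.cafile,
        "effective_capath": dvp.capath,
    }
    for var in ENV_OVERRIDES:
        info[var] = os.environ.get(var)
    try:
        # Assumption: requests ships with certifi and uses its bundle when
        # verify=True and no override is set, so the OS store is never read.
        import certifi
        info["certifi_bundle"] = certifi.where()
    except ImportError:
        info["certifi_bundle"] = None
    return info


def hashed_links(capath: str) -> List[str]:
    """Return the rehash-style entries in a CA directory.

    A certificate copied into a capath without a matching <hash>.N name is
    invisible to OpenSSL-based clients even though the file is present.
    """
    return sorted(n for n in os.listdir(capath) if HASHED_NAME.match(n))


def pem_to_der_list(pem_text: str) -> List[bytes]:
    """Split a PEM bundle into DER certificates; non-certificate text is ignored."""
    begin, end = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"
    ders: List[bytes] = []
    start = pem_text.find(begin)
    while start != -1:
        stop = pem_text.find(end, start)
        if stop == -1:
            break
        ders.append(ssl.PEM_cert_to_DER_cert(pem_text[start:stop + len(end)]))
        start = pem_text.find(begin, stop)
    return ders


def load_store(cafile: Optional[str] = None, capath: Optional[str] = None) -> ssl.SSLContext:
    """Build a verifying client context that trusts only the given locations."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile or capath:
        ctx.load_verify_locations(cafile=cafile, capath=capath)
    return ctx


def missing_from_store(pem_text: str, ctx: ssl.SSLContext) -> int:
    """Count certificates in pem_text that ctx has not loaded as CAs.

    get_ca_certs() reports certificates loaded from a cafile; entries in a
    capath are loaded lazily, so compare against a bundle file for a definitive answer.
    """
    loaded = set(ctx.get_ca_certs(binary_form=True))
    return sum(1 for der in pem_to_der_list(pem_text) if der not in loaded)


if __name__ == "__main__":
    paths = trust_store_paths()
    for key, value in paths.items():
        print(f"{key:>18}: {value}")
    capath = paths["openssl_capath"]
    if capath and os.path.isdir(capath):
        print(f"{len(hashed_links(capath))} hashed entries in {capath}")
```

Run it as the same user and environment cloud-init runs under: if `certifi_bundle` is set and none of the override variables point at the OS store, a CA added under /etc/ssl/certs will be trusted by curl and wget but not by a requests-based client, which is exactly the split this issue describes. Feeding the added CA's PEM file and `load_store(cafile=<bundle the client uses>)` to `missing_from_store` gives a yes/no answer without any network traffic.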