omero-certificates run before "CONFIG_" variables set #60

Open
dpwrussell opened this issue Sep 25, 2021 · 3 comments

dpwrussell commented Sep 25, 2021

It looks like omero-certificates is being run before any CONFIG_ environment variables have been set, thus the config map when read in omero-certificates is not configurable. E.g., if you want to change the default directory used to write the PKCS12, then the following will be ignored and /OMERO/certs used instead, as it's the default in omero-certificates itself.

CONFIG_omero_glacier2_IceSSL_DefaultDir: "/tmp"

dpwrussell changed the title from 'omero-certificates loaded before "CONFIG_" variables set' to 'omero-certificates run before "CONFIG_" variables set' on Sep 25, 2021
@joshmoore
Member

Thanks for the heads up, @dpwrussell.

cf. https://github.com/ome/ansible-role-omero-server/blob/3d76ee7d28846244b2cb723d866eef1c1b8f8b2a/templates/00-omero-server-omero.j2#L28

Looking at the Dockerfile:

ARG OMERO_VERSION=5.6.3
ARG OMEGO_ADDITIONAL_ARGS=
ENV OMERODIR=/opt/omero/server/OMERO.server/
RUN ansible-playbook playbook.yml \
    -e omero_server_release=$OMERO_VERSION \
    -e omero_server_omego_additional_args="$OMEGO_ADDITIONAL_ARGS"

RUN curl -L -o /usr/local/bin/dumb-init \
    https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64 && \
    chmod +x /usr/local/bin/dumb-init
ADD entrypoint.sh /usr/local/bin/
ADD 50-config.py 60-database.sh 99-run.sh /startup/

this is likely to be a tricky one. Rough first ideas:

  • re-run playbook on startup (actually in wrong context since needs root)
  • move certificates to a script (only works if doesn't conflict with the root certs)
  • don't support CONFIG_ for certs
  • ...

@dpwrussell
Member Author

I elected to disable omero-certificates and handle it manually in another script after 50-config.py, but this required overriding /opt/omero/server/config/00-omero-server.omero with a bind mount to disable certificates. While that file is built with Ansible, it's done at Docker image build time and thus thankfully not a risk for overriding. This sounds similar to the second of your proposed solutions, except I didn't actually use omero-certificates.

Can you elaborate on the caveat about conflicting with the root certificates?

@joshmoore
Member

> Can you elaborate on the caveat about conflicting with the root certificates?

Sorry, nothing too terribly likely. Just if root has already run omero-certificates with a given location then re-running as 1000 is bound to fail.
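
A pre-flight check for the two problems discussed in this thread, added here as an illustration and not part of the issue or the project's code: it reports a CONFIG_ override of the certificate directory that cannot take effect because certificates were generated at image build, and a certificate directory owned by a different user than the one starting the server. The CONFIG_ name translation ("_" to ".", "__" to "_") and the function names are assumptions.

```python
import os
import re

DEFAULT_CERT_DIR = "/OMERO/certs"                  # default quoted in the issue
CERT_DIR_KEY = "omero.glacier2.IceSSL.DefaultDir"  # property behind the CONFIG_ variable


def config_env_to_properties(environ):
    """Translate CONFIG_* variables to property names.

    Assumed convention: "_" becomes ".", "__" becomes a literal "_".
    """
    props = {}
    for name, value in environ.items():
        if name.startswith("CONFIG_"):
            key = re.sub(r"_(_)?", lambda m: "_" if m.group(1) else ".",
                         name[len("CONFIG_"):])
            props[key] = value
    return props


def certificate_preflight(environ, uid, build_time_dir=DEFAULT_CERT_DIR):
    """Return sorted (kind, path) findings for settings that cannot take effect."""
    findings = []
    requested = config_env_to_properties(environ).get(CERT_DIR_KEY, build_time_dir)
    if os.path.normpath(requested) != os.path.normpath(build_time_dir):
        # Certificates were generated at image build, before CONFIG_* existed,
        # so the requested directory is never used.
        findings.append(("ignored-override", requested))
    for path in {requested, build_time_dir}:
        # A directory created by another user (e.g. root at build time)
        # makes a later run as the service user fail.
        if os.path.isdir(path) and os.stat(path).st_uid != uid:
            findings.append(("owner-mismatch", path))
    return sorted(findings)


if __name__ == "__main__":
    for kind, path in certificate_preflight(os.environ, os.getuid()):
        print(f"WARNING {kind}: {path}")
```
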
