https://bugzilla.suse.com/show_bug.cgi?id=1124198
https://bugzilla.suse.com/show_bug.cgi?id=1124198#c3
--- Comment #3 from Archie Cobbs ---
This is an interesting bug.
It appears to be random, which smells like a race condition...
Attempt #1
==========
(1/1) Installing: ca-certificates-mozilla-2.44-lp152.2.13.1.noarch
..........................[done]
Additional rpm output:
p11-kit: couldn't create symlink: /var/lib/ca-certificates/openssl/fe8a2cd8.0:
File exists
p11-kit: couldn't create symlink: /var/lib/ca-certificates/pem/3bde41ac.0: File
exists
Died at /usr/lib/ca-certificates/update.d/80etc_ssl.run line 87.
Attempt #2
==========
(1/1) Installing: ca-certificates-mozilla-2.44-lp152.2.13.1.noarch
..........................[done]
Additional rpm output:
p11-kit: couldn't create symlink: /var/lib/ca-certificates/pem/0b1b94ef.0: File
exists
Died at /usr/lib/ca-certificates/update.d/80etc_ssl.run line 87.
Attempt #3
==========
(1/1) Installing: ca-certificates-mozilla-2.44-lp152.2.13.1.noarch
..........................[done]
Attempt #4
==========
(1/1) Installing: ca-certificates-mozilla-2.44-lp152.2.13.1.noarch
..........................[done]
Here is my theory:
- update-ca-certificates is invoking each hook in
/usr/lib/ca-certificates/update.d
- My system has Java installed so there are (among others) these two hooks:
- /usr/lib/ca-certificates/update.d/50java.run
- /usr/lib/ca-certificates/update.d/80etc_ssl.run
- Both of those hooks run trust(1) on directory /var/lib/ca-certificates/pem
- Somehow these hooks are being invoked in parallel, which would definitely
create a symlink race condition
The problem with my theory is that I don't see how they are invoked in
parallel, but then again I'm not a perl expert:
# /usr/sbin/update-ca-certificates
...
my @args;
push @args, '-f' if $options{fresh};
push @args, '-v' if $options{verbose};
for my $f (sort(glob("$hooksdir2/*.run"), glob("$hooksdir1/*.run"))) {
print "running $f ...\n" if $options{verbose};
system($f, @args);
}
(Note this script has been rewritten in bash in newer versions)
This theory is consistent with this commit to the ca-certificates utility:
https://github.com/openSUSE/ca-certificates/pull/16
So possibly this is a duplicate of boo#1188500 but who knows? because for some
reason I can't access that bug.
--
You are receiving this mail because:
You are on the CC list for the bug.