[Bug 1192078] New: Transactional shell misses root certificates
http://bugzilla.opensuse.org/show_bug.cgi?id=1192078

Bug ID: 1192078
Summary: Transactional shell misses root certificates
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.2
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
Assignee: screening-team-bugs@suse.de
Reporter: marius.kittler@suse.com
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

The directory containing all root certificates is empty in the environment of `transactional-update shell`. Just enter the shell and find `/etc/ssl/certs` (and `/var/lib/ca-certificates/pem`) empty, or try `curl https://www.google.de`, which will fail due to missing root certificates.

Note that the issue appears to be fixed in Leap 15.3 but it can get in one's way when trying to upgrade Leap 15.2 to Leap 15.3.

As a workaround one could only use http repository URLs when upgrading to Leap 15.3. Note that redirections to https URLs might still be possible. This can be avoided by using `mirrorcache.opensuse.org`, e.g.:

```
sed -i 's,download.opensuse.org,mirrorcache.opensuse.org,g' \
    /etc/zypp/repos.d/*.repo
```

--
You are receiving this mail because:
You are on the CC list for the bug.

Guillaume GARDET <guillaume.gardet@arm.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |guillaume.gardet@arm.com

Oliver Kurz <okurz@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |okurz@suse.com

http://bugzilla.opensuse.org/show_bug.cgi?id=1192078#c1

Nick Singer <nsinger@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nsinger@suse.com
            Version|Leap 15.2                   |Leap 15.3

--- Comment #1 from Nick Singer <nsinger@suse.com> ---

I see the same issue on a freshly installed leap15.3 system:

```
rebel:~ # journalctl -u transactional-update | tail
Nov 08 00:07:04 rebel transactional-update[26188]: 2021-11-08 00:07:03 tukit 3.2.2 started
Nov 08 00:07:04 rebel transactional-update[26188]: 2021-11-08 00:07:03 Options: -c9 open
Nov 08 00:07:04 rebel transactional-update[26188]: 2021-11-08 00:07:03 Using snapshot 9 as base for new snapshot 11.
Nov 08 00:07:04 rebel transactional-update[26188]: 2021-11-08 00:07:03 Syncing /etc of previous snapshot 8 as base into new snapshot /.snapshots/11/snapshot
Nov 08 00:07:04 rebel transactional-update[26188]: 2021-11-08 00:07:03 Discarding snapshot 11.
Nov 08 00:07:04 rebel transactional-update[26188]: ERROR: Mounting '/var/lib/ca-certificates': special device /var/lib/ca-certificates does not exist
Nov 08 00:07:04 rebel transactional-update[26188]: transactional-update finished
Nov 08 00:07:04 rebel systemd[1]: transactional-update.service: Main process exited, code=exited, status=1/FAILURE
Nov 08 00:07:04 rebel systemd[1]: transactional-update.service: Failed with result 'exit-code'.
Nov 08 00:07:04 rebel systemd[1]: Failed to start Update the system.
```

which results in me not being able to use `transactional-update` at all. It always fails with a similar error message:

```
rebel:~ # transactional-update pkg install ca-certificates
Checking for newer version.
transactional-update 3.2.2 started
Options: pkg install ca-certificates
Separate /var detected.
2021-11-08 14:39:34 tukit 3.2.2 started
2021-11-08 14:39:34 Options: -c9 open
2021-11-08 14:39:35 Using snapshot 9 as base for new snapshot 11.
2021-11-08 14:39:35 Syncing /etc of previous snapshot 8 as base into new snapshot /.snapshots/11/snapshot
2021-11-08 14:39:35 Discarding snapshot 11.
ERROR: Mounting '/var/lib/ca-certificates': special device /var/lib/ca-certificates does not exist
transactional-update finished
```

Interestingly enough, the directory should be present given that ca-certificates is installed on the system:

```
rebel:~ # rpm -ql ca-certificates
[…]
/var/lib/ca-certificates
/var/lib/ca-certificates/ca-bundle.pem
/var/lib/ca-certificates/java-cacerts
/var/lib/ca-certificates/openssl
/var/lib/ca-certificates/pem
```

Looking at the subvolumes it also seems that the folder is completely missing:

```
rebel:/ # mkdir /tmp/mounts
rebel:/ # mount /dev/sda2 -o subvolid=5 /tmp/mounts/
rebel:/ # ls /tmp/mounts/\@/var/lib/ca-certificates
ls: cannot access '/tmp/mounts/@/var/lib/ca-certificates': No such file or directory
```

I was able to manually work around the issue above by just creating the folder in the mounted "root subvolume", then doing a `transactional-update shell` and force-reinstalling `ca-certificates` in there, but somewhere in between installing and using the system for one month the folder seems to have gone missing.
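
A check for the condition described in the report and in comment #1, as an added example that is not part of the bug thread: it classifies each trust-store directory as missing, empty or populated, and lists repository files whose `baseurl` is plain http so the workaround can be reverted once certificate verification works again. The function names are hypothetical; the default paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.

# Print "missing", "empty" or "populated" for one trust-store directory.
trust_dir_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing            # the state seen in comment #1
    elif [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        echo empty              # the state seen in the original report
    else
        echo populated
    fi
}

# Report every directory and return 0 only when all are populated.
# With no arguments, check the two paths named in the report.
trust_store_ok() {
    [ "$#" -gt 0 ] || set -- /etc/ssl/certs /var/lib/ca-certificates/pem
    rc=0
    for d in "$@"; do
        state=$(trust_dir_state "$d")
        printf '%-40s %s\n' "$d" "$state"
        [ "$state" = populated ] || rc=1
    done
    return "$rc"
}

# Print "file:line:text" for each repo definition whose baseurl is plain
# http, i.e. the entries left behind by the http workaround.
plaintext_repos() {
    repodir=${1:-/etc/zypp/repos.d}
    for f in "$repodir"/*.repo; do
        [ -f "$f" ] || continue
        grep -Hn -i '^[[:space:]]*baseurl[[:space:]]*=[[:space:]]*http://' "$f" || true
    done
    return 0
}

# Usage inside `transactional-update shell`:
#   trust_store_ok || echo "trust store incomplete"
#   plaintext_repos
```
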

http://bugzilla.opensuse.org/show_bug.cgi?id=1192078#c5

--- Comment #5 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---

This is an autogenerated message for OBS integration:
This bug (1192078) was mentioned in
https://build.opensuse.org/request/show/930877 15.2 / transactional-update