Webservice container openssl is broken
Summary
The webservice container, starting in version 13.10.3 and also in 13.11.0, has no openssl.
Steps to reproduce
Install GitLab using Ironbank containers
kubectl exec -it gitlab-webservice-pod-name -c webservice -- bash
[git@gitlab-webservice-pod-name /]$ openssl
What is the current bug behavior?
If you try to use openssl from within the container:
bash: /usr/bin/openssl: No such file or directory
bash: /usr/bin/openssl: No such file or directory
bash: /usr/bin/openssl: No such file or directory
Also:
[git@gitlab-webservice-default-6d9c7b8fb7-ms6kl /]$ which openssl
openssl ()
{
( openssl_bin=/usr/bin/openssl;
case "$*" in
*\ -rand\ * | *\ -help*)
exec $openssl_bin "$@"
;;
esac;
cmds=`$openssl_bin list -digest-commands -cipher-commands | tr '\n' ' '`;
for i in `$openssl_bin list -commands`;
do
if $openssl_bin list -options "$i" | grep --color=auto -q '^rand '; then
cmds=" $i $cmds";
fi;
done;
case "$cmds" in
*\ "$1"\ *)
cmd="$1";
shift;
exec $openssl_bin "$cmd" -rand /dev/random "$@"
;;
esac;
exec $openssl_bin "$@" )
}
What is the expected correct behavior?
openssl should work as normal, i.e. if you type openssl you should get an openssl shell. This behaves as expected with the public 13.10.3 and 13.11.0 containers. Running which openssl should just say /usr/bin/openssl.
Relevant logs and/or screenshots
See above.
Also:
Downshot
Integration between GitLab and Keycloak is broken due to this. The root CA is in the ca-bundle.crt in the webservice container, but attempts to log in via OIDC via Keycloak result in:
OpenIDConnect::Discovery::DiscoveryFailed (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate)):
lib/gitlab/metrics/elasticsearch_rack_middleware.rb:16:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:33:in `call'
lib/gitlab/metrics/rack_middleware.rb:16:in `block in call'
lib/gitlab/metrics/transaction.rb:56:in `run'
lib/gitlab/metrics/rack_middleware.rb:16:in `call'
lib/gitlab/request_profiler/middleware.rb:17:in `call'
lib/gitlab/jira/middleware.rb:19:in `call'
lib/gitlab/middleware/go.rb:20:in `call'
lib/gitlab/etag_caching/middleware.rb:21:in `call'
lib/gitlab/middleware/multipart.rb:172:in `call'
lib/gitlab/middleware/read_only/controller.rb:50:in `call'
lib/gitlab/middleware/read_only.rb:18:in `call'
lib/gitlab/middleware/same_site_cookies.rb:27:in `call'
lib/gitlab/middleware/handle_malformed_strings.rb:21:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/middleware/handle_ip_spoof_attack_error.rb:25:in `call'
lib/gitlab/middleware/request_context.rb:21:in `call'
config/initializers/fix_local_cache_middleware.rb:11:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:76:in `call'
lib/gitlab/middleware/release_env.rb:12:in `call'
Possible fixes
I'm not sure... usually when I've seen this kind of thing, it's because someone has tried to pipe a script as input to a binary, and instead of | they used > and overwrote the binary. But this looks just... weird.
Definition of Done
- Bug has been identified and corrected within the container
/cc @ironbank-notifications/bug
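
The symptom reported above (which openssl prints a shell function while /usr/bin/openssl does not exist) can be checked for any command with the following added example, which is not part of the original report or of the container image. The helper names find_on_path and diagnose_cmd are hypothetical, and the check assumes the backing binary would live in a directory on $PATH.

```shell
#!/bin/sh
# Added diagnostic example; find_on_path and diagnose_cmd are hypothetical helpers.

# find_on_path NAME: print the first executable regular file called NAME on $PATH.
find_on_path() {
    name=$1
    old_ifs=$IFS
    IFS=:
    for dir in $PATH; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS=$old_ifs
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS=$old_ifs
    return 1
}

# diagnose_cmd NAME: classify how NAME resolves in the current shell.
#   binary:<path>      resolves directly to an executable file
#   shadowed:<path>    a function, alias or builtin sits in front of a real binary
#   wrapper-no-binary  a function or alias exists but no binary is on PATH
#                      (the situation described in this report)
#   missing            the name does not resolve at all
diagnose_cmd() {
    name=$1
    # command -v prints a path for binaries and the bare name for functions/builtins.
    resolved=$(command -v "$name" 2>/dev/null) || resolved=
    path=$(find_on_path "$name") || path=
    case "$resolved" in
        /*) echo "binary:$resolved" ;;
        "") if [ -n "$path" ]; then echo "binary:$path"; else echo "missing"; fi ;;
        *)  if [ -n "$path" ]; then echo "shadowed:$path"; else echo "wrapper-no-binary"; fi ;;
    esac
}
```

Source the file in the container's interactive shell and run diagnose_cmd openssl; a result of wrapper-no-binary means the profile script that defines the function is present but the binary it calls was never installed or has been removed.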