Invoking `update-ca-trust` in a toolbox container wipes the contents of the /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem file.

Reproducible: Always

Steps to Reproduce:
1. Create the toolbox and enter
$ podman pull fedora-toolbox:43
$ toolbox create --release 43 test-43-tbx
$ toolbox enter test-43-tbx

2. In toolbox:
$ ls -la /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-r--r--r--. 1 root root 226489 Aug 11 08:20 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
$ sudo update-ca-trust
$ ls -la /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
-r--r--r--. 1 root root 0 Aug 11 13:45 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Actual Results:
The size of the file changes to 0 as indicated by the reproducer.

Expected Results:
The file should stay the same or be updated.

Additional Information:
This doesn't happen on the host nor in a classical VM.
I had discussed this with Daiki Ueno and Zoltán Fridrich a few weeks ago, and Daiki tracked it down to this p11-kit commit: https://github.com/p11-glue/p11-kit/pull/365 https://github.com/p11-glue/p11-kit/commit/b3243a754763f6df19351593781b88e277a324bc
Thanks Debarshi,

I can see that it is being tracked upstream: https://github.com/p11-glue/p11-kit/issues/692

I will move this to p11-kit so that we have a Fedora tracker.
Could you please provide a simple way to disable:

5ed2442 * Give access to the CA certificates from the host

in toolbox, like an environment variable?

Currently `dnf update ca-certificates` etc. basically breaks a F43+ fedora-toolbox.
(Currently the only simple way seems to be removing p11-kit-server from the host, but this is also used for flatpak, so removing it is undesirable. And I think p11-kit-client needs to be removed from the toolbox image before a container is set up and run?)
(In reply to Frantisek Krenzelok from comment #2)
> I can see that it is being tracked upstream:
> https://github.com/p11-glue/p11-kit/issues/692

Zoltán tracked this down as a duplicate of: https://github.com/p11-glue/p11-kit/issues/686

He said that he is testing a fix for this at the moment. (Thanks, Zoltán!)
(In reply to Jens Petersen from comment #3)
> Could you please provide a simple way to disable:
>
> 5ed2442 * Give access to the CA certificates from the host
>
> in toolbox, like an environment variable?

One way to work around this problem is to remove `/etc/pkcs11/modules/p11-kit-trust.module` and `/usr/lib64/pkcs11/p11-kit-client.so` from the container. Delete the former with `rm(1)`, and the latter by removing the `p11-kit-client` (Rawhide and F43) or `p11-kit-server` (F41 and F42) RPM. Stop the container with `podman stop` and try to `enter` it again and it should work as before.

(In reply to Jens Petersen from comment #4)
> (Currently the only simple way seems to be removing p11-kit-server from the
> host, but this is also used for flatpak, so removing it is undesirable.

Yes, correct.

> And I think p11-kit-client needs to be removed from the toolbox image before
> a container is set up and run?)

It can be removed from the container. Toolbx won't install the RPM at runtime if it's not there. See above for the details.
(In reply to Debarshi Ray from comment #6)
> (In reply to Jens Petersen from comment #3)
> > Could you please provide a simple way to disable:
> >
> > 5ed2442 * Give access to the CA certificates from the host
> >
> > in toolbox, like an environment variable?
>
> One way to work around this problem is to remove
> `/etc/pkcs11/modules/p11-kit-trust.module` and
> `/usr/lib64/pkcs11/p11-kit-client.so` from the container. Delete the former
> with `rm(1)`, and the latter by removing the `p11-kit-client` (Rawhide and
> F43) or `p11-kit-server` (F41 and F42) RPM. Stop the container with `podman
> stop` and try to `enter` it again and it should work as before.

Oh, and one more step. You need to run 'sudo update-ca-trust' to rebuild the files (i.e., like `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, etc.) that got emptied by `update-ca-trust(8)` when remote p11-kit was in place.

Another workaround is to replace the files in the container that got emptied by `update-ca-trust(8)` (i.e., like `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, etc.) with the ones on the host:

⬢ [rishi@toolbx ~]$ cd /etc/pki/ca-trust/extracted/pem
⬢ [rishi@toolbx pem]$ sudo ln --symbolic /run/host/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem tls-ca-bundle.pem
(In reply to Debarshi Ray from comment #7)
> Another workaround is to replace the files in the container that got
> emptied by `update-ca-trust(8)` (i.e., like
> `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`, etc.) with the ones on
> the host:
>
> ⬢ [rishi@toolbx ~]$ cd /etc/pki/ca-trust/extracted/pem
> ⬢ [rishi@toolbx pem]$ sudo ln --symbolic
> /run/host/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem tls-ca-bundle.pem

I missed a step between those two:

⬢ [rishi@toolbx pem]$ sudo rm tls-ca-bundle.pem
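The second workaround from comments 7 and 8 (rm the emptied bundle, then symlink the host's copy from /run/host), scripted with a check in front of it. This is an added example, not code from the bug report, from Toolbx or from p11-kit: it counts PEM certificate blocks in the container's extracted bundle and only swaps in the symlink when the container file is empty and the host file is not, so it never replaces a bundle that is still intact and never points at a missing or empty host file. The two paths are arguments (the defaults named in the usage note are the ones from this thread); the script name restore-ca-bundle.sh is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report, Toolbx or p11-kit): restore a Toolbx
# container's extracted CA bundle from the host copy exposed under /run/host
# when update-ca-trust(8) has left it empty.

# count_certs FILE
# Print the number of "-----BEGIN CERTIFICATE-----" blocks in FILE;
# prints 0 for a missing or empty file. Follows symlinks.
count_certs() {
    if [ -s "$1" ]; then
        # grep -c exits 1 when the count is 0; the "|| true" keeps a
        # caller running under "set -e" alive in that case.
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# restore_ca_bundle CONTAINER_PEM HOST_PEM
# Replace CONTAINER_PEM with a symlink to HOST_PEM if, and only if,
# CONTAINER_PEM holds no certificates and HOST_PEM holds at least one.
# Returns 0 when CONTAINER_PEM is usable afterwards, 1 otherwise.
restore_ca_bundle() {
    rcb_container=$1
    rcb_host=$2
    rcb_container_n=$(count_certs "$rcb_container")
    rcb_host_n=$(count_certs "$rcb_host")

    if [ "$rcb_container_n" -gt 0 ]; then
        echo "bundle intact: $rcb_container_n certificates in $rcb_container"
        return 0
    fi
    if [ "$rcb_host_n" -eq 0 ]; then
        echo "host bundle $rcb_host is missing or empty; leaving $rcb_container alone" >&2
        return 1
    fi

    # The emptied file is a regular 0444 root-owned file, so ln --symbolic on
    # its own fails with "File exists"; remove it first, as comment 8 notes.
    rm -f "$rcb_container"
    ln -s "$rcb_host" "$rcb_container"
    echo "replaced empty $rcb_container with a symlink to $rcb_host ($rcb_host_n certificates)"
    return 0
}

# Run only when both paths are given, so sourcing the file just defines the
# functions. Inside a Toolbx container this is meant to be run with sudo.
if [ $# -eq 2 ]; then
    restore_ca_bundle "$1" "$2"
fi
```

Inside the affected container the invocation from the thread is `sudo sh restore-ca-bundle.sh /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem /run/host/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem`; the same file can be run against the other extracted bundles (the OpenSSL and Java directories under /etc/pki/ca-trust/extracted) by passing their paths. Once the container's bundle is a symlink, a later `update-ca-trust` in the container will again replace it with a regular file, so the check is worth re-running after any ca-certificates update until the fixed p11-kit is installed.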
Let's move this back to p11-kit then, since it is getting attention upstream now.

Proposing for a Beta Freeze Exception.

Dunno if this qualifies as a Final Blocker: it even affects toolbox on F41 & F42 though. ;-(
+3 for Beta FE in https://pagure.io/fedora-qa/blocker-review/issue/1895 , marking accepted.
FEDORA-2025-af662b3457 (p11-kit-0.25.5-10.fc43) has been submitted as an update to Fedora 43. https://bodhi.fedoraproject.org/updates/FEDORA-2025-af662b3457
FEDORA-2025-af662b3457 has been pushed to the Fedora 43 testing repository.

Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-af662b3457`

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-af662b3457

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-af662b3457 (p11-kit-0.25.5-10.fc43) has been pushed to the Fedora 43 stable repository. If problem still persists, please make note of it in this bug report.