
Fix issue with newer MongoDB requiring TLS trust chain

Before:

```console
$ ./test/run.sh -t mongo-tls-basics -t mongo-tls-auth mongo:4.4.29
testing mongo:4.4.29
	'mongo-tls-basics' [1/2]...librarytest/mongo-tls:mongo-4.4.29 stopped unexpectedly!
++ docker logs c6b35d558bcd95eeb36932e02b289b1d9e62283aa05e143a1cda20b6fbcf476f
{"t":{"$date":"2024-02-28T22:56:30.628Z"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":72,"codeName":"InvalidOptions","errmsg":"The use of TLS without specifying a chain of trust is no longer supported. See https://jira.mongodb.org/browse/SERVER-72839 for details."}}}
failed
	'mongo-tls-auth' [2/2]...librarytest/mongo-tls:mongo-4.4.29 stopped unexpectedly!
++ docker logs 0417420c857d936cbd80e34f43450b624ada55e543de3fa42325d7a7fe7876fc
{"t":{"$date":"2024-02-28T22:56:32.344Z"},"s":"F",  "c":"CONTROL",  "id":20574,   "ctx":"main","msg":"Error during global initialization","attr":{"error":{"code":72,"codeName":"InvalidOptions","errmsg":"The use of TLS without specifying a chain of trust is no longer supported. See https://jira.mongodb.org/browse/SERVER-72839 for details."}}}
failed
```

After:

```console
$ ./test/run.sh -t mongo-tls-basics -t mongo-tls-auth mongo:4.4.29
testing mongo:4.4.29
	'mongo-tls-basics' [1/2]....passed
	'mongo-tls-auth' [2/2]....passed
```
Tianon Gravi 1 year ago
parent
commit
3d0901f245
1 changed files with 11 additions and 22 deletions
  1. 11 22
      test/tests/mongo-basics/run.sh

+ 11 - 22
test/tests/mongo-basics/run.sh

@@ -55,7 +55,7 @@ if [[ "$testName" == *tls* ]]; then
 			openssl verify -CAfile /certs/ca.crt /certs/cert.crt
 
 		FROM $image
-		# gotta be :0 because percona's mongo doesn't have a mongodb group and estesp slayed tianon with https://github.com/moby/moby/pull/34263/files#diff-f157a3a45b3e5d85aadff73bff1f5a7cR170-R171
+		# gotta be :0 because percona's mongo doesn't have a mongodb group and estesp slayed tianon with https://github.com/moby/moby/commit/a1183dda578f531ef65766611f9e16a0636e3a17#diff-2d1cd0cbc407f38960e628655d0f29f3bf49219da7be0d1f60d2ba42a8b10bfcR170-R171
 		COPY --from=certs --chown=mongodb:0 /certs /certs
 		RUN cat /certs/cert.crt /certs/private.key > /certs/both.pem # yeah, what
 	EOD
@@ -63,27 +63,16 @@ if [[ "$testName" == *tls* ]]; then
 	mongodRunArgs+=(
 		--hostname mongo
 	)
-	# test for 4.2+ (where "s/ssl/tls/" was applied to all related options/flags)
-	# see https://docs.mongodb.com/manual/tutorial/configure-ssl/#procedures-using-net-ssl-settings
-	if docker run --rm "$image" mongod --help 2>&1 | grep -q -- ' --tlsMode '; then
-		mongodCmdArgs+=(
-			--tlsMode requireTLS
-			--tlsCertificateKeyFile /certs/both.pem
-		)
-		mongoArgs+=(
-			--tls
-			--tlsCAFile /certs/ca.crt
-		)
-	else
-		mongodCmdArgs+=(
-			--sslMode requireSSL
-			--sslPEMKeyFile /certs/both.pem
-		)
-		mongoArgs+=(
-			--ssl
-			--sslCAFile /certs/ca.crt
-		)
-	fi
+	mongodCmdArgs+=(
+		--tlsMode requireTLS
+		--tlsCAFile /certs/ca.crt # https://jira.mongodb.org/browse/SERVER-72839
+		--tlsCertificateKeyFile /certs/both.pem
+		--tlsAllowConnectionsWithoutCertificates # likely unintended consequence of https://jira.mongodb.org/browse/SERVER-72839 is that we now have to set *either* --tlsCAFile or "tlsUseSystemCA" but the catch is that the latter can *only* be set via the config file and setting the former changes the default behavior to require mutual TLS 🙃
+	)
+	mongoArgs+=(
+		--tls
+		--tlsCAFile /certs/ca.crt
+	)
 fi
 
 cid="$(docker run "${mongodRunArgs[@]}" "$image" "${mongodCmdArgs[@]}")"
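Review bot: The second hunk drops the `mongod --help | grep -q -- ' --tlsMode '` probe along with the `--sslMode`/`--sslPEMKeyFile` fallback, so any image that still only understands the pre-4.2 `ssl*` spellings would now fail at startup on an unknown option rather than on the trust-chain error the commit fixes; if those versions are deliberately out of scope for this test, a one-line comment saying so above `mongodCmdArgs+=(` would save the next reader from re-adding the probe. Separately, the rationale for `--tlsAllowConnectionsWithoutCertificates` is carried as a very long trailing comment on the option line itself; I would move it to a short comment block above the array stating the effect on the test, e.g. `# setting --tlsCAFile makes mongod require client certificates by default; the test client only verifies the server, so allow cert-less connections`, and keep the SERVER-72839 link next to `--tlsCAFile`. The `if [[ "$testName" == *tls* ]]` block closes inside the hunk, but the script continues past it.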