Bugzilla – Bug 1028568
system:snappy/snapd: lxd doesn't work (x509: failed to load system roots and no roots provided)
Last modified: 2017-06-07 12:42:51 UTC
I installed lxd snap following instructions from [1] on my tumbleweed machine running snapd 2.23.1-3

zyga@undvik:~> lxd.lxc launch ubuntu:16.04 xenial
If this is your first time using LXD, you should also run: sudo lxd init
To start your first container, try: lxc launch ubuntu:16.04

Creating xenial
error: Get https://cloud-images.ubuntu.com/releases/streams/v1/index.json: x509: failed to load system roots and no roots provided
zyga@undvik:~> snap version
snap 2.23.1-3.2
snapd 2.23.1-3.2
series 16
opensuse 20170308
kernel 4.10.1-1-default

This looks related to SSL certificates.
To answer my own bug report, this is related to where SSL certificates are stored on OpenSUSE. On my tumbleweed machine I see this:

zyga@undvik:/etc/ssl> ls -la
razem 20
drwxr-xr-x 1 root root 72 02-25 18:17 .
drwxr-xr-x 1 root root 5212 03-08 23:24 ..
lrwxrwxrwx 1 root root 38 2016-06-15 ca-bundle.pem -> /var/lib/ca-certificates/ca-bundle.pem
lrwxrwxrwx 1 root root 28 2016-06-15 certs -> /var/lib/ca-certificates/pem
-rw-r--r-- 1 root root 10835 02-07 12:39 openssl.cnf
drwx------ 1 root root 0 02-07 12:39 private

At runtime the /etc directory is the real one from the host system but the rest of the filesystem is the one from the core snap. What we will then see is a symlink from /etc/ssl/certs to /var/lib/ca-certificates/pem that is just broken (the symlink).

I think this calls into question two design decisions:
- the sharing of /etc -- we should probably share less of /etc (perhaps none and then see what's missing)
- the way SSL certificates are managed in snappy (both in classic and core installations)
@zyga: We already revert /etc/alternatives to come from the core snap; we could do the same with /etc/ssl too to get this particular problem fixed too.
This is fixed now and LXD works fine with the latest 2.25 based package.
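
The failure diagnosed in the comments above, as an added example that is not part of the bug report or of snapd: a shell sketch that resolves the two /etc/ssl symlinks from the listing against a different root filesystem and reports the ones that dangle. The function names, the etc_dir/root_dir parameters and the temporary fixture tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not snapd code): find /etc/ssl entries that dangle when the
# host's /etc is combined with another root filesystem.
# etc_dir / root_dir are parameters of this sketch, not snapd settings.

# resolve_in_root ETC_DIR ROOT_DIR PATH -> prints ok | missing | dangling -> TARGET
resolve_in_root() {
    etc_dir=$1 root_dir=$2 want=$3
    entry="$etc_dir${want#/etc}"          # /etc/... always comes from the host
    if [ -L "$entry" ]; then
        target=$(readlink "$entry")
        case $target in
            /etc/*) real="$etc_dir${target#/etc}" ;;   # stays inside shared /etc
            /*)     real="$root_dir$target" ;;         # looked up in the other root
            *)      real="$(dirname "$entry")/$target" ;;
        esac
        if [ -e "$real" ]; then echo ok; else echo "dangling -> $target"; fi
    elif [ -e "$entry" ]; then
        echo ok
    else
        echo missing
    fi
}

# check_trust_store ETC_DIR ROOT_DIR: non-zero exit if any path is unusable.
check_trust_store() {
    rc=0
    for p in /etc/ssl/certs /etc/ssl/ca-bundle.pem; do
        state=$(resolve_in_root "$1" "$2" "$p")
        printf '%s: %s\n' "$p" "$state"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}

# make_fixture DIR: constructed sample tree. DIR/host mirrors the symlinks in
# the listing from the report; DIR/core is a root without /var/lib/ca-certificates.
make_fixture() {
    mkdir -p "$1/host/etc/ssl" "$1/host/var/lib/ca-certificates/pem" "$1/core"
    : > "$1/host/var/lib/ca-certificates/ca-bundle.pem"
    ln -s /var/lib/ca-certificates/pem "$1/host/etc/ssl/certs"
    ln -s /var/lib/ca-certificates/ca-bundle.pem "$1/host/etc/ssl/ca-bundle.pem"
}

tmp=$(mktemp -d) && make_fixture "$tmp"
echo "host view:";  check_trust_store "$tmp/host/etc" "$tmp/host" || true
echo "mixed view:"; check_trust_store "$tmp/host/etc" "$tmp/core" || true
rm -rf "$tmp"
```

Only the first symlink hop is remapped onto the other root; a chain of absolute symlinks would need the same treatment at each hop.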