我尝试在 docker 启动之前运行 coreOS 。如果运行后 docker 立即重新启动,update-ca-certificates也是可以的。update-ca-certificates
我在云配置中创建了一个新单元:
- name: updatecertificates.service
command: start
content: |
[Unit]
Description=Update the certificates w/ self-signed root CAs
Before=docker.service
[Service]
ExecStart=/usr/sbin/update-ca-certificates
RemainAfterExit=yes
Type=oneshot
它确实运行了,但没有docker.service按我需要的时间提前。
我尝试修改该docker.service单元,但是甚至无法成功启动docker守护进程。
关于如何强制updatecertificates按正确顺序运行或如何在updatecertificates激活后重新启动 docker 服务有什么想法吗?
答案1
这里存在同样的问题,但我意识到这个单元已经存在:
core@worker-1 ~ $ systemctl cat update-ca-certificates.service
# /usr/lib64/systemd/system/update-ca-certificates.service
[Unit]
Description=Update CA bundle at /etc/ssl/certs/ca-certificates.crt
# Since other services depend on the certificate store run this early
DefaultDependencies=no
Wants=systemd-tmpfiles-setup.service clean-ca-certificates.service
After=systemd-tmpfiles-setup.service clean-ca-certificates.service
Before=sysinit.target
ConditionPathIsReadWrite=/etc/ssl/certs
# Do nothing if update-ca-certificates has never been run before
ConditionPathIsSymbolicLink=!/etc/ssl/certs/ca-certificates.crt
[Service]
Type=oneshot
ExecStart=/usr/sbin/update-ca-certificates --skip-rehash
尝试这个:
- name: "update-ca-certificates.service"
drop-ins:
- name: 50-rehash-certs.conf
content: |
[Unit]
ConditionPathIsSymbolicLink=
[Service]
ExecStart=
ExecStart=/usr/sbin/update-ca-certificates