diff options
author | Kyle Evans <kevans@FreeBSD.org> | 2020-09-24 18:36:31 +0000 |
---|---|---|
committer | Kyle Evans <kevans@FreeBSD.org> | 2020-09-24 18:36:31 +0000 |
commit | 718a6114c49b75836673895fe15d9b85c0d4f64e (patch) | |
tree | 559da9aa3ee01e906f51ede8cce4a26e9456192f | |
parent | 23ad3c58fe8545b89190342e34bb9dfa6085e3db (diff) | |
download | src-test2-718a6114c49b75836673895fe15d9b85c0d4f64e.tar.gz src-test2-718a6114c49b75836673895fe15d9b85c0d4f64e.zip |
MFS r365987: certctl rehash upon install/distribute
r365829:
installworld: run `certctl rehash` after installation completes
This was originally introduced back in r360833, and subsequently reverted
because it was broken for -DNO_ROOT builds and it may not have been the
correct place for it.
While debatably this may still not be 'the correct place,' it's much cleaner
than scattering rehashes all throughout the tree. brooks has fixed the issue
with -DNO_ROOT by properly writing to the METALOG in r361397.
Do note that this is different than what was originally committed; brooks
had revisions in D24932 that made it actually use the revised unprivileged
mode and write to METALOG, along with being a little more friendly to
foreign crossbuilds and just using the certctl in-tree.
With this change, I believe we should now have a populated /etc/ssl/certs in
the VM images.
r365837:
Promote the installworld `certctl rehash` to distributeworld
Contrary to my belief, installworld is not sufficient for getting certs
installed into VM images. Promote the rehash to both installworld and
distributeworld (notably: not stageworld) and rehash the base distdir so we
end up with /etc/ssl/certs populated in the base dist archive. A future
commit will remove the rehash from bsdinstall, which doesn't really need to
happen if they're installed into base.txz.
While here, fix a minor typo: s/CERTCLTFLAGS/CERTCTLFLAGS/
r365852:
Revert r361257: bsdinstall: do a `certctl rehash` upon installation [...]
As of r365829, any given base distribution set will now include the /etc/ssl
symlinks that this rehash would've otherwise installed. This extra step is
no longer required.
Approved by: re (gjb)
Notes
Notes:
svn path=/releng/12.2/; revision=366125
-rw-r--r-- | Makefile.inc1 | 17 | ||||
-rwxr-xr-x | usr.sbin/bsdinstall/scripts/config | 3 |
2 files changed, 16 insertions, 4 deletions
diff --git a/Makefile.inc1 b/Makefile.inc1 index 541858e29ac8..0236c721eeea 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -849,7 +849,9 @@ INSTALL_DDIR= ${_INSTALL_DDIR:S://:/:g:C:/$::} METALOG?= ${DESTDIR}/${DISTDIR}/METALOG METALOG:= ${METALOG:C,//+,/,g} IMAKE+= -DNO_ROOT METALOG=${METALOG} -INSTALLFLAGS+= -U -M ${METALOG} -D ${INSTALL_DDIR} +METALOG_INSTALLFLAGS= -U -M ${METALOG} -D ${INSTALL_DDIR} +INSTALLFLAGS+= ${METALOG_INSTALLFLAGS} +CERTCTLFLAGS= ${METALOG_INSTALLFLAGS} MTREEFLAGS+= -W .endif .if defined(BUILD_PKGS) @@ -859,6 +861,11 @@ INSTALLFLAGS+= -h sha256 IMAKE_INSTALL= INSTALL="install ${INSTALLFLAGS}" IMAKE_MTREE= MTREE_CMD="mtree ${MTREEFLAGS}" .endif +.if make(distributeworld) +CERTCTLDESTDIR= ${DESTDIR}/${DISTDIR}/base +.else +CERTCTLDESTDIR= ${DESTDIR} +.endif DESTDIR_MTREEFLAGS= -deU # When creating worldtmp we don't need to set the directories as owned by root @@ -1419,6 +1426,14 @@ distributeworld installworld stageworld: _installcheck_world .PHONY ${DESTDIR}/${DISTDIR}/${dist}.debug.meta .endfor .endif +.endif # make(distributeworld) +.if !make(packageworld) && ${MK_CAROOT} != "no" + @if which openssl>/dev/null; then \ + DESTDIR=${CERTCTLDESTDIR} \ + sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash \ + else \ + echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \ + fi .endif packageworld: .PHONY diff --git a/usr.sbin/bsdinstall/scripts/config b/usr.sbin/bsdinstall/scripts/config index 5b3ef996251a..cdc307176ea3 100755 --- a/usr.sbin/bsdinstall/scripts/config +++ b/usr.sbin/bsdinstall/scripts/config @@ -55,9 +55,6 @@ cp $BSDINSTALL_TMPBOOT/* $BSDINSTALL_CHROOT/boot # Set up other things from installed config chroot $BSDINSTALL_CHROOT /usr/bin/newaliases > /dev/null 2>&1 -if [ -x $BSDINSTALL_CHROOT/usr/sbin/certctl ]; then - chroot $BSDINSTALL_CHROOT /usr/sbin/certctl rehash -fi exit 0 |