Page MenuHomeFreeBSD

Support METALOG when calling certctl in installworld
ClosedPublic

Authored by brooks on Wed, May 20, 6:19 PM.

Details

Summary

This is a pair of commits for conceptual review and is missingdocumentation and usage() updates to certctl.

----certctl: handle METALOG like install(1) does

Add an unprivileged mode where calls to install are passed appropriate
flags. For ease of integration, use the same flags as install:

-U		unprivileged mode
-D <destdir>	Specify DESTDIR (overrides the environment)
-M <metalog>	Full path to METALOG file

Support NO_ROOT when calling certctl.

Use the certctl in the source tree rather than trying to figure out
if it supports new features. Key off the existance of openssl in the
path rather than certctl. This is also more friendly to foreign
crossbuilds.

Test Plan

Works in CheriBSD and eliminates warnings about files not in METALOG

Diff Detail

Repository
rS FreeBSD src repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

brooks created this revision.Wed, May 20, 6:19 PM
brooks requested review of this revision.Wed, May 20, 6:19 PM
brooks retitled this revision from Support METALOG when calling certctl in installworld This is a pair of commits for conceptual review and is missing documentation and usage() updates to certctl. ---- certctl: handle METALOG like install(1) does to Support METALOG when calling certctl in installworld.Wed, May 20, 8:41 PM
brooks edited the summary of this revision. (Show Details)
kevans accepted this revision.Thu, May 21, 2:15 AM

I've created a minor merge conflict here and actually backed it out of installworld to facilitate testing of a version in release(7), thinking that I might be able to get it into releng/11.4 and we could refine it later; the release script change is clogged in review, though, so I think 11.4 will just ship without certs on install media and vm images. The latter can, at least, run certctl rehash if they want them.

That said, I think METALOG is an overall win regardless of where all certctl ends up. It's clearly not invasive and doesn't really complicate much of anything. This looks overall good to me.

This revision is now accepted and ready to land.Thu, May 21, 2:15 AM

Given rS361149, I'll convert this review to one of the certctl changes and add docs.

brooks updated this revision to Diff 72098.Thu, May 21, 11:37 PM
  • certctl: handle METALOG like install(1) does
  • Support NO_ROOT when calling certctl.
This revision now requires review to proceed.Thu, May 21, 11:37 PM

I've added documentation. While the backlist command does support the new flags I've not documented it because I'm not convinced it makes sense and unblacklist doesn't support them.

This revision was not accepted when it landed; it landed in state Needs Review.Fri, May 22, 5:45 PM
This revision was automatically updated to reflect the committed changes.