This makes it possible to remove the caroot package and still have the
tool needed to install its replacement (e.g. security/ca_root_nss).
MFC after: 3 days
Details
Details
- Reviewers
dfr freebsd_igalic.co ivy - Group Reviewers
pkgbase - Commits
- rGc19877b03f8c: release: Let caroot depend on certctl, not vice versa.
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Skipped - Unit
Tests Skipped - Build Status
Buildable 53870 Build 50761: arc lint + arc unit
Event Timeline
Comment Actions
My goal with the previous change (hash 1d7ffb3) was to be able to install the caroot files in an empty chroot. This can be used as a base container image for statically linked SSL workloads. The other change in that commit to separate out openssl libs allows for a similar (but slightly larger) base image for dynamically linked SSL workloads. When building these images, I use the build host's certctl with DESTDIR set to generate the contents of $chroot/etc/ssl.
Making caroot depend on certctl would pull in the whole of the runtime package which is not wanted for these use-cases. I particularly want to avoid installing base utilities and /bin/sh along with their libraries - its a waste of space and expands the attack surface within the container.
Comment Actions
You'd still need to hash them. So a better solution is to modify certctl to copy instead of symlinking, and just run certctl -D /path/to/jail without installing anything.
Comment Actions
I don't want to install the build host's certs - I want the ones from the caroot package that my build system spits out for the freebsd version that matches the version I want for the container image.
I'm guessing that your goal is to be able to install certctl without caroot from base and then hash data from somewhere else (e.g. security/ca_root_nss). If so, we could both get what we want if the certs move to a new package, e.g. caroot-data and then caroot can just depend on both caroot-data and certctl. I can install caroot-data into my tiny images and you can install certctl without caroot-data. Would that work?
Comment Actions
I'm lost, what would caroot contain then ?
Probably just the install scripts that rehash the data? It starts to look like a metapackage which I know you don't like. Do you have any other suggestions on a way forward? I really don't want to back out my previous change to split caroot and certctl apart
Perhaps just remove the dependency from caroot to certctl entirely?
Comment Actions
The script is in certctl right now, having an empty meta-package just for a post-install script seems a bad design to me.
Perhaps just remove the dependency from caroot to certctl entirely?
That's what I was asking myself earlier but the problem with this approch is that if you pkg install FreeBSD-\* (or something like that) nothing guaranty that caroot will be installed before certctl and you have a non fonctional installation because certctl wasn't run.
Comment Actions
Perhaps just remove the dependency from caroot to certctl entirely?
That's what I was asking myself earlier but the problem with this approch is that if you pkg install FreeBSD-\* (or something like that) nothing guaranty that caroot will be installed before certctl and you have a non fonctional installation because certctl wasn't run.
Yes, that would be a problem. I can't currently think of a way around that without the caroot 'metapackage'. I don't really think of it in the same way as a kind of 'package group' metapackage - in this case it serves a specific function to get the right ordering of package installs and initialisations.
Comment Actions
It's too bad we can't have a shared pkg-install that will just run certctl once when either caroot or certctl (or both) are updated, the former only if there's an executable certctl in $PATH.
Comment Actions
i noticed this while installing a new jail the other day and i think this change makes sense: the current dependency order is rather confusing, at least to me. i appreciate this might break some container use cases but that seems less important (even though, ideally, we should support both).
Comment Actions
I think this is wrong. This makes it impossible to install caroot without pulling in all of FreeBSD-runtime. My though process is 'can I use caroot without certctl' and the answer is a qualified yes - it can be done by running certctl with DESTDIR set. Conversely, 'can I use certctl without caroot' - clearly not since certctl is useless without certs. Therefor (in my mind), certctl should depend on caroot, not the other way around.
| release/packages/ucl/caroot.ucl | ||
|---|---|---|
| 2 ↗ | (On Diff #158598) | This will break the release OCI image build by installing FreeBSD-certctl and FreeBSD-runtime into images which should not have those packages installed. |
Comment Actions
The other way round can be defended too: your certctl with DESTDIR means certctl has use even if the host doesn’t have any certs. Maybe neither should depend on the other and there should be a meta package that is both? (Maybe with some renaming of existing packages to make it clear)
Comment Actions
Honestly, I think this is the best approach but in the past there has been pushback on adding pkgbase meta packages but I'm not sure I really understood why.
Comment Actions
No, certctl is not useless without the caroot package. It can still be used to hash certificates installed from ports or some other source. On the other hand, installing caroot without the tool needed to hash the certificates it contains makes no sense.
Comment Actions
It makes perfect sense for building tiny images where certctl is only needed at build time. Installing it in the image pulls in CLI tools such as openssl and sh which are unwanted in this type of image.
Comment Actions
I'm pretty sure this broke the OCI image build - did you not see my comment above. I don't have time to deal with this in the near future - please either back this out or fix the image build script to use the new certctl feature.