Page MenuHomeFreeBSD
Differential D51404

release: Don't install caroot in OCI images.
ClosedPublic
Actions

Authored by des on Jul 18 2025, 10:00 AM.
Tags
None
Referenced Files
Unknown Object (File)
Thu, Aug 14, 10:46 PM
Unknown Object (File)
Tue, Jul 29, 2:19 AM
Unknown Object (File)
Mon, Jul 28, 5:24 PM
Unknown Object (File)
Mon, Jul 28, 1:54 AM
Unknown Object (File)
Mon, Jul 28, 12:42 AM
Unknown Object (File)
Jul 22 2025, 7:09 PM
Unknown Object (File)
Jul 20 2025, 10:16 AM
Unknown Object (File)
Jul 20 2025, 10:16 AM
View All 11 Files
Subscribers
imp
jrtc27

Details

Reviewers
dfr
Commits
rG5fe15d7cf39b: release: Don't install caroot in OCI images.
Summary

Instead, use certctl to install certificates directly from the source
tree into the image.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

des created this revision.Jul 18 2025, 10:00 AM
Herald added subscribers: jrtc27, imp. · View Herald TranscriptJul 18 2025, 10:00 AM
des requested review of this revision.Jul 18 2025, 10:00 AM
Harbormaster completed remote builds in B65553: Diff 158728.Jul 18 2025, 10:00 AM
des mentioned this in D42095: release: Let caroot depend on certctl, not vice versa..Jul 19 2025, 9:40 PM
dfr accepted this revision.Jul 22 2025, 10:56 AM

Sorry - I didn't see the notification for this one. I spent some time yesterday trying to do something similar but this version is much nicer. I tested it locally and everything looks right - I had to patch it to run certctl.sh from ${srcdir} instead running the host's certctl.

release/tools/oci-image-static.conf
28

I needed to change this to ${srcdir}/use.sbin/certctl/certctl.sh so that I could build on a host which doesn't have the certctl which supports copies.

This revision is now accepted and ready to land.Jul 22 2025, 10:56 AM
des marked an inline comment as done.Jul 22 2025, 7:06 PM
des added inline comments.
release/tools/oci-image-static.conf
28

That won't work after D42320 though.

des marked an inline comment as done.Jul 22 2025, 7:06 PM
Closed by commit rG5fe15d7cf39b: release: Don't install caroot in OCI images. (authored by des). · Explain WhyJul 22 2025, 7:08 PM
This revision was automatically updated to reflect the committed changes.
des added a commit: rG5fe15d7cf39b: release: Don't install caroot in OCI images..
dfr added inline comments.Jul 23 2025, 7:30 AM
release/tools/oci-image-static.conf
28

That is probably fine. For re@ builds, everything happens in a chroot with all fresh binaries. For my own local testing of image builds, I often skip that but I'm sure I can work around any problems with the C version when that lands.

Revision Contents
Changeset List

PathSize
release/
tools/
7 lines

Diff 158914

View Options

release/tools/oci-image-static.conf

Loading...