From owner-svn-src-stable-11@freebsd.org Tue Sep 22 02:15:28 2020 Return-Path: Delivered-To: svn-src-stable-11@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D910442648D; Tue, 22 Sep 2020 02:15:28 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BwPzN5MmLz4KXG; Tue, 22 Sep 2020 02:15:28 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 9BC9B18114; Tue, 22 Sep 2020 02:15:28 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 08M2FSb2002958; Tue, 22 Sep 2020 02:15:28 GMT (envelope-from kevans@FreeBSD.org) Received: (from kevans@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 08M2FSdK002957; Tue, 22 Sep 2020 02:15:28 GMT (envelope-from kevans@FreeBSD.org) Message-Id: <202009220215.08M2FSdK002957@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kevans set sender to kevans@FreeBSD.org using -f From: Kyle Evans Date: Tue, 22 Sep 2020 02:15:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-11@freebsd.org Subject: svn commit: r365988 - stable/11 X-SVN-Group: stable-11 X-SVN-Commit-Author: kevans X-SVN-Commit-Paths: stable/11 X-SVN-Commit-Revision: 365988 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable-11@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for only the 11-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 22 Sep 2020 02:15:28 -0000 Author: kevans Date: Tue Sep 22 02:15:28 2020 New Revision: 365988 URL: https://svnweb.freebsd.org/changeset/base/365988 Log: MFC r365829, r365837: certctl rehash upon install/distribute r365829: installworld: run `certctl rehash` after installation completes This was originally introduced back in r360833, and subsequently reverted because it was broken for -DNO_ROOT builds and it may not have been the correct place for it. While debatably this may still not be 'the correct place,' it's much cleaner than scattering rehashes all throughout the tree. brooks has fixed the issue with -DNO_ROOT by properly writing to the METALOG in r361397. Do note that this is different than what was originally committed; brooks had revisions in D24932 that made it actually use the revised unprivileged mode and write to METALOG, along with being a little more friendly to foreign crossbuilds and just using the certctl in-tree. With this change, I believe we should now have a populated /etc/ssl/certs in the VM images. r365837: Promote the installworld `certctl rehash` to distributeworld Contrary to my belief, installworld is not sufficient for getting certs installed into VM images. Promote the rehash to both installworld and distributeworld (notably: not stageworld) and rehash the base distdir so we end up with /etc/ssl/certs populated in the base dist archive. A future commit will remove the rehash from bsdinstall, which doesn't really need to happen if they're installed into base.txz. While here, fix a minor typo: s/CERTCLTFLAGS/CERTCTLFLAGS/ Modified: stable/11/Makefile.inc1 Directory Properties: stable/11/ (props changed) Modified: stable/11/Makefile.inc1 ============================================================================== --- stable/11/Makefile.inc1 Tue Sep 22 02:14:55 2020 (r365987) +++ stable/11/Makefile.inc1 Tue Sep 22 02:15:28 2020 (r365988) @@ -647,7 +647,9 @@ INSTALL_DDIR= ${_INSTALL_DDIR:S://:/:g:C:/$::} METALOG?= ${DESTDIR}/${DISTDIR}/METALOG METALOG:= ${METALOG:C,//+,/,g} IMAKE+= -DNO_ROOT METALOG=${METALOG} -INSTALLFLAGS+= -U -M ${METALOG} -D ${INSTALL_DDIR} +METALOG_INSTALLFLAGS= -U -M ${METALOG} -D ${INSTALL_DDIR} +INSTALLFLAGS+= ${METALOG_INSTALLFLAGS} +CERTCTLFLAGS= ${METALOG_INSTALLFLAGS} MTREEFLAGS+= -W .endif .if defined(BUILD_PKGS) @@ -657,6 +659,11 @@ INSTALLFLAGS+= -h sha256 IMAKE_INSTALL= INSTALL="install ${INSTALLFLAGS}" IMAKE_MTREE= MTREE_CMD="mtree ${MTREEFLAGS}" .endif +.if make(distributeworld) +CERTCTLDESTDIR= ${DESTDIR}/${DISTDIR}/base +.else +CERTCTLDESTDIR= ${DESTDIR} +.endif # kernel stage KMAKEENV= ${WMAKEENV} @@ -1104,6 +1111,14 @@ distributeworld installworld stageworld: _installcheck ${DESTDIR}/${DISTDIR}/${dist}.debug.meta .endfor .endif +.endif # make(distributeworld) +.if !make(packageworld) && ${MK_CAROOT} != "no" + @if which openssl>/dev/null; then \ + DESTDIR=${CERTCTLDESTDIR} \ + sh ${SRCTOP}/usr.sbin/certctl/certctl.sh ${CERTCTLFLAGS} rehash \ + else \ + echo "No openssl on the host, not rehashing certificates target -- /etc/ssl may not be populated."; \ + fi .endif packageworld: .PHONY