From 6751326e804fff2f01f49f128456c7a8a5a184a5 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Fri, 12 Jun 2015 18:59:10 -0700 Subject: [PATCH] ca-certificates: match /usr/share/ca-certificates to /etc/ssl/certs It is a common pattern to bind mount /etc/ssl/certs from the host system into a container. This doesn't work on CoreOS because /etc/ssl/certs is just a pile of symlinks to /usr. If the applications in the container use Go then binding /usr/share/ca-certificates to /etc/ssl/certs does happen to work because Go only needs ca-certificates.crt which is in that top level directory. This however does not work for OpenSSL applications because it needs a whole directory of hashed certificates. To fix this change two things: - Remove the `mozilla` directory left over from when certs came from multiple sources. Install certs in ca-certificates directory instead. - Include the OpenSSL hash symlinks in ca-certificates. --- ....ebuild => ca-certificates-3.16-r3.ebuild} | 60 +++++++++++++------ 1 file changed, 43 insertions(+), 17 deletions(-) rename sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/{ca-certificates-3.16-r2.ebuild => ca-certificates-3.16-r3.ebuild} (55%) diff --git a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild similarity index 55% rename from sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild rename to sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild index 064bac08a7..0f70a006f7 100644 --- a/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r2.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/app-misc/ca-certificates/ca-certificates-3.16-r3.ebuild @@ -26,40 +26,62 @@ RDEPEND="dev-libs/openssl DEPEND="${RDEPEND} ${PYTHON_DEPS}" -sym_to_usr() { - local l="/etc/ssl/certs/${1##*/}" - local p="../../../usr/share/${PN}/${1}" - echo "L ${l} - - - - ${p}" +pkg_setup() { + python-any-r1_pkg_setup + + # Deal with the case where older ca-certificates installed a + # dir here, but newer one installs symlinks. Portage will + # barf when you try to transition file types. + # This trick is stolen from sys-libs/timezone-data + if cd "${EROOT}"/usr/share/${PN} 2>/dev/null ; then + # In case of a failed upgrade, clean up the symlinks #506570 + if [ -L .gentoo-upgrade ] ; then + rm -rf mozilla .gentoo-upgrade + fi + if [ -d mozilla ] ; then + rm -rf .gentoo-upgrade #487192 + mv mozilla .gentoo-upgrade || die + ln -s .gentoo-upgrade mozilla || die + fi + fi +} + +gen_hash_links() { + local certfile certhash + for certfile in "$@"; do + certhash=$(openssl x509 -hash -noout -in "${certfile}") || die + # This assumes the hashes have no collisions + ln -s "${certfile}" "${certhash}.0" || die + done } gen_tmpfiles() { local certfile echo "d /etc/ssl - - - - -" echo "d /etc/ssl/certs - - - - -" - sym_to_usr ca-certificates.crt for certfile in "$@"; do - sym_to_usr "${certfile}" - done - for certfile in "$@"; do - local certhash=$(openssl x509 -hash -noout -in "${certfile}") - # This assumes the hashes have no collisions - local l="/etc/ssl/certs/${certhash}.0" - local p="${certfile##*/}" + local l="/etc/ssl/certs/${certfile}" + local p="../../../usr/share/${PN}/${certfile}" echo "L ${l} - - - - ${p}" done } src_compile() { local certdata="${MY_P}/nss/lib/ckfw/builtins/certdata.txt" - ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" mozilla || die - cat mozilla/*.pem > ca-certificates.crt || die - gen_tmpfiles mozilla/*.pem > ${PN}.conf || die + ${PYTHON} "${FILESDIR}/certdata2pem.py" "${certdata}" certs || die + + cd certs || die + gen_hash_links *.pem + cat *.pem > ca-certificates.crt || die + gen_tmpfiles * > "${S}/${PN}.conf" || die } src_install() { insinto /usr/share/${PN} - doins ca-certificates.crt - doins -r mozilla + doins certs/* + + # for compatibility with older directory structure + dosym . /usr/share/${PN}/mozilla dosbin "${FILESDIR}/update-ca-certificates" systemd_dounit "${FILESDIR}/clean-ca-certificates.service" @@ -72,3 +94,7 @@ src_install() { dodir /etc/ssl/certs systemd-tmpfiles --root="${D}" --create } + +pkg_postinst() { + rm -rf "${EROOT}"/usr/share/${PN}/.gentoo-upgrade +}