Module Name:    src
Committed By:   martin
Date:           Mon Oct 2 13:26:04 UTC 2023

Modified Files:
        src/distrib/amd64/liveimage/emuimage [netbsd-10]: rc.conf.emuimage
        src/distrib/evbarm/liveimage/armimage [netbsd-10]: rc.conf.armimage
        src/distrib/sets/lists/etc [netbsd-10]: mi
        src/distrib/utils/embedded/conf [netbsd-10]: evbarm.conf evbmips.conf usermode.conf x86.conf
        src/etc/defaults [netbsd-10]: rc.conf
        src/etc/rc.d [netbsd-10]: Makefile
Added Files:
        src/etc/rc.d [netbsd-10]: certctl_init

Log Message:
Pull up following revision(s) (requested by riastradh in ticket #381):

        distrib/utils/embedded/conf/evbarm.conf: revision 1.42
        distrib/sets/lists/etc/mi: revision 1.273
        etc/rc.d/Makefile: revision 1.118
        distrib/utils/embedded/conf/usermode.conf: revision 1.7
        etc/rc.d/certctl_init: revision 1.1
        distrib/evbarm/liveimage/armimage/rc.conf.armimage: revision 1.2
        etc/defaults/rc.conf: revision 1.166
        distrib/amd64/liveimage/emuimage/rc.conf.emuimage: revision 1.3
        distrib/utils/embedded/conf/x86.conf: revision 1.11
        distrib/utils/embedded/conf/evbmips.conf: revision 1.4

/etc/rc.d/certctl_init: New script for certctl rehash in live images.

This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.

We could also have a more general-purpose way to run postinstall(8) on
first boot of an image, but that has a lot more moving parts to think
about, so let's start with this limited-scope low-risk approach.

PR install/57629

/etc/rc.d/certctl_init: Default off.

Otherwise in systems without certctl_init=YES, such as systems
installed with sysinst(8) where it's unnecessary because the rehash
has already happened at install time, you'll get spurious warnings.
To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.2.2.1 \
    src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
cvs rdiff -u -r1.1 -r1.1.2.1 \
    src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
cvs rdiff -u -r1.270.2.1 -r1.270.2.2 src/distrib/sets/lists/etc/mi
cvs rdiff -u -r1.41 -r1.41.2.1 src/distrib/utils/embedded/conf/evbarm.conf
cvs rdiff -u -r1.3 -r1.3.2.1 src/distrib/utils/embedded/conf/evbmips.conf
cvs rdiff -u -r1.6 -r1.6.2.1 src/distrib/utils/embedded/conf/usermode.conf
cvs rdiff -u -r1.10 -r1.10.2.1 src/distrib/utils/embedded/conf/x86.conf
cvs rdiff -u -r1.162.2.1 -r1.162.2.2 src/etc/defaults/rc.conf
cvs rdiff -u -r1.116 -r1.116.2.1 src/etc/rc.d/Makefile
cvs rdiff -u -r0 -r1.1.2.2 src/etc/rc.d/certctl_init

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage diff -u src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2 src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2.2.1 --- src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2 Wed Jul 13 18:51:03 2022 +++ src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: rc.conf.emuimage,v 1.2 2022/07/13 18:51:03 hgutch Exp $ +# $NetBSD: rc.conf.emuimage,v 1.2.2.1 2023/10/02 13:26:04 martin Exp $ is_ec2() { val=NO @@ -24,6 +24,7 @@ is_ec2() { printf $val } +certctl_init=YES resize_disklabel=YES resize_root=YES resize_root_flags="-p" Index: src/distrib/evbarm/liveimage/armimage/rc.conf.armimage diff -u src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1 src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1.2.1 --- src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1 Sat Jul 24 14:00:08 2021 +++ src/distrib/evbarm/liveimage/armimage/rc.conf.armimage Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: rc.conf.armimage,v 1.1 2021/07/24 14:00:08 jmcneill Exp $ +# $NetBSD: rc.conf.armimage,v 1.1.2.1 2023/10/02 13:26:04 martin Exp $ is_ec2() { val=NO @@ -23,6 +23,7 @@ is_ec2() { printf $val } +certctl_init=YES resize_gpt=YES resize_root=YES resize_root_flags="-p" Index: src/distrib/sets/lists/etc/mi diff -u src/distrib/sets/lists/etc/mi:1.270.2.1 src/distrib/sets/lists/etc/mi:1.270.2.2 --- src/distrib/sets/lists/etc/mi:1.270.2.1 Mon Sep 4 17:33:27 2023 +++ src/distrib/sets/lists/etc/mi Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.270.2.1 2023/09/04 17:33:27 martin Exp $ +# $NetBSD: mi,v 1.270.2.2 2023/10/02 13:26:04 martin Exp $ # # Note: end-user configuration files that are moved to another location # should not be marked "obsolete"; they should just be removed from 
@@ -203,6 +203,7 @@ ./etc/rc.d/bthcid etc-obsolete obsolete ./etc/rc.d/btuartd etc-obsolete obsolete ./etc/rc.d/ccd etc-sys-rc +./etc/rc.d/certctl_init etc-sys-rc ./etc/rc.d/cgd etc-sys-rc ./etc/rc.d/clearcritlocal etc-sys-rc ./etc/rc.d/cleartmp etc-sys-rc Index: src/distrib/utils/embedded/conf/evbarm.conf diff -u src/distrib/utils/embedded/conf/evbarm.conf:1.41 src/distrib/utils/embedded/conf/evbarm.conf:1.41.2.1 --- src/distrib/utils/embedded/conf/evbarm.conf:1.41 Sun Oct 30 15:08:50 2022 +++ src/distrib/utils/embedded/conf/evbarm.conf Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: evbarm.conf,v 1.41 2022/10/30 15:08:50 jmcneill Exp $ +# $NetBSD: evbarm.conf,v 1.41.2.1 2023/10/02 13:26:04 martin Exp $ # evbarm shared config # image=$HOME/${board}.img @@ -173,6 +173,7 @@ ntpd=YES ntpd_flags="-g" creds_msdos=YES creds_msdos_partition=/boot +certctl_init=YES EOF if $resize; then Index: src/distrib/utils/embedded/conf/evbmips.conf diff -u src/distrib/utils/embedded/conf/evbmips.conf:1.3 src/distrib/utils/embedded/conf/evbmips.conf:1.3.2.1 --- src/distrib/utils/embedded/conf/evbmips.conf:1.3 Tue Jul 6 11:49:36 2021 +++ src/distrib/utils/embedded/conf/evbmips.conf Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: evbmips.conf,v 1.3 2021/07/06 11:49:36 jmcneill Exp $ +# $NetBSD: evbmips.conf,v 1.3.2.1 2023/10/02 13:26:04 martin Exp $ # evbmips shared config # image=$HOME/${board}.img @@ -155,6 +155,7 @@ ntpd=YES ntpd_flags="-g" creds_msdos=YES creds_msdos_partition=/boot +certctl_init=YES EOF if $resize; then Index: src/distrib/utils/embedded/conf/usermode.conf diff -u src/distrib/utils/embedded/conf/usermode.conf:1.6 src/distrib/utils/embedded/conf/usermode.conf:1.6.2.1 --- src/distrib/utils/embedded/conf/usermode.conf:1.6 Tue Jul 6 11:49:36 2021 +++ src/distrib/utils/embedded/conf/usermode.conf Mon Oct 2 13:26:04 2023 
@@ -1,4 +1,4 @@ -# $NetBSD: usermode.conf,v 1.6 2021/07/06 11:49:36 jmcneill Exp $ +# $NetBSD: usermode.conf,v 1.6.2.1 2023/10/02 13:26:04 martin Exp $ # NetBSD/usermode customization script used by mkimage # XXX: BROKEN, needs to be converted to makefs @@ -40,6 +40,7 @@ critical_filesystems_local="/var.cow /va # dhcpcd=YES sshd=YES +certctl_init=YES EOF echo "${bar} making extra directories ${bar}" Index: src/distrib/utils/embedded/conf/x86.conf diff -u src/distrib/utils/embedded/conf/x86.conf:1.10 src/distrib/utils/embedded/conf/x86.conf:1.10.2.1 --- src/distrib/utils/embedded/conf/x86.conf:1.10 Tue Jul 6 11:49:36 2021 +++ src/distrib/utils/embedded/conf/x86.conf Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: x86.conf,v 1.10 2021/07/06 11:49:36 jmcneill Exp $ +# $NetBSD: x86.conf,v 1.10.2.1 2023/10/02 13:26:04 martin Exp $ # x86 shared config # @@ -111,6 +111,7 @@ sshd=YES dhcpcd=YES wscons=YES devpubd=YES +certctl_init=YES EOF echo "./etc/rc.conf type=file uname=root gname=wheel mode=0644" \ >> "$tmp/selected_sets" Index: src/etc/defaults/rc.conf diff -u src/etc/defaults/rc.conf:1.162.2.1 src/etc/defaults/rc.conf:1.162.2.2 --- src/etc/defaults/rc.conf:1.162.2.1 Fri Aug 11 14:35:25 2023 +++ src/etc/defaults/rc.conf Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: rc.conf,v 1.162.2.1 2023/08/11 14:35:25 martin Exp $ +# $NetBSD: rc.conf,v 1.162.2.2 2023/10/02 13:26:04 martin Exp $ # # /etc/defaults/rc.conf -- # default configuration of /etc/rc.conf 
@@ -144,6 +144,7 @@ sysdb=YES # build system databases rndctl=NO rndctl_flags="" # configure rndctl(8) gpio=NO # configure GPIO devices modules=YES # process /etc/modules.conf +certctl_init=NO # rehash /etc/openssl/certs # cope with other OSes using the real time clock at localtime on this # machine (by adjusting kern.rtc_offset at boot) Index: src/etc/rc.d/Makefile diff -u src/etc/rc.d/Makefile:1.116 src/etc/rc.d/Makefile:1.116.2.1 --- src/etc/rc.d/Makefile:1.116 Mon Jun 6 10:56:28 2022 +++ src/etc/rc.d/Makefile Mon Oct 2 13:26:04 2023 @@ -1,4 +1,4 @@ -# $NetBSD: Makefile,v 1.116 2022/06/06 10:56:28 nia Exp $ +# $NetBSD: Makefile,v 1.116.2.1 2023/10/02 13:26:04 martin Exp $ .include <bsd.own.mk> @@ -17,7 +17,7 @@ CONFIGFILES=\ CRITLOCALMOUNTED DAEMON DISKS LOGIN NETWORKING SERVERS \ accounting altqd amd apmd automount automountd autounmountd \ bluetooth bootconf.sh bootparams \ - ccd cgd clearcritlocal cleartmp cron \ + ccd certctl_init cgd clearcritlocal cleartmp cron \ devpubd dhcpcd dhcpd dhcpd6 dhcrelay dmesg \ downinterfaces \ entropy envsys \ Added files: Index: src/etc/rc.d/certctl_init diff -u /dev/null src/etc/rc.d/certctl_init:1.1.2.2 --- /dev/null Mon Oct 2 13:26:04 2023 +++ src/etc/rc.d/certctl_init Mon Oct 2 13:26:04 2023 
@@ -0,0 +1,54 @@ +#!/bin/sh +# +# $NetBSD: certctl_init,v 1.1.2.2 2023/10/02 13:26:04 martin Exp $ +# +# PROVIDE: certctl_init +# REQUIRE: mountcritremote +# +# This script ensures that we run `certctl rehash' on first boot of a +# live image to configure TLS trust anchors for OpenSSL in +# /etc/openssl/certs. We do this only on first boot by testing whether +# /etc/openssl/certs is an empty directory. +# +# Requires mountcritremote for /usr/sbin/certctl. +# +# This is a stop-gap measure to ensure we get TLS trust anchors with +# live images, which we can't prepare at build time because the +# preparation requires running openssl(1) as a tool. This stop-gap +# measure should perhaps be replaced by a more general-purpose way to +# run postinstall on first boot of the image, but that's a riskier +# proposition to implement on short notice for netbsd-10. + +$_rc_subr_loaded . /etc/rc.subr + +name="certctl_init" +rcvar=${name} +start_cmd="certctl_init" +stop_cmd=":" + +certctl_init() +{ + local certsdir + + certsdir=/etc/openssl/certs + + # If /etc/openssl/certs is a symlink, or exists but is not a + # directory, or is a directory but is nonempty, then we're not + # in the first boot's initial configuration. So do nothing. + if [ -h "$certsdir" ] || + [ -e "$certsdir" -a ! -d "$certsdir" ] || + ([ -d "$certsdir" ] && + find -f "$certsdir" -- \ + -maxdepth 0 -type d -empty -exit 1) + then + return + fi + + # Otherwise, if /etc/openssl/certs is nonexistent or is an + # empty directory, run `certctl rehash'. + echo "Configuring TLS trust anchors." + certctl rehash +} + +load_rc_config $name +run_rc_command "$1"
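Review bot: in the src/etc/defaults/rc.conf hunk, the trailing comment on the new `certctl_init=NO` line, `# rehash /etc/openssl/certs`, reads as though the knob rehashes on every boot, whereas the script only acts when the directory is missing or empty; something like `# rehash /etc/openssl/certs on first boot if empty` would keep the defaults file self-explanatory, matching the style of the neighbouring `modules=YES # process /etc/modules.conf` line.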
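Review bot: the first-boot test in the new src/etc/rc.d/certctl_init hunk leans on two NetBSD-specific find(1) extensions, `-f` and `-exit`, plus the obsolescent `-a` binary operator of test(1); that is acceptable in base, but the chained condition is dense enough that the `find ... -maxdepth 0 -type d -empty -exit 1` leg deserves a one-line comment stating that find exits non-zero exactly when the directory is empty, which is what turns the whole `||` chain false and lets the rehash run. Two smaller points on the same hunk: the header declares `REQUIRE: mountcritremote` but no `BEFORE:`, so on first boot nothing guarantees the trust anchors exist before daemons started later in rc order that may need them (adding, for example, `BEFORE: DAEMON` would pin that), and the exit status of `certctl rehash` is not checked, so on an image whose /etc is mounted read-only the failure is visible only in certctl's own output; `certctl rehash || warn "certctl rehash failed"` (warn comes from rc.subr) would make it show up in the rc log.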