Module Name:    src
Committed By:   riastradh
Date:           Wed Sep 27 00:24:13 UTC 2023

Modified Files:
        src/distrib/amd64/liveimage/emuimage: rc.conf.emuimage
        src/distrib/evbarm/liveimage/armimage: rc.conf.armimage
        src/distrib/sets/lists/etc: mi
        src/distrib/utils/embedded/conf: evbarm.conf evbmips.conf riscv.conf
            usermode.conf x86.conf
        src/etc/rc.d: Makefile
Added Files:
        src/etc/rc.d: certctl_init

Log Message:
/etc/rc.d/certctl_init: New script for certctl rehash in live images.

This is very limited -- it does not supplant postinstall to rehash
certificates on upgrade; it only runs certctl rehash if
/etc/openssl/certs is an empty directory, as you get in live images
not created with sysinst.

We could also have a more general-purpose way to run postinstall(8)
on first boot of an image, but that has a lot more moving parts to
think about, so let's start with this limited-scope low-risk
approach.

PR install/57629

XXX pullup-10


To generate a diff of this commit:
cvs rdiff -u -r1.2 -r1.3 \
    src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
cvs rdiff -u -r1.1 -r1.2 \
    src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
cvs rdiff -u -r1.272 -r1.273 src/distrib/sets/lists/etc/mi
cvs rdiff -u -r1.41 -r1.42 src/distrib/utils/embedded/conf/evbarm.conf
cvs rdiff -u -r1.3 -r1.4 src/distrib/utils/embedded/conf/evbmips.conf
cvs rdiff -u -r1.1 -r1.2 src/distrib/utils/embedded/conf/riscv.conf
cvs rdiff -u -r1.6 -r1.7 src/distrib/utils/embedded/conf/usermode.conf
cvs rdiff -u -r1.10 -r1.11 src/distrib/utils/embedded/conf/x86.conf
cvs rdiff -u -r1.117 -r1.118 src/etc/rc.d/Makefile
cvs rdiff -u -r0 -r1.1 src/etc/rc.d/certctl_init

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
diff -u src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2 src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.3
--- src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2	Wed Jul 13 18:51:03 2022
+++ src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage	Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: rc.conf.emuimage,v 1.2 2022/07/13 18:51:03 hgutch Exp $
+# $NetBSD: rc.conf.emuimage,v 1.3 2023/09/27 00:24:12 riastradh Exp $
 
 is_ec2() {
 	val=NO
@@ -24,6 +24,7 @@ is_ec2() {
 	printf $val
 }
 
+certctl_init=YES
 resize_disklabel=YES
 resize_root=YES
 resize_root_flags="-p"

Index: src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
diff -u src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1 src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.2
--- src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1	Sat Jul 24 14:00:08 2021
+++ src/distrib/evbarm/liveimage/armimage/rc.conf.armimage	Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: rc.conf.armimage,v 1.1 2021/07/24 14:00:08 jmcneill Exp $
+# $NetBSD: rc.conf.armimage,v 1.2 2023/09/27 00:24:12 riastradh Exp $
 
 is_ec2() {
 	val=NO
@@ -23,6 +23,7 @@ is_ec2() {
 	printf $val
 }
 
+certctl_init=YES
 resize_gpt=YES
 resize_root=YES
 resize_root_flags="-p"

Index: src/distrib/sets/lists/etc/mi
diff -u src/distrib/sets/lists/etc/mi:1.272 src/distrib/sets/lists/etc/mi:1.273
--- src/distrib/sets/lists/etc/mi:1.272	Mon Aug 28 23:57:18 2023
+++ src/distrib/sets/lists/etc/mi	Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.272 2023/08/28 23:57:18 riastradh Exp $
+# $NetBSD: mi,v 1.273 2023/09/27 00:24:12 riastradh Exp $
 #
 # Note: end-user configuration files that are moved to another location
 #	should not be marked "obsolete"; they should just be removed from
@@ -204,6 +204,7 @@
 ./etc/rc.d/bthcid				etc-obsolete		obsolete
 ./etc/rc.d/btuartd				etc-obsolete		obsolete
 ./etc/rc.d/ccd					etc-sys-rc
+./etc/rc.d/certctl_init				etc-sys-rc
 ./etc/rc.d/cgd					etc-sys-rc
 ./etc/rc.d/clearcritlocal				etc-sys-rc
 ./etc/rc.d/cleartmp				etc-sys-rc

Index: src/distrib/utils/embedded/conf/evbarm.conf
diff -u src/distrib/utils/embedded/conf/evbarm.conf:1.41 src/distrib/utils/embedded/conf/evbarm.conf:1.42
--- src/distrib/utils/embedded/conf/evbarm.conf:1.41	Sun Oct 30 15:08:50 2022
+++ src/distrib/utils/embedded/conf/evbarm.conf	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: evbarm.conf,v 1.41 2022/10/30 15:08:50 jmcneill Exp $
+# $NetBSD: evbarm.conf,v 1.42 2023/09/27 00:24:13 riastradh Exp $
 # evbarm shared config
 #
 image=$HOME/${board}.img
@@ -173,6 +173,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 	if $resize; then

Index: src/distrib/utils/embedded/conf/evbmips.conf
diff -u src/distrib/utils/embedded/conf/evbmips.conf:1.3 src/distrib/utils/embedded/conf/evbmips.conf:1.4
--- src/distrib/utils/embedded/conf/evbmips.conf:1.3	Tue Jul  6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/evbmips.conf	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: evbmips.conf,v 1.3 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: evbmips.conf,v 1.4 2023/09/27 00:24:13 riastradh Exp $
 # evbmips shared config
 #
 image=$HOME/${board}.img
@@ -155,6 +155,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 	if $resize; then

Index: src/distrib/utils/embedded/conf/riscv.conf
diff -u src/distrib/utils/embedded/conf/riscv.conf:1.1 src/distrib/utils/embedded/conf/riscv.conf:1.2
--- src/distrib/utils/embedded/conf/riscv.conf:1.1	Sun May  7 12:41:46 2023
+++ src/distrib/utils/embedded/conf/riscv.conf	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: riscv.conf,v 1.1 2023/05/07 12:41:46 skrll Exp $
+# $NetBSD: riscv.conf,v 1.2 2023/09/27 00:24:13 riastradh Exp $
 # riscv shared config
 #
 image=$HOME/${board}.img
@@ -122,6 +122,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 
 	if $resize; then

Index: src/distrib/utils/embedded/conf/usermode.conf
diff -u src/distrib/utils/embedded/conf/usermode.conf:1.6 src/distrib/utils/embedded/conf/usermode.conf:1.7
--- src/distrib/utils/embedded/conf/usermode.conf:1.6	Tue Jul  6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/usermode.conf	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: usermode.conf,v 1.6 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: usermode.conf,v 1.7 2023/09/27 00:24:13 riastradh Exp $
 # NetBSD/usermode customization script used by mkimage
 
 # XXX: BROKEN, needs to be converted to makefs
@@ -40,6 +40,7 @@ critical_filesystems_local="/var.cow /va
 #
 dhcpcd=YES
 sshd=YES
+certctl_init=YES
 EOF
 
 echo "${bar} making extra directories ${bar}"

Index: src/distrib/utils/embedded/conf/x86.conf
diff -u src/distrib/utils/embedded/conf/x86.conf:1.10 src/distrib/utils/embedded/conf/x86.conf:1.11
--- src/distrib/utils/embedded/conf/x86.conf:1.10	Tue Jul  6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/x86.conf	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: x86.conf,v 1.10 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: x86.conf,v 1.11 2023/09/27 00:24:13 riastradh Exp $
 # x86 shared config
 #
 
@@ -111,6 +111,7 @@ sshd=YES
 dhcpcd=YES
 wscons=YES
 devpubd=YES
+certctl_init=YES
 EOF
 	echo "./etc/rc.conf type=file uname=root gname=wheel mode=0644" \
 	    >> "$tmp/selected_sets"

Index: src/etc/rc.d/Makefile
diff -u src/etc/rc.d/Makefile:1.117 src/etc/rc.d/Makefile:1.118
--- src/etc/rc.d/Makefile:1.117	Fri Feb  3 13:53:40 2023
+++ src/etc/rc.d/Makefile	Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.117 2023/02/03 13:53:40 mlelstv Exp $
+# $NetBSD: Makefile,v 1.118 2023/09/27 00:24:13 riastradh Exp $
 
 .include <bsd.own.mk>
 
@@ -17,7 +17,7 @@ CONFIGFILES=\
 		CRITLOCALMOUNTED DAEMON DISKS LOGIN NETWORKING SERVERS \
 		accounting altqd amd apmd automount automountd autounmountd \
 		bluetooth bootconf.sh bootparams \
-		ccd cgd clearcritlocal cleartmp cron \
+		ccd certctl_init cgd clearcritlocal cleartmp cron \
 		devpubd dhcpcd dhcpd dhcpd6 dhcrelay dmesg \
 		downinterfaces \
 		entropy envsys \

Added files:

Index: src/etc/rc.d/certctl_init
diff -u /dev/null src/etc/rc.d/certctl_init:1.1
--- /dev/null	Wed Sep 27 00:24:13 2023
+++ src/etc/rc.d/certctl_init	Wed Sep 27 00:24:13 2023
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# $NetBSD: certctl_init,v 1.1 2023/09/27 00:24:13 riastradh Exp $
+#
+# PROVIDE: certctl_init
+# REQUIRE: mountcritremote
+#
+# This script ensures that we run `certctl rehash' on first boot of a
+# live image to configure TLS trust anchors for OpenSSL in
+# /etc/openssl/certs.  We do this only on first boot by testing whether
+# /etc/openssl/certs is an empty directory.
+#
+# Requires mountcritremote for /usr/sbin/certctl.
+#
+# This is a stop-gap measure to ensure we get TLS trust anchors with
+# live images, which we can't prepare at build time because the
+# preparation requires running openssl(1) as a tool.  This stop-gap
+# measure should perhaps be replaced by a more general-purpose way to
+# run postinstall on first boot of the image, but that's a riskier
+# proposition to implement on short notice for netbsd-10.
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="certctl_init"
+rcvar=${name}
+start_cmd="certctl_init"
+stop_cmd=":"
+
+certctl_init()
+{
+	local certsdir
+
+	certsdir=/etc/openssl/certs
+
+	# If /etc/openssl/certs is a symlink, or exists but is not a
+	# directory, or is a directory but is nonempty, then we're not
+	# in the first boot's initial configuration.  So do nothing.
+	if [ -h "$certsdir" ] ||
+	    [ -e "$certsdir" -a ! -d "$certsdir" ] ||
+	    ([ -d "$certsdir" ] &&
+		find -f "$certsdir" -- \
+		    -maxdepth 0 -type d -empty -exit 1)
+        then
+		return
+	fi
+
+	# Otherwise, if /etc/openssl/certs is nonexistent or is an
+	# empty directory, run `certctl rehash'.
+	echo "Configuring TLS trust anchors."
+	certctl rehash
+}
+
+load_rc_config $name
+run_rc_command "$1"
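Review bot: The `find … -exit 1` test in the third branch of the condition inverts its own status in a way the surrounding comment does not explain: find exits 1 only when the directory is empty, so the `( … )` group is true (and the function returns early) exactly when the directory is non-empty, and this relies on the NetBSD-specific -exit primary. I'd add above the `if`: `# NetBSD find(1): -exit 1 makes the subshell fail only when the directory is empty, so an empty dir falls through to rehash.` Two smaller points in the same condition: `[ -e "$certsdir" -a ! -d "$certsdir" ]` uses the obsolescent -a binary and reads more clearly as `{ [ -e "$certsdir" ] && [ ! -d "$certsdir" ]; }`, and the `then` on the following line is indented with spaces while the rest of the script uses tabs. The exit status of the final `certctl rehash` is what run_rc_command reports, so a failed rehash (for example if /usr is not actually mounted despite the mountcritremote dependency) is surfaced rather than silently succeeding; that appears intended and could be stated in the closing comment.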
