Module Name: src Committed By: riastradh Date: Wed Sep 27 00:24:13 UTC 2023
Modified Files: src/distrib/amd64/liveimage/emuimage: rc.conf.emuimage src/distrib/evbarm/liveimage/armimage: rc.conf.armimage src/distrib/sets/lists/etc: mi src/distrib/utils/embedded/conf: evbarm.conf evbmips.conf riscv.conf usermode.conf x86.conf src/etc/rc.d: Makefile Added Files: src/etc/rc.d: certctl_init Log Message: /etc/rc.d/certctl_init: New script for certctl rehash in live images. This is very limited -- it does not supplant postinstall to rehash certificates on upgrade; it only runs certctl rehash if /etc/openssl/certs is an empty directory, as you get in live images not created with sysinst. We could also have a more general-purpose way to run postinstall(8) on first boot of an image, but that has a lot more moving parts to think about, so let's start with this limited-scope low-risk approach. PR install/57629 XXX pullup-10 To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 \ src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage cvs rdiff -u -r1.1 -r1.2 \ src/distrib/evbarm/liveimage/armimage/rc.conf.armimage cvs rdiff -u -r1.272 -r1.273 src/distrib/sets/lists/etc/mi cvs rdiff -u -r1.41 -r1.42 src/distrib/utils/embedded/conf/evbarm.conf cvs rdiff -u -r1.3 -r1.4 src/distrib/utils/embedded/conf/evbmips.conf cvs rdiff -u -r1.1 -r1.2 src/distrib/utils/embedded/conf/riscv.conf cvs rdiff -u -r1.6 -r1.7 src/distrib/utils/embedded/conf/usermode.conf cvs rdiff -u -r1.10 -r1.11 src/distrib/utils/embedded/conf/x86.conf cvs rdiff -u -r1.117 -r1.118 src/etc/rc.d/Makefile cvs rdiff -u -r0 -r1.1 src/etc/rc.d/certctl_init Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage
diff -u src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2 src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.3
--- src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage:1.2 Wed Jul 13 18:51:03 2022
+++ src/distrib/amd64/liveimage/emuimage/rc.conf.emuimage Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: rc.conf.emuimage,v 1.2 2022/07/13 18:51:03 hgutch Exp $
+# $NetBSD: rc.conf.emuimage,v 1.3 2023/09/27 00:24:12 riastradh Exp $
 is_ec2() {
 val=NO
@@ -24,6 +24,7 @@ is_ec2() {
 printf $val
 }
+certctl_init=YES
 resize_disklabel=YES
 resize_root=YES
 resize_root_flags="-p"
Index: src/distrib/evbarm/liveimage/armimage/rc.conf.armimage
diff -u src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1 src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.2
--- src/distrib/evbarm/liveimage/armimage/rc.conf.armimage:1.1 Sat Jul 24 14:00:08 2021
+++ src/distrib/evbarm/liveimage/armimage/rc.conf.armimage Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: rc.conf.armimage,v 1.1 2021/07/24 14:00:08 jmcneill Exp $
+# $NetBSD: rc.conf.armimage,v 1.2 2023/09/27 00:24:12 riastradh Exp $
 is_ec2() {
 val=NO
@@ -23,6 +23,7 @@ is_ec2() {
 printf $val
 }
+certctl_init=YES
 resize_gpt=YES
 resize_root=YES
 resize_root_flags="-p"
Index: src/distrib/sets/lists/etc/mi
diff -u src/distrib/sets/lists/etc/mi:1.272 src/distrib/sets/lists/etc/mi:1.273
--- src/distrib/sets/lists/etc/mi:1.272 Mon Aug 28 23:57:18 2023
+++ src/distrib/sets/lists/etc/mi Wed Sep 27 00:24:12 2023
@@ -1,4 +1,4 @@
-# $NetBSD: mi,v 1.272 2023/08/28 23:57:18 riastradh Exp $
+# $NetBSD: mi,v 1.273 2023/09/27 00:24:12 riastradh Exp $
 #
 # Note: end-user configuration files that are moved to another location
 # should not be marked "obsolete"; they should just be removed from
@@ -204,6 +204,7 @@
 ./etc/rc.d/bthcid etc-obsolete obsolete
 ./etc/rc.d/btuartd etc-obsolete obsolete
 ./etc/rc.d/ccd etc-sys-rc
+./etc/rc.d/certctl_init etc-sys-rc
 ./etc/rc.d/cgd etc-sys-rc
 ./etc/rc.d/clearcritlocal etc-sys-rc
 ./etc/rc.d/cleartmp etc-sys-rc
Index: src/distrib/utils/embedded/conf/evbarm.conf
diff -u src/distrib/utils/embedded/conf/evbarm.conf:1.41 src/distrib/utils/embedded/conf/evbarm.conf:1.42
--- src/distrib/utils/embedded/conf/evbarm.conf:1.41 Sun Oct 30 15:08:50 2022
+++ src/distrib/utils/embedded/conf/evbarm.conf Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: evbarm.conf,v 1.41 2022/10/30 15:08:50 jmcneill Exp $
+# $NetBSD: evbarm.conf,v 1.42 2023/09/27 00:24:13 riastradh Exp $
 # evbarm shared config
 #
 image=$HOME/${board}.img
@@ -173,6 +173,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 if $resize; then
Index: src/distrib/utils/embedded/conf/evbmips.conf
diff -u src/distrib/utils/embedded/conf/evbmips.conf:1.3 src/distrib/utils/embedded/conf/evbmips.conf:1.4
--- src/distrib/utils/embedded/conf/evbmips.conf:1.3 Tue Jul 6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/evbmips.conf Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: evbmips.conf,v 1.3 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: evbmips.conf,v 1.4 2023/09/27 00:24:13 riastradh Exp $
 # evbmips shared config
 #
 image=$HOME/${board}.img
@@ -155,6 +155,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 if $resize; then
Index: src/distrib/utils/embedded/conf/riscv.conf
diff -u src/distrib/utils/embedded/conf/riscv.conf:1.1 src/distrib/utils/embedded/conf/riscv.conf:1.2
--- src/distrib/utils/embedded/conf/riscv.conf:1.1 Sun May 7 12:41:46 2023
+++ src/distrib/utils/embedded/conf/riscv.conf Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: riscv.conf,v 1.1 2023/05/07 12:41:46 skrll Exp $
+# $NetBSD: riscv.conf,v 1.2 2023/09/27 00:24:13 riastradh Exp $
 # riscv shared config
 #
 image=$HOME/${board}.img
@@ -122,6 +122,7 @@ ntpd=YES
 ntpd_flags="-g"
 creds_msdos=YES
 creds_msdos_partition=/boot
+certctl_init=YES
 EOF
 if $resize; then
Index: src/distrib/utils/embedded/conf/usermode.conf
diff -u src/distrib/utils/embedded/conf/usermode.conf:1.6 src/distrib/utils/embedded/conf/usermode.conf:1.7
--- src/distrib/utils/embedded/conf/usermode.conf:1.6 Tue Jul 6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/usermode.conf Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: usermode.conf,v 1.6 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: usermode.conf,v 1.7 2023/09/27 00:24:13 riastradh Exp $
 # NetBSD/usermode customization script used by mkimage
 # XXX: BROKEN, needs to be converted to makefs
@@ -40,6 +40,7 @@ critical_filesystems_local="/var.cow /va
 #
 dhcpcd=YES
 sshd=YES
+certctl_init=YES
 EOF
 echo "${bar} making extra directories ${bar}"
Index: src/distrib/utils/embedded/conf/x86.conf
diff -u src/distrib/utils/embedded/conf/x86.conf:1.10 src/distrib/utils/embedded/conf/x86.conf:1.11
--- src/distrib/utils/embedded/conf/x86.conf:1.10 Tue Jul 6 11:49:36 2021
+++ src/distrib/utils/embedded/conf/x86.conf Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: x86.conf,v 1.10 2021/07/06 11:49:36 jmcneill Exp $
+# $NetBSD: x86.conf,v 1.11 2023/09/27 00:24:13 riastradh Exp $
 # x86 shared config
 #
@@ -111,6 +111,7 @@ sshd=YES
 dhcpcd=YES
 wscons=YES
 devpubd=YES
+certctl_init=YES
 EOF
 echo "./etc/rc.conf type=file uname=root gname=wheel mode=0644" \
 >> "$tmp/selected_sets"
Index: src/etc/rc.d/Makefile
diff -u src/etc/rc.d/Makefile:1.117 src/etc/rc.d/Makefile:1.118
--- src/etc/rc.d/Makefile:1.117 Fri Feb 3 13:53:40 2023
+++ src/etc/rc.d/Makefile Wed Sep 27 00:24:13 2023
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.117 2023/02/03 13:53:40 mlelstv Exp $
+# $NetBSD: Makefile,v 1.118 2023/09/27 00:24:13 riastradh Exp $
 .include <bsd.own.mk>
@@ -17,7 +17,7 @@ CONFIGFILES=\
 CRITLOCALMOUNTED DAEMON DISKS LOGIN NETWORKING SERVERS \
 accounting altqd amd apmd automount automountd autounmountd \
 bluetooth bootconf.sh bootparams \
- ccd cgd clearcritlocal cleartmp cron \
+ ccd certctl_init cgd clearcritlocal cleartmp cron \
 devpubd dhcpcd dhcpd dhcpd6 dhcrelay dmesg \
 downinterfaces \
 entropy envsys \
Added files:
Index: src/etc/rc.d/certctl_init
diff -u /dev/null src/etc/rc.d/certctl_init:1.1
--- /dev/null Wed Sep 27 00:24:13 2023
+++ src/etc/rc.d/certctl_init Wed Sep 27 00:24:13 2023
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# $NetBSD: certctl_init,v 1.1 2023/09/27 00:24:13 riastradh Exp $
+#
+# PROVIDE: certctl_init
+# REQUIRE: mountcritremote
+#
+# This script ensures that we run `certctl rehash' on first boot of a
+# live image to configure TLS trust anchors for OpenSSL in
+# /etc/openssl/certs. We do this only on first boot by testing whether
+# /etc/openssl/certs is an empty directory.
+#
+# Requires mountcritremote for /usr/sbin/certctl.
+#
+# This is a stop-gap measure to ensure we get TLS trust anchors with
+# live images, which we can't prepare at build time because the
+# preparation requires running openssl(1) as a tool. This stop-gap
+# measure should perhaps be replaced by a more general-purpose way to
+# run postinstall on first boot of the image, but that's a riskier
+# proposition to implement on short notice for netbsd-10.
+$_rc_subr_loaded . /etc/rc.subr
+name="certctl_init"
+rcvar=${name}
+start_cmd="certctl_init"
+stop_cmd=":"
+certctl_init()
+{
+ local certsdir
+ certsdir=/etc/openssl/certs
+ # If /etc/openssl/certs is a symlink, or exists but is not a
+ # directory, or is a directory but is nonempty, then we're not
+ # in the first boot's initial configuration. So do nothing.
+ if [ -h "$certsdir" ] ||
+ [ -e "$certsdir" -a ! -d "$certsdir" ] ||
+ ([ -d "$certsdir" ] &&
+ find -f "$certsdir" -- \
+ -maxdepth 0 -type d -empty -exit 1)
+ then
+ return
+ fi
+ # Otherwise, if /etc/openssl/certs is nonexistent or is an
+ # empty directory, run `certctl rehash'.
+ echo "Configuring TLS trust anchors."
+ certctl rehash
+}
+load_rc_config $name
+run_rc_command "$1"
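Review bot: The exit status of `certctl rehash` at the end of certctl_init() is discarded, so if the rehash fails (certctl or openssl(1) unavailable, /etc not writable) the boot log shows only "Configuring TLS trust anchors." while /etc/openssl/certs stays empty, and TLS verification on the image keeps failing with no hint in the boot log as to why. Reporting the failure is a one-line change: `certctl rehash || warn "certctl rehash failed; TLS trust anchors not configured"` (rc.subr, sourced above, provides warn). Because the directory is still empty after a failure, the retry on the next boot is preserved. A separate ordering point: the script only REQUIREs mountcritremote and declares no BEFORE dependency, so rcorder is free to schedule daemons that validate TLS ahead of it; if any of the daemons these live images enable do so, `# BEFORE: DAEMON` (DAEMON is listed in the rc.d Makefile hunk above) would pin the rehash before them — worth confirming against the services those images start.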