Support METALOG when calling certctl in installworld
ClosedPublic
Actions

Authored by brooks on May 20 2020, 6:19 PM.

Details

Reviewers

kevans
allanjude
jhb

Group Reviewers

manpages

Commits

rS361397: Add an unprivileged mode where calls to install are passed appropriate

Summary

This is a pair of commits for conceptual review and is missingdocumentation and usage() updates to certctl.

----certctl: handle METALOG like install(1) does

Add an unprivileged mode where calls to install are passed appropriate
flags. For ease of integration, use the same flags as install:

-U		unprivileged mode
-D <destdir>	Specify DESTDIR (overrides the environment)
-M <metalog>	Full path to METALOG file

Support NO_ROOT when calling certctl.

Use the certctl in the source tree rather than trying to figure out
if it supports new features. Key off the existance of openssl in the
path rather than certctl. This is also more friendly to foreign
crossbuilds.

Test Plan

Works in CheriBSD and eliminates warnings about files not in METALOG

Diff Detail

Lint

Lint Passed

Unit

No Test Coverage

Build Status

Buildable 31225
Build 28876: arc lint + arc unit

Event Timeline

brooks created this revision.May 20 2020, 6:19 PM

Herald added a subscriber: emaste. · View Herald TranscriptMay 20 2020, 6:19 PM

Harbormaster completed remote builds in B31204: Diff 72037.May 20 2020, 6:19 PM

brooks requested review of this revision.May 20 2020, 6:19 PM

brooks retitled this revision from Support METALOG when calling certctl in installworld This is a pair of commits for conceptual review and is missing documentation and usage() updates to certctl. ---- certctl: handle METALOG like install(1) does to Support METALOG when calling certctl in installworld.May 20 2020, 8:41 PM

brooks edited the summary of this revision. (Show Details)

I've created a minor merge conflict here and actually backed it out of installworld to facilitate testing of a version in release(7), thinking that I might be able to get it into releng/11.4 and we could refine it later; the release script change is clogged in review, though, so I think 11.4 will just ship without certs on install media and vm images. The latter can, at least, run certctl rehash if they want them.

That said, I think METALOG is an overall win regardless of where all certctl ends up. It's clearly not invasive and doesn't really complicate much of anything. This looks overall good to me.

This revision is now accepted and ready to land.May 21 2020, 2:15 AM

Given rS361149, I'll convert this review to one of the certctl changes and add docs.

certctl: handle METALOG like install(1) does
Support NO_ROOT when calling certctl.

This revision now requires review to proceed.May 21 2020, 11:37 PM

Harbormaster completed remote builds in B31225: Diff 72098.May 21 2020, 11:37 PM

I've added documentation. While the backlist command does support the new flags I've not documented it because I'm not convinced it makes sense and unblacklist doesn't support them.

This revision was not accepted when it landed; it landed in state Needs Review.May 22 2020, 5:45 PM

Closed by commit rS361397: Add an unprivileged mode where calls to install are passed appropriate (authored by brooks). · Explain Why

This revision was automatically updated to reflect the committed changes.

brooks added a commit: rS361397: Add an unprivileged mode where calls to install are passed appropriate.

Herald added a reviewer: manpages. · View Herald TranscriptMay 22 2020, 5:45 PM

Herald added a subscriber: imp. · View Herald Transcript

kevans mentioned this in rS365829: installworld: run `certctl rehash` after installation completes.Sep 17 2020, 2:18 AM

kevans mentioned this in rS365987: MFC r365829, r365837, r365852: certctl rehash upon install/distribute.Sep 22 2020, 2:15 AM

kevans mentioned this in rS365988: MFC r365829, r365837: certctl rehash upon install/distribute.

kevans mentioned this in rS366125: MFS r365987: certctl rehash upon install/distribute.Sep 24 2020, 6:36 PM