runners: drop ca certificate handling

Now that stages no longer access the network, drop CA certificate
setup.

In the future, we may want to restrict all network access to the
container, but that requires more work.

Signed-off-by: Tom Gundersen <teg@jklm.no>

runners/org.osbuild.fedora30

@@ -2,7 +2,6 @@
 
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -103,8 +66,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
 

runners/org.osbuild.rhel81

@@ -2,7 +2,6 @@
 
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -136,8 +99,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
     os_release()

runners/org.osbuild.rhel82

@@ -2,7 +2,6 @@
 
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -113,8 +76,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
     python_alternatives()

runners/org.osbuild.ubuntu1804

@@ -2,7 +2,6 @@
 
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -103,8 +66,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()