From 8ad791be13e1c2bec6a7f61a113019ebb0707947 Mon Sep 17 00:00:00 2001
From: Tom Gundersen
Date: Wed, 15 Apr 2020 03:12:48 +0200
Subject: [PATCH] runners: drop ca certificate handling

Now that stages no longer access the network, drop CA certificate setup. In the future, we may want to restrict all network access to the container, but that requires more work.

Signed-off-by: Tom Gundersen
---
 runners/org.osbuild.fedora30 | 39 ----------------------------------
 runners/org.osbuild.rhel81 | 39 ----------------------------------
 runners/org.osbuild.rhel82 | 39 ----------------------------------
 runners/org.osbuild.ubuntu1804 | 39 ----------------------------------
 4 files changed, 156 deletions(-)

diff --git a/runners/org.osbuild.fedora30 b/runners/org.osbuild.fedora30
index c3e0fe10..93f1374f 100755
--- a/runners/org.osbuild.fedora30
+++ b/runners/org.osbuild.fedora30
@@ -2,7 +2,6 @@
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -103,8 +66,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
diff --git a/runners/org.osbuild.rhel81 b/runners/org.osbuild.rhel81
index ae00cf34..a7a95264 100755
--- a/runners/org.osbuild.rhel81
+++ b/runners/org.osbuild.rhel81
@@ -2,7 +2,6 @@
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -136,8 +99,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
     os_release()
diff --git a/runners/org.osbuild.rhel82 b/runners/org.osbuild.rhel82
index 97c97a3d..235e1cdf 100755
--- a/runners/org.osbuild.rhel82
+++ b/runners/org.osbuild.rhel82
@@ -2,7 +2,6 @@
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -113,8 +76,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()
     python_alternatives()
diff --git a/runners/org.osbuild.ubuntu1804 b/runners/org.osbuild.ubuntu1804
index c3e0fe10..93f1374f 100755
--- a/runners/org.osbuild.ubuntu1804
+++ b/runners/org.osbuild.ubuntu1804
@@ -2,7 +2,6 @@
 import array
 import json
-import shutil
 import os
 import socket
 import subprocess
@@ -33,42 +32,6 @@ def sysusers():
         sys.exit(1)
 
 
-def update_ca_trust():
-    if not shutil.which("update-ca-trust"):
-        return
-
-    # generate /etc/pki/tls/certs/ca-bundle.crt
-    os.makedirs("/etc/pki/ca-trust/extracted/pem")
-    os.makedirs("/etc/pki/tls/certs")
-    os.symlink("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem", "/etc/pki/tls/certs/ca-bundle.crt")
-
-    # allow to fail, because it sometimes mysteriously does
-    subprocess.run(["update-ca-trust", "extract"], check=False)
-
-
-def append_certs(cert_conf, dir_fd, parents=b""):
-    for entry in os.scandir(f"/proc/self/fd/{dir_fd}".encode()):
-        if entry.is_file():
-            line = os.path.join(parents, entry.name)
-            cert_conf.write(line)
-            cert_conf.write(b"\n")
-        elif entry.is_dir():
-            append_certs(cert_conf,
-                         os.open(entry.name, os.O_DIRECTORY, dir_fd=dir_fd),
-                         os.path.join(parents, entry.name))
-
-
-def update_ca_certificates():
-    if not shutil.which("update-ca-certificates"):
-        return
-
-    # generate /etc/ssl/certs/ca-certificates.crt
-    os.makedirs("/etc/ssl/certs")
-    with open("/etc/ca-certificates.conf", "wb") as f:
-        append_certs(f, os.open("/usr/share/ca-certificates", os.O_DIRECTORY))
-    subprocess.run(["update-ca-certificates"], check=True)
-
-
 def tmpfiles():
     # Allow systemd-tmpfiles to return non-0. Some packages want to create
     # directories owned by users that are not set up with systemd-sysusers.
@@ -103,8 +66,6 @@ if __name__ == "__main__":
     setup_stdio()
     ldconfig()
     sysusers()
-    update_ca_trust()
-    update_ca_certificates()
     tmpfiles()
     nsswitch()