[meta-java,1/3] ca-certificates-java: Fix sysconfdir for -native recipe

Submitted by Yevgeny Popovych on Sept. 7, 2018, 6:10 p.m. | Patch ID: 154720

Details

Message ID 1536343810-87649-2-git-send-email-yevgenyp@pointgrab.com
State Changes Requested
Delegated to: Richard Leitner
Headers show

Commit Message

Yevgeny Popovych Sept. 7, 2018, 6:10 p.m.
When ca-certificates-java-native is built, sysconfdir variable will
be set to value that includes WORKDIR.
Avoid patching source with this value - use sysconfdir_native.

Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
---
 .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

Patch hide | download patch | download mbox

diff --git a/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
index 2db1915..7db5110 100644
--- a/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
+++ b/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
@@ -41,9 +41,14 @@  do_patch_append () {
     bb.build.exec_func('do_fix_sysconfdir', d)
 }
 
+# sysconfdir will include absolute native sysroot path in -native builds, avoid this
+# (see 36.24 of https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq)
+SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
+SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
+
 do_fix_sysconfdir () {
-	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
-	    -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
+    sed -e 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
+        -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
 }
 
 do_compile () {

Comments

André Draszik Sept. 17, 2018, 2:39 p.m.
On Fri, 2018-09-07 at 21:10 +0300, Yevgeny Popovych wrote:
> When ca-certificates-java-native is built, sysconfdir variable will
> be set to value that includes WORKDIR.

What is your use-case for a -native version of this?

> Avoid patching source with this value - use sysconfdir_native.
> 
> Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
> Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
> ---
>  .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9
> +++++++--
>  1 file changed, 7 insertions(+), 2 deletions(-)
> 
> diff --git a/recipes-core/ca-certificates-java/ca-certificates-
> java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-
> java_20180516.bb
> index 2db1915..7db5110 100644
> --- a/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
> +++ b/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
> @@ -41,9 +41,14 @@ do_patch_append () {
>      bb.build.exec_func('do_fix_sysconfdir', d)
>  }
>  
> +# sysconfdir will include absolute native sysroot path in -native builds,
> avoid this
> +# (see 36.24 of 
> https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq)
> +SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
> +SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
> +
>  do_fix_sysconfdir () {
> -	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
> -	    -i
> ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> +    sed -e 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
> +        -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
>  }
>  

No.

It's probably best to remove the BBCLASSEXTEND statement in this recipe
instead, as it was never tested, and is unlikely to be needed.

The whole idea is to make this independent of the build machine paths. If
you want a -native version of this, you still need to make sure to point
this into the yocto sysroot. Otherwise this will try to write to the *build
machine's* /etc/ directory!

If you really want a -native version, you need to point this into the
sysroot, and update this dynamically because of sstate usage, too.


Cheers,
Andre'
Yevgeny Popovych Sept. 19, 2018, 9:48 a.m.
On 09/17/2018 05:39 PM, André Draszik wrote:
> On Fri, 2018-09-07 at 21:10 +0300, Yevgeny Popovych wrote:
>> When ca-certificates-java-native is built, sysconfdir variable will
>> be set to value that includes WORKDIR.
> 
> What is your use-case for a -native version of this?

I'm glad you asked as this should answer some questions..

I am building a package that contains prebuilt ca-certificates
(including what ca-certificates itself build and JKS),
for this package I need -native version of ca-certificates-java.
We have an immutable (readonly) rootfs, so running scripts at runtime is not an option.
With patches I have recently sent it works pretty well.

The bottom line is that there is a use-case for -native version.
Even if you don't have an immutable (readonly) rootfs - you might want to use it
that way because running scripts is quite error prone.

> 
>> Avoid patching source with this value - use sysconfdir_native.
>>
>> Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
>> Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
>> ---
>>  .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9
>> +++++++--
>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>
>> diff --git a/recipes-core/ca-certificates-java/ca-certificates-
>> java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-
>> java_20180516.bb
>> index 2db1915..7db5110 100644
>> --- a/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
>> +++ b/recipes-core/ca-certificates-java/ca-certificates-java_20180516.bb
>> @@ -41,9 +41,14 @@ do_patch_append () {
>>      bb.build.exec_func('do_fix_sysconfdir', d)
>>  }
>>  
>> +# sysconfdir will include absolute native sysroot path in -native builds,
>> avoid this
>> +# (see 36.24 of 
>> https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq)
>> +SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
>> +SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
>> +
>>  do_fix_sysconfdir () {
>> -	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
>> -	    -i
>> ${S}/src/main/java/org/debian/security/UpdateCertificates.java
>> +    sed -e 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
>> +        -i ${S}/src/main/java/org/debian/security/UpdateCertificates.java
>>  }
>>  
> 
> No.
> 
> It's probably best to remove the BBCLASSEXTEND statement in this recipe
> instead, as it was never tested, and is unlikely to be needed.

We have a use-case for -native and this series fixes it.

> 
> The whole idea is to make this independent of the build machine paths. If
> you want a -native version of this, you still need to make sure to point
> this into the yocto sysroot. Otherwise this will try to write to the *build
> machine's* /etc/ directory!
> 
> If you really want a -native version, you need to point this into the
> sysroot, and update this dynamically because of sstate usage, too.

Ok, I suppose that ${sysconfdir_native} has mislead you -
it does _not_ resolve to an absolute path into native sysroot.
The value of ${sysconfdir_native} is always "/etc", it does not mangle in any way (that's why I have used it).
So this don't have any issue with sstate or else.


> 
> 
> Cheers,
> Andre'
> 
>
André Draszik Sept. 19, 2018, 2:27 p.m.
On Wed, 2018-09-19 at 12:48 +0300, Yevgeny Popovych wrote:
> 
> On 09/17/2018 05:39 PM, André Draszik wrote:
> > On Fri, 2018-09-07 at 21:10 +0300, Yevgeny Popovych wrote:
> > > When ca-certificates-java-native is built, sysconfdir variable will
> > > be set to value that includes WORKDIR.
> > 
> > What is your use-case for a -native version of this?
> 
> I'm glad you asked as this should answer some questions..
> 
> I am building a package that contains prebuilt ca-certificates
> (including what ca-certificates itself build and JKS),
> for this package I need -native version of ca-certificates-java.
> We have an immutable (readonly) rootfs, so running scripts at runtime is
> not an option.
> With patches I have recently sent it works pretty well.
> 
> The bottom line is that there is a use-case for -native version.
> Even if you don't have an immutable (readonly) rootfs - you might want to
> use it
> that way because running scripts is quite error prone.
> 
> > 
> > > Avoid patching source with this value - use sysconfdir_native.
> > > 
> > > Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
> > > Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
> > > ---
> > >  .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9
> > > +++++++--
> > >  1 file changed, 7 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > index 2db1915..7db5110 100644
> > > --- a/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > +++ b/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > @@ -41,9 +41,14 @@ do_patch_append () {
> > >      bb.build.exec_func('do_fix_sysconfdir', d)
> > >  }
> > >  
> > > +# sysconfdir will include absolute native sysroot path in -native
> > > builds,
> > > avoid this
> > > +# (see 36.24 of 
> > > https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq
> > > )
> > > +SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
> > > +SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
> > > +
> > >  do_fix_sysconfdir () {
> > > -	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
> > > -	    -i
> > > ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> > > +    sed -e
> > > 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
> > > +        -i
> > > ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> > >  }
> > >  
> > 
> > No.
> > 
> > It's probably best to remove the BBCLASSEXTEND statement in this recipe
> > instead, as it was never tested, and is unlikely to be needed.
> 
> We have a use-case for -native and this series fixes it.
> 
> > 
> > The whole idea is to make this independent of the build machine paths.
> > If
> > you want a -native version of this, you still need to make sure to point
> > this into the yocto sysroot. Otherwise this will try to write to the
> > *build
> > machine's* /etc/ directory!
> > 
> > If you really want a -native version, you need to point this into the
> > sysroot, and update this dynamically because of sstate usage, too.
> 
> Ok, I suppose that ${sysconfdir_native} has mislead you -
> it does _not_ resolve to an absolute path into native sysroot.
> The value of ${sysconfdir_native} is always "/etc", it does not mangle in
> any way (that's why I have used it).

Exactly, so the code in UpdateCertificates.java will try to access
${SYSCONFDIR_VALUE}/ssl/certs/java, i.e. /etc/ssl/certs/java, which is what
your linux distro might or might not provide. It's not what yocto provides.


Cheers,
Andre'
Yevgeny Popovych Sept. 19, 2018, 4 p.m.
On 09/19/2018 05:27 PM, André Draszik wrote:
> On Wed, 2018-09-19 at 12:48 +0300, Yevgeny Popovych wrote:
>>
>> On 09/17/2018 05:39 PM, André Draszik wrote:
>>> On Fri, 2018-09-07 at 21:10 +0300, Yevgeny Popovych wrote:
>>>> When ca-certificates-java-native is built, sysconfdir variable will
>>>> be set to value that includes WORKDIR.
>>>
>>> What is your use-case for a -native version of this?
>>
>> I'm glad you asked as this should answer some questions..
>>
>> I am building a package that contains prebuilt ca-certificates
>> (including what ca-certificates itself build and JKS),
>> for this package I need -native version of ca-certificates-java.
>> We have an immutable (readonly) rootfs, so running scripts at runtime is
>> not an option.
>> With patches I have recently sent it works pretty well.
>>
>> The bottom line is that there is a use-case for -native version.
>> Even if you don't have an immutable (readonly) rootfs - you might want to
>> use it
>> that way because running scripts is quite error prone.
>>
>>>
>>>> Avoid patching source with this value - use sysconfdir_native.
>>>>
>>>> Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
>>>> Signed-off-by: Yevgeny Popovych <yevgenyp@pointgrab.com>
>>>> ---
>>>>  .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9
>>>> +++++++--
>>>>  1 file changed, 7 insertions(+), 2 deletions(-)
>>>>
>>>> diff --git a/recipes-core/ca-certificates-java/ca-certificates-
>>>> java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-
>>>> java_20180516.bb
>>>> index 2db1915..7db5110 100644
>>>> --- a/recipes-core/ca-certificates-java/ca-certificates-
>>>> java_20180516.bb
>>>> +++ b/recipes-core/ca-certificates-java/ca-certificates-
>>>> java_20180516.bb
>>>> @@ -41,9 +41,14 @@ do_patch_append () {
>>>>      bb.build.exec_func('do_fix_sysconfdir', d)
>>>>  }
>>>>  
>>>> +# sysconfdir will include absolute native sysroot path in -native
>>>> builds,
>>>> avoid this
>>>> +# (see 36.24 of 
>>>> https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq
>>>> )
>>>> +SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
>>>> +SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
>>>> +
>>>>  do_fix_sysconfdir () {
>>>> -	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
>>>> -	    -i
>>>> ${S}/src/main/java/org/debian/security/UpdateCertificates.java
>>>> +    sed -e
>>>> 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
>>>> +        -i
>>>> ${S}/src/main/java/org/debian/security/UpdateCertificates.java
>>>>  }
>>>>  
>>>
>>> No.
>>>
>>> It's probably best to remove the BBCLASSEXTEND statement in this recipe
>>> instead, as it was never tested, and is unlikely to be needed.
>>
>> We have a use-case for -native and this series fixes it.
>>
>>>
>>> The whole idea is to make this independent of the build machine paths.
>>> If
>>> you want a -native version of this, you still need to make sure to point
>>> this into the yocto sysroot. Otherwise this will try to write to the
>>> *build
>>> machine's* /etc/ directory!
>>>
>>> If you really want a -native version, you need to point this into the
>>> sysroot, and update this dynamically because of sstate usage, too.
>>
>> Ok, I suppose that ${sysconfdir_native} has mislead you -
>> it does _not_ resolve to an absolute path into native sysroot.
>> The value of ${sysconfdir_native} is always "/etc", it does not mangle in
>> any way (that's why I have used it).
> 
> Exactly, so the code in UpdateCertificates.java will try to access
> ${SYSCONFDIR_VALUE}/ssl/certs/java, i.e. /etc/ssl/certs/java, which is what
> your linux distro might or might not provide. It's not what yocto provides.

That's why we provide it with SYSROOT variable
(which is prepended to what becomes "/etc/ssl/certs/java")
because we want it to operate on a specific SYSROOT/file, not build host files.
Even if you forgot to specify SYSROOT - you are not going to screw up
your system because these files should be owned by root.

>> 
> Cheers,
> Andre'
> 
>