curl in Fedora recently changed its default CA trust store. The
Fedora package no longer specifies an OpenSSL-format bundle file
during build, and curl itself has been patched to use an NSS
plugin called libnssckbi.so when no bundle file or directory is
specified. There are (at present) two possible providers of the
libnssckbi.so module: the original NSS implementation, which
uses a trust bundle built in at build time, and a compatible
implementation from the p11-kit project, which reads a trust
bundle at run time. So if we find a string in libcurl.so that
suggests libnssckbi might be in use, we must both install it and
make an effort to install any trust bundle files it may use.
The p11-kit libnssckbi implementation does include a string that
lists the top-level trust directories it will use, so we try to
find that string, though the best effort I can come up with will
also find many false positives too. To weed out the false
positives, we check whether the matches actually exist as dirs,
and if so, whether they contain some specific subdirectories we
know p11-kit trust dirs must have (thanks, @kaie). For the NSS
libnssckbi implementation, we will likely wind up not finding any
dirs that match the requirements, so we will simply install the
libnssckbi.so file itself, which is the correct action.
This fixes TLS transactions in the initramfs environment when
using a curl that's built this new way; it's significant for
use of kickstarts and update images with the Fedora / RHEL
installer, as these are retrieved in the initramfs environment,
and are frequently retrieved via HTTPS.
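The libnssckbi detection and trust-directory check described in the commit above, written out as an added POSIX sh example (not dracut's own module-setup.sh code). It assumes p11-kit embeds its trust roots as a ":"-separated list of absolute paths and that a genuine trust dir holds "anchors" and "blacklist" subdirectories; the fixture files it scans are constructed.

```shell
#!/bin/sh
# Added example, not dracut's module-setup.sh: the libnssckbi detection the
# commit describes, as POSIX sh functions exercised on constructed fixtures.

# Does this libcurl build refer to the libnssckbi.so NSS module?
# grep -a scans the shared object as text, so "strings" is not needed.
curl_uses_nssckbi() {
    grep -aq 'libnssckbi\.so' "$1"
}

# Candidate p11-kit trust roots embedded in a libnssckbi.so build: every
# NUL-terminated string that looks like an absolute path, split on ":"
# (assumption: p11-kit stores its trust paths as a ":"-separated list).
# Linker paths and similar strings are the false positives to weed out.
nssckbi_trust_candidates() {
    tr '\0' '\n' < "$1" | grep -a '^/' | tr ':' '\n' | grep '^/'
}

# A genuine p11-kit trust dir exists and holds "anchors" and "blacklist"
# subdirectories (assumption about p11-kit's layout; the commit does not
# name the subdirectories it checks).
is_p11kit_trust_dir() {
    [ -d "$1" ] && [ -d "$1/anchors" ] && [ -d "$1/blacklist" ]
}

# Only the candidates that pass the directory check.
nssckbi_trust_dirs() {
    nssckbi_trust_candidates "$1" | while IFS= read -r d; do
        if is_p11kit_trust_dir "$d"; then printf '%s\n' "$d"; fi
    done
}

# What the initramfs builder must copy: the module itself plus each verified
# trust dir. For NSS's own libnssckbi.so no dir matches, so only the module
# is installed, which the commit notes is the correct outcome.
nssckbi_install_plan() {
    printf 'inst_simple %s\n' "$1"
    nssckbi_trust_dirs "$1" | sed 's/^/inst_dir /'
}

# Constructed fixture under $1: a libcurl.so naming libnssckbi.so, one that
# does not, and a libnssckbi.so whose strings list a linker path, one
# genuine trust dir ("good") and one bare directory ("bogus").
make_fixture() {
    mkdir -p "$1/good/anchors" "$1/good/blacklist" "$1/bogus"
    printf 'GCC\0libnssckbi.so\0curl/7.x\0' > "$1/libcurl.so"
    printf 'GCC\0/etc/pki/tls/certs/ca-bundle.crt\0' > "$1/libcurl-bundle.so"
    printf '\177ELF\0/lib64/ld-linux.so\0%s:%s\0' "$1/good" "$1/bogus" \
        > "$1/libnssckbi.so"
}
```

Call make_fixture on a scratch directory, then run nssckbi_install_plan on the fixture's libnssckbi.so to see the module and the single verified trust dir listed, with the linker path and the bare "bogus" directory filtered out.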

use inst() instead of inst_simple()
/etc/pki/tls/certs/ca-bundle.crt is a symlink to
../../ca-trust/extracted/pem/tls-ca-bundle.pem
with inst() we install the original file also.
https://bugzilla.redhat.com/show_bug.cgi?id=1341280
(cherry picked from commit 1b23c6c65c)

This patch adds bittorrent support to url-lib for those that might want
to retrieve the same live image for multiple systems at once without
saturating the network.
This patch requires ctorrent to be installed into initramfs.
Torrent kernel command line format:
root=live:torrent://example.com/liveboot.img.torrent
Start a tracker:
bttrack --bind <tracker_ip> --port 6969 --dfile dstate --reannounce_interval 60
Create the torrent:
ctorrent -t live_image -u http://<tracker_ip>:6969/announce -s live_image.torrent
Seed the initial torrent:
ctorrent live_image.torrent
Boot the live image.

Add new functions require_binaries() and require_any_binary() to be used
in the check() section of module-setup.sh.
These functions print a warning line telling the user, which binary is
missing for the specific dracut module.
This unifies the way of checking for binaries and makes the life of an
initramfs creator easier, if he wants to find out why a specific dracut
module is not included in the initramfs.

Libcurl has wider capabilities than those assigned to it by Dracut.
In this patch to url-lib I've added registration for TFTP URLs,
which I've found to be useful.
Enjoy,
Stig Telfer

Basically, s390 is the only place I've ever seen TERM=dumb, and it's too
dumb to handle '\r', so --progress-bar produces waaaaay too much output.
The normal progress meter only prints something once per second, so
that's reasonable on terminals where '\r' doesn't work.
See also: https://bugzilla.redhat.com/show_bug.cgi?id=814713

Every time url-lib gets imported we end up making the list of handlers
longer with redundant entries. That's silly - we shouldn't add items
that already exist.
Note that this means you'll have to manipulate the handler list yourself
if you want to change the position/priority of existing handlers.

For curl_fetch_url (http/https/ftp):
- use --progress-bar (the output is less messy)
- print the URL we're fetching so the user knows what's happening
For curl and nfs:
- don't echo the filename if it was provided by the user

If you do "fetch_url $url/.somefile", fetch_url would return failure,
because "$outdir/*" wouldn't match the file.
Use ls -A (which busybox ls supports) to actually find possible dotfiles
in the created output dir.
Signed-off-by: Will Woods <wwoods@redhat.com>

This adds nfs_fetch_url to allow fetching arbitrary files from NFS.
This means that livenet can now run using an NFS-mounted live image,
which reduces memory usage by a lot.
Signed-off-by: Will Woods <wwoods@redhat.com>

url-lib adds some functions for dealing with URLs (mostly for fetching
files, for the moment).
It uses curl to handle http/https/ftp URLs, but it can be extended by other
modules at runtime by using the "add_url_handler" function.
Signed-off-by: Will Woods <wwoods@redhat.com>