Red Hat Bugzilla – Full Text Bug Listing
Summary: Preparing NSS for SharedSystemCertificates
Product: [Fedora] Fedora
Reporter: Kai Engert (:kaie) <kengert>
Component: nss
Assignee: Kai Engert (:kaie) <kengert>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: 19
CC: dwmw2, emaldona, kdudka, kengert, mitr, rrelyea, stefw
Doc Type: Bug Fix
Story Points: ---
: 959179 (view as bug list)
Last Closed: 2013-05-03 15:36:32 EDT
Type: Bug
oVirt Team: ---
Bug Blocks: 466626, 959179
Description Kai Engert (:kaie) 2013-02-26 10:09:46 EST
This is a preparation task for https://fedoraproject.org/wiki/Features/SharedSystemCertificates

For Fedora 19, we want to introduce a drop-in replacement for libnssckbi.so. The drop-in replacement will likely be contained in the p11-kit.rpm package.

We want:
- NSS continues to ship a libnssckbi.so file, however under a new name
- the drop-in replacement shipped by p11-kit is also shipped under a new name
- use the http://fedoraproject.org/wiki/Packaging:Alternatives approach that uses a symbolic link to select one or the other.
- use a low priority number for libnssckbi.so shipped by NSS
- use a high priority number for the replacement shipped by p11-kit

In order to prepare for that new world, we should prepare the NSS package as soon as possible to make use of the alternatives system. This means we need an update to NSS that:
- ships libnssckbi.so under a different name, I propose: libnssckbi.so
- sets up symbolic links using the alternatives system.

I suspect this will be the only NSS-related change necessary for the new system feature.

I would like to ensure that things don't break when upgrading/downgrading between packages that ship libnssckbi.so as a full file, and those newer packages that ship it as a symbolic link. For that reason, I already made experiments, and I have example .spec files including post/pre scripts, that seem to solve the problem for me.
Comment 1 Kai Engert (:kaie) 2013-02-26 10:13:48 EST
In case you are interested, I would like you to be able to experiment with the proposed upgrade/downgrade solution, and to review the scripts. I'm therefore attaching the "dummy" packages I used for testing.
Comment 2 Kai Engert (:kaie) 2013-02-26 10:15:11 EST
Created attachment 702958 [details] a dummy.src.rpm, using NSS existing approach - regular lib.so
Comment 3 Kai Engert (:kaie) 2013-02-26 10:16:13 EST
Created attachment 702959 [details] a dummy.src.rpm, new proposed approach - lib.so as alternative symbolic link
Comment 4 Kai Engert (:kaie) 2013-03-05 10:01:14 EST
Created attachment 705495 [details] Patch for nss.spec
Comment 5 Kai Engert (:kaie) 2013-03-05 15:38:07 EST
Comment on attachment 705495 [details] Patch for nss.spec bad patch
Comment 6 Kai Engert (:kaie) 2013-03-05 15:39:51 EST
Created attachment 705665 [details] Patch v2

Using this patch, we get the following files on a multiarch system:

[root@localhost ~]# ls -ld /usr/lib*/libnssckbi.so* /etc/alternatives/*nssckbi* /usr/lib*/nss/*.so
lrwxrwxrwx. 1 root root     26 Mar  5 15:28 /etc/alternatives/libnssckbi.so -> /usr/lib/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     28 Mar  5 15:28 /etc/alternatives/libnssckbi.so.x86_64 -> /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     38 Mar  5 15:28 /usr/lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64
-rwxr-xr-x. 1 root root 616568 Mar  5 15:13 /usr/lib64/nss/libnssckbi.so
lrwxrwxrwx. 1 root root     31 Mar  5 15:28 /usr/lib/libnssckbi.so -> /etc/alternatives/libnssckbi.so
-rwxr-xr-x. 1 root root 467308 Mar  5 15:13 /usr/lib/nss/libnssckbi.so
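The priority scheme from the description (NSS low, p11-kit high) and the two-hop symlink chain shown in comment 6, walked through as an added emulation; this is not the bug's .spec scriptlets and not the real alternatives(8) tool, it keeps "<path> <priority>" records in a constructed temp root, and the p11-kit module path (/usr/lib64/pkcs11/p11-kit-trust.so) is an assumption, not something the bug states.

```shell
#!/bin/sh
# Added emulation of the alternatives scheme proposed for libnssckbi.so.
# NOT alternatives(8) and not the bug's own scriptlets: records of
# "<path> <priority>" drive a rebuild of the chain from comment 6
# (/usr/lib64/libnssckbi.so -> /etc/alternatives/libnssckbi.so.x86_64 -> provider)
# inside a constructed temp root, so upgrade/downgrade can be walked safely.
ROOT=$(mktemp -d)
LIBDIR=$ROOT/usr/lib64
ALTDIR=$ROOT/etc/alternatives
STATE=$ROOT/var/lib/alternatives/libnssckbi.so.x86_64
mkdir -p "$LIBDIR/nss" "$LIBDIR/pkcs11" "$ALTDIR" "$(dirname "$STATE")"
: > "$STATE"
# Constructed stand-ins; the p11-kit path/name is an assumption, not from the bug.
echo nss-builtin > "$LIBDIR/nss/libnssckbi.so"
echo p11-kit-trust > "$LIBDIR/pkcs11/p11-kit-trust.so"

# ckbi_select: highest priority wins; with no providers left the links are dropped
ckbi_select() {
    best=$(sort -k2,2nr "$STATE" | head -n1 | cut -d' ' -f1)
    rm -f "$ALTDIR/libnssckbi.so.x86_64" "$LIBDIR/libnssckbi.so"
    [ -n "$best" ] || return 0
    ln -s "$best" "$ALTDIR/libnssckbi.so.x86_64"
    ln -s "$ALTDIR/libnssckbi.so.x86_64" "$LIBDIR/libnssckbi.so"
}
# ckbi_install PATH PRIORITY: the registration a package %post would perform
ckbi_install() { printf '%s %s\n' "$1" "$2" >> "$STATE"; ckbi_select; }
# ckbi_remove PATH: the de-registration a %preun/%postun performs on erase or downgrade
ckbi_remove() {
    grep -v "^$1 " "$STATE" > "$STATE.tmp" || true
    mv "$STATE.tmp" "$STATE"; ckbi_select
}
# ckbi_active: the check an admin wants, which trust module the loader will actually get
ckbi_active() { if [ -e "$LIBDIR/libnssckbi.so" ]; then readlink -f "$LIBDIR/libnssckbi.so"; else echo none; fi; }
ckbi_reset() { : > "$STATE"; ckbi_select; }

# Walk the lifecycle: NSS at low priority, p11-kit at high, then p11-kit erased.
ckbi_install "$LIBDIR/nss/libnssckbi.so" 10;        echo "after nss:      $(ckbi_active)"
ckbi_install "$LIBDIR/pkcs11/p11-kit-trust.so" 30;  echo "after p11-kit:  $(ckbi_active)"
ckbi_remove  "$LIBDIR/pkcs11/p11-kit-trust.so";     echo "p11-kit erased: $(ckbi_active)"
```

Erasing the high-priority provider falls back to the NSS copy without manual intervention, which is the property the upgrade/downgrade experiments in the description are meant to preserve.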
Comment 7 Kai Engert (:kaie) 2013-03-05 15:46:59 EST
Scratch build with the patch: http://koji.fedoraproject.org/koji/taskinfo?taskID=5082474
Comment 8 Kai Engert (:kaie) 2013-03-05 18:21:57 EST
FYI, of course, the %check exit 0 isn't meant to get included. I use it for quicker turnaround while working on the package scripts.
Comment 9 Stef Walter 2013-03-12 05:38:43 EDT
Ready for testing in rawhide.
Comment 10 David Woodhouse 2013-03-21 08:18:57 EDT
Some apps such as EVolution
Comment 11 David Woodhouse 2013-03-21 08:21:16 EDT
Oops. Some apps such as Evolution are already updated to use the NSS shared system database, finding certs and keys in /etc/pki/nssdb and then ~/.pki/nssdb. Are we limiting our focus *only* to certs, for now? It would have been good to move all apps to the shared system database, and the new p11-kit modules could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a hacked nssckbi.so. What *should* NSS-using applications be doing, ideally?
Comment 12 Stef Walter 2013-03-21 08:28:23 EDT
(In reply to comment #11)
> Oops. Some apps such as Evolution are already updated to use the NSS shared
> system database, finding certs and keys in /etc/pki/nssdb and then
> ~/.pki/nssdb.
>
> Are we limiting our focus *only* to certs, for now?

Yes for now.

> It would have been good
> to move all apps to the shared system database, and the new p11-kit modules
> could have been loaded from /etc/pki/nssdb/pkcs11.txt rather than needing a
> hacked nssckbi.so.

Perhaps. And we can still do that in the future. But realistically we weren't able to pull that off as part of this first step.

> What *should* NSS-using applications be doing, ideally?

I would indeed like to see NSS use p11-kit to load the configured modules.

In addition, you may be aware that libsoftoken usage of /etc/pki/nssdb is pretty broken, due to file locking DOSing from unprivileged users on the sqlite database.
Comment 13 Kai Engert (:kaie) 2013-03-21 08:42:07 EDT
(In reply to comment #11)
> Are we limiting our focus *only* to certs, for now? It would have been good
> to move all apps to the shared system database,

That's nontrivial, because applications decide which path they use, and we don't have migration code that works in all scenarios (in particular, if different passwords are set on app specific and shared location).
Comment 14 Kai Engert (:kaie) 2013-03-21 08:44:34 EDT
Solving the pkcs#11 config and obsoleting the old /etc/pki/nssdb is a separate task, we cannot do everything at once.
Comment 15 Fedora End Of Life 2013-04-03 16:32:19 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle. Changing version to '19'. (As we did not run this process for some time, it could affect also pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.) More information and reason for this action is here: https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 16 Stef Walter 2013-05-03 05:52:24 EDT
Kai, I believe this is complete right?