authorAustin S. Hemmelgarn <austin@netdata.cloud>2020-06-05 08:12:12 -0400
committerGitHub <noreply@github.com>2020-06-05 08:12:12 -0400
commit7707f9aa3afaacfab6612a66f9e643be91f7f00f (patch)
tree944a5dadb561a6ddd194bf5536fd3f12085bbbad
parent5776deefc2ab4a9c0c47c9ccb78d75d50187f3ab (diff)
Fixed handling of OpenSSL on CentOS/RHEL by bundling a static copy and selecting a configuration directory at install time. (#9263)
* Bundle static OpenSSL in our static builds. This adds code to bundle a static locally built copy of OpenSSL into our static builds instead of using the Alpine-provided copy. It fixes two cases where our usage of OpenSSL currently fails: * On CentOS, RHEL, OEL, Amazon Linux, and their derivatives, the OpenSSL configuration directory is `/etc/pki/tls` instead of the normal `/etc/ssl`. Any usage of TLS in our static builds currently fails there because it can't find that directory. * TLS usage fails similarly on systems that do not have OpenSSL at all for the same reason. To fix this, the newly bundled copy of OpenSSL is built to use `/opt/netdata/etc/ssl` as its configuration directory. This directory is a symlink created at install time pointing to one of the following locations (in order of precedence): * `/etc/pki/tls` (for CentOS, RHEL, OEL, AL, and similar). * `/etc/ssl` (for sane distros that just use the default path). * `/opt/netdata/share/ssl` (for systems that don't have OpenSSL, this contains a copy of the config and certificates from the build environment). * Ensure other components are built with local OpenSSL. * Clone directly from the desired tag.
-rwxr-xr-xpackaging/makeself/install-or-update.sh18
-rwxr-xr-xpackaging/makeself/jobs/20-openssl.install.sh17
-rwxr-xr-xpackaging/makeself/jobs/50-bash-4.4.18.install.sh2
-rwxr-xr-xpackaging/makeself/jobs/50-curl-7.60.0.install.sh1
-rwxr-xr-xpackaging/makeself/jobs/50-fping-4.2.install.sh1
-rwxr-xr-xpackaging/makeself/jobs/70-netdata-git.install.sh1
-rwxr-xr-xpackaging/makeself/jobs/99-makeself.install.sh5
-rw-r--r--packaging/makeself/openssl.version1
8 files changed, 46 insertions, 0 deletions
diff --git a/packaging/makeself/install-or-update.sh b/packaging/makeself/install-or-update.sh
index fd64015c3b..5dc1754775 100755
--- a/packaging/makeself/install-or-update.sh
+++ b/packaging/makeself/install-or-update.sh
@@ -248,6 +248,24 @@ fi
# -----------------------------------------------------------------------------
+echo "Configure TLS certificate paths"
+if [ ! -L /opt/netdata/etc/ssl ] && [ -d /opt/netdata/etc/ssl ] ; then
+ echo "Preserving existing user configuration for TLS"
+else
+ if [ -d /etc/pki/tls ] ; then
+ echo "Using /etc/pki/tls for TLS configuration and certificates"
+ ln -sf /etc/pki/tls /opt/netdata/etc/ssl
+ elif [ -d /etc/ssl ] ; then
+ echo "Using /etc/ssl for TLS configuration and certificates"
+ ln -sf /etc/ssl /opt/netdata/etc/ssl
+ else
+ echo "Using bundled TLS configuration and certificates"
+ ln -sf /opt/netdata/share/ssl /opt/netdata/etc/ssl
+ fi
+fi
+
+# -----------------------------------------------------------------------------
+
echo "Save install options"
grep -qv 'IS_NETDATA_STATIC_BINARY="yes"' "${NETDATA_PREFIX}/etc/netdata/.environment" || echo IS_NETDATA_STATIC_BINARY=\"yes\" >> "${NETDATA_PREFIX}/etc/netdata/.environment"
sed -i "s/REINSTALL_OPTIONS=\".*\"/REINSTALL_OPTIONS=\"${REINSTALL_OPTIONS}\"/" "${NETDATA_PREFIX}/etc/netdata/.environment"
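Review bot: The three `ln -sf` calls in the else branch do not replace `/opt/netdata/etc/ssl` when it already exists as a symlink to a directory, which is the state every update after the first install will find. Without `-n`, `ln` follows the existing link and creates the new link inside its target, so a rerun drops a stray `tls` or `ssl` symlink into `/etc/pki/tls` or `/etc/ssl` and leaves the old target in place even if the preferred directory has changed. Use `ln -sfn /etc/pki/tls /opt/netdata/etc/ssl` and the same flag on the other two calls. The block also hard-codes `/opt/netdata` while the lines below it use `${NETDATA_PREFIX}`; a comment such as `# must match the --openssldir compiled into the bundled OpenSSL` would explain why.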
diff --git a/packaging/makeself/jobs/20-openssl.install.sh b/packaging/makeself/jobs/20-openssl.install.sh
new file mode 100755
index 0000000000..0d99092dee
--- /dev/null
+++ b/packaging/makeself/jobs/20-openssl.install.sh
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# shellcheck source=packaging/makeself/functions.sh
+. "$(dirname "${0}")/../functions.sh" "${@}" || exit 1
+
+version="$(cat "$(dirname "${0}")/../openssl.version")"
+
+export LDFLAGS='-static'
+export PKG_CONFIG="pkg-config --static"
+
+run git clone --branch "${version}" --single-branch git://git.openssl.org/openssl.git "${NETDATA_MAKESELF_PATH}/tmp/openssl"
+cd "${NETDATA_MAKESELF_PATH}/tmp/openssl" || exit 1
+
+run ./config no-shared no-tests --prefix=/openssl-static --openssldir=/opt/netdata/etc/ssl
+run make -j "$(nproc)"
+run make -j "$(nproc)" install_sw
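Review bot: The `git clone` line fetches the OpenSSL source over `git://`, which provides neither encryption nor server authentication, and nothing after it checks what was received, so the TLS library compiled into every static build is trusted on transport alone. Clone over HTTPS instead, for example `run git clone --branch "${version}" --single-branch https://github.com/openssl/openssl.git "${NETDATA_MAKESELF_PATH}/tmp/openssl"`. Because a tag name can be moved, the job should also compare `git rev-parse HEAD` with a commit id stored next to `openssl.version`, or run `git verify-tag "${version}"` against the release signing key, before `./config` runs.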
diff --git a/packaging/makeself/jobs/50-bash-4.4.18.install.sh b/packaging/makeself/jobs/50-bash-4.4.18.install.sh
index 72420d6f6b..f40ad333bb 100755
--- a/packaging/makeself/jobs/50-bash-4.4.18.install.sh
+++ b/packaging/makeself/jobs/50-bash-4.4.18.install.sh
@@ -6,6 +6,8 @@
fetch "bash-4.4.18" "http://ftp.gnu.org/gnu/bash/bash-4.4.18.tar.gz"
+export PKG_CONFIG_PATH="/opnessl/lib/pkgconfig"
+
run ./configure \
--prefix="${NETDATA_INSTALL_PATH}" \
--without-bash-malloc \
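Review bot: `PKG_CONFIG_PATH="/opnessl/lib/pkgconfig"` names a directory the build never creates: the OpenSSL job on this page installs with `--prefix=/openssl-static`, and `opnessl` looks like a typo on top of that mismatch. pkg-config skips a missing search directory without an error, so these components would presumably resolve OpenSSL from the build image's system copy and not pick up the bundled library or its `/opt/netdata/etc/ssl` directory. The line should read `export PKG_CONFIG_PATH="/openssl-static/lib/pkgconfig"`, and the same correction applies to the identical line added in the curl, fping and netdata-git jobs. The `./configure` invocation continues outside this hunk.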
diff --git a/packaging/makeself/jobs/50-curl-7.60.0.install.sh b/packaging/makeself/jobs/50-curl-7.60.0.install.sh
index 8171129db2..f55829b5b8 100755
--- a/packaging/makeself/jobs/50-curl-7.60.0.install.sh
+++ b/packaging/makeself/jobs/50-curl-7.60.0.install.sh
@@ -8,6 +8,7 @@ fetch "curl-curl-7_60_0" "https://github.com/curl/curl/archive/curl-7_60_0.tar.g
export LDFLAGS="-static"
export PKG_CONFIG="pkg-config --static"
+export PKG_CONFIG_PATH="/opnessl/lib/pkgconfig"
run ./buildconf
diff --git a/packaging/makeself/jobs/50-fping-4.2.install.sh b/packaging/makeself/jobs/50-fping-4.2.install.sh
index 635d4d582d..e9212c8db7 100755
--- a/packaging/makeself/jobs/50-fping-4.2.install.sh
+++ b/packaging/makeself/jobs/50-fping-4.2.install.sh
@@ -7,6 +7,7 @@
fetch "fping-4.2" "https://github.com/schweikert/fping/releases/download/v4.2/fping-4.2.tar.gz"
export CFLAGS="-static"
+export PKG_CONFIG_PATH="/opnessl/lib/pkgconfig"
run ./configure \
--prefix="${NETDATA_INSTALL_PATH}" \
diff --git a/packaging/makeself/jobs/70-netdata-git.install.sh b/packaging/makeself/jobs/70-netdata-git.install.sh
index c2cbad4c06..6a1bedcc33 100755
--- a/packaging/makeself/jobs/70-netdata-git.install.sh
+++ b/packaging/makeself/jobs/70-netdata-git.install.sh
@@ -18,6 +18,7 @@ export IS_NETDATA_STATIC_BINARY="yes"
# Set eBPF LIBC to "static" to bundle the `-static` variant of the kernel-collector
export EBPF_LIBC="static"
+export PKG_CONFIG_PATH="/opnessl/lib/pkgconfig"
run ./netdata-installer.sh \
--install "${NETDATA_INSTALL_PARENT}" \
diff --git a/packaging/makeself/jobs/99-makeself.install.sh b/packaging/makeself/jobs/99-makeself.install.sh
index 8d806099d4..de641027b2 100755
--- a/packaging/makeself/jobs/99-makeself.install.sh
+++ b/packaging/makeself/jobs/99-makeself.install.sh
@@ -53,6 +53,11 @@ EOF
run chmod 755 "${NETDATA_INSTALL_PATH}/bin/netdata"
# -----------------------------------------------------------------------------
+# copy the SSL/TLS configuration and certificates from the build system
+
+run cp -a /etc/ssl "${NETDATA_INSTALL_PATH}/share/ssl"
+
+# -----------------------------------------------------------------------------
# remove the links to allow untaring the archive
run rm "${NETDATA_INSTALL_PATH}/sbin" \
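Review bot: `run cp -a /etc/ssl "${NETDATA_INSTALL_PATH}/share/ssl"` copies the build host's entire `/etc/ssl` tree into the distributed archive, which would include any `private/` directory or locally added CA certificates the build image happens to hold. Copying only the OpenSSL configuration file and the CA certificate bundle into a freshly created `share/ssl` directory keeps key material and host-specific trust anchors out of the package. The comment above the copy should also say that this fallback trust store is frozen at build time and is not refreshed on the target system, for example `# fallback only: CA bundle is a build-time snapshot, used when the host has no /etc/pki/tls or /etc/ssl`. The `run rm` command at the end of the hunk continues outside it.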
diff --git a/packaging/makeself/openssl.version b/packaging/makeself/openssl.version
new file mode 100644
index 0000000000..e2137bd498
--- /dev/null
+++ b/packaging/makeself/openssl.version
@@ -0,0 +1 @@
+OpenSSL_1_1_1g