[oe] [meta-java][PATCH 1/3] ca-certificates-java: Fix sysconfdir for -native recipe

Wed Sep 19 14:27:21 UTC 2018

On Wed, 2018-09-19 at 12:48 +0300, Yevgeny Popovych wrote:
> 
> On 09/17/2018 05:39 PM, André Draszik wrote:
> > On Fri, 2018-09-07 at 21:10 +0300, Yevgeny Popovych wrote:
> > > When ca-certificates-java-native is built, sysconfdir variable will
> > > be set to value that includes WORKDIR.
> > 
> > What is your use-case for a -native version of this?
> 
> I'm glad you asked as this should answer some questions..
> 
> I am building a package that contains prebuilt ca-certificates
> (including what ca-certificates itself build and JKS),
> for this package I need -native version of ca-certificates-java.
> We have an immutable (readonly) rootfs, so running scripts at runtime is
> not an option.
> With patches I have recently sent it works pretty well.
> 
> The bottom line is that there is a use-case for -native version.
> Even if you don't have an immutable (readonly) rootfs - you might want to
> use it
> that way because running scripts is quite error prone.
> 
> > 
> > > Avoid patching source with this value - use sysconfdir_native.
> > > 
> > > Change-Id: I8ac79c3cd5016a8139d9d8c8d58bc2976d0b6fa3
> > > Signed-off-by: Yevgeny Popovych <yevgenyp at pointgrab.com>
> > > ---
> > >  .../ca-certificates-java/ca-certificates-java_20180516.bb        | 9
> > > +++++++--
> > >  1 file changed, 7 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb b/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > index 2db1915..7db5110 100644
> > > --- a/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > +++ b/recipes-core/ca-certificates-java/ca-certificates-
> > > java_20180516.bb
> > > @@ -41,9 +41,14 @@ do_patch_append () {
> > >      bb.build.exec_func('do_fix_sysconfdir', d)
> > >  }
> > >  
> > > +# sysconfdir will include absolute native sysroot path in -native
> > > builds,
> > > avoid this
> > > +# (see 36.24 of 
> > > https://www.yoctoproject.org/docs/2.5/mega-manual/mega-manual.html#faq
> > > )
> > > +SYSCONFDIR_VALUE_class-target = "${sysconfdir}"
> > > +SYSCONFDIR_VALUE_class-native = "${sysconfdir_native}"
> > > +
> > >  do_fix_sysconfdir () {
> > > -	sed -e 's|/etc/ssl/certs/java|${sysconfdir}/ssl/certs/java|g' \
> > > -	    -i
> > > ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> > > +    sed -e
> > > 's|/etc/ssl/certs/java|${SYSCONFDIR_VALUE}/ssl/certs/java|g' \
> > > +        -i
> > > ${S}/src/main/java/org/debian/security/UpdateCertificates.java
> > >  }
> > >  
> > 
> > No.
> > 
> > It's probably best to remove the BBCLASSEXTEND statement in this recipe
> > instead, as it was never tested, and is unlikely to be needed.
> 
> We have a use-case for -native and this series fixes it.
> 
> > 
> > The whole idea is to make this independent of the build machine paths.
> > If
> > you want a -native version of this, you still need to make sure to point
> > this into the yocto sysroot. Otherwise this will try to write to the
> > *build
> > machine's* /etc/ directory!
> > 
> > If you really want a -native version, you need to point this into the
> > sysroot, and update this dynamically because of sstate usage, too.
> 
> Ok, I suppose that ${sysconfdir_native} has mislead you -
> it does _not_ resolve to an absolute path into native sysroot.
> The value of ${sysconfdir_native} is always "/etc", it does not mangle in
> any way (that's why I have used it).

Exactly, so the code in UpdateCertificates.java will try to access
${SYSCONFDIR_VALUE}/ssl/certs/java, i.e. /etc/ssl/certs/java, which is what
your linux distro might or might not provide. It's not what yocto provides.

Cheers,
Andre'