[bug-notifications] [openssl_rt 0004807]: Migration of SSL certs fails on upgrade
Mantis Bug Tracker
noreply at opencsw.org
Fri Jul 22 00:37:01 CEST 2011
A NOTE has been added to this issue.
======================================================================
https://www.opencsw.org/mantis/view.php?id=4807
======================================================================
Reported By: domcleal
Assigned To: yann
======================================================================
Project: openssl_rt
Issue ID: 4807
Category: upgrade
Reproducibility: always
Severity: major
Priority: normal
Status: feedback
======================================================================
Date Submitted: 2011-07-19 15:16 CEST
Last Modified: 2011-07-22 00:37 CEST
======================================================================
Summary: Migration of SSL certs fails on upgrade
Description:
When upgrading with pkgutil from
openssl_rt-0.9.8,REV=2007.12.26_rev=g-SunOS5.8-sparc-CSW to
openssl_rt-0.9.8r,REV=2011.02.12-SunOS5.9-sparc-CSW, the package preinstall
performs a migration of SSL certs from /opt/csw/ssl/certs to
/opt/csw/etc/ssl/certs.
This causes the pkgadd to fail, as it also removes the /opt/csw/ssl/certs
directory:
Custom certificates have been installed in /opt/csw/ssl/certs/.
They will be moved under /opt/csw/etc/ssl/certs.
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
about CA.
WARNING: /opt/csw/ssl/certs <no longer a directory>
mv: cannot rename /opt/csw/ssl/certs/demo to /opt/csw/etc/ssl/certs/demo: File exists
mv: cannot rename /opt/csw/ssl/certs/expired to /opt/csw/etc/ssl/certs/expired: File exists
rmdir: directory "/opt/csw/ssl/certs": Directory not empty
WARNING: /opt/csw/ssl/certs may not overwrite a populated directory.
pkgadd: ERROR: /opt/csw/ssl/certs could not be installed.
Updating certificates in /opt/csw/etc/ssl/certs...done.
Installation of <CSWosslrt> partially failed.
Removing the "rmdir /opt/csw/ssl/certs" from the preinstall lets the
upgrade go through, indicating perhaps that the directory should be left in
place?
======================================================================
----------------------------------------------------------------------
(0009209) yann (manager) - 2011-07-22 00:37
https://www.opencsw.org/mantis/view.php?id=4807#c9209
----------------------------------------------------------------------
Hi,
The /opt/csw/ssl/certs should be removed so that pkgadd can create a
symlink /opt/csw/ssl/certs -> /opt/csw/etc/ssl/certs.
It is perfectly normal that the /opt/csw/ssl/certs is removed.
In fact, if there is no custom file installed in /opt/csw/ssl/certs, it
should always be removed when the previous openssl_rt package is removed.
See Demonstration 1.
I am a bit surprised that removing the rmdir solves the problem.
If I create custom files in /opt/csw/ssl/certs, I also can't reproduce
your bug, see Demonstration 2.
So I suppose there is something specific in your configuration.
The things that come to my mind are:
- /opt/csw/ssl/certs is a mount point,
- /opt/csw is zone shared.
Could you give me more information about your setup so I understand the
conditions that trigger this bug?
Thanks in advance,
Yann
Demonstration 1:
# pkginfo -l CSWosslrt | grep VERSION
VERSION: 0.9.8,REV=2007.12.26_rev=g
# ls -ld /opt/csw/ssl/certs
drwxr-xr-x 4 root bin 1024 Jul 22 00:16 /opt/csw/ssl/certs
# pkgrm CSWosslrt
[...]
# ls -ld /opt/csw/ssl/certs
/opt/csw/ssl/certs: No such file or directory
If the last openssl_rt is then installed, there is no problem:
# pkgutil --trace -t http://buildfarm.opencsw.org/opencsw/experimental/yann -i openssl_rt
[...]
Installation of <CSWosslrt> was successful.
Demonstration 2:
# # Let's create some custom files
# cd /opt/csw/ssl/certs
# mkdir -p demo expired
# touch test1.pem demo/test2.pem expired/test3.pem
# I also create demo and expired directory at the new location to create a clash (triggered a problem with the previous package).
# mkdir -p /opt/csw/etc/ssl/certs/demo /opt/csw/etc/ssl/certs/expired
# pkgrm CSWosslrt
Removal of <CSWosslrt> was successful.
# ls -l /opt/csw/ssl/certs/
total 4
drwxr-xr-x 2 root bin 512 Jul 22 00:29 demo
drwxr-xr-x 2 root bin 512 Jul 22 00:29 expired
-rw-r--r-- 1 root root 0 Jul 22 00:27 test1.pem
[...]
## Executing checkinstall script.
+ /usr/bin/uname -p
PLATFORM=i386
+ /usr/bin/uname -r
VERSION=5.10
+ [ 5.10 -eq 5.8 ]
+ [ ! -c /dev/random ]
+ [ ! -c /dev/urandom ]
+ [ = 1 ]
+ [ ! -h /opt/csw/ssl/certs ]
+ [ -d /opt/csw/ssl/certs ]
+ ls -1 /opt/csw/ssl/certs/
+ [ -n demo
expired
test1.pem ]
+ echo Custom certificates have been installed in /opt/csw/ssl/certs/.
Custom certificates have been installed in /opt/csw/ssl/certs/.
+ echo They will be moved under /opt/csw/etc/ssl/certs.
They will be moved under /opt/csw/etc/ssl/certs.
+ echo see /opt/csw/share/doc/openssl_rt/README.CSW for more information
see /opt/csw/share/doc/openssl_rt/README.CSW for more information
+ echo about CA.
about CA.
+ cat
MOVE_CERTS=Yes
+ exit 0
[...]
## Executing preinstall script.
+ [ Yes = Yes ]
+ cd /opt/csw/ssl/certs
+ [ 0 -eq 0 ]
+ pwd
+ [ /opt/csw/ssl/certs = /opt/csw/ssl/certs ]
+ find . -type f
+ read FILE
+ dirname ./demo/test2.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./demo
+ mv ./demo/test2.pem /opt/csw/etc/ssl/certs/./demo/test2.pem
+ read FILE
+ dirname ./expired/test3.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/./expired
+ mv ./expired/test3.pem /opt/csw/etc/ssl/certs/./expired/test3.pem
+ read FILE
+ dirname ./test1.pem
+ mkdir -p -m 0755 /opt/csw/etc/ssl/certs/.
+ mv ./test1.pem /opt/csw/etc/ssl/certs/./test1.pem
+ read FILE
+ find . ! -name . -type d -exec rmdir {} ;
+ rmdir /opt/csw/ssl/certs
+ true
[...]
/opt/csw/ssl/certs <symbolic link>
[...]
Installation of <CSWosslrt> was successful.
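
The per-file move visible in the preinstall trace above, as an added example that is not part of the original message or of the CSWosslrt package scripts. It shows why moving files one by one avoids the "File exists" errors from the report when demo/ and expired/ already exist at the new location. The function name migrate_certs, the skip-if-target-exists rule and the return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example (constructed); not the CSWosslrt preinstall script.
# migrate_certs OLD NEW: move every regular file from OLD into NEW (absolute
# path), keeping sub-directories, then replace OLD with a symlink to NEW.
migrate_certs() {
    old=$1 new=$2
    # Already a symlink or not a directory: nothing to migrate
    # (same idea as the "! -h" and "-d" checks in the checkinstall trace).
    [ -h "$old" ] && return 0
    [ -d "$old" ] || return 0
    (
        cd "$old" || exit 1
        find . -type f | while IFS= read -r file; do
            dir=$(dirname "$file")
            # mkdir -p succeeds when the directory already exists, so a
            # pre-existing NEW/demo or NEW/expired is not a clash.
            mkdir -p -m 0755 "$new/$dir" || continue
            # Assumption: never overwrite a file already present in NEW.
            if [ -e "$new/$file" ]; then
                echo "kept in place, target exists: $old/$file" >&2
                continue
            fi
            mv "$file" "$new/$file"
        done
        # Remove the now-empty sub-directories, deepest first.
        find . -depth ! -name . -type d -exec rmdir {} \; 2>/dev/null
    ) || return 1
    # rmdir only succeeds if everything was moved; only then create the link.
    if rmdir "$old" 2>/dev/null; then
        ln -s "$new" "$old"
    else
        echo "not empty, left as directory: $old" >&2
        return 2
    fi
}
```

A return code of 2 means some file was left behind and the old directory was kept, so nothing is lost and no symlink is created over a populated directory.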