authorAlois Wohlschlager <alois1@gmx-topmail.de>2024-05-29 18:16:18 +0200
committeralois31 <alois1@gmx-topmail.de>2024-05-31 07:54:18 +0000
commitcf756fdf3c1a804af726703a12ed2990ad6c2639 (patch)
treefb757e3c85fb517fb88ffc8414b7f094778cb502
parent3df013597d7a2b5e400839e6625c05bd47de4dca (diff)
libstore/build: copy ca-certificates too
In b469c6509ba616da6df8a27e4ccb205a877c66c9, the ca-certificates file was missed. It should be copied too so that we don't end up bind-mounting a broken symlink. Change-Id: Ic9b292d602eb94b0e78f77f2a27a19d24665783c
-rw-r--r--src/libstore/build/local-derivation-goal.cc8
-rw-r--r--tests/functional/linux-sandbox.sh5
2 files changed, 11 insertions, 2 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 99468d420..7066f5c93 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1847,8 +1847,12 @@ void LocalDerivationGoal::runChild()
copyFile(path, chrootRootDir + path, { .followSymlinks = true });
}
- if (settings.caFile != "")
- pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
+ if (settings.caFile != "" && pathExists(settings.caFile)) {
+ // For the same reasons as above, copy the CA certificates file too.
+ // It should be even less likely to change during the build than resolv.conf.
+ createDirs(chrootRootDir + "/etc/ssl/certs");
+ copyFile(settings.caFile, chrootRootDir + "/etc/ssl/certs/ca-certificates.crt", { .followSymlinks = true });
+ }
}
for (auto & i : ss) pathsInChroot.emplace(i, i);
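Review bot: The new `pathExists(settings.caFile)` guard silently drops the CA bundle when the configured ssl-cert-file is missing, so a fixed-output derivation that needs TLS would then fail with an opaque certificate error deep inside the fetcher instead of pointing at the misconfiguration; the old bind-mount path at least reported the missing source. A one-line diagnostic in an `else` branch, e.g. `else if (settings.caFile != "") warn("ssl-cert-file '%s' does not exist; the sandbox will have no CA certificates", settings.caFile);`, would keep the lenient behaviour while making the cause visible. If `pathExists` is lstat-based, as I believe it is in this codebase, a dangling symlink on the host still passes the guard and the following `copyFile` with `followSymlinks = true` will throw, so that case is worth covering the same way. The enclosing `runChild` begins and ends outside this hunk.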
diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
index 04209277b..82f363a09 100644
--- a/tests/functional/linux-sandbox.sh
+++ b/tests/functional/linux-sandbox.sh
@@ -60,7 +60,9 @@ testCert () {
nocert=$TEST_ROOT/no-cert-file.pem
cert=$TEST_ROOT/some-cert-file.pem
+certsymlink=$TEST_ROOT/cert-symlink.pem
echo -n "CERT_CONTENT" > $cert
+ln -s $cert $certsymlink
# No cert in sandbox when not a fixed-output derivation
testCert missing normal "$cert"
@@ -74,5 +76,8 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert"
+# Cert in sandbox when ssl-cert-file is set to a symlink
+testCert present fixed-output "$certsymlink"
+
# Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix
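Review bot: The added `ln -s $cert $certsymlink` leaves both paths unquoted while the new `testCert` call below quotes `"$certsymlink"`; for consistency with that call and with `$TEST_ROOT` possibly containing spaces, write `ln -s "$cert" "$certsymlink"`. The new case only covers a symlink whose target exists, whereas the motivating bug is about broken symlinks; a companion case pointing ssl-cert-file at a dangling symlink (for example `$TEST_ROOT/dangling.pem` created with `ln -s "$nocert" ...`) would pin down how the sandbox behaves then, and whatever the expected outcome is, it should be stated in the test rather than left implicit.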