author | alois31 <alois1@gmx-topmail.de> | 2024-05-31 16:44:18 +0000 |
---|---|---|
committer | Gerrit Code Review <gerrit@lix-systems> | 2024-05-31 16:44:18 +0000 |
commit | ff08d954206a557ec7afe7301cdb4bb72114875f (patch) | |
tree | 66ab550326cb8e818dd811019e9c9930161eecfb | |
parent | 0c6cb34de6033d0ceab5de8cbfc37465afeefaa4 (diff) | |
parent | cf756fdf3c1a804af726703a12ed2990ad6c2639 (diff) |
Merge "libstore/build: copy ca-certificates too" into main
-rw-r--r-- | src/libstore/build/local-derivation-goal.cc | 8 | ||||
-rw-r--r-- | tests/functional/linux-sandbox.sh | 5 |
2 files changed, 11 insertions, 2 deletions
diff --git a/src/libstore/build/local-derivation-goal.cc b/src/libstore/build/local-derivation-goal.cc
index 99468d420..7066f5c93 100644
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@@ -1847,8 +1847,12 @@ void LocalDerivationGoal::runChild()
 copyFile(path, chrootRootDir + path, { .followSymlinks = true });
 }
- if (settings.caFile != "")
- pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true);
+ if (settings.caFile != "" && pathExists(settings.caFile)) {
+ // For the same reasons as above, copy the CA certificates file too.
+ // It should be even less likely to change during the build than resolv.conf.
+ createDirs(chrootRootDir + "/etc/ssl/certs");
+ copyFile(settings.caFile, chrootRootDir + "/etc/ssl/certs/ca-certificates.crt", { .followSymlinks = true });
+ }
 }
 for (auto & i : ss) pathsInChroot.emplace(i, i);
diff --git a/tests/functional/linux-sandbox.sh b/tests/functional/linux-sandbox.sh
index 04209277b..82f363a09 100644
--- a/tests/functional/linux-sandbox.sh
+++ b/tests/functional/linux-sandbox.sh
@@ -60,7 +60,9 @@ testCert () {
 nocert=$TEST_ROOT/no-cert-file.pem
 cert=$TEST_ROOT/some-cert-file.pem
+certsymlink=$TEST_ROOT/cert-symlink.pem
 echo -n "CERT_CONTENT" > $cert
+ln -s $cert $certsymlink
 # No cert in sandbox when not a fixed-output derivation
 testCert missing normal "$cert"
@@ -74,5 +76,8 @@ testCert missing fixed-output "$nocert"
 # Cert in sandbox when ssl-cert-file is set to an existing file
 testCert present fixed-output "$cert"
+# Cert in sandbox when ssl-cert-file is set to a symlink
+testCert present fixed-output "$certsymlink"
+
 # Symlinks should be added in the sandbox directly and not followed
 nix-sandbox-build symlink-derivation.nix |
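Review bot: The guard `pathExists(settings.caFile)` and the copy with `.followSymlinks = true` can disagree when `ssl-cert-file` is a symlink whose target is missing: if `pathExists` inspects the link itself rather than its target (its definition is not visible here), the guard passes and `copyFile` then fails on the dereference. How such a failure surfaces depends on the rest of `runChild()`, which starts and ends outside this hunk. I would either make the guard test the resolved target or state the assumption next to the copy, e.g. `// caFile is dereferenced here; a dangling symlink passes the check above and fails the copy`. Since the certificate file is now a copy under `chrootRootDir` rather than an entry in `pathsInChroot`, a one-line comment on whether the build is able to modify that copy would also help the next reader.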
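Review bot: The added `ln -s $cert $certsymlink` leaves both expansions unquoted, so a `TEST_ROOT` containing whitespace would split the arguments; `ln -s "$cert" "$certsymlink"` avoids that (the neighbouring `echo -n "CERT_CONTENT" > $cert` has the same form). The symlink case added in the second hunk of this file only covers a link whose target exists. A further `testCert` call with a link pointing at `$nocert` would pin down what the sandbox setup does when the target is missing, which is the case where the existence check and the dereferencing copy in `local-derivation-goal.cc` could differ.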