libreoffice-online/coolwsd-systemplate-setup
Caolán McNamara 35fd4bb744 copy CA certificates to jail
for curl >= 8.3.0 which removed the nss backend, requiring the
certs with the OpenSSL backend.

DeepL access doesn't work otherwise.

Use the same list and order as used in core:

see: similar to https://gerrit.libreoffice.org/c/core/+/158915
and: https://www.happyassassin.net/posts/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: Ic9de1e926977f63592146ac17df42704c8d86ccd
2023-11-14 17:01:49 +00:00

150 lines
5.3 KiB
Bash
Executable file

#!/usr/bin/env bash
# set -x
test $# -eq 2 || { echo "Usage: $0 <chroot template directory for system libs to create> <LO installation directory>"; exit 1; }
# No provision for spaces or other weird characters in pathnames. So sue me.
# First parameter is the pathname where this script will create the "systemplate" tree
CHROOT=$1
# Second parameter is the instdir directory of the LibreOffice installation to be used
INSTDIR=$2
test -d "$INSTDIR" || { echo "$0: No such directory: $INSTDIR"; exit 1; }
mkdir -p $CHROOT || exit 1
# Resolve the real paths, in case they are relative and/or symlinked.
# INSTDIR_LOGICAL will contain the logical path, if there are symlinks,
# while INSTDIR is the physical one. Both will most likely be the same,
# except on systems that have symlinks in the path. We must create
# both paths (if they are different) inside the jail, hence we need both.
CHROOT=`cd $CHROOT && /bin/pwd`
INSTDIR_LOGICAL=`cd $INSTDIR && /bin/pwd -L`
INSTDIR=`cd $INSTDIR && /bin/pwd -P`
if [ ! `uname -s` = "FreeBSD" ]; then
CP=cp
REALPATH=realpath
LOCALBASE=usr/
else
CP=gcp
REALPATH=grealpath
LOCALBASE=usr/local/
fi
cd / || exit 1
(
# Produce a list of file names, one per line, that will be copied
# into the template tree of system files for the chroot jails.
# First essential files and shared objects
find etc/ld.so.* \
lib/ld-* lib64/ld-* \
lib/libnss_* lib64/libnss_* lib/*/libnss_* \
lib/*/nss/*.so \
lib/libresolv* lib64/libresolv* lib/*/libresolv* \
var/cache/fontconfig \
etc/fonts \
usr/lib/locale/en_US.utf8 \
usr/lib/locale/C.UTF-8 \
usr/lib/locale/locale_archive \
usr/lib/*/nss/*.so \
usr/lib/*/libsqlite* \
usr/share/zoneinfo/* \
usr/share/liblangtag \
usr/share/hyphen \
-type f 2>/dev/null
find etc/fonts \
lib/ld-* lib64/ld-* \
lib/libnss_* lib64/libnss_* lib/*/libnss_* \
lib/libresolv* lib64/libresolv* lib/*/libresolv* \
usr/lib/*/libsqlite* \
-type l 2>/dev/null
# Find the first of these that exist to fulfill ssltls
# via openssl requirements
find etc/pki/tls/certs/ca-bundle.crt \
etc/pki/tls/certs/ca-bundle.trust.crt \
etc/ssl/certs/ca-certificates.crt \
var/lib/ca-certificates/ca-bundle.pem \
-type l,f -print -quit 2>/dev/null
# Go through the LO shared objects and check what system libraries
# they link to.
find $INSTDIR -name 'xpdfimport' |
while read file; do
ldd $file 2>/dev/null
done |
grep -v dynamic | cut -s -d " " -f 3 | grep -E '^(/lib|/usr)' | sort -u | sed -e 's,^/,,'
) |
# Can't use -l because then symlinks won't be handled well enough.
# This will now copy the file a symlink points to, but whatever.
cpio -p -d -L $CHROOT
# Link the dynamic files, replacing any existing.
rm -f $CHROOT/etc/copied
mkdir -p $CHROOT/etc/
for file in hosts nsswitch.conf resolv.conf passwd group host.conf timezone localtime
do
# echo "Linking/Copying /etc/$file"
# Prefer hard-linking, fallback to just copying (do *not* use symlinking because that would be relative to the jail).
# When copying, we must make sure that we copy the source and not a symlink. Otherwise, the source won't be accessible from the jail.
# In addition, we flag that at least one file is copied by creating the 'copied' file, so that we do check for updates.
ln -f `${REALPATH} /etc/$file` $CHROOT/etc/$file 2> /dev/null || (${CP} --dereference --preserve=all /etc/$file $CHROOT/etc/$file && touch $CHROOT/etc/copied) || echo "$0: Failed to link or copy /etc/$file"
done
# Link dev/random and dev/urandom to ../tmp/dev/.
# The jail then creates the random device nodes in its /tmp/dev/.
mkdir -p $CHROOT/dev
mkdir -p $CHROOT/tmp/dev
for file in random urandom
do
# This link is relative anyway, so can be symbolic.
ln -f ../tmp/dev/$file $CHROOT/dev/ 2> /dev/null || ln -f -s ../tmp/dev/$file $CHROOT/dev/ || echo "$0: Failed to link dev/$file"
done
# Create a relative symbolic link within systemplate that points from
# the path of $INSTDIR (as seen from the jail as an absolute path)
# to the /lo path, where the instdir of LO will really reside.
mkdir -p $CHROOT/lo
# In case the original path is different from
for path in $INSTDIR $INSTDIR_LOGICAL
do
# Create a symlink, as it's a relative directory path (can't be a hard-link).
INSTDIR_PARENT="$(dirname "$CHROOT/$path")"
mkdir -p $INSTDIR_PARENT
ln -f -s `${REALPATH} --relative-to=$INSTDIR_PARENT $CHROOT/lo` $CHROOT/$path
done
# /usr/share/fonts needs to be taken care of separately because the
# directory time stamps must be preserved for fontconfig to trust
# its cache.
cd $CHROOT || exit 1
mkdir -p $LOCALBASE/share || exit 1
${CP} -r -p -L /${LOCALBASE}/share/fonts $LOCALBASE/share
if [ -h $LOCALBASE/share/fonts/ghostscript ]; then
mkdir $LOCALBASE/share/ghostscript || exit 1
${CP} -r -p -L /$LOCALBASE/share/ghostscript/fonts $LOCALBASE/share/ghostscript
fi
# Remove obsolete & unused bitmap fonts
find $LOCALBASE/share -name '*.pcf' | xargs rm -f
find $LOCALBASE/share -name '*.pcf.gz' | xargs rm -f
# Debugging only hackery to avoid confusion.
if test "z$ENABLE_DEBUG" != "z" -a "z$HOME" != "z"; then
echo "$0: Copying development users's fonts into systemplate"
mkdir -p $CHROOT/$HOME
test -d $HOME/.fonts && ${CP} -r -p -L $HOME/.fonts $CHROOT/$HOME
fi
exit 0