libstore/build: copy ca-certificates too

In b469c6509b, the ca-certificates file was
missed. It should be copied too so that we don't end up bind-mounting a broken
symlink.

Change-Id: Ic9b292d602eb94b0e78f77f2a27a19d24665783c
alois31 2024-05-29 18:16:18 +02:00 committed by alois31
parent 3df013597d
commit cf756fdf3c
2 changed files with 11 additions and 2 deletions


@ -1847,8 +1847,12 @@ void LocalDerivationGoal::runChild()
copyFile(path, chrootRootDir + path, { .followSymlinks = true }); copyFile(path, chrootRootDir + path, { .followSymlinks = true });
} }
if (settings.caFile != "") if (settings.caFile != "" && pathExists(settings.caFile)) {
pathsInChroot.try_emplace("/etc/ssl/certs/ca-certificates.crt", settings.caFile, true); // For the same reasons as above, copy the CA certificates file too.
// It should be even less likely to change during the build than resolv.conf.
createDirs(chrootRootDir + "/etc/ssl/certs");
copyFile(settings.caFile, chrootRootDir + "/etc/ssl/certs/ca-certificates.crt", { .followSymlinks = true });
}
} }
for (auto & i : ss) pathsInChroot.emplace(i, i); for (auto & i : ss) pathsInChroot.emplace(i, i);
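Review bot: The new guard `pathExists(settings.caFile)` does not cover the case the commit message is about if `settings.caFile` is itself a dangling symlink: if `pathExists` is lstat-based (as I believe Nix's implementation is — confirm), such a path passes the guard and `copyFile(..., { .followSymlinks = true })` on the next line then throws, so a broken `ssl-cert-file` now fails the build instead of producing a sandbox without a CA bundle. If failing loudly is intended, say so in the comment; otherwise resolve the path (or check the target) before copying, e.g. `if (settings.caFile != "" && pathExists(settings.caFile) && !S_ISLNK(lstat(...))` is not enough — a follow-symlink existence check is what is needed. The comment `// For the same reasons as above` also depends on context outside the hunk; a self-contained version would be `// Copy rather than bind-mount so that a symlinked CA bundle does not become a dangling link inside the chroot.` runChild begins and ends outside this hunk, so I cannot see whether this copy is still limited to fixed-output derivations as the old `pathsInChroot` entry presumably was.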


@ -60,7 +60,9 @@ testCert () {
nocert=$TEST_ROOT/no-cert-file.pem nocert=$TEST_ROOT/no-cert-file.pem
cert=$TEST_ROOT/some-cert-file.pem cert=$TEST_ROOT/some-cert-file.pem
certsymlink=$TEST_ROOT/cert-symlink.pem
echo -n "CERT_CONTENT" > $cert echo -n "CERT_CONTENT" > $cert
ln -s $cert $certsymlink
# No cert in sandbox when not a fixed-output derivation # No cert in sandbox when not a fixed-output derivation
testCert missing normal "$cert" testCert missing normal "$cert"
@ -74,5 +76,8 @@ testCert missing fixed-output "$nocert"
# Cert in sandbox when ssl-cert-file is set to an existing file # Cert in sandbox when ssl-cert-file is set to an existing file
testCert present fixed-output "$cert" testCert present fixed-output "$cert"
# Cert in sandbox when ssl-cert-file is set to a symlink
testCert present fixed-output "$certsymlink"
# Symlinks should be added in the sandbox directly and not followed # Symlinks should be added in the sandbox directly and not followed
nix-sandbox-build symlink-derivation.nix nix-sandbox-build symlink-derivation.nix
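Review bot: The added `ln -s $cert $certsymlink` (and the pre-existing `echo -n "CERT_CONTENT" > $cert` it mirrors) leave `$TEST_ROOT`-derived paths unquoted, so a test root containing whitespace or glob characters would break the fixture; write it as `ln -s "$cert" "$certsymlink"`, matching the quoting already used in the `testCert present fixed-output "$certsymlink"` call. The new symlink case in the second hunk asserts only `present`; `testCert` is defined outside this hunk, so I cannot tell whether it compares the file contents or merely checks existence — if the latter, consider asserting that the sandboxed file reads back `CERT_CONTENT`, since a copied-but-empty or dangling file is exactly the regression this commit fixes.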