Remove all pkcs11 variants
Recent FreeIPA uses the OpenSSL PKCS#11 backend to offload keys to secure storage. Remove the duplicate native builds of the PKCS#11 tools and daemon. Do not build tools like pkcs11-tokens; rely on the more advanced tools p11tool and pkcs11-tool instead. Keep setup-named-softhsm as part of the named package.
parent
411463dad7
commit
989a3e3876
151
bind.spec
151
bind.spec
@ -7,9 +7,6 @@
|
||||
# bcond_with is built only when --with X is passed to build
|
||||
%bcond_with SYSTEMTEST
|
||||
%bcond_without GSSTSIG
|
||||
# it is not possible to build the package without PKCS11 sub-package
|
||||
# due to extensive changes to Makefiles
|
||||
%bcond_with PKCS11 # TODO: Remove
|
||||
%bcond_without JSON
|
||||
# FIXME: Not ready. Should it be worked on?
|
||||
%bcond_without DLZ
|
||||
@ -92,7 +89,6 @@ Source42: generate-rndc-key.sh
|
||||
Source43: named.rwtab
|
||||
Source44: named-chroot-setup.service
|
||||
Source46: named-setup-rndc.service
|
||||
Source47: named-pkcs11.service
|
||||
Source48: setup-named-softhsm.sh
|
||||
Source49: named-chroot.files
|
||||
|
||||
@ -111,6 +107,7 @@ Requires(post): grep
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Recommends: %{name}-utils %{name}-dnssec-utils
|
||||
%upname_compat %{upname}
|
||||
Obsoletes: %{name}-pkcs11 < 32:9.18.4-2
|
||||
|
||||
BuildRequires: gcc, make
|
||||
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
|
||||
@ -131,7 +128,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
|
||||
# make unit dependencies
|
||||
BuildRequires: libcmocka-devel
|
||||
%endif
|
||||
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||
%if %{with UNITTEST} || %{with SYSTEMTEST}
|
||||
BuildRequires: softhsm
|
||||
%endif
|
||||
%if %{with SYSTEMTEST}
|
||||
@ -175,60 +172,12 @@ which resolves host names to IP addresses; a resolver library
|
||||
(routines for applications to use when interfacing with DNS); and
|
||||
tools for verifying that the DNS server is operating properly.
|
||||
|
||||
%if %{with PKCS11}
|
||||
%package pkcs11
|
||||
Summary: Bind with native PKCS#11 functionality for crypto
|
||||
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Recommends: softhsm
|
||||
|
||||
%description pkcs11
|
||||
This is a version of BIND server built with native PKCS#11 functionality.
|
||||
It is important to have SoftHSM v2+ installed and some token initialized.
|
||||
For other supported HSM modules please check the BIND documentation.
|
||||
|
||||
# TODO: Those utils can be used also without pkcs11 variant, but are not?
|
||||
%package pkcs11-utils
|
||||
Summary: Bind tools with native PKCS#11 for using DNSSEC
|
||||
Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
|
||||
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
|
||||
%if %{with PKCS11}
|
||||
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
%endif
|
||||
|
||||
%description pkcs11-utils
|
||||
This is a set of PKCS#11 utilities that when used together create rsa
|
||||
keys in a PKCS11 keystore.
|
||||
%if %{with PKCS11}
|
||||
Also utilities for working with DNSSEC
|
||||
compiled with native PKCS#11 functionality are included.
|
||||
%endif
|
||||
|
||||
%package pkcs11-libs
|
||||
Summary: Bind libraries compiled with native PKCS#11
|
||||
Requires: %{name}-license = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description pkcs11-libs
|
||||
This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
|
||||
functionality.
|
||||
|
||||
%package pkcs11-devel
|
||||
Summary: Development files for Bind libraries compiled with native PKCS#11
|
||||
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
|
||||
%description pkcs11-devel
|
||||
This a set of development files for BIND libraries (dns, isc) compiled
|
||||
with native PKCS#11 functionality.
|
||||
%endif
|
||||
|
||||
%package libs
|
||||
Summary: Libraries used by the BIND DNS packages
|
||||
Requires: %{name}-license = %{epoch}:%{version}-%{release}
|
||||
Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
|
||||
Obsoletes: %{name}-libs-lite < 32:9.16.13
|
||||
Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2
|
||||
|
||||
%description libs
|
||||
Contains heavyweight version of BIND suite libraries used by both named DNS
|
||||
@ -246,6 +195,7 @@ Summary: Utilities for querying DNS name servers
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
# For compatibility with Debian package
|
||||
Provides: dnsutils = %{epoch}:%{version}-%{release}
|
||||
Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2
|
||||
%upname_compat %{upname}-utils
|
||||
|
||||
%description utils
|
||||
@ -262,8 +212,8 @@ servers.
|
||||
Summary: DNSSEC keys and zones management utilities
|
||||
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
Recommends: %{name}-utils
|
||||
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
|
||||
Obsoletes: python3-%{name} < 32:9.18.0
|
||||
Obsoletes: %{name}-dnssec-doc < 32:9.18.4
|
||||
%upname_compat %{upname}-dnssec-utils
|
||||
|
||||
%description dnssec-utils
|
||||
@ -274,14 +224,6 @@ revocation and verification of keys and DNSSEC signatures in zone files.
|
||||
You should install %{name}-dnssec-utils if you need to sign a DNS zone
|
||||
or maintain keys for it.
|
||||
|
||||
%package dnssec-doc
|
||||
Summary: Manual pages of DNSSEC utilities
|
||||
Requires: %{name}-license = %{epoch}:%{version}-%{release}
|
||||
BuildArch:noarch
|
||||
|
||||
%description dnssec-doc
|
||||
%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
|
||||
|
||||
%package devel
|
||||
Summary: Header files and libraries needed for bind-dyndb-ldap
|
||||
Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
|
||||
@ -441,10 +383,6 @@ export LIBDIR_SUFFIX
|
||||
%if %{with GEOIP2}
|
||||
--with-maxminddb \
|
||||
%endif
|
||||
%if %{with PKCS11}
|
||||
--enable-native-pkcs11 \
|
||||
--with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
|
||||
%endif
|
||||
%if %{with GSSTSIG}
|
||||
--with-gssapi=yes \
|
||||
%endif
|
||||
@ -499,7 +437,7 @@ popd # build
|
||||
%systemtest_prepare_build build
|
||||
|
||||
%check
|
||||
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
|
||||
%if %{with UNITTEST} || %{with SYSTEMTEST}
|
||||
# Tests require initialization of pkcs11 token
|
||||
eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
|
||||
%endif
|
||||
@ -594,17 +532,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
|
||||
install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
|
||||
install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
|
||||
|
||||
%if %{with PKCS11}
|
||||
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
|
||||
%endif
|
||||
|
||||
mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
|
||||
install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
|
||||
install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
|
||||
|
||||
%if %{with PKCS11}
|
||||
install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
|
||||
%endif
|
||||
|
||||
install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
|
||||
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
|
||||
@ -639,22 +571,6 @@ popd
|
||||
# Remove libtool .la files:
|
||||
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
|
||||
|
||||
# PKCS11 versions manpages
|
||||
%if %{with PKCS11}
|
||||
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
|
||||
ln -s named.8.gz named-pkcs11.8.gz
|
||||
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
|
||||
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
|
||||
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
|
||||
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
|
||||
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
|
||||
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
|
||||
ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
|
||||
ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
|
||||
ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
|
||||
popd
|
||||
%endif
|
||||
|
||||
# 9.16.4 installs even manual pages for tools not generated
|
||||
%if %{without DNSTAP}
|
||||
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
|
||||
@ -770,20 +686,6 @@ fi
|
||||
# Package upgrade, not uninstall
|
||||
%systemd_postun_with_restart named.service
|
||||
|
||||
%if %{with PKCS11}
|
||||
%post pkcs11
|
||||
# Initial installation
|
||||
%systemd_post named-pkcs11.service
|
||||
|
||||
%preun pkcs11
|
||||
# Package removal, not upgrade
|
||||
%systemd_preun named-pkcs11.service
|
||||
|
||||
%postun pkcs11
|
||||
# Package upgrade, not uninstall
|
||||
%systemd_postun_with_restart named-pkcs11.service
|
||||
%endif
|
||||
|
||||
# Fix permissions on existing device files on upgrade
|
||||
%define chroot_fix_devices() \
|
||||
if [ $1 -gt 1 ]; then \
|
||||
@ -813,10 +715,6 @@ fi
|
||||
|
||||
%ldconfig_scriptlets libs
|
||||
|
||||
%if %{with PKCS11}
|
||||
%ldconfig_scriptlets pkcs11-libs
|
||||
%endif
|
||||
|
||||
%post chroot
|
||||
%systemd_post named-chroot.service
|
||||
%chroot_fix_devices %{chroot_prefix}
|
||||
@ -859,6 +757,7 @@ fi;
|
||||
%{_sbindir}/rndc*
|
||||
%{_sbindir}/named-checkconf
|
||||
%{_libexecdir}/generate-rndc-key.sh
|
||||
%{_libexecdir}/setup-named-softhsm.sh
|
||||
%{_mandir}/man1/mdig.1*
|
||||
%{_mandir}/man1/named-rrchecker.1*
|
||||
%{_mandir}/man5/named.conf.5*
|
||||
@ -947,15 +846,7 @@ fi;
|
||||
|
||||
%files dnssec-utils
|
||||
%{_bindir}/dnssec*
|
||||
%if %{with PKCS11}
|
||||
%exclude %{_sbindir}/dnssec*pkcs11
|
||||
%endif
|
||||
|
||||
%files dnssec-doc
|
||||
%{_mandir}/man1/dnssec*.1*
|
||||
%if %{with PKCS11}
|
||||
%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
|
||||
%endif
|
||||
|
||||
%files devel
|
||||
%{_libdir}/libbind9.so
|
||||
@ -1012,33 +903,6 @@ fi;
|
||||
%dir %{chroot_prefix}/run/named
|
||||
%{chroot_prefix}%{_localstatedir}/run
|
||||
|
||||
%if %{with PKCS11}
|
||||
%files pkcs11
|
||||
%{_sbindir}/named-pkcs11
|
||||
%{_unitdir}/named-pkcs11.service
|
||||
%{_mandir}/man8/named-pkcs11.8*
|
||||
%{_libexecdir}/setup-named-softhsm.sh
|
||||
|
||||
%files pkcs11-utils
|
||||
%{_bindir}/pkcs11-destroy
|
||||
%{_bindir}/pkcs11-keygen
|
||||
%{_bindir}/pkcs11-list
|
||||
%{_bindir}/pkcs11-tokens
|
||||
%{_mandir}/man1/pkcs11-*.1*
|
||||
%if %{with PKCS11}
|
||||
%{_bindir}/dnssec*pkcs11
|
||||
%{_mandir}/man1/dnssec*-pkcs11.1*
|
||||
%endif
|
||||
|
||||
%files pkcs11-libs
|
||||
%{_libdir}/libdns-pkcs11-%{version}*.so
|
||||
%{_libdir}/libns-pkcs11-%{version}*.so
|
||||
|
||||
%files pkcs11-devel
|
||||
%{_libdir}/libdns-pkcs11.so
|
||||
%{_libdir}/libns-pkcs11.so
|
||||
%endif
|
||||
|
||||
%if %{with DLZ}
|
||||
%files dlz-filesystem
|
||||
%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
|
||||
@ -1072,6 +936,7 @@ fi;
|
||||
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
|
||||
- Stop enabling selinux booleans on every upgrade
|
||||
- Deprecate python3-bind for smooth upgrade
|
||||
- Remove PKCS1111 native utilities, libs and daemon
|
||||
|
||||
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
|
||||
- Update to 9.18.4 (#2057493)
|
||||
|
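Review bot: Nothing in the spec migrates a host that had named-pkcs11.service enabled once the hunk at `@ -111,6 +107,7` obsoletes `%{name}-pkcs11` with `Obsoletes: %{name}-pkcs11 < 32:9.18.4-2`: the obsoleted package's own `%preun` (the removed `%systemd_preun named-pkcs11.service` in the `@ -770` hunk) disables that unit, the unit file itself is deleted in the second file section, and no scriptlet enables named.service in its place, so such a host would come up with no DNS daemon after the upgrade. A `%triggerun -- %{name}-pkcs11` scriptlet that records the enabled state of named-pkcs11.service and applies it to named.service (the usual pattern for a renamed unit) would close that gap; whether a later commit handles this cannot be told from this page. The same applies to DNSSEC keys that the old package presumably kept in a SoftHSM token per its removed description ("some token initialized"): the now-unconditional `BuildRequires: softhsm` and the token setup in `%check` only cover the test run, and neither `%description` nor the changelog tells an administrator that the OpenSSL PKCS#11 engine must now be configured for those keys, so one sentence there would help. Separately, the changelog entry in the `@ -1072` hunk has a typo, `- Remove PKCS1111 native utilities, libs and daemon` should read `- Remove PKCS#11 native utilities, libs and daemon`.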
@ -1,26 +0,0 @@
|
||||
[Unit]
|
||||
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
|
||||
Wants=nss-lookup.target
|
||||
Wants=named-setup-rndc.service
|
||||
Before=nss-lookup.target
|
||||
After=network.target
|
||||
After=named-setup-rndc.service
|
||||
|
||||
[Service]
|
||||
Type=forking
|
||||
Environment=NAMEDCONF=/etc/named.conf
|
||||
EnvironmentFile=-/etc/sysconfig/named
|
||||
Environment=KRB5_KTNAME=/etc/named.keytab
|
||||
PIDFile=/run/named/named.pid
|
||||
|
||||
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
|
||||
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
|
||||
|
||||
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
|
||||
|
||||
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
|
||||
|
||||
PrivateTmp=true
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|