Remove all pkcs11 variants

Recent FreeIPA uses the OpenSSL PKCS#11 backend to offload keys to secure
storage. Remove the duplicate native PKCS#11 builds of the tools and daemon. Do
not build tools like pkcs11-tokens; rely on the more advanced tools p11tool
and pkcs11-tool instead. Keep setup-named-softhsm as part of the named package.
Petr Menšík 2022-06-28 20:19:10 +02:00
parent 411463dad7
commit 989a3e3876
2 changed files with 8 additions and 169 deletions

bind.spec

@ -7,9 +7,6 @@
# bcond_with is built only when --with X is passed to build
%bcond_with SYSTEMTEST
%bcond_without GSSTSIG
# it is not possible to build the package without PKCS11 sub-package
# due to extensive changes to Makefiles
%bcond_with PKCS11 # TODO: Remove
%bcond_without JSON
# FIXME: Not ready. Should it be worked on?
%bcond_without DLZ
@ -92,7 +89,6 @@ Source42: generate-rndc-key.sh
Source43: named.rwtab
Source44: named-chroot-setup.service
Source46: named-setup-rndc.service
Source47: named-pkcs11.service
Source48: setup-named-softhsm.sh
Source49: named-chroot.files
@ -111,6 +107,7 @@ Requires(post): grep
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: %{name}-utils %{name}-dnssec-utils
%upname_compat %{upname}
Obsoletes: %{name}-pkcs11 < 32:9.18.4-2
BuildRequires: gcc, make
BuildRequires: openssl-devel, libtool, autoconf, pkgconfig, libcap-devel
@ -131,7 +128,7 @@ BuildRequires: openldap-devel, libpq-devel, sqlite-devel, mariadb-connector-c-d
# make unit dependencies
BuildRequires: libcmocka-devel
%endif
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
%if %{with UNITTEST} || %{with SYSTEMTEST}
BuildRequires: softhsm
%endif
%if %{with SYSTEMTEST}
@ -175,60 +172,12 @@ which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
%if %{with PKCS11}
%package pkcs11
Summary: Bind with native PKCS#11 functionality for crypto
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: softhsm
%description pkcs11
This is a version of BIND server built with native PKCS#11 functionality.
It is important to have SoftHSM v2+ installed and some token initialized.
For other supported HSM modules please check the BIND documentation.
# TODO: Those utils can be used also without pkcs11 variant, but are not?
%package pkcs11-utils
Summary: Bind tools with native PKCS#11 for using DNSSEC
Obsoletes: %{name}-pkcs11 < 32:9.9.4-16.P2
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
%if %{with PKCS11}
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
%endif
%description pkcs11-utils
This is a set of PKCS#11 utilities that when used together create rsa
keys in a PKCS11 keystore.
%if %{with PKCS11}
Also utilities for working with DNSSEC
compiled with native PKCS#11 functionality are included.
%endif
%package pkcs11-libs
Summary: Bind libraries compiled with native PKCS#11
Requires: %{name}-license = %{epoch}:%{version}-%{release}
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
%description pkcs11-libs
This is a set of BIND libraries (dns, isc) compiled with native PKCS#11
functionality.
%package pkcs11-devel
Summary: Development files for Bind libraries compiled with native PKCS#11
Requires: %{name}-pkcs11-libs%{?_isa} = %{epoch}:%{version}-%{release}
Requires: %{name}-devel%{?_isa} = %{epoch}:%{version}-%{release}
%description pkcs11-devel
This a set of development files for BIND libraries (dns, isc) compiled
with native PKCS#11 functionality.
%endif
%package libs
Summary: Libraries used by the BIND DNS packages
Requires: %{name}-license = %{epoch}:%{version}-%{release}
Provides: %{name}-libs-lite = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-libs-lite < 32:9.16.13
Obsoletes: %{name}-pkcs11-libs < 32:9.18.4-2
%description libs
Contains heavyweight version of BIND suite libraries used by both named DNS
@ -246,6 +195,7 @@ Summary: Utilities for querying DNS name servers
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
# For compatibility with Debian package
Provides: dnsutils = %{epoch}:%{version}-%{release}
Obsoletes: %{name}-pkcs11-utils < 32:9.18.4-2
%upname_compat %{upname}-utils
%description utils
@ -262,8 +212,8 @@ servers.
Summary: DNSSEC keys and zones management utilities
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
Recommends: %{name}-utils
Requires: %{name}-dnssec-doc = %{epoch}:%{version}-%{release}
Obsoletes: python3-%{name} < 32:9.18.0
Obsoletes: %{name}-dnssec-doc < 32:9.18.4
%upname_compat %{upname}-dnssec-utils
%description dnssec-utils
@ -274,14 +224,6 @@ revocation and verification of keys and DNSSEC signatures in zone files.
You should install %{name}-dnssec-utils if you need to sign a DNS zone
or maintain keys for it.
%package dnssec-doc
Summary: Manual pages of DNSSEC utilities
Requires: %{name}-license = %{epoch}:%{version}-%{release}
BuildArch:noarch
%description dnssec-doc
%{name}-dnssec-doc contains manual pages for %{name}-dnssec-utils.
%package devel
Summary: Header files and libraries needed for bind-dyndb-ldap
Provides: %{name}-lite-devel = %{epoch}:%{version}-%{release}
@ -441,10 +383,6 @@ export LIBDIR_SUFFIX
%if %{with GEOIP2}
--with-maxminddb \
%endif
%if %{with PKCS11}
--enable-native-pkcs11 \
--with-pkcs11=%{_libdir}/pkcs11/libsofthsm2.so \
%endif
%if %{with GSSTSIG}
--with-gssapi=yes \
%endif
@ -499,7 +437,7 @@ popd # build
%systemtest_prepare_build build
%check
%if %{with PKCS11} && (%{with UNITTEST} || %{with SYSTEMTEST})
%if %{with UNITTEST} || %{with SYSTEMTEST}
# Tests require initialization of pkcs11 token
eval "$(bash %{SOURCE48} -A "`pwd`/softhsm-tokens")"
%endif
@ -594,17 +532,11 @@ install -m 644 %{SOURCE38} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE44} ${RPM_BUILD_ROOT}%{_unitdir}
install -m 644 %{SOURCE46} ${RPM_BUILD_ROOT}%{_unitdir}
%if %{with PKCS11}
install -m 644 %{SOURCE47} ${RPM_BUILD_ROOT}%{_unitdir}
%endif
mkdir -p ${RPM_BUILD_ROOT}%{_libexecdir}
install -m 755 %{SOURCE41} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-chroot.sh
install -m 755 %{SOURCE42} ${RPM_BUILD_ROOT}%{_libexecdir}/generate-rndc-key.sh
%if %{with PKCS11}
install -m 755 %{SOURCE48} ${RPM_BUILD_ROOT}%{_libexecdir}/setup-named-softhsm.sh
%endif
install -m 644 %SOURCE3 ${RPM_BUILD_ROOT}/etc/logrotate.d/named
mkdir -p ${RPM_BUILD_ROOT}%{_sysconfdir}/sysconfig
@ -639,22 +571,6 @@ popd
# Remove libtool .la files:
find ${RPM_BUILD_ROOT}/%{_libdir} -name '*.la' -exec '/bin/rm' '-f' '{}' ';';
# PKCS11 versions manpages
%if %{with PKCS11}
pushd ${RPM_BUILD_ROOT}%{_mandir}/man8
ln -s named.8.gz named-pkcs11.8.gz
ln -s dnssec-checkds.8.gz dnssec-checkds-pkcs11.8.gz
ln -s dnssec-dsfromkey.8.gz dnssec-dsfromkey-pkcs11.8.gz
ln -s dnssec-importkey.8.gz dnssec-importkey-pkcs11.8.gz
ln -s dnssec-keyfromlabel.8.gz dnssec-keyfromlabel-pkcs11.8.gz
ln -s dnssec-keygen.8.gz dnssec-keygen-pkcs11.8.gz
ln -s dnssec-revoke.8.gz dnssec-revoke-pkcs11.8.gz
ln -s dnssec-settime.8.gz dnssec-settime-pkcs11.8.gz
ln -s dnssec-signzone.8.gz dnssec-signzone-pkcs11.8.gz
ln -s dnssec-verify.8.gz dnssec-verify-pkcs11.8.gz
popd
%endif
# 9.16.4 installs even manual pages for tools not generated
%if %{without DNSTAP}
rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/dnstap-read.1* || true
@ -770,20 +686,6 @@ fi
# Package upgrade, not uninstall
%systemd_postun_with_restart named.service
%if %{with PKCS11}
%post pkcs11
# Initial installation
%systemd_post named-pkcs11.service
%preun pkcs11
# Package removal, not upgrade
%systemd_preun named-pkcs11.service
%postun pkcs11
# Package upgrade, not uninstall
%systemd_postun_with_restart named-pkcs11.service
%endif
# Fix permissions on existing device files on upgrade
%define chroot_fix_devices() \
if [ $1 -gt 1 ]; then \
@ -813,10 +715,6 @@ fi
%ldconfig_scriptlets libs
%if %{with PKCS11}
%ldconfig_scriptlets pkcs11-libs
%endif
%post chroot
%systemd_post named-chroot.service
%chroot_fix_devices %{chroot_prefix}
@ -859,6 +757,7 @@ fi;
%{_sbindir}/rndc*
%{_sbindir}/named-checkconf
%{_libexecdir}/generate-rndc-key.sh
%{_libexecdir}/setup-named-softhsm.sh
%{_mandir}/man1/mdig.1*
%{_mandir}/man1/named-rrchecker.1*
%{_mandir}/man5/named.conf.5*
@ -947,15 +846,7 @@ fi;
%files dnssec-utils
%{_bindir}/dnssec*
%if %{with PKCS11}
%exclude %{_sbindir}/dnssec*pkcs11
%endif
%files dnssec-doc
%{_mandir}/man1/dnssec*.1*
%if %{with PKCS11}
%exclude %{_mandir}/man1/dnssec*-pkcs11.1*
%endif
%files devel
%{_libdir}/libbind9.so
@ -1012,33 +903,6 @@ fi;
%dir %{chroot_prefix}/run/named
%{chroot_prefix}%{_localstatedir}/run
%if %{with PKCS11}
%files pkcs11
%{_sbindir}/named-pkcs11
%{_unitdir}/named-pkcs11.service
%{_mandir}/man8/named-pkcs11.8*
%{_libexecdir}/setup-named-softhsm.sh
%files pkcs11-utils
%{_bindir}/pkcs11-destroy
%{_bindir}/pkcs11-keygen
%{_bindir}/pkcs11-list
%{_bindir}/pkcs11-tokens
%{_mandir}/man1/pkcs11-*.1*
%if %{with PKCS11}
%{_bindir}/dnssec*pkcs11
%{_mandir}/man1/dnssec*-pkcs11.1*
%endif
%files pkcs11-libs
%{_libdir}/libdns-pkcs11-%{version}*.so
%{_libdir}/libns-pkcs11-%{version}*.so
%files pkcs11-devel
%{_libdir}/libdns-pkcs11.so
%{_libdir}/libns-pkcs11.so
%endif
%if %{with DLZ}
%files dlz-filesystem
%{_libdir}/{named,bind}/dlz_filesystem_dynamic.so
@ -1072,6 +936,7 @@ fi;
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-2
- Stop enabling selinux booleans on every upgrade
- Deprecate python3-bind for smooth upgrade
- Remove PKCS1111 native utilities, libs and daemon
* Wed Jul 20 2022 Petr Menšík <pemensik@redhat.com> - 32:9.18.4-1
- Update to 9.18.4 (#2057493)
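Review bot: The removed `%package pkcs11-devel` gets no `Obsoletes:` counterpart, unlike `pkcs11`, `pkcs11-libs` and `pkcs11-utils`, so a host that has bind-pkcs11-devel installed keeps a package whose exact-version `Requires: bind-pkcs11-libs` can no longer be satisfied once bind-libs obsoletes bind-pkcs11-libs, and dnf will have to refuse the upgrade or drop it on its own; add `Obsoletes: %{name}-pkcs11-devel < 32:9.18.4-2` to the `%package devel` stanza. The new `Obsoletes: %{name}-dnssec-doc < 32:9.18.4` in dnssec-utils omits the release, and rpm skips the release comparison when the bound has none, so bind-dnssec-doc from 32:9.18.4-1 (the previous changelog entry) is presumably not covered and stays installed next to a dnssec-utils that now owns the same `%{_mandir}/man1/dnssec*.1*` files; `< 32:9.18.4-2` matches the other bounds. The `Recommends: softhsm` dropped with the pkcs11 subpackage is not re-added to the main package even though `setup-named-softhsm.sh` now ships there and the script is useless without a SoftHSM module, so consider `Recommends: softhsm` (or `Suggests: softhsm`) in the main package stanza. The changelog line `Remove PKCS1111 native utilities, libs and daemon` has a typo and should read `PKCS#11`.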


@ -1,26 +0,0 @@
[Unit]
Description=Berkeley Internet Name Domain (DNS) with native PKCS#11
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=network.target
After=named-setup-rndc.service
[Service]
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/bin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named-pkcs11 -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target