A popular base container image for Linux containers is the distroless family of images (https://github.com/GoogleContainerTools/distroless). For statically linked openssl-based programs, there is a very small 'static' image which contains just certificates and a few config files. For dynamically linked program support there is also 'base' which adds in base system dynamic libs as well as openssl libs. These help to reduce the attack surface on the inside of the container as well as reducing the raw image size. Trying to use pkgbase to build something like distroless-static isn't currently possible since the FreeBSD-caroot package which contains the certificates also depends on FreeBSD-openssl which has all the ssl dynamic libs. Building something like distroless-base is almost possible but FreeBSD-openssl also installs the openssl utility which isn't wanted and is ~0.7 MB in size. Perhaps FreeBSD-caroot could split out the certificates into another package or possibly just not depend on FreeBSD-openssl? To avoid installing /usr/bin/openssl when adding SSL dynamic libs, perhaps FreeBSD-openssl could split out the libs into FreeBSD-openssl-libs?
I can't see how FreeBSD-caroot couldn't depend on openssl; certctl needs the openssl binary as we need to generate stuff after installation. Splitting the openssl binary and libs could make sense but it won't help you here. Note that it's needed to run certctl rehash after updating/installing FreeBSD-caroot in all cases as the users might have some custom certificates etc.
In my (admittedly specialised) example, I'm installing FreeBSD-caroot into an empty directory using 'pkg --rootdir' (actually not quite empty - I use mtree to create a directory structure). In this usage, pkg runs the host certctl with a DESTDIR env var to tell it what to work on. This also pulls in FreeBSD-openssl as an explicit dependency added by generate-ucl.sh and FreeBSD-clibs, probably as an implicit dependency from FreeBSD-openssl. While the resulting image does contain the certctl script, it doesn't work since the image doesn't have /bin/sh. What I'm proposing is to split out the certificate data from caroot e.g. into FreeBSD-certificates which caroot would explicitly depend on. For my image building I can install FreeBSD-certificates and then run certctl manually to create the required structure. This is enough to build a suitable image for statically linked workloads. Splitting the libraries out from FreeBSD-openssl is straightforward and will let me build a similar image for dynamically linked workloads without having to add the openssl binary. I'll hack on this a little today and see if this works out.
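The image-building procedure described in the comment above (mtree skeleton, pkg --rootdir, the host certctl pointed at the new root via DESTDIR), written out as an added example script. It is not the reporter's script or anything from the FreeBSD tree, and it makes several assumptions: the package names are the ones the thread later settles on (FreeBSD-caroot holding only the certificate data, FreeBSD-openssl-lib holding the shared libraries), a pkg repository configuration for the base repo exists in $REPOS_DIR (passed to pkg with -R), and it runs as root on a FreeBSD host with certctl(8) installed. The verify_rootfs check at the end tests the property the whole exercise is about: hashed certificate links present, no /bin/sh and no /usr/bin/openssl in the image.

```shell
#!/bin/sh
# Example (not from the bug report): build a distroless-style FreeBSD root
# from pkgbase packages and check that it carries certificates but neither a
# shell nor the openssl(1) utility.
#
# Assumptions: packages are named FreeBSD-caroot (data only) and
# FreeBSD-openssl-lib; $REPOS_DIR holds the pkg repo configuration for the
# base repository; the script runs as root on a FreeBSD host with certctl(8).
set -eu

REPOS_DIR=${REPOS_DIR:-/etc/pkg}

# mtree(5) skeleton for the directories the packages and certctl write into.
# Each directory entry is closed with ".." as in /etc/mtree/BSD.root.dist.
write_mtree_spec() {
    cat <<'EOF'
/set type=dir mode=0755
.
    etc
        ssl
            certs
            ..
            untrusted
            ..
        ..
    ..
    usr
        lib
        ..
        share
            certs
                trusted
                ..
                untrusted
                ..
            ..
        ..
    ..
    var
        db
            pkg
            ..
        ..
    ..
..
EOF
}

# Install the certificate data into $1, then have the *host* certctl build
# the hashed /etc/ssl/certs links inside that root; DESTDIR is how certctl is
# pointed at a foreign root.  WITH_LIBS=yes also adds the shared libraries
# (for dynamically linked workloads) without pulling in /usr/bin/openssl.
build_rootfs() {
    rootdir=$1
    mkdir -p "$rootdir"
    write_mtree_spec | mtree -deU -p "$rootdir"
    pkg -r "$rootdir" -R "$REPOS_DIR" install -y FreeBSD-caroot
    if [ "${WITH_LIBS:-no}" = yes ]; then
        pkg -r "$rootdir" -R "$REPOS_DIR" install -y FreeBSD-openssl-lib
    fi
    DESTDIR=$rootdir certctl rehash
}

# Check that $1 looks like the intended image: at least one <hash>.0 link
# that resolves to a real certificate file, and no shell or openssl binary.
# Returns 0 when all checks pass, 1 otherwise.
verify_rootfs() {
    rootdir=$1
    rc=0
    found=0
    for link in "$rootdir"/etc/ssl/certs/*.0; do
        [ -L "$link" ] && [ -f "$link" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
        echo "no hashed certificate links under etc/ssl/certs" >&2
        rc=1
    fi
    for unwanted in bin/sh usr/bin/openssl; do
        if [ -e "$rootdir/$unwanted" ]; then
            echo "unwanted binary in image: /$unwanted" >&2
            rc=1
        fi
    done
    return $rc
}

# Build only when a target directory is given; with no arguments the file
# just defines the functions so they can be sourced or tested.
if [ $# -ge 1 ]; then
    build_rootfs "$1"
    verify_rootfs "$1"
fi
```

Run as `sh build-rootfs.sh /tmp/rootfs` (or `WITH_LIBS=yes sh build-rootfs.sh /tmp/rootfs`) and then hand the directory to whatever image tooling is in use; verify_rootfs can also be run on its own against an unpacked image layer to confirm nothing reintroduced a shell.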
Created attachment 243740: Implements the suggested approach for reorganising caroot and openssl
This patch splits caroot into caroot and caroot-data and openssl into openssl and libssl.
You're missing the desc/comment for the new libssl package. And I'm not really understanding the code for generate-ucl.sh, care to explain?
I thought about adding a comment for libssl but none of the other lib packages seem to have one and the build generates a default 'libfoo package' comment. The change to generate-ucl.sh was to allow for more than one dependency. To allow for the new structure, caroot needs to depend on both caroot-data and openssl.
Any more comments or concerns for this one? If this approach is acceptable, I'd like to commit ahead of the 14.0 branch. I don't plan to merge back to stable/13 - I have an ugly workaround for building 13.2 and 13-stable images.
I think that the new libssl package should be named openssl-libs (this matches what we do with kerberos for example, where there are distinct packages for utilities and libs). caroot might be better renamed to FreeBSD-certctl as this will be the only content of this package. Otherwise I guess I'm ok with this change.
Seems reasonable. Adding a certctl package will mean that upgrades of caroot will uninstall certctl but that probably doesn't matter if this new arrangement is only for 14-current.
Added https://reviews.freebsd.org/D41321. I called the OpenSSL library package openssl-lib for consistency with kerberos-lib.
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=1d7ffb373c9d639c9645a6b09ae46b2b92adb2e3

commit 1d7ffb373c9d639c9645a6b09ae46b2b92adb2e3
Author:     Doug Rabson <dfr@FreeBSD.org>
AuthorDate: 2023-07-31 14:38:45 +0000
Commit:     Doug Rabson <dfr@FreeBSD.org>
CommitDate: 2023-08-05 08:30:35 +0000

    pkgbase: reorganise caroot and openssl packages

    This splits out the certctl utility into a new certctl package and the
    openssl libs into an openssl-lib package.

    PR:             272816
    Reviewed by:    manu
    Differential Revision: https://reviews.freebsd.org/D41321

 release/packages/Makefile.package            | 10 ++++++++--
 release/packages/{caroot.ucl => certctl.ucl} |  0
 release/packages/generate-ucl.sh             | 14 ++++++++------
 secure/lib/libcrypto/Makefile                |  2 +-
 secure/lib/libssl/Makefile                   |  2 +-
 usr.sbin/certctl/Makefile                    |  2 +-
 6 files changed, 19 insertions(+), 11 deletions(-)