fix(iso): rebuild-blocker — FIPS needs libdbus-1-dev + libssl-dev

rust:1-slim-bookworm doesn't include dbus/ssl dev headers, and jmcorgan/fips upstream started linking against libdbus-sys + openssl at some recent commit. Observed during the 2026-04-19 v1.5.0-alpha rebuild: libdbus-sys's build.rs panics when pkg-config can't find dbus-1.pc, which kills the whole cargo build → the whole ISO build → ships an ISO without FIPS installed.

Also mask nostr-vpn.service + archipelago-wg*.service in the rootfs Dockerfile: these have WantedBy=multi-user.target so systemd pulls them into the default boot target, but their EnvironmentFile + an ExecStartPre guard cause them to [FAILED] in the boot MOTD on every fresh install until onboarding writes their env files. Masking keeps the startup clean; the onboarding / install RPC handlers unmask + start them when prerequisites exist (same model as archipelago-fips).

Bonus discovery from same diag: the default build was silently reusing a stale rootfs cache from Apr 12 — before the FIPS integration landed. So the v1.5.0-alpha ISO I shipped had no FIPS package at all. Rebuild pass with --rebuild forces fresh rootfs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -249,8 +249,13 @@ if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]; then
|
|||||||
# we don't want to ship an ISO that silently skips FIPS.
|
# we don't want to ship an ISO that silently skips FIPS.
|
||||||
FROM rust:1-slim-bookworm AS fips-builder
|
FROM rust:1-slim-bookworm AS fips-builder
|
||||||
ENV DEBIAN_FRONTEND=noninteractive
|
ENV DEBIAN_FRONTEND=noninteractive
|
||||||
|
# libdbus-1-dev and libssl-dev added because jmcorgan/fips upstream
|
||||||
|
# now links against dbus + openssl (observed 2026-04-19 rebuild). The
|
||||||
|
# .pc files need to be present at pkg-config time or the cargo build
|
||||||
|
# panics in libdbus-sys's build.rs.
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \\
|
RUN apt-get update && apt-get install -y --no-install-recommends \\
|
||||||
git ca-certificates build-essential pkg-config dpkg-dev \\
|
git ca-certificates build-essential pkg-config dpkg-dev \\
|
||||||
|
libdbus-1-dev libssl-dev \\
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
RUN cargo install --locked cargo-deb
|
RUN cargo install --locked cargo-deb
|
||||||
RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
|
RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips
|
||||||
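Review bot: the `RUN git clone --depth 1 https://github.com/jmcorgan/fips.git /src/fips` context line at the end of this hunk still builds whatever upstream HEAD is at build time, so adding `libdbus-1-dev libssl-dev` fixes this one breakage while leaving the build open to the next unannounced upstream change. Pin the clone to a reviewed tag or commit hash and verify the checked-out revision before cargo runs, so that new native dependencies arrive through a reviewed bump instead of at rebuild time. Separately, the guard shown in the hunk header, `if [ ! -f "$ROOTFS_TAR" ] || [ "$1" == "--rebuild" ]`, reuses any existing rootfs tarball regardless of age; a post-build check that fails when the FIPS package is missing from the rootfs would enforce the "we don't want to ship an ISO that silently skips FIPS" comment instead of relying on someone remembering `--rebuild`.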
@@ -450,6 +455,14 @@ RUN systemctl enable NetworkManager || true && \
|
|||||||
# stays dark on FIPS so no traffic leaves an ephemeral identity.
|
# stays dark on FIPS so no traffic leaves an ephemeral identity.
|
||||||
RUN systemctl mask archipelago-fips.service || true
|
RUN systemctl mask archipelago-fips.service || true
|
||||||
|
|
||||||
|
# Same rationale for nostr-vpn and wireguard helpers — their env files
|
||||||
|
# don't exist until onboarding completes, so leaving these "enabled"
|
||||||
|
# (the default from WantedBy=multi-user.target) produces a red
|
||||||
|
# [FAILED] in the boot MOTD every reboot. Mask by default; the
|
||||||
|
# onboarding flow / fips.install-equivalent RPC handlers unmask and
|
||||||
|
# start them once their prerequisites are on disk.
|
||||||
|
RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service || true
|
||||||
|
|
||||||
# Remove policy-rc.d so services can start on first boot
|
# Remove policy-rc.d so services can start on first boot
|
||||||
RUN rm -f /usr/sbin/policy-rc.d
|
RUN rm -f /usr/sbin/policy-rc.d
|
||||||
|
|
||||||
|
|||||||
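Review bot: the `|| true` on the new `RUN systemctl mask nostr-vpn.service archipelago-wg.service archipelago-wg-address.service` line hides a failed mask, so a misspelled unit name or a unit file already present under /etc/systemd/system (where `systemctl mask` refuses to overwrite it) would leave the services enabled with no build error. Drop the `|| true`, or follow the mask with a check that each of the three names resolves to a symlink to /dev/null and fail the build otherwise. The commit message describes the target as archipelago-wg*.service while this line lists two explicit units; if other archipelago-wg units exist they are not covered, so state in the comment that the list is complete or extend it.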