[maintainer update] net/icinga/icingadb: 1.5.1, pledge/unveil patch
Hi ports@,
Hi Stuart,
A diff to update net/icinga/icingadb to its latest release 1.5.1
together with a small patch for pledge(2) and unveil(2) support follows.
Best,
Alvar
diff --git Makefile Makefile
index 204ee608d41..8e970d1d741 100644
--- Makefile
+++ Makefile
@@ -1,7 +1,7 @@
COMMENT= configuration and state database for Icinga
GH_PROJECT= icingadb
-GH_TAGNAME= v1.5.0
+GH_TAGNAME= v1.5.1
MODGO_MODNAME= github.com/icinga/icingadb
MODGO_VERSION= ${GH_TAGNAME}
@@ -18,6 +18,9 @@ MODULES= lang/go
.include "modules.inc"
+# for patches to apply
+WRKDIST = ${WRKSRC}
+
post-install:
${INSTALL_DATA_DIR} ${PREFIX}/share/doc/icingadb/markdown
${INSTALL_DATA} ${WRKSRC}/{AUTHORS,LICENSE,*.md} ${PREFIX}/share/doc/icingadb
diff --git distinfo distinfo
index 89bca181e4f..35d7cce3e8d 100644
--- distinfo
+++ distinfo
@@ -38,8 +38,8 @@ SHA256 (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = Mch0odKhjmKwVQ+CPOe
SHA256 (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = ZKnOBG8sMg43g/ug0fShX4oY8LAJtnvyf3YwkZ2z9Tk=
SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = c9pHtjOLAKCC/UUao1oyc9OtwJuOm7qY2rAQkeQCr24=
SHA256 (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = 0PAvN3IX9CcC4lloTgZEHtv1FA3dzDS6m+pWA4s4pu0=
-SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = TuBy+Tlxexr7Zaw8o3K8RRWunQx3rkzixq9qDRaDTeQ=
-SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = FgJRtm+KhVjJsmXmzllXmh45ZvPh6fSnmaVRrIuIxCU=
+SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = 62kZelhlLe0QB3ERRyX7e2NIxWW2FbX/t4YsfgvbBwU=
+SHA256 (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = fyA6SxKRwcqi0ezK8q8uG9XaBgPV6m65fGhdg4lAcYc=
SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = XXfNPd0IYZ25q3vITtJAlbDicioz7d4iGzJlEMKwH/w=
SHA256 (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = I97Ou1pRFK8aaH++1k1qZ08el25wsrTNwn9S0LAgy0s=
SHA256 (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = TK1YPczEsJNGdNt/yFycLDIu5YeTNmhgqupYL2WRmU0=
@@ -66,8 +66,8 @@ SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = 3yjGqCPxgddheWlxd8DFlD
SHA256 (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = 1MNri80GFikKORMhXg9TuTG9bgBnBZbylg3xtEryvQc=
SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = dLLnZushU3eGTVh7rfV+lVIfaS0qeGCzx3WQk/nJvsI=
SHA256 (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = 3gTOzBpLjVPkNXBRAmeUvLxU8uaiYM+sUIzmnV1kV6A=
-SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg=
-SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = 6/q95nlTIIKBKBCdXNiwrhNvyTnzNSYbFgK725Mhalw=
+SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = bVq+RIntf4jVi2SnFPH2zfBcKeRzKyNMMocJK0LzJrg=
+SHA256 (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = tu9N6wgWD5rO+KrMK3g47iQkBFzRyrGq0oZoT4/b+wE=
SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E=
SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = bHMYonqNVHOo62YedfsAUoF24O/FkxDtJ3yhO9EqU/E=
SHA256 (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = MZnZS+UChBQiIGYso7AOGd3R3r5OgN3HRf9CA+y2AcA=
@@ -86,8 +86,8 @@ SHA256 (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = cO3vDOfYMNmS8CTlJ/00Ugabi
SHA256 (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA=
SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = WKMN3nMKuldXZxXZCEF3T2NEqHn+xWM6LGazfsMMEfA=
SHA256 (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = Ikm10v3OYfbuZhpnnYVSWZrwhKdhy7yHHad2Qb3c4MM=
-SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc=
-SHA256 (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = uZS5b/C7UEo9WCiKuIufPGYEaJ6hr7adJbUJdpcFpsI=
+SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = rYBZREWaFDYO6wZ3t8b8T/ep2oD7A3ZK+n2RzwLihcc=
+SHA256 (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = OHYCJxQtODaQaTdMAFcHvGs8Jwp180+j8XxIyGMUPNw=
SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = hn0KUX9LRzf6NCERYOtqiNt+Qjne9HIYFrA+dB2+rPU=
SHA256 (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = lZrL41FEMMLACdyT8n5B3a1P7heKTGgMdTvAm10ud9A=
SHA256 (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = 5Bjsbat5ooeOZoZlE8Yfh7+BePhfy3h1Zwjv1jVYDKA=
@@ -96,8 +96,8 @@ SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = XErAMQolMwdXA5zPOpjnX+/by3
SHA256 (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = py/lt5VUqJk9+VEtBeI3kI060LSAAcGrkrf6Uzns9EA=
SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.mod) = cyMeKp5Xhgaj/n4ODJP/qWMavCAh96v6RCWGA4ZpCW8=
SHA256 (go_modules/golang.org/x/net/@v/v0.30.0.zip) = w1e3ec3AjQlS97rUxFzoQiO3xgBdd1gioXkBro9lu7o=
-SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA=
-SHA256 (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = k5oaVzzYPfVoNrY3BSpF9qYPeLhqWjdfwMbCmKhooU0=
+SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = 0zPFS3SviguOx0jTfFly0nudCIueRci/XDq1INIRMJA=
+SHA256 (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = JSEf4s/9gCC7QFua23qQ9eBnYPKBi4+y50qqohpm7Z4=
SHA256 (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = cA5dsA3SaqGaF9zl/FUkNtYPaMVgbIW4IfJMPWByoVE=
SHA256 (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=
SHA256 (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = 8DMzMJb+GY8xUd7tk/LeunTlC7/nc5E0BFvDt85KUCQ=
@@ -114,7 +114,7 @@ SHA256 (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod)
SHA256 (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = ThgX+WTKNOVFuBr9oDJaXonPWN4uQT2CB8Cv3dD9wVw=
SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = IVeYYKIDBvz0OxvSNNH7oxlJnHdhG3HAX5vzupDauTk=
SHA256 (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = qrj7xOYwDqCOav4crqGKIckMefSJ9SxT4vIEMfGpoBU=
-SHA256 (icingadb-1.5.0.zip) = sXqboDonPhhP1sNA9p9sIxdzAHa4cPjzPs/zet8Vtr4=
+SHA256 (icingadb-1.5.1.zip) = tDQbm5nIRuP21PS8J9VwvbN1gxdLHSOpEpF957IWOlI=
SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.mod) = 40
SIZE (go_modules/filippo.io/edwards25519/@v/v1.1.0.zip) = 55809
SIZE (go_modules/github.com/!vivid!cortex/ewma/@v/v1.2.0.mod) = 44
@@ -155,8 +155,8 @@ SIZE (go_modules/github.com/google/go-cmp/@v/v0.7.0.mod) = 41
SIZE (go_modules/github.com/google/go-cmp/@v/v0.7.0.zip) = 130179
SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.mod) = 30
SIZE (go_modules/github.com/google/uuid/@v/v1.6.0.zip) = 31981
-SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.mod) = 1245
-SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.1.zip) = 130783
+SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.mod) = 1245
+SIZE (go_modules/github.com/icinga/icinga-go-library/@v/v0.8.2.zip) = 130821
SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.mod) = 79
SIZE (go_modules/github.com/jessevdk/go-flags/@v/v1.6.1.zip) = 78585
SIZE (go_modules/github.com/jmoiron/sqlx/@v/v1.4.0.mod) = 157
@@ -183,8 +183,8 @@ SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.mod) = 29
SIZE (go_modules/github.com/pkg/errors/@v/v0.9.1.zip) = 17866
SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.mod) = 37
SIZE (go_modules/github.com/pmezard/go-difflib/@v/v1.0.0.zip) = 12433
-SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.mod) = 635
-SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.16.0.zip) = 584449
+SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.mod) = 635
+SIZE (go_modules/github.com/redis/go-redis/v9/@v/v9.17.2.zip) = 5104265
SIZE (go_modules/github.com/rivo/uniseg/@v/v0.1.0.mod) = 39
SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.mod) = 39
SIZE (go_modules/github.com/rivo/uniseg/@v/v0.2.0.zip) = 45731
@@ -203,8 +203,8 @@ SIZE (go_modules/go.uber.org/goleak/@v/v1.3.0.zip) = 37573
SIZE (go_modules/go.uber.org/multierr/@v/v1.10.0.mod) = 228
SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.mod) = 228
SIZE (go_modules/go.uber.org/multierr/@v/v1.11.0.zip) = 25681
-SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.mod) = 312
-SIZE (go_modules/go.uber.org/zap/@v/v1.27.0.zip) = 287887
+SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.mod) = 312
+SIZE (go_modules/go.uber.org/zap/@v/v1.27.1.zip) = 289619
SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.mod) = 190
SIZE (go_modules/golang.org/x/crypto/@v/v0.28.0.zip) = 1790287
SIZE (go_modules/golang.org/x/exp/@v/v0.0.0-20240506185415-9bf2ced13842.mod) = 179
@@ -213,8 +213,8 @@ SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.mod) = 84
SIZE (go_modules/golang.org/x/mod/@v/v0.17.0.zip) = 165172
SIZE (go_modules/golang.org/x/net/@v/v0.30.0.mod) = 155
SIZE (go_modules/golang.org/x/net/@v/v0.30.0.zip) = 1842318
-SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.mod) = 36
-SIZE (go_modules/golang.org/x/sync/@v/v0.18.0.zip) = 25708
+SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.mod) = 36
+SIZE (go_modules/golang.org/x/sync/@v/v0.19.0.zip) = 25714
SIZE (go_modules/golang.org/x/sync/@v/v0.7.0.mod) = 34
SIZE (go_modules/golang.org/x/sys/@v/v0.0.0-20210514084401-e8d321eab015.mod) = 33
SIZE (go_modules/golang.org/x/sys/@v/v0.0.0-20220811171246-fbc7d0a398ab.mod) = 33
@@ -231,4 +231,4 @@ SIZE (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.mod) =
SIZE (go_modules/gopkg.in/check.v1/@v/v0.0.0-20161208181325-20d25e280405.zip) = 39844
SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.mod) = 95
SIZE (go_modules/gopkg.in/yaml.v3/@v/v3.0.1.zip) = 104623
-SIZE (icingadb-1.5.0.zip) = 3370896
+SIZE (icingadb-1.5.1.zip) = 3371200
diff --git modules.inc modules.inc
index b685a740c69..7d91dbdb84b 100644
--- modules.inc
+++ modules.inc
@@ -18,7 +18,7 @@ MODGO_MODULES = \
github.com/goccy/go-yaml v1.13.0 \
github.com/google/go-cmp v0.7.0 \
github.com/google/uuid v1.6.0 \
- github.com/icinga/icinga-go-library v0.8.1 \
+ github.com/icinga/icinga-go-library v0.8.2 \
github.com/jessevdk/go-flags v1.6.1 \
github.com/jmoiron/sqlx v1.4.0 \
github.com/kr/text v0.2.0 \
@@ -31,7 +31,7 @@ MODGO_MODULES = \
github.com/okzk/sdnotify v0.0.0-20180710141335-d9becc38acbd \
github.com/pkg/errors v0.9.1 \
github.com/pmezard/go-difflib v1.0.0 \
- github.com/redis/go-redis/v9 v9.16.0 \
+ github.com/redis/go-redis/v9 v9.17.2 \
github.com/rivo/uniseg v0.2.0 \
github.com/ssgreg/journald v1.0.0 \
github.com/stretchr/objx v0.5.2 \
@@ -39,12 +39,12 @@ MODGO_MODULES = \
github.com/vbauerster/mpb/v6 v6.0.4 \
go.uber.org/goleak v1.3.0 \
go.uber.org/multierr v1.11.0 \
- go.uber.org/zap v1.27.0 \
+ go.uber.org/zap v1.27.1 \
golang.org/x/crypto v0.28.0 \
golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 \
golang.org/x/mod v0.17.0 \
golang.org/x/net v0.30.0 \
- golang.org/x/sync v0.18.0 \
+ golang.org/x/sync v0.19.0 \
golang.org/x/sys v0.26.0 \
golang.org/x/text v0.19.0 \
golang.org/x/tools v0.21.0 \
diff --git patches/patch-cmd_icingadb_main_go patches/patch-cmd_icingadb_main_go
new file mode 100644
index 00000000000..846d0acbaab
--- /dev/null
+++ patches/patch-cmd_icingadb_main_go
@@ -0,0 +1,21 @@
+Index: cmd/icingadb/main.go
+--- cmd/icingadb/main.go.orig
++++ cmd/icingadb/main.go
+@@ -39,6 +39,8 @@ func main() {
+ }
+
+ func run() int {
++ initialPrivDrop()
++
+ cmd := command.New()
+
+ logs, err := logging.NewLoggingFromConfig(utils.AppName(), cmd.Config.Logging)
+@@ -54,6 +56,8 @@ func run() int {
+ defer func() { _ = logger.Sync() }()
+
+ logger.WithOptions(logs.ForceLog()).Infof("Starting Icinga DB daemon (%s)", internal.Version.Version)
++
++ privDrop(cmd, logger)
+
+ db, err := cmd.Database(logs.GetChildLogger("database"))
+ if err != nil {
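Review bot: `privDrop(cmd, logger)` is placed before `cmd.Database(...)`, so any file the database or Redis clients open after this point has to be covered by the unveil set and the `rpath` promise. The companion openbsd.go patch grants `rpath` only for unix-socket hosts and schema auto-import. If the TLS options can name certificate, key or CA files, or verification falls back to the system root bundle, and those are read lazily during or after client construction (not visible here, please confirm), TLS connections would fail once privileges are dropped. Such a failure could push operators toward disabling verification. I would either unveil the configured TLS paths read-only in privDrop or record the constraint at the call site, e.g. `// privDrop runs before any client is built; every file read after this line must be unveiled there.` The body of run() continues outside the hunk.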
diff --git patches/patch-cmd_icingadb_openbsd_go patches/patch-cmd_icingadb_openbsd_go
new file mode 100644
index 00000000000..839afae5168
--- /dev/null
+++ patches/patch-cmd_icingadb_openbsd_go
@@ -0,0 +1,87 @@
+Index: cmd/icingadb/openbsd.go
+--- cmd/icingadb/openbsd.go.orig
++++ cmd/icingadb/openbsd.go
+@@ -0,0 +1,83 @@
++package main
++
++import (
++ "fmt"
++ "maps"
++ "slices"
++ "strings"
++
++ "github.com/icinga/icinga-go-library/logging"
++ "github.com/icinga/icinga-go-library/utils"
++ "github.com/icinga/icingadb/internal/command"
++ "go.uber.org/zap"
++ "golang.org/x/sys/unix"
++)
++
++// initialPrivDrop applies a first pledge(2) promise.
++//
++// This function should be called first in main to start with restricted
++// privileges. After parsing the configuration, privDrop should be called to
++// perform further restrictions.
++func initialPrivDrop() {
++ // all possible promises which can be used later in privDrop, plus unveil.
++ promises := "stdio rpath inet unix dns unveil error"
++ if err := unix.PledgePromises(promises); err != nil {
++ panic(fmt.Sprintf("initial pledge(2) failed, %q: %v", promises, err))
++ }
++}
++
++// privDrop should be called after parsing command.Command.
++func privDrop(c *command.Command, l *logging.Logger) {
++ pledgePromises := map[string]struct{}{
++ "stdio": struct{}{},
++ "inet": struct{}{},
++ "dns": struct{}{},
++ "error": struct{}{},
++ }
++
++ unveilPaths := map[string]string{
++ // Special paths for the "dns" pledge promise from before OpenBSD 7.9.
++ "/etc/resolv.conf": "r",
++ "/etc/hosts": "r",
++ "/etc/services": "r",
++ "/etc/protocols": "r",
++ }
++
++ for _, host := range []string{c.Config.Database.Host, c.Config.Redis.Host} {
++ if !utils.IsUnixAddr(host) {
++ continue
++ }
++
++ pledgePromises["rpath"] = struct{}{}
++ pledgePromises["unix"] = struct{}{}
++ unveilPaths[host] = "rw"
++ }
++
++ if c.Flags.DatabaseAutoImport {
++ pledgePromises["rpath"] = struct{}{}
++ unveilPaths[c.Flags.DatabaseSchemaDir] = "r"
++ }
++
++ for path, permissions := range unveilPaths {
++ if err := unix.Unveil(path, permissions); err != nil {
++ l.Fatalw("Cannot unveil(2)",
++ zap.String("path", path),
++ zap.String("permissions", permissions),
++ zap.Error(err))
++ }
++ }
++ if err := unix.UnveilBlock(); err != nil {
++ l.Fatalw("Cannot block unveil(2)", zap.Error(err))
++ }
++
++ promises := strings.Join(slices.Collect(maps.Keys(pledgePromises)), " ")
++ if err := unix.PledgePromises(promises); err != nil {
++ l.Fatalw("Cannot pledge(2)",
++ zap.String("promises", promises),
++ zap.Error(err))
++ }
++
++ l.Infow("Dropped privileges with pledge(2) and unveil(2)",
++ zap.String("pledge", promises),
++ zap.Any("unveil", unveilPaths))
++}
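Review bot: The final promise set built in privDrop still contains `"error"`, and initialPrivDrop requests it as well. Per pledge(2), that makes a later violation return ENOSYS instead of killing the process. The daemon therefore keeps running after an operation outside its promises, and the only trace is whatever the caller does with the error. If this is meant as a safety net while the promise set is being validated, say so next to the map entry, e.g. `// "error": violations return ENOSYS instead of aborting; drop once the promise set is confirmed complete.`; otherwise remove the `"error": struct{}{},` entry from pledgePromises. Separately, `maps.Keys` iterates in random order, so the logged promise string differs between runs; `strings.Join(slices.Sorted(maps.Keys(pledgePromises)), " ")` keeps the log line stable for comparison and alerting.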