Make FIPS not use ReadonlyRootfsManager as due to systemd-sysext …

…usage we wont be able to make `/usr` writeable anymore (#15016)
truenas · Nov 22, 2024 · dc22872 · dc22872
1 parent d06e38b
commit dc22872
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 27 deletions.
diff --git a/debian/debian/preinst b/debian/debian/preinst
@@ -0,0 +1,5 @@
+#!/bin/sh -ex
+
+mkdir -p /var/lib/ssl
+mv /usr/lib/ssl/fipsmodule.cnf /var/lib/ssl/fipsmodule.cnf
+ln -s /var/lib/ssl/fipsmodule.cnf /usr/lib/ssl/fipsmodule.cnf
diff --git a/src/freenas/debian/preinst b/src/freenas/debian/preinst
diff --git a/src/middlewared/middlewared/scripts/configure_fips.py b/src/middlewared/middlewared/scripts/configure_fips.py
@@ -3,7 +3,6 @@
 import shutil
 import sqlite3
 import subprocess
-import typing
 
 from middlewared.utils.db import query_config_table
 
@@ -38,42 +37,17 @@ def configure_fips(enable_fips: bool) -> None:
     modify_openssl_config(enable_fips)
 
 
-def get_active_be() -> typing.Optional[str]:
-    cp = subprocess.run(['zfs', 'get', '-o', 'name', '-H', 'name', '/'], capture_output=True, check=False)
-    if cp.returncode or not (active_be := cp.stdout.decode().strip()):
-        return None
-
-    return active_be
-
-
-def set_readonly(readonly: bool) -> None:
-    active_be = get_active_be()
-    if not active_be or subprocess.run(
-        ['zfs', 'get', '-H', 'truenas:developer', active_be], capture_output=True, check=False
-    ).stdout.decode().split()[-2] == 'on':
-        # We do not want to do anything here if developer mode is enabled or if we are not able to find active be
-        # because we are in chroot env in that case
-        return
-
-    subprocess.run(
-        ['zfs', 'set', f'readonly={"on" if readonly else "off"}', os.path.join(active_be, 'usr')],
-        capture_output=True, check=False
-    )
-
-
 def main() -> None:
     validate_system_state()
     try:
         security_settings = query_config_table('system_security')
     except (sqlite3.OperationalError, IndexError):
-        # This is for the case when users are upgrading and in that case table will not exist
+        # This is for the case when users are upgrading and in that case table will not exist,
         # so we should always disable fips as a default because users might not be able to ssh
         # into the system
         security_settings = {'enable_fips': False}
 
-    set_readonly(False)
     configure_fips(security_settings['enable_fips'])
-    set_readonly(True)
 
 
 if __name__ == '__main__':