Skip to content

[PHP] fix: provide OpenSSL defaults from rootfs images#746

Merged
brandonpayton merged 1 commit into
integration/kd-6nz-php-phpt-platform-fixesfrom
gascity/kd-6nz/split-pr717-default-openssl-config
Jul 11, 2026
Merged

[PHP] fix: provide OpenSSL defaults from rootfs images#746
brandonpayton merged 1 commit into
integration/kd-6nz-php-phpt-platform-fixesfrom
gascity/kd-6nz/split-pr717-default-openssl-config

Conversation

@brandonpayton

@brandonpayton brandonpayton commented Jun 20, 2026

Copy link
Copy Markdown
Member

Summary

  • Move the maintained OpenSSL configuration and Mozilla trust bundle into the canonical rootfs at /etc/ssl.
  • Remove kernel and Node boot-time fabrication, so arbitrary caller-supplied images remain responsible for their own static policy.
  • Replace the legacy browser's flat /etc/* copier with a recursive, ownership-preserving merge that keeps demo-owned leaves and fails initialization on missing/corrupt/partial canonical state.
  • Bump the rootfs package revision from 6 to 7, relocate the CA refresh helper, and add Node, real-Chromium, and PHP coverage.

Review and repair

Original review: the two old commits were not safe to replay. They made static OpenSSL policy kernel-synthetic, and the second commit depended on an openssl.cnf supplied only by the stale harness base while carrying the unrelated headline “stabilize parallel php harness server tests.” The scheduler work implied by that headline is already superseded by the repaired #740.

Changes made: I replaced both commits with one atomic platform/VFS change. Static config and public trust now follow the normal rootfs path; Node no longer mutates caller images; the browser's per-session MITM CA remains the documented dynamic exception at ca-certificates.crt; and legacy browser boots recursively merge canonical /etc data without overwriting demo leaves. Review follow-up also made overlay errors fail closed, added exact full-byte/mode/owner Node checks, added missing-image and ENOSPC tests, cleaned up browser kernels deterministically, and made PHP OpenSSL failures exit nonzero with error-queue diagnostics.

View: accept this rebuilt one-commit PR into Batch 2. It is the truthful platform fix. It changes rootfs/package bytes and transitive image cache keys, but adds no structural ABI surface. Standalone images that are not based on the canonical rootfs intentionally do not receive fabricated OpenSSL policy.

Package and ABI notes

  • Rootfs revision: 6 -> 7.
  • The existing rootfs input hash covers MANIFEST and images/rootfs, so both assets and future CA refreshes invalidate the cache.
  • Reverse-dependency hashing propagates the new rootfs key to shell, Node VFS, WordPress, and LAMP images; no manual revision bump is needed for those packages.
  • OpenSSL and PHP package outputs are unchanged, so their revisions do not change.
  • No new syscall number/layout, shared constant, kernel export, or generated ABI surface is introduced. Batch 2 still remains quarantined for its already-planned ABI 17 reconciliation and artifact rebuild.

Validation

Passed on the repaired one-commit tree:

  • cargo test -p kandelo --target aarch64-apple-darwin --lib: 1,077/1,077.
  • Focused Vitest after final diff cleanup: 60/60 across rootfs overlay, Node mounts, ABI marker, NSS/rootfs, PHPT harness, and PHP package tests.
  • PHP Node package suite: 17/17, including default key + CSR generation.
  • Real Chromium legacy-rootfs probe: 1/1.
  • Real Chromium PHP package suite: 1/1 with exit code 0, empty guest stderr, explicit host diagnostics, and worker cleanup.
  • ./run.sh browser: normal preparation rebuilt the invalidated rootfs-derived images; Vite readiness was observed and the Chromium rootfs probe against that server passed 1/1.
  • Upstream PHPT cases openssl_csr_new_basic.phpt and openssl_pkey_new_basic.phpt: pass on Node and Chromium.
  • Canonical rootfs build and bash build.sh: completed.
  • bash scripts/check-abi-version.sh: passed; only inherited backward-compatible aggregate additions are reported.

Broad host diagnostic, not claimed green:

  • cd host && npx vitest run reached 1,223 passing, 2 expected failures, and 26 skips, with one unrelated SpiderMonkey guest exit 139 in a SHA-1 case. A prior broad run failed a different SpiderMonkey case the same way; the isolated parity file then passed 16/16. This PR does not touch SpiderMonkey, and I am preserving the failure rather than relabeling the full host suite as passing.

Per the batch protocol, the full libc/ready-to-merge gate is deferred to aggregate PR #871 and has not been claimed here.

Move the maintained OpenSSL config and trust bundle into image-owned /etc/ssl state, and remove kernel and Node fabrication for caller-supplied images.

Recursively merge canonical /etc into legacy browser filesystems without overwriting demo leaves, fail boot on incomplete overlays, bump the rootfs revision, and cover Node, Chromium, and PHP paths.
@brandonpayton
brandonpayton force-pushed the gascity/kd-6nz/split-pr717-default-openssl-config branch from 2efa15e to 7dc5c6f Compare July 11, 2026 16:25
@brandonpayton brandonpayton changed the title [PHP] fix: provide default openssl config file [PHP] fix: provide OpenSSL defaults from rootfs images Jul 11, 2026
@brandonpayton
brandonpayton changed the base branch from integration/kd-6nz-php-phpt-harness-only-base to integration/kd-6nz-php-phpt-platform-fixes July 11, 2026 16:26
@brandonpayton
brandonpayton merged commit cd3f018 into integration/kd-6nz-php-phpt-platform-fixes Jul 11, 2026
@brandonpayton
brandonpayton deleted the gascity/kd-6nz/split-pr717-default-openssl-config branch July 11, 2026 16:26
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant