[PHP] fix: provide OpenSSL defaults from rootfs images#746
Merged
brandonpayton merged 1 commit intoJul 11, 2026
Conversation
This was referenced Jul 10, 2026
Move the maintained OpenSSL config and trust bundle into image-owned /etc/ssl state, and remove kernel and Node fabrication for caller-supplied images. Recursively merge canonical /etc into legacy browser filesystems without overwriting demo leaves, fail boot on incomplete overlays, bump the rootfs revision, and cover Node, Chromium, and PHP paths.
brandonpayton
force-pushed
the
gascity/kd-6nz/split-pr717-default-openssl-config
branch
from
July 11, 2026 16:25
2efa15e to
7dc5c6f
Compare
brandonpayton
changed the base branch from
integration/kd-6nz-php-phpt-harness-only-base
to
integration/kd-6nz-php-phpt-platform-fixes
July 11, 2026 16:26
brandonpayton
deleted the
gascity/kd-6nz/split-pr717-default-openssl-config
branch
July 11, 2026 16:26
13 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
/etc/ssl./etc/*copier with a recursive, ownership-preserving merge that keeps demo-owned leaves and fails initialization on missing/corrupt/partial canonical state.Review and repair
Original review: the two old commits were not safe to replay. They made static OpenSSL policy kernel-synthetic, and the second commit depended on an
openssl.cnfsupplied only by the stale harness base while carrying the unrelated headline “stabilize parallel php harness server tests.” The scheduler work implied by that headline is already superseded by the repaired #740.Changes made: I replaced both commits with one atomic platform/VFS change. Static config and public trust now follow the normal rootfs path; Node no longer mutates caller images; the browser's per-session MITM CA remains the documented dynamic exception at
ca-certificates.crt; and legacy browser boots recursively merge canonical/etcdata without overwriting demo leaves. Review follow-up also made overlay errors fail closed, added exact full-byte/mode/owner Node checks, added missing-image and ENOSPC tests, cleaned up browser kernels deterministically, and made PHP OpenSSL failures exit nonzero with error-queue diagnostics.View: accept this rebuilt one-commit PR into Batch 2. It is the truthful platform fix. It changes rootfs/package bytes and transitive image cache keys, but adds no structural ABI surface. Standalone images that are not based on the canonical rootfs intentionally do not receive fabricated OpenSSL policy.
Package and ABI notes
6 -> 7.MANIFESTandimages/rootfs, so both assets and future CA refreshes invalidate the cache.Validation
Passed on the repaired one-commit tree:
cargo test -p kandelo --target aarch64-apple-darwin --lib: 1,077/1,077../run.sh browser: normal preparation rebuilt the invalidated rootfs-derived images; Vite readiness was observed and the Chromium rootfs probe against that server passed 1/1.openssl_csr_new_basic.phptandopenssl_pkey_new_basic.phpt: pass on Node and Chromium.bash build.sh: completed.bash scripts/check-abi-version.sh: passed; only inherited backward-compatible aggregate additions are reported.Broad host diagnostic, not claimed green:
cd host && npx vitest runreached 1,223 passing, 2 expected failures, and 26 skips, with one unrelated SpiderMonkey guestexit 139in a SHA-1 case. A prior broad run failed a different SpiderMonkey case the same way; the isolated parity file then passed 16/16. This PR does not touch SpiderMonkey, and I am preserving the failure rather than relabeling the full host suite as passing.Per the batch protocol, the full libc/ready-to-merge gate is deferred to aggregate PR #871 and has not been claimed here.