This started off as a Twitter thread earlier this morning.
databases/mysql57-client has an optional dependency on security/cyrus-sasl2 which defaults to on.
Let’s try turning that off and see if it also removes openldap-client from the dependency list.
Why?
I install net-mgmt/nagios-plugins in just about every jail and host. Even hosts which don’t use MySQL.
I use poudriere to build all my own packages. I added this entry:
# Trying to avoid pulling in cyrus-sasl
databases_mysql57-client_UNSET+=SASLCLIENT
to this file: /usr/local/etc/poudriere.d/make.conf
This option will affect all builds. For more information on such configuration files, please see the CUSTOMISATION section of the man page. There are many ways to do this.
Why so many options?
Why do I install mysql-client if I’m not using it?
Because it’s needed on some hosts, but not all. I could compile different versions (flavors?) of net-mgmt/nagios-plugins for different requirements (not all hosts use PostgreSQL client either).
That complicates things.
There are no flavors for net-mgmt/nagios-plugins, one for each combination of options. Rather than complicate the repo list, I take this approach: compile in everything I need across all hosts.
Test complete: https://services.unixathome.org/poudriere/build.html?mastername=13amd64-default-pg13&build=2021-09-11_12h09m02s
I ran this command:
sudo poudriere bulk -j 13amd64 -p default -z pg13 -i databases/mysql57-client
Note the -i for Interactive mode. That dropped me into a shell with the newly built package already installed. That let me see what packages are installed as dependencies:
root@13amd64-default-pg13:~ # pkg info
ca_root_nss-3.69_1             Root certificate bundle from the Mozilla Project
curl-7.78.0                    Command line tool and library for transferring data with URLs
groff-1.22.4_3                 Software typesetting package
indexinfo-0.3.1                Utility to regenerate the GNU info page index
libedit-3.1.20210216,1         Command line editor library
libevent-2.1.12                API for executing callback functions on events or timeouts
liblz4-1.9.3,1                 LZ4 compression library, lossless and very fast
libnghttp2-1.44.0              HTTP/2.0 C Library
libpaper-1.1.24.4              Library providing routines for paper size management
libssh2-1.9.0_3,3              Library implementing the SSH2 protocol
mysql57-client-5.7.35_1        Multithreaded SQL database (client)
perl5-5.32.1_1                 Practical Extraction and Report Language
pkg-1.17.1                     Package manager
protobuf-3.17.3,1              Data interchange format library
psutils-1.17_5                 Utilities for manipulating PostScript documents
uchardet-0.0.7                 Universal charset detection library
No LDAP there. Good to go.
First test
Let’s install that on a host which uses it.
[dan@pg13:~] $ sudo pkg upgrade
Updating local repository catalogue...
[pg13.int.unixathome.org] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
[pg13.int.unixathome.org] Fetching packagesite.pkg: 100% 54 KiB 55.1kB/s 00:01
Processing entries: 100%
local repository update completed. 176 packages processed.
All repositories are up to date.
Checking for upgrades (5 candidates): 100%
Processing candidates (5 candidates): 100%
The following 5 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        bind-tools: 9.16.19 -> 9.16.20
        ca_root_nss: 3.69 -> 3.69_1
        libuv: 1.41.0 -> 1.42.0
        pcre: 8.44 -> 8.45

Installed packages to be REINSTALLED:
        mysql57-client-5.7.35_1 (options changed)

Number of packages to be upgraded: 4
Number of packages to be reinstalled: 1

The operation will free 1 MiB.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[pg13.int.unixathome.org] [1/5] Fetching pcre-8.45.pkg: 100% 1 MiB 1.3MB/s 00:01
[pg13.int.unixathome.org] [2/5] Fetching mysql57-client-5.7.35_1.pkg: 100% 2 MiB 1.9MB/s 00:01
[pg13.int.unixathome.org] [3/5] Fetching libuv-1.42.0.pkg: 100% 116 KiB 118.7kB/s 00:01
[pg13.int.unixathome.org] [4/5] Fetching ca_root_nss-3.69_1.pkg: 100% 244 KiB 249.6kB/s 00:01
[pg13.int.unixathome.org] [5/5] Fetching bind-tools-9.16.20.pkg: 100% 4 MiB 4.2MB/s 00:01
Checking integrity... done (0 conflicting)
[pg13.int.unixathome.org] [1/5] Upgrading ca_root_nss from 3.69 to 3.69_1...
[pg13.int.unixathome.org] [1/5] Extracting ca_root_nss-3.69_1: 100%
[pg13.int.unixathome.org] [2/5] Upgrading libuv from 1.41.0 to 1.42.0...
[pg13.int.unixathome.org] [2/5] Extracting libuv-1.42.0: 100%
[pg13.int.unixathome.org] [3/5] Upgrading pcre from 8.44 to 8.45...
[pg13.int.unixathome.org] [3/5] Extracting pcre-8.45: 100%
[pg13.int.unixathome.org] [4/5] Reinstalling mysql57-client-5.7.35_1...
[pg13.int.unixathome.org] [4/5] Extracting mysql57-client-5.7.35_1: 100%
[pg13.int.unixathome.org] [5/5] Upgrading bind-tools from 9.16.19 to 9.16.20...
[pg13.int.unixathome.org] [5/5] Extracting bind-tools-9.16.20: 100%
There is the new mysql-client coming in, with new options.
Now, let’s remove dependencies which are no longer required.
[dan@pg13:~] $ sudo pkg autoremove
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
        libiconv: 1.16
        openldap-client: 2.4.59_1

Number of packages to be removed: 2

The operation will free 8 MiB.

Proceed with deinstalling packages? [y/N]: y
[pg13.int.unixathome.org] [1/2] Deinstalling libiconv-1.16...
[pg13.int.unixathome.org] [1/2] Deleting files for libiconv-1.16: 100%
[pg13.int.unixathome.org] [2/2] Deinstalling openldap-client-2.4.59_1...
[pg13.int.unixathome.org] [2/2] Deleting files for openldap-client-2.4.59_1: 100%
Why wasn’t SASL removed? That was my objective.
[dan@pg13:~] $ pkg info -x sasl
cyrus-sasl-2.1.27_2
[dan@pg13:~] $ sudo pkg delete cyrus-sasl
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        cyrus-sasl: 2.1.27_2
        postfix: 3.6.2_1,1

Number of packages to be removed: 2

The operation will free 15 MiB.

Proceed with deinstalling packages? [y/N]: n
Ahh, my Postfix requires it.
Not to worry. I’ve been replacing Postfix with dma because a full-blown MTA is not required on most of my hosts. They don’t receive incoming mail, they only send mail.
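The autoremove run above left cyrus-sasl installed because another package still depended on it. As an added example (not part of the original post), this shell function lists every package that directly or transitively requires a given one. It assumes input in the form of "package dependency" pairs as printed by pkg query -a '%n %dn'; the sample edges are constructed and mail-wrapper is a hypothetical package name.

```sh
#!/bin/sh
# Added example. Assumed input: "package dependency" pairs, one per line,
# in the form printed by:  pkg query -a '%n %dn'

who_requires() {
    # $1 = package to investigate; stdin = name/dependency pairs.
    # Prints every package that directly or transitively depends on $1.
    awk -v target="$1" '
        NF == 2 { rdeps[$2] = rdeps[$2] " " $1 }   # reverse edge: dep -> requirers
        END {
            queue[1] = target; head = 1; tail = 1
            seen[target] = 1                       # guards against dependency cycles
            while (head <= tail) {
                n = split(rdeps[queue[head++]], r, " ")
                for (i = 1; i <= n; i++)
                    if (!(r[i] in seen)) {
                        seen[r[i]] = 1
                        queue[++tail] = r[i]
                        print r[i]
                    }
            }
        }' | sort
}

# Constructed sample edges, not taken from a real host.
# mail-wrapper is a hypothetical package used to show a transitive requirer.
sample_edges() {
    cat <<'EOF'
postfix cyrus-sasl
postfix pcre
nagios-plugins mysql57-client
mysql57-client libedit
mail-wrapper postfix
EOF
}

# Which packages keep cyrus-sasl from being autoremoved?
sample_edges | who_requires cyrus-sasl
```

On a live host the same function would be fed from pkg query instead of sample_edges. An empty result means nothing holds the package in place, so pkg autoremove can drop it if it was installed automatically.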
Another host
Let’s try this on the ingress node (a jail) for the dev.freshports.org website:
[dan@dev-ingress01:~] $ sudo pkg upgrade
Updating local repository catalogue...
[dev-ingress01.int.unixathome.org] Fetching meta.conf: 100% 163 B 0.2kB/s 00:01
[dev-ingress01.int.unixathome.org] Fetching packagesite.pkg: 100% 253 KiB 259.1kB/s 00:01
Processing entries: 100%
local repository update completed. 968 packages processed.
All repositories are up to date.
Checking for upgrades (15 candidates): 100%
Processing candidates (15 candidates): 100%
The following 10 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
        bind-tools: 9.16.19 -> 9.16.20
        ca_root_nss: 3.69 -> 3.69_1
        gdbm: 1.20 -> 1.21
        glib: 2.68.3,2 -> 2.68.4,2
        libgit2: 1.1.0 -> 1.1.1
        libuv: 1.41.0 -> 1.42.0
        pcre: 8.44 -> 8.45

Installed packages to be REINSTALLED:
        mysql57-client-5.7.35_1 (options changed)
        p5-IO-HTML-1.001_1 (ABI changed: 'freebsd:12:x86:64' -> 'freebsd:12:*')
        p5-IO-Socket-INET6-2.72_1 (ABI changed: 'freebsd:12:x86:64' -> 'freebsd:12:*')

Number of packages to be upgraded: 7
Number of packages to be reinstalled: 3

The operation will free 1 MiB.
11 MiB to be downloaded.

Proceed with this action? [y/N]: y
[dev-ingress01.int.unixathome.org] [1/10] Fetching pcre-8.45.pkg: 100% 1 MiB 1.3MB/s 00:01
[dev-ingress01.int.unixathome.org] [2/10] Fetching p5-IO-Socket-INET6-2.72_1.pkg: 100% 10 KiB 10.5kB/s 00:01
[dev-ingress01.int.unixathome.org] [3/10] Fetching p5-IO-HTML-1.001_1.pkg: 100% 12 KiB 12.0kB/s 00:01
[dev-ingress01.int.unixathome.org] [4/10] Fetching mysql57-client-5.7.35_1.pkg: 100% 2 MiB 1.9MB/s 00:01
[dev-ingress01.int.unixathome.org] [5/10] Fetching libuv-1.42.0.pkg: 100% 116 KiB 118.7kB/s 00:01
[dev-ingress01.int.unixathome.org] [6/10] Fetching libgit2-1.1.1.pkg: 100% 561 KiB 574.6kB/s 00:01
[dev-ingress01.int.unixathome.org] [7/10] Fetching glib-2.68.4,2.pkg: 100% 3 MiB 3.4MB/s 00:01
[dev-ingress01.int.unixathome.org] [8/10] Fetching gdbm-1.21.pkg: 100% 176 KiB 180.2kB/s 00:01
[dev-ingress01.int.unixathome.org] [9/10] Fetching ca_root_nss-3.69_1.pkg: 100% 243 KiB 249.1kB/s 00:01
[dev-ingress01.int.unixathome.org] [10/10] Fetching bind-tools-9.16.20.pkg: 100% 4 MiB 4.2MB/s 00:01
Checking integrity... done (0 conflicting)
[dev-ingress01.int.unixathome.org] [1/10] Upgrading ca_root_nss from 3.69 to 3.69_1...
[dev-ingress01.int.unixathome.org] [1/10] Extracting ca_root_nss-3.69_1: 100%
[dev-ingress01.int.unixathome.org] [2/10] Upgrading pcre from 8.44 to 8.45...
[dev-ingress01.int.unixathome.org] [2/10] Extracting pcre-8.45: 100%
[dev-ingress01.int.unixathome.org] [3/10] Upgrading libuv from 1.41.0 to 1.42.0...
[dev-ingress01.int.unixathome.org] [3/10] Extracting libuv-1.42.0: 100%
[dev-ingress01.int.unixathome.org] [4/10] Reinstalling p5-IO-Socket-INET6-2.72_1...
[dev-ingress01.int.unixathome.org] [4/10] Extracting p5-IO-Socket-INET6-2.72_1: 100%
[dev-ingress01.int.unixathome.org] [5/10] Reinstalling p5-IO-HTML-1.001_1...
[dev-ingress01.int.unixathome.org] [5/10] Extracting p5-IO-HTML-1.001_1: 100%
[dev-ingress01.int.unixathome.org] [6/10] Reinstalling mysql57-client-5.7.35_1...
[dev-ingress01.int.unixathome.org] [6/10] Extracting mysql57-client-5.7.35_1: 100%
[dev-ingress01.int.unixathome.org] [7/10] Upgrading libgit2 from 1.1.0 to 1.1.1...
[dev-ingress01.int.unixathome.org] [7/10] Extracting libgit2-1.1.1: 100%
[dev-ingress01.int.unixathome.org] [8/10] Upgrading glib from 2.68.3,2 to 2.68.4,2...
[dev-ingress01.int.unixathome.org] [8/10] Extracting glib-2.68.4,2: 100%
No schema files found: doing nothing.
[dev-ingress01.int.unixathome.org] [9/10] Upgrading gdbm from 1.20 to 1.21...
[dev-ingress01.int.unixathome.org] [9/10] Extracting gdbm-1.21: 100%
[dev-ingress01.int.unixathome.org] [10/10] Upgrading bind-tools from 9.16.19 to 9.16.20...
[dev-ingress01.int.unixathome.org] [10/10] Extracting bind-tools-9.16.20: 100%
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[dan@dev-ingress01:~] $ pkg autoremove
pkg: Insufficient privileges to autoremove packages
[dan@dev-ingress01:~] $ sudo pkg autoremove
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
        cyrus-sasl: 2.1.27_2
        openldap-client: 2.4.59_1

Number of packages to be removed: 2

The operation will free 14 MiB.

Proceed with deinstalling packages? [y/N]: y
[dev-ingress01.int.unixathome.org] [1/2] Deinstalling openldap-client-2.4.59_1...
[dev-ingress01.int.unixathome.org] [1/2] Deleting files for openldap-client-2.4.59_1: 100%
[dev-ingress01.int.unixathome.org] [2/2] Deinstalling cyrus-sasl-2.1.27_2...
[dev-ingress01.int.unixathome.org] [2/2] Deleting files for cyrus-sasl-2.1.27_2: 100%
To delete Cyrus user permanently, use 'pw userdel cyrus'
To delete Cyrus group permanently, use 'pw groupdel cyrus'
[dan@dev-ingress01:~] $
There’s SASL going out.
But wait, there’s more
Let’s delete that user, no longer required.
[dan@dev-ingress01:~] $ sudo pw userdel cyrus
[dan@dev-ingress01:~] $ sudo pw groupdel cyrus
pw: unknown group `cyrus'
[dan@dev-ingress01:~] $
Why is that not automatic?
- You might be upgrading the package, in which case, why delete then add right back in?
- You might be using the user for something else, unknown to the package.
Why this came to mind
This issue came to my attention because Nagios is talking about “openldap-client-2.4.59_1 ? orphaned: net/openldap24-client”. See this screen shot:
What’s this orphaned thing? The pkg command has the ability to tell you if an installed package is not available in the repo. Such packages are referred to as orphans. In this blog post I show how I create a Nagios check for this. Knowing that a package is now an orphan is important to me. I don’t want to be surprised come upgrade or reinstall time.
In this case, net/openldap24-client changed its package name from openldap-client to openldap24-client. This isn’t critical in this situation, but it brought it to my attention. Hence, the change to compile options.
What’s next?
I will also do this for mysql80-client, which I use on another host, for Bacula regression testing.
In a follow-up post, I hope to outline how many hosts no longer have this software installed.