Sep 112021
 

This started off as a Twitter thread earlier this morning.

databases/mysql57-client has an optional dependency on security/cyrus-sasl2 which defaults to on.

Let’s try turning that off and see if it also removes openldap-client from the dependency list.

Why?

I install net-mgmt/nagios-plugins in just above every jail and host. Even hosts which don’t use MySQL.

I use poudriere to build all my own packages. I added this entry:

# Trying to avoid pulling in cyrus-sasl
databases_mysql57-client_UNSET+=SASLCLIENT

to this file: /usr/local/etc/poudriere.d/make.conf

This option will affect all builds. For more information on such configuration files, please the CUSTOMISATION section of the man page. There are many ways to do this.

Why so many options?

Why do I install mysql-client if I’m not using it?

Because it’s needed on some hosts, but not all. I could compile different versions (flavors?) of net-mgmt/nagios-plugins for different requirements (not all hosts use PostgreSQL client either).

That complicates things.

There are no flavors for net-mgmt/nagios-plugins, one for each combination of options. Rather than complicate the repo list, I take this approach: compile in everything I need across all hosts.

Test complete: https://services.unixathome.org/poudriere/build.html?mastername=13amd64-default-pg13&build=2021-09-11_12h09m02s

I ran this command:

sudo poudriere bulk -j 13amd64 -p default -z pg13 -i databases/mysql57-client

Note the -i for Interactive mode. That dropped me into a shell with the newly build package already installed. That let me see what packages are installed as dependencies:

root@13amd64-default-pg13:~ # pkg info
ca_root_nss-3.69_1             Root certificate bundle from the Mozilla Project
curl-7.78.0                    Command line tool and library for transferring data with URLs
groff-1.22.4_3                 Software typesetting package
indexinfo-0.3.1                Utility to regenerate the GNU info page index
libedit-3.1.20210216,1         Command line editor library
libevent-2.1.12                API for executing callback functions on events or timeouts
liblz4-1.9.3,1                 LZ4 compression library, lossless and very fast
libnghttp2-1.44.0              HTTP/2.0 C Library
libpaper-1.1.24.4              Library providing routines for paper size management
libssh2-1.9.0_3,3              Library implementing the SSH2 protocol
mysql57-client-5.7.35_1        Multithreaded SQL database (client)
perl5-5.32.1_1                 Practical Extraction and Report Language
pkg-1.17.1                     Package manager
protobuf-3.17.3,1              Data interchange format library
psutils-1.17_5                 Utilities for manipulating PostScript documents
uchardet-0.0.7                 Universal charset detection library

No LDAP there. Good to go.

First test

Let’s install that on a host which uses it.

[dan@pg13:~] $ sudo pkg upgrade
Updating local repository catalogue...
[pg13.int.unixathome.org] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[pg13.int.unixathome.org] Fetching packagesite.pkg: 100%   54 KiB  55.1kB/s    00:01    
Processing entries: 100%
local repository update completed. 176 packages processed.
All repositories are up to date.
Checking for upgrades (5 candidates): 100%
Processing candidates (5 candidates): 100%
The following 5 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	bind-tools: 9.16.19 -> 9.16.20
	ca_root_nss: 3.69 -> 3.69_1
	libuv: 1.41.0 -> 1.42.0
	pcre: 8.44 -> 8.45

Installed packages to be REINSTALLED:
	mysql57-client-5.7.35_1 (options changed)

Number of packages to be upgraded: 4
Number of packages to be reinstalled: 1

The operation will free 1 MiB.
7 MiB to be downloaded.

Proceed with this action? [y/N]: y
[pg13.int.unixathome.org] [1/5] Fetching pcre-8.45.pkg: 100%    1 MiB   1.3MB/s    00:01    
[pg13.int.unixathome.org] [2/5] Fetching mysql57-client-5.7.35_1.pkg: 100%    2 MiB   1.9MB/s    00:01    
[pg13.int.unixathome.org] [3/5] Fetching libuv-1.42.0.pkg: 100%  116 KiB 118.7kB/s    00:01    
[pg13.int.unixathome.org] [4/5] Fetching ca_root_nss-3.69_1.pkg: 100%  244 KiB 249.6kB/s    00:01    
[pg13.int.unixathome.org] [5/5] Fetching bind-tools-9.16.20.pkg: 100%    4 MiB   4.2MB/s    00:01    
Checking integrity... done (0 conflicting)
[pg13.int.unixathome.org] [1/5] Upgrading ca_root_nss from 3.69 to 3.69_1...
[pg13.int.unixathome.org] [1/5] Extracting ca_root_nss-3.69_1: 100%
[pg13.int.unixathome.org] [2/5] Upgrading libuv from 1.41.0 to 1.42.0...
[pg13.int.unixathome.org] [2/5] Extracting libuv-1.42.0: 100%
[pg13.int.unixathome.org] [3/5] Upgrading pcre from 8.44 to 8.45...
[pg13.int.unixathome.org] [3/5] Extracting pcre-8.45: 100%
[pg13.int.unixathome.org] [4/5] Reinstalling mysql57-client-5.7.35_1...
[pg13.int.unixathome.org] [4/5] Extracting mysql57-client-5.7.35_1: 100%
[pg13.int.unixathome.org] [5/5] Upgrading bind-tools from 9.16.19 to 9.16.20...
[pg13.int.unixathome.org] [5/5] Extracting bind-tools-9.16.20: 100%

There is the new mysql-client coming in, with new options.

Now, let’s remove dependencies which are no longer required.

[dan@pg13:~] $ sudo pkg autoremove
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
	libiconv: 1.16
	openldap-client: 2.4.59_1

Number of packages to be removed: 2

The operation will free 8 MiB.

Proceed with deinstalling packages? [y/N]: y
[pg13.int.unixathome.org] [1/2] Deinstalling libiconv-1.16...
[pg13.int.unixathome.org] [1/2] Deleting files for libiconv-1.16: 100%
[pg13.int.unixathome.org] [2/2] Deinstalling openldap-client-2.4.59_1...
[pg13.int.unixathome.org] [2/2] Deleting files for openldap-client-2.4.59_1: 100%

Why wasn’t SASL removed? That was my objective.

[dan@pg13:~] $ pkg info -x sasl
cyrus-sasl-2.1.27_2
[dan@pg13:~] $ sudo pkg delete cyrus-sasl
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
	cyrus-sasl: 2.1.27_2
	postfix: 3.6.2_1,1

Number of packages to be removed: 2

The operation will free 15 MiB.

Proceed with deinstalling packages? [y/N]: n

Ahh, my Postfix requires it.

Not to worry. I’ve been replacing Postfix with dma because a full-blown MTA is not required on most of my hosts. They don’t receive incoming mail, they only send mail.

Another host

Let’s try this on the ingress node (a jail) for the dev.freshports.org website:

[dan@dev-ingress01:~] $ sudo pkg upgrade
Updating local repository catalogue...
[dev-ingress01.int.unixathome.org] Fetching meta.conf: 100%    163 B   0.2kB/s    00:01    
[dev-ingress01.int.unixathome.org] Fetching packagesite.pkg: 100%  253 KiB 259.1kB/s    00:01    
Processing entries: 100%
local repository update completed. 968 packages processed.
All repositories are up to date.
Checking for upgrades (15 candidates): 100%
Processing candidates (15 candidates): 100%
The following 10 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	bind-tools: 9.16.19 -> 9.16.20
	ca_root_nss: 3.69 -> 3.69_1
	gdbm: 1.20 -> 1.21
	glib: 2.68.3,2 -> 2.68.4,2
	libgit2: 1.1.0 -> 1.1.1
	libuv: 1.41.0 -> 1.42.0
	pcre: 8.44 -> 8.45

Installed packages to be REINSTALLED:
	mysql57-client-5.7.35_1 (options changed)
	p5-IO-HTML-1.001_1 (ABI changed: 'freebsd:12:x86:64' -> 'freebsd:12:*')
	p5-IO-Socket-INET6-2.72_1 (ABI changed: 'freebsd:12:x86:64' -> 'freebsd:12:*')

Number of packages to be upgraded: 7
Number of packages to be reinstalled: 3

The operation will free 1 MiB.
11 MiB to be downloaded.

Proceed with this action? [y/N]: y
[dev-ingress01.int.unixathome.org] [1/10] Fetching pcre-8.45.pkg: 100%    1 MiB   1.3MB/s    00:01    
[dev-ingress01.int.unixathome.org] [2/10] Fetching p5-IO-Socket-INET6-2.72_1.pkg: 100%   10 KiB  10.5kB/s    00:01    
[dev-ingress01.int.unixathome.org] [3/10] Fetching p5-IO-HTML-1.001_1.pkg: 100%   12 KiB  12.0kB/s    00:01    
[dev-ingress01.int.unixathome.org] [4/10] Fetching mysql57-client-5.7.35_1.pkg: 100%    2 MiB   1.9MB/s    00:01    
[dev-ingress01.int.unixathome.org] [5/10] Fetching libuv-1.42.0.pkg: 100%  116 KiB 118.7kB/s    00:01    
[dev-ingress01.int.unixathome.org] [6/10] Fetching libgit2-1.1.1.pkg: 100%  561 KiB 574.6kB/s    00:01    
[dev-ingress01.int.unixathome.org] [7/10] Fetching glib-2.68.4,2.pkg: 100%    3 MiB   3.4MB/s    00:01    
[dev-ingress01.int.unixathome.org] [8/10] Fetching gdbm-1.21.pkg: 100%  176 KiB 180.2kB/s    00:01    
[dev-ingress01.int.unixathome.org] [9/10] Fetching ca_root_nss-3.69_1.pkg: 100%  243 KiB 249.1kB/s    00:01    
[dev-ingress01.int.unixathome.org] [10/10] Fetching bind-tools-9.16.20.pkg: 100%    4 MiB   4.2MB/s    00:01    
Checking integrity... done (0 conflicting)
[dev-ingress01.int.unixathome.org] [1/10] Upgrading ca_root_nss from 3.69 to 3.69_1...
[dev-ingress01.int.unixathome.org] [1/10] Extracting ca_root_nss-3.69_1: 100%
[dev-ingress01.int.unixathome.org] [2/10] Upgrading pcre from 8.44 to 8.45...
[dev-ingress01.int.unixathome.org] [2/10] Extracting pcre-8.45: 100%
[dev-ingress01.int.unixathome.org] [3/10] Upgrading libuv from 1.41.0 to 1.42.0...
[dev-ingress01.int.unixathome.org] [3/10] Extracting libuv-1.42.0: 100%
[dev-ingress01.int.unixathome.org] [4/10] Reinstalling p5-IO-Socket-INET6-2.72_1...
[dev-ingress01.int.unixathome.org] [4/10] Extracting p5-IO-Socket-INET6-2.72_1: 100%
[dev-ingress01.int.unixathome.org] [5/10] Reinstalling p5-IO-HTML-1.001_1...
[dev-ingress01.int.unixathome.org] [5/10] Extracting p5-IO-HTML-1.001_1: 100%
[dev-ingress01.int.unixathome.org] [6/10] Reinstalling mysql57-client-5.7.35_1...
[dev-ingress01.int.unixathome.org] [6/10] Extracting mysql57-client-5.7.35_1: 100%
[dev-ingress01.int.unixathome.org] [7/10] Upgrading libgit2 from 1.1.0 to 1.1.1...
[dev-ingress01.int.unixathome.org] [7/10] Extracting libgit2-1.1.1: 100%
[dev-ingress01.int.unixathome.org] [8/10] Upgrading glib from 2.68.3,2 to 2.68.4,2...
[dev-ingress01.int.unixathome.org] [8/10] Extracting glib-2.68.4,2: 100%
No schema files found: doing nothing.
[dev-ingress01.int.unixathome.org] [9/10] Upgrading gdbm from 1.20 to 1.21...
[dev-ingress01.int.unixathome.org] [9/10] Extracting gdbm-1.21: 100%
[dev-ingress01.int.unixathome.org] [10/10] Upgrading bind-tools from 9.16.19 to 9.16.20...
[dev-ingress01.int.unixathome.org] [10/10] Extracting bind-tools-9.16.20: 100%
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/openssl/cert.pem if it is no longer needed.
[dan@dev-ingress01:~] $ pkg autoremove
pkg: Insufficient privileges to autoremove packages
[dan@dev-ingress01:~] $ sudo pkg autoremove
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 2 packages:

Installed packages to be REMOVED:
	cyrus-sasl: 2.1.27_2
	openldap-client: 2.4.59_1

Number of packages to be removed: 2

The operation will free 14 MiB.

Proceed with deinstalling packages? [y/N]: y
[dev-ingress01.int.unixathome.org] [1/2] Deinstalling openldap-client-2.4.59_1...
[dev-ingress01.int.unixathome.org] [1/2] Deleting files for openldap-client-2.4.59_1: 100%
[dev-ingress01.int.unixathome.org] [2/2] Deinstalling cyrus-sasl-2.1.27_2...
[dev-ingress01.int.unixathome.org] [2/2] Deleting files for cyrus-sasl-2.1.27_2: 100%
To delete Cyrus user permanently, use 'pw userdel cyrus'
To delete Cyrus group permanently, use 'pw groupdel cyrus'
[dan@dev-ingress01:~] $ 

There’s SASL going out.

But wait, there’s more

Let’s delete that user, no longer required.

[dan@dev-ingress01:~] $ sudo pw userdel cyrus
[dan@dev-ingress01:~] $ sudo pw groupdel cyrus
pw: unknown group `cyrus'
[dan@dev-ingress01:~] $ 

Why is that not automatic?

  1. You might be upgrade the package, in which case, why delete then add right back in?
  2. You might be using the user for something else, unknown to the package.

Why this came to mind

This issue came to my attention because Nagios is talking about “openldap-client-2.4.59_1 ? orphaned: net/openldap24-client”. See this screen shot:

openldap-client-2.4.59_1 ? orphaned: net/openldap24-client

openldap-client-2.4.59_1 ? orphaned: net/openldap24-client

What’s this orphaned thing? The pkg command has the ability to tell you if an installed package is not available in the repo. Such packages are referred to as orphans. In this blog post I show how I create a Nagios check for this. Knowing that a package is now an orphan is important to me. I don’t want to be surprised come upgrade or reinstall time.

In this case, net/openldap24-client changed its package name from openldap-client to openldap24-client. This isn’t critical in this situation, but it brought to my attention. Hence, the change to compile options.

What’s next?

I will also do this for mysql80-client, which I use on another host, for Bacula regression testing.

In a follow-up post, I hope to outline the how many hosts no longer have this software installed.

Website Pin Facebook Twitter Myspace Friendfeed Technorati del.icio.us Digg Google StumbleUpon Premium Responsive