[PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Harald Seiler]

Currently, when sshd-regen-keys runs dpkg-reconfigure, this
will lead to a call to `systemctl restart ssh`.  This call blocks
forever because of course the sshd-regen-keys unit, which is a
dependency of sshd, hasn't finished at this point and can't do so
because it is waiting as well.

To circumvent this deadlock, this commit changes sshd-regen-keys'
behavior so sshd is first disabled and only reenabled after the
job is done.

Signed-off-by: Harald Seiler <hws@denx.de>
---
 .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
 .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 +++++++++++++++++++
 .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
 3 files changed, 25 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index 3b8231f..a05e1a9 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
 Type=oneshot
 RemainAfterExit=yes
 Environment=DEBIAN_FRONTEND=noninteractive
-ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
+ExecStart=/usr/sbin/sshd-regen-keys.sh
 ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
 StandardOutput=syslog
 StandardError=syslog
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
new file mode 100644
index 0000000..294e8fa
--- /dev/null
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -0,0 +1,19 @@
+#!/usr/bin/env sh
+
+echo -n "SSH server is "
+if systemctl is-enabled ssh; then
+    SSHD_ENABLED="true"
+    systemctl disable --no-reload ssh
+fi
+
+echo "Removing keys ..."
+rm -v /etc/ssh/ssh_host_*_key*
+
+echo "Regenerating keys ..."
+dpkg-reconfigure openssh-server
+
+if test -n $SSHD_ENABLED; then
+    echo "Reenabling ssh server ..."
+    systemctl enable --no-reload ssh
+    systemctl start --no-block ssh
+fi
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
index 02e9e25..6f12414 100644
--- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
+++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
@@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
 DEBIAN_DEPENDS = "openssh-server, systemd"
 
 SRC_URI = "file://postinst \
-           file://sshd-regen-keys.service"
+           file://sshd-regen-keys.service \
+           file://sshd-regen-keys.sh"
 
+do_install[cleandirs] = "${D}/lib/systemd/system \
+                         ${D}/usr/sbin"
 do_install() {
-    install -v -d -m 755 "${D}/lib/systemd/system"
     install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
+    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
 }
-- 
2.14.1

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Claudius Heine]

Hi Harald,

On 13/12/2018 09.56, Harald Seiler wrote:
> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
>   .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>   .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 +++++++++++++++++++
>   .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
>   3 files changed, 25 insertions(+), 3 deletions(-)
>   create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
>   Type=oneshot
>   RemainAfterExit=yes
>   Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh
>   ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>   StandardOutput=syslog
>   StandardError=syslog
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> new file mode 100644
> index 0000000..294e8fa
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,19 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server

Since this is part of 'meta', does it make sense to make the package 
name+service file name configurable from the bitbake configuration or is 
that too much trouble.

> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +    systemctl start --no-block ssh

Should the service be stopped before? Or in other words: Does it make 
sense to differentiate between sshd enabled and started in this script?

So apart from those minor nitpicks/questions, LGTM.

Kind regards,
Claudius

> +fi
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> index 02e9e25..6f12414 100644
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> @@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>   DEBIAN_DEPENDS = "openssh-server, systemd"
>   
>   SRC_URI = "file://postinst \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>   
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>   do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>       install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
>   }
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Harald Seiler]

Hello Claudius,

On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote:
> Hi Harald,
> 
> On 13/12/2018 09.56, Harald Seiler wrote:
> > Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> > will lead to a call to `systemctl restart ssh`.  This call blocks
> > forever because of course the sshd-regen-keys unit, which is a
> > dependency of sshd, hasn't finished at this point and can't do so
> > because it is waiting as well.
> > 
> > To circumvent this deadlock, this commit changes sshd-regen-keys'
> > behavior so sshd is first disabled and only reenabled after the
> > job is done.
> > 
> > Signed-off-by: Harald Seiler <hws@denx.de>
> > ---
> >   .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
> >   .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 +++++++++++++++++++
> >   .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
> >   3 files changed, 25 insertions(+), 3 deletions(-)
> >   create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > 
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index 3b8231f..a05e1a9 100644
> > --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
> >   Type=oneshot
> >   RemainAfterExit=yes
> >   Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
> > +ExecStart=/usr/sbin/sshd-regen-keys.sh
> >   ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> >   StandardOutput=syslog
> >   StandardError=syslog
> > diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > new file mode 100644
> > index 0000000..294e8fa
> > --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > @@ -0,0 +1,19 @@
> > +#!/usr/bin/env sh
> > +
> > +echo -n "SSH server is "
> > +if systemctl is-enabled ssh; then
> > +    SSHD_ENABLED="true"
> > +    systemctl disable --no-reload ssh
> > +fi
> > +
> > +echo "Removing keys ..."
> > +rm -v /etc/ssh/ssh_host_*_key*
> > +
> > +echo "Regenerating keys ..."
> > +dpkg-reconfigure openssh-server
> 
> Since this is part of 'meta', does it make sense to make the package 
> name+service file name configurable from the bitbake configuration or is 
> that too much trouble.
> 

I don't quite understand what you mean, can you please
elaborate on that?

> > +
> > +if test -n $SSHD_ENABLED; then
> > +    echo "Reenabling ssh server ..."
> > +    systemctl enable --no-reload ssh
> > +    systemctl start --no-block ssh
> 
> Should the service be stopped before? Or in other words: Does it make 
> sense to differentiate between sshd enabled and started in this script?

ssh.service is guaranteed to be stopped because it requires
sshd-regen-keys.service to be done before starting.

> So apart from those minor nitpicks/questions, LGTM.
> 
> Kind regards,
> Claudius
> 
> > +fi
> > diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > index 02e9e25..6f12414 100644
> > --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > @@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> >   DEBIAN_DEPENDS = "openssh-server, systemd"
> >   
> >   SRC_URI = "file://postinst \
> > -           file://sshd-regen-keys.service"
> > +           file://sshd-regen-keys.service \
> > +           file://sshd-regen-keys.sh"
> >   
> > +do_install[cleandirs] = "${D}/lib/systemd/system \
> > +                         ${D}/usr/sbin"
> >   do_install() {
> > -    install -v -d -m 755 "${D}/lib/systemd/system"
> >       install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> > +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
> >   }
> > 
> 
> 
-- 
Harald

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-62  Fax: +49-8142-66989-80   Email: hws@denx.de

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Claudius Heine]

Hi,

On 13/12/2018 10.48, Harald Seiler wrote:
> Hello Claudius,
> 
> On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote:
>> Hi Harald,
>>
>> On 13/12/2018 09.56, Harald Seiler wrote:
>>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
>>> will lead to a call to `systemctl restart ssh`.  This call blocks
>>> forever because of course the sshd-regen-keys unit, which is a
>>> dependency of sshd, hasn't finished at this point and can't do so
>>> because it is waiting as well.
>>>
>>> To circumvent this deadlock, this commit changes sshd-regen-keys'
>>> behavior so sshd is first disabled and only reenabled after the
>>> job is done.
>>>
>>> Signed-off-by: Harald Seiler <hws@denx.de>
>>> ---
>>>    .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>>>    .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 +++++++++++++++++++
>>>    .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
>>>    3 files changed, 25 insertions(+), 3 deletions(-)
>>>    create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>>
>>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>> index 3b8231f..a05e1a9 100644
>>> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
>>>    Type=oneshot
>>>    RemainAfterExit=yes
>>>    Environment=DEBIAN_FRONTEND=noninteractive
>>> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
>>> +ExecStart=/usr/sbin/sshd-regen-keys.sh
>>>    ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>>>    StandardOutput=syslog
>>>    StandardError=syslog
>>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>> new file mode 100644
>>> index 0000000..294e8fa
>>> --- /dev/null
>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>> @@ -0,0 +1,19 @@
>>> +#!/usr/bin/env sh
>>> +
>>> +echo -n "SSH server is "
>>> +if systemctl is-enabled ssh; then
>>> +    SSHD_ENABLED="true"
>>> +    systemctl disable --no-reload ssh
>>> +fi
>>> +
>>> +echo "Removing keys ..."
>>> +rm -v /etc/ssh/ssh_host_*_key*
>>> +
>>> +echo "Regenerating keys ..."
>>> +dpkg-reconfigure openssh-server
>>
>> Since this is part of 'meta', does it make sense to make the package
>> name+service file name configurable from the bitbake configuration or is
>> that too much trouble.
>>
> 
> I don't quite understand what you mean, can you please
> elaborate on that?

Basically if those names should be configurable from the isar 
distro/multiconfig etc. E.g. what happens if I decided to use some 
openssh replacement or a different/future debian based distribution?

IIUC ideally `meta` should be distribution independent.

So if that is wanted then we would need to create those files via some 
template mechanism, e.g. envsubst or just sed.

But since sshd-regen-keys already depends on those elsewhere, that point 
might just be out of scope of this patch. So I let you decide. :)

> 
>>> +
>>> +if test -n $SSHD_ENABLED; then
>>> +    echo "Reenabling ssh server ..."
>>> +    systemctl enable --no-reload ssh
>>> +    systemctl start --no-block ssh
>>
>> Should the service be stopped before? Or in other words: Does it make
>> sense to differentiate between sshd enabled and started in this script?
> 
> ssh.service is guaranteed to be stopped because it requires
> sshd-regen-keys.service to be done before starting.

Ok. Make sense. Then its impossible or very difficult to figure out if 
sshd was started but disabled before your script was entered (in which 
case you would have to start it but not enable it).

Claudius

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Jan Kiszka]

On 13.12.18 11:03, [ext] Claudius Heine wrote:
> Hi,
> 
> On 13/12/2018 10.48, Harald Seiler wrote:
>> Hello Claudius,
>>
>> On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote:
>>> Hi Harald,
>>>
>>> On 13/12/2018 09.56, Harald Seiler wrote:
>>>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
>>>> will lead to a call to `systemctl restart ssh`.  This call blocks
>>>> forever because of course the sshd-regen-keys unit, which is a
>>>> dependency of sshd, hasn't finished at this point and can't do so
>>>> because it is waiting as well.
>>>>
>>>> To circumvent this deadlock, this commit changes sshd-regen-keys'
>>>> behavior so sshd is first disabled and only reenabled after the
>>>> job is done.
>>>>
>>>> Signed-off-by: Harald Seiler <hws@denx.de>
>>>> ---
>>>>    .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>>>>    .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 
>>>> +++++++++++++++++++
>>>>    .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
>>>>    3 files changed, 25 insertions(+), 3 deletions(-)
>>>>    create mode 100644 
>>>> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>>>
>>>> diff --git 
>>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service 
>>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>>> index 3b8231f..a05e1a9 100644
>>>> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
>>>>    Type=oneshot
>>>>    RemainAfterExit=yes
>>>>    Environment=DEBIAN_FRONTEND=noninteractive
>>>> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure 
>>>> openssh-server"
>>>> +ExecStart=/usr/sbin/sshd-regen-keys.sh
>>>>    ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>>>>    StandardOutput=syslog
>>>>    StandardError=syslog
>>>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh 
>>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>>> new file mode 100644
>>>> index 0000000..294e8fa
>>>> --- /dev/null
>>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>>> @@ -0,0 +1,19 @@
>>>> +#!/usr/bin/env sh
>>>> +
>>>> +echo -n "SSH server is "
>>>> +if systemctl is-enabled ssh; then
>>>> +    SSHD_ENABLED="true"
>>>> +    systemctl disable --no-reload ssh
>>>> +fi
>>>> +
>>>> +echo "Removing keys ..."
>>>> +rm -v /etc/ssh/ssh_host_*_key*
>>>> +
>>>> +echo "Regenerating keys ..."
>>>> +dpkg-reconfigure openssh-server
>>>
>>> Since this is part of 'meta', does it make sense to make the package
>>> name+service file name configurable from the bitbake configuration or is
>>> that too much trouble.
>>>
>>
>> I don't quite understand what you mean, can you please
>> elaborate on that?
> 
> Basically if those names should be configurable from the isar distro/multiconfig 
> etc. E.g. what happens if I decided to use some openssh replacement or a 
> different/future debian based distribution?
> 
> IIUC ideally `meta` should be distribution independent.
> 
> So if that is wanted then we would need to create those files via some template 
> mechanism, e.g. envsubst or just sed.
> 
> But since sshd-regen-keys already depends on those elsewhere, that point might 
> just be out of scope of this patch. So I let you decide. :)
> 

I agree on the general goal but I think we could be more relaxed at this stage 
/wrt optional support packages like this one. Eventually, we can sort out also 
these kind of dependencies but we will also need proper test cases for such 
abstractions which we lack at this point.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Am Thu, 13 Dec 2018 11:09:14 +0100
schrieb "[ext] Jan Kiszka" <jan.kiszka@siemens.com>:

> On 13.12.18 11:03, [ext] Claudius Heine wrote:
> > Hi,
> > 
> > On 13/12/2018 10.48, Harald Seiler wrote:  
> >> Hello Claudius,
> >>
> >> On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote:  
> >>> Hi Harald,
> >>>
> >>> On 13/12/2018 09.56, Harald Seiler wrote:  
> >>>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> >>>> will lead to a call to `systemctl restart ssh`.  This call blocks
> >>>> forever because of course the sshd-regen-keys unit, which is a
> >>>> dependency of sshd, hasn't finished at this point and can't do so
> >>>> because it is waiting as well.
> >>>>
> >>>> To circumvent this deadlock, this commit changes sshd-regen-keys'
> >>>> behavior so sshd is first disabled and only reenabled after the
> >>>> job is done.
> >>>>
> >>>> Signed-off-by: Harald Seiler <hws@denx.de>
> >>>> ---
> >>>>    .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
> >>>>    .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 
> >>>> +++++++++++++++++++
> >>>>    .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7
> >>>> +++++-- 3 files changed, 25 insertions(+), 3 deletions(-)
> >>>>    create mode 100644 
> >>>> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >>>>
> >>>> diff --git 
> >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service 
> >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >>>> index 3b8231f..a05e1a9 100644
> >>>> ---
> >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >>>> +++
> >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> >>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> >>>> RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> >>>> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> >>>> dpkg-reconfigure openssh-server"
> >>>> +ExecStart=/usr/sbin/sshd-regen-keys.sh
> >>>>    ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> >>>>    StandardOutput=syslog
> >>>>    StandardError=syslog
> >>>> diff --git
> >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >>>> new file mode 100644 index 0000000..294e8fa
> >>>> --- /dev/null
> >>>> +++
> >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> >>>> @@ -0,0 +1,19 @@ +#!/usr/bin/env sh
> >>>> +
> >>>> +echo -n "SSH server is "
> >>>> +if systemctl is-enabled ssh; then
> >>>> +    SSHD_ENABLED="true"
> >>>> +    systemctl disable --no-reload ssh
> >>>> +fi
> >>>> +
> >>>> +echo "Removing keys ..."
> >>>> +rm -v /etc/ssh/ssh_host_*_key*
> >>>> +
> >>>> +echo "Regenerating keys ..."
> >>>> +dpkg-reconfigure openssh-server  
> >>>
> >>> Since this is part of 'meta', does it make sense to make the
> >>> package name+service file name configurable from the bitbake
> >>> configuration or is that too much trouble.
> >>>  
> >>
> >> I don't quite understand what you mean, can you please
> >> elaborate on that?  
> > 
> > Basically if those names should be configurable from the isar
> > distro/multiconfig etc. E.g. what happens if I decided to use some
> > openssh replacement or a different/future debian based distribution?
> > 
> > IIUC ideally `meta` should be distribution independent.
> > 
> > So if that is wanted then we would need to create those files via
> > some template mechanism, e.g. envsubst or just sed.
> > 
> > But since sshd-regen-keys already depends on those elsewhere, that
> > point might just be out of scope of this patch. So I let you
> > decide. :) 
> 
> I agree on the general goal but I think we could be more relaxed at
> this stage /wrt optional support packages like this one. Eventually,
> we can sort out also these kind of dependencies but we will also need
> proper test cases for such abstractions which we lack at this point.

Agreed, and a dropbear or whatever would also potentially store the keys
in another location. Just like we silently assume that systemd is init
we can assume that openssh is the sshd.

Henning

> Jan
> 

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Am Thu, 13 Dec 2018 09:56:58 +0100
schrieb Harald Seiler <hws@denx.de>:

> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
>  .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>  .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19
> +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb
> |  7 +++++-- 3 files changed, 25 insertions(+), 3 deletions(-)
>  create mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> 
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh ExecStartPost=-/bin/systemctl
> disable sshd-regen-keys.service StandardOutput=syslog
> StandardError=syslog diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> file mode 100644 index 0000000..294e8fa --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,19 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server
> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +    systemctl start --no-block ssh

Do we need the start? Is that not in fact taking us into the same
issue? ... i guess that is the "--no-block".

Henning

> +fi
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb index
> 02e9e25..6f12414 100644 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -6,9
> +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> DEBIAN_DEPENDS = "openssh-server, systemd" SRC_URI = "file://postinst
> \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>  
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>  do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" }

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Harald Seiler]

On Thu, 2018-12-13 at 13:46 +0100, Henning Schild wrote:
> Am Thu, 13 Dec 2018 09:56:58 +0100
> schrieb Harald Seiler <hws@denx.de>:
> 
> > Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> > will lead to a call to `systemctl restart ssh`.  This call blocks
> > forever because of course the sshd-regen-keys unit, which is a
> > dependency of sshd, hasn't finished at this point and can't do so
> > because it is waiting as well.
> > 
> > To circumvent this deadlock, this commit changes sshd-regen-keys'
> > behavior so sshd is first disabled and only reenabled after the
> > job is done.
> > 
> > Signed-off-by: Harald Seiler <hws@denx.de>
> > ---
> >  .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
> >  .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19
> > +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb
> > >  7 +++++-- 3 files changed, 25 insertions(+), 3 deletions(-)
> > 
> >  create mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > 
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index 3b8231f..a05e1a9 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> > RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> > dpkg-reconfigure openssh-server"
> > +ExecStart=/usr/sbin/sshd-regen-keys.sh ExecStartPost=-/bin/systemctl
> > disable sshd-regen-keys.service StandardOutput=syslog
> > StandardError=syslog diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> > file mode 100644 index 0000000..294e8fa --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > @@ -0,0 +1,19 @@
> > +#!/usr/bin/env sh
> > +
> > +echo -n "SSH server is "
> > +if systemctl is-enabled ssh; then
> > +    SSHD_ENABLED="true"
> > +    systemctl disable --no-reload ssh
> > +fi
> > +
> > +echo "Removing keys ..."
> > +rm -v /etc/ssh/ssh_host_*_key*
> > +
> > +echo "Regenerating keys ..."
> > +dpkg-reconfigure openssh-server
> > +
> > +if test -n $SSHD_ENABLED; then
> > +    echo "Reenabling ssh server ..."
> > +    systemctl enable --no-reload ssh
> > +    systemctl start --no-block ssh
> 
> Do we need the start? Is that not in fact taking us into the same
> issue? ... i guess that is the "--no-block".

Yes, `systemctl start --no-block` queues the unit for starting
and immediately returns, which prevents us from running into the
same deadlock again.

> Henning
> 
> > +fi
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb index
> > 02e9e25..6f12414 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -6,9
> > +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> > DEBIAN_DEPENDS = "openssh-server, systemd" SRC_URI = "file://postinst
> > \
> > -           file://sshd-regen-keys.service"
> > +           file://sshd-regen-keys.service \
> > +           file://sshd-regen-keys.sh"
> >  
> > +do_install[cleandirs] = "${D}/lib/systemd/system \
> > +                         ${D}/usr/sbin"
> >  do_install() {
> > -    install -v -d -m 755 "${D}/lib/systemd/system"
> >      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd-regen-keys.sh" }
> 
> 
-- 
Harald

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-62  Fax: +49-8142-66989-80   Email: hws@denx.de

Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Am Thu, 13 Dec 2018 14:00:04 +0100
schrieb Harald Seiler <hws@denx.de>:

> On Thu, 2018-12-13 at 13:46 +0100, Henning Schild wrote:
> > Am Thu, 13 Dec 2018 09:56:58 +0100
> > schrieb Harald Seiler <hws@denx.de>:
> >   
> > > Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> > > will lead to a call to `systemctl restart ssh`.  This call blocks
> > > forever because of course the sshd-regen-keys unit, which is a
> > > dependency of sshd, hasn't finished at this point and can't do so
> > > because it is waiting as well.
> > > 
> > > To circumvent this deadlock, this commit changes sshd-regen-keys'
> > > behavior so sshd is first disabled and only reenabled after the
> > > job is done.
> > > 
> > > Signed-off-by: Harald Seiler <hws@denx.de>
> > > ---
> > >  .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
> > >  .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19
> > > +++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb  
> > > >  7 +++++-- 3 files changed, 25 insertions(+), 3 deletions(-)  
> > > 
> > >  create mode 100644
> > > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > > 
> > > diff --git
> > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > > index 3b8231f..a05e1a9 100644 ---
> > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > > +++
> > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > > @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> > > RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> > > -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> > > dpkg-reconfigure openssh-server"
> > > +ExecStart=/usr/sbin/sshd-regen-keys.sh
> > > ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > > StandardOutput=syslog StandardError=syslog diff --git
> > > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > > new file mode 100644 index 0000000..294e8fa --- /dev/null
> > > +++
> > > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > > @@ -0,0 +1,19 @@ +#!/usr/bin/env sh
> > > +
> > > +echo -n "SSH server is "
> > > +if systemctl is-enabled ssh; then
> > > +    SSHD_ENABLED="true"
> > > +    systemctl disable --no-reload ssh
> > > +fi
> > > +
> > > +echo "Removing keys ..."
> > > +rm -v /etc/ssh/ssh_host_*_key*
> > > +
> > > +echo "Regenerating keys ..."
> > > +dpkg-reconfigure openssh-server
> > > +
> > > +if test -n $SSHD_ENABLED; then
> > > +    echo "Reenabling ssh server ..."
> > > +    systemctl enable --no-reload ssh
> > > +    systemctl start --no-block ssh  
> > 
> > Do we need the start? Is that not in fact taking us into the same
> > issue? ... i guess that is the "--no-block".  
> 
> Yes, `systemctl start --no-block` queues the unit for starting
> and immediately returns, which prevents us from running into the
> same deadlock again.

That is what i guessed. But can we not drop that? The unit has to
finish before sshd anyways, so there will be a "start sshd" somewhere
after that point.

Henning

> > Henning
> >   
> > > +fi
> > > diff --git
> > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > > index 02e9e25..6f12414 100644 ---
> > > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> > > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@
> > > -6,9 +6,12 @@ MAINTAINER = "isar-users
> > > <isar-users@googlegroups.com>" DEBIAN_DEPENDS = "openssh-server,
> > > systemd" SRC_URI = "file://postinst \
> > > -           file://sshd-regen-keys.service"
> > > +           file://sshd-regen-keys.service \
> > > +           file://sshd-regen-keys.sh"
> > >  
> > > +do_install[cleandirs] = "${D}/lib/systemd/system \
> > > +                         ${D}/usr/sbin"
> > >  do_install() {
> > > -    install -v -d -m 755 "${D}/lib/systemd/system"
> > >      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > > +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > > "${D}/usr/sbin/sshd-regen-keys.sh" }  
> > 
> >   

[PATCH v2] sshd-regen-keys: Fix sshd deadlock on boot

[Harald Seiler]

Currently, when sshd-regen-keys runs dpkg-reconfigure, this
will lead to a call to `systemctl restart ssh`.  This call blocks
forever because of course the sshd-regen-keys unit, which is a
dependency of sshd, hasn't finished at this point and can't do so
because it is waiting as well.

To circumvent this deadlock, this commit changes sshd-regen-keys'
behavior so sshd is first disabled and only reenabled after the
job is done.

Signed-off-by: Harald Seiler <hws@denx.de>
---
> That is what i guessed. But can we not drop that? The unit has to
> finish before sshd anyways, so there will be a "start sshd" somewhere
> after that point.

I am not certain, however I tested it and it looks like you are right.

Changes for v2:
  - Remove `systemctl start --no-block ssh` call as it looks like
    this is not needed.

 .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
 .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18 ++++++++++++++++++
 .../sshd-regen-keys/sshd-regen-keys_0.1.bb             |  7 +++++--
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index 3b8231f..a05e1a9 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
 Type=oneshot
 RemainAfterExit=yes
 Environment=DEBIAN_FRONTEND=noninteractive
-ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
+ExecStart=/usr/sbin/sshd-regen-keys.sh
 ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
 StandardOutput=syslog
 StandardError=syslog
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
new file mode 100644
index 0000000..11fca3b
--- /dev/null
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+echo -n "SSH server is "
+if systemctl is-enabled ssh; then
+    SSHD_ENABLED="true"
+    systemctl disable --no-reload ssh
+fi
+
+echo "Removing keys ..."
+rm -v /etc/ssh/ssh_host_*_key*
+
+echo "Regenerating keys ..."
+dpkg-reconfigure openssh-server
+
+if test -n $SSHD_ENABLED; then
+    echo "Reenabling ssh server ..."
+    systemctl enable --no-reload ssh
+fi
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
index 02e9e25..6f12414 100644
--- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
+++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
@@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
 DEBIAN_DEPENDS = "openssh-server, systemd"
 
 SRC_URI = "file://postinst \
-           file://sshd-regen-keys.service"
+           file://sshd-regen-keys.service \
+           file://sshd-regen-keys.sh"
 
+do_install[cleandirs] = "${D}/lib/systemd/system \
+                         ${D}/usr/sbin"
 do_install() {
-    install -v -d -m 755 "${D}/lib/systemd/system"
     install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
+    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
 }

-- 
Harald

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-62  Fax: +49-8142-66989-80   Email: hws@denx.de 

Re: [PATCH v2] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Hi,

i am testing this right now and do not assume to find more. But i would
suggest a PV bump, i.e. 0.2.

Henning

Am Wed, 19 Dec 2018 12:43:43 +0100
schrieb Harald Seiler <hws@denx.de>:

> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
> > That is what i guessed. But can we not drop that? The unit has to
> > finish before sshd anyways, so there will be a "start sshd"
> > somewhere after that point.  
> 
> I am not certain, however I tested it and it looks like you are right.
> 
> Changes for v2:
>   - Remove `systemctl start --no-block ssh` call as it looks like
>     this is not needed.
> 
>  .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
>  .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18
> ++++++++++++++++++ .../sshd-regen-keys/sshd-regen-keys_0.1.bb
> |  7 +++++-- 3 files changed, 24 insertions(+), 3 deletions(-)
>  create mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> 
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh ExecStartPost=-/bin/systemctl
> disable sshd-regen-keys.service StandardOutput=syslog
> StandardError=syslog diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> file mode 100644 index 0000000..11fca3b --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,18 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server
> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +fi
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb index
> 02e9e25..6f12414 100644 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb @@ -6,9
> +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> DEBIAN_DEPENDS = "openssh-server, systemd" SRC_URI = "file://postinst
> \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>  
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>  do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" }
> 

[PATCH v3] sshd-regen-keys: Fix sshd deadlock on boot

[Harald Seiler]

Currently, when sshd-regen-keys runs dpkg-reconfigure, this
will lead to a call to `systemctl restart ssh`.  This call blocks
forever because of course the sshd-regen-keys unit, which is a
dependency of sshd, hasn't finished at this point and can't do so
because it is waiting as well.

To circumvent this deadlock, this commit changes sshd-regen-keys'
behavior so sshd is first disabled and only reenabled after the
job is done.

Signed-off-by: Harald Seiler <hws@denx.de>
---
Changes for v2:
  - Remove `systemctl start --no-block ssh` call as it looks like
    this is not needed.

Changes for v3:
  - Bump version number to 0.2

 .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
 .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18 ++++++++++++++++++
 .../{sshd-regen-keys_0.1.bb => sshd-regen-keys_0.2.bb} |  7 +++++--
 3 files changed, 24 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
 rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.1.bb => sshd-regen-keys_0.2.bb} (58%)

diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
index 3b8231f..a05e1a9 100644
--- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
@@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
 Type=oneshot
 RemainAfterExit=yes
 Environment=DEBIAN_FRONTEND=noninteractive
-ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
+ExecStart=/usr/sbin/sshd-regen-keys.sh
 ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
 StandardOutput=syslog
 StandardError=syslog
diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
new file mode 100644
index 0000000..11fca3b
--- /dev/null
+++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env sh
+
+echo -n "SSH server is "
+if systemctl is-enabled ssh; then
+    SSHD_ENABLED="true"
+    systemctl disable --no-reload ssh
+fi
+
+echo "Removing keys ..."
+rm -v /etc/ssh/ssh_host_*_key*
+
+echo "Regenerating keys ..."
+dpkg-reconfigure openssh-server
+
+if test -n $SSHD_ENABLED; then
+    echo "Reenabling ssh server ..."
+    systemctl enable --no-reload ssh
+fi
diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
similarity index 58%
rename from meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
rename to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
index 02e9e25..6f12414 100644
--- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
+++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
@@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
 DEBIAN_DEPENDS = "openssh-server, systemd"
 
 SRC_URI = "file://postinst \
-           file://sshd-regen-keys.service"
+           file://sshd-regen-keys.service \
+           file://sshd-regen-keys.sh"
 
+do_install[cleandirs] = "${D}/lib/systemd/system \
+                         ${D}/usr/sbin"
 do_install() {
-    install -v -d -m 755 "${D}/lib/systemd/system"
     install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
+    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
 }

-- 
Harald

DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: +49-8142-66989-62  Fax: +49-8142-66989-80   Email: hws@denx.de 

Re: [PATCH v3] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

LGTM, and tests succeeded as expected.

Henning

Am Wed, 19 Dec 2018 14:54:04 +0100
schrieb Harald Seiler <hws@denx.de>:

> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
> Changes for v2:
>   - Remove `systemctl start --no-block ssh` call as it looks like
>     this is not needed.
> 
> Changes for v3:
>   - Bump version number to 0.2
> 
>  .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
>  .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18
> ++++++++++++++++++ .../{sshd-regen-keys_0.1.bb =>
> sshd-regen-keys_0.2.bb} |  7 +++++-- 3 files changed, 24
> insertions(+), 3 deletions(-) create mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh rename
> meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.1.bb =>
> sshd-regen-keys_0.2.bb} (58%)
> 
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh ExecStartPost=-/bin/systemctl
> disable sshd-regen-keys.service StandardOutput=syslog
> StandardError=syslog diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> file mode 100644 index 0000000..11fca3b --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,18 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server
> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +fi
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> similarity index 58% rename from
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb rename to
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb index
> 02e9e25..6f12414 100644 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb @@ -6,9
> +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> DEBIAN_DEPENDS = "openssh-server, systemd" SRC_URI = "file://postinst
> \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>  
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>  do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" }
> 

Re: [PATCH v3] sshd-regen-keys: Fix sshd deadlock on boot

[Maxim Yu. Osipov]

On 12/19/18 4:54 PM, Harald Seiler wrote:
> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.


Applied to the 'next',


Thanks,
Maxim.


> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
> Changes for v2:
>    - Remove `systemctl start --no-block ssh` call as it looks like
>      this is not needed.
> 
> Changes for v3:
>    - Bump version number to 0.2
> 
>   .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
>   .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18 ++++++++++++++++++
>   .../{sshd-regen-keys_0.1.bb => sshd-regen-keys_0.2.bb} |  7 +++++--
>   3 files changed, 24 insertions(+), 3 deletions(-)
>   create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>   rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.1.bb => sshd-regen-keys_0.2.bb} (58%)
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
>   Type=oneshot
>   RemainAfterExit=yes
>   Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh
>   ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>   StandardOutput=syslog
>   StandardError=syslog
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> new file mode 100644
> index 0000000..11fca3b
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,18 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server
> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +fi
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> similarity index 58%
> rename from meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> rename to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> index 02e9e25..6f12414 100644
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> @@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>   DEBIAN_DEPENDS = "openssh-server, systemd"
>   
>   SRC_URI = "file://postinst \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>   
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>   do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>       install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
>   }
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov

Re: [PATCH v3] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Looking at the recent rootfs postprocessing scripts and how we stop
putting magic into install hooks i thought about this one again.

This is all nice but it does not solve the real problem. You have to be
aware that you get the ssh key problem when building and later
deploying a debian like we do. Once you are aware you might discover
this handy package.

I think we should have bitbake magic that installs this package as soon
as sshd gets installed. Which could be tricky if sshd gets pulled as
dep ...

Henning

Am Wed, 19 Dec 2018 14:54:04 +0100
schrieb Harald Seiler <hws@denx.de>:

> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
> Changes for v2:
>   - Remove `systemctl start --no-block ssh` call as it looks like
>     this is not needed.
> 
> Changes for v3:
>   - Bump version number to 0.2
> 
>  .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
>  .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18
> ++++++++++++++++++ .../{sshd-regen-keys_0.1.bb =>
> sshd-regen-keys_0.2.bb} |  7 +++++-- 3 files changed, 24
> insertions(+), 3 deletions(-) create mode 100644
> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh rename
> meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.1.bb =>
> sshd-regen-keys_0.2.bb} (58%)
> 
> diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644 ---
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh ExecStartPost=-/bin/systemctl
> disable sshd-regen-keys.service StandardOutput=syslog
> StandardError=syslog diff --git
> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> file mode 100644 index 0000000..11fca3b --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,18 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server
> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +fi
> diff --git
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> similarity index 58% rename from
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb rename to
> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb index
> 02e9e25..6f12414 100644 ---
> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb @@ -6,9
> +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
> DEBIAN_DEPENDS = "openssh-server, systemd" SRC_URI = "file://postinst
> \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>  
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>  do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> "${D}/usr/sbin/sshd-regen-keys.sh" }
> 

Re: [PATCH v3] sshd-regen-keys: Fix sshd deadlock on boot

[Henning Schild]

Am Tue, 28 May 2019 20:25:11 +0200
schrieb "[ext] Henning Schild" <henning.schild@siemens.com>:

> Looking at the recent rootfs postprocessing scripts and how we stop
> putting magic into install hooks i thought about this one again.
> 
> This is all nice but it does not solve the real problem. You have to
> be aware that you get the ssh key problem when building and later
> deploying a debian like we do. Once you are aware you might discover
> this handy package.
> 
> I think we should have bitbake magic that installs this package as
> soon as sshd gets installed. Which could be tricky if sshd gets
> pulled as dep ...

The probably most lighweight way will be to bbwarn in a postprocess if
sshd installed and sshd-regen-keys is not. I will send a patch.

Henning

> Henning
> 
> Am Wed, 19 Dec 2018 14:54:04 +0100
> schrieb Harald Seiler <hws@denx.de>:
> 
> > Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> > will lead to a call to `systemctl restart ssh`.  This call blocks
> > forever because of course the sshd-regen-keys unit, which is a
> > dependency of sshd, hasn't finished at this point and can't do so
> > because it is waiting as well.
> > 
> > To circumvent this deadlock, this commit changes sshd-regen-keys'
> > behavior so sshd is first disabled and only reenabled after the
> > job is done.
> > 
> > Signed-off-by: Harald Seiler <hws@denx.de>
> > ---
> > Changes for v2:
> >   - Remove `systemctl start --no-block ssh` call as it looks like
> >     this is not needed.
> > 
> > Changes for v3:
> >   - Bump version number to 0.2
> > 
> >  .../sshd-regen-keys/files/sshd-regen-keys.service      |  2 +-
> >  .../sshd-regen-keys/files/sshd-regen-keys.sh           | 18
> > ++++++++++++++++++ .../{sshd-regen-keys_0.1.bb =>
> > sshd-regen-keys_0.2.bb} |  7 +++++-- 3 files changed, 24
> > insertions(+), 3 deletions(-) create mode 100644
> > meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh rename
> > meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.1.bb =>
> > sshd-regen-keys_0.2.bb} (58%)
> > 
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > index 3b8231f..a05e1a9 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > +++
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> > @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc Type=oneshot
> > RemainAfterExit=yes Environment=DEBIAN_FRONTEND=noninteractive
> > -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*;
> > dpkg-reconfigure openssh-server"
> > +ExecStart=/usr/sbin/sshd-regen-keys.sh
> > ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
> > StandardOutput=syslog StandardError=syslog diff --git
> > a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh new
> > file mode 100644 index 0000000..11fca3b --- /dev/null
> > +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> > @@ -0,0 +1,18 @@
> > +#!/usr/bin/env sh
> > +
> > +echo -n "SSH server is "
> > +if systemctl is-enabled ssh; then
> > +    SSHD_ENABLED="true"
> > +    systemctl disable --no-reload ssh
> > +fi
> > +
> > +echo "Removing keys ..."
> > +rm -v /etc/ssh/ssh_host_*_key*
> > +
> > +echo "Regenerating keys ..."
> > +dpkg-reconfigure openssh-server
> > +
> > +if test -n $SSHD_ENABLED; then
> > +    echo "Reenabling ssh server ..."
> > +    systemctl enable --no-reload ssh
> > +fi
> > diff --git
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb
> > similarity index 58% rename from
> > meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb rename
> > to meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb index
> > 02e9e25..6f12414 100644 ---
> > a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb +++
> > b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.2.bb @@
> > -6,9 +6,12 @@ MAINTAINER = "isar-users
> > <isar-users@googlegroups.com>" DEBIAN_DEPENDS = "openssh-server,
> > systemd" SRC_URI = "file://postinst \
> > -           file://sshd-regen-keys.service"
> > +           file://sshd-regen-keys.service \
> > +           file://sshd-regen-keys.sh"
> >  
> > +do_install[cleandirs] = "${D}/lib/systemd/system \
> > +                         ${D}/usr/sbin"
> >  do_install() {
> > -    install -v -d -m 755 "${D}/lib/systemd/system"
> >      install -v -m 644 "${WORKDIR}/sshd-regen-keys.service"
> > "${D}/lib/systemd/system/sshd-regen-keys.service"
> > +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh"
> > "${D}/usr/sbin/sshd-regen-keys.sh" }
> >   
>