From: Henning Schild
To: isar-users@googlegroups.com
Cc: Baurzhan Ismagulov, Alexander Smirnov, Henning Schild
Subject: [PATCH] images: wic: limit use of sudo and enable manual call again
Date: Thu, 1 Feb 2018 13:41:06 +0100
Message-Id: <20180201124106.29397-1-henning.schild@siemens.com>

Issues:
1. after the wic rework wic was called under a big sudo
2. and calling it manually - like stated in the doc - did not work anymore

Impact:
This patch solves both issues. Just like before sudo is only used for "du" and "mkfs". And by applying some tricks and wrapping we now can call "isar-wic" just like "wic" before.

Signed-off-by: Henning Schild --- doc/user_manual.md | 4 +-- meta/classes/wic-img.bbclass | 6 ++-- meta/recipes-devtools/wic-tools/wic-tools.bb | 4 +++ scripts/isar-wic | 27 ++++++++++++++ scripts/isar-wic-handler | 53 ++++++++++++++++++++++++++++ scripts/wic_fakeroot | 37 ------------------- 6 files changed, 90 insertions(+), 41 deletions(-) create mode 100644 meta/recipes-devtools/wic-tools/wic-tools.bb create mode 100755 scripts/isar-wic create mode 100755 scripts/isar-wic-handler delete mode 100755 scripts/wic_fakeroot diff --git a/doc/user_manual.md b/doc/user_manual.md index 969f6d2..e9284a0 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -208,9 +208,9 @@ Once the image artifacts have been built (c.f. previous section), full EFI disk Currently, only the `i386` and `amd64` target architectures are supported: ``` # Generate an EFI image for the `i386` target architecture - $ wic create -D sdimage-efi -o . -e multiconfig:qemui386-stretch:isar-image-base + $ isar-wic create -D sdimage-efi -o . -e multiconfig:qemui386-stretch:isar-image-base # Similarly, for the `amd64` target architecture - $ wic create -D sdimage-efi -o . -e multiconfig:qemuamd64-stretch:isar-image-base + $ isar-wic create -D sdimage-efi -o . -e multiconfig:qemuamd64-stretch:isar-image-base ``` In order to run the images with `qemu`, an EFI firmware is required and available at the following address: diff --git a/meta/classes/wic-img.bbclass b/meta/classes/wic-img.bbclass index e8d2678..d4afde6 100644 --- a/meta/classes/wic-img.bbclass +++ b/meta/classes/wic-img.bbclass @@ -14,7 +14,7 @@ STAGING_DATADIR ?= "/usr/share/" STAGING_LIBDIR ?= "/usr/lib/" STAGING_DIR ?= "${TMPDIR}" IMAGE_BASENAME ?= "multiconfig:${MACHINE}-${DISTRO}:${PN}" -FAKEROOTCMD ?= "wic_fakeroot" +FAKEROOTCMD ?= "/builder/isar/scripts/isar-wic-handler" RECIPE_SYSROOT_NATIVE ?= "/" do_wic_image[stamp-extra-info] = "${DISTRO}-${MACHINE}" 
@@ -57,8 +57,10 @@ do_rootfs_wicenv[prefuncs] = 'set_image_size' do_wic_image() { export BUILDDIR="${BUILDDIR}" + export FAKEROOTCMD="${FAKEROOTCMD}" + export TMPDIR="${TMPDIR}" - sudo -E PATH="$PATH:/builder/isar/bitbake/bin:/builder/isar/scripts" /builder/isar/scripts/wic create ${WKS_FILE} --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -o ${DEPLOY_DIR_IMAGE} -e ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS} + isar-wic create ${WKS_FILE} --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -o ${DEPLOY_DIR_IMAGE} -e ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS} } addtask wic_image before do_build after do_copy_boot_files diff --git a/meta/recipes-devtools/wic-tools/wic-tools.bb b/meta/recipes-devtools/wic-tools/wic-tools.bb new file mode 100644 index 0000000..50ba664 --- /dev/null +++ b/meta/recipes-devtools/wic-tools/wic-tools.bb @@ -0,0 +1,4 @@ +# This software is a part of ISAR. +# Copyright (C) 2018 Siemens AG +# This is just a dummy because wic might call "bitbake -e wic-tools" to learn wic variables +inherit wic-img diff --git a/scripts/isar-wic b/scripts/isar-wic new file mode 100755 index 0000000..4e4d0dd --- /dev/null +++ b/scripts/isar-wic @@ -0,0 +1,27 @@ +#!/bin/sh +# +# This script is a wrapper to wic that prepares everything for Isar specific +# needs. +# +# This software is a part of Isar. +# Copyright (C) 2018 Siemens AG + +set -e + +[ -z $FAKEROOTCMD ] && FAKEROOTCMD="/builder/isar/scripts/isar-wic-handler" +[ -z $TMPDIR ] && TMPDIR=$( mktemp -d ) + +export MTOOLS_SKIP_CHECK=1 + +# Play a dirty trick to redirect "du" and "mkfs.*" to FAKEROOTCMD +TRICK_SYSROOT="${TMPDIR}/trick_wic_sysroot/" +mkdir -p ${TRICK_SYSROOT}/sbin +mkdir -p ${TRICK_SYSROOT}/usr/bin +for fstype in btrfs ext2 ext3 ext4 vfat; do + ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/sbin/mkfs.${fstype} +done +ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/usr/bin/du + +export PATH="${TRICK_SYSROOT}/sbin:${TRICK_SYSROOT}/usr/sbin:${TRICK_SYSROOT}/usr/bin:${PATH}" + +exec wic $@ 
diff --git a/scripts/isar-wic-handler b/scripts/isar-wic-handler new file mode 100755 index 0000000..01fe4fe --- /dev/null +++ b/scripts/isar-wic-handler @@ -0,0 +1,53 @@ +#!/usr/bin/env python3 +# +# This script is used to handle Isar specifics in wic without having to change +# wic. It is called in two cases: +# 1. if wic calls exec_native_cmd with pseudo != "" +# 2. if wic calls exec_cmd on one of our trick symlinks +# +# This software is a part of Isar. +# Copyright (C) 2018 Siemens AG +# +import os +import sys +import shutil +import subprocess + +use_sudo = False +native = False + +args = sys.argv +args[0] = os.path.basename(args[0]) + +# first thing we do is remove the PATH hack that took us here +os.environ['PATH'] = ':'.join(os.environ['PATH'].split(':')[3:]) + +if args[0] == 'isar-wic-handler': + native = True + args.pop(0) + +# run only "mkfs.*" and "du" with sudo, in "exec_native_cmd" and "exec_cmd" +if (args[0].startswith('mkfs.') or args[0] == 'du'): + use_sudo = True +else: + if not native: + print('ERROR: wic_fakeroot cmd "%s" not supported in non-native mode.' + % args[0], file=sys.stderr) + sys.exit(1) + +cmd = args[0] +args.pop(0) + +# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before affected) +# treat 1 as safe ... the filesystem was successfully repaired and is OK +if cmd.startswith('fsck.'): + ret = subprocess.call([cmd] + args) + if ret == 0 or ret == 1: + sys.exit(0) + sys.exit(ret) + +if use_sudo: + args = ['-E', 'PATH="%s"' % os.environ['PATH'], cmd ] + args + cmd = 'sudo' + +os.execv(shutil.which(cmd), args) diff --git a/scripts/wic_fakeroot b/scripts/wic_fakeroot deleted file mode 100755 index 9e01c38..0000000 --- a/scripts/wic_fakeroot +++ /dev/null 
@@ -1,37 +0,0 @@ -#!/usr/bin/env python3 -# -# wic needs a FAKEROOT cmd to run, the default is pseudo. In Isar we do/can not -# use pseudo. And we call wic as root to begin with, so this script could be a -# dummy doing nothing. It is almost a dummy ... -# -# If the fsck hack ever becomes obsolete, FAKEROOTCMD ?= "true;" can be used -# -# This software is a part of Isar. -# Copyright (C) 2018 Siemens AG -# -import os -import sys -import shutil -import subprocess - -args = sys.argv -args.pop(0) -cmd = args[0] - -# expect to be running as root -# we could loosen that and execv(sudo, args) but even some early -# "du"s fail, which do not use the fakeroot-wrapper -# i.e. in wics partition.py the "du -ks" fails on -# var/cache/apt/archives/partial -# rootfs/root ... -assert 'root' == os.environ["USER"] - -# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before affected) -# treat 1 as safe ... the filesystem was successfully repaired and is OK -if cmd.startswith('fsck.'): - ret = subprocess.call(args) - if ret == 0 or ret == 1: - sys.exit(0) - sys.exit(ret) - -os.execv(shutil.which(cmd), args) -- 2.13.6
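Review bot: The two updated commands in doc/user_manual.md assume that `isar-wic` is on PATH and that the default handler path `/builder/isar/scripts/isar-wic-handler` exists on the machine where the user types them, and the manual says neither. Add a sentence on where the wrapper lives and how to set FAKEROOTCMD for other layouts, and mention that the caller now needs sudo rights for `du` and `mkfs.*`, since the wrapper invokes sudo itself instead of being run under it.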
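Review bot: In do_wic_image (meta/classes/wic-img.bbclass) the new call is a bare `isar-wic`, while the removed line put `/builder/isar/scripts` on PATH explicitly and FAKEROOTCMD is still given as an absolute path, so the task now depends on whatever PATH the task environment happens to have. Call the wrapper by the same absolute path as the handler, or derive both from one variable; the `/builder/isar/scripts/isar-wic-handler` default is also duplicated in scripts/isar-wic. Exporting `TMPDIR="${TMPDIR}"` additionally means every image task places its trick sysroot at the same `${TMPDIR}/trick_wic_sysroot/` location, which is worth a comment.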
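Review bot: In scripts/isar-wic, `exec wic $@` and the tests `[ -z $FAKEROOTCMD ]` and `[ -z $TMPDIR ]` expand unquoted, so arguments or paths containing spaces get split; use `exec wic "$@"` and quote the variables, including the `mkdir -p` and `ln -sf` operands. The PATH export prepends three entries, one of which (`${TRICK_SYSROOT}/usr/sbin`) is never created, and isar-wic-handler undoes the export by dropping exactly three entries with `split(':')[3:]`; that count-based coupling should be documented in both files or replaced by removing entries that start with the trick sysroot path. When TMPDIR is inherited from the environment, `${TMPDIR}/trick_wic_sysroot/` is a fixed name in a possibly shared directory and its contents sit first in PATH for everything wic runs, so a private `mktemp -d` directory for the trick sysroot in every case would be safer. The directory created by `mktemp -d` is never removed, because the script ends in `exec`.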
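Review bot: In scripts/isar-wic-handler the final `os.execv(shutil.which(cmd), args)` is given a list that no longer starts with the program name, because `cmd` was popped from `args` a few lines earlier. os.execv uses the first element as argv[0], so in the sudo branch `-E` becomes sudo's argv[0] and is never parsed as an option, and in the native non-sudo branch the first real argument of the command is lost. Build the list as `[cmd] + args`, and `['sudo', '-E', ...]` for the sudo case, as the fsck branch already does with `subprocess.call([cmd] + args)`. In the same branch, `'PATH="%s"'` puts literal double quotes into the value, since no shell is involved to strip them. The check `args[0].startswith('mkfs.')` lets any program with that prefix found on the caller's PATH run under sudo; matching against the filesystem types that isar-wic links (btrfs, ext2, ext3, ext4, vfat) would keep the sudo surface to the "du" and "mkfs" the commit message names. `shutil.which(cmd)` can return None, which deserves an explicit error, and the error text still says wic_fakeroot.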