public inbox for isar-users@googlegroups.com
From: Henning Schild <henning.schild@siemens.com>
To: <isar-users@googlegroups.com>
Cc: Baurzhan Ismagulov <ibr@radix50.net>,
	Alexander Smirnov <asmirnov@ilbers.de>
Subject: Re: [PATCH] images: wic: limit use of sudo and enable manual call again
Date: Thu, 1 Feb 2018 13:44:59 +0100
Message-ID: <20180201134459.319ab24f@mmd1pvb1c.ad001.siemens.net>
In-Reply-To: <20180201124106.29397-1-henning.schild@siemens.com>

This patch addresses the two main issues found in the reviews. The big
"sudo" and the broken "call it manually". The latter one is not fully
solved because users will have to call "isar-wic" instead of "wic".

I would even suggest to not fold this into the series and apply it on
top. It kind of shows some of the hacks required to wrap an unmodified
wic. The patch cleanly applies on top of the series I posted so far.

Henning

On Thu, 1 Feb 2018 13:41:06 +0100,
Henning Schild <henning.schild@siemens.com> wrote:

> Issues:
>   1. after the wic rework wic was called under a big sudo
>   2. and calling it manually - like stated in the doc - did not work
>      anymore
> 
> Impact:
>   This patch solves both issues. Just like before sudo is only used
> for "du" and "mkfs". And by applying some tricks and wrapping we now
> can call "isar-wic" just like "wic" before.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  doc/user_manual.md                           |  4 +--
>  meta/classes/wic-img.bbclass                 |  6 ++--
>  meta/recipes-devtools/wic-tools/wic-tools.bb |  4 +++
>  scripts/isar-wic                             | 27 ++++++++++++++
>  scripts/isar-wic-handler                     | 53
> ++++++++++++++++++++++++++++
> scripts/wic_fakeroot                         | 37 -------------------
> 6 files changed, 90 insertions(+), 41 deletions(-) create mode 100644
> meta/recipes-devtools/wic-tools/wic-tools.bb create mode 100755
> scripts/isar-wic create mode 100755 scripts/isar-wic-handler
>  delete mode 100755 scripts/wic_fakeroot
> 
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index 969f6d2..e9284a0 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -208,9 +208,9 @@ Once the image artifacts have been built (c.f.
> previous section), full EFI disk Currently, only the `i386` and
> `amd64` target architectures are supported: ```
>   # Generate an EFI image for the `i386` target architecture
> - $ wic create -D sdimage-efi -o . -e
> multiconfig:qemui386-stretch:isar-image-base
> + $ isar-wic create -D sdimage-efi -o . -e
> multiconfig:qemui386-stretch:isar-image-base # Similarly, for the
> `amd64` target architecture
> - $ wic create -D sdimage-efi -o . -e
> multiconfig:qemuamd64-stretch:isar-image-base
> + $ isar-wic create -D sdimage-efi -o . -e
> multiconfig:qemuamd64-stretch:isar-image-base ```
>  
>  In order to run the images with `qemu`, an EFI firmware is required
> and available at the following address: diff --git
> a/meta/classes/wic-img.bbclass b/meta/classes/wic-img.bbclass index
> e8d2678..d4afde6 100644 --- a/meta/classes/wic-img.bbclass
> +++ b/meta/classes/wic-img.bbclass
> @@ -14,7 +14,7 @@ STAGING_DATADIR ?= "/usr/share/"
>  STAGING_LIBDIR ?= "/usr/lib/"
>  STAGING_DIR ?= "${TMPDIR}"
>  IMAGE_BASENAME ?= "multiconfig:${MACHINE}-${DISTRO}:${PN}"
> -FAKEROOTCMD ?= "wic_fakeroot"
> +FAKEROOTCMD ?= "/builder/isar/scripts/isar-wic-handler"
>  RECIPE_SYSROOT_NATIVE ?= "/"
>  
>  do_wic_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
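
Review bot: The new FAKEROOTCMD default hard-codes the absolute path /builder/isar/scripts/isar-wic-handler, where the old value wic_fakeroot was a bare name resolved through PATH. The same literal is repeated as the fallback in scripts/isar-wic, so a checkout that does not live under /builder/isar breaks in two places. Consider keeping a bare name and relying on PATH, or deriving the path from one variable so there is a single place to change.
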
> @@ -57,8 +57,10 @@ do_rootfs_wicenv[prefuncs] = 'set_image_size'
>  
>  do_wic_image() {
>      export BUILDDIR="${BUILDDIR}"
> +    export FAKEROOTCMD="${FAKEROOTCMD}"
> +    export TMPDIR="${TMPDIR}"
>  
> -    sudo -E
> PATH="$PATH:/builder/isar/bitbake/bin:/builder/isar/scripts" /builder/isar/scripts/wic
> create ${WKS_FILE} --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -o
> ${DEPLOY_DIR_IMAGE} -e ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS}
> +    isar-wic create ${WKS_FILE} --vars
> "${STAGING_DIR}/${MACHINE}/imgdata/" -o ${DEPLOY_DIR_IMAGE} -e
> ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS} } 
>  addtask wic_image before do_build after do_copy_boot_files
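
Review bot: The replacement call in do_wic_image no longer sets PATH, while the removed line added /builder/isar/bitbake/bin and /builder/isar/scripts explicitly before running wic. isar-wic only prepends the trick sysroot directories and then ends in "exec wic $@", so both isar-wic and wic now have to be found on the PATH the task inherits. Please say in the commit message where that PATH comes from, or keep the explicit PATH assignment in front of the isar-wic call.
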
> diff --git a/meta/recipes-devtools/wic-tools/wic-tools.bb
> b/meta/recipes-devtools/wic-tools/wic-tools.bb new file mode 100644
> index 0000000..50ba664
> --- /dev/null
> +++ b/meta/recipes-devtools/wic-tools/wic-tools.bb
> @@ -0,0 +1,4 @@
> +# This software is a part of ISAR.
> +# Copyright (C) 2018 Siemens AG
> +# This is just a dummy  because wic might call "bitbake -e
> wic-tools" to learn wic variables +inherit wic-img
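
Review bot: The dummy recipe inherits wic-img wholesale, and that class contains "addtask wic_image before do_build", so wic-tools picks up the image task along with the variables. If the recipe exists only so that "bitbake -e wic-tools" can print wic variables, the comment should name which variables are needed, and it is worth checking whether the task should be kept out of this recipe's build.
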
> diff --git a/scripts/isar-wic b/scripts/isar-wic
> new file mode 100755
> index 0000000..4e4d0dd
> --- /dev/null
> +++ b/scripts/isar-wic
> @@ -0,0 +1,27 @@
> +#!/bin/sh
> +#
> +# This script is a wrapper to wic that prepares everything for Isar
> specific +# needs.
> +#
> +# This software is a part of Isar.
> +# Copyright (C) 2018 Siemens AG
> +
> +set -e
> +
> +[ -z $FAKEROOTCMD ] &&
> FAKEROOTCMD="/builder/isar/scripts/isar-wic-handler" +[ -z $TMPDIR ]
> && TMPDIR=$( mktemp -d ) +
> +export MTOOLS_SKIP_CHECK=1
> +
> +# Play a dirty trick to redirect "du" and "mkfs.*" to FAKEROOTCMD
> +TRICK_SYSROOT="${TMPDIR}/trick_wic_sysroot/"
> +mkdir -p ${TRICK_SYSROOT}/sbin
> +mkdir -p ${TRICK_SYSROOT}/usr/bin
> +for fstype in btrfs ext2 ext3 ext4 vfat; do
> +  ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/sbin/mkfs.${fstype}
> +done
> +ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/usr/bin/du
> +
> +export
> PATH="${TRICK_SYSROOT}/sbin:${TRICK_SYSROOT}/usr/sbin:${TRICK_SYSROOT}/usr/bin:${PATH}"
> + +exec wic $@
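
Review bot: When TMPDIR is already set in the caller's environment, TRICK_SYSROOT becomes the fixed name ${TMPDIR}/trick_wic_sysroot/, and "mkdir -p" accepts a directory that already exists. That directory is then put at the front of PATH for wic and everything it runs, so with TMPDIR pointing at a shared location its contents are not guaranteed to be ours. Create the sysroot with "mktemp -d" in every case and remove it on exit, which the final exec currently prevents. Separately, $FAKEROOTCMD, $TMPDIR and $@ are unquoted ("$@" is needed for arguments containing spaces), and PATH lists ${TRICK_SYSROOT}/usr/sbin although that directory is never created.
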
> diff --git a/scripts/isar-wic-handler b/scripts/isar-wic-handler
> new file mode 100755
> index 0000000..01fe4fe
> --- /dev/null
> +++ b/scripts/isar-wic-handler
> @@ -0,0 +1,53 @@
> +#!/usr/bin/env python3
> +#
> +# This script is used to handle Isar specifics in wic without having
> to change +# wic. It is called in two cases:
> +#  1. if wic calls exec_native_cmd with pseudo != ""
> +#  2. if wic calls exec_cmd on one of our trick symlinks
> +#
> +# This software is a part of Isar.
> +# Copyright (C) 2018 Siemens AG
> +#
> +import os
> +import sys
> +import shutil
> +import subprocess
> +
> +use_sudo = False
> +native = False
> +
> +args = sys.argv
> +args[0] = os.path.basename(args[0])
> +
> +# first thing we do is remove the PATH hack that took us here
> +os.environ['PATH'] = ':'.join(os.environ['PATH'].split(':')[3:])
> +
> +if args[0] == 'isar-wic-handler':
> +    native = True
> +    args.pop(0)
> +
> +# run only "mkfs.*" and "du" with sudo, in "exec_native_cmd" and
> "exec_cmd" +if (args[0].startswith('mkfs.') or args[0] == 'du'):
> +    use_sudo = True
> +else:
> +    if not native:
> +        print('ERROR: wic_fakeroot cmd "%s" not supported in
> non-native mode.'
> +              % args[0], file=sys.stderr)
> +        sys.exit(1)
> +
> +cmd = args[0]
> +args.pop(0)
> +
> +# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before
> affected) +# treat 1 as safe ... the filesystem was successfully
> repaired and is OK +if cmd.startswith('fsck.'):
> +    ret = subprocess.call([cmd] + args)
> +    if ret == 0 or ret == 1:
> +        sys.exit(0)
> +    sys.exit(ret)
> +
> +if use_sudo:
> +    args = ['-E', 'PATH="%s"' % os.environ['PATH'], cmd ] + args
> +    cmd = 'sudo'
> +
> +os.execv(shutil.which(cmd), args)
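
Review bot: The final os.execv(shutil.which(cmd), args) passes an argv whose first element is not the program name, because cmd was popped from args a few lines earlier. In the sudo branch argv[0] becomes '-E', so sudo never parses it as an option; in the native non-sudo branch the first real argument is consumed as argv[0] and lost. The deleted wic_fakeroot kept cmd in args; use os.execv(shutil.which(cmd), [cmd] + args) here. Also, 'PATH="%s"' puts literal double quotes into the value because no shell strips them, the PATH trim with [3:] assumes the script is always reached through isar-wic, and the error text still says wic_fakeroot.
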
> diff --git a/scripts/wic_fakeroot b/scripts/wic_fakeroot
> deleted file mode 100755
> index 9e01c38..0000000
> --- a/scripts/wic_fakeroot
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -#!/usr/bin/env python3
> -#
> -# wic needs a FAKEROOT cmd to run, the default is pseudo. In Isar we
> do/can not -# use pseudo. And we call wic as root to begin with, so
> this script could be a -# dummy doing nothing. It is almost a
> dummy ... -#
> -# If the fsck hack ever becomes obsolete, FAKEROOTCMD ?= "true;" can
> be used -#
> -# This software is a part of Isar.
> -# Copyright (C) 2018 Siemens AG
> -#
> -import os
> -import sys
> -import shutil
> -import subprocess
> -
> -args = sys.argv
> -args.pop(0)
> -cmd = args[0]
> -
> -# expect to be running as root
> -# we could loosen that and execv(sudo, args) but even some early
> -# "du"s fail, which do not use the fakeroot-wrapper
> -#  i.e. in wics partition.py the "du -ks" fails on
> -#    var/cache/apt/archives/partial
> -#    rootfs/root ...
> -assert 'root' == os.environ["USER"]
> -
> -# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before
> affected) -# treat 1 as safe ... the filesystem was successfully
> repaired and is OK -if cmd.startswith('fsck.'):
> -    ret = subprocess.call(args)
> -    if ret == 0 or ret == 1:
> -        sys.exit(0)
> -    sys.exit(ret)
> -
> -os.execv(shutil.which(cmd), args)

