From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6517147827419742208
X-Received: by 10.46.68.24 with SMTP id r24mr1019132lja.5.1517489101764;
        Thu, 01 Feb 2018 04:45:01 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 10.25.125.135 with SMTP id y129ls1085212lfc.16.gmail; Thu, 01 Feb
 2018 04:45:01 -0800 (PST)
X-Google-Smtp-Source: AH8x226ed6BwXTXmeTlG+T8LU5oIAKAlZnfK3fSkA7a4XbtHbIh7nvDVdGxDGQ7ppnNDd7rwOYMu
X-Received: by 10.25.205.202 with SMTP id d193mr2643926lfg.16.1517489101182;
        Thu, 01 Feb 2018 04:45:01 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1517489101; cv=none;
        d=google.com; s=arc-20160816;
        b=mP9nk7JzGb8iZ9Y+wdqlseao+5Hao7PdNUkQPmiDQuXHR13yi94U0DxYtfokl2WTeb
         7OEuwFHZHnWv8XSBdEDr1m3LgwyUaEJP8OH2/aVBZHrC7U7+w1SCCisZsf+W7oL0b3Yc
         90duXErum7fOwvcfJwXsdsNPP6OVkoRDd0d9uyKQO655O45bIk2dAdHccrDC9ECnMpr1
         uyOVLsC2GnKLulGvabbqYqYpjdDdoilFPfR+w4e3L0rx54rG0xRutfDp2Kzulmd/NSA2
         x2ysHx8tIml8HxtUYwnA57/QfvFvwkgxqiANLDKqFNlwtpf8liUTnEaHuGAAI+5rHhnZ
         U3+g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:subject:cc:to:from:date:arc-authentication-results;
        bh=Y5NMKHnviwDDEHzmOOZNsxhi7i/4TGiVSl7IkPArkfU=;
        b=LSPSSKUk2e8xcd/gFJKHXFFtRZfn4CBJWu+14rzP1sY51WXf3TmJ9zmQkBdXKfsC7b
         Ioy/cd8qDDjU6jnVw7QhJG6Jog/9sIFX5Zfzq/BMnKeTgItAp03aXM/2ZX2JPlI/qcHx
         vXY18xWn6lg/8hmnxyifG+vtiqQz7EVJX7tkertS4D7BqCeos9Zp6+AlHSIFM4ITLIw6
         YhtMImqtTOI1unF5EixLL13/yrh7UOMALwmp52xjtGRRNUy8hKwUdAfe4OI/ExrXHQVq
         4dfyQhSsryrK9o2ri/2avdtuo7UNJc4tTiZLhUlc92Yp2lvoc8RoodN6CHN0Gn6xiScs
         ysrg==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Return-Path: <henning.schild@siemens.com>
Received: from goliath.siemens.de (goliath.siemens.de. [192.35.17.28])
        by gmr-mx.google.com with ESMTPS id y16si1410918lje.2.2018.02.01.04.45.00
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 01 Feb 2018 04:45:01 -0800 (PST)
Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) client-ip=192.35.17.28;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.28 as permitted sender) smtp.mailfrom=henning.schild@siemens.com
Received: from mail1.siemens.de (mail1.siemens.de [139.23.33.14])
	by goliath.siemens.de (8.15.2/8.15.2) with ESMTPS id w11Cixeu031862
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 1 Feb 2018 13:45:00 +0100
Received: from mmd1pvb1c.ad001.siemens.net (md1pvb1c.ad001.siemens.net [139.25.68.40] (may be forged))
	by mail1.siemens.de (8.15.2/8.15.2) with ESMTP id w11CixfS012466;
	Thu, 1 Feb 2018 13:44:59 +0100
Date: Thu, 1 Feb 2018 13:44:59 +0100
From: Henning Schild <henning.schild@siemens.com>
To: <isar-users@googlegroups.com>
Cc: Baurzhan Ismagulov <ibr@radix50.net>,
        Alexander Smirnov
 <asmirnov@ilbers.de>
Subject: Re: [PATCH] images: wic: limit use of sudo and enable manual call
 again
Message-ID: <20180201134459.319ab24f@mmd1pvb1c.ad001.siemens.net>
In-Reply-To: <20180201124106.29397-1-henning.schild@siemens.com>
References: <cover.1517390790.git.henning.schild@siemens.com>
	<20180201124106.29397-1-henning.schild@siemens.com>
X-Mailer: Claws Mail 3.15.0-dirty (GTK+ 2.24.31; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-TUID: xmB1r1ko1wEW

This patch addresses the two main issues found in the reviews. The big
"sudo" and the broken "call it manually". The latter one is not fully
solved because users will have to call "isar-wic" instead of "wic".

I would even suggest to not fold this into the series and apply it on
top. It kind of shows some of the hacks required to wrap an unmodified
wic. The patch cleanly applies on top of the series i posted so far.

Henning

Am Thu, 1 Feb 2018 13:41:06 +0100
schrieb Henning Schild <henning.schild@siemens.com>:

> Issues:
>   1. after the wic rework wic was called under a big sudo
>   2. and calling it manually - like stated in the doc - did not work
>      anymore
> 
> Impact:
>   This patch solves both issues. Just like before sudo is only used
> for "du" and "mkfs". And by applying some tricks and wrapping we now
> can call "isar-wic" just like "wic" before.
> 
> Signed-off-by: Henning Schild <henning.schild@siemens.com>
> ---
>  doc/user_manual.md                           |  4 +--
>  meta/classes/wic-img.bbclass                 |  6 ++--
>  meta/recipes-devtools/wic-tools/wic-tools.bb |  4 +++
>  scripts/isar-wic                             | 27 ++++++++++++++
>  scripts/isar-wic-handler                     | 53
> ++++++++++++++++++++++++++++
> scripts/wic_fakeroot                         | 37 -------------------
> 6 files changed, 90 insertions(+), 41 deletions(-) create mode 100644
> meta/recipes-devtools/wic-tools/wic-tools.bb create mode 100755
> scripts/isar-wic create mode 100755 scripts/isar-wic-handler
>  delete mode 100755 scripts/wic_fakeroot
> 
> diff --git a/doc/user_manual.md b/doc/user_manual.md
> index 969f6d2..e9284a0 100644
> --- a/doc/user_manual.md
> +++ b/doc/user_manual.md
> @@ -208,9 +208,9 @@ Once the image artifacts have been built (c.f.
> previous section), full EFI disk Currently, only the `i386` and
> `amd64` target architectures are supported: ```
>   # Generate an EFI image for the `i386` target architecture
> - $ wic create -D sdimage-efi -o . -e
> multiconfig:qemui386-stretch:isar-image-base
> + $ isar-wic create -D sdimage-efi -o . -e
> multiconfig:qemui386-stretch:isar-image-base # Similarly, for the
> `amd64` target architecture
> - $ wic create -D sdimage-efi -o . -e
> multiconfig:qemuamd64-stretch:isar-image-base
> + $ isar-wic create -D sdimage-efi -o . -e
> multiconfig:qemuamd64-stretch:isar-image-base ```
>  
>  In order to run the images with `qemu`, an EFI firmware is required
> and available at the following address: diff --git
> a/meta/classes/wic-img.bbclass b/meta/classes/wic-img.bbclass index
> e8d2678..d4afde6 100644 --- a/meta/classes/wic-img.bbclass
> +++ b/meta/classes/wic-img.bbclass
> @@ -14,7 +14,7 @@ STAGING_DATADIR ?= "/usr/share/"
>  STAGING_LIBDIR ?= "/usr/lib/"
>  STAGING_DIR ?= "${TMPDIR}"
>  IMAGE_BASENAME ?= "multiconfig:${MACHINE}-${DISTRO}:${PN}"
> -FAKEROOTCMD ?= "wic_fakeroot"
> +FAKEROOTCMD ?= "/builder/isar/scripts/isar-wic-handler"
>  RECIPE_SYSROOT_NATIVE ?= "/"
>  
>  do_wic_image[stamp-extra-info] = "${DISTRO}-${MACHINE}"
> @@ -57,8 +57,10 @@ do_rootfs_wicenv[prefuncs] = 'set_image_size'
>  
>  do_wic_image() {
>      export BUILDDIR="${BUILDDIR}"
> +    export FAKEROOTCMD="${FAKEROOTCMD}"
> +    export TMPDIR="${TMPDIR}"
>  
> -    sudo -E
> PATH="$PATH:/builder/isar/bitbake/bin:/builder/isar/scripts" /builder/isar/scripts/wic
> create ${WKS_FILE} --vars "${STAGING_DIR}/${MACHINE}/imgdata/" -o
> ${DEPLOY_DIR_IMAGE} -e ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS}
> +    isar-wic create ${WKS_FILE} --vars
> "${STAGING_DIR}/${MACHINE}/imgdata/" -o ${DEPLOY_DIR_IMAGE} -e
> ${IMAGE_BASENAME} ${WIC_CREATE_EXTRA_ARGS} } 
>  addtask wic_image before do_build after do_copy_boot_files
> diff --git a/meta/recipes-devtools/wic-tools/wic-tools.bb
> b/meta/recipes-devtools/wic-tools/wic-tools.bb new file mode 100644
> index 0000000..50ba664
> --- /dev/null
> +++ b/meta/recipes-devtools/wic-tools/wic-tools.bb
> @@ -0,0 +1,4 @@
> +# This software is a part of ISAR.
> +# Copyright (C) 2018 Siemens AG
> +# This is just a dummy  because wic might call "bitbake -e
> wic-tools" to learn wic variables +inherit wic-img
> diff --git a/scripts/isar-wic b/scripts/isar-wic
> new file mode 100755
> index 0000000..4e4d0dd
> --- /dev/null
> +++ b/scripts/isar-wic
> @@ -0,0 +1,27 @@
> +#!/bin/sh
> +#
> +# This script is a wrapper to wic that prepares everything for Isar
> specific +# needs.
> +#
> +# This software is a part of Isar.
> +# Copyright (C) 2018 Siemens AG
> +
> +set -e
> +
> +[ -z $FAKEROOTCMD ] &&
> FAKEROOTCMD="/builder/isar/scripts/isar-wic-handler" +[ -z $TMPDIR ]
> && TMPDIR=$( mktemp -d ) +
> +export MTOOLS_SKIP_CHECK=1
> +
> +# Play a dirty trick to redirect "du" and "mkfs.*" to FAKEROOTCMD
> +TRICK_SYSROOT="${TMPDIR}/trick_wic_sysroot/"
> +mkdir -p ${TRICK_SYSROOT}/sbin
> +mkdir -p ${TRICK_SYSROOT}/usr/bin
> +for fstype in btrfs ext2 ext3 ext4 vfat; do
> +  ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/sbin/mkfs.${fstype}
> +done
> +ln -sf ${FAKEROOTCMD} ${TRICK_SYSROOT}/usr/bin/du
> +
> +export
> PATH="${TRICK_SYSROOT}/sbin:${TRICK_SYSROOT}/usr/sbin:${TRICK_SYSROOT}/usr/bin:${PATH}"
> + +exec wic $@
> diff --git a/scripts/isar-wic-handler b/scripts/isar-wic-handler
> new file mode 100755
> index 0000000..01fe4fe
> --- /dev/null
> +++ b/scripts/isar-wic-handler
> @@ -0,0 +1,53 @@
> +#!/usr/bin/env python3
> +#
> +# This script is used to handle Isar specifics in wic without having
> to change +# wic. It is called in two cases:
> +#  1. if wic calls exec_native_cmd with pseudo != ""
> +#  2. if wic calls exec_cmd on one of our trick symlinks
> +#
> +# This software is a part of Isar.
> +# Copyright (C) 2018 Siemens AG
> +#
> +import os
> +import sys
> +import shutil
> +import subprocess
> +
> +use_sudo = False
> +native = False
> +
> +args = sys.argv
> +args[0] = os.path.basename(args[0])
> +
> +# first thing we do is remove the PATH hack that took us here
> +os.environ['PATH'] = ':'.join(os.environ['PATH'].split(':')[3:])
> +
> +if args[0] == 'isar-wic-handler':
> +    native = True
> +    args.pop(0)
> +
> +# run only "mkfs.*" and "du" with sudo, in "exec_native_cmd" and
> "exec_cmd" +if (args[0].startswith('mkfs.') or args[0] == 'du'):
> +    use_sudo = True
> +else:
> +    if not native:
> +        print('ERROR: wic_fakeroot cmd "%s" not supported in
> non-native mode.'
> +              % args[0], file=sys.stderr)
> +        sys.exit(1)
> +
> +cmd = args[0]
> +args.pop(0)
> +
> +# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before
> affected) +# treat 1 as safe ... the filesystem was successfully
> repaired and is OK +if cmd.startswith('fsck.'):
> +    ret = subprocess.call([cmd] + args)
> +    if ret == 0 or ret == 1:
> +        sys.exit(0)
> +    sys.exit(ret)
> +
> +if use_sudo:
> +    args = ['-E', 'PATH="%s"' % os.environ['PATH'], cmd ] + args
> +    cmd = 'sudo'
> +
> +os.execv(shutil.which(cmd), args)
> diff --git a/scripts/wic_fakeroot b/scripts/wic_fakeroot
> deleted file mode 100755
> index 9e01c38..0000000
> --- a/scripts/wic_fakeroot
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -#!/usr/bin/env python3
> -#
> -# wic needs a FAKEROOT cmd to run, the default is pseudo. In Isar we
> do/can not -# use pseudo. And we call wic as root to begin with, so
> this script could be a -# dummy doing nothing. It is almost a
> dummy ... -#
> -# If the fsck hack ever becomes obsolete, FAKEROOTCMD ?= "true;" can
> be used -#
> -# This software is a part of Isar.
> -# Copyright (C) 2018 Siemens AG
> -#
> -import os
> -import sys
> -import shutil
> -import subprocess
> -
> -args = sys.argv
> -args.pop(0)
> -cmd = args[0]
> -
> -# expect to be running as root
> -# we could loosen that and execv(sudo, args) but even some early
> -# "du"s fail, which do not use the fakeroot-wrapper
> -#  i.e. in wics partition.py the "du -ks" fails on
> -#    var/cache/apt/archives/partial
> -#    rootfs/root ...
> -assert 'root' == os.environ["USER"]
> -
> -# e2fsck <= 1.43.5 returns 1 on non-errors (stretch and before
> affected) -# treat 1 as safe ... the filesystem was successfully
> repaired and is OK -if cmd.startswith('fsck.'):
> -    ret = subprocess.call(args)
> -    if ret == 0 or ret == 1:
> -        sys.exit(0)
> -    sys.exit(ret)
> -
> -os.execv(shutil.which(cmd), args)