From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6634399131619033088 X-Received: by 2002:a1c:2dd0:: with SMTP id t199mr1228004wmt.21.1544704821440; Thu, 13 Dec 2018 04:40:21 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a1c:4987:: with SMTP id w129ls434190wma.13.gmail; Thu, 13 Dec 2018 04:40:20 -0800 (PST) X-Google-Smtp-Source: AFSGD/UqOqPUPA2IkuAq46q6EXSu+dX+TC69De4dQGeQOkGHro9M+co9apP7axf+E8gX100IuLpz X-Received: by 2002:a1c:96d2:: with SMTP id y201mr1314275wmd.3.1544704820870; Thu, 13 Dec 2018 04:40:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544704820; cv=none; d=google.com; s=arc-20160816; b=TMRdeBonPo7WWnfJ5wpev0XHBO6nAeyKID/OSLM96WPAehSpJMrNsxrW5j8DAtYQq6 SEoCGU84S9LunOfEylh7zka18H+nr3594w0DxGzGYdjhqxguYb6HfNw6aarv2AkukSan Gl+Nuaolwqc3ZCOm/eTqXXYx67tGefpOYCEqhWzpp4c3flF9zF0EbU8t+EuBlbNMkv6V 8kYRAuF+Dqz4UsWvQM2SgNWIKB2vjHz6obp0giHUQrSN7oFDHNqDtHIw8hVxZPg4ZkbX AoG9GuTIy/vA9OMO1BNVEnALfXn1dwTPWK2sV8ELRIRLmrGA+RjeXxJKQuRkCQHIeWDR t1vw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:subject:cc:to:from:date; bh=DqNarsXjcH19HR5miSOSI164ECqS3NMpesClavTR8kw=; b=MG+OAN6YjdtIOQQd3kW0Y2zG/aMLRoIizCEZzEE+CEFA1yA71MF1CT7KpexpoKpYog u3X9txVQIfHeW+izlvyqhA50dmQYoWaaCAmdcHOXNXYTXiXWt0Z8Zz+zFgY5d49IqHM2 PHTAlwUuQTtSq3BYi7verwyCz8Dn6kmQANUTCim6TwWgPD68NklhYhYSQa1eQYMDLVAp d3wYIR9rrPF2SUhuxbJ3Hbz5Lq6530zQsYbwQ7VvAme8tJuI8CG4zw9amUcF8Pk010YA fyQh4plk2Z2R3q3vpJGuLS1X/YnNZsrVs449z8H1fhHHNnLMKL7bYyEs0te12bWqbwH0 3KJg== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Return-Path: Received: from david.siemens.de (david.siemens.de. [192.35.17.14]) by gmr-mx.google.com with ESMTPS id j45si50685wre.0.2018.12.13.04.40.20 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Dec 2018 04:40:20 -0800 (PST) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) client-ip=192.35.17.14; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 192.35.17.14 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id wBDCeJLN007594 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Thu, 13 Dec 2018 13:40:20 +0100 Received: from md1za8fc.ad001.siemens.net ([139.25.69.236]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id wBDCeIWw007280; Thu, 13 Dec 2018 13:40:18 +0100 Date: Thu, 13 Dec 2018 13:40:17 +0100 From: Henning Schild To: "[ext] Jan Kiszka" Cc: "[ext] Claudius Heine" , Harald Seiler , Subject: Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot Message-ID: <20181213134017.19db456c@md1za8fc.ad001.siemens.net> In-Reply-To: <622004a8-a4c5-2b3a-3dc3-ce3cfe640320@siemens.com> References: <1544691418.2560.7.camel@denx.de> <1544694484.2560.15.camel@denx.de> <622004a8-a4c5-2b3a-3dc3-ce3cfe640320@siemens.com> X-Mailer: Claws Mail 3.15.0-dirty (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-TUID: u2pk1gqKaEz2 Am Thu, 13 Dec 2018 11:09:14 +0100 schrieb "[ext] Jan Kiszka" : > On 13.12.18 11:03, [ext] Claudius Heine wrote: > > Hi, > >=20 > > On 13/12/2018 10.48, Harald Seiler wrote: =20 > >> Hello Claudius, > >> > >> On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote: =20 > >>> Hi Harald, > >>> > >>> On 13/12/2018 09.56, Harald Seiler wrote: =20 > >>>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this > >>>> will lead to a call to `systemctl restart ssh`.=C2=A0 This call bloc= ks > >>>> forever because of course the sshd-regen-keys unit, which is a > >>>> dependency of sshd, hasn't finished at this point and can't do so > >>>> because it is waiting as well. > >>>> > >>>> To circumvent this deadlock, this commit changes sshd-regen-keys' > >>>> behavior so sshd is first disabled and only reenabled after the > >>>> job is done. > >>>> > >>>> Signed-off-by: Harald Seiler > >>>> --- > >>>> =C2=A0=C2=A0 .../sshd-regen-keys/files/sshd-regen-keys.service=C2=A0= =C2=A0=C2=A0=C2=A0 |=C2=A0 2 +- > >>>> =C2=A0=C2=A0 .../sshd-regen-keys/files/sshd-regen-keys.sh=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 | 19=20 > >>>> +++++++++++++++++++ > >>>> =C2=A0=C2=A0 .../sshd-regen-keys/sshd-regen-keys_0.1.bb=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 7 > >>>> +++++-- 3 files changed, 25 insertions(+), 3 deletions(-) > >>>> =C2=A0=C2=A0 create mode 100644=20 > >>>> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >>>> > >>>> diff --git=20 > >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service= =20 > >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >>>> index 3b8231f..a05e1a9 100644 > >>>> --- > >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >>>> +++ > >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service > >>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=3D/etc Type=3Doneshot > >>>> RemainAfterExit=3Dyes Environment=3DDEBIAN_FRONTEND=3Dnoninteractive > >>>> -ExecStart=3D/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; > >>>> dpkg-reconfigure openssh-server" > >>>> +ExecStart=3D/usr/sbin/sshd-regen-keys.sh > >>>> =C2=A0=C2=A0 ExecStartPost=3D-/bin/systemctl disable sshd-regen-keys= .service > >>>> =C2=A0=C2=A0 StandardOutput=3Dsyslog > >>>> =C2=A0=C2=A0 StandardError=3Dsyslog > >>>> diff --git > >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >>>> new file mode 100644 index 0000000..294e8fa > >>>> --- /dev/null > >>>> +++ > >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh > >>>> @@ -0,0 +1,19 @@ +#!/usr/bin/env sh > >>>> + > >>>> +echo -n "SSH server is " > >>>> +if systemctl is-enabled ssh; then > >>>> +=C2=A0=C2=A0=C2=A0 SSHD_ENABLED=3D"true" > >>>> +=C2=A0=C2=A0=C2=A0 systemctl disable --no-reload ssh > >>>> +fi > >>>> + > >>>> +echo "Removing keys ..." > >>>> +rm -v /etc/ssh/ssh_host_*_key* > >>>> + > >>>> +echo "Regenerating keys ..." > >>>> +dpkg-reconfigure openssh-server =20 > >>> > >>> Since this is part of 'meta', does it make sense to make the > >>> package name+service file name configurable from the bitbake > >>> configuration or is that too much trouble. > >>> =20 > >> > >> I don't quite understand what you mean, can you please > >> elaborate on that? =20 > >=20 > > Basically if those names should be configurable from the isar > > distro/multiconfig etc. E.g. what happens if I decided to use some > > openssh replacement or a different/future debian based distribution? > >=20 > > IIUC ideally `meta` should be distribution independent. > >=20 > > So if that is wanted then we would need to create those files via > > some template mechanism, e.g. envsubst or just sed. > >=20 > > But since sshd-regen-keys already depends on those elsewhere, that > > point might just be out of scope of this patch. So I let you > > decide. :)=20 >=20 > I agree on the general goal but I think we could be more relaxed at > this stage /wrt optional support packages like this one. Eventually, > we can sort out also these kind of dependencies but we will also need > proper test cases for such abstractions which we lack at this point. Agreed, and a dropbear or whatever would also potentially store the keys in another location. Just like we silently assume that systemd is init we can assume that openssh is the sshd. Henning > Jan >=20