Date: Wed, 6 Feb 2019 13:12:25 +0100
From: Henning Schild
To: "[ext] claudius.heine.ext@siemens.com"
Cc: Claudius Heine
Subject: Re: [RFC PATCH 1/2] meta: add isar-cfg-rootpw recipe for setting root password
Message-ID: <20190206131225.7d2b6212@md1za8fc.ad001.siemens.net>
In-Reply-To: <20190205134235.27523-2-claudius.heine.ext@siemens.com>

Good idea to tackle the password problem!

The current way of not having a fallback in Isar means that every layer has to somehow deal with the rootpw, and once you start combining layers you get conflicts of multiple packages wanting to set the password. The result is a "random" password depending on the install order of the several packages.

We need one central way (fallback) again. One that supports one/empty/no passwd cases just like your suggestion.

What I do not like is the fact that the package will always have the same PN-PV, even if the content is different. Say you find the .deb somewhere and install it with "dpkg -i", the result will be pretty random again, depending on where you found the .deb.

Henning

On Tue, 5 Feb 2019 14:42:34 +0100, "[ext] claudius.heine.ext@siemens.com" wrote:

> From: Claudius Heine
>
> The isar-cfg-rootpw recipe is a central point to set the root password
> for images. It provides the `CFG_ROOT_LOCKED` and `CFG_ROOT_PW`
> variables, that can be set from any `.conf` file or via
> `isar-cfg-rootpw.bbappend`.
>
> The `CFG_ROOT_LOCKED` variable can be set to "1" in order to lock
> the root account, other values leave the account unlocked.
>
> The `CFG_ROOT_RW` variable contains either a root password, or is
> empty, in which case login without password is possible.
> > Signed-off-by: Claudius Heine > --- > meta-isar/conf/local.conf.sample | 3 ++- > .../recipes-app/example-raw/files/postinst | 4 ---- > .../isar-cfg-rootpw/files/postinst.tmpl | 11 +++++++++++ > .../isar-cfg-rootpw/isar-cfg-rootpw.bb | 19 > +++++++++++++++++++ 4 files changed, 32 insertions(+), 5 deletions(-) > create mode 100644 > meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl create mode > 100644 meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > > diff --git a/meta-isar/conf/local.conf.sample > b/meta-isar/conf/local.conf.sample index a671b20..a2bdd7e 100644 > --- a/meta-isar/conf/local.conf.sample > +++ b/meta-isar/conf/local.conf.sample > @@ -161,7 +161,8 @@ CONF_VERSION = "1" > > # > # The default list of extra packages to be installed. > -IMAGE_INSTALL = "hello-isar example-raw > example-module-${KERNEL_NAME} enable-fsck" +IMAGE_INSTALL = > "hello-isar example-raw example-module-${KERNEL_NAME} enable-fsck \ > + isar-cfg-rootpw" > > # > # Enable cross-compilation support > diff --git a/meta-isar/recipes-app/example-raw/files/postinst > b/meta-isar/recipes-app/example-raw/files/postinst index > f60be8c..f48d993 100644 --- > a/meta-isar/recipes-app/example-raw/files/postinst +++ > b/meta-isar/recipes-app/example-raw/files/postinst @@ -15,8 +15,4 @@ > fi > chown -R isar:isar /var/lib/isar > > -# this wins over meta-isar/recipes-core/images/files/*configscript.sh > -# but we take the same password for this example > -echo "root:root" | chpasswd > - > echo "isar" > /etc/hostname > diff --git a/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl > b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl new file > mode 100644 index 0000000..51e901e > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/files/postinst.tmpl 
> @@ -0,0 +1,11 @@ > +#!/bin/sh > +set -e > +if [ "${CFG_ROOT_LOCKED}" == "1" ]; then > + passwd -l root > +else > + if [ -n "${CFG_ROOT_PW}" ]; then > + echo "root:${CFG_ROOT_PW}" | chpasswd > + else > + passwd -d root > + fi > +fi > diff --git a/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb new file > mode 100644 index 0000000..adee3b5 > --- /dev/null > +++ b/meta/recipes-support/isar-cfg-rootpw/isar-cfg-rootpw.bb > @@ -0,0 +1,19 @@ > +# This software is a part of ISAR. > + > +DESCRIPTION = "Isar configuration package for root password" > +MAINTAINER = "isar-users " > +DEBIAN_DEPENDS = "passwd" > + > +SRC_URI = "file://postinst.tmpl" > + > +TEMPLATE_FILES = "postinst.tmpl" > +TEMPLATE_VARS = "CFG_ROOT_PW CFG_ROOT_LOCKED" > + > +CFG_ROOT_PW ??= "" > +CFG_ROOT_LOCKED ??= "0" > + > +inherit dpkg-raw > + > +do_install() { > + echo "intentionally left blank" > +}
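
Review bot: In the meta-isar/conf/local.conf.sample hunk, isar-cfg-rootpw is added to IMAGE_INSTALL but the sample neither sets nor documents CFG_ROOT_PW and CFG_ROOT_LOCKED, so a reader of the sample cannot tell that the image's root credential now comes from this package. Because the same patch removes `echo "root:root" | chpasswd` from the example-raw postinst, the sample image silently falls back to the recipe defaults. Suggest adding a commented block next to IMAGE_INSTALL that names both variables and sets an explicit value for the example.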
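
Review bot: In the postinst.tmpl hunk, the test `[ "${CFG_ROOT_LOCKED}" == "1" ]` uses `==`, which is not a POSIX test operator, while the script declares `#!/bin/sh`. Under a /bin/sh such as dash the test reports an error instead of evaluating true, the `if` takes the else branch, and a configuration that asked for a locked root account runs chpasswd or `passwd -d root` instead. Use `=` here. Separately, `echo "root:${CFG_ROOT_PW}" | chpasswd` is filled in by the template, so the clear-text password is written into the postinst shipped in the package, and a password containing `"`, `$` or a backquote changes the generated script. Consider taking a pre-hashed value and passing it with `chpasswd -e`.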
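
Review bot: In the isar-cfg-rootpw.bb hunk, the defaults `CFG_ROOT_PW ??= ""` and `CFG_ROOT_LOCKED ??= "0"` select the `passwd -d root` branch of postinst.tmpl, so an image that installs the package without setting either variable gets a root account with no password. Defaulting CFG_ROOT_LOCKED to "1", or failing the build when neither variable is set, would make the passwordless case an explicit choice rather than the fallback. The commit message also documents the password variable as CFG_ROOT_RW, while TEMPLATE_VARS and the default assignment use CFG_ROOT_PW; the two should agree.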