Date: Mon, 25 Feb 2019 10:32:17 +0100
From: Henning Schild
To: "[ext] Jan Kiszka"
Cc: Claudius Heine, "[ext] claudius.heine.ext@siemens.com"
Subject: Re: [PATCH] added 'isar-cfg-userpw' package
Message-ID: <20190225103217.0b079975@md1za8fc.ad001.siemens.net>
In-Reply-To: <44468fac-f5b7-2178-9170-8eb382528c4a@siemens.com>

On Mon, 25 Feb 2019 09:48:38 +0100, "[ext] Jan Kiszka" wrote:

> On 25.02.19 09:44, Claudius Heine wrote:
> > Hi Jan,
> >
> > Quoting Jan Kiszka (2019-02-25 09:07:35)
> >> On 23.02.19 11:42, Jan Kiszka wrote:
> >>> On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
> >>>> From: Claudius Heine > >>>> > >>>> With this package setting of arbitrary user passwords should be > >>>> possible. > >>>> > >>>> To do this use the 'CFG_USER_PW' variable as described in the > >>>> user manual. > >>>> > >>>> Signed-off-by: Claudius Heine > >>>> --- > >>>> =C2=A0 doc/user_manual.md=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 1 + > >>>> =C2=A0 meta-isar/conf/local.conf.sample=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 2 ++ > >>>> =C2=A0 meta/classes/isar-image.bbclass=C2=A0=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 |=C2=A0 2 +- > >>>> =C2=A0 .../isar-cfg-userpw/files/postinst.tmpl=C2=A0=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0 | 15 > >>>> ++++++++++++ .../isar-cfg-userpw/isar-cfg-userpw.bb=C2=A0=C2=A0=C2= =A0=C2=A0=C2=A0=C2=A0=C2=A0 | 23 > >>>> +++++++++++++++++++ 5 files changed, 42 insertions(+), 1 > >>>> deletion(-) create mode 100644 > >>>> meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl create > >>>> mode 100644 > >>>> meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > >>>> > >>>> diff --git a/doc/user_manual.md b/doc/user_manual.md > >>>> index db0bf85..53bb36a 100644 > >>>> --- a/doc/user_manual.md > >>>> +++ b/doc/user_manual.md 
> >>>> @@ -328,6 +328,7 @@ Some other variables include: > >>>> =C2=A0=C2=A0 - `DISTRO_APT_PREMIRRORS` - The preferred mirror (appe= nd it > >>>> to the default URI in the format `ftp.debian.org > >>>> my.preferred.mirror`. This variable is optional. > >>>> =C2=A0=C2=A0 - `CFG_ROOT_PW` - The encrypted root password to be se= t. To > >>>> encrypt password use `mkpasswd`. You find `mkpasswd` in the > >>>> `whois` package of Debian. If the variable is empty, root login > >>>> is passwordless. > >>>> =C2=A0=C2=A0 - `CFG_ROOT_LOCKED` - If set to `1` the root account w= ill be > >>>> locked. > >>>> + - `CFG_USER_PW` - A space separated list of user names and > >>>> encrypted passwords separated by a colon. (e.g. > >>>> `username1:encryptedpw1 username2:encryptedpw2`) > >>>> > >>>> =C2=A0 --- > >>>> > >>>> diff --git a/meta-isar/conf/local.conf.sample > >>>> b/meta-isar/conf/local.conf.sample index e5827aa..494a283 100644 > >>>> --- a/meta-isar/conf/local.conf.sample > >>>> +++ b/meta-isar/conf/local.conf.sample > >>>> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?=3D "0" > >>>> =C2=A0 #=C2=A0=C2=A0 mkpasswd -m sha512crypt -R 10000 > >>>> =C2=A0 # mkpasswd is part of the 'whois' package of Debian > >>>> =C2=A0 CFG_ROOT_PW ?=3D > >>>> "$6$rounds=3D10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3P= HqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" > >>>> > >>>> +# Set user 'isar' password to 'isar': > >>>> +CFG_USER_PW ?=3D > >>>> "isar:$6$rounds=3D10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN= 3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1" > >>>> > >>>> diff --git a/meta/classes/isar-image.bbclass > >>>> b/meta/classes/isar-image.bbclass index cdd1651..0100d0b 100644 > >>>> --- a/meta/classes/isar-image.bbclass > >>>> +++ b/meta/classes/isar-image.bbclass 
> >>>> @@ -17,7 +17,7 @@ SRC_URI +=3D "${@ cfg_script(d) }" > >>>> > >>>> =C2=A0 DEPENDS +=3D "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" > >>>> > >>>> -IMAGE_TRANSIENT_PACKAGES +=3D "isar-cfg-localepurge > >>>> isar-cfg-rootpw" +IMAGE_TRANSIENT_PACKAGES +=3D > >>>> "isar-cfg-localepurge isar-cfg-rootpw isar-cfg-userpw" > >>>> > >>>> =C2=A0 WORKDIR =3D "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" > >>>> > >>>> diff --git > >>>> a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > >>>> b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl new > >>>> file mode 100644 index 0000000..47fffd0 > >>>> --- /dev/null > >>>> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl > >>>> @@ -0,0 +1,15 @@ > >>>> +#!/bin/sh > >>>> +set -e > >>>> + > >>>> +USER_ENTRIES=3D'${CFG_USER_PW} ' > >>>> + > >>>> +while true; do > >>>> +=C2=A0=C2=A0=C2=A0 USER_ENTRY=3D"${USER_ENTRIES%% *}" # First eleme= nt of list > >>>> +=C2=A0=C2=A0=C2=A0 USER_ENTRIES=3D"${USER_ENTRIES#${USER_ENTRY} }" = # Rest of list > >>>> + > >>>> +=C2=A0=C2=A0=C2=A0 if [ -z "${USER_ENTRY}" ]; then > >>>> +=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 break > >>>> +=C2=A0=C2=A0=C2=A0 fi > >>>> + > >>>> +=C2=A0=C2=A0=C2=A0 printf '%s' "${USER_ENTRY}" | chpasswd -e > >>>> +done > >>>> diff --git > >>>> a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb > >>>> b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb new > >>>> file mode 100644 index 0000000..75b0446 > >>>> --- /dev/null > >>>> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb 
> >>>> @@ -0,0 +1,23 @@ > >>>> +# This software is a part of ISAR. > >>>> + > >>>> +DESCRIPTION =3D "Isar configuration package for user passwords" > >>>> +MAINTAINER =3D "isar-users " > >>>> +DEBIAN_DEPENDS =3D "passwd" > >>>> + > >>>> +SRC_URI =3D "file://postinst.tmpl" > >>>> + > >>>> +TEMPLATE_FILES =3D "postinst.tmpl" > >>>> +TEMPLATE_VARS =3D "CFG_USER_PW" > >>>> + > >>>> +CFG_USER_PW ?=3D "" > >>>> + > >>>> +python() { > >>>> +=C2=A0=C2=A0=C2=A0 # Enforce CFG_USER_PW to be a single space separ= ated array > >>>> +=C2=A0=C2=A0=C2=A0 d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_U= SER_PW", > >>>> True).split())) +} > >>>> + > >>>> +inherit dpkg-raw > >>>> + > >>>> +do_install() { > >>>> +=C2=A0=C2=A0=C2=A0 echo "intentionally left blank" > >>>> +}
> >>>
> >>> Missed this until I had to deal with it: This does not allow
> >>> per-image password configuration because there is only one,
> >>> hard-coded isar-cfg-userpw package that all images pull. E.g.,
> >>> how to build a release (root account locked) and a debug image
> >>> (well-known insecure or empty password) at the same time now?
> >>>
> >>> We rather need to change the logic to pass the control variables
> >>> from the host down into the chroot during installation where the
> >>> transient package can then evaluate them. Or model this - as a
> >>> special case - without a package.
> >>>
> >>> Before the release, we should at least prove if the current
> >>> recipe interface can be maintained with the above requirement, so
> >>> that we do not break it again right after that.
> >>>
> >>
> >> The same conceptual issue applies to isar-cfg-localepurge:
> >> LOCALE_GEN and LOCALE_DEFAULT should be configurable on a
> >> per-image basis, not a per-build.
> >
> > You are right! I haven't considered that.
> >
> > Normally you would not have a 'debug' image and a 'release' image,
> > but different multi/local configurations for that. Having debug
> > images and release images is an anti-pattern for bb based projects
> > IMO and should not be done in Isar.
>
> This is not true. In the end, you will always have two images of that
> kind, often defined by different package sets, set in the respective
> image recipes.
>
> >
> > But of course if you now have a '*-debug' and '*-release'
> > multiconfig, you cannot build that in parallel if one package is
> > built with two different variables.
> >
> > And that exactly hits the mark with the problem I have with the way
> > Isar uses multiconfigs and tries to share packages from different
> > multiconfigs.
> >
> > IMO if you want to continue doing it that way, you would need to
> > have an 'isar-cfg-localpurge-debug' and an 'isar-cfg-userpw-debug'.
> > And do that for all possible other configurations you want to build
> > in parallel...
>
> Awkward. We need to stop these weird patterns which require too many
> boilerplate recipes to achieve very simple things. Let's just make
> these variables per-image.

I had a feeling that same PN-PV but different content could be a
problem. And here we go.

But Claudius is right, either we have different packages (by name
and/or version) or we do not use packages for such tasks. Per Image
variables will not work, the last do_deploy_deb will win and set the
password for every image sharing the repo.

Henning

> Jan
>
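
Review bot: The new `CFG_USER_PW` bullet in doc/user_manual.md does not say how to produce the encrypted value or what an empty variable means, while the `CFG_ROOT_PW` bullet two lines above it names `mkpasswd` and documents the empty case. It also does not say that the listed accounts must already exist in the image: none of the five files in this patch creates a user, and the postinst runs `chpasswd -e` under `set -e`, so an entry chpasswd rejects fails the package installation. Suggest adding the mkpasswd pointer, "This variable is optional", and the existing-account requirement to the bullet.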
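
Review bot: In meta-isar/conf/local.conf.sample the added `CFG_USER_PW ?=` line is active by default and its own comment states the password ('isar' for user 'isar'), so every build that starts from the sample carries a known credential unless the variable is overridden. Suggest shipping the line commented out, or stating in the comment that it is meant for test images only and must be replaced, and noting that the 'isar' account has to exist for the setting to apply.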
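
Review bot: In postinst.tmpl the rest-of-list step `USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }"` expands `${USER_ENTRY}` unquoted inside the pattern, so a `*`, `?` or `[` in an entry is matched as a glob instead of literally; quote the inner expansion as `${USER_ENTRIES#"${USER_ENTRY}" }`. The first assignment `USER_ENTRIES='${CFG_USER_PW} '` also relies on the substituted value never containing a single quote, which nothing visible here enforces. Since chpasswd reads one `user:password` pair per line from standard input, the whole loop could be replaced by emitting the entries one per line into a single `chpasswd -e` call.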
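
Review bot: In isar-cfg-userpw.bb the anonymous python function only normalises whitespace with `" ".join(d.getVar("CFG_USER_PW", True).split())`; an entry without a colon, with an empty user name, or with characters that break the quoting in postinst.tmpl passes through and is first noticed when the postinst runs inside the image. Suggest validating each entry as `name:hash` at parse time and stopping with `bb.fatal` on a malformed value. The package name and version also do not depend on `CFG_USER_PW` although the value is baked into the postinst through `TEMPLATE_VARS`, and isar-image.bbclass adds the package to `IMAGE_TRANSIENT_PACKAGES` for every image, so two images with different values yield the same package identity with different content, which is the problem raised in the replies.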