[PATCH v9 0/5] Fix usage of additional apt keys and repos

[PATCH v9 0/5] Fix usage of additional apt keys and repos

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

Diff to v8: No revert, improve docs. Map changes for missing
raspbian-jessie.conf to raspbian-stretch.conf.

Last test of BASE_REPO_KEY worked before trivial rebasing.

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>

Andreas Reichel (5):
  Simplify and enhance apt-keyring generator
  Use apt-key to generate keyrings
  If we use a custom keyring debootstrap may fall to https
  raspbian-stretch: Use DISTRO_BOOTSTRAP_KEYS
  docs: Update user_manual.md

 doc/user_manual.md                            | 41 +++++++-
 meta-isar/conf/distro/raspbian-stretch.conf   |  2 +-
 .../conf/multiconfig/qemuamd64-buster.conf    |  1 -
 meta/conf/bitbake.conf                        |  1 +
 .../isar-bootstrap/isar-bootstrap-host.bb     |  4 +-
 .../isar-bootstrap/isar-bootstrap-target.bb   |  4 +-
 .../isar-bootstrap/isar-bootstrap.inc         | 95 +++++++++++++------
 7 files changed, 114 insertions(+), 34 deletions(-)

-- 
2.21.0

[PATCH v9 1/5] Simplify and enhance apt-keyring generator

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

* Remove duplicate code from apt-keyring generation

* Fix fetched key location in apt-keyring generator:
Use bb.fetch2.Fetch to retrieve the final filename after it is
downloaded. This way we don't have to guess (which may be wrong), and
also additional SRC_URI parameters like subdir or filename are usable
now.

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
 .../isar-bootstrap/isar-bootstrap.inc         | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index c1b571a..90a0faa 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -33,23 +33,23 @@ DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org  file:///${REPO_BA
 inherit base-apt-helper
 
 python () {
-    from urllib.parse import urlparse
     distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
-    wd = d.getVar("WORKDIR", True)
+    aptkeys = []
+
     if distro_apt_keys:
-        d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
-        for key in distro_apt_keys.split():
-            url = urlparse(key)
-            d.appendVar("SRC_URI", " " + key)
-            d.appendVar("APTKEYFILES", " " + wd + url.path)
+        aptkeys += distro_apt_keys.split()
+
     if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
         own_pub_key = d.getVar("BASE_REPO_KEY", False)
         if own_pub_key:
-            d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
-            for key in own_pub_key.split():
-                url = urlparse(key)
-                d.appendVar("SRC_URI", " " + key)
-                d.appendVar("APTKEYFILES", " " + wd + url.path)
+            aptkeys += own_pub_key.split()
+
+    d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
+    for key in aptkeys:
+        d.appendVar("SRC_URI", " %s" % key)
+        fetcher = bb.fetch2.Fetch([key], d)
+        filename = fetcher.localpath(key)
+        d.appendVar("APTKEYFILES", " %s" % filename)
 }
 
 def aggregate_files(d, file_list, file_out):
-- 
2.21.0

[PATCH v9 2/5] Use apt-key to generate keyrings

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

* Keyring names as well as variable names are now cleanly separated:
  DISTRO_BOOTSTRAP_KEYS, DISTRO_BOOTSTRAP_KEYRING and
  DISTRO_BOOTSTRAP_KEYFILES

  for bootstrapping the distro.

  THIRD_PARTY_APT_KEYS, THIRD_PARTY_APT_KEYRING and
  THIRD_PARTY_APT_KEYFILES

  for installing packages after bootstrapping.

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
 meta/conf/bitbake.conf                        |  1 +
 .../isar-bootstrap/isar-bootstrap-host.bb     |  4 +-
 .../isar-bootstrap/isar-bootstrap-target.bb   |  4 +-
 .../isar-bootstrap/isar-bootstrap.inc         | 75 +++++++++++++------
 4 files changed, 59 insertions(+), 25 deletions(-)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 0e521bb..3782e5c 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -62,6 +62,7 @@ DEBDISTRONAME = "isar"
 # Isar apt repository paths
 REPO_ISAR_DIR = "${DEPLOY_DIR}/isar-apt/apt"
 REPO_ISAR_DB_DIR = "${DEPLOY_DIR}/isar-apt/db"
+THIRD_PARTY_APT_KEYRING = "/etc/apt/trusted.gpg.d/third_party.gpg"
 
 # Base apt repository paths
 REPO_BASE_DIR = "${DL_DIR}/base-apt/apt"
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb b/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb
index 08b068f..7ee4c61 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb
@@ -14,7 +14,7 @@ ISAR_BOOTSTRAP_LOCK = "${DEPLOY_DIR_BOOTSTRAP}/${HOST_DISTRO}-${HOST_ARCH}.lock"
 require isar-bootstrap.inc
 inherit isar-bootstrap-helper
 
-do_generate_keyring[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
+do_generate_keyrings[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
 
 do_apt_config_prepare[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
 do_apt_config_prepare[dirs] = "${WORKDIR}"
@@ -52,4 +52,4 @@ do_bootstrap[vardeps] += "HOST_DISTRO_APT_SOURCES"
 do_bootstrap() {
     isar_bootstrap --host
 }
-addtask bootstrap before do_build after do_generate_keyring
+addtask bootstrap before do_build after do_generate_keyrings
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb b/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb
index 79f3e34..39f12b5 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb
@@ -13,7 +13,7 @@ ISAR_BOOTSTRAP_LOCK = "${DEPLOY_DIR_BOOTSTRAP}/${DISTRO}-${DISTRO_ARCH}.lock"
 
 require isar-bootstrap.inc
 
-do_generate_keyring[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
+do_generate_keyrings[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
 
 do_apt_config_prepare[stamp-extra-info] = "${DISTRO}-${DISTRO_ARCH}"
 do_apt_config_prepare[dirs] = "${WORKDIR}"
@@ -49,5 +49,5 @@ do_bootstrap[vardeps] += "DISTRO_APT_SOURCES"
 do_bootstrap() {
     isar_bootstrap
 }
-addtask bootstrap before do_build after do_generate_keyring
+addtask bootstrap before do_build after do_generate_keyrings
 
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 90a0faa..835ad52 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -22,34 +22,41 @@ APTPREFS = "${WORKDIR}/apt-preferences"
 APTSRCS = "${WORKDIR}/apt-sources"
 APTSRCS_INIT = "${WORKDIR}/apt-sources-init"
 BASEAPTSRCS = "${WORKDIR}/base-apt-sources"
-APTKEYFILES = ""
-APTKEYRING = "${WORKDIR}/apt-keyring.gpg"
-DEBOOTSTRAP_KEYRING = ""
+DISTRO_BOOTSTRAP_KEYFILES = ""
+THIRD_PARTY_APT_KEYFILES = ""
 DEPLOY_ISAR_BOOTSTRAP ?= ""
 DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
+DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2"
 
 DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org  file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
 
 inherit base-apt-helper
 
 python () {
-    distro_apt_keys = d.getVar("DISTRO_APT_KEYS", False)
-    aptkeys = []
+    distro_bootstrap_keys = (d.getVar("DISTRO_BOOTSTRAP_KEYS", False) or "").split()
 
-    if distro_apt_keys:
-        aptkeys += distro_apt_keys.split()
+    third_party_apt_keys = (d.getVar("THIRD_PARTY_APT_KEYS", False) or "").split() 
+
+    # The cached repo key can be both for bootstrapping and apt package
+    # installation afterwards. However, debootstrap will include the key into
+    # the rootfs automatically thus the right place is distro_bootstrap_keys.
 
     if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')):
         own_pub_key = d.getVar("BASE_REPO_KEY", False)
         if own_pub_key:
-            aptkeys += own_pub_key.split()
+            distro_bootstrap_keys += own_pub_key.split()
+
+    for key in distro_bootstrap_keys:
+        d.appendVar("SRC_URI", " %s" % key)
+        fetcher = bb.fetch2.Fetch([key], d)
+        filename = fetcher.localpath(key)
+        d.appendVar("DISTRO_BOOTSTRAP_KEYFILES", " %s" % filename)
 
-    d.setVar("DEBOOTSTRAP_KEYRING", "--keyring ${APTKEYRING}")
-    for key in aptkeys:
+    for key in third_party_apt_keys:
         d.appendVar("SRC_URI", " %s" % key)
         fetcher = bb.fetch2.Fetch([key], d)
         filename = fetcher.localpath(key)
-        d.appendVar("APTKEYFILES", " %s" % filename)
+        d.appendVar("THIRD_PARTY_APT_KEYFILES", " %s" % filename)
 }
 
 def aggregate_files(d, file_list, file_out):
@@ -159,6 +166,14 @@ def get_distro_needs_https_support(d, is_host=False):
     else:
         return ""
 
+def get_distro_needs_gpg_support(d):
+    apt_keys = d.getVar("THIRD_PARTY_APT_KEYS", False)
+    if apt_keys and apt_keys != "":
+        return "gnupg"
+    return ""
+
+OVERRIDES_append = ":${@get_distro_needs_gpg_support(d)}"
+
 def get_distro_source(d, is_host):
     return get_distro_primary_source_entry(d, is_host)[0]
 
@@ -172,17 +187,26 @@ def get_distro_components_argument(d, is_host):
     else:
         return ""
 
-do_generate_keyring[dirs] = "${DL_DIR}"
-do_generate_keyring[vardeps] += "DISTRO_APT_KEYS"
-do_generate_keyring() {
-    if [ -n "${@d.getVar("APTKEYFILES", True) or ""}" ]; then
-        for keyfile in ${@d.getVar("APTKEYFILES", True)}; do
-           gpg --no-default-keyring --keyring "${APTKEYRING}" \
-               --no-tty --homedir "${DL_DIR}"  --import "$keyfile"
+APT_KEYS_DIR := "${WORKDIR}/aptkeys"
+DISTRO_BOOTSTRAP_KEYRING := "${WORKDIR}/distro-keyring.gpg"
+
+do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
+do_generate_keyrings[dirs] = "${DL_DIR}"
+do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings() {
+    if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
+        chmod 777 "${APT_KEYS_DIR}"
+        for keyfile in ${@d.getVar("THIRD_PARTY_APT_KEYFILES", True)}; do
+           cp "$keyfile" "${APT_KEYS_DIR}"/"$(basename "$keyfile")"
+        done
+    fi
+    if [ -n "${@d.getVar("DISTRO_BOOTSTRAP_KEYFILES", True) or ""}" ]; then
+        for keyfile in ${@d.getVar("DISTRO_BOOTSTRAP_KEYFILES", True)}; do
+           sudo apt-key --keyring "${DISTRO_BOOTSTRAP_KEYRING}" add $keyfile
         done
     fi
 }
-addtask generate_keyring before do_build after do_unpack
+addtask generate_keyrings before do_build after do_unpack
 
 
 
@@ -206,6 +230,9 @@ isar_bootstrap() {
         shift
     done
     debootstrap_args="--verbose --variant=minbase --include=${DISTRO_BOOTSTRAP_BASE_PACKAGES}"
+    if [ ! "x${DISTRO_BOOTSTRAP_KEYS}" = "x" ]; then
+        debootstrap_args="$debootstrap_args --keyring=${DISTRO_BOOTSTRAP_KEYRING}"
+    fi
     if [ "${ISAR_USE_CACHED_BASE_REPO}" = "1" ]; then
         if [ -z "${BASE_REPO_KEY}" ] ; then
             debootstrap_args="$debootstrap_args --no-check-gpg"
@@ -222,7 +249,6 @@ isar_bootstrap() {
             if [ ${IS_HOST} ]; then
                 ${DEBOOTSTRAP} $debootstrap_args \
                                ${@get_distro_components_argument(d, True)} \
-                               ${DEBOOTSTRAP_KEYRING} \
                                "${@get_distro_suite(d, True)}" \
                                "${ROOTFSDIR}" \
                                "${@get_distro_source(d, True)}"
@@ -231,7 +257,6 @@ isar_bootstrap() {
                  "${DEBOOTSTRAP}" $debootstrap_args \
                                   --arch="${DISTRO_ARCH}" \
                                   ${@get_distro_components_argument(d, False)} \
-                                  ${DEBOOTSTRAP_KEYRING} \
                                   "${@get_distro_suite(d, False)}" \
                                   "${ROOTFSDIR}" \
                                   "${@get_distro_source(d, False)}"
@@ -260,6 +285,14 @@ isar_bootstrap() {
             mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
             install -v -m644 "${WORKDIR}/isar-apt.conf" \
                              "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
+            find ${APT_KEYS_DIR}/ -type f | while read keyfile
+            do
+                kfn="$(basename $keyfile)"
+                cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
+                sudo -E chroot "${ROOTFSDIR}" /usr/bin/apt-key \
+                   --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn"
+                rm "${ROOTFSDIR}/tmp/$kfn"
+            done
 
             if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
                 install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \
-- 
2.21.0

[PATCH v9 3/5] If we use a custom keyring debootstrap may fall to https

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009

So if we have something in the distro bootstrap keyring, append
https-support to OVERRIDES.

Furthermore, the conditional append for https-support was missing
in qemuamd64-stretch.conf, thus, remove this from all the distros
and put it into the isar-bootstrap.inc.

Furthermore, packages are comma-, not space-separated.

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
 meta-isar/conf/multiconfig/qemuamd64-buster.conf    | 1 -
 meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 8 ++++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/meta-isar/conf/multiconfig/qemuamd64-buster.conf b/meta-isar/conf/multiconfig/qemuamd64-buster.conf
index 63df75c..da90993 100644
--- a/meta-isar/conf/multiconfig/qemuamd64-buster.conf
+++ b/meta-isar/conf/multiconfig/qemuamd64-buster.conf
@@ -18,4 +18,3 @@ QEMU_MACHINE ?= "q35"
 QEMU_CPU ?= ""
 QEMU_DISK_ARGS ?= "-hda ##ROOTFS_IMAGE## -bios /usr/local/share/ovmf/OVMF.fd"
 
-DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = " apt-transport-https ca-certificates"
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 835ad52..c6c3cde 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -27,6 +27,7 @@ THIRD_PARTY_APT_KEYFILES = ""
 DEPLOY_ISAR_BOOTSTRAP ?= ""
 DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
 DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg2"
+DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = ",apt-transport-https,ca-certificates"
 
 DISTRO_APT_PREMIRRORS ?= "${@ "http://ftp\.(\S+\.)?debian.org  file:///${REPO_BASE_DIR} \n" if bb.utils.to_boolean(d.getVar('ISAR_USE_CACHED_BASE_REPO')) else "" }"
 
@@ -161,6 +162,13 @@ def get_distro_have_https_source(d, is_host=False):
     return any(source[2].startswith("https://") for source in generate_distro_sources(d, is_host))
 
 def get_distro_needs_https_support(d, is_host=False):
+    distro_bootstrap_keys = d.getVar("DISTRO_BOOTSTRAP_KEYS", False)
+    if distro_bootstrap_keys and distro_bootstrap_keys != "":
+        # debootstrap falls back to https if there is no
+        # 'reliable' keyring, whatever that means, but it happened
+        # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891009
+        return "https-support"
+
     if get_distro_have_https_source(d, is_host):
         return "https-support"
     else:
-- 
2.21.0

[PATCH v9 4/5] raspbian-stretch: Use DISTRO_BOOTSTRAP_KEYS

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

Use new DISTRO_BOOTSTRAP_KEYS instead of DISTRO_APT_KEYS

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
 meta-isar/conf/distro/raspbian-stretch.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-isar/conf/distro/raspbian-stretch.conf b/meta-isar/conf/distro/raspbian-stretch.conf
index c6f215b..4c47376 100644
--- a/meta-isar/conf/distro/raspbian-stretch.conf
+++ b/meta-isar/conf/distro/raspbian-stretch.conf
@@ -7,6 +7,6 @@ BASE_DISTRO = "raspbian"
 BASE_DISTRO_CODENAME = "stretch"
 
 DISTRO_APT_SOURCES += "conf/distro/raspbian-stretch.list"
-DISTRO_APT_KEYS += "https://archive.raspbian.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
+DISTRO_BOOTSTRAP_KEYS += "https://archive.raspbian.org/raspbian.public.key;sha256sum=ca59cd4f2bcbc3a1d41ba6815a02a8dc5c175467a59bd87edeac458f4a5345de"
 DISTRO_CONFIG_SCRIPT ?= "${LAYERDIR_isar}/conf/distro/raspbian-configscript.sh"
 DISTRO_KERNELS ?= "rpi rpi2 rpi-rpfv rpi2-rpfv"
-- 
2.21.0

[PATCH v9 5/5] docs: Update user_manual.md

[Andreas J. Reichel]

From: Andreas Reichel <andreas.reichel.ext@siemens.com>

Explain DISTRO_BOOTSTRAP_KEYS and THIRD_PARTY_APT_KEYS.
Give an example on how to use the variables to include docker-ce.

Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
---
 doc/user_manual.md | 41 ++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index ba57319..eb877b1 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -321,6 +321,7 @@ Some other variables include:
  - `HOST_DISTRO_APT_SOURCES` - List of apt source files for SDK root filesystem. This variable is optional.
  - `HOST_DISTRO_APT_PREFERENCES` - List of apt preference files for SDK root filesystem. This variable is optional.
  - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the default URI in the format `ftp.debian.org my.preferred.mirror`. This variable is optional.
+ - `THIRD_PARTY_APT_KEYS` - List of gpg key URIs used to verify apt repos for apt installation after bootstrapping
  - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login is passwordless.
  - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
 
@@ -368,10 +369,12 @@ Isar can generate various images types for specific machine. The type of the ima
 The distro is defined by the set of the following variables:
 
  - `DISTRO_APT_SOURCES` - List of apt source files
- - `DISTRO_APT_KEYS` - List of gpg key URIs used to verify apt repos
+ - `DISTRO_BOOTSTRAP_KEYS` - List of gpg key URIs used to verify apt bootstrap repo
  - `DISTRO_APT_PREFERENCES` - List of apt preference files
  - `DISTRO_KERNELS` - List of supported kernel suffixes
 
+The first entry of DISTRO_APT_SOURCES is used for bootstrapping.
+
 Below is an example for Raspbian Stretch:
 ```
 DISTRO_APT_SOURCES += "conf/distro/raspbian-stretch.list"
@@ -783,3 +786,39 @@ bitbake multiconfig:qemuarm-stretch:isar-image-base
 ### Limitation
 
 Files fetched with the `SRC_URI` protocol "apt://" are not yet cached.
+
+## Add foreign packages from other repositories to the generated image
+
+### Motivation
+
+When building embedded systems with Isar, one might want to include packages that are not provided by debian by default. One example is docker-ce.
+
+### Approach/Solution
+
+Add a new sources list entry to fetch the package from, i.e. include a new apt source mirror. Then add the needed apt key for the third party repository. Add the wanted package to the IMAGE_PREINSTALL variable.
+
+### Example
+
+Add docker-ce from arm64:
+
+Create a new layer containing `conf/distro/docker-stretch.list` with the following content:
+
+```
+deb [arch=arm64] https://download.docker.com/linux/debian	stretch	stable
+```
+
+Include the layer in your project.
+
+To the local.conf add:
+
+```
+IMAGE_PREINSTALL += "docker-ce"
+THIRD_PARTY_APT_KEYS_append = " https://download.docker.com/linux/debian/gpg;md5sum=1afae06b34a13c1b3d9cb61a26285a15"
+DISTRO_APT_SOURCES_append = " conf/distro/docker-stretch.list"
+```
+
+And build the corresponding image target:
+
+```
+bitbake multiconfig:qemuarm64-stretch:isar-image-base
+```
-- 
2.21.0

Re: [PATCH v9 0/5] Fix usage of additional apt keys and repos

[Maxim Yu. Osipov]

[-- Attachment #1: Type: text/plain, Size: 6700 bytes --]

Hi Andreas,

I've tested your series (with the docker use-case example you described 
in last patch in series). It works as described in the default case - 
without local apt caching enabled.

I've tested it with with signed local apt caching feature enabled.

The first stage - creation of local repo passed OK -

bitbake -c cache_base_repo multiconfig:qemuarm64-stretch:isar-image-base

But on the second stage the build failed (see log below).

I've double checked 'signed local apt caching feature' works fine in the 
current 'next'.

My local.conf is attached for convenience.

Regards,
Maxim.

=============

  bitbake multiconfig:qemuarm64-stretch:isar-image-base
Parsing recipes: 100% 
|#######################################################################################################################################################################################################| 
Time: 0:00:03
Parsing of 26 .bb files complete (0 cached, 26 parsed). 390 targets, 0 
skipped, 0 masked, 0 errors.
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
NOTE: Resolving any missing task queue dependencies
Initialising tasks: 100% 
|####################################################################################################################################################################################################| 
Time: 0:00:04
NOTE: Executing RunQueue Tasks
ERROR: mc:qemuarm64-stretch:isar-bootstrap-host-1.0-r0 do_bootstrap: 
Function failed: do_bootstrap (log file is located at 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651)
ERROR: mc:qemuarm64-stretch:isar-bootstrap-target-1.0-r0 do_bootstrap: 
Function failed: do_bootstrap (log file is located at 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652)
ERROR: Logfile of failure stored in: 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651
Log data follows:
| DEBUG: Executing shell function do_bootstrap
| W: Target architecture is the same as host architecture; disabling 
QEMU support
| I: Running command: debootstrap --arch amd64 --verbose 
--variant=minbase --include=locales,gnupg2 
--components=main,contrib,non-free stretch 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/rootfs 
file:////home/myo/work/isar/src/trunk/isar/build/downloads/base-apt/apt/debian
| I: Retrieving InRelease
| I: Checking Release signature
| E: Release signed by unknown key (key id 75CB2BE443564A84)
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_bootstrap (log file is located at 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651)
ERROR: Task 
(multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb:do_bootstrap) 
failed with exit code '1'
ERROR: Logfile of failure stored in: 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652
Log data follows:
| DEBUG: Executing shell function do_bootstrap
| I: Running command: debootstrap --arch arm64 --foreign --verbose 
--variant=minbase 
--include=locales,gnupg2,apt-transport-https,ca-certificates 
--components=main,contrib,non-free stretch 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/rootfs 
file:////home/myo/work/isar/src/trunk/isar/build/downloads/base-apt/apt/debian
| I: Retrieving InRelease
| I: Checking Release signature
| E: Release signed by unknown key (key id 75CB2BE443564A84)
| WARNING: exit code 1 from a shell command.
| ERROR: Function failed: do_bootstrap (log file is located at 
/home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652)
ERROR: Task 
(multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb:do_bootstrap) 
failed with exit code '1'
NOTE: Tasks Summary: Attempted 53 tasks of which 0 didn't need to be 
rerun and 2 failed.

Summary: 2 tasks failed:
 
multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb:do_bootstrap
 
multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb:do_bootstrap
Summary: There were 2 ERROR messages shown, returning a non-zero exit code.

====





On 4/16/19 3:05 PM, Andreas J. Reichel wrote:
> From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> Diff to v8: No revert, improve docs. Map changes for missing
> raspbian-jessie.conf to raspbian-stretch.conf.
> 
> Last test of BASE_REPO_KEY worked before trivial rebasing.
> 
> Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> 
> Andreas Reichel (5):
>    Simplify and enhance apt-keyring generator
>    Use apt-key to generate keyrings
>    If we use a custom keyring debootstrap may fall to https
>    raspbian-stretch: Use DISTRO_BOOTSTRAP_KEYS
>    docs: Update user_manual.md
> 
>   doc/user_manual.md                            | 41 +++++++-
>   meta-isar/conf/distro/raspbian-stretch.conf   |  2 +-
>   .../conf/multiconfig/qemuamd64-buster.conf    |  1 -
>   meta/conf/bitbake.conf                        |  1 +
>   .../isar-bootstrap/isar-bootstrap-host.bb     |  4 +-
>   .../isar-bootstrap/isar-bootstrap-target.bb   |  4 +-
>   .../isar-bootstrap/isar-bootstrap.inc         | 95 +++++++++++++------
>   7 files changed, 114 insertions(+), 34 deletions(-)
> 


-- 
Maxim Osipov
ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn
Germany
+49 (151) 6517 6917
mosipov@ilbers.de
http://ilbers.de/
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov

[-- Attachment #2: local.conf --]
[-- Type: text/plain, Size: 7354 bytes --]

#
# This file is your local configuration file and is where all local user settings
# are placed. The comments in this file give some guide to the options a new user
# to the system might want to change but pretty much any configuration option can
# be set in this file. More adventurous users can look at local.conf.extended
# which contains other examples of configuration which can be placed in this file
# but new users likely won't need any of them initially.
#
# Lines starting with the '#' character are commented out and in some cases the
# default values are provided as comments to show people example syntax. Enabling
# the option is a question of removing the # character and making any change to the
# variable as required.

#
# Machine Selection
#
# You need to select a specific machine to target the build with. There are a selection
# of emulated machines available which can boot and run in the QEMU emulator:
#
# This sets the default machine to be qemuarm if no other machine is selected:
MACHINE ??= "qemuarm"

#
# Isar Configuration Selection
#
# You need to select a specific distribution configuration which will used for both:
# generation of buildchroot environment and target root filesystem.
#
# This sets the default distribution configuration:
DISTRO ??= "debian-stretch"
DISTRO_ARCH ??= "armhf"

#
# Multiple Configuration Selection
#
# If you want to use multiple configuration files for the build, list them in the
# following option.
#
# This sets the default multiple configurations used:
BBMULTICONFIG = " \
    qemuarm-stretch \
    qemuarm-buster \
    qemuarm64-stretch \
    qemuarm64-buster \
    qemui386-stretch \
    qemui386-buster \
    qemuamd64-stretch \
    bananapi-stretch \
    de0-nano-soc-stretch \
    hikey-stretch \
    qemuamd64-buster \
    qemuamd64-buster-tgz \
    nand-ubi-demo-buster \
    rpi-stretch \
"

#
# Where to place downloads
#
# During a first build the system will download many different source code tarballs
# from various upstream projects. This can take a while, particularly if your network
# connection is slow. These are all stored in DL_DIR. When wiping and rebuilding you
# can preserve this directory to speed up this part of subsequent builds. This directory
# is safe to share between multiple builds on the same machine too.
#
# The default is a downloads directory under TOPDIR which is the build directory.
#
#DL_DIR ?= "${TOPDIR}/downloads"

#
# Where to place shared-state files
#
# BitBake has the capability to accelerate builds based on previously built output.
# This is done using "shared state" files which can be thought of as cache objects
# and this option determines where those files are placed.
#
# You can wipe out TMPDIR leaving this directory intact and the build would regenerate
# from these files if no changes were made to the configuration. If changes were made
# to the configuration, only shared state files where the state was still valid would
# be used (done using checksums).
#
# The default is a sstate-cache directory under TOPDIR.
#
#SSTATE_DIR ?= "${TOPDIR}/sstate-cache"

#
# Where to place the build output
#
# This option specifies where the bulk of the building work should be done and
# where BitBake should place its temporary files and output. Keep in mind that
# this includes the extraction and compilation of many applications and the toolchain
# which can use Gigabytes of hard disk space.
#
# The default is a tmp directory under TOPDIR.
#
#TMPDIR = "${TOPDIR}/tmp"

#
# Interactive shell configuration
#
# Under certain circumstances the system may need input from you and to do this it
# can launch an interactive shell. It needs to do this since the build is
# multithreaded and needs to be able to handle the case where more than one parallel
# process may require the user's attention. The default is iterate over the available
# terminal types to find one that works.
#
# Examples of the occasions this may happen are when resolving patches which cannot
# be applied, to use the devshell or the kernel menuconfig
#
# Supported values are auto, gnome, xfce, rxvt, screen, konsole (KDE 3.x only), none
# Note: currently, Konsole support only works for KDE 3.x due to the way
# newer Konsole versions behave
#OE_TERMINAL = "auto"
# By default disable interactive patch resolution (tasks will just fail instead):
PATCHRESOLVE = "noop"

#
# Disk Space Monitoring during the build
#
# Monitor the disk space during the build. If there is less that 1GB of space or less
# than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
# shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
# of the build. The reason for this is that running completely out of space can corrupt
# files and damages the build in ways which may not be easily recoverable.
# It's necesary to monitor /tmp, if there is no space left the build will fail
# with very exotic errors.
BB_DISKMON_DIRS = "\
    STOPTASKS,${TMPDIR},1G,100K \
    STOPTASKS,${DL_DIR},1G,100K \
    STOPTASKS,${SSTATE_DIR},1G,100K \
    STOPTASKS,/tmp,100M,100K \
    ABORT,${TMPDIR},100M,1K \
    ABORT,${DL_DIR},100M,1K \
    ABORT,${SSTATE_DIR},100M,1K \
    ABORT,/tmp,10M,1K"

#
# Shared-state files from other locations
#
# As mentioned above, shared state files are prebuilt cache data objects which can
# used to accelerate build time. This variable can be used to configure the system
# to search other mirror locations for these objects before it builds the data itself.
#
# This can be a filesystem directory, or a remote url such as http or ftp. These
# would contain the sstate-cache results from previous builds (possibly from other
# machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
# cache locations to check for the shared objects.
# NOTE: if the mirror uses the same structure as SSTATE_DIR, you need to add PATH
# at the end as shown in the examples below. This will be substituted with the
# correct path within the directory structure.
#SSTATE_MIRRORS ?= "\
#file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
#file://.* file:///some/local/dir/sstate/PATH"

# CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
# track the version of this file when it was generated. This can safely be ignored if
# this doesn't mean anything to you.
CONF_VERSION = "1"

#
# The default list of extra packages to be installed.
IMAGE_INSTALL = "hello-isar example-raw example-module-${KERNEL_NAME} enable-fsck"

IMAGE_PREINSTALL += "docker-ce"
THIRD_PARTY_APT_KEYS_append = " https://download.docker.com/linux/debian/gpg;md5sum=1afae06b34a13c1b3d9cb61a26285a15"
DISTRO_APT_SOURCES_append = " conf/distro/docker-stretch.list"

BASE_REPO_KEY = "file:///home/myo/my_pub_key.key"

#
# Enable cross-compilation support
# NOTE: this works on build host >= stretch for armhf, arm64 and amd64 targets for now.
ISAR_CROSS_COMPILE ?= "1"

#
# Uncomment this to enable use of cached base repository
ISAR_USE_CACHED_BASE_REPO ?= "1"

# Set root password to 'root'
# Password was encrypted using following command:
#   mkpasswd -m sha512crypt -R 10000
# mkpasswd is part of the 'whois' package of Debian
CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"

Re: [PATCH v9 0/5] Fix usage of additional apt keys and repos

[Andreas Reichel]

Hi Maxim,

could reproduce it. Fix is on the way. It is a one-liner fix.

Regards
Andreas

On Mon, Apr 22, 2019 at 02:22:24PM +0200, Maxim Yu. Osipov wrote:
> Hi Andreas,
> 
> I've tested your series (with the docker use-case example you described in
> last patch in series). It works as described in the default case - without
> local apt caching enabled.
> 
> I've tested it with with signed local apt caching feature enabled.
> 
> The first stage - creation of local repo passed OK -
> 
> bitbake -c cache_base_repo multiconfig:qemuarm64-stretch:isar-image-base
> 
> But on the second stage the build failed (see log below).
> 
> I've double checked 'signed local apt caching feature' works fine in the
> current 'next'.
> 
> My local.conf is attached for convenience.
> 
> Regards,
> Maxim.
> 
> =============
> 
>  bitbake multiconfig:qemuarm64-stretch:isar-image-base
> Parsing recipes: 100% |#######################################################################################################################################################################################################|
> Time: 0:00:03
> Parsing of 26 .bb files complete (0 cached, 26 parsed). 390 targets, 0
> skipped, 0 masked, 0 errors.
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> NOTE: Resolving any missing task queue dependencies
> Initialising tasks: 100% |####################################################################################################################################################################################################|
> Time: 0:00:04
> NOTE: Executing RunQueue Tasks
> ERROR: mc:qemuarm64-stretch:isar-bootstrap-host-1.0-r0 do_bootstrap:
> Function failed: do_bootstrap (log file is located at /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651)
> ERROR: mc:qemuarm64-stretch:isar-bootstrap-target-1.0-r0 do_bootstrap:
> Function failed: do_bootstrap (log file is located at /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652)
> ERROR: Logfile of failure stored in: /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651
> Log data follows:
> | DEBUG: Executing shell function do_bootstrap
> | W: Target architecture is the same as host architecture; disabling QEMU
> support
> | I: Running command: debootstrap --arch amd64 --verbose --variant=minbase
> --include=locales,gnupg2 --components=main,contrib,non-free stretch /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/rootfs file:////home/myo/work/isar/src/trunk/isar/build/downloads/base-apt/apt/debian
> | I: Retrieving InRelease
> | I: Checking Release signature
> | E: Release signed by unknown key (key id 75CB2BE443564A84)
> | WARNING: exit code 1 from a shell command.
> | ERROR: Function failed: do_bootstrap (log file is located at /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-host-debian-stretch-amd64/temp/log.do_bootstrap.26651)
> ERROR: Task (multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb:do_bootstrap)
> failed with exit code '1'
> ERROR: Logfile of failure stored in: /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652
> Log data follows:
> | DEBUG: Executing shell function do_bootstrap
> | I: Running command: debootstrap --arch arm64 --foreign --verbose
> --variant=minbase
> --include=locales,gnupg2,apt-transport-https,ca-certificates
> --components=main,contrib,non-free stretch /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/rootfs file:////home/myo/work/isar/src/trunk/isar/build/downloads/base-apt/apt/debian
> | I: Retrieving InRelease
> | I: Checking Release signature
> | E: Release signed by unknown key (key id 75CB2BE443564A84)
> | WARNING: exit code 1 from a shell command.
> | ERROR: Function failed: do_bootstrap (log file is located at /home/myo/work/isar/src/trunk/isar/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/temp/log.do_bootstrap.26652)
> ERROR: Task (multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb:do_bootstrap)
> failed with exit code '1'
> NOTE: Tasks Summary: Attempted 53 tasks of which 0 didn't need to be rerun
> and 2 failed.
> 
> Summary: 2 tasks failed:
> 
> multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-host.bb:do_bootstrap
> 
> multiconfig:qemuarm64-stretch:/home/myo/work/isar/src/trunk/isar/meta/recipes-core/isar-bootstrap/isar-bootstrap-target.bb:do_bootstrap
> Summary: There were 2 ERROR messages shown, returning a non-zero exit code.
> 
> ====
> 
> 
> 
> 
> 
> On 4/16/19 3:05 PM, Andreas J. Reichel wrote:
> > From: Andreas Reichel <andreas.reichel.ext@siemens.com>
> > 
> > Diff to v8: No revert, improve docs. Map changes for missing
> > raspbian-jessie.conf to raspbian-stretch.conf.
> > 
> > Last test of BASE_REPO_KEY worked before trivial rebasing.
> > 
> > Signed-off-by: Andreas Reichel <andreas.reichel.ext@siemens.com>
> > 
> > Andreas Reichel (5):
> >    Simplify and enhance apt-keyring generator
> >    Use apt-key to generate keyrings
> >    If we use a custom keyring debootstrap may fall to https
> >    raspbian-stretch: Use DISTRO_BOOTSTRAP_KEYS
> >    docs: Update user_manual.md
> > 
> >   doc/user_manual.md                            | 41 +++++++-
> >   meta-isar/conf/distro/raspbian-stretch.conf   |  2 +-
> >   .../conf/multiconfig/qemuamd64-buster.conf    |  1 -
> >   meta/conf/bitbake.conf                        |  1 +
> >   .../isar-bootstrap/isar-bootstrap-host.bb     |  4 +-
> >   .../isar-bootstrap/isar-bootstrap-target.bb   |  4 +-
> >   .../isar-bootstrap/isar-bootstrap.inc         | 95 +++++++++++++------
> >   7 files changed, 114 insertions(+), 34 deletions(-)
> > 
> 
> 
> -- 
> Maxim Osipov
> ilbers GmbH
> Maria-Merian-Str. 8
> 85521 Ottobrunn
> Germany
> +49 (151) 6517 6917
> mosipov@ilbers.de
> http://ilbers.de/
> Commercial register Munich, HRB 214197
> General Manager: Baurzhan Ismagulov

> #
> # This file is your local configuration file and is where all local user settings
> # are placed. The comments in this file give some guide to the options a new user
> # to the system might want to change but pretty much any configuration option can
> # be set in this file. More adventurous users can look at local.conf.extended
> # which contains other examples of configuration which can be placed in this file
> # but new users likely won't need any of them initially.
> #
> # Lines starting with the '#' character are commented out and in some cases the
> # default values are provided as comments to show people example syntax. Enabling
> # the option is a question of removing the # character and making any change to the
> # variable as required.
> 
> #
> # Machine Selection
> #
> # You need to select a specific machine to target the build with. There are a selection
> # of emulated machines available which can boot and run in the QEMU emulator:
> #
> # This sets the default machine to be qemuarm if no other machine is selected:
> MACHINE ??= "qemuarm"
> 
> #
> # Isar Configuration Selection
> #
> # You need to select a specific distribution configuration which will used for both:
> # generation of buildchroot environment and target root filesystem.
> #
> # This sets the default distribution configuration:
> DISTRO ??= "debian-stretch"
> DISTRO_ARCH ??= "armhf"
> 
> #
> # Multiple Configuration Selection
> #
> # If you want to use multiple configuration files for the build, list them in the
> # following option.
> #
> # This sets the default multiple configurations used:
> BBMULTICONFIG = " \
>     qemuarm-stretch \
>     qemuarm-buster \
>     qemuarm64-stretch \
>     qemuarm64-buster \
>     qemui386-stretch \
>     qemui386-buster \
>     qemuamd64-stretch \
>     bananapi-stretch \
>     de0-nano-soc-stretch \
>     hikey-stretch \
>     qemuamd64-buster \
>     qemuamd64-buster-tgz \
>     nand-ubi-demo-buster \
>     rpi-stretch \
> "
> 
> #
> # Where to place downloads
> #
> # During a first build the system will download many different source code tarballs
> # from various upstream projects. This can take a while, particularly if your network
> # connection is slow. These are all stored in DL_DIR. When wiping and rebuilding you
> # can preserve this directory to speed up this part of subsequent builds. This directory
> # is safe to share between multiple builds on the same machine too.
> #
> # The default is a downloads directory under TOPDIR which is the build directory.
> #
> #DL_DIR ?= "${TOPDIR}/downloads"
> 
> #
> # Where to place shared-state files
> #
> # BitBake has the capability to accelerate builds based on previously built output.
> # This is done using "shared state" files which can be thought of as cache objects
> # and this option determines where those files are placed.
> #
> # You can wipe out TMPDIR leaving this directory intact and the build would regenerate
> # from these files if no changes were made to the configuration. If changes were made
> # to the configuration, only shared state files where the state was still valid would
> # be used (done using checksums).
> #
> # The default is a sstate-cache directory under TOPDIR.
> #
> #SSTATE_DIR ?= "${TOPDIR}/sstate-cache"
> 
> #
> # Where to place the build output
> #
> # This option specifies where the bulk of the building work should be done and
> # where BitBake should place its temporary files and output. Keep in mind that
> # this includes the extraction and compilation of many applications and the toolchain
> # which can use Gigabytes of hard disk space.
> #
> # The default is a tmp directory under TOPDIR.
> #
> #TMPDIR = "${TOPDIR}/tmp"
> 
> #
> # Interactive shell configuration
> #
> # Under certain circumstances the system may need input from you and to do this it
> # can launch an interactive shell. It needs to do this since the build is
> # multithreaded and needs to be able to handle the case where more than one parallel
> # process may require the user's attention. The default is iterate over the available
> # terminal types to find one that works.
> #
> # Examples of the occasions this may happen are when resolving patches which cannot
> # be applied, to use the devshell or the kernel menuconfig
> #
> # Supported values are auto, gnome, xfce, rxvt, screen, konsole (KDE 3.x only), none
> # Note: currently, Konsole support only works for KDE 3.x due to the way
> # newer Konsole versions behave
> #OE_TERMINAL = "auto"
> # By default disable interactive patch resolution (tasks will just fail instead):
> PATCHRESOLVE = "noop"
> 
> #
> # Disk Space Monitoring during the build
> #
> # Monitor the disk space during the build. If there is less that 1GB of space or less
> # than 100K inodes in any key build location (TMPDIR, DL_DIR, SSTATE_DIR), gracefully
> # shutdown the build. If there is less that 100MB or 1K inodes, perform a hard abort
> # of the build. The reason for this is that running completely out of space can corrupt
> # files and damages the build in ways which may not be easily recoverable.
> # It's necesary to monitor /tmp, if there is no space left the build will fail
> # with very exotic errors.
> BB_DISKMON_DIRS = "\
>     STOPTASKS,${TMPDIR},1G,100K \
>     STOPTASKS,${DL_DIR},1G,100K \
>     STOPTASKS,${SSTATE_DIR},1G,100K \
>     STOPTASKS,/tmp,100M,100K \
>     ABORT,${TMPDIR},100M,1K \
>     ABORT,${DL_DIR},100M,1K \
>     ABORT,${SSTATE_DIR},100M,1K \
>     ABORT,/tmp,10M,1K"
> 
> #
> # Shared-state files from other locations
> #
> # As mentioned above, shared state files are prebuilt cache data objects which can
> # used to accelerate build time. This variable can be used to configure the system
> # to search other mirror locations for these objects before it builds the data itself.
> #
> # This can be a filesystem directory, or a remote url such as http or ftp. These
> # would contain the sstate-cache results from previous builds (possibly from other
> # machines). This variable works like fetcher MIRRORS/PREMIRRORS and points to the
> # cache locations to check for the shared objects.
> # NOTE: if the mirror uses the same structure as SSTATE_DIR, you need to add PATH
> # at the end as shown in the examples below. This will be substituted with the
> # correct path within the directory structure.
> #SSTATE_MIRRORS ?= "\
> #file://.* http://someserver.tld/share/sstate/PATH;downloadfilename=PATH \n \
> #file://.* file:///some/local/dir/sstate/PATH"
> 
> # CONF_VERSION is increased each time build/conf/ changes incompatibly and is used to
> # track the version of this file when it was generated. This can safely be ignored if
> # this doesn't mean anything to you.
> CONF_VERSION = "1"
> 
> #
> # The default list of extra packages to be installed.
> IMAGE_INSTALL = "hello-isar example-raw example-module-${KERNEL_NAME} enable-fsck"
> 
> IMAGE_PREINSTALL += "docker-ce"
> THIRD_PARTY_APT_KEYS_append = " https://download.docker.com/linux/debian/gpg;md5sum=1afae06b34a13c1b3d9cb61a26285a15"
> DISTRO_APT_SOURCES_append = " conf/distro/docker-stretch.list"
> 
> BASE_REPO_KEY = "file:///home/myo/my_pub_key.key"
> 
> #
> # Enable cross-compilation support
> # NOTE: this works on build host >= stretch for armhf, arm64 and amd64 targets for now.
> ISAR_CROSS_COMPILE ?= "1"
> 
> #
> # Uncomment this to enable use of cached base repository
> ISAR_USE_CACHED_BASE_REPO ?= "1"
> 
> # Set root password to 'root'
> # Password was encrypted using following command:
> #   mkpasswd -m sha512crypt -R 10000
> # mkpasswd is part of the 'whois' package of Debian
> CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"


-- 
Andreas Reichel
Dipl.-Phys. (Univ.)
Software Consultant

Andreas.Reichel@tngtech.com, +49-174-3180074
TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring
Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller
Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082