public inbox for isar-users@googlegroups.com
* [PATCH v2 0/2] Fix possible build errors due to expired root account
@ 2022-05-12 12:04 Quirin Gylstorff
  2022-05-12 12:04 ` [PATCH v2 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff
  2022-05-12 12:04 ` [PATCH v2 2/2] classes/image-account-extension: Add flag to force password change on first login Quirin Gylstorff
  0 siblings, 2 replies; 3+ messages in thread
From: Quirin Gylstorff @ 2022-05-12 12:04 UTC (permalink / raw)
  To: jan.kiszka, isar-users, henning.schild

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This fixes build errors due to expiring/deactivating the root password before
installing packages which create new users.

Changes in V2:
 - add entry RECIPE-API-CHANGELOG.md

Quirin Gylstorff (2):
  classes/image-account-extension:Move account configuration to
    post-process
  classes/image-account-extension: Add flag to force password change on
    first login

 RECIPE-API-CHANGELOG.md                      |  6 ++++++
 doc/user_manual.md                           |  1 +
 meta/classes/image-account-extension.bbclass | 10 +++++++---
 3 files changed, 14 insertions(+), 3 deletions(-)

-- 
2.35.1



* [PATCH v2 1/2] classes/image-account-extension:Move account configuration to post-process
  2022-05-12 12:04 [PATCH v2 0/2] Fix possible build errors due to expired root account Quirin Gylstorff
@ 2022-05-12 12:04 ` Quirin Gylstorff
  2022-05-12 12:04 ` [PATCH v2 2/2] classes/image-account-extension: Add flag to force password change on first login Quirin Gylstorff
  1 sibling, 0 replies; 3+ messages in thread
From: Quirin Gylstorff @ 2022-05-12 12:04 UTC (permalink / raw)
  To: jan.kiszka, isar-users, henning.schild

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If the root account is deactivated during rootfs configuration,
e.g. by setting 'USER_root[expire]="01-01-1970"', the following error
occurs if a package tries to create/modify a user account.

```
Setting up systemd (247.3-7) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service -> /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target -> /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service -> /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Your account has expired; please contact your system administrator.
chfn: PAM: Authentication failure
adduser: `/bin/chfn -f systemd Network Management systemd-network' returned error code 1. Exiting.
dpkg: error processing package systemd (--configure):
installed systemd package post-installation script subprocess returned error exit status 1
Setting up dmsetup (2:1.02.175-2.1) ...
Errors were encountered while processing:
systemd
E: Sub-process /usr/bin/dpkg returned an error code (1)
WARNING: exit code 100 from a shell command.
```

This move also allows /etc/skel modification to be applicable to
all users.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 RECIPE-API-CHANGELOG.md                      | 6 ++++++
 meta/classes/image-account-extension.bbclass | 3 +--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md
index 5913dd27..8996e1b6 100644
--- a/RECIPE-API-CHANGELOG.md
+++ b/RECIPE-API-CHANGELOG.md
@@ -349,3 +349,9 @@ For a list of well-known Debian build profiles and common practices, we refer to
 It was replaced by WIC and no more needed.
 Machines that use `rpi-sdimg` image type should be modified to use `wic` type
 with `rpi-sdimg` wks file instead.
+
+### Handling of variables USERS and GROUPS is moved to image post processing
+
+The user and groups defined by the variables `USERS` and `GROUPS`
+was moved from image configuration to image post processing. The users and
+groups are now created after all packages are installed.
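Review bot: The new changelog paragraph does not say what recipe authors have to change. Since the users and groups are "now created after all packages are installed", any package maintainer script or rootfs configure step that expected the accounts from `USERS` and `GROUPS` to exist earlier will no longer find them, and the entry should state that. The first sentence also needs a grammar fix ("The user and groups ... was moved"); something like "The creation of the users and groups defined by `USERS` and `GROUPS` was moved ..." reads correctly.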
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index c9bebe85..caa962a0 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -58,8 +58,7 @@ IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP', ['gid', 'f
 
 do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}"
 
-ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts"
-image_configure_accounts[weight] = "3"
+ROOTFS_POSTPROCESS_COMMAND += "image_configure_accounts"
 image_configure_accounts() {
     # Create groups
     # Add space to the end of the list:
-- 
2.35.1



* [PATCH v2 2/2] classes/image-account-extension: Add flag to force password change on first login
  2022-05-12 12:04 [PATCH v2 0/2] Fix possible build errors due to expired root account Quirin Gylstorff
  2022-05-12 12:04 ` [PATCH v2 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff
@ 2022-05-12 12:04 ` Quirin Gylstorff
  1 sibling, 0 replies; 3+ messages in thread
From: Quirin Gylstorff @ 2022-05-12 12:04 UTC (permalink / raw)
  To: jan.kiszka, isar-users, henning.schild

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This avoids possible errors if `passwd --expire root` is
set during package installation.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 doc/user_manual.md                           | 1 +
 meta/classes/image-account-extension.bbclass | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/doc/user_manual.md b/doc/user_manual.md
index cdb73224..02874b6d 100644
--- a/doc/user_manual.md
+++ b/doc/user_manual.md
@@ -678,6 +678,7 @@ The `USERS` and `USER_<username>` variable works similar to the `GROUPS` and `GR
    - `system` - `useradd` will be called with `--system`.
    - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password.
    - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it.
+   - `force-passwd-change` - Force the user to change to password on first login.
 
 #### Home directory contents prefilling
 
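Review bot: Typo in the added list entry: "Force the user to change to password" should read "Force the user to change the password on first login." It would also help to mention that the flag is implemented with `passwd --expire`, so readers know the account's password is marked expired in the generated image.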
diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index caa962a0..99de8b0d 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -17,7 +17,7 @@ USERS ??= ""
 #USER_root[home] = "/home/root"
 #USER_root[shell] = "/bin/sh"
 #USER_root[groups] = "audio video"
-#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password"
+#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password force-passwd-change"
 
 GROUPS ??= ""
 
@@ -258,5 +258,10 @@ image_configure_accounts() {
             printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \
                 /usr/sbin/chpasswd $chpasswd_args
         fi
+        if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then
+            echo "Execute passwd to force password change on first boot for \"$name\""
+            sudo -E chroot '${ROOTFSDIR}' \
+                /usr/bin/passwd --expire "$name"
+        fi
     done
 }
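Review bot: The new `passwd --expire` call uses `sudo -E chroot`, while the `chpasswd` call directly above it uses plain `sudo chroot`; `-E` carries the build environment into the privileged command and nothing here needs it, so drop it for consistency. The log message says "first boot" where the flag name, the manual entry and the patch subject say first login. The `${flags%*,force-passwd-change,*}` test only matches when the flag is enclosed in commas on both sides, so please confirm that `flags` is comma-wrapped at this point, including when `force-passwd-change` is the only or the last flag listed.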
-- 
2.35.1

