* [PATCH v3 0/2] Fix possible build errors due to expired root account
@ 2022-05-17 12:37 Quirin Gylstorff
From: Quirin Gylstorff @ 2022-05-17 12:37 UTC
To: jan.kiszka, isar-users, henning.schild

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This fixes build errors due to expiring/deactivating the root password before installing packages which create a new user.

Changes in V2:
- add entry RECIPE-API-CHANGELOG.md

Changes in V3:
- rebase onto 2bf30acc8ee1d3345fecd79777f3d3cb3a0a4d71
- rename function from image_configure_accounts to image_postprocess_accounts
- add exceptions to quality check

Quirin Gylstorff (2):
  classes/image-account-extension:Move account configuration to post-process
  classes/image-account-extension: Add flag to force password change on first login

 RECIPE-API-CHANGELOG.md                      |  6 ++++++
 doc/user_manual.md                           |  1 +
 meta/classes/image-account-extension.bbclass | 12 ++++++++----
 meta/classes/image.bbclass                   |  8 ++++++++
 4 files changed, 23 insertions(+), 4 deletions(-)

--
2.35.1

* [PATCH v3 1/2] classes/image-account-extension:Move account configuration to post-process
@ 2022-05-17 12:37 Quirin Gylstorff
From: Quirin Gylstorff @ 2022-05-17 12:37 UTC
To: jan.kiszka, isar-users, henning.schild

From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

If the root account is deactivated during rootfs configuration, e.g. by setting 'USER_root[expire]="01-01-1970"', the following error occurs if a package tries to create/modify a user account.

```
Setting up systemd (247.3-7) ...
Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service -> /lib/systemd/system/getty@.service.
Created symlink /etc/systemd/system/multi-user.target.wants/remote-fs.target -> /lib/systemd/system/remote-fs.target.
Created symlink /etc/systemd/system/sysinit.target.wants/systemd-pstore.service -> /lib/systemd/system/systemd-pstore.service.
Initializing machine ID from random generator.
Your account has expired; please contact your system administrator.
chfn: PAM: Authentication failure
adduser: `/bin/chfn -f systemd Network Management systemd-network' returned error code 1. Exiting.
dpkg: error processing package systemd (--configure):
 installed systemd package post-installation script subprocess returned error exit status 1
Setting up dmsetup (2:1.02.175-2.1) ...
Errors were encountered while processing:
 systemd
E: Sub-process /usr/bin/dpkg returned an error code (1)
WARNING: exit code 100 from a shell command.
```

This move also allows /etc/skel modification to be applicable to all users.

Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- RECIPE-API-CHANGELOG.md | 6 ++++++ meta/classes/image-account-extension.bbclass | 5 ++--- meta/classes/image.bbclass | 9 +++++++++ 3 files changed, 17 insertions(+), 3 deletions(-) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index f3b30351..d1ed6792 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -397,3 +397,9 @@ New conversions can be added by defining CONVERSION_CMD_type. - the conversions appends its own type, e.g. the output file of a conversion `xz` would be ${IMAGE_FULLNAME}.${type}.xz - a final chown is appended automatically + +### Handling of variables USERS and GROUPS is moved to image post processing + +The user and groups defined by the variables `USERS` and `GROUPS` +was moved from image configuration to image post processing. The users and +groups are now created after all packages are installed. diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass index c9bebe85..c64ba769 100644 --- a/meta/classes/image-account-extension.bbclass +++ b/meta/classes/image-account-extension.bbclass @@ -58,9 +58,8 @@ IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, 'GROUPS', 'GROUP', ['gid', 'f do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}" -ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts" -image_configure_accounts[weight] = "3" -image_configure_accounts() { +ROOTFS_POSTPROCESS_COMMAND += "image_postprocess_accounts" +image_postprocess_accounts() { # Create groups # Add space to the end of the list: list='${@" ".join(d.getVar('IMAGE_ACCOUNTS_GROUPS', True).split())} ' diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index aa6c510c..0da56b7a 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass 
@@ -440,6 +440,15 @@ do_rootfs_quality_check() { args="${args} ! -path ${ROOTFSDIR}/etc/os-release";; image_postprocess_machine_id) args="${args} ! -path ${ROOTFSDIR}/etc/machine-id";; + image_postprocess_accounts) + args="${args} ! -path ${ROOTFSDIR}/etc/passwd \ + ! -path ${ROOTFSDIR}/etc/subgid \ + ! -path ${ROOTFSDIR}/etc/subuid \ + ! -path ${ROOTFSDIR}/etc/shadow- \ + ! -path ${ROOTFSDIR}/etc/gshadow \ + ! -path ${ROOTFSDIR}/etc/shadow \ + ! -path ${ROOTFSDIR}/etc/group" + ;; esac done found=$( sudo find ${ROOTFSDIR} -type f -newer $rootfs_install_stamp $args ) -- 2.35.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
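Review bot: In the RECIPE-API-CHANGELOG.md hunk the new entry does not tell layer maintainers what they have to adapt. It should name the renamed hook (image_configure_accounts becomes image_postprocess_accounts, registered in ROOTFS_POSTPROCESS_COMMAND instead of ROOTFS_CONFIGURE_COMMAND) and say that accounts from `USERS` and `GROUPS` no longer exist while packages are being installed, so a package that expects such an account at install time will not find it. The first sentence also needs a grammar fix: "The user and groups ... was moved" should read along the lines of "The creation of the users and groups defined by `USERS` and `GROUPS` was moved".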
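Review bot: In the image-account-extension.bbclass hunk the unchanged context line `do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} ${IMAGE_ACCOUNTS_USERS}"` still attaches the account variables to do_rootfs_install, although the function now runs from ROOTFS_POSTPROCESS_COMMAND. Please check that a change to USERS or GROUPS still re-triggers the step that actually executes image_postprocess_accounts, and move the vardeps if it does not. The removed `image_configure_accounts[weight] = "3"` has no counterpart after the move, so the commit message should say whether the position of the function among the other post-process commands matters.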
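Review bot: In the do_rootfs_quality_check() hunk the exception list for image_postprocess_accounts covers the account databases in /etc but not the other regular files this step can write after $rootfs_install_stamp. The commit message says the move makes /etc/skel changes apply to all users, which means home directory contents are created in this step, and of the backup copies next to the databases only `/etc/shadow-` is listed, not the ones for passwd, group and gshadow. Since the `find ${ROOTFSDIR} -type f -newer $rootfs_install_stamp $args` at the end of the hunk reports every newer regular file, run the check with a user that has the create-home flag and extend the list with whatever it reports.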
* Re: [PATCH v3 1/2] classes/image-account-extension:Move account configuration to post-process
@ 2022-09-02 9:37 Uladzimir Bely
From: Uladzimir Bely @ 2022-09-02 9:37 UTC
To: isar-users, Quirin Gylstorff

During debugging the downstream I've found that this patch breaks build in case we want to have some specific homedir for 'root'.

E.g., if we have the following in local.conf:

USERS += "root"
USER_root[home] = "/home/root"

it comes to "/usr/sbin/usermod --home /home/root --move-home root" execution under chroot and it fails with an error "usermod: user root is currently used by process NNN", where NNN seems to be PID of 'usermod' itself.

It looks a bit weird to me, because exactly the same thing was executed before the patch was applied, but without any errors.

In default local.conf we don't change default root's homedir, so this issue was not caught earlier.

Any ideas how that could be properly fixed without reverting?

In the email from Tuesday, 17 May 2022 15:37:12 +03 user Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > If the root account is deactivate during rootfs configuration > , e.g. by setting 'USER_root[expire]="01-01-1970"', the following error > occurs if a packages tries to create/modifies a user account. > > ``` > Setting up systemd (247.3-7) ... > Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service -> > /lib/systemd/system/getty@.service. Created symlink > /etc/systemd/system/multi-user.target.wants/remote-fs.target -> > /lib/systemd/system/remote-fs.target. Created symlink > /etc/systemd/system/sysinit.target.wants/systemd-pstore.service -> > /lib/systemd/system/systemd-pstore.service. Initializing machine ID from > random generator. > Your account has expired; please contact your system administrator. > chfn: PAM: Authentication failure > adduser: `/bin/chfn -f systemd Network Management systemd-network' returned > error code 1. Exiting. dpkg: error processing package systemd > (--configure): > installed systemd package post-installation script subprocess returned error > exit status 1 Setting up dmsetup (2:1.02.175-2.1) ... > Errors were encountered while processing: > systemd > E: Sub-process /usr/bin/dpkg returned an error code (1) > WARNING: exit code 100 from a shell command. > ``` > > This move also allows /etc/skel modification to be applicable to > all users. > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > --- > RECIPE-API-CHANGELOG.md | 6 ++++++ > meta/classes/image-account-extension.bbclass | 5 ++--- > meta/classes/image.bbclass | 9 +++++++++ > 3 files changed, 17 insertions(+), 3 deletions(-) > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index f3b30351..d1ed6792 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md 
> @@ -397,3 +397,9 @@ New conversions can be added by defining > CONVERSION_CMD_type. - the conversions appends its own type, e.g. the > output file of a conversion `xz` would be ${IMAGE_FULLNAME}.${type}.xz > - a final chown is appended automatically > + > +### Handling of variables USERS and GROUPS is moved to image post > processing + > +The user and groups defined by the variables `USERS` and `GROUPS` > +was moved from image configuration to image post processing. The users and > +groups are now created after all packages are installed. > diff --git a/meta/classes/image-account-extension.bbclass > b/meta/classes/image-account-extension.bbclass index c9bebe85..c64ba769 > 100644 > --- a/meta/classes/image-account-extension.bbclass > +++ b/meta/classes/image-account-extension.bbclass > @@ -58,9 +58,8 @@ IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, > 'GROUPS', 'GROUP', ['gid', 'f > > do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} > ${IMAGE_ACCOUNTS_USERS}" > > -ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts" > -image_configure_accounts[weight] = "3" > -image_configure_accounts() { > +ROOTFS_POSTPROCESS_COMMAND += "image_postprocess_accounts" > +image_postprocess_accounts() { > # Create groups > # Add space to the end of the list: > list='${@" ".join(d.getVar('IMAGE_ACCOUNTS_GROUPS', True).split())} ' > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > index aa6c510c..0da56b7a 100644 > --- a/meta/classes/image.bbclass > +++ b/meta/classes/image.bbclass 
> @@ -440,6 +440,15 @@ do_rootfs_quality_check() { > args="${args} ! -path ${ROOTFSDIR}/etc/os-release";; > image_postprocess_machine_id) > args="${args} ! -path ${ROOTFSDIR}/etc/machine-id";; > + image_postprocess_accounts) > + args="${args} ! -path ${ROOTFSDIR}/etc/passwd \ > + ! -path ${ROOTFSDIR}/etc/subgid \ > + ! -path ${ROOTFSDIR}/etc/subuid \ > + ! -path ${ROOTFSDIR}/etc/shadow- \ > + ! -path ${ROOTFSDIR}/etc/gshadow \ > + ! -path ${ROOTFSDIR}/etc/shadow \ > + ! -path ${ROOTFSDIR}/etc/group" > + ;; > esac > done > found=$( sudo find ${ROOTFSDIR} -type f -newer $rootfs_install_stamp > $args ) -- Uladzimir Bely ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v3 1/2] classes/image-account-extension:Move account configuration to post-process
@ 2022-09-05 11:01 Uladzimir Bely
From: Uladzimir Bely @ 2022-09-05 11:01 UTC
To: isar-users, Quirin Gylstorff

In the email from Friday, 2 September 2022 12:37:29 +03 user Uladzimir Bely wrote:
> During debugging the downstream I've found that this patch breaks build in
> case we want to have some specific homedir for 'root'.
>
> E.g., if we have the following in local.conf:
>
> USERS += "root"
> USER_root[home] = "/home/root"
>
> it comes to "/usr/sbin/usermod --home /home/root --move-home root" execution
> under chroot and it fails with an error "usermod: user root is currently
> used by process NNN", where NNN seems to be PID of 'usermod' itself.
>
> It looks a bit weird to me, because exactly the same thing was executed
> before the patch was applied, but without any errors.
>
> In default local.conf we don't change default root's homedir, so this issue
> was not caught earlier.
>

After some investigations I found that the issue is related to the mounted "/proc" in case usermod is executed in chroot during "image post processing" stage. This leads to the error when attempting to change the current root's home directory. Earlier, when it was done during "image configuration" stage, "/proc" was not yet mounted and we simply didn't see an error.

> Any ideas how that could be properly fixed without reverting?
>
> In the email from Tuesday, 17 May 2022 15:37:12 +03 user Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > > > If the root account is deactivate during rootfs configuration > > , e.g. by setting 'USER_root[expire]="01-01-1970"', the following error > > occurs if a packages tries to create/modifies a user account. > > > > ``` > > Setting up systemd (247.3-7) ... > > Created symlink /etc/systemd/system/getty.target.wants/getty@tty1.service > > -> /lib/systemd/system/getty@.service. Created symlink > > /etc/systemd/system/multi-user.target.wants/remote-fs.target -> > > /lib/systemd/system/remote-fs.target. Created symlink > > /etc/systemd/system/sysinit.target.wants/systemd-pstore.service -> > > /lib/systemd/system/systemd-pstore.service. Initializing machine ID from > > random generator. > > Your account has expired; please contact your system administrator. > > chfn: PAM: Authentication failure > > adduser: `/bin/chfn -f systemd Network Management systemd-network' > > returned > > error code 1. Exiting. dpkg: error processing package systemd > > (--configure): > > installed systemd package post-installation script subprocess returned > > error exit status 1 Setting up dmsetup (2:1.02.175-2.1) ... > > Errors were encountered while processing: > > systemd > > E: Sub-process /usr/bin/dpkg returned an error code (1) > > WARNING: exit code 100 from a shell command. > > ``` > > > > This move also allows /etc/skel modification to be applicable to > > all users. > > > > Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> > > --- > > > > RECIPE-API-CHANGELOG.md | 6 ++++++ > > meta/classes/image-account-extension.bbclass | 5 ++--- > > meta/classes/image.bbclass | 9 +++++++++ > > 3 files changed, 17 insertions(+), 3 deletions(-) > > > > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > > index f3b30351..d1ed6792 100644 > > --- a/RECIPE-API-CHANGELOG.md > > +++ b/RECIPE-API-CHANGELOG.md 
> > @@ -397,3 +397,9 @@ New conversions can be added by defining > > CONVERSION_CMD_type. - the conversions appends its own type, e.g. the > > output file of a conversion `xz` would be ${IMAGE_FULLNAME}.${type}.xz > > > > - a final chown is appended automatically > > > > + > > +### Handling of variables USERS and GROUPS is moved to image post > > processing + > > +The user and groups defined by the variables `USERS` and `GROUPS` > > +was moved from image configuration to image post processing. The users > > and > > +groups are now created after all packages are installed. > > diff --git a/meta/classes/image-account-extension.bbclass > > b/meta/classes/image-account-extension.bbclass index c9bebe85..c64ba769 > > 100644 > > --- a/meta/classes/image-account-extension.bbclass > > +++ b/meta/classes/image-account-extension.bbclass > > @@ -58,9 +58,8 @@ IMAGE_ACCOUNTS_GROUPS =+ "${@gen_accounts_array(d, > > 'GROUPS', 'GROUP', ['gid', 'f > > > > do_rootfs_install[vardeps] += "${IMAGE_ACCOUNTS_GROUPS} > > > > ${IMAGE_ACCOUNTS_USERS}" > > > > -ROOTFS_CONFIGURE_COMMAND += "image_configure_accounts" > > -image_configure_accounts[weight] = "3" > > -image_configure_accounts() { > > +ROOTFS_POSTPROCESS_COMMAND += "image_postprocess_accounts" > > +image_postprocess_accounts() { > > > > # Create groups > > # Add space to the end of the list: > > list='${@" ".join(d.getVar('IMAGE_ACCOUNTS_GROUPS', True).split())} ' > > > > diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass > > index aa6c510c..0da56b7a 100644 > > --- a/meta/classes/image.bbclass > > +++ b/meta/classes/image.bbclass 
> > @@ -440,6 +440,15 @@ do_rootfs_quality_check() { > > > > args="${args} ! -path ${ROOTFSDIR}/etc/os-release";; > > > > image_postprocess_machine_id) > > > > args="${args} ! -path ${ROOTFSDIR}/etc/machine-id";; > > > > + image_postprocess_accounts) > > + args="${args} ! -path ${ROOTFSDIR}/etc/passwd \ > > + ! -path ${ROOTFSDIR}/etc/subgid \ > > + ! -path ${ROOTFSDIR}/etc/subuid \ > > + ! -path ${ROOTFSDIR}/etc/shadow- \ > > + ! -path ${ROOTFSDIR}/etc/gshadow \ > > + ! -path ${ROOTFSDIR}/etc/shadow \ > > + ! -path ${ROOTFSDIR}/etc/group" > > + ;; > > > > esac > > > > done > > found=$( sudo find ${ROOTFSDIR} -type f -newer $rootfs_install_stamp > > > > $args ) -- Uladzimir Bely ^ permalink raw reply [flat|nested] 6+ messages in thread
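The failure reported in the reply above depends on whether /proc is visible inside the chroot when the account is modified. The following is an added example, not code from the thread, from Isar or from usermod: it approximates such an "in use" check under the assumption that it looks for processes with the user's UID under /proc, and the function names and the fake process trees are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not code from Isar or from the usermod sources.
# Assumption: "user is currently used by process" comes from finding a
# process with the user's UID under the /proc visible to the tool.

# busy_pids PROC_DIR UID
# Print every PID under PROC_DIR whose real UID (first value on the
# "Uid:" line of PID/status) equals UID.
busy_pids() {
    proc_dir=$1
    want_uid=$2
    for status in "$proc_dir"/[0-9]*/status; do
        # Without a mounted /proc there are no numeric entries and the
        # glob stays literal, so nothing is readable and nothing matches.
        [ -r "$status" ] || continue
        uid=$(awk '$1 == "Uid:" { print $2; exit }' "$status")
        if [ "$uid" = "$want_uid" ]; then
            pid_dir=${status%/status}
            echo "${pid_dir##*/}"
        fi
    done
}

# can_modify_user PROC_DIR UID
# Return 0 when no process of UID is visible, 1 otherwise.
can_modify_user() {
    pids=$(busy_pids "$1" "$2" | tr '\n' ' ')
    if [ -n "$pids" ]; then
        echo "uid $2 is currently used by process(es): $pids" >&2
        return 1
    fi
    return 0
}

# make_fake_proc DIR "PID:UID" ...
# Build a constructed /proc look-alike for the demo.
make_fake_proc() {
    dir=$1
    shift
    for entry in "$@"; do
        pid=${entry%%:*}
        uid=${entry##*:}
        mkdir -p "$dir/$pid"
        printf 'Name:\tsample\nUid:\t%s\t%s\t%s\t%s\n' \
            "$uid" "$uid" "$uid" "$uid" > "$dir/$pid/status"
    done
}

demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/config_stage"    # chroot without /proc mounted
    make_fake_proc "$tmp/postprocess_stage" 1:0 300:1000 4242:0
    for stage in config_stage postprocess_stage; do
        if can_modify_user "$tmp/$stage" 0 2>/dev/null; then
            echo "$stage: no process of uid 0 visible, check passes"
        else
            echo "$stage: uid 0 busy: $(busy_pids "$tmp/$stage" 0 | tr '\n' ' ')"
        fi
    done
    rm -rf "$tmp"
}

demo
```

With an empty process directory the check passes even though processes of that user are running, which matches the observation that the same usermod call raised no error before /proc was mounted.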
* [PATCH v3 2/2] classes/image-account-extension: Add flag to force password change on first login 2022-05-17 12:37 [PATCH v3 0/2] Fix possible build errors due to expired root account Quirin Gylstorff 2022-05-17 12:37 ` [PATCH v3 1/2] classes/image-account-extension:Move account configuration to post-process Quirin Gylstorff @ 2022-05-17 12:37 ` Quirin Gylstorff 2022-05-25 6:17 ` [PATCH v3 0/2] Fix possible build errors due to expired root account Anton Mikanovich 2 siblings, 0 replies; 6+ messages in thread From: Quirin Gylstorff @ 2022-05-17 12:37 UTC (permalink / raw) To: jan.kiszka, isar-users, henning.schild From: Quirin Gylstorff <quirin.gylstorff@siemens.com> This avoids possible errors if `passwd --expire root` is set during package installation. Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com> --- doc/user_manual.md | 1 + meta/classes/image-account-extension.bbclass | 7 ++++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/doc/user_manual.md b/doc/user_manual.md index cdb73224..02874b6d 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md @@ -678,6 +678,7 @@ The `USERS` and `USER_<username>` variable works similar to the `GROUPS` and `GR - `system` - `useradd` will be called with `--system`. - `allow-empty-password` - Even if the `password` flag is empty, it will still be set. This results in a login without password. - `clear-text-password` - The `password` flag of the given user contains a clear-text password and not an encrypted version of it. + - `force-passwd-change` - Force the user to change to password on first login. #### Home directory contents prefilling diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass index c64ba769..70950a7b 100644 --- a/meta/classes/image-account-extension.bbclass +++ b/meta/classes/image-account-extension.bbclass 
@@ -17,7 +17,7 @@ USERS ??= "" #USER_root[home] = "/home/root" #USER_root[shell] = "/bin/sh" #USER_root[groups] = "audio video" -#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password" +#USER_root[flags] = "no-create-home create-home system allow-empty-password clear-text-password force-passwd-change" GROUPS ??= "" @@ -258,5 +258,10 @@ image_postprocess_accounts() { printf '%s:%s' "$name" "$password" | sudo chroot '${ROOTFSDIR}' \ /usr/sbin/chpasswd $chpasswd_args fi + if [ "${flags}" != "${flags%*,force-passwd-change,*}" ]; then + echo "Execute passwd to force password change on first boot for \"$name\"" + sudo -E chroot '${ROOTFSDIR}' \ + /usr/bin/passwd --expire "$name" + fi done } -- 2.35.1 ^ permalink raw reply [flat|nested] 6+ messages in thread
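Review bot: In the doc/user_manual.md hunk the new flag description has a typo, "Force the user to change to password" should read "Force the user to change the password". It would also help to state that the flag runs `passwd --expire` for the user after the password has been set, so readers know the configured password stays valid until that first login.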
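Review bot: In the image_postprocess_accounts() hunk the new call uses `sudo -E chroot` while the chpasswd call directly above uses plain `sudo chroot`; -E carries the build environment into the chroot and nothing in `/usr/bin/passwd --expire "$name"` needs it, so drop it or explain it in a comment. The echo text says "first boot" where the flag documentation and the subject line say "first login"; use one term. The new block also runs whether or not the password branch closed by the `fi` above it was taken, so document what the flag does for a user that has no password set.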
* Re: [PATCH v3 0/2] Fix possible build errors due to expired root account
@ 2022-05-25 6:17 Anton Mikanovich
From: Anton Mikanovich @ 2022-05-25 6:17 UTC
To: Quirin Gylstorff, jan.kiszka, isar-users, henning.schild

17.05.2022 15:37, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This fixes build errors due to expiring/deactivating the root password before
> installing packages which create a new user.
>
> Changes in V2:
> - add entry RECIPE-API-CHANGELOG.md
>
> Changes in V3:
> - rebase onto 2bf30acc8ee1d3345fecd79777f3d3cb3a0a4d71
> - rename function from image_configure_accounts to image_postprocess_accounts
> - add exceptions to quality check
>
> Quirin Gylstorff (2):
>   classes/image-account-extension:Move account configuration to
>     post-process
>   classes/image-account-extension: Add flag to force password change on
>     first login
>
>  RECIPE-API-CHANGELOG.md                      |  6 ++++++
>  doc/user_manual.md                           |  1 +
>  meta/classes/image-account-extension.bbclass | 12 ++++++++----
>  meta/classes/image.bbclass                   |  8 ++++++++
>  4 files changed, 23 insertions(+), 4 deletions(-)
>

Applied to next, thanks.