From: Anton Mikanovich <amikan@ilbers.de>
To: isar-users@googlegroups.com
Cc: Anton Mikanovich <amikan@ilbers.de>
Subject: [PATCH v4 10/21] meta: mark network and sudo tasks
Date: Fri, 5 Aug 2022 16:10:24 +0300 [thread overview]
Message-ID: <20220805131035.22844-11-amikan@ilbers.de> (raw)
In-Reply-To: <20220805131035.22844-1-amikan@ilbers.de>
Network access from tasks is now disabled by default. This means that
tasks accessing the network need to be marked as such with the network
flag.
The same marking is also required for the tasks used sudo.
Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
meta/classes/base.bbclass | 1 +
meta/classes/dpkg-base.bbclass | 5 +++++
meta/classes/image-locales-extension.bbclass | 2 ++
meta/classes/image-tools-extension.bbclass | 1 +
meta/classes/image.bbclass | 4 ++++
meta/classes/imagetypes_container.bbclass | 1 +
meta/classes/imagetypes_wic.bbclass | 1 +
meta/classes/rootfs.bbclass | 5 +++++
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++
9 files changed, 22 insertions(+)
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 17dfeab..07277e2 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -181,6 +181,7 @@ def isar_export_ccache(d):
do_fetch[dirs] = "${DL_DIR}"
do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
do_fetch[vardeps] += "SRCREV"
+do_fetch[network] = "1"
# Fetch package from the source link
python do_fetch() {
diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index 64f0c26..8158fd0 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -122,6 +122,7 @@ do_apt_fetch() {
addtask apt_fetch
do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_apt_fetch[network] = "1"
# Add dependency from the correct buildchroot: host or target
do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
@@ -129,6 +130,7 @@ do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
# Add dependency from the correct schroot: host or target
do_apt_fetch[depends] += "${SCHROOT_DEP}"
+do_apt_unpack[network] = "1"
do_apt_unpack() {
rm -rf ${S}
schroot_create_configs
@@ -242,6 +244,7 @@ def isar_export_build_settings(d):
os.environ['DEB_BUILD_OPTIONS'] = isar_deb_build_options(d)
os.environ['DEB_BUILD_PROFILES'] = isar_deb_build_profiles(d)
+do_dpkg_build[network] = "1"
python do_dpkg_build() {
bb.build.exec_func('schroot_create_configs', d)
try:
@@ -336,6 +339,7 @@ addtask devshell after do_prepare_build
DEVSHELL_STARTDIR ?= "${S}"
do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
do_devshell[nostamp] = "1"
+do_devshell[network] = "1"
python do_devshell_nodeps() {
bb.build.exec_func('do_devshell', d)
@@ -346,3 +350,4 @@ python do_devshell_nodeps() {
addtask devshell_nodeps after do_prepare_build
do_devshell_nodeps[dirs] = "${DEVSHELL_STARTDIR}"
do_devshell_nodeps[nostamp] = "1"
+do_devshell_nodeps[network] = "1"
diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass
index 25af540..e4f41a6 100644
--- a/meta/classes/image-locales-extension.bbclass
+++ b/meta/classes/image-locales-extension.bbclass
@@ -27,6 +27,7 @@ def get_nopurge(d):
ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
image_install_localepurge_download[weight] = "40"
+image_install_localepurge_download[network] = "1"
image_install_localepurge_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge
@@ -34,6 +35,7 @@ image_install_localepurge_download() {
ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
image_install_localepurge_install[weight] = "700"
+image_install_localepurge_install[network] = "1"
image_install_localepurge_install() {
# Generate locale and localepurge configuration:
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index b996813..c979c3c 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -17,6 +17,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}"
do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config"
do_install_imager_deps[deptask] = "do_deploy_deb"
do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_install_imager_deps[network] = "1"
do_install_imager_deps() {
if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then
exit
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 0688b02..59921c9 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -291,6 +291,7 @@ python() {
task = 'do_image_%s' % bt_clean
d.setVar(task, '\n'.join(cmds))
d.setVarFlag(task, 'func', '1')
+ d.setVarFlag(task, 'network', '1')
d.appendVarFlag(task, 'prefuncs', ' set_image_size')
d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps))
d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude))
@@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}"
do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}"
do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock"
+do_copy_boot_files[network] = "1"
do_copy_boot_files() {
kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])"
if [ ! -f "$kernel" ]; then
@@ -393,6 +395,7 @@ python do_deploy() {
}
addtask deploy before do_build after do_image
+do_rootfs_finalize[network] = "1"
do_rootfs_finalize() {
sudo -s <<'EOSUDO'
set -e
@@ -436,6 +439,7 @@ addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
ROOTFS_QA_FIND_ARGS ?= ""
+do_rootfs_quality_check[network] = "1"
do_rootfs_quality_check() {
rootfs_install_stamp=$( ls -1 "${STAMP}".do_rootfs_install* | head -1 )
test -f "$rootfs_install_stamp"
diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass
index 436a005..ba09beb 100644
--- a/meta/classes/imagetypes_container.bbclass
+++ b/meta/classes/imagetypes_container.bbclass
@@ -19,6 +19,7 @@ python() {
t_clean = t.replace('-', '_').replace('.', '_')
d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t)
d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}')
+ d.appendVarFlag('do_containerize', 'network', '1')
bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d)
}
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index 61a74d4..dd2268f 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -133,6 +133,7 @@ python do_rootfs_wicenv () {
addtask do_rootfs_wicenv after do_rootfs before do_image_wic
do_rootfs_wicenv[vardeps] += "${WICVARS}"
do_rootfs_wicenv[prefuncs] = 'set_image_size'
+do_rootfs_wicenv[network] = "1"
check_for_wic_warnings() {
WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)"
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index bbb5ac0..cd827bd 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -118,6 +118,7 @@ EOSUDO
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update"
rootfs_install_pkgs_update[weight] = "5"
rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
+rootfs_install_pkgs_update[network] = "1"
rootfs_install_pkgs_update() {
sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
-o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
@@ -143,6 +144,7 @@ rootfs_import_package_cache() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
rootfs_install_pkgs_download[weight] = "600"
rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
+rootfs_install_pkgs_download[network] = "1"
rootfs_install_pkgs_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
@@ -166,6 +168,7 @@ rootfs_install_clean_files() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install"
rootfs_install_pkgs_install[weight] = "8000"
+rootfs_install_pkgs_install[network] = "1"
rootfs_install_pkgs_install() {
sudo -E chroot "${ROOTFSDIR}" \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
@@ -176,6 +179,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM
do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS"
do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build"
do_rootfs_install[recrdeptask] = "do_deploy_deb"
+do_rootfs_install[network] = "1"
python do_rootfs_install() {
configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split()
install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split()
@@ -268,6 +272,7 @@ rootfs_export_dpkg_status() {
}
do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}"
+do_rootfs_postprocess[network] = "1"
python do_rootfs_postprocess() {
# Take care that its correctly mounted:
bb.build.exec_func('rootfs_do_mounts', d)
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 604cd24..e8831b0 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -222,6 +222,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
do_generate_keyrings[dirs] = "${DL_DIR}"
do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings[network] = "1"
do_generate_keyrings() {
if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
chmod 777 "${APT_KEYS_DIR}"
@@ -277,6 +278,7 @@ do_bootstrap[vardeps] += " \
"
do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}"
do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_bootstrap[network] = "1"
do_bootstrap() {
if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then
--
2.17.1
next prev parent reply other threads:[~2022-08-05 13:11 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-05 13:10 [PATCH v4 00/21] Migrate to Bitbake 2.0 Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 01/21] meta: change deprecated parse calls Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 02/21] scripts/contrib: Add override conversion script Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 03/21] scripts/contrib: configure " Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 04/21] meta-isar: set default branch names Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 05/21] meta: remove non recommended syntax Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 06/21] bitbake: Update to Bitbake 2.0.1 Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 07/21] doc: require zstd tool Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 08/21] meta: update bitbake variables Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 09/21] bitbake.conf: align hash vars with openembedded Anton Mikanovich
2022-08-05 13:21 ` Anton Mikanovich
2022-08-08 6:40 ` Schmidt, Adriaan
2022-08-05 13:10 ` Anton Mikanovich [this message]
2022-08-05 13:29 ` [PATCH v4 10/21] meta: mark network and sudo tasks Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 11/21] meta: update overrides syntax Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 12/21] sstate: update bbclass Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 13/21] bitbake.conf: declare default XZ and ZSTD options Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 14/21] Revert "devshell: Use different termination test to avoid warnings" Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 15/21] meta: align with OE-core libraries update Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 16/21] Revert "Revert "devshell: Use different termination test to avoid warnings"" Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 17/21] CI: Adopt tests to syntax change Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 18/21] isar-sstate: adopt sstate maintenance script Anton Mikanovich
2022-08-08 6:56 ` Schmidt, Adriaan
2022-08-05 13:10 ` [PATCH v4 19/21] Revert "bitbake: Make 3.6.0 the minimum python version" Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 20/21] Revert "utils/ply: Change md5 usages to work on FIPS enabled hosts" Anton Mikanovich
2022-08-05 13:10 ` [PATCH v4 21/21] RECIPE-API-CHANGELOG: Add tips after bitbake version update Anton Mikanovich
2022-08-10 8:01 ` [PATCH v4 00/21] Migrate to Bitbake 2.0 Henning Schild
2022-08-10 8:42 ` Anton Mikanovich
2022-08-10 15:54 ` Henning Schild
2022-08-10 16:20 ` Henning Schild
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220805131035.22844-11-amikan@ilbers.de \
--to=amikan@ilbers.de \
--cc=isar-users@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox