From: Anton Mikanovich <amikan@ilbers.de>
To: isar-users@googlegroups.com
Cc: Anton Mikanovich <amikan@ilbers.de>
Subject: [PATCH v7 09/20] meta: mark network and sudo tasks
Date: Tue, 27 Dec 2022 10:00:28 +0300 [thread overview]
Message-ID: <20221227070039.23496-10-amikan@ilbers.de> (raw)
In-Reply-To: <20221227070039.23496-1-amikan@ilbers.de>
Network access from tasks is now disabled by default. This means that
tasks accessing the network need to be marked as such with the network
flag.
The same marking is also required for tasks that use sudo.
Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
meta/classes/base.bbclass | 1 +
meta/classes/dpkg-base.bbclass | 5 +++++
meta/classes/image-locales-extension.bbclass | 2 ++
meta/classes/image-tools-extension.bbclass | 1 +
meta/classes/image.bbclass | 4 ++++
meta/classes/imagetypes_container.bbclass | 1 +
meta/classes/imagetypes_wic.bbclass | 1 +
meta/classes/rootfs.bbclass | 5 +++++
meta/conf/bitbake.conf | 6 ++++++
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++
10 files changed, 28 insertions(+)
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 8c874f31..972eefe3 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -183,6 +183,7 @@ def isar_export_ccache(d):
do_fetch[dirs] = "${DL_DIR}"
do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
do_fetch[vardeps] += "SRCREV"
+do_fetch[network] = "${TASK_USE_NETWORK}"
# Fetch package from the source link
python do_fetch() {
diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index 260aa73e..e12f76c2 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -122,6 +122,7 @@ do_apt_fetch() {
addtask apt_fetch
do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_apt_fetch[network] = "${TASK_USE_NETWORK_AND_SUDO}"
# Add dependency from the correct buildchroot: host or target
do_apt_fetch[depends] += "${BUILDCHROOT_DEP}"
@@ -151,6 +152,7 @@ do_apt_unpack() {
done
schroot_delete_configs
}
+do_apt_unpack[network] = "${TASK_USE_SUDO}"
addtask apt_unpack after do_apt_fetch
@@ -249,6 +251,7 @@ python do_dpkg_build() {
finally:
bb.build.exec_func('schroot_delete_configs', d)
}
+do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}"
addtask dpkg_build
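Review bot: `do_dpkg_build[network]` opens the network for the whole package build task, and nothing on this line says which step needs it. With the flag set, whatever upstream build scripts this task runs can reach the network, which weakens the isolation the new default is meant to provide. The task body is outside this hunk, so which step needs network is an assumption to confirm; if it is only build-dependency installation, a comment such as `# network: required for <step to confirm>; the package build itself should not fetch anything` would let the flag be dropped later. The same applies to `do_apt_fetch[network]` in the first hunk of this file.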
@@ -292,6 +295,7 @@ deb_clean() {
}
# the clean function modifies isar-apt
do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock"
+do_clean[network] = "${TASK_USE_SUDO}"
do_deploy_deb() {
deb_clean
@@ -343,6 +347,7 @@ addtask devshell after do_prepare_build
DEVSHELL_STARTDIR ?= "${S}"
do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
do_devshell[nostamp] = "1"
+do_devshell[network] = "${TASK_USE_SUDO}"
python do_devshell_nodeps() {
bb.build.exec_func('do_devshell', d)
diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass
index 0932630f..65b9ac80 100644
--- a/meta/classes/image-locales-extension.bbclass
+++ b/meta/classes/image-locales-extension.bbclass
@@ -27,6 +27,7 @@ def get_nopurge(d):
ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
image_install_localepurge_download[weight] = "40"
+image_install_localepurge_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
image_install_localepurge_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge
@@ -34,6 +35,7 @@ image_install_localepurge_download() {
ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
image_install_localepurge_install[weight] = "700"
+image_install_localepurge_install[network] = "${TASK_USE_NETWORK_AND_SUDO}"
image_install_localepurge_install() {
# Generate locale and localepurge configuration:
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 101704d0..2d3dda4f 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}"
do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config"
do_install_imager_deps[deptask] = "do_deploy_deb"
do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_install_imager_deps[network] = "${TASK_USE_NETWORK_AND_SUDO}"
do_install_imager_deps() {
if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then
exit
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 629a0c1d..b0763a12 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -291,6 +291,7 @@ python() {
task = 'do_image_%s' % bt_clean
d.setVar(task, '\n'.join(cmds))
d.setVarFlag(task, 'func', '1')
+ d.setVarFlag(task, 'network', localdata.expand('${TASK_USE_SUDO}'))
d.appendVarFlag(task, 'prefuncs', ' set_image_size')
d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps))
d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude))
@@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}"
do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}"
do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock"
+do_copy_boot_files[network] = "${TASK_USE_SUDO}"
do_copy_boot_files() {
kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])"
if [ ! -f "$kernel" ]; then
@@ -430,6 +432,7 @@ do_rootfs_finalize() {
rm -f "${ROOTFSDIR}/etc/apt/sources-list"
EOSUDO
}
+do_rootfs_finalize[network] = "${TASK_USE_SUDO}"
addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
ROOTFS_QA_FIND_ARGS ?= ""
@@ -466,5 +469,6 @@ do_rootfs_quality_check() {
bbwarn "$found"
fi
}
+do_rootfs_quality_check[network] = "${TASK_USE_SUDO}"
addtask rootfs_quality_check after do_rootfs_finalize before do_rootfs
diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass
index 436a0051..aee5ef45 100644
--- a/meta/classes/imagetypes_container.bbclass
+++ b/meta/classes/imagetypes_container.bbclass
@@ -19,6 +19,7 @@ python() {
t_clean = t.replace('-', '_').replace('.', '_')
d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t)
d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}')
+ d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO'))
bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d)
}
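Review bot: `d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO'))` appends rather than sets. The surrounding `t_clean = t.replace(...)` suggests it runs once per container type, although the loop header is outside this hunk. If so, two or more types would make the flag `"11"` instead of `"1"`, which may not be accepted as a boolean when the flag is evaluated. An unset `TASK_USE_SUDO` would also pass `None` to the append. Using `d.setVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO') or '0')` keeps the value well-formed and matches the `setVarFlag` call added in image.bbclass.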
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index 3869525b..24a7b852 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -134,6 +134,7 @@ python do_rootfs_wicenv () {
addtask do_rootfs_wicenv after do_rootfs before do_image_wic
do_rootfs_wicenv[vardeps] += "${WICVARS}"
do_rootfs_wicenv[prefuncs] = 'set_image_size'
+do_rootfs_wicenv[network] = "${TASK_USE_SUDO}"
check_for_wic_warnings() {
WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)"
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 786682d9..d36b7196 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -119,6 +119,7 @@ EOSUDO
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update"
rootfs_install_pkgs_update[weight] = "5"
rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
+rootfs_install_pkgs_update[network] = "${TASK_USE_NETWORK_AND_SUDO}"
rootfs_install_pkgs_update() {
sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
-o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
@@ -144,6 +145,7 @@ rootfs_import_package_cache() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
rootfs_install_pkgs_download[weight] = "600"
rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
+rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
rootfs_install_pkgs_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
@@ -167,6 +169,7 @@ rootfs_install_clean_files() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install"
rootfs_install_pkgs_install[weight] = "8000"
+rootfs_install_pkgs_install[network] = "${TASK_USE_SUDO}"
rootfs_install_pkgs_install() {
sudo -E chroot "${ROOTFSDIR}" \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
@@ -177,6 +180,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM
do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS"
do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build"
do_rootfs_install[recrdeptask] = "do_deploy_deb"
+do_rootfs_install[network] = "${TASK_USE_SUDO}"
python do_rootfs_install() {
configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split()
install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split()
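Review bot: `do_rootfs_install[network]` is set to `${TASK_USE_SUDO}`, yet this task runs the `ROOTFS_INSTALL_COMMAND` functions that the earlier hunks mark `${TASK_USE_NETWORK_AND_SUDO}` (`rootfs_install_pkgs_update`, `rootfs_install_pkgs_download`). As far as I know BitBake evaluates the `network` flag only for the task being executed, not for functions it calls, so the per-function flags in this file and in image-locales-extension.bbclass are documentation only. It works today because all three variables are `"1"`, but once `TASK_USE_SUDO` is turned off, as the TODO in bitbake.conf intends, this task would lose network while its apt steps still need it. I would mark it `do_rootfs_install[network] = "${TASK_USE_NETWORK_AND_SUDO}"` and add a comment on the function-level flags saying they are informational.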
@@ -269,6 +273,7 @@ rootfs_export_dpkg_status() {
}
do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}"
+do_rootfs_postprocess[network] = "${TASK_USE_SUDO}"
python do_rootfs_postprocess() {
# Take care that its correctly mounted:
bb.build.exec_func('rootfs_do_mounts', d)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index f7b464c7..20fd1332 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -145,6 +145,12 @@ CCACHE_TOP_DIR ?= "${TMPDIR}/ccache"
CCACHE_DIR ?= "${CCACHE_TOP_DIR}/${DISTRO}-${DISTRO_ARCH}"
CCACHE_DEBUG ?= "0"
+# Variables for tasks marking
+# Long term TODO: get rid of sudo marked tasks
+TASK_USE_NETWORK = "1"
+TASK_USE_SUDO = "1"
+TASK_USE_NETWORK_AND_SUDO = "1"
+
include conf/local.conf
include conf/multiconfig/${BB_CURRENT_MC}.conf
include conf/machine/${MACHINE}.conf
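Review bot: All three variables expand to `"1"`, so every task marked `${TASK_USE_SUDO}` gets network access exactly like a `${TASK_USE_NETWORK}` task, and the comment `# Variables for tasks marking` does not say so. A reader auditing which tasks can reach the network will see a much shorter list than the real one. I would spell this out, for example `# NOTE: sudo-only tasks are also exempted from BitBake's network isolation (sudo presumably does not work inside it - confirm); all three values currently enable network.` The definitions are also placed before `include conf/local.conf`, so a local configuration can override them; that deserves a mention if it is intended.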
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index faba73fe..db1607ce 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -216,6 +216,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
do_generate_keyrings[dirs] = "${DL_DIR}"
do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings[network] = "${TASK_USE_SUDO}"
do_generate_keyrings() {
if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
chmod 777 "${APT_KEYS_DIR}"
@@ -271,6 +272,7 @@ do_bootstrap[vardeps] += " \
"
do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}"
do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_bootstrap[network] = "${TASK_USE_NETWORK_AND_SUDO}"
do_bootstrap() {
if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then
--
2.17.1