From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 7172560304523444224 X-Received: by 2002:a17:90b:374c:b0:21a:1dad:b9d6 with SMTP id ne12-20020a17090b374c00b0021a1dadb9d6mr2199341pjb.81.1672124464018; Mon, 26 Dec 2022 23:01:04 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a17:90a:8c13:b0:202:a0c3:702 with SMTP id a19-20020a17090a8c1300b00202a0c30702ls15185565pjo.1.-pod-control-gmail; Mon, 26 Dec 2022 23:01:03 -0800 (PST) X-Google-Smtp-Source: AMrXdXvaogQHng2tZWY/APYpy8tOj65Otdp3QMvBa62iCRTH6l8LoXU/9yzcAcpbXpQi+ly58QsY X-Received: by 2002:a17:902:d355:b0:189:7e2f:d64c with SMTP id l21-20020a170902d35500b001897e2fd64cmr43227925plk.55.1672124463079; Mon, 26 Dec 2022 23:01:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1672124463; cv=none; d=google.com; s=arc-20160816; b=LFG759b6OYX9AGqbBb6p7iuY1I5l9fmUX1691YEfzUFreNe/Yoo4/+OVKVfO2RlTPe 49pjIBSjO4n4lND5IrF9NdwZATZOxo+LRXr/tdmzNjkGg5+Ek78y0Sady10kEUtCBbky I0Wcvj5Y0dFSXE6zdVQR29R3zSGbNXTstsh10CeCeYTzLs3x87BSg6XBg9SgmWh0Ba57 f42MvBu76Q8eozh9SiG+/2J+qwDpkDjPG24/7qd0wL0Y6brNC7O+k+UHzA4XuUUoazfI St8jBZEoqQdTXOpKiMQ2n0mcPFcNlsne9C1SjAh9uRAZa4YcqqmQ6B2qkwWI9s2XBH6M z2EQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=references:in-reply-to:message-id:date:subject:cc:to:from; bh=Ga/GLgIr+ocmX7mBDriPs6JD9EImNn42bGP9tUsih78=; b=PqIQHzNpqYOKhs/mvvM+GweP3swbKixV0Zncz6r6EsyvqcjMuSH4Jab6tLO2nqp/Xd cE+N+cyb6+yaCUUnhTJ47GMx4YU+0U/IAHEXDL9QHUoUZhgLs9NBDAoTRx4g+csF9SkH +e4t78o350kUykpdXg1i2jaHZAPrxapTBfpSZqrFOSYpfr9nmbFaojgTHm3Rh+gLfnhG 3hP/8/MEjXQh8qYUkUv5pF+Jq9sYJlQ4dlYiRDyqbAtF61Fl4zNjS5k5+2Sza51bO4iP 9SYHG9mFT1BTfDa5LywEYGGRdYQiWGDp7F7zEDSob/O6jquhrrSTEZEwUdTDAXX8osBU IVjQ== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Return-Path: Received: from shymkent.ilbers.de (shymkent.ilbers.de. [85.214.156.166]) by gmr-mx.google.com with ESMTPS id r10-20020a170902c60a00b00189348ab16fsi1209493plr.13.2022.12.26.23.01.02 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Mon, 26 Dec 2022 23:01:03 -0800 (PST) Received-SPF: pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Received: from alena-nb.promwad.com ([193.228.193.9]) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 2BR70j9s030666 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 27 Dec 2022 08:01:00 +0100 From: Anton Mikanovich To: isar-users@googlegroups.com Cc: Anton Mikanovich Subject: [PATCH v7 09/20] meta: mark network and sudo tasks Date: Tue, 27 Dec 2022 10:00:28 +0300 Message-Id: <20221227070039.23496-10-amikan@ilbers.de> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20221227070039.23496-1-amikan@ilbers.de> References: <20221227070039.23496-1-amikan@ilbers.de> X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: aemCSTuzJIgN Network access from tasks is now disabled by default. This means that tasks accessing the network need to be marked as such with the network flag. The same marking is also required for the tasks used sudo. Signed-off-by: Anton Mikanovich --- meta/classes/base.bbclass | 1 + meta/classes/dpkg-base.bbclass | 5 +++++ meta/classes/image-locales-extension.bbclass | 2 ++ meta/classes/image-tools-extension.bbclass | 1 + meta/classes/image.bbclass | 4 ++++ meta/classes/imagetypes_container.bbclass | 1 + meta/classes/imagetypes_wic.bbclass | 1 + meta/classes/rootfs.bbclass | 5 +++++ meta/conf/bitbake.conf | 6 ++++++ meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++ 10 files changed, 28 insertions(+) diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass index 8c874f31..972eefe3 100644 --- a/meta/classes/base.bbclass +++ b/meta/classes/base.bbclass @@ -183,6 +183,7 @@ def isar_export_ccache(d): do_fetch[dirs] = "${DL_DIR}" do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}" do_fetch[vardeps] += "SRCREV" +do_fetch[network] = "${TASK_USE_NETWORK}" # Fetch package from the source link python do_fetch() { diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass index 260aa73e..e12f76c2 100644 --- a/meta/classes/dpkg-base.bbclass +++ b/meta/classes/dpkg-base.bbclass @@ -122,6 +122,7 @@ do_apt_fetch() { addtask apt_fetch do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_apt_fetch[network] = "${TASK_USE_NETWORK_AND_SUDO}" # Add dependency from the correct buildchroot: host or target do_apt_fetch[depends] += "${BUILDCHROOT_DEP}" @@ -151,6 +152,7 @@ do_apt_unpack() { done schroot_delete_configs } +do_apt_unpack[network] = "${TASK_USE_SUDO}" addtask apt_unpack after do_apt_fetch @@ -249,6 +251,7 @@ python do_dpkg_build() { finally: bb.build.exec_func('schroot_delete_configs', d) } +do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}" addtask dpkg_build @@ -292,6 +295,7 @@ deb_clean() { } # the clean function modifies isar-apt do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock" +do_clean[network] = "${TASK_USE_SUDO}" do_deploy_deb() { deb_clean @@ -343,6 +347,7 @@ addtask devshell after do_prepare_build DEVSHELL_STARTDIR ?= "${S}" do_devshell[dirs] = "${DEVSHELL_STARTDIR}" do_devshell[nostamp] = "1" +do_devshell[network] = "${TASK_USE_SUDO}" python do_devshell_nodeps() { bb.build.exec_func('do_devshell', d) diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass index 0932630f..65b9ac80 100644 --- a/meta/classes/image-locales-extension.bbclass +++ b/meta/classes/image-locales-extension.bbclass @@ -27,6 +27,7 @@ def get_nopurge(d): ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download" image_install_localepurge_download[weight] = "40" +image_install_localepurge_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" image_install_localepurge_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge @@ -34,6 +35,7 @@ image_install_localepurge_download() { ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install" image_install_localepurge_install[weight] = "700" +image_install_localepurge_install[network] = "${TASK_USE_NETWORK_AND_SUDO}" image_install_localepurge_install() { # Generate locale and localepurge configuration: diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass index 101704d0..2d3dda4f 100644 --- a/meta/classes/image-tools-extension.bbclass +++ b/meta/classes/image-tools-extension.bbclass @@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}" do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config" do_install_imager_deps[deptask] = "do_deploy_deb" do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_install_imager_deps[network] = "${TASK_USE_NETWORK_AND_SUDO}" do_install_imager_deps() { if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then exit diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index 629a0c1d..b0763a12 100644 --- a/meta/classes/image.bbclass +++ b/meta/classes/image.bbclass @@ -291,6 +291,7 @@ python() { task = 'do_image_%s' % bt_clean d.setVar(task, '\n'.join(cmds)) d.setVarFlag(task, 'func', '1') + d.setVarFlag(task, 'network', localdata.expand('${TASK_USE_SUDO}')) d.appendVarFlag(task, 'prefuncs', ' set_image_size') d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps)) d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude)) @@ -345,6 +346,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}" do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}" do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock" +do_copy_boot_files[network] = "${TASK_USE_SUDO}" do_copy_boot_files() { kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])" if [ ! -f "$kernel" ]; then @@ -430,6 +432,7 @@ do_rootfs_finalize() { rm -f "${ROOTFSDIR}/etc/apt/sources-list" EOSUDO } +do_rootfs_finalize[network] = "${TASK_USE_SUDO}" addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess ROOTFS_QA_FIND_ARGS ?= "" @@ -466,5 +469,6 @@ do_rootfs_quality_check() { bbwarn "$found" fi } +do_rootfs_quality_check[network] = "${TASK_USE_SUDO}" addtask rootfs_quality_check after do_rootfs_finalize before do_rootfs diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass index 436a0051..aee5ef45 100644 --- a/meta/classes/imagetypes_container.bbclass +++ b/meta/classes/imagetypes_container.bbclass @@ -19,6 +19,7 @@ python() { t_clean = t.replace('-', '_').replace('.', '_') d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t) d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}') + d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO')) bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d) } diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index 3869525b..24a7b852 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass @@ -134,6 +134,7 @@ python do_rootfs_wicenv () { addtask do_rootfs_wicenv after do_rootfs before do_image_wic do_rootfs_wicenv[vardeps] += "${WICVARS}" do_rootfs_wicenv[prefuncs] = 'set_image_size' +do_rootfs_wicenv[network] = "${TASK_USE_SUDO}" check_for_wic_warnings() { WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)" diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 786682d9..d36b7196 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -119,6 +119,7 @@ EOSUDO ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update" rootfs_install_pkgs_update[weight] = "5" rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before" +rootfs_install_pkgs_update[network] = "${TASK_USE_NETWORK_AND_SUDO}" rootfs_install_pkgs_update() { sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \ -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \ @@ -144,6 +145,7 @@ rootfs_import_package_cache() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" +rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" rootfs_install_pkgs_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} @@ -167,6 +169,7 @@ rootfs_install_clean_files() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install" rootfs_install_pkgs_install[weight] = "8000" +rootfs_install_pkgs_install[network] = "${TASK_USE_SUDO}" rootfs_install_pkgs_install() { sudo -E chroot "${ROOTFSDIR}" \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES} @@ -177,6 +180,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS" do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build" do_rootfs_install[recrdeptask] = "do_deploy_deb" +do_rootfs_install[network] = "${TASK_USE_SUDO}" python do_rootfs_install() { configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split() install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split() @@ -269,6 +273,7 @@ rootfs_export_dpkg_status() { } do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}" +do_rootfs_postprocess[network] = "${TASK_USE_SUDO}" python do_rootfs_postprocess() { # Take care that its correctly mounted: bb.build.exec_func('rootfs_do_mounts', d) diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index f7b464c7..20fd1332 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf @@ -145,6 +145,12 @@ CCACHE_TOP_DIR ?= "${TMPDIR}/ccache" CCACHE_DIR ?= "${CCACHE_TOP_DIR}/${DISTRO}-${DISTRO_ARCH}" CCACHE_DEBUG ?= "0" +# Variables for tasks marking +# Long term TODO: get rid of sudo marked tasks +TASK_USE_NETWORK = "1" +TASK_USE_SUDO = "1" +TASK_USE_NETWORK_AND_SUDO = "1" + include conf/local.conf include conf/multiconfig/${BB_CURRENT_MC}.conf include conf/machine/${MACHINE}.conf diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index faba73fe..db1607ce 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc @@ -216,6 +216,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg" do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}" do_generate_keyrings[dirs] = "${DL_DIR}" do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS" +do_generate_keyrings[network] = "${TASK_USE_SUDO}" do_generate_keyrings() { if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then chmod 777 "${APT_KEYS_DIR}" @@ -271,6 +272,7 @@ do_bootstrap[vardeps] += " \ " do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}" do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_bootstrap[network] = "${TASK_USE_NETWORK_AND_SUDO}" do_bootstrap() { if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then -- 2.17.1