From: Anton Mikanovich <amikan@ilbers.de>
To: isar-users@googlegroups.com
Cc: Anton Mikanovich <amikan@ilbers.de>
Subject: [PATCH v8 09/20] meta: mark network and sudo tasks
Date: Wed, 25 Jan 2023 21:23:26 +0200 [thread overview]
Message-ID: <20230125192337.86869-10-amikan@ilbers.de> (raw)
In-Reply-To: <20230125192337.86869-1-amikan@ilbers.de>
Network access from tasks is now disabled by default. This means that
tasks accessing the network need to be marked as such with the network
flag.
The same marking is also required for tasks that use sudo.
Signed-off-by: Anton Mikanovich <amikan@ilbers.de>
---
meta/classes/base.bbclass | 1 +
meta/classes/dpkg-base.bbclass | 5 +++++
meta/classes/image-locales-extension.bbclass | 2 ++
meta/classes/image-tools-extension.bbclass | 1 +
meta/classes/image.bbclass | 4 ++++
meta/classes/imagetypes_container.bbclass | 1 +
meta/classes/imagetypes_wic.bbclass | 1 +
meta/classes/rootfs.bbclass | 5 +++++
meta/conf/bitbake.conf | 6 ++++++
meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++
10 files changed, 28 insertions(+)
diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 8c874f3..972eefe 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -183,6 +183,7 @@ def isar_export_ccache(d):
do_fetch[dirs] = "${DL_DIR}"
do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}"
do_fetch[vardeps] += "SRCREV"
+do_fetch[network] = "${TASK_USE_NETWORK}"
# Fetch package from the source link
python do_fetch() {
diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass
index c911462..d19e2a9 100644
--- a/meta/classes/dpkg-base.bbclass
+++ b/meta/classes/dpkg-base.bbclass
@@ -122,6 +122,7 @@ do_apt_fetch() {
addtask apt_fetch
do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_apt_fetch[network] = "${TASK_USE_NETWORK_AND_SUDO}"
# Add dependency from the correct schroot: host or target
do_apt_fetch[depends] += "${SCHROOT_DEP}"
@@ -148,6 +149,7 @@ do_apt_unpack() {
done
schroot_delete_configs
}
+do_apt_unpack[network] = "${TASK_USE_SUDO}"
addtask apt_unpack after do_apt_fetch
@@ -222,6 +224,7 @@ python do_dpkg_build() {
finally:
bb.build.exec_func('schroot_delete_configs', d)
}
+do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}"
addtask dpkg_build
@@ -265,6 +268,7 @@ deb_clean() {
}
# the clean function modifies isar-apt
do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock"
+do_clean[network] = "${TASK_USE_SUDO}"
do_deploy_deb() {
deb_clean
@@ -319,6 +323,7 @@ addtask devshell after do_prepare_build
DEVSHELL_STARTDIR ?= "${S}"
do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
do_devshell[nostamp] = "1"
+do_devshell[network] = "${TASK_USE_SUDO}"
python do_devshell_nodeps() {
bb.build.exec_func('do_devshell', d)
diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass
index 0932630..65b9ac8 100644
--- a/meta/classes/image-locales-extension.bbclass
+++ b/meta/classes/image-locales-extension.bbclass
@@ -27,6 +27,7 @@ def get_nopurge(d):
ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download"
image_install_localepurge_download[weight] = "40"
+image_install_localepurge_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
image_install_localepurge_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge
@@ -34,6 +35,7 @@ image_install_localepurge_download() {
ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install"
image_install_localepurge_install[weight] = "700"
+image_install_localepurge_install[network] = "${TASK_USE_NETWORK_AND_SUDO}"
image_install_localepurge_install() {
# Generate locale and localepurge configuration:
diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass
index 101704d..2d3dda4 100644
--- a/meta/classes/image-tools-extension.bbclass
+++ b/meta/classes/image-tools-extension.bbclass
@@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}"
do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config"
do_install_imager_deps[deptask] = "do_deploy_deb"
do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock"
+do_install_imager_deps[network] = "${TASK_USE_NETWORK_AND_SUDO}"
do_install_imager_deps() {
if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then
exit
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index e59767e..04b4a18 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -291,6 +291,7 @@ python() {
task = 'do_image_%s' % bt_clean
d.setVar(task, '\n'.join(cmds))
d.setVarFlag(task, 'func', '1')
+ d.setVarFlag(task, 'network', localdata.expand('${TASK_USE_SUDO}'))
d.appendVarFlag(task, 'prefuncs', ' set_image_size')
d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps))
d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude))
@@ -356,6 +357,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}"
do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}"
do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock"
+do_copy_boot_files[network] = "${TASK_USE_SUDO}"
do_copy_boot_files() {
kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])"
if [ ! -f "$kernel" ]; then
@@ -455,6 +457,7 @@ EOSUDO
fi
}
+do_rootfs_finalize[network] = "${TASK_USE_SUDO}"
addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess
ROOTFS_QA_FIND_ARGS ?= ""
@@ -491,5 +494,6 @@ do_rootfs_quality_check() {
bbwarn "$found"
fi
}
+do_rootfs_quality_check[network] = "${TASK_USE_SUDO}"
addtask rootfs_quality_check after do_rootfs_finalize before do_rootfs
diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass
index 50645ae..ff6e10b 100644
--- a/meta/classes/imagetypes_container.bbclass
+++ b/meta/classes/imagetypes_container.bbclass
@@ -19,6 +19,7 @@ python() {
t_clean = t.replace('-', '_').replace('.', '_')
d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t)
d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}')
+ d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO'))
bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d)
}
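Review bot: The `network` flag of `do_containerize` is written with `appendVarFlag`, while image.bbclass in this same patch uses `setVarFlag` for the equivalent flag. The new line sits among per-type statements (`t_clean`, `'IMAGE_CMD_' + t_clean`), so it presumably runs once per container type and the flag grows to "11", "111" and so on. It would also raise if `TASK_USE_SUDO` were ever unset, because `d.getVar` then returns None. Setting the flag idempotently avoids both: `d.setVarFlag('do_containerize', 'network', '${TASK_USE_SUDO}')`. The anonymous python function starts outside the hunk, so the loop itself is not visible here.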
diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass
index 3869525..24a7b85 100644
--- a/meta/classes/imagetypes_wic.bbclass
+++ b/meta/classes/imagetypes_wic.bbclass
@@ -134,6 +134,7 @@ python do_rootfs_wicenv () {
addtask do_rootfs_wicenv after do_rootfs before do_image_wic
do_rootfs_wicenv[vardeps] += "${WICVARS}"
do_rootfs_wicenv[prefuncs] = 'set_image_size'
+do_rootfs_wicenv[network] = "${TASK_USE_SUDO}"
check_for_wic_warnings() {
WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)"
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 86f228d..3247f53 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -119,6 +119,7 @@ EOSUDO
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update"
rootfs_install_pkgs_update[weight] = "5"
rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before"
+rootfs_install_pkgs_update[network] = "${TASK_USE_NETWORK_AND_SUDO}"
rootfs_install_pkgs_update() {
sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \
-o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \
@@ -144,6 +145,7 @@ rootfs_import_package_cache() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download"
rootfs_install_pkgs_download[weight] = "600"
rootfs_install_pkgs_download[isar-apt-lock] = "release-after"
+rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}"
rootfs_install_pkgs_download() {
sudo -E chroot '${ROOTFSDIR}' \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES}
@@ -167,6 +169,7 @@ rootfs_install_clean_files() {
ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install"
rootfs_install_pkgs_install[weight] = "8000"
+rootfs_install_pkgs_install[network] = "${TASK_USE_SUDO}"
rootfs_install_pkgs_install() {
sudo -E chroot "${ROOTFSDIR}" \
/usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES}
@@ -177,6 +180,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM
do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS"
do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build"
do_rootfs_install[recrdeptask] = "do_deploy_deb"
+do_rootfs_install[network] = "${TASK_USE_SUDO}"
python do_rootfs_install() {
configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split()
install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split()
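Review bot: `do_rootfs_install` is marked with `${TASK_USE_SUDO}` only, yet it runs the functions listed in `ROOTFS_INSTALL_COMMAND` (`install_cmds` just below), and this patch marks two of them, `rootfs_install_pkgs_update` and `rootfs_install_pkgs_download`, as network users. As far as I can tell BitBake evaluates `network` on the task, not on the functions it calls, so the per-function flags are informational and the task only works because both variables currently expand to "1". Marking the task by what it actually needs, `do_rootfs_install[network] = "${TASK_USE_NETWORK_AND_SUDO}"`, keeps it correct once the sudo marking is removed. The same consideration applies to the flags on the `image_install_localepurge_*` functions in image-locales-extension.bbclass. The body of `do_rootfs_install` continues outside the hunk.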
@@ -282,6 +286,7 @@ rootfs_export_dpkg_status() {
}
do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}"
+do_rootfs_postprocess[network] = "${TASK_USE_SUDO}"
python do_rootfs_postprocess() {
# Take care that its correctly mounted:
bb.build.exec_func('rootfs_do_mounts', d)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index f7b464c..20fd133 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -145,6 +145,12 @@ CCACHE_TOP_DIR ?= "${TMPDIR}/ccache"
CCACHE_DIR ?= "${CCACHE_TOP_DIR}/${DISTRO}-${DISTRO_ARCH}"
CCACHE_DEBUG ?= "0"
+# Variables for tasks marking
+# Long term TODO: get rid of sudo marked tasks
+TASK_USE_NETWORK = "1"
+TASK_USE_SUDO = "1"
+TASK_USE_NETWORK_AND_SUDO = "1"
+
include conf/local.conf
include conf/multiconfig/${BB_CURRENT_MC}.conf
include conf/machine/${MACHINE}.conf
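Review bot: All three variables expand to "1", so every task marked only with `${TASK_USE_SUDO}` runs with network isolation switched off, and the comment above them does not say so. Presumably the reason is that BitBake's isolation places the task in an environment where sudo cannot work, which means the `network` flag is doubling as a "needs sudo" marker. I would state that next to the definitions, for example `# TASK_USE_SUDO tasks set [network] only so that sudo keeps working; they are not expected to access the network`. This tells anyone auditing network exposure which tasks genuinely fetch data, and makes clear what the "Long term TODO" is meant to restore.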
diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
index 431ef2d..8e14b9d 100644
--- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
+++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
@@ -216,6 +216,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg"
do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}"
do_generate_keyrings[dirs] = "${DL_DIR}"
do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS"
+do_generate_keyrings[network] = "${TASK_USE_SUDO}"
do_generate_keyrings() {
if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then
chmod 777 "${APT_KEYS_DIR}"
@@ -271,6 +272,7 @@ do_bootstrap[vardeps] += " \
"
do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}"
do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config"
+do_bootstrap[network] = "${TASK_USE_NETWORK_AND_SUDO}"
do_bootstrap() {
if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then
--
2.34.1
2023-01-25 19:23 [PATCH v8 00/20] Migrate to Bitbake 2.0 Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 01/20] meta: change deprecated parse calls Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 02/20] scripts/contrib: add override conversion script Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 03/20] scripts/contrib: configure " Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 04/20] meta-isar: set default branch names Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 05/20] meta: remove non recommended syntax Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 06/20] bitbake: update to Bitbake 2.0.5 Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 07/20] meta: update bitbake variables Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 08/20] bitbake.conf: align hash vars with openembedded Anton Mikanovich
2023-01-25 19:23 ` Anton Mikanovich [this message]
2023-01-25 19:23 ` [PATCH v8 10/20] meta: update overrides syntax Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 11/20] sstate: update bbclass Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 12/20] bitbake.conf: declare default XZ and ZSTD options Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 13/20] Revert "devshell: Use different termination test to avoid warnings" Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 14/20] meta: align with OE-core libraries update Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 15/20] Revert "Revert "devshell: Use different termination test to avoid warnings"" Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 16/20] CI: adapt tests to syntax change Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 17/20] isar-sstate: adapt sstate maintenance script Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 18/20] doc: require zstd tool Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 19/20] RECIPE-API-CHANGELOG: add tips after bitbake version update Anton Mikanovich
2023-01-25 19:23 ` [PATCH v8 20/20] docs: update override syntax Anton Mikanovich
2023-01-25 23:43 ` [PATCH v8 00/20] Migrate to Bitbake 2.0 Roberto A. Foglietta
2023-01-26 7:29 ` Anton Mikanovich
2023-01-26 13:23 ` Roberto A. Foglietta
2023-01-26 19:59 ` Henning Schild
2023-01-27 4:09 ` Roberto A. Foglietta
2023-01-31 11:26 ` Uladzimir Bely
2023-02-01 6:17 ` Uladzimir Bely
2023-02-02 9:02 ` Florian Bezdeka