From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 7192672744921628672 X-Received: by 2002:a05:6808:5ce:b0:364:5474:688f with SMTP id d14-20020a05680805ce00b003645474688fmr1768752oij.159.1674674635947; Wed, 25 Jan 2023 11:23:55 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:aca:785:0:b0:359:ca69:f473 with SMTP id 127-20020aca0785000000b00359ca69f473ls6033521oih.10.-pod-prod-gmail; Wed, 25 Jan 2023 11:23:55 -0800 (PST) X-Google-Smtp-Source: AMrXdXsGNMRewbjfuTA9xg7fp/5Uc2ogEDQDImAwvfG3s0T45NVVW394bVWHF0IvHAf4D+W+y3xD X-Received: by 2002:a54:400e:0:b0:36e:ce25:4548 with SMTP id x14-20020a54400e000000b0036ece254548mr8710145oie.42.1674674635435; Wed, 25 Jan 2023 11:23:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1674674635; cv=none; d=google.com; s=arc-20160816; b=QC/ZeNEYLAGY+tO1AOCUQVtfHXo120pZHO+kCiNMt6TlBA/zgo/MVEktxrgOQF1BlJ nwPnvAgTEVtuxQfM86b+zDPPM+lsrwkdTqqSiFokfJeljEYMo0Jke0rBZT95qZyI+W/U Cu9n/Vo8zZTsbCeKS16feOsquUiFg5IPhdSOJkNt4oImj2hSzABTMWNvoaRUDTMKu+cA p26ut1qZIHNst8Pupmy9zLoCXXkelDGRnoqQPLgKW0P/tEPKg7KvJo+ERFrwuJGzdwwT A3aHowJvxcqp2g3Sc7NvNOOe+MEhZUApp3JU63lQ4+OdnTmwRKuX37GkXzzTAtwFTuaw 7rxw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from; bh=R0AytJxuCn012Hso/5RUH+ZWc54aYpsyg9pfhmywcrg=; b=DMLhpFblN8IkA8VnTfvMgo7AFOv6g0uBD0qb9L8SEHpBEXpyGdJ++jZBuQKdgt6qq1 BbZC3hsCoG/+AWZxoE43PhHKWDbInnr/qF4i+FHaCjp1E+MCJ1iAtDH15p+hFSEMIbw0 G4SxNGhNXKq5wWut63BOg2chhmI+oW37SO4sxgBQKpJRFA7aY4/1mNVdo3+2h/lx1mx7 uHCcoE1y5+HjF3vyOm7op04TJY2y07gBpfUOivvMXp8/YbyiLnS/0Lhjye1AVvX8Tx+P mYFabCNC8b5aoU5a/7EHhC6uJMAQjyGUZqH85+fZgcbPQQIavNDhErMpeIQnGaKAIC5S pHHA== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Return-Path: Received: from shymkent.ilbers.de (shymkent.ilbers.de. 
[85.214.156.166]) by gmr-mx.google.com with ESMTPS id bf5-20020a056808190500b003645c7e411csi862680oib.0.2023.01.25.11.23.55 for (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Wed, 25 Jan 2023 11:23:55 -0800 (PST) Received-SPF: pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) client-ip=85.214.156.166; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of amikan@ilbers.de designates 85.214.156.166 as permitted sender) smtp.mailfrom=amikan@ilbers.de Received: from user-B660.. (IN-213-226-141-182.bitemobile.lv [213.226.141.182] (may be forged)) (authenticated bits=0) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPSA id 30PJNdaO028378 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 25 Jan 2023 20:23:53 +0100 From: Anton Mikanovich To: isar-users@googlegroups.com Cc: Anton Mikanovich Subject: [PATCH v8 09/20] meta: mark network and sudo tasks Date: Wed, 25 Jan 2023 21:23:26 +0200 Message-Id: <20230125192337.86869-10-amikan@ilbers.de> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20230125192337.86869-1-amikan@ilbers.de> References: <20230125192337.86869-1-amikan@ilbers.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-TUID: nfRgZcRu8Qv0 Network access from tasks is now disabled by default. This means that tasks accessing the network need to be marked as such with the network flag. The same marking is also required for tasks that use sudo. 
Signed-off-by: Anton Mikanovich --- meta/classes/base.bbclass | 1 + meta/classes/dpkg-base.bbclass | 5 +++++ meta/classes/image-locales-extension.bbclass | 2 ++ meta/classes/image-tools-extension.bbclass | 1 + meta/classes/image.bbclass | 4 ++++ meta/classes/imagetypes_container.bbclass | 1 + meta/classes/imagetypes_wic.bbclass | 1 + meta/classes/rootfs.bbclass | 5 +++++ meta/conf/bitbake.conf | 6 ++++++ meta/recipes-core/isar-bootstrap/isar-bootstrap.inc | 2 ++ 10 files changed, 28 insertions(+) diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass index 8c874f3..972eefe 100644 --- a/meta/classes/base.bbclass +++ b/meta/classes/base.bbclass @@ -183,6 +183,7 @@ def isar_export_ccache(d): do_fetch[dirs] = "${DL_DIR}" do_fetch[file-checksums] = "${@bb.fetch.get_checksum_file_list(d)}" do_fetch[vardeps] += "SRCREV" +do_fetch[network] = "${TASK_USE_NETWORK}" # Fetch package from the source link python do_fetch() { diff --git a/meta/classes/dpkg-base.bbclass b/meta/classes/dpkg-base.bbclass index c911462..d19e2a9 100644 --- a/meta/classes/dpkg-base.bbclass +++ b/meta/classes/dpkg-base.bbclass @@ -122,6 +122,7 @@ do_apt_fetch() { addtask apt_fetch do_apt_fetch[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_apt_fetch[network] = "${TASK_USE_NETWORK_AND_SUDO}" # Add dependency from the correct schroot: host or target do_apt_fetch[depends] += "${SCHROOT_DEP}" @@ -148,6 +149,7 @@ do_apt_unpack() { done schroot_delete_configs } +do_apt_unpack[network] = "${TASK_USE_SUDO}" addtask apt_unpack after do_apt_fetch @@ -222,6 +224,7 @@ python do_dpkg_build() { finally: bb.build.exec_func('schroot_delete_configs', d) } +do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}" addtask dpkg_build @@ -265,6 +268,7 @@ deb_clean() { } # the clean function modifies isar-apt do_clean[lockfiles] = "${REPO_ISAR_DIR}/isar.lock" +do_clean[network] = "${TASK_USE_SUDO}" do_deploy_deb() { deb_clean 
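Review bot: `do_dpkg_build[network] = "${TASK_USE_NETWORK_AND_SUDO}"` in the `@@ -222,6 +224,7 @@` hunk of dpkg-base.bbclass leaves the package build itself running with network access, although do_apt_fetch is already a separate, network-marked fetch step. The hunk does not say what the build still downloads; if it is only the installation of build dependencies, a comment above the flag such as `# network: build dependencies are installed from the apt sources during the build` would record that and mark the task as a candidate for tightening later. A build step that can reach the network can pull in content that no fetch-time check has seen, so the reason is worth writing down. The body of do_dpkg_build starts outside the hunk.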
@@ -319,6 +323,7 @@ addtask devshell after do_prepare_build DEVSHELL_STARTDIR ?= "${S}" do_devshell[dirs] = "${DEVSHELL_STARTDIR}" do_devshell[nostamp] = "1" +do_devshell[network] = "${TASK_USE_SUDO}" python do_devshell_nodeps() { bb.build.exec_func('do_devshell', d) diff --git a/meta/classes/image-locales-extension.bbclass b/meta/classes/image-locales-extension.bbclass index 0932630..65b9ac8 100644 --- a/meta/classes/image-locales-extension.bbclass +++ b/meta/classes/image-locales-extension.bbclass @@ -27,6 +27,7 @@ def get_nopurge(d): ROOTFS_INSTALL_COMMAND_BEFORE_EXPORT += "image_install_localepurge_download" image_install_localepurge_download[weight] = "40" +image_install_localepurge_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" image_install_localepurge_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only localepurge @@ -34,6 +35,7 @@ image_install_localepurge_download() { ROOTFS_INSTALL_COMMAND += "image_install_localepurge_install" image_install_localepurge_install[weight] = "700" +image_install_localepurge_install[network] = "${TASK_USE_NETWORK_AND_SUDO}" image_install_localepurge_install() { # Generate locale and localepurge configuration: diff --git a/meta/classes/image-tools-extension.bbclass b/meta/classes/image-tools-extension.bbclass index 101704d..2d3dda4 100644 --- a/meta/classes/image-tools-extension.bbclass +++ b/meta/classes/image-tools-extension.bbclass @@ -14,6 +14,7 @@ DEPENDS += "${IMAGER_BUILD_DEPS}" do_install_imager_deps[depends] = "${BUILDCHROOT_DEP} isar-apt:do_cache_config" do_install_imager_deps[deptask] = "do_deploy_deb" do_install_imager_deps[lockfiles] += "${REPO_ISAR_DIR}/isar.lock" +do_install_imager_deps[network] = "${TASK_USE_NETWORK_AND_SUDO}" do_install_imager_deps() { if [ -z "${@d.getVar("IMAGER_INSTALL", True).strip()}" ]; then exit diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass index e59767e..04b4a18 100644 --- a/meta/classes/image.bbclass 
+++ b/meta/classes/image.bbclass @@ -291,6 +291,7 @@ python() { task = 'do_image_%s' % bt_clean d.setVar(task, '\n'.join(cmds)) d.setVarFlag(task, 'func', '1') + d.setVarFlag(task, 'network', localdata.expand('${TASK_USE_SUDO}')) d.appendVarFlag(task, 'prefuncs', ' set_image_size') d.appendVarFlag(task, 'vardeps', ' ' + ' '.join(vardeps)) d.appendVarFlag(task, 'vardepsexclude', ' ' + ' '.join(vardepsexclude)) @@ -356,6 +357,7 @@ DTB_IMG = "${PP_DEPLOY}/${@(d.getVar('DTB_FILES').split() or [''])[0]}" do_copy_boot_files[dirs] = "${DEPLOY_DIR_IMAGE}" do_copy_boot_files[lockfiles] += "${DEPLOY_DIR_IMAGE}/isar.lock" +do_copy_boot_files[network] = "${TASK_USE_SUDO}" do_copy_boot_files() { kernel="$(realpath -q '${IMAGE_ROOTFS}'/vmlinu[xz])" if [ ! -f "$kernel" ]; then @@ -455,6 +457,7 @@ EOSUDO fi } +do_rootfs_finalize[network] = "${TASK_USE_SUDO}" addtask rootfs_finalize before do_rootfs after do_rootfs_postprocess ROOTFS_QA_FIND_ARGS ?= "" @@ -491,5 +494,6 @@ do_rootfs_quality_check() { bbwarn "$found" fi } +do_rootfs_quality_check[network] = "${TASK_USE_SUDO}" addtask rootfs_quality_check after do_rootfs_finalize before do_rootfs diff --git a/meta/classes/imagetypes_container.bbclass b/meta/classes/imagetypes_container.bbclass index 50645ae..ff6e10b 100644 --- a/meta/classes/imagetypes_container.bbclass +++ b/meta/classes/imagetypes_container.bbclass @@ -19,6 +19,7 @@ python() { t_clean = t.replace('-', '_').replace('.', '_') d.setVar('IMAGE_CMD_' + t_clean, 'convert_container %s "${CONTAINER_IMAGE_NAME}" "${IMAGE_FILE_HOST}"' % t) d.setVar('IMAGE_FULLNAME_' + t_clean, '${PN}-${DISTRO}-${DISTRO_ARCH}') + d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO')) bb.build.addtask('containerize', 'do_image_' + t_clean, 'do_image_tools', d) } diff --git a/meta/classes/imagetypes_wic.bbclass b/meta/classes/imagetypes_wic.bbclass index 3869525..24a7b85 100644 --- a/meta/classes/imagetypes_wic.bbclass +++ b/meta/classes/imagetypes_wic.bbclass 
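Review bot: In the imagetypes_container.bbclass hunk, `d.appendVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO'))` appends rather than sets, and the neighbouring lines work on a per-type variable `t`, which suggests the statement runs once per container type (the loop header is outside the hunk). With two types the flag would then read `11`, which BitBake may not accept as a boolean value. The do_image_ hunk in image.bbclass uses `setVarFlag` for the same purpose, and the same form fits here: `d.setVarFlag('do_containerize', 'network', d.getVar('TASK_USE_SUDO'))`. The two hunks also read the variable differently (`localdata.expand('${TASK_USE_SUDO}')` against `d.getVar('TASK_USE_SUDO')`); one form for both would be easier to follow.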
@@ -134,6 +134,7 @@ python do_rootfs_wicenv () { addtask do_rootfs_wicenv after do_rootfs before do_image_wic do_rootfs_wicenv[vardeps] += "${WICVARS}" do_rootfs_wicenv[prefuncs] = 'set_image_size' +do_rootfs_wicenv[network] = "${TASK_USE_SUDO}" check_for_wic_warnings() { WARN="$(grep -e '^WARNING' ${T}/log.do_image_wic || true)" diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass index 86f228d..3247f53 100644 --- a/meta/classes/rootfs.bbclass +++ b/meta/classes/rootfs.bbclass @@ -119,6 +119,7 @@ EOSUDO ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_update" rootfs_install_pkgs_update[weight] = "5" rootfs_install_pkgs_update[isar-apt-lock] = "acquire-before" +rootfs_install_pkgs_update[network] = "${TASK_USE_NETWORK_AND_SUDO}" rootfs_install_pkgs_update() { sudo -E chroot '${ROOTFSDIR}' /usr/bin/apt-get update \ -o Dir::Etc::SourceList="sources.list.d/isar-apt.list" \ @@ -144,6 +145,7 @@ rootfs_import_package_cache() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_download" rootfs_install_pkgs_download[weight] = "600" rootfs_install_pkgs_download[isar-apt-lock] = "release-after" +rootfs_install_pkgs_download[network] = "${TASK_USE_NETWORK_AND_SUDO}" rootfs_install_pkgs_download() { sudo -E chroot '${ROOTFSDIR}' \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} --download-only ${ROOTFS_PACKAGES} @@ -167,6 +169,7 @@ rootfs_install_clean_files() { ROOTFS_INSTALL_COMMAND += "rootfs_install_pkgs_install" rootfs_install_pkgs_install[weight] = "8000" +rootfs_install_pkgs_install[network] = "${TASK_USE_SUDO}" rootfs_install_pkgs_install() { sudo -E chroot "${ROOTFSDIR}" \ /usr/bin/apt-get ${ROOTFS_APT_ARGS} ${ROOTFS_PACKAGES} 
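Review bot: The `[network]` flags in the rootfs.bbclass hunks are set on rootfs_install_pkgs_update, rootfs_install_pkgs_download and rootfs_install_pkgs_install, which are entries of ROOTFS_INSTALL_COMMAND rather than tasks. As far as I know BitBake reads the flag only on the task it executes, so what takes effect is `do_rootfs_install[network] = "${TASK_USE_SUDO}"` in the following hunk, which labels the task sudo-only while the functions it runs are labelled as needing the network. Marking the task `"${TASK_USE_NETWORK_AND_SUDO}"` would match what it does, and a comment next to the function flags, `# informational only: do_rootfs_install carries the effective flag`, would keep a reader from assuming per-function isolation. The same applies to image_install_localepurge_download and image_install_localepurge_install in image-locales-extension.bbclass, where the install step is marked NETWORK_AND_SUDO although rootfs_install_pkgs_install, the comparable step after a download-only pass, is marked SUDO.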
@@ -177,6 +180,7 @@ do_rootfs_install[vardeps] += "${ROOTFS_CONFIGURE_COMMAND} ${ROOTFS_INSTALL_COMM do_rootfs_install[vardepsexclude] += "IMAGE_ROOTFS" do_rootfs_install[depends] = "isar-bootstrap-${@'target' if d.getVar('ROOTFS_ARCH') == d.getVar('DISTRO_ARCH') else 'host'}:do_build" do_rootfs_install[recrdeptask] = "do_deploy_deb" +do_rootfs_install[network] = "${TASK_USE_SUDO}" python do_rootfs_install() { configure_cmds = (d.getVar("ROOTFS_CONFIGURE_COMMAND", True) or "").split() install_cmds = (d.getVar("ROOTFS_INSTALL_COMMAND", True) or "").split() @@ -282,6 +286,7 @@ rootfs_export_dpkg_status() { } do_rootfs_postprocess[vardeps] = "${ROOTFS_POSTPROCESS_COMMAND}" +do_rootfs_postprocess[network] = "${TASK_USE_SUDO}" python do_rootfs_postprocess() { # Take care that its correctly mounted: bb.build.exec_func('rootfs_do_mounts', d) diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf index f7b464c..20fd133 100644 --- a/meta/conf/bitbake.conf +++ b/meta/conf/bitbake.conf @@ -145,6 +145,12 @@ CCACHE_TOP_DIR ?= "${TMPDIR}/ccache" CCACHE_DIR ?= "${CCACHE_TOP_DIR}/${DISTRO}-${DISTRO_ARCH}" CCACHE_DEBUG ?= "0" +# Variables for tasks marking +# Long term TODO: get rid of sudo marked tasks +TASK_USE_NETWORK = "1" +TASK_USE_SUDO = "1" +TASK_USE_NETWORK_AND_SUDO = "1" + include conf/local.conf include conf/multiconfig/${BB_CURRENT_MC}.conf include conf/machine/${MACHINE}.conf diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc index 431ef2d..8e14b9d 100644 --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc 
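Review bot: In the bitbake.conf hunk TASK_USE_NETWORK, TASK_USE_SUDO and TASK_USE_NETWORK_AND_SUDO all expand to `"1"`, so every task this patch marks as sudo-only (do_apt_unpack, do_clean, do_devshell, the do_image_ tasks, do_rootfs_install and others) runs with network access enabled. The comment `# Variables for tasks marking` does not say this, nor why sudo needs the flag; presumably sudo does not work inside the isolation BitBake applies when the flag is unset. I would expand the comment to something like `# sudo tasks must set [network] because sudo fails in the network-isolated task environment; TASK_USE_SUDO therefore also grants network access`, so that the three names are not read as a security boundary. The assignments also come before `include conf/local.conf`, so a local override to `"0"` is possible and deserves a word in the same comment.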
@@ -216,6 +216,7 @@ DISTRO_BOOTSTRAP_KEYRING = "${WORKDIR}/distro-keyring.gpg" do_generate_keyrings[cleandirs] = "${APT_KEYS_DIR}" do_generate_keyrings[dirs] = "${DL_DIR}" do_generate_keyrings[vardeps] += "DISTRO_BOOTSTRAP_KEYS THIRD_PARTY_APT_KEYS" +do_generate_keyrings[network] = "${TASK_USE_SUDO}" do_generate_keyrings() { if [ -n "${@d.getVar("THIRD_PARTY_APT_KEYFILES", True) or ""}" ]; then chmod 777 "${APT_KEYS_DIR}" @@ -271,6 +272,7 @@ do_bootstrap[vardeps] += " \ " do_bootstrap[dirs] = "${DEPLOY_DIR_BOOTSTRAP}" do_bootstrap[depends] = "base-apt:do_cache isar-apt:do_cache_config" +do_bootstrap[network] = "${TASK_USE_NETWORK_AND_SUDO}" do_bootstrap() { if [ "${ISAR_ENABLE_COMPAT_ARCH}" = "1" ]; then -- 2.34.1