From: Jan Kiszka <jan.kiszka@siemens.com>
To: Henning Schild <henning.schild@siemens.com>
Cc: Claudius Heine <ch@denx.de>,
"[ext] claudius.heine.ext@siemens.com"
<claudius.heine.ext@siemens.com>,
isar-users@googlegroups.com
Subject: Re: [PATCH] added 'isar-cfg-userpw' package
Date: Mon, 25 Feb 2019 12:15:32 +0100
Message-ID: <40ca1c88-0843-5036-b9eb-c19fcd80078c@siemens.com>
In-Reply-To: <20190225103217.0b079975@md1za8fc.ad001.siemens.net>
On 25.02.19 10:32, Henning Schild wrote:
> On Mon, 25 Feb 2019 09:48:38 +0100
> "[ext] Jan Kiszka" <jan.kiszka@siemens.com> wrote:
>
>> On 25.02.19 09:44, Claudius Heine wrote:
>>> Hi Jan,
>>>
>>> Quoting Jan Kiszka (2019-02-25 09:07:35)
>>>> On 23.02.19 11:42, Jan Kiszka wrote:
>>>>> On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
>>>>>> From: Claudius Heine <ch@denx.de>
>>>>>>
>>>>>> With this package setting of arbitrary user passwords should be
>>>>>> possible.
>>>>>>
>>>>>> To do this use the 'CFG_USER_PW' variable as described in the
>>>>>> user manual.
>>>>>>
>>>>>> Signed-off-by: Claudius Heine <ch@denx.de>
>>>>>> ---
>>>>>> doc/user_manual.md | 1 +
>>>>>> meta-isar/conf/local.conf.sample | 2 ++
>>>>>> meta/classes/isar-image.bbclass | 2 +-
>>>>>> .../isar-cfg-userpw/files/postinst.tmpl | 15
>>>>>> ++++++++++++ .../isar-cfg-userpw/isar-cfg-userpw.bb | 23
>>>>>> +++++++++++++++++++ 5 files changed, 42 insertions(+), 1
>>>>>> deletion(-) create mode 100644
>>>>>> meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl create
>>>>>> mode 100644
>>>>>> meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>>
>>>>>> diff --git a/doc/user_manual.md b/doc/user_manual.md
>>>>>> index db0bf85..53bb36a 100644
>>>>>> --- a/doc/user_manual.md
>>>>>> +++ b/doc/user_manual.md
>>>>>> @@ -328,6 +328,7 @@ Some other variables include:
>>>>>> - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it
>>>>>> to the default URI in the format `ftp.debian.org
>>>>>> my.preferred.mirror`. This variable is optional.
>>>>>> - `CFG_ROOT_PW` - The encrypted root password to be set. To
>>>>>> encrypt password use `mkpasswd`. You find `mkpasswd` in the
>>>>>> `whois` package of Debian. If the variable is empty, root login
>>>>>> is passwordless.
>>>>>> - `CFG_ROOT_LOCKED` - If set to `1` the root account will be
>>>>>> locked.
>>>>>> + - `CFG_USER_PW` - A space separated list of user names and
>>>>>> encrypted passwords separated by a colon. (e.g.
>>>>>> `username1:encryptedpw1 username2:encryptedpw2`)
>>>>>>
>>>>>> ---
>>>>>>
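Review bot: the new CFG_USER_PW entry does not say how to produce the encrypted password, unlike the CFG_ROOT_PW entry just above it, which points to mkpasswd from the whois package. The new entry should reference the same tool. It should also state that entries are split on whitespace, so neither the user name nor the hash may contain a space, and say what happens when a listed user does not exist in the image.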
>>>>>> diff --git a/meta-isar/conf/local.conf.sample
>>>>>> b/meta-isar/conf/local.conf.sample index e5827aa..494a283 100644
>>>>>> --- a/meta-isar/conf/local.conf.sample
>>>>>> +++ b/meta-isar/conf/local.conf.sample
>>>>>> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?= "0"
>>>>>> # mkpasswd -m sha512crypt -R 10000
>>>>>> # mkpasswd is part of the 'whois' package of Debian
>>>>>> CFG_ROOT_PW ?=
>>>>>> "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
>>>>>>
>>>>>> +# Set user 'isar' password to 'isar':
>>>>>> +CFG_USER_PW ?=
>>>>>> "isar:$6$rounds=10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1"
>>>>>>
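Review bot: the CFG_USER_PW default added at the end of this hunk gives user 'isar' the password 'isar', and the comment above it publishes the cleartext, so any image built from an unmodified copy of local.conf.sample ships a known credential. Suggest shipping the line commented out, or marking it clearly as a development-only default. Nothing in this patch creates the 'isar' account, so the sample also depends on that account being provided elsewhere.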
>>>>>> diff --git a/meta/classes/isar-image.bbclass
>>>>>> b/meta/classes/isar-image.bbclass index cdd1651..0100d0b 100644
>>>>>> --- a/meta/classes/isar-image.bbclass
>>>>>> +++ b/meta/classes/isar-image.bbclass
>>>>>> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>>>>>>
>>>>>> DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>>>>>>
>>>>>> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge
>>>>>> isar-cfg-rootpw" +IMAGE_TRANSIENT_PACKAGES +=
>>>>>> "isar-cfg-localepurge isar-cfg-rootpw isar-cfg-userpw"
>>>>>>
>>>>>> WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>>>>>>
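Review bot: isar-cfg-userpw is appended to IMAGE_TRANSIENT_PACKAGES unconditionally in the changed line, so every image inheriting this class installs the same package, built from a single CFG_USER_PW value. Two images in one build cannot carry different passwords (for example a locked-down image and a development image), and the package is pulled even when CFG_USER_PW is empty. Consider adding it only when the variable is set, and documenting that the value applies per build rather than per image.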
>>>>>> diff --git
>>>>>> a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>>>>> b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl new
>>>>>> file mode 100644 index 0000000..47fffd0
>>>>>> --- /dev/null
>>>>>> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>>>>> @@ -0,0 +1,15 @@
>>>>>> +#!/bin/sh
>>>>>> +set -e
>>>>>> +
>>>>>> +USER_ENTRIES='${CFG_USER_PW} '
>>>>>> +
>>>>>> +while true; do
>>>>>> + USER_ENTRY="${USER_ENTRIES%% *}" # First element of list
>>>>>> + USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" # Rest of list
>>>>>> +
>>>>>> + if [ -z "${USER_ENTRY}" ]; then
>>>>>> + break
>>>>>> + fi
>>>>>> +
>>>>>> + printf '%s' "${USER_ENTRY}" | chpasswd -e
>>>>>> +done
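Review bot: in the USER_ENTRIES assignment, ${CFG_USER_PW} is placed inside a single-quoted shell string, so if the template substitution is textual, a single quote anywhere in the configured value ends the string and the remainder is executed as shell code by the postinst. The recipe should reject values containing a quote before the template is filled. In USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" the inner expansion is unquoted and is therefore treated as a pattern; writing it as "${USER_ENTRIES#"${USER_ENTRY}" }" keeps the match literal. With set -e, the first entry that chpasswd rejects aborts the script, so later entries are never applied; that behaviour deserves a comment.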
>>>>>> diff --git
>>>>>> a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>> b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb new
>>>>>> file mode 100644 index 0000000..75b0446
>>>>>> --- /dev/null
>>>>>> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>> @@ -0,0 +1,23 @@
>>>>>> +# This software is a part of ISAR.
>>>>>> +
>>>>>> +DESCRIPTION = "Isar configuration package for user passwords"
>>>>>> +MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>>>>>> +DEBIAN_DEPENDS = "passwd"
>>>>>> +
>>>>>> +SRC_URI = "file://postinst.tmpl"
>>>>>> +
>>>>>> +TEMPLATE_FILES = "postinst.tmpl"
>>>>>> +TEMPLATE_VARS = "CFG_USER_PW"
>>>>>> +
>>>>>> +CFG_USER_PW ?= ""
>>>>>> +
>>>>>> +python() {
>>>>>> + # Enforce CFG_USER_PW to be a single space separated array
>>>>>> + d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW",
>>>>>> True).split())) +}
>>>>>> +
>>>>>> +inherit dpkg-raw
>>>>>> +
>>>>>> +do_install() {
>>>>>> + echo "intentionally left blank"
>>>>>> +}
>>>>>>
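Review bot: the anonymous python() function only normalises whitespace in CFG_USER_PW; it does not check that each entry has the user:hash form, so a malformed entry is only detected when chpasswd runs in the postinst. Suggest validating each element at parse time (a non-empty user name, a colon and a non-empty hash, with no quote characters) and failing with bb.fatal otherwise. Separately, do_install echoes "intentionally left blank" into the build log; a ':' no-op or a comment would express the same intent.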
>>>>>
>>>>> Missed this until I had to deal with it: This does not allow
>>>>> per-image password configuration because there is only one,
>>>>> hard-coded isar-cfg-userpw package that all images pull. E.g.,
>>>>> how to build a release (root account locked) and a debug image
>>>>> (well-known insecure or empty password) at the same time now?
>>>>>
>>>>> We rather need to change the logic to pass the control variables
>>>>> from the host down into the chroot during installation where the
>>>>> transient package can then evaluate them. Or model this - as a
>>>>> special case - without a package.
>>>>>
>>>>> Before the release, we should at least prove if the current
>>>>> recipe interface can be maintained with the above requirement, so
>>>>> that we do not break it again right after that.
>>>>>
>>>>
>>>> The same conceptual issue applies to isar-cfg-localepurge:
>>>> LOCALE_GEN and LOCALE_DEFAULT should be configurable on a
>>>> per-image basis, not a per-build.
>>>
>>> You are right! I haven't considered that.
>>>
>>> Normally you would not have a 'debug' image and a 'release' image,
>>> but different multi/local configurations for that. Having debug
>>> images and release images is an anti-pattern for bb based projects
>>> IMO and should not be done in Isar.
>>
>> This is not true. In the end, you will always have two images of that
>> kind, often defined by different package sets, set in the respective
>> image recipes.
>>
>>>
>>> But of course if you now have a '*-debug' and '*-release'
>>> multiconfig, you cannot build that in parallel if one package is
>>> built with two different variables.
>>>
>>> And that exactly hits the mark with the problem I have with the way
>>> Isar uses multiconfigs and tries to share packages from different
>>> multiconfigs.
>>>
>>> IMO if you want to continue doing it that way, you would need to
>>> have an 'isar-cfg-localpurge-debug' and an 'isar-cfg-userpw-debug'.
>>> And do that for all possible other configurations you want to build
>>> in parallel...
>>
>> Awkward. We need to stop these weird patterns which require too many
>> boilerplate recipes to achieve very simple things. Let's just make
>> these variables per-image.
>
> I had a feeling that same PN-PV but different content could be a
> problem. And here we go. But Claudius is right, either we have
> different packages (by name and/or version) or we do not use packages
> for such tasks. Per Image variables will not work, the last
> do_deploy_deb will win and set the password for every image sharing the
> repo.
Right, we need to discuss that "everything is a package" in this context.
It may make Isar life easier, but not Isar user's life. Also, it's deviating with
the image configuration from OE.
Jan
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux