Subject: Re: [PATCH] added 'isar-cfg-userpw' package
From: Jan Kiszka
To: Henning Schild
Cc: Claudius Heine, "[ext] claudius.heine.ext@siemens.com", isar-users@googlegroups.com
Date: Mon, 25 Feb 2019 12:15:32 +0100
Message-ID: <40ca1c88-0843-5036-b9eb-c19fcd80078c@siemens.com>
In-Reply-To: <20190225103217.0b079975@md1za8fc.ad001.siemens.net>

On 25.02.19 10:32, Henning Schild wrote:
> On Mon, 25 Feb 2019 09:48:38 +0100, "[ext] Jan Kiszka" wrote:
>
>> On 25.02.19 09:44, Claudius Heine wrote:
>>> Hi Jan,
>>>
>>> Quoting Jan Kiszka (2019-02-25 09:07:35)
>>>> On 23.02.19 11:42, Jan Kiszka wrote:
>>>>> On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
>>>>>> From: Claudius Heine
>>>>>>
>>>>>> With this package setting of arbitrary user passwords should be
>>>>>> possible.
>>>>>>
>>>>>> To do this use the 'CFG_USER_PW' variable as described in the
>>>>>> user manual.
>>>>>>
>>>>>> Signed-off-by: Claudius Heine
>>>>>> ---
>>>>>>   doc/user_manual.md                            |  1 +
>>>>>>   meta-isar/conf/local.conf.sample              |  2 ++
>>>>>>   meta/classes/isar-image.bbclass               |  2 +-
>>>>>>   .../isar-cfg-userpw/files/postinst.tmpl       | 15 ++++++++++++
>>>>>>   .../isar-cfg-userpw/isar-cfg-userpw.bb        | 23 +++++++++++++++++++
>>>>>>   5 files changed, 42 insertions(+), 1 deletion(-)
>>>>>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>>>>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>>
>>>>>> diff --git a/doc/user_manual.md b/doc/user_manual.md
>>>>>> index db0bf85..53bb36a 100644
>>>>>> --- a/doc/user_manual.md
>>>>>> +++ b/doc/user_manual.md
>>>>>> @@ -328,6 +328,7 @@ Some other variables include:
>>>>>>   - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the default URI in the format `ftp.debian.org my.preferred.mirror`. This variable is optional.
>>>>>>   - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. If the variable is empty, root login is passwordless.
>>>>>>   - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked.
>>>>>> + - `CFG_USER_PW` - A space separated list of user names and encrypted passwords separated by a colon. (e.g. `username1:encryptedpw1 username2:encryptedpw2`)
>>>>>>
>>>>>>   ---
>>>>>>
>>>>>> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample
>>>>>> index e5827aa..494a283 100644
>>>>>> --- a/meta-isar/conf/local.conf.sample
>>>>>> +++ b/meta-isar/conf/local.conf.sample
>>>>>> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?= "0"
>>>>>>   #   mkpasswd -m sha512crypt -R 10000
>>>>>>   # mkpasswd is part of the 'whois' package of Debian
>>>>>>   CFG_ROOT_PW ?= "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/"
>>>>>>
>>>>>> +# Set user 'isar' password to 'isar':
>>>>>> +CFG_USER_PW ?= "isar:$6$rounds=10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1"
>>>>>>
>>>>>> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass
>>>>>> index cdd1651..0100d0b 100644
>>>>>> --- a/meta/classes/isar-image.bbclass
>>>>>> +++ b/meta/classes/isar-image.bbclass
>>>>>> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }"
>>>>>>
>>>>>>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}"
>>>>>>
>>>>>> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw"
>>>>>> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw isar-cfg-userpw"
>>>>>>
>>>>>>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}"
>>>>>>
>>>>>> diff --git a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>>>>> new file mode 100644
>>>>>> index 0000000..47fffd0
>>>>>> --- /dev/null
>>>>>> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl
>>>>>> @@ -0,0 +1,15 @@
>>>>>> +#!/bin/sh
>>>>>> +set -e
>>>>>> +
>>>>>> +USER_ENTRIES='${CFG_USER_PW} '
>>>>>> +
>>>>>> +while true; do
>>>>>> +    USER_ENTRY="${USER_ENTRIES%% *}" # First element of list
>>>>>> +    USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" # Rest of list
>>>>>> +
>>>>>> +    if [ -z "${USER_ENTRY}" ]; then
>>>>>> +        break
>>>>>> +    fi
>>>>>> +
>>>>>> +    printf '%s' "${USER_ENTRY}" | chpasswd -e
>>>>>> +done
>>>>>> diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>> new file mode 100644
>>>>>> index 0000000..75b0446
>>>>>> --- /dev/null
>>>>>> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb
>>>>>> @@ -0,0 +1,23 @@
>>>>>> +# This software is a part of ISAR.
>>>>>> +
>>>>>> +DESCRIPTION = "Isar configuration package for user passwords"
>>>>>> +MAINTAINER = "isar-users "
>>>>>> +DEBIAN_DEPENDS = "passwd"
>>>>>> +
>>>>>> +SRC_URI = "file://postinst.tmpl"
>>>>>> +
>>>>>> +TEMPLATE_FILES = "postinst.tmpl"
>>>>>> +TEMPLATE_VARS = "CFG_USER_PW"
>>>>>> +
>>>>>> +CFG_USER_PW ?= ""
>>>>>> +
>>>>>> +python() {
>>>>>> +    # Enforce CFG_USER_PW to be a single space separated array
>>>>>> +    d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW", True).split()))
>>>>>> +}
>>>>>> +
>>>>>> +inherit dpkg-raw
>>>>>> +
>>>>>> +do_install() {
>>>>>> +    echo "intentionally left blank"
>>>>>> +}
>>>>>>
>>>>>
>>>>> Missed this until I had to deal with it: This does not allow
>>>>> per-image password configuration because there is only one,
>>>>> hard-coded isar-cfg-userpw package that all images pull. E.g.,
>>>>> how to build a release (root account locked) and a debug image
>>>>> (well-known insecure or empty password) at the same time now?
>>>>>
>>>>> We rather need to change the logic to pass the control variables
>>>>> from the host down into the chroot during installation where the
>>>>> transient package can then evaluate them. Or model this - as a
>>>>> special case - without a package.
>>>>>
>>>>> Before the release, we should at least prove if the current
>>>>> recipe interface can be maintained with the above requirement, so
>>>>> that we do not break it again right after that.
>>>>>
>>>>
>>>> The same conceptual issue applies to isar-cfg-localepurge:
>>>> LOCALE_GEN and LOCALE_DEFAULT should be configurable on a
>>>> per-image basis, not a per-build.
>>>
>>> You are right! I haven't considered that.
>>>
>>> Normally you would not have a 'debug' image and a 'release' image,
>>> but different multi/local configurations for that. Having debug
>>> images and release images is an anti-pattern for bb based projects
>>> IMO and should not be done in Isar.
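Review bot: the new `CFG_USER_PW` entry in the user_manual.md hunk is less complete than the `CFG_ROOT_PW` entry right above it: it does not say how to produce the "encrypted passwords" (the `mkpasswd` from the `whois` package that `CFG_ROOT_PW` points to), and it does not state that every listed user name must already exist in the root file system when the transient package is configured, which is what `chpasswd -e` in postinst.tmpl requires. Suggest adding both sentences, e.g. "Encrypt passwords with `mkpasswd` as for `CFG_ROOT_PW`; the users must be created by an earlier package, `chpasswd` does not create accounts."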
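Review bot: in the local.conf.sample hunk, `CFG_USER_PW ?= "isar:$6$rounds=10000$WMnSt8s9nLE$..."` is an active default, not a commented-out example, so a build started from the sample configuration ships the `isar` account with the password `isar` that the comment line publishes, just as the existing `CFG_ROOT_PW` line does for root; and because `TEMPLATE_VARS = "CFG_USER_PW"` substitutes the hash into postinst.tmpl, the hash is also baked into the isar-cfg-userpw package that every image sharing the repository installs. Suggest commenting the assignment out (keeping `# Set user 'isar' password to 'isar':` as the example) or marking it explicitly as a development-only setting that release configurations must override.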
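Review bot: the loop in postinst.tmpl hands each `user:hash` entry to `chpasswd -e` without checking that the user exists or that the entry actually contains a colon, and since the script runs under `set -e`, a user not yet created in the rootfs or a malformed entry aborts the postinst and fails the image build with only chpasswd's one-line error to explain it. Suggest validating before the `printf`, e.g. `getent passwd "${USER_ENTRY%%:*}" >/dev/null || { echo "isar-cfg-userpw: unknown user ${USER_ENTRY%%:*}" >&2; exit 1; }`, and rejecting entries where `${USER_ENTRY#*:}` is empty. Separately, `USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }"` uses the entry unquoted as a pattern, so any glob character in an entry would change what is stripped; `${USER_ENTRIES#"${USER_ENTRY}" }` treats it literally and is POSIX sh.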
>>
>> This is not true. In the end, you will always have two images of that
>> kind, often defined by different package sets, set in the respective
>> image recipes.
>>
>>>
>>> But of course if you now have a '*-debug' and '*-release'
>>> multiconfig, you cannot build that in parallel if one package is
>>> built with two different variables.
>>>
>>> And that exactly hits the mark with the problem I have with the way
>>> Isar uses multiconfigs and tries to share packages from different
>>> multiconfigs.
>>>
>>> IMO if you want to continue doing it that way, you would need to
>>> have an 'isar-cfg-localpurge-debug' and an 'isar-cfg-userpw-debug'.
>>> And do that for all possible other configurations you want to build
>>> in parallel...
>>
>> Awkward. We need to stop these weird patterns which require too much
>> boilerplate recipes to achieve very simple things. Let's just make
>> these variables per-image.
>
> I had a feeling that same PN-PV but different content could be a
> problem. And here we go. But Claudius is right, either we have
> different packages (by name and/or version) or we do not use packages
> for such tasks. Per-image variables will not work, the last
> do_deploy_deb will win and set the password for every image sharing the
> repo.

Right, we need to discuss that "everything is a package" in this
context. It may make Isar's life easier, but not the Isar user's life.
Also, it's deviating with the image configuration from OE.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux