Subject: Re: [PATCH] added 'isar-cfg-userpw' package
To: Claudius Heine , "[ext] claudius.heine.ext@siemens.com" , isar-users@googlegroups.com
References: <20190218162113.8538-1-claudius.heine.ext@siemens.com> <66062d8f-1a2f-55bb-80fb-3f14ce05eace@web.de> <683245f8-e5f0-38b8-0532-94170db742fe@siemens.com> <155108427994.4408.2228465568428075120@ardipi>
From: Jan Kiszka
Message-ID: <44468fac-f5b7-2178-9170-8eb382528c4a@siemens.com>
Date: Mon, 25 Feb 2019 09:48:38 +0100
In-Reply-To: <155108427994.4408.2228465568428075120@ardipi>

On 25.02.19 09:44, Claudius Heine wrote:
> Hi Jan,
>
> Quoting Jan Kiszka (2019-02-25 09:07:35)
>> On 23.02.19 11:42, Jan Kiszka wrote:
>>> On 18.02.19 17:21, [ext] claudius.heine.ext@siemens.com wrote:
>>>> From: Claudius Heine >>>> >>>> With this package setting of arbitrary user passwords should be >>>> possible. >>>> >>>> To do this use the 'CFG_USER_PW' variable as described in the user >>>> manual. >>>> >>>> Signed-off-by: Claudius Heine >>>> --- >>>>   doc/user_manual.md                            |  1 + >>>>   meta-isar/conf/local.conf.sample              |  2 ++ >>>>   meta/classes/isar-image.bbclass               |  2 +- >>>>   .../isar-cfg-userpw/files/postinst.tmpl       | 15 ++++++++++++ >>>>   .../isar-cfg-userpw/isar-cfg-userpw.bb        | 23 +++++++++++++++++++ >>>>   5 files changed, 42 insertions(+), 1 deletion(-) >>>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl >>>>   create mode 100644 meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb >>>> >>>> diff --git a/doc/user_manual.md b/doc/user_manual.md >>>> index db0bf85..53bb36a 100644 >>>> --- a/doc/user_manual.md >>>> +++ b/doc/user_manual.md >>>> @@ -328,6 +328,7 @@ Some other variables include: >>>>    - `DISTRO_APT_PREMIRRORS` - The preferred mirror (append it to the default >>>> URI in the format `ftp.debian.org my.preferred.mirror`. This variable is >>>> optional. >>>>    - `CFG_ROOT_PW` - The encrypted root password to be set. To encrypt >>>> password use `mkpasswd`. You find `mkpasswd` in the `whois` package of Debian. >>>> If the variable is empty, root login is passwordless. >>>>    - `CFG_ROOT_LOCKED` - If set to `1` the root account will be locked. >>>> + - `CFG_USER_PW` - A space separated list of user names and encrypted >>>> passwords separated by a colon. (e.g. `username1:encryptedpw1 >>>> username2:encryptedpw2`) >>>> >>>>   --- >>>> >>>> diff --git a/meta-isar/conf/local.conf.sample b/meta-isar/conf/local.conf.sample >>>> index e5827aa..494a283 100644 >>>> --- a/meta-isar/conf/local.conf.sample >>>> +++ b/meta-isar/conf/local.conf.sample 
>>>> @@ -178,3 +178,5 @@ ISAR_CROSS_COMPILE ?= "0" >>>>   #   mkpasswd -m sha512crypt -R 10000 >>>>   # mkpasswd is part of the 'whois' package of Debian >>>>   CFG_ROOT_PW ?= >>>> "$6$rounds=10000$RXeWrnFmkY$DtuS/OmsAS2cCEDo0BF5qQsizIrq6jPgXnwv3PHqREJeKd1sXdHX/ayQtuQWVDHe0KIO0/sVH8dvQm1KthF0d/" >>>> >>>> +# Set user 'isar' password to 'isar': >>>> +CFG_USER_PW ?= >>>> "isar:$6$rounds=10000$WMnSt8s9nLE$M/0eQVs0f05VpW8uzscs54GUwzhh/gjN3Vb85QEIIh1XihyvE.Xw4reJSxHqWcP0I0CnllKhseg6SRcGIIx7P1" >>>> >>>> diff --git a/meta/classes/isar-image.bbclass b/meta/classes/isar-image.bbclass >>>> index cdd1651..0100d0b 100644 >>>> --- a/meta/classes/isar-image.bbclass >>>> +++ b/meta/classes/isar-image.bbclass >>>> @@ -17,7 +17,7 @@ SRC_URI += "${@ cfg_script(d) }" >>>> >>>>   DEPENDS += "${IMAGE_INSTALL} ${IMAGE_TRANSIENT_PACKAGES}" >>>> >>>> -IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw" >>>> +IMAGE_TRANSIENT_PACKAGES += "isar-cfg-localepurge isar-cfg-rootpw >>>> isar-cfg-userpw" >>>> >>>>   WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}" >>>> >>>> diff --git a/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl >>>> b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl >>>> new file mode 100644 >>>> index 0000000..47fffd0 >>>> --- /dev/null >>>> +++ b/meta/recipes-support/isar-cfg-userpw/files/postinst.tmpl >>>> @@ -0,0 +1,15 @@ >>>> +#!/bin/sh >>>> +set -e >>>> + >>>> +USER_ENTRIES='${CFG_USER_PW} ' >>>> + >>>> +while true; do >>>> +    USER_ENTRY="${USER_ENTRIES%% *}" # First element of list >>>> +    USER_ENTRIES="${USER_ENTRIES#${USER_ENTRY} }" # Rest of list >>>> + >>>> +    if [ -z "${USER_ENTRY}" ]; then >>>> +        break >>>> +    fi >>>> + >>>> +    printf '%s' "${USER_ENTRY}" | chpasswd -e >>>> +done >>>> diff --git a/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb >>>> b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb >>>> new file mode 100644 >>>> index 0000000..75b0446 >>>> --- /dev/null 
>>>> +++ b/meta/recipes-support/isar-cfg-userpw/isar-cfg-userpw.bb 
>>>> @@ -0,0 +1,23 @@ >>>> +# This software is a part of ISAR. >>>> + >>>> +DESCRIPTION = "Isar configuration package for user passwords" >>>> +MAINTAINER = "isar-users " >>>> +DEBIAN_DEPENDS = "passwd" >>>> + >>>> +SRC_URI = "file://postinst.tmpl" >>>> + >>>> +TEMPLATE_FILES = "postinst.tmpl" >>>> +TEMPLATE_VARS = "CFG_USER_PW" >>>> + >>>> +CFG_USER_PW ?= "" >>>> + >>>> +python() { >>>> +    # Enforce CFG_USER_PW to be a single space separated array >>>> +    d.setVar("CFG_USER_PW", " ".join(d.getVar("CFG_USER_PW", True).split())) >>>> +} >>>> + >>>> +inherit dpkg-raw >>>> + >>>> +do_install() { >>>> +    echo "intentionally left blank" >>>> +}
>>>>
>>>
>>> Missed this until I had to deal with it: This does not allow per-image password
>>> configuration because there is only one, hard-coded isar-cfg-userpw package that
>>> all images pull. E.g., how to build a release (root account locked) and a debug
>>> image (well-known insecure or empty password) at the same time now?
>>>
>>> We rather need to change the logic to pass the control variables from the host
>>> down into the chroot during installation where the transient package can then
>>> evaluate them. Or model this - as a special case - without a package.
>>>
>>> Before the release, we should at least prove if the current recipe interface can
>>> be maintained with the above requirement, so that we do not break it again right
>>> after that.
>>>
>>
>> The same conceptual issue applies to isar-cfg-localepurge: LOCALE_GEN and
>> LOCALE_DEFAULT should be configurable on a per-image basis, not a per-build.
>
> You are right! I haven't considered that.
>
> Normally you would not have a 'debug' image and a 'release' image, but
> different multi/local configurations for that. Having debug images and
> release images is an anti-pattern for bb based projects IMO and should
> not be done in Isar.

This is not true.
In the end, you will always have two images of that kind, often defined by
different package sets, set in the respective image recipes.

>
> But of course if you now have a '*-debug' and '*-release' multiconfig,
> you cannot build that in parallel if one package is built with two
> different variables.
>
> And that exactly hits the mark with the problem I have with the way Isar
> uses multiconfigs and tries to share packages from different
> multiconfigs.
>
> IMO if you want to continue doing it that way, you would need to have an
> 'isar-cfg-localpurge-debug' and an 'isar-cfg-userpw-debug'. And do that
> for all possible other configurations you want to build in parallel...

Awkward. We need to stop these weird patterns which require too much boilerplate
recipes to achieve very simple things. Let's just make these variables per-image.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
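Review bot: in the user_manual.md hunk, the new `CFG_USER_PW` entry says the passwords are "encrypted" but, unlike the `CFG_ROOT_PW` entry directly above it, does not say how to produce them; since the postinst hands the entries to `chpasswd -e`, a plaintext value would be stored verbatim in the hash field and the account would simply become unusable instead of getting the intended password. Suggest repeating the `mkpasswd` / `whois` package hint from the `CFG_ROOT_PW` entry and describing the value as space-separated `user:encryptedpw` pairs, which reads less ambiguously than "user names and encrypted passwords separated by a colon".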
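Review bot: in the local.conf.sample hunk, `CFG_USER_PW ?= "isar:$6$..."` enables a well-known credential (user `isar`, password `isar`, as the comment itself says) for every image built from an unmodified sample configuration. Consider shipping the line commented out, or with the comment stating that this is a development default to be replaced, and carrying the same `mkpasswd -m sha512crypt -R 10000` hint that the `CFG_ROOT_PW` block above it already has, so that the sample does not hand out a working login by default.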
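Review bot: in the postinst.tmpl hunk, the loop pipes each entry into `chpasswd -e` without checking that the named user exists, so an entry for an account that is created by a package configured later (or not installed at all) makes `chpasswd` fail and, because of `set -e`, aborts the whole postinst with a generic chpasswd message. Either document in the user manual that the listed users must already exist when this transient package is configured, or check first, e.g. `if ! getent passwd "${USER_ENTRY%%:*}" >/dev/null; then echo "isar-cfg-userpw: no such user in entry ${USER_ENTRY}" >&2; exit 1; fi`, so the failure names the offending entry. Minor: `printf '%s\n'` makes the intent of feeding one `user:hash` line to `chpasswd` explicit.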
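Review bot: in the isar-cfg-userpw.bb hunk, the anonymous `python()` only normalises whitespace; an entry without a colon or with an empty user name passes through unchanged and only surfaces as a `chpasswd` error inside the chroot late in the image build. Validating each entry here, e.g. `bb.fatal("CFG_USER_PW entry '%s' is not of the form user:encryptedpw" % entry)` for any entry that does not split into a non-empty user and hash, reports the misconfiguration at parse time together with the variable name. The comment should also say "list" rather than "array".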