Message-ID: <4a8cbaae-9e20-4965-9e81-f31659abea57@ilbers.de>
Date: Wed, 26 Nov 2025 11:02:14 +0100
Subject: Re: [PATCH] mmdebstrap: support for user credentials for apt sources
To: Cedric Hombourger, isar-users@googlegroups.com
References: <20251121042931.3520717-1-cedric.hombourger@siemens.com>
From: Zhihang Wei
In-Reply-To: <20251121042931.3520717-1-cedric.hombourger@siemens.com>

Applied to next, thanks.

On 11/21/25 05:29, 'Cedric Hombourger' via isar-users wrote:
> Some organizations may restrict access to their package feeds and require
> users to supply a user and password/token. With Isar having adopted
> mmdebstrap, we may now supply an apt auth configuration file in
> /etc/apt/auth.conf.d/. Credentials may be specified in local.conf (a kas
> configuration fragment with environment variables may be used). Multiple
> remotes and their respective credentials may be listed:
>
> ISAR_APT_CREDS += "apt.server1.com"
> ISAR_APT_CREDS_apt.server1.com = "my-user-for-server1 pass-for-server1"
>
> ISAR_APT_CREDS += "apt.server2.com"
> ISAR_APT_CREDS_apt.server2.com = "another-user-for-server2 different-pass"
>
> Signed-off-by: Cedric Hombourger
> ---
> RECIPE-API-CHANGELOG.md | 18 ++++++++++
> doc/user_manual.md | 10 ++++++
> .../isar-mmdebstrap/isar-mmdebstrap.inc | 34 +++++++++++++++++++
> 3 files changed, 62 insertions(+)
> > diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md > index 20183a8d..ede375fa 100644 > --- a/RECIPE-API-CHANGELOG.md > +++ b/RECIPE-API-CHANGELOG.md > @@ -866,3 +866,21 @@ INITRD_IMAGE is "only" deprecated; meaning that it may still be used (but > build-time warnings will be raised). If both IMAGE_INITRD and INITRD_IMAGE > are set then the latter will be ignored (a warning noting that both were > set will be emitted). > + > +### User-authentification for apt sources > + > +Some organization may restrict access to their package feeds and require > +users to supply a user and password/token. With Isar having adopted > +mmdebstrap, we may now supply an apt auth configuration file in > +/etc/apt/auth.conf.d/. Credentials may be specified in local.conf (a kas > +configuration fragment with environment variables may be used). Multiple > +remotes and their respective credentials may be listed: > + > + ISAR_APT_CREDS += "apt.server1.com" > + ISAR_APT_CREDS_apt.server1.com = "my-user-for-server1 pass-for-server1" > + > + ISAR_APT_CREDS += "apt.server2.com" > + ISAR_APT_CREDS_apt.server2.com = "another-user-for-server2 different-pass" > + > +NOTE: this is not supported for the (soon-to-be-removed?) legacy bootstrap > +method (based on deboostrap) > diff --git a/doc/user_manual.md b/doc/user_manual.md > index efe65a51..30002bea 100644 > --- a/doc/user_manual.md > +++ b/doc/user_manual.md 
> @@ -451,6 +451,7 @@ Some other variables include: > - `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` - Unix timestamp of the security distribution. Optional. > - `ISAR_APT_SNAPSHOT_DATE` - Timestamp in upstream format (e.g. `20240702T082400Z`) of the apt snapshot. Overrides `ISAR_APT_SNAPSHOT_TIMESTAMP` if set. Otherwise, will be automatically derived from `ISAR_APT_SNAPSHOT_TIMESTAMP` > - `ISAR_APT_SNAPSHOT_DATE[security]` - Timestamp in upstream format of the security distribution. Optional. > + * `ISAR_APT_CREDS` - List of of remote apt servers requiring credentials (individually configured with `ISAR_APT_CREDS_server_fqdn = "user password")` > - `THIRD_PARTY_APT_KEYS` - List of gpg key URIs used to verify apt repos for apt installation after bootstrapping. > - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS. > - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable. > @@ -540,6 +541,15 @@ DISTRO_CONFIG_SCRIPT?= "raspbian-configscript.sh" > DISTRO_KERNELS ?= "rpi rpi2 rpi-rpfv rpi2-rpfv" > ``` > > +If the distribution has apt sources requiring authentication, users may add the following to e.g. `local.conf`: > + > + ``` > + ISAR_APT_CREDS += "apt.restricted-server.com" > + ISAR_APT_CREDS_apt.restricted-server.com = "my-user-name my-password-or-token" > + ``` > + > +Consider passing these credentials via (CI-protected) environment variables and refrain from leaving your credentials in `local.conf`. > + > For RaspiOS a different DISTRO_KERNELS list is used: > - `kernel` - for Raspberry Pi 1, Pi Zero, Pi Zero W, and Compute Module > - `kernel7` - for Raspberry Pi 2, Pi 3, Pi 3+, and Compute Module 3 
> diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > index b2de61ad..d88628ac 100644 > --- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > +++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc > @@ -74,6 +74,39 @@ do_generate_keyrings() { > } > addtask generate_keyrings before do_build after do_unpack > > +# Generate an apt configuration file holding credentials for the apt sources > +# requiring user authentication > +do_generate_auth_file[vardeps] += "ISAR_APT_CREDS" > +python do_generate_auth_file() { > + creds = d.getVar('ISAR_APT_CREDS') or '' > + auth_file = os.path.join(d.getVar('WORKDIR'), 'apt-auth') > + if not creds: > + if os.path.exists(auth_file): > + os.unlink(auth_file) > + return > + > + with open(auth_file, "w") as f: > + for machine in creds.split(): > + user_password = d.getVar(f"ISAR_APT_CREDS_{machine}") > + try: > + user, passwd = user_password.split() > + f.write(f"machine {machine}\n" > + f" user {user}\n" > + f" password {passwd}\n") > + except ValueError: > + bb.fatal(f"Too few/many tokens in ISAR_APT_CREDS['{machine}']: " > + f"user and password expected (got '{user_password}')!") > +} > +addtask generate_auth_file before do_bootstrap after do_unpack > + > +def get_apt_auth_opts(d): > + creds = d.getVar('ISAR_APT_CREDS') or '' > + workdir = d.getVar('WORKDIR') > + if creds: > + return "--setup-hook='mkdir -p \"$1/etc/apt/auth.conf.d\"' " + \ > + f"--setup-hook='upload \"{workdir}/apt-auth\" /etc/apt/auth.conf.d/isar.conf'" > + return '' > + > do_bootstrap[vardeps] += " \ > DISTRO_APT_PREMIRRORS \ > ISAR_ENABLE_COMPAT_ARCH \ 
> @@ -189,6 +222,7 @@ do_bootstrap() { > $arch_param \ > --mode=unshare \ > ${MMHOOKS} \ > + ${@get_apt_auth_opts(d)} \ > --setup-hook='mkdir -p "$1/var/cache/apt/archives/"' \ > --setup-hook="$extra_setup" \ > --setup-hook='upload "${APTPREFS}" /etc/apt/preferences.d/bootstrap' \
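
Review bot: In the RECIPE-API-CHANGELOG.md hunk, the heading "User-authentification for apt sources" should read "User authentication for apt sources", and "deboostrap" in the closing NOTE should be "debootstrap". The entry also shows the password set literally in local.conf without the caveat that the doc/user_manual.md hunk carries about passing credentials through protected environment variables; repeat or reference that caveat here.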
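
Review bot: In the first doc/user_manual.md hunk (@@ -451,6 +451,7 @@), the new `ISAR_APT_CREDS` entry uses a `*` bullet while the neighbouring entries use `-`, contains "List of of", and closes the code span after the parenthesis (`"user password")`), so the `)` is rendered as part of the assignment. Align the bullet marker, drop the duplicated word and move the closing backtick before the `)`.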
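
Review bot: In the second doc/user_manual.md hunk (@@ -540,6 +541,15 @@), the added paragraph recommends environment variables but the only example shows literal credentials in `local.conf`, and it does not say that the value is split on whitespace into exactly two tokens by do_generate_auth_file(), so a user name or password containing a space is rejected with a fatal error. Document that constraint next to the example and show the environment-variable form the text recommends.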
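
Review bot: In do_generate_auth_file() in the first isar-mmdebstrap.inc hunk, `d.getVar(f"ISAR_APT_CREDS_{machine}")` returns None when a server is listed in ISAR_APT_CREDS without its per-server variable, so `user_password.split()` raises AttributeError, which `except ValueError` does not catch, and the intended bb.fatal message is never shown; default the value with `or ''`. The bb.fatal text interpolates `user_password`, which writes the credential into the build log when an entry is malformed, and it names the variable as `ISAR_APT_CREDS['{machine}']` although the variable read is `ISAR_APT_CREDS_{machine}`; report only the variable name and the number of tokens found. The file is created with `open(auth_file, "w")` under the default umask, so consider creating it with mode 0600 since it holds passwords in WORKDIR. The vardeps line lists only ISAR_APT_CREDS while the per-server variables are read through a computed name, so please check whether a changed password retriggers the task.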
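
Review bot: The `${@get_apt_auth_opts(d)}` line added to do_bootstrap() uploads the credentials file to /etc/apt/auth.conf.d/isar.conf inside the bootstrapped root, and nothing in the visible lines removes it afterwards. State in the commit message or the documentation whether the credentials are meant to remain in the bootstrap root filesystem, and if they are not, add a cleanup step after the package download so the file does not travel with a cached or reused rootfs.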