Subject: Re: [PATCH] sshd-regen-keys: Improve service, make more robust
To: Henning Schild
Cc: isar-users, Quirin Gylstorff, Harald Seiler
References: <29bfb292-fa50-e82f-d0aa-172a14f93515@siemens.com> <20210325153026.5d51271a@md1za8fc.ad001.siemens.net>
From: Jan Kiszka
Message-ID: <617ecfce-3b7e-cce7-ba5d-f86c87287e8b@siemens.com>
Date: Thu, 25 Mar 2021 19:53:46 +0100
In-Reply-To: <20210325153026.5d51271a@md1za8fc.ad001.siemens.net>

On 25.03.21 15:30, Henning Schild wrote:
> I am beginning to think we should fix that upstream. If the upstream
> service file would generate the keys if missing ... all isar would need
> to do is remove the files. Either with a package hook or with an
> image-postprocess
>
> On Thu, 25 Mar 2021 13:54:02 +0100, Jan Kiszka wrote:
>
>> From: Jan Kiszka
>>
>> This improves a number of things:
>>
>> - stop the service while regenerating keys, rather than disabling its
>>   auto-start
>
> Not sure this is going to work. There is this "Before=ssh.service"
> which I would expect makes sure it should never end up being
> "is-active". And that dpkg-reconfigure also plays with is-active ...
> /var/lib/dpkg/info/openssh-server.postinst
>
> The idea was to reuse the key generation code from that postinst, but
> the construct we need to build to get that to work seems to be getting
> out of hand and too complicated. In fact it is systemd-only, which
> could be an issue for some.
>
> Maybe running after ssh
> - remove
> - "create with own code"
> - "copy those few ssh-keygen lines"
> - or "source openssh-server.postinst && create_keys"
> - killall -HUP sshd (systemctl reload ssh)
> might turn out to be the simpler and easier to maintain version.
>
> For sure Harald should be involved, did add him to Cc.
>

I don't mind any simpler solution. It needs to be robust as well, that's
all. The one we have so far once again fell apart today and cost me hours
to understand and resolve (because it was slow to reproduce).

Jan

> Henning
>
>> - fix restart test condition
>> - also check that /tmp is writable (better safe than sorry)
>> - do not disable the regen service if it was not successful
>>
>> Signed-off-by: Jan Kiszka
>> ---
>>
>> This obsoletes Quirin's patch "sshd-regen-keys: do not enable ssh
>> server if previously disabled".
>>
>>  .../sshd-regen-keys/files/sshd-regen-keys.service  |  2 +-
>>  .../sshd-regen-keys/files/sshd-regen-keys.sh       | 14 ++++++++------
>>  ...hd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} |  0
>>  3 files changed, 9 insertions(+), 7 deletions(-)
>>  rename meta/recipes-support/sshd-regen-keys/{sshd-regen-keys_0.3.bb => sshd-regen-keys_0.4.bb} (100%)
>> >> diff --git >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >> index f50d34c8..e7142e69 100644 --- >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >> +++ >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >> @@ -5,13 +5,13 @@ Conflicts=shutdown.target >> After=systemd-remount-fs.service Before=shutdown.target ssh.service >> ConditionPathIsReadWrite=/etc +ConditionPathIsReadWrite=/tmp >> [Service] >> Type=oneshot >> RemainAfterExit=yes >> Environment=DEBIAN_FRONTEND=noninteractive >> ExecStart=/usr/sbin/sshd-regen-keys.sh >> -ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service >> StandardOutput=syslog >> StandardError=syslog >> >> diff --git >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh index >> 910d879b..9b19f9d3 100644 --- >> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh +++ >> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh @@ >> -1,9 +1,9 @@ #!/usr/bin/env sh >> echo -n "SSH server is " >> -if systemctl is-enabled ssh; then >> - SSHD_ENABLED="true" >> - systemctl disable --no-reload ssh >> +if systemctl is-active ssh; then >> + SSHD_ACTIVE="true" >> + systemctl stop ssh >> fi >> >> echo "Removing keys ..." >> @@ -12,9 +12,11 @@ rm -v /etc/ssh/ssh_host_*_key* >> echo "Regenerating keys ..." >> dpkg-reconfigure openssh-server >> >> -if test -n $SSHD_ENABLED; then >> - echo "Reenabling ssh server ..." >> - systemctl enable --no-reload ssh >> +if test -n "$SSHD_ACTIVE"; then >> + echo "Restarting ssh server ..." >> + systemctl start ssh >> fi >> >> +systemctl disable sshd-regen-keys.service >> + >> sync 
>> diff --git >> a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb >> b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb >> similarity index 100% rename from >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.3.bb rename to >> meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.4.bb > -- Siemens AG, T RDA IOT Corporate Competence Center Embedded Linux
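Review bot: in the sshd-regen-keys.service hunk, the added `ConditionPathIsReadWrite=/tmp` (like the existing one for /etc) makes the unit silently skip when the path is not writable: a failed Condition* is not a unit failure, so a read-only /tmp leaves the image-wide host keys in place and nothing in the unit state flags it. If a non-writable path should be visible as a failure, `AssertPathIsReadWrite=/tmp` fails the unit loudly instead. Dropping `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` in favour of doing it in the script is the right direction, since the leading `-` made that disable run regardless of ExecStart's result; note however that `Before=ssh.service` is kept, so the `systemctl is-active ssh` branch the script now contains can only be taken on a manual re-run, not on the first boot the unit exists for.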
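Review bot: in the sshd-regen-keys.sh hunk, the unconditional `systemctl disable sshd-regen-keys.service` added before `sync` does not deliver the commit message's "do not disable the regen service if it was not successful": the script has no `set -e` and never checks the exit status of `rm` or `dpkg-reconfigure openssh-server`, so a failed regeneration still disables the unit and the next boot brings sshd up with whatever keys are left. Add `set -e` after the shebang (the `systemctl is-active ssh` inside `if` is unaffected, conditions are exempt) and make the removal tolerant of missing files with `rm -vf /etc/ssh/ssh_host_*_key*` so a non-matching glob is not itself fatal. The quoting change to `test -n "$SSHD_ACTIVE"` is correct and is the real fix of the restart condition: with the variable unset, the old `test -n $SSHD_ENABLED` collapsed to `test -n`, which is true, so ssh was enabled even when it had been disabled before.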
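As an added illustration of the "fix restart test condition" item in the patch (this is not code from the patch or from isar, and the function names are mine): why `test -n $VAR` misfires in POSIX sh when the variable is empty, and how the quoted form the patch introduces behaves.

```shell
#!/bin/sh
# Added example, not part of the patch.  In POSIX sh, `test -n $VAR` with
# VAR empty expands to `test -n`, the one-argument form of test, which is
# true because the string "-n" itself is non-empty.  That is why the old
# sshd-regen-keys.sh re-enabled sshd even when it had not been enabled
# before.  Quoting, `test -n "$VAR"`, keeps the empty argument in place.

# Old check from the script: returns 0 ("was enabled") even for an empty
# marker, because the unquoted expansion drops the argument entirely.
old_should_reenable() {
    SSHD_ENABLED=$1
    test -n $SSHD_ENABLED
}

# Fixed check: the quoted expansion preserves the empty string, so an
# empty marker correctly yields 1 ("was not active").
new_should_restart() {
    SSHD_ACTIVE=$1
    test -n "$SSHD_ACTIVE"
}

# Emulate the tail of the script and print the branch it would take.
# $1 = marker value ("" or "true"), $2 = "old" or "new" variant.
decide() {
    if [ "$2" = old ]; then
        if old_should_reenable "$1"; then echo reenable; else echo leave; fi
    else
        if new_should_restart "$1"; then echo restart; else echo leave; fi
    fi
}

# Stand-alone run: the old variant touches ssh even with an empty marker.
echo "old script, marker empty: $(decide "" old)"
echo "new script, marker empty: $(decide "" new)"
```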