Subject: Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot
To: "[ext] Claudius Heine", Harald Seiler, isar-users@googlegroups.com
References: <1544691418.2560.7.camel@denx.de> <1544694484.2560.15.camel@denx.de>
From: Jan Kiszka
Message-ID: <622004a8-a4c5-2b3a-3dc3-ce3cfe640320@siemens.com>
Date: Thu, 13 Dec 2018 11:09:14 +0100

On 13.12.18 11:03, [ext] Claudius Heine wrote:
> Hi,
>
> On 13/12/2018 10.48, Harald Seiler wrote:
>> Hello Claudius,
>>
>> On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote:
>>> Hi Harald,
>>>
>>> On 13/12/2018 09.56, Harald Seiler wrote:
>>>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
>>>> will lead to a call to `systemctl restart ssh`.  This call blocks
>>>> forever because of course the sshd-regen-keys unit, which is a
>>>> dependency of sshd, hasn't finished at this point and can't do so
>>>> because it is waiting as well.
>>>>
>>>> To circumvent this deadlock, this commit changes sshd-regen-keys'
>>>> behavior so sshd is first disabled and only reenabled after the
>>>> job is done.
>>>>
>>>> Signed-off-by: Harald Seiler
>>>> ---
>>>>    .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>>>>    .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19
>>>> +++++++++++++++++++
>>>>    .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
>>>>    3 files changed, 25 insertions(+), 3 deletions(-)
>>>>    create mode 100644
>>>> meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
>>>>
>>>> diff --git >>>> a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >>>> index 3b8231f..a05e1a9 100644 >>>> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
>>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc >>>>    Type=oneshot >>>>    RemainAfterExit=yes >>>>    Environment=DEBIAN_FRONTEND=noninteractive >>>> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure >>>> openssh-server" >>>> +ExecStart=/usr/sbin/sshd-regen-keys.sh >>>>    ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service >>>>    StandardOutput=syslog >>>>    StandardError=syslog >>>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh >>>> b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh >>>> new file mode 100644 >>>> index 0000000..294e8fa >>>> --- /dev/null >>>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh 
>>>> @@ -0,0 +1,19 @@ >>>> +#!/usr/bin/env sh >>>> + >>>> +echo -n "SSH server is " >>>> +if systemctl is-enabled ssh; then >>>> +    SSHD_ENABLED="true" >>>> +    systemctl disable --no-reload ssh >>>> +fi >>>> + >>>> +echo "Removing keys ..." >>>> +rm -v /etc/ssh/ssh_host_*_key* >>>> + >>>> +echo "Regenerating keys ..." >>>> +dpkg-reconfigure openssh-server
>>>
>>> Since this is part of 'meta', does it make sense to make the package
>>> name+service file name configurable from the bitbake configuration or is
>>> that too much trouble.
>>>
>>
>> I don't quite understand what you mean, can you please
>> elaborate on that?
>
> Basically if those names should be configurable from the isar distro/multiconfig
> etc. E.g. what happens if I decided to use some openssh replacement or a
> different/future Debian-based distribution?
>
> IIUC ideally `meta` should be distribution independent.
>
> So if that is wanted then we would need to create those files via some template
> mechanism, e.g. envsubst or just sed.
>
> But since sshd-regen-keys already depends on those elsewhere, that point might
> just be out of scope of this patch. So I let you decide. :)
>

I agree on the general goal but I think we could be more relaxed at this stage
/wrt optional support packages like this one. Eventually, we can sort out also
these kinds of dependencies but we will also need proper test cases for such
abstractions which we lack at this point.

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
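Review bot: in the sshd-regen-keys.service hunk, `ExecStart=/usr/sbin/sshd-regen-keys.sh` executes the script directly, but the diffstat adds the file with `create mode 100644`, so this only works if the `sshd-regen-keys_0.1.bb` change (listed in the diffstat, not quoted here) installs it at that path with the execute bit set; please confirm the install mode. Note also that `ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service` still runs only when ExecStart succeeds, so any non-zero exit from the script leaves the unit enabled and `rm -v /etc/ssh/ssh_host_*_key*` runs again on every following boot, giving clients a different host key each time.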
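Review bot: in the sshd-regen-keys.sh hunk, the disable/re-enable sequence is not safe against interruption and the script has no `set -e`. If the unit is stopped (or the board loses power) after `systemctl disable --no-reload ssh` but before the re-enable that the commit message describes, the next boot re-runs the unit, `systemctl is-enabled ssh` now fails, `SSHD_ENABLED` stays unset, and ssh is never re-enabled. Suggest persisting the original enablement state (for example in a marker file under /etc, where the unit already requires read-write access) before disabling, and adding `set -e` (plus `set -u`, since `SSHD_ENABLED` is assigned in only one branch) right after the shebang, so a failing `dpkg-reconfigure openssh-server` cannot leave the unit reporting success with the host keys already deleted. Minor: under `#!/usr/bin/env sh`, `echo -n` is implementation-defined in POSIX; `printf '%s' "SSH server is "` is the portable form.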