Subject: Re: [PATCH v1] isar-bootstrap: Run gpg-agent before starting apt-key
From: Jan Kiszka
To: Baurzhan Ismagulov, isar-users@googlegroups.com
References: <72ce3a90-0772-c8a4-f233-1b887c636a9d@siemens.com> <20201216155330.28348-1-ibr@radix50.net>
Message-ID: <87deff61-0fc1-9f37-c05d-e875e9f62c06@siemens.com>
Date: Mon, 18 Jan 2021 18:30:45 +0100

On 16.12.20 17:41, [ext] Jan Kiszka wrote:
> On 16.12.20 16:53, Baurzhan Ismagulov wrote:
>> From: Yuri Adamov
>>
>> Building rpi-stretch natively (under qemu) sometimes fails with:
>>
>> gpg: can't connect to the agent: IPC connect call failed
>>
>> gpg starts gpg-agent and times out after 5 s. This value is hard-coded.
>>
>
> This is not limited to stretch or rpi. We were seeing this with buster
> builds on our CI systems as well - likely when they were overloaded.
>
>> Besides, leaving running gpg-agent processes is not clean and prevents
>> unmounting of filesystems.
>>
>> This patch starts and stops the agent manually.
>>
>> Signed-off-by: Yuri Adamov
>> ---
>>
>> Notes:
>> * Submitting WIP for preview, as cleaning up will require testing time.
>> * Remove sleeping.
>
> Yep, that would be good.
>
>> * Remove -9 in kill.
>> * Maybe check if starting the agent is necessary.
>> * Remove OVERRIDES_append and get_distro_needs_gpg_support() if unused.
>
> Those last two points I was wondering about as well: Why do we need to make it
> unconditional now? That should at least be explained - or fixed.
>
>>
>> .../recipes-core/isar-bootstrap/isar-bootstrap.inc | 14 ++++++++++++--
>> 1 file changed, 12 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
>> index 4925a45d..74569e5d 100644
>> --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
>> +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc
>> @@ -24,7 +24,7 @@ DISTRO_BOOTSTRAP_KEYFILES = ""
>> THIRD_PARTY_APT_KEYFILES = ""
>> DEPLOY_ISAR_BOOTSTRAP ?= ""
>> DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales"
>> -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg"
>> +DISTRO_BOOTSTRAP_BASE_PACKAGES_append = ",gnupg"
>> DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "${@https_support(d)}"
>>
>> inherit deb-dl-dir
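Review bot: Dropping the `_gnupg` override on the `DISTRO_BOOTSTRAP_BASE_PACKAGES_append` line makes gnupg a base package of every bootstrap rootfs, not only of distros that set that override, and the neighbouring `_append_https-support` line shows the conditional mechanism is still in use for the https case; either keep `DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg"` so the package stays conditional, or state in the commit message why apt-key now needs gnupg unconditionally and, as the notes already suggest, remove the then-dead `OVERRIDES_append` and `get_distro_needs_gpg_support()` in the same patch so the two do not drift apart.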
>> @@ -307,14 +307,24 @@ isar_bootstrap() {
>> mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d"
>> install -v -m644 "${WORKDIR}/isar-apt.conf" \
>> "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf"
>> + MY_GPGHOME=$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX)
>> + echo "Created temporary directory ${MY_GPGHOME} for gpg-agent"
>> + chroot "${ROOTFSDIR}" gpg-agent --homedir "${MY_GPGHOME}" --daemon
>> find ${APT_KEYS_DIR}/ -type f | while read keyfile
>> do
>> kfn="$(basename $keyfile)"
>> cp $keyfile "${ROOTFSDIR}/tmp/$kfn"
>> chroot "${ROOTFSDIR}" /usr/bin/apt-key \
>> - --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn"
>> + --keyring ${THIRD_PARTY_APT_KEYRING} \
>> + --homedir ${MY_GPGHOME} add "/tmp/$kfn"
>> rm "${ROOTFSDIR}/tmp/$kfn"
>> done
>> + sleep 4
>> + GPG_AGENT_PID=$(ps -aux | grep "gpg-agent.*${MY_GPGHOME}" | grep -v grep | awk '{print $2}')
>> + echo "Killing gpg-agent with pid $GPG_AGENT_PID"
>> + /bin/kill -9 ${GPG_AGENT_PID}
>> + sleep 4
>> + chroot "${ROOTFSDIR}" /bin/rm -rf "${MY_GPGHOME}"
>>
>> if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then
>> install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \
>>
>
> I do like the approach of controlling gpg's lifecycle. As you said, some
> cleanup is needed, but I'm all for going this direction.
>
> Jan
>

Any news on this?

Jan

-- 
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
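Review bot: In the isar_bootstrap() hunk the agent teardown only runs on the success path: there is no trap, so if any apt-key call in the `while read keyfile` loop fails, the task exits with gpg-agent still running and `${MY_GPGHOME}` still present in the rootfs, which is exactly the "prevents unmounting of filesystems" problem the commit message sets out to fix; register the kill and `rm -rf` in a trap before starting the agent. The pid lookup `ps -aux | grep "gpg-agent.*${MY_GPGHOME}" | grep -v grep | awk '{print $2}'` is also fragile: with concurrent builds it can return several pids, and when it matches nothing `/bin/kill -9 ${GPG_AGENT_PID}` runs with an empty argument and fails, leaving the directory behind as well. Stopping the agent through gnupg's own interface (`chroot "${ROOTFSDIR}" gpgconf --homedir "${MY_GPGHOME}" --kill gpg-agent`) addresses it by its socket instead of a process-list regex and lets it shut down cleanly, which also removes the need for `-9` and the two `sleep 4` lines that the notes already mark for removal. Minor: `${THIRD_PARTY_APT_KEYRING}` and `${MY_GPGHOME}` are unquoted on the new apt-key lines while the surrounding script quotes its paths.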