From mboxrd@z Thu Jan  1 00:00:00 1970
X-GM-THRID: 6634399131619033088
X-Received: by 2002:a2e:8842:: with SMTP id z2-v6mr1975716ljj.29.1544694082643;
        Thu, 13 Dec 2018 01:41:22 -0800 (PST)
X-BeenThere: isar-users@googlegroups.com
Received: by 2002:a2e:8551:: with SMTP id u17-v6ls202191ljj.3.gmail; Thu, 13
 Dec 2018 01:41:22 -0800 (PST)
X-Google-Smtp-Source: AFSGD/VLRHiJwGhuMqrFQVk4d8h/+n1qbu3UkSfYyJSY3mojSz/sz1CQQkjmS0tClSZ/cKl0tASn
X-Received: by 2002:a2e:7402:: with SMTP id p2-v6mr2040282ljc.18.1544694081972;
        Thu, 13 Dec 2018 01:41:21 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1544694081; cv=none;
        d=google.com; s=arc-20160816;
        b=NTXoigotwVk3mOr0eniI0au1tG9CYvK0lL+4SWIqTbq+t6qeNH/MChQXCNIEfMOg5V
         Sljh8038zCOx+7Y8CHMD28yXFeRBbXHvoY72pRaxe9I7CtwfBVpQGwTGGwnDHvM/yB/C
         bYy5RuoMmNHM4rn1EPVUDQS+vNrWcskXMk0+i2fFODjjl27TzqvpUmM3DbRr5xT8IICT
         BOBZp6H8+t+N0v6yyvO7nVELuNHL9/Pnu5T+B8M7Da2awwqoj8i6ZyexUEzA11yjwdZ8
         yL+JpIX9MRonsoTCI3alUnciZWqDvqx1S6sQfDSCQpojDIISZgYz+nPX9B0OflDIBEAF
         HMrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:content-language:in-reply-to:mime-version
         :user-agent:date:message-id:from:references:to:subject;
        bh=eDwlB9ObZePj2c/r+Fz9azi6czXdg9BRzUr+8E21bLM=;
        b=odaCtLOuBeg7molnyifYhS4eeNjXhKE1v8tve2kyD0CGjePjCHNpNw1vs23x8To5QX
         YjIR48BH84u9j0GclR2aILR/irsSDsBq3e+Hr3HGq1/67h0cexuUlwr+tT7efqhbrAp+
         TMrGw7lnsna6k2LjHBdXnmPlPJaBDfKGZTU/G1+GbFpRzt29J05rj7bzvXAQ4onvM+Xc
         fKiU9EZmf662dyXXBA/gEPQtB0CPaa7v4dYK9MdUSCf1wvgkebyUnPdzXFsuQZV4naRh
         4vbhqgTIceQfvOkcGiF47f1oDa0AB6wGoT6PrEzAUpS9ZgUgV9BYvalhBENaYIN4n390
         r+QA==
ARC-Authentication-Results: i=1; gmr-mx.google.com;
       spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com
Return-Path: <claudius.heine.ext@siemens.com>
Received: from thoth.sbs.de (thoth.sbs.de. [192.35.17.2])
        by gmr-mx.google.com with ESMTPS id n189si39306lfa.4.2018.12.13.01.41.21
        for <isar-users@googlegroups.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Thu, 13 Dec 2018 01:41:21 -0800 (PST)
Received-SPF: pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.2 as permitted sender) client-ip=192.35.17.2;
Authentication-Results: gmr-mx.google.com;
       spf=pass (google.com: domain of claudius.heine.ext@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=claudius.heine.ext@siemens.com
Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35])
	by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id wBD9fKgG006227
	(version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Thu, 13 Dec 2018 10:41:20 +0100
Received: from [139.25.69.181] (linux-ses-ext02.ppmd.siemens.net [139.25.69.181])
	by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id wBD9fJ1E017156;
	Thu, 13 Dec 2018 10:41:19 +0100
Subject: Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot
To: Harald Seiler <hws@denx.de>, isar-users@googlegroups.com
References: <1544691418.2560.7.camel@denx.de>
From: Claudius Heine <claudius.heine.ext@siemens.com>
Message-ID: <bbc017ba-1db7-9925-9b48-d40ba07deaaf@siemens.com>
Date: Thu, 13 Dec 2018 10:41:19 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <1544691418.2560.7.camel@denx.de>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
X-TUID: fGVGMnFydDI4

Hi Harald,

On 13/12/2018 09.56, Harald Seiler wrote:
> Currently, when sshd-regen-keys runs dpkg-reconfigure, this
> will lead to a call to `systemctl restart ssh`.  This call blocks
> forever because of course the sshd-regen-keys unit, which is a
> dependency of sshd, hasn't finished at this point and can't do so
> because it is waiting as well.
> 
> To circumvent this deadlock, this commit changes sshd-regen-keys'
> behavior so sshd is first disabled and only reenabled after the
> job is done.
> 
> Signed-off-by: Harald Seiler <hws@denx.de>
> ---
>   .../sshd-regen-keys/files/sshd-regen-keys.service     |  2 +-
>   .../sshd-regen-keys/files/sshd-regen-keys.sh          | 19 +++++++++++++++++++
>   .../sshd-regen-keys/sshd-regen-keys_0.1.bb            |  7 +++++--
>   3 files changed, 25 insertions(+), 3 deletions(-)
>   create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> 
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> index 3b8231f..a05e1a9 100644
> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service
> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc
>   Type=oneshot
>   RemainAfterExit=yes
>   Environment=DEBIAN_FRONTEND=noninteractive
> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server"
> +ExecStart=/usr/sbin/sshd-regen-keys.sh
>   ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service
>   StandardOutput=syslog
>   StandardError=syslog
> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> new file mode 100644
> index 0000000..294e8fa
> --- /dev/null
> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh
> @@ -0,0 +1,19 @@
> +#!/usr/bin/env sh
> +
> +echo -n "SSH server is "
> +if systemctl is-enabled ssh; then
> +    SSHD_ENABLED="true"
> +    systemctl disable --no-reload ssh
> +fi
> +
> +echo "Removing keys ..."
> +rm -v /etc/ssh/ssh_host_*_key*
> +
> +echo "Regenerating keys ..."
> +dpkg-reconfigure openssh-server

Since this is part of 'meta', does it make sense to make the package 
name+service file name configurable from the bitbake configuration or is 
that too much trouble.

> +
> +if test -n $SSHD_ENABLED; then
> +    echo "Reenabling ssh server ..."
> +    systemctl enable --no-reload ssh
> +    systemctl start --no-block ssh

Should the service be stopped before? Or in other words: Does it make 
sense to differentiate between sshd enabled and started in this script?

So apart from those minor nitpicks/questions, LGTM.

Kind regards,
Claudius

> +fi
> diff --git a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> index 02e9e25..6f12414 100644
> --- a/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> +++ b/meta/recipes-support/sshd-regen-keys/sshd-regen-keys_0.1.bb
> @@ -6,9 +6,12 @@ MAINTAINER = "isar-users <isar-users@googlegroups.com>"
>   DEBIAN_DEPENDS = "openssh-server, systemd"
>   
>   SRC_URI = "file://postinst \
> -           file://sshd-regen-keys.service"
> +           file://sshd-regen-keys.service \
> +           file://sshd-regen-keys.sh"
>   
> +do_install[cleandirs] = "${D}/lib/systemd/system \
> +                         ${D}/usr/sbin"
>   do_install() {
> -    install -v -d -m 755 "${D}/lib/systemd/system"
>       install -v -m 644 "${WORKDIR}/sshd-regen-keys.service" "${D}/lib/systemd/system/sshd-regen-keys.service"
> +    install -v -m 755 "${WORKDIR}/sshd-regen-keys.sh" "${D}/usr/sbin/sshd-regen-keys.sh"
>   }
> 

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de