Subject: Re: [PATCH] sshd-regen-keys: Fix sshd deadlock on boot
To: Harald Seiler , isar-users@googlegroups.com
References: <1544691418.2560.7.camel@denx.de> <1544694484.2560.15.camel@denx.de>
From: Claudius Heine Message-ID: Date: Thu, 13 Dec 2018 11:03:40 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <1544694484.2560.15.camel@denx.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-TUID: xSikp7a/n3GD Hi, On 13/12/2018 10.48, Harald Seiler wrote: > Hello Claudius, > > On Thu, 2018-12-13 at 10:41 +0100, Claudius Heine wrote: >> Hi Harald, >> >> On 13/12/2018 09.56, Harald Seiler wrote: >>> Currently, when sshd-regen-keys runs dpkg-reconfigure, this >>> will lead to a call to `systemctl restart ssh`. This call blocks >>> forever because of course the sshd-regen-keys unit, which is a >>> dependency of sshd, hasn't finished at this point and can't do so >>> because it is waiting as well. >>> >>> To circumvent this deadlock, this commit changes sshd-regen-keys' >>> behavior so sshd is first disabled and only reenabled after the >>> job is done. >>> >>> Signed-off-by: Harald Seiler >>> --- >>> .../sshd-regen-keys/files/sshd-regen-keys.service | 2 +- >>> .../sshd-regen-keys/files/sshd-regen-keys.sh | 19 +++++++++++++++++++ >>> .../sshd-regen-keys/sshd-regen-keys_0.1.bb | 7 +++++-- >>> 3 files changed, 25 insertions(+), 3 deletions(-) >>> create mode 100644 meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh >>> >>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >>> index 3b8231f..a05e1a9 100644 >>> --- a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service >>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.service 
>>> @@ -10,7 +10,7 @@ ConditionPathIsReadWrite=/etc >>> Type=oneshot >>> RemainAfterExit=yes >>> Environment=DEBIAN_FRONTEND=noninteractive >>> -ExecStart=/bin/sh -c "rm -v /etc/ssh/ssh_host_*_key*; dpkg-reconfigure openssh-server" >>> +ExecStart=/usr/sbin/sshd-regen-keys.sh >>> ExecStartPost=-/bin/systemctl disable sshd-regen-keys.service >>> StandardOutput=syslog >>> StandardError=syslog >>> diff --git a/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh >>> new file mode 100644 >>> index 0000000..294e8fa >>> --- /dev/null >>> +++ b/meta/recipes-support/sshd-regen-keys/files/sshd-regen-keys.sh 
>>> @@ -0,0 +1,19 @@ >>> +#!/usr/bin/env sh >>> + >>> +echo -n "SSH server is " >>> +if systemctl is-enabled ssh; then >>> + SSHD_ENABLED="true" >>> + systemctl disable --no-reload ssh >>> +fi >>> + >>> +echo "Removing keys ..." >>> +rm -v /etc/ssh/ssh_host_*_key* >>> + >>> +echo "Regenerating keys ..." >>> +dpkg-reconfigure openssh-server >> >> Since this is part of 'meta', does it make sense to make the package >> name+service file name configurable from the bitbake configuration or is >> that too much trouble. >> > > I don't quite understand what you mean, can you please > elaborate on that? Basically if those names should be configurable from the isar distro/multiconfig etc. E.g. what happens if I decided to use some openssh replacement or a different/future debian based distribution? IIUC ideally `meta` should be distribution independent. So if that is wanted then we would need to create those files via some template mechanism, e.g. envsubst or just sed. But since sshd-regen-keys already depends on those elsewhere, that point might just be out of scope of this patch. So I let you decide. :) > >>> + >>> +if test -n $SSHD_ENABLED; then >>> + echo "Reenabling ssh server ..." >>> + systemctl enable --no-reload ssh >>> + systemctl start --no-block ssh >> >> Should the service be stopped before? Or in other words: Does it make >> sense to differentiate between sshd enabled and started in this script? > > ssh.service is guaranteed to be stopped because it requires > sshd-regen-keys.service to be done before starting. Ok. Make sense. Then its impossible or very difficult to figure out if sshd was started but disabled before your script was entered (in which case you would have to start it but not enable it). Claudius -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-54 Fax: (+49)-8142-66989-80 Email: ch@denx.de
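Review bot: In the sshd-regen-keys.service hunk, `ExecStart=/usr/sbin/sshd-regen-keys.sh` depends on the recipe installing the new script at exactly that path with the executable bit set, but the sshd-regen-keys_0.1.bb hunk (7 changed lines in the diffstat) is not quoted in this reply, so neither the install path nor the mode can be checked from what is visible here; please confirm the recipe installs it to /usr/sbin with mode 0755. The script's `#!/usr/bin/env sh` shebang is also unusual for a unit that runs this early in boot; a fixed `#!/bin/sh` avoids a PATH lookup before the system is fully up.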
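Review bot: In the sshd-regen-keys.sh hunk, `if test -n $SSHD_ENABLED; then` leaves the variable unquoted, so when ssh was not enabled the expansion is empty and the command becomes `test -n`, which succeeds (a one-argument `test` is true for any non-empty string, here the literal `-n`); the branch then runs `systemctl enable --no-reload ssh` for a server that was deliberately disabled before the script ran. Quote the expansion, `if test -n "$SSHD_ENABLED"; then`, or compare explicitly with `[ "$SSHD_ENABLED" = true ]`. Two smaller points in the same hunk: `echo -n` is not portable under a plain `sh` shebang (POSIX leaves `-n` implementation-defined; `printf '%s' "SSH server is "` is the safe form), and there is no `set -e` or exit trap, so a failing `dpkg-reconfigure openssh-server` still reaches the re-enable step with whatever keys exist, while a script killed between the `systemctl disable` and `systemctl enable` lines leaves ssh disabled on the next boot with nothing recording why; a `trap` on EXIT that restores the saved enabled state covers both cases.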