Subject: Re: [PATCH v1] isar-bootstrap: Run gpg-agent before starting apt-key
To: Baurzhan Ismagulov, isar-users@googlegroups.com
From: Jan Kiszka
Date: Wed, 16 Dec 2020 17:41:38 +0100

On 16.12.20 16:53, Baurzhan Ismagulov wrote:
> From: Yuri Adamov
>
> Building rpi-stretch natively (under qemu) sometimes fails with:
>
> gpg: can't connect to the agent: IPC connect call failed
>
> gpg starts gpg-agent and times out after 5 s. This value is hard-coded.

This is not limited to stretch or rpi. We were seeing this with buster
builds on our CI systems as well - likely when they were overloaded.

> Besides, leaving running gpg-agent processes is not clean and prevents
> unmounting of filesystems.
>
> This patch starts and stops the agent manually.
>
> Signed-off-by: Yuri Adamov
> ---
>
> Notes:
> * Submitting WIP for preview, as cleaning up will require testing time.
> * Remove sleeping.

Yep, that would be good.

> * Remove -9 in kill.
> * Maybe check if starting the agent is necessary.
> * Remove OVERRIDES_append and get_distro_needs_gpg_support() if unused.

Those last two points I was wondering about as well: Why do we need to make
it unconditional now? That should at least be explained - or fixed.

> > .../recipes-core/isar-bootstrap/isar-bootstrap.inc | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) > > diff --git a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > index 4925a45d..74569e5d 100644 > --- a/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > +++ b/meta/recipes-core/isar-bootstrap/isar-bootstrap.inc > @@ -24,7 +24,7 @@ DISTRO_BOOTSTRAP_KEYFILES = "" > THIRD_PARTY_APT_KEYFILES = "" > DEPLOY_ISAR_BOOTSTRAP ?= "" > DISTRO_BOOTSTRAP_BASE_PACKAGES = "locales" > -DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg = ",gnupg" > +DISTRO_BOOTSTRAP_BASE_PACKAGES_append = ",gnupg" > DISTRO_BOOTSTRAP_BASE_PACKAGES_append_https-support = "${@https_support(d)}" > > inherit deb-dl-dir
> @@ -307,14 +307,24 @@ isar_bootstrap() { > mkdir -p "${ROOTFSDIR}/etc/apt/apt.conf.d" > install -v -m644 "${WORKDIR}/isar-apt.conf" \ > "${ROOTFSDIR}/etc/apt/apt.conf.d/50isar.conf" > + MY_GPGHOME=$(chroot "${ROOTFSDIR}" mktemp -d /tmp/gpghomeXXXXXXXXXX) > + echo "Created temporary directory ${MY_GPGHOME} for gpg-agent" > + chroot "${ROOTFSDIR}" gpg-agent --homedir "${MY_GPGHOME}" --daemon > find ${APT_KEYS_DIR}/ -type f | while read keyfile > do > kfn="$(basename $keyfile)" > cp $keyfile "${ROOTFSDIR}/tmp/$kfn" > chroot "${ROOTFSDIR}" /usr/bin/apt-key \ > - --keyring ${THIRD_PARTY_APT_KEYRING} add "/tmp/$kfn" > + --keyring ${THIRD_PARTY_APT_KEYRING} \ > + --homedir ${MY_GPGHOME} add "/tmp/$kfn" > rm "${ROOTFSDIR}/tmp/$kfn" > done > + sleep 4 > + GPG_AGENT_PID=$(ps -aux | grep "gpg-agent.*${MY_GPGHOME}" | grep -v grep | awk '{print $2}') > + echo "Killing gpg-agent with pid $GPG_AGENT_PID" > + /bin/kill -9 ${GPG_AGENT_PID} > + sleep 4 > + chroot "${ROOTFSDIR}" /bin/rm -rf "${MY_GPGHOME}" > > if [ "${@get_distro_suite(d, True)}" = "stretch" ] && [ "${@get_host_release().split('.')[0]}" -lt "4" ]; then > install -v -m644 "${WORKDIR}/isar-apt-fallback.conf" \ >

I do like the approach of controlling gpg's lifecycle. As you said, some
cleanup is needed, but I'm all for going this direction.

Jan

--
Siemens AG, T RDA IOT
Corporate Competence Center Embedded Linux
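
Review bot: In the first hunk (@@ -24,7 +24,7 @@), replacing `DISTRO_BOOTSTRAP_BASE_PACKAGES_append_gnupg` with a plain `DISTRO_BOOTSTRAP_BASE_PACKAGES_append` pulls gnupg into every bootstrap, and neither the commit message nor a comment says why the `gnupg` override can no longer gate it. Either keep the override so gnupg is only added where the distro needs it, or give the reason in the commit message and remove the then-unused `OVERRIDES_append` and `get_distro_needs_gpg_support()` in the same patch, as the Notes section already anticipates. Otherwise dead conditional logic stays behind and the bootstrap package set grows without a stated reason.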
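
Review bot: In the second hunk (isar_bootstrap(), @@ -307,14 +307,24 @@), the agent's PID is recovered by grepping host-wide `ps -aux` output for `gpg-agent.*${MY_GPGHOME}` and handed unchecked to `/bin/kill -9 ${GPG_AGENT_PID}`. If the agent has already exited, the variable is empty and `kill` is called without a PID; if the pattern matches more than one process, every match gets SIGKILL, and SIGKILL gives the agent no chance to shut down cleanly. Ask the agent to terminate through its own interface instead, for example `gpgconf --kill gpg-agent` run in the chroot against the same home directory, and wait for it to exit rather than relying on the two fixed `sleep 4` calls. Nothing stops the agent when a step between `gpg-agent ... --daemon` and the kill fails, so the unmount problem named in the commit message can still occur on the error path; a cleanup handler that stops the agent and removes `${MY_GPGHOME}` would cover that. `${MY_GPGHOME}` is also unquoted in the `apt-key` call, unlike in the `gpg-agent` and `rm -rf` lines.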