On Tue, Apr 6, 2021 at 9:19 AM Martin Jansa <[email protected]> wrote:
>
> On Tue, Apr 06, 2021 at 08:58:13AM -0400, Bruce Ashfield wrote:
> > On Sat, Apr 3, 2021 at 3:51 PM Martin Jansa <[email protected]> wrote:
> > >
> > > * PNBLACKLISTs are IMHO a bit easier to read and easier to override from
> > >   distro which e.g. provides own recipe for libseccomp
> >
> > Thanks Martin,
> >
> > I'm trying to decide if I should just give up and make meta-security a
> > hard/full layer dependency. More and more of the container components
> > just don't work if we don't have seccomp enabled.
>
> Agreed, but Armin also mentioned that he plans to send libseccomp to
> meta-oe, so this PNBLACKLIST change should be only temporary until that
> happens.
>
Thanks for the detailed description, it helps me understand how things
are being used and gives me things to check before merging potential
breakages.

As it turns out, there was a yocto meeting today and where libseccomp
lives came up. There seems to be a consensus that it should end up in
oe-core (and at the very least meta-oe), so this will work itself out
over time.

So I went ahead and merged everything as-is, since we might as well keep
the optional meta-security dependency for now, and revisit with
libseccomp moves.

> And I can imagine some people pulling libseccomp to their layer already
> (instead of adding whole meta-security) and then being able to simply
> set PNBLACKLIST to empty for these recipes would be much easier than
> undoing the anonymous python (which is imho impossible without
> overlaying whole recipe except the function).

Agreed.

>
> > But I agree that the blacklist technique is easier to read than the
> > proliferating anonymous python. I'll merge it while I ponder the above
> > question.
> >
> > On that topic, would adding meta-security as a layer dependency cause
> > any issues in your setup/distros/builds ?
>
> I wouldn't call it my setup anymore, but I'm just going through
> PNBLACKLISTs used in webOS OSE:
> https://github.com/webosose/meta-webosose/blob/master/meta-webos/conf/distro/include/webos-recipe-blacklist.inc
> https://github.com/webosose/meta-webosose/blob/master/meta-webos-virtualization/conf/layer.conf#L19
>
> and fixing some of them or moving them to the layer where the issue is
> introduced.

Aha!
>
> In webOS OSE setup this libseccomp issue is kind of special, because it
> already includes meta-security layer, but BBMASKs all its content except
> smack recipes which are actively used:
> https://github.com/webosose/meta-webosose/blob/master/meta-webos-smack/conf/layer.conf#L10
> so these 3-4 PNBLACKLISTs will need to stay in OSE anyway even with the
> conditional on security-layer, I'll just move it to meta-webos-smack
> where the BBMASK is being set:
> https://github.com/shr-project/meta-webosose/commit/430589dbae6c8616d69692e65a3da40d2b192277
> at least until libseccomp is in meta-oe and I'll be able to drop this as
> well.
>
> And who knows when LGE will update webOS OSE from currently used dunfell
> release, so whatever you decide in meta-virtualization is fine with me
> :).

Gotcha. Again, thanks for the detailed explanation.

Bruce

> > Cheers, > > > > Signed-off-by: Martin Jansa <[email protected]> > > > --- > > > recipes-containers/cri-o/cri-o_git.bb | 16 +--------------- > > > recipes-containers/podman/podman_git.bb | 10 +--------- > > > .../packagegroups/packagegroup-container.bb | 10 +--------- > > > 3 files changed, 3 insertions(+), 33 deletions(-) > > > > > > diff --git a/recipes-containers/cri-o/cri-o_git.bb > > > b/recipes-containers/cri-o/cri-o_git.bb > > > index 2d6187a..0ac5ddc 100644 > > > --- a/recipes-containers/cri-o/cri-o_git.bb > > > +++ b/recipes-containers/cri-o/cri-o_git.bb 
> > > @@ -43,21 +43,7 @@ RDEPENDS_${PN} = " \ > > > libdevmapper \ > > > " > > > > > > -python __anonymous() { > > > - msg = "" > > > - # ERROR: Nothing PROVIDES 'libseccomp' (but > > > /buildarea/layers/meta-virtualization/recipes-containers/cri-o/cri-o_git.bb > > > DEPENDS on or otherwise requires it). > > > - # ERROR: Required build target 'meta-world-pkgdata' has no buildable > > > providers. > > > - # Missing or unbuildable dependency chain was: > > > ['meta-world-pkgdata', 'cri-o', 'libseccomp'] > > > - if 'security' not in d.getVar('BBFILE_COLLECTIONS').split(): > > > - msg += "Make sure meta-security should be present as it provides > > > 'libseccomp'" > > > - raise bb.parse.SkipRecipe(msg) > > > - # ERROR: Nothing PROVIDES 'libselinux' (but > > > /buildarea/layers/meta-virtualization/recipes-containers/cri-o/cri-o_git.bb > > > DEPENDS on or otherwise requires it). > > > - # ERROR: Required build target 'meta-world-pkgdata' has no buildable > > > providers. > > > - # Missing or unbuildable dependency chain was: > > > ['meta-world-pkgdata', 'cri-o', 'libselinux'] > > > - elif 'selinux' not in d.getVar('BBFILE_COLLECTIONS').split(): > > > - msg += "Make sure meta-selinux should be present as it provides > > > 'libselinux'" > > > - raise bb.parse.SkipRecipe(msg) > > > -} > > > +PNBLACKLIST[cri-o] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', > > > 'security', bb.utils.contains('BBFILE_COLLECTIONS', 'selinux', '', > > > 'Depends on libselinux from meta-selinux which is not included', d), > > > 'Depends on libseccomp from meta-security which is not included', d)}" > > > > > > PACKAGES =+ "${PN}-config" > > > > > > diff --git a/recipes-containers/podman/podman_git.bb > > > b/recipes-containers/podman/podman_git.bb > > > index a552a7f..62ae024 100644 > > > --- a/recipes-containers/podman/podman_git.bb > > > +++ b/recipes-containers/podman/podman_git.bb 
> > > @@ -14,15 +14,7 @@ DEPENDS = " \ > > > ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \ > > > " > > > > > > -python __anonymous() { > > > - msg = "" > > > - # ERROR: Nothing PROVIDES 'libseccomp' (but > > > meta-virtualization/recipes-containers/podman/ DEPENDS on or otherwise > > > requires it). > > > - # ERROR: Required build target 'meta-world-pkgdata' has no buildable > > > providers. > > > - # Missing or unbuildable dependency chain was: > > > ['meta-world-pkgdata', 'podman', 'libseccomp'] > > > - if 'security' not in d.getVar('BBFILE_COLLECTIONS').split(): > > > - msg += "Make sure meta-security should be present as it provides > > > 'libseccomp'" > > > - raise bb.parse.SkipRecipe(msg) > > > -} > > > +PNBLACKLIST[podman] ?= "${@bb.utils.contains('BBFILE_COLLECTIONS', > > > 'security', '', 'Depends on libseccomp from meta-security which is not > > > included', d)}" > > > > > > SRCREV = "288fb688964cb7fc7086d0728daa1f5f6b726dd6" > > > SRC_URI = " \ > > > diff --git a/recipes-core/packagegroups/packagegroup-container.bb > > > b/recipes-core/packagegroups/packagegroup-container.bb > > > index b3b0d4c..b06a7c7 100644 > > > --- a/recipes-core/packagegroups/packagegroup-container.bb > > > +++ b/recipes-core/packagegroups/packagegroup-container.bb 
> > > @@ -44,12 +44,4 @@ RDEPENDS_packagegroup-containerd = " \ > > > virtual/containerd \ > > > " > > > > > > -python __anonymous() { > > > - msg = "" > > > - # ERROR: Nothing PROVIDES 'libseccomp' (but > > > meta-virtualization/recipes-containers/podman/ DEPENDS on or otherwise > > > requires it). > > > - # ERROR: Required build target 'meta-world-pkgdata' has no buildable > > > providers. > > > - # Missing or unbuildable dependency chain was: > > > ['meta-world-pkgdata', 'podman', 'libseccomp'] > > > - if 'security' not in d.getVar('BBFILE_COLLECTIONS').split(): > > > - msg += "Make sure meta-security should be present as it provides > > > 'libseccomp'" > > > - raise bb.parse.SkipRecipe(msg) > > > -} > > > +PNBLACKLIST[packagegroup-container] ?= > > > "${@bb.utils.contains('BBFILE_COLLECTIONS', 'security', '', 'Depends on > > > podman which depends on libseccomp from meta-security which is not > > > included', d)}" > > > -- > > > 2.30.2 > > > > > > > > > > > > > > > > > > -- > > - Thou shalt not follow the NULL pointer, for chaos and madness await > > thee at its end > > - "Use the force Harry" - Gandalf, Star Trek II -- - Thou shalt not follow the NULL pointer, for chaos and madness await thee at its end - "Use the force Harry" - Gandalf, Star Trek II
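
Review bot: In recipes-containers/cri-o/cri-o_git.bb, the nested bb.utils.contains() on the new PNBLACKLIST[cri-o] line can report only one reason at a time. When neither 'security' nor 'selinux' is in BBFILE_COLLECTIONS the user sees just the libseccomp message and learns about libselinux only after adding meta-security and parsing again. The removed if/elif had the same limitation, so this is not a regression, but since the line is being rewritten it would be worth producing a reason that names both missing layers. The removed comments were also the only record in the recipe of the "Nothing PROVIDES" errors this guards against; a one-line comment above the assignment would keep that context.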
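
Review bot: In recipes-containers/podman/podman_git.bb, the condition on the PNBLACKLIST[podman] line tests for the 'security' collection in BBFILE_COLLECTIONS, not for an actual libseccomp provider. As described in this thread, a setup that includes meta-security but BBMASKs its libseccomp recipe passes the check and is left with the unresolved dependency, while a setup that provides libseccomp from its own layer is blacklisted until it overrides the variable. The ?= makes that override possible; please add a comment next to the line saying that a distro with its own libseccomp recipe is expected to set PNBLACKLIST[podman] to empty, so the escape hatch is documented in the recipe and not only in the list archive.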
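
Review bot: In recipes-core/packagegroups/packagegroup-container.bb, PNBLACKLIST[packagegroup-container] skips the whole recipe although the reason text names only podman, and the context line RDEPENDS_packagegroup-containerd shows the recipe also defines a packagegroup whose visible dependency is virtual/containerd. Without meta-security that packagegroup is lost as well. The removed SkipRecipe behaved the same way, so nothing changes here, but consider making only the podman packagegroup conditional on the 'security' collection. Anyone who clears PNBLACKLIST[podman] also has to clear this entry; a comment linking the two would save a debugging round.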
