Thanks for the review. I have addressed them in the v2 that has been sent.

/Peter

On 2022-09-05 18:15, Peter Kjellerstedt wrote:
-----Original Message-----
From: [email protected] 
<[email protected]> On Behalf Of Peter Bergin
Sent: den 5 september 2022 16:23
To: [email protected]
Cc: Peter Bergin <[email protected]>
Subject: [OE-core] [PATCH] rootfs-postcommands.bbclass: avoid moving ssh host keys if etc is writable

When using IMAGE_FEATURE read-only-rootfs ssh host keys are moved to volatile
storage. If the feature overlayfs-etc is used in addition to read-only-rootfs
/etc is writable and the move is not wanted. But in the case also the
IMAGE_FEATURE stateless-roots is used the keys will be moved as storage of keys
should not be wanted in a stateless-rootfs.

Correct "stateless-roots" to "stateless-rootfs".

This change only takes effect in the case IMAGE_FEATURE contains read-only-rootfs.
In addition the following cases are handled:

   IMAGE_FEATURES = "read-only-rootfs" --> ssh keys/config handled as ro root
   IMAGE_FEATURES = "read-only-rootfs overlayfs-etc" --> ssh keys/config handled as rw root
   IMAGE_FEATURES = "read-only-rootfs stateless-rootfs" --> ssh keys/config handled as ro root
   IMAGE_FEATURES = "read-only-rootfs overlayfs-etc stateless-rootfs" --> ssh keys/config handled as ro root

Signed-off-by: Peter Bergin <[email protected]>
---
  .../rootfs-postcommands.bbclass               | 32 +++++++++++--------
  1 file changed, 18 insertions(+), 14 deletions(-)

diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass 
b/meta/classes-recipe/rootfs-postcommands.bbclass
index 215e38e33d..367fe07c09 100644
--- a/meta/classes-recipe/rootfs-postcommands.bbclass
+++ b/meta/classes-recipe/rootfs-postcommands.bbclass
@@ -22,7 +22,7 @@ ROOTFS_POSTPROCESS_COMMAND += 
'${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
  # Create /etc/timestamp during image construction to give a reasonably sane 
default time setting
  ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp; "

-# Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is 
enabled
+# Tweak files in /etc if read-only-rootfs is enabled
  ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", 
"read_only_rootfs_hook; ", "",d)}'

  # We also need to do the same for the kernel boot parameters,
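Review bot: the reworded comment "# Tweak files in /etc if read-only-rootfs is enabled" drops the one concrete thing the old comment documented, the fstab mount-option tweak, even though this hunk does not remove that behaviour from read_only_rootfs_hook. Consider keeping the mention, e.g. "# Tweak /etc/fstab mount options and other files in /etc if read-only-rootfs is enabled", so the hook's main side effect stays discoverable from the top of the file.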
@@ -111,21 +111,25 @@ read_only_rootfs_hook () {
        # If we're using openssh and the /etc/ssh directory has no 
pre-generated keys,
        # we should configure openssh to use the configuration file 
/etc/ssh/sshd_config_readonly
        # and the keys under /var/run/ssh.
-       if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
-               if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
-                       echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> 
${IMAGE_ROOTFS}/etc/default/ssh
-                       echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
-               else
-                       echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> 
${IMAGE_ROOTFS}/etc/default/ssh
-                       echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+       # If overlayfs-etc is used this is not done as /etc is treated as 
writable
+       # If stateless-rootfs is enabled this is always done as we don't want 
to save keys then
+       if ${@ 'false;' if bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', 
True, False, d) and not bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', 
True, False, d) else 'true;'} then
It is easier to understand the combined if statement if the
conditions of the inner if statements are true when the
conditions of the outer if statement shall be true. Also,
the ";" belongs outside the ${@...}:

        if ${@ 'true' if not bb.utils.contains('IMAGE_FEATURES', 'overlayfs-etc', True, False, d) or bb.utils.contains('IMAGE_FEATURES', 'stateless-rootfs', True, False, d) else 'false'}; then

+           if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
Correct the indentation here and below. Indentation of shell
code in OE Core is done using tabs.

+                   if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
+                           echo "SYSCONFDIR=\${SYSCONFDIR:-/etc/ssh}" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+                           echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
+                   else
+                           echo "SYSCONFDIR=\${SYSCONFDIR:-/var/run/ssh}" >> 
${IMAGE_ROOTFS}/etc/default/ssh
+                           echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" 
>> ${IMAGE_ROOTFS}/etc/default/ssh
+                   fi
                fi
-       fi

-       # Also tweak the key location for dropbear in the same way.
-       if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
-               if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; 
then
-                       echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> 
${IMAGE_ROOTFS}/etc/default/dropbear
-               fi
+           # Also tweak the key location for dropbear in the same way.
+           if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
+                   if [ ! -e 
${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
+                           echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> 
${IMAGE_ROOTFS}/etc/default/dropbear
+                   fi
+           fi
        fi

        if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", 
d)}; then
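Review bot: the new overlayfs-etc/stateless-rootfs gate wraps not only the openssh block but also the "# Also tweak the key location for dropbear in the same way." block, yet neither the commit message nor the two new comment lines above the condition mention dropbear. State it explicitly (e.g. in the subject: "avoid moving openssh and dropbear host keys if /etc is writable") so the changed behaviour for dropbear images with overlayfs-etc is not a surprise to readers of the log.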
--
2.34.1
//Peter
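An added example, not code from the patch, the review, or OE-core: it models the feature test as written in the patch and in the reviewer's inverted form, and checks both against the four IMAGE_FEATURES cases listed in the commit message. The `contains` function is a stand-in for `bb.utils.contains` that works on a plain dict instead of a BitBake datastore.

```python
# Added example (not from the patch or OE-core). `contains` mimics
# bb.utils.contains(variable, checkvalues, truevalue, falsevalue, d) on a dict.
def contains(variable, checkvalues, truevalue, falsevalue, d):
    """Return truevalue if every word in checkvalues occurs in d[variable]."""
    features = set(d.get(variable, "").split())
    return truevalue if set(checkvalues.split()) <= features else falsevalue


def move_keys_patch_form(d):
    """Condition as written in the patch: 'false' when overlayfs-etc is set
    and stateless-rootfs is not, 'true' otherwise."""
    return ("false"
            if contains("IMAGE_FEATURES", "overlayfs-etc", True, False, d)
            and not contains("IMAGE_FEATURES", "stateless-rootfs", True, False, d)
            else "true")


def move_keys_review_form(d):
    """Condition as suggested in the review: the tests are true exactly when
    the keys are to be moved, so no double negation is needed."""
    return ("true"
            if not contains("IMAGE_FEATURES", "overlayfs-etc", True, False, d)
            or contains("IMAGE_FEATURES", "stateless-rootfs", True, False, d)
            else "false")


def ssh_keys_handling(image_features):
    """Return 'ro' (host keys moved to volatile storage) or 'rw' (left in
    /etc), mirroring the table in the commit message. The hook only runs when
    read-only-rootfs is set, so other feature sets return 'untouched'."""
    d = {"IMAGE_FEATURES": image_features}
    if not contains("IMAGE_FEATURES", "read-only-rootfs", True, False, d):
        return "untouched"
    patch, review = move_keys_patch_form(d), move_keys_review_form(d)
    # Both spellings of the condition must agree for every feature set.
    assert patch == review, "the two spellings of the condition disagree"
    return "ro" if patch == "true" else "rw"


if __name__ == "__main__":
    for feats in ("read-only-rootfs",
                  "read-only-rootfs overlayfs-etc",
                  "read-only-rootfs stateless-rootfs",
                  "read-only-rootfs overlayfs-etc stateless-rootfs"):
        print(f"IMAGE_FEATURES = {feats!r:52} -> {ssh_keys_handling(feats)}")
```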
