Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to developers, but it results primarily in an image which root can login remotely without a password. This is incredibly useful for local development and testing purposes, but we really want to be explicit that this is what is happening instead of hiding it behind a vague "debug tweaks" statement.
To preserve the eixsting behaviour, debug-tweaks should be replaced with these features: allow-empty-password empty-root-password allow-root-login post-install-logging Signed-off-by: Ross Burton <[email protected]> --- meta/classes-recipe/core-image.bbclass | 11 ++++++----- meta/classes-recipe/image.bbclass | 2 +- meta/classes-recipe/rootfs-postcommands.bbclass | 16 ++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-) diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass index 40fc15cb04f..4072e420c58 100644 --- a/meta/classes-recipe/core-image.bbclass +++ b/meta/classes-recipe/core-image.bbclass @@ -26,11 +26,6 @@ # - ssh-server-openssh - SSH server (openssh) # - hwcodecs - Install hardware acceleration codecs # - package-management - installs package management tools and preserves the package manager database -# - debug-tweaks - makes an image suitable for development, e.g. allowing passwordless root logins -# - empty-root-password -# - allow-empty-password -# - allow-root-login -# - post-install-logging # - serial-autologin-root - with 'empty-root-password': autologin 'root' on the serial console # - dev-pkgs - development packages (headers, etc.) for all installed packages in the rootfs # - dbg-pkgs - debug symbol packages for all installed packages in the rootfs @@ -43,6 +38,12 @@ # - stateless-rootfs - systemctl-native not run, image populated by systemd at runtime # - splash - bootup splash screen # +# Features for development purposes (previously part of debug-tweaks): +# - empty-root-password - the root user has no password set +# - allow-empty-password - users can have an empty password +# - allow-root-login - the root user can login +# - post-install-logging - log the output of postinstall scriptlets +# FEATURE_PACKAGES_weston = "packagegroup-core-weston" FEATURE_PACKAGES_x11 = "packagegroup-core-x11" FEATURE_PACKAGES_x11-base = "packagegroup-core-x11-base" diff --git a/meta/classes-recipe/image.bbclass b/meta/classes-recipe/image.bbclass index 00f1d58f237..eda3c6d0f38 100644 --- a/meta/classes-recipe/image.bbclass +++ b/meta/classes-recipe/image.bbclass @@ -40,7 +40,7 @@ INHIBIT_DEFAULT_DEPS = "1" # IMAGE_FEATURES may contain any available package group IMAGE_FEATURES ?= "" IMAGE_FEATURES[type] = "list" -IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs read-only-rootfs-delayed-postinsts stateless-rootfs empty-root-password allow-empty-password allow-root-login serial-autologin-root post-install-logging overlayfs-etc" +IMAGE_FEATURES[validitems] += "read-only-rootfs read-only-rootfs-delayed-postinsts stateless-rootfs empty-root-password allow-empty-password allow-root-login serial-autologin-root post-install-logging overlayfs-etc" # Generate companion debugfs? IMAGE_GEN_DEBUGFS ?= "0" diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index 5f4d67f93ca..50e77dca763 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -4,20 +4,20 @@ # SPDX-License-Identifier: MIT # -# Zap the root password if debug-tweaks and empty-root-password features are not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ",d)}' +# Zap the root password if empty-root-password feature is not enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' -# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password ", "",d)}' +# Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' -# Allow dropbear/openssh to accept root logins if debug-tweaks or allow-root-login is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-root-login' ], "ssh_allow_root_login ", "",d)}' +# Allow dropbear/openssh to accept root logins if allow-root-login is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-root-login", "ssh_allow_root_login ", "",d)}' # Autologin the root user on the serial console, if empty-root-password and serial-autologin-root are active ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", [ 'empty-root-password', 'serial-autologin-root' ], "serial_autologin_root ", "",d)}' -# Enable postinst logging if debug-tweaks or post-install-logging is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging ", "",d)}' +# Enable postinst logging if post-install-logging is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "post-install-logging", "postinst_enable_logging ", "",d)}' # Create /etc/timestamp during image construction to give a reasonably sane default time setting ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp " -- 2.34.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#206832): https://lists.openembedded.org/g/openembedded-core/message/206832 Mute This Topic: https://lists.openembedded.org/mt/109443911/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
