[OE-core] [PATCH RESEND 1/3] openssh: Package server configuration

Peter Kjellerstedt peter.kjellerstedt at axis.com
Fri Jun 9 09:41:25 UTC 2017


> -----Original Message-----
> From: openembedded-core-bounces at lists.openembedded.org
> [mailto:openembedded-core-bounces at lists.openembedded.org] On Behalf Of
> David Vincent
> Sent: den 9 juni 2017 09:04
> To: openembedded-core at lists.openembedded.org
> Subject: [OE-core] [PATCH RESEND 1/3] openssh: Package server
> configuration
> 
> Split sshd configuration for read-write/read-only rootfs in two
> distinct
> packages. Also, add a package dependency between openssh-sshd package
> and a provider of sshd-config.
> 
> Signed-off-by: David Vincent <freesilicon at gmail.com>
> ---
>  meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51
> ++++++++++++++++++----
>  1 file changed, 42 insertions(+), 9 deletions(-)
> 
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> index 5b96745aae..e22e6c672d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> @@ -91,13 +91,17 @@ do_compile_ptest() {
>  }
> 
>  do_install_append () {
> -	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
> +	# Create default config files
> +	install -m 0644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_default
> +	rm -f ${D}${sysconfdir}/ssh/sshd_config
> +
> +	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
>  		install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
> -		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
> +		sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config_default
>  	fi
> 
> -	if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
> -		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
> +	if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
> +		sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config_default
>  	fi

Instead of all the changes above you could just do this here instead:

	mv ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_default

>  	install -d ${D}${sysconfdir}/init.d
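Review bot: The two `sed -i` substitutions that now target `sshd_config_default` exit successfully even when the pattern matches nothing, so if the upstream file ever stops containing the exact text `#UsePAM no` or `#X11Forwarding no`, the packaged configuration silently keeps the upstream setting while `/etc/pam.d/sshd` is still installed. Since this file becomes the source for both configuration packages, a check after each edit would turn that into a build failure, for example `grep -q '^UsePAM yes' ${D}${sysconfdir}/ssh/sshd_config_default || bbfatal "UsePAM not enabled in sshd_config_default"`. The body of `do_install_append` continues outside this hunk.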
> @@ -110,7 +114,7 @@ do_install_append () {
> 
>  	# Create config files for read-only rootfs
>  	install -d ${D}${sysconfdir}/ssh

Creating the directory here again is unnecessary.

> -	install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
> +	install -m 644 ${D}${sysconfdir}/ssh/sshd_config_default ${D}${sysconfdir}/ssh/sshd_config_readonly
>  	sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
>  	echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
>  	echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> @@ -134,30 +138,59 @@ do_install_ptest () {
> 
>  ALLOW_EMPTY_${PN} = "1"
> 
> -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd-config ${PN}-sshd-config-readonly ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
>  FILES_${PN}-scp = "${bindir}/scp.${BPN}"
>  FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> +FILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> +FILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
>  FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
> -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
> +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
>  FILES_${PN}-sftp = "${bindir}/sftp"
>  FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
>  FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
>  FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> 
>  RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> -RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
> +RDEPENDS_${PN}-sshd += "${PN}-keygen sshd-config ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
>  RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make"
> 
>  RPROVIDES_${PN}-ssh = "ssh"
> +RPROVIDES_${PN}-sshd-config = "sshd-config"
> +RPROVIDES_${PN}-sshd-config-readonly = "sshd-config"
>  RPROVIDES_${PN}-sshd = "sshd"
> 
>  RCONFLICTS_${PN} = "dropbear"
> +RCONFLICTS_${PN}-sshd-config = "${PN}-sshd-config-readonly"
> +RCONFLICTS_${PN}-sshd-config-readonly = "${PN}-sshd-config"
>  RCONFLICTS_${PN}-sshd = "dropbear"
>  RCONFLICTS_${PN}-keygen = "ssh-keygen"
> 
> -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> +CONFFILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> +CONFFILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
>  CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> 
> +pkg_postinst_${PN}-sshd-config () {
> +#!/bin/sh
> +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> +    rm $D${sysconfdir}/ssh/sshd_config
> +fi
> +
> +# Make sure destination directory exists, before creating the symlink
> +mkdir -p $D${sysconfdir}/ssh
> +ln -s sshd_config_default $D${sysconfdir}/ssh/sshd_config
> +}
> +
> +pkg_postinst_${PN}-sshd-config-readonly () {
> +#!/bin/sh
> +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> +    rm $D${sysconfdir}/ssh/sshd_config
> +fi
> +
> +# Make sure destination directory exists, before creating the symlink
> +mkdir -p $D${sysconfdir}/ssh
> +ln -s sshd_config_readonly $D${sysconfdir}/ssh/sshd_config
> +}
> +

I do not like changing /etc/ssh/sshd_config to be a link. I know at least 
we have our own rootfs-postcommands that will be affected by such a change.

How about using a PACKAGESPLITFUNCS function instead, and moving the files 
back into place before they are packaged, so that both configuration 
packages contain the /etc/ssh/sshd_config file?

Something like this should work (totally untested):

PACKAGESPLITFUNCS += "restore_sshd_config"

restore_sshd_config() {
	for file in ${PKGDEST}/*${sysconfdir}/sshd/sshd_config_*; do
		mv $file ${file%_*}
	done
}

>  ALTERNATIVE_PRIORITY = "90"
>  ALTERNATIVE_${PN}-scp = "scp"
>  ALTERNATIVE_${PN}-ssh = "ssh"
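Review bot: Both `pkg_postinst` bodies guard the removal with `[ -e $D${sysconfdir}/ssh/sshd_config ]`, which follows symlinks, so a dangling link is not removed and the following `ln -s` then fails with "File exists". That would presumably happen when the conflicting configuration package and its target file are removed first. Replacing the test with an unconditional `rm -f $D${sysconfdir}/ssh/sshd_config` before the link, or using `ln -sf`, covers that case. Separately, the removal discards a locally edited regular `sshd_config` on upgrade. That path was the `CONFFILES` entry of `${PN}-sshd` before this change, so site hardening such as disabled password or root login would silently revert to the packaged defaults; keeping a backup or skipping the link when a regular file is present would avoid that. No `pkg_postrm` is visible in the hunk to remove the link when the configuration package is uninstalled.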
> --
> 2.13.0

//Peter



