[OE-core] [PATCH] rootfs-postcommands.bbclass: break up read_only_rootfs_hook
Andre McCurdy
armccurdy at gmail.com
Tue Mar 26 18:03:39 UTC 2019
On Tue, Mar 26, 2019 at 9:44 AM Nick Rosbrook <rosbrookn at gmail.com> wrote:
>
> The function read_only_rootfs_hook makes changes to ssh, dropbear,
> fstab, and sysvinit configurations. Replace this function with
> four new functions for each component so that they can be removed
> from postprocess independently of each other.
Just curious... but why would you want to remove them? Is one of them
buggy in some way?
> Signed-off-by: Nick Rosbrook <rosbrookn at ainfosec.com>
> ---
> meta/classes/rootfs-postcommands.bbclass | 22 +++++++++++++++++-----
> 1 file changed, 17 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
> index bde58ad6cd..110f67e40d 100644
> --- a/meta/classes/rootfs-postcommands.bbclass
> +++ b/meta/classes/rootfs-postcommands.bbclass
> @@ -15,7 +15,16 @@ ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'deb
> ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp ; "
>
> # Tweak the mount options for rootfs in /etc/fstab if read-only-rootfs is enabled
> -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_rootfs_hook; ", "",d)}'
> +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_fstab; ", "",d)}'
> +
> +# Change the default sshd_config if read-only-rootfs is enabled
These comments describing the individual functions should perhaps be
moved to be next to the functions themselves.
> +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_sshd; ", "",d)}'
> +
> +# Change the default key locations for dropbear if read-only-rootfs is enabled
> +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_dropbear; ", "",d)}'
> +
> +# Tweaks for sysvinit if read-only-rootfs is enabled
> +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", "read_only_sysvinit; ", "",d)}'
>
> # We also need to do the same for the kernel boot parameters,
> # otherwise kernel or initramfs end up mounting the rootfs read/write
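Review bot: the four new ROOTFS_POSTPROCESS_COMMAND lines in this hunk repeat the identical `bb.utils.contains("IMAGE_FEATURES", "read-only-rootfs", ...)` guard, and the comment above the first one still only describes the /etc/fstab tweak. If the point is to let a layer drop one step via ROOTFS_POSTPROCESS_COMMAND_remove (the commit message says "independently" but does not spell this out), state that in the commit message; otherwise a single contains() call appending "read_only_fstab; read_only_sshd; read_only_dropbear; read_only_sysvinit; " keeps the condition in one place and is easier to keep consistent.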
> @@ -86,15 +95,14 @@ systemd_create_users () {
> done
> }
>
> -#
> -# A hook function to support read-only-rootfs IMAGE_FEATURES
> -#
> -read_only_rootfs_hook () {
> +read_only_fstab () {
> # Tweak the mount option and fs_passno for rootfs in fstab
> if [ -f ${IMAGE_ROOTFS}/etc/fstab ]; then
> sed -i -e '/^[#[:space:]]*\/dev\/root/{s/defaults/ro/;s/\([[:space:]]*[[:digit:]]\)\([[:space:]]*\)[[:digit:]]$/\1\20/}' ${IMAGE_ROOTFS}/etc/fstab
> fi
> +}
>
> +read_only_sshd () {
> # If we're using openssh and the /etc/ssh directory has no pre-generated keys,
> # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
> # and the keys under /var/run/ssh.
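Review bot: read_only_rootfs_hook is removed outright, so any layer that references that name (for example in a ROOTFS_POSTPROCESS_COMMAND_remove or in its own postprocess command list) will no longer find it; either keep a read_only_rootfs_hook wrapper that calls the four new functions, or call the rename out explicitly in the commit message. The deleted "A hook function to support read-only-rootfs IMAGE_FEATURES" comment is also not replaced in this hunk: each new function should carry a one-line comment noting that it is only scheduled when read-only-rootfs is in IMAGE_FEATURES, since that is no longer visible from the function bodies.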
> @@ -107,14 +115,18 @@ read_only_rootfs_hook () {
> echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
> fi
> fi
> +}
>
> +read_only_dropbear () {
> # Also tweak the key location for dropbear in the same way.
> if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> if [ ! -e ${IMAGE_ROOTFS}/etc/dropbear/dropbear_rsa_host_key ]; then
> echo "DROPBEAR_RSAKEY_DIR=/var/lib/dropbear" >> ${IMAGE_ROOTFS}/etc/default/dropbear
> fi
> fi
> +}
>
> +read_only_sysvinit () {
> if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
> # Change the value of ROOTFS_READ_ONLY in /etc/default/rcS to yes
> if [ -e ${IMAGE_ROOTFS}/etc/default/rcS ]; then
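Review bot: read_only_sysvinit still wraps its whole body in `if ${@bb.utils.contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then`, whereas the other three new functions are unconditional and rely on the guard in ROOTFS_POSTPROCESS_COMMAND; now that the sysvinit handling is its own command, consider moving the DISTRO_FEATURES test onto that ROOTFS_POSTPROCESS_COMMAND line so all four functions follow the same pattern. Also, the comment "Also tweak the key location for dropbear in the same way." now opens read_only_dropbear with no sshd text above it to refer to; reword it to state on its own that dropbear is pointed at /var/lib/dropbear when no pre-generated host key exists under /etc/dropbear.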
> --
> 2.17.1
>