[PATCH 0/2] [RFC] fix systemd-resolved and connman boot in read only rootfs

[PATCH 0/2] [RFC] fix systemd-resolved and connman boot in read only rootfs

[Maxin B. John]

1. Enable systemd-resolved and systemd-networkd by default
2. Fix systemd-resolved in read only rootfs
3. Fix connman for read-only rootfs
4. Resolve the conflict with systemd-resolved and connman

Maxin B. John (2):
  systemd: enable resolved and networkd
  connman: correct the systemd boot in read only rootfs

 meta/recipes-connectivity/connman/connman.inc      | 15 ++++++++++-
 ...vice-stop-systemd-resolved-when-we-use-co.patch | 29 ++++++++++++++++++++++
 meta/recipes-connectivity/connman/connman_1.34.bb  |  1 +
 meta/recipes-core/systemd/systemd_232.bb           | 13 +++++++---
 4 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch

-- 
2.4.0

[PATCH 1/2] systemd: enable resolved and networkd

[Maxin B. John]

Enable systemd-resolved and systemd-networkd by default.
Make it co-exist with connman and  Fix associated problems
in read-only rootfs.

Fixes [YOCTO #11331]

Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
 meta/recipes-core/systemd/systemd_232.bb | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/systemd/systemd_232.bb b/meta/recipes-core/systemd/systemd_232.bb
index f843c58..6aeccbd 100644
--- a/meta/recipes-core/systemd/systemd_232.bb
+++ b/meta/recipes-core/systemd/systemd_232.bb
@@ -62,6 +62,8 @@ PACKAGECONFIG ??= "xz \
                    firstboot \
                    utmp \
                    polkit \
+                   resolved \
+                   networkd \
 "
 PACKAGECONFIG_remove_libc-musl = "selinux"
 PACKAGECONFIG_remove_libc-musl = "smack"
@@ -244,9 +246,10 @@ do_install() {
 		echo 'L! ${sysconfdir}/resolv.conf - - - - ../run/systemd/resolve/resolv.conf' >>${D}${exec_prefix}/lib/tmpfiles.d/etc.conf
 		echo 'd /run/systemd/resolve 0755 root root -' >>${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf
 		echo 'f /run/systemd/resolve/resolv.conf 0644 root root' >>${D}${exec_prefix}/lib/tmpfiles.d/systemd.conf
-		ln -s ../run/systemd/resolve/resolv.conf ${D}${sysconfdir}/resolv.conf
+		ln -s ../run/systemd/resolve/resolv.conf ${D}${sysconfdir}/resolv-conf.systemd
 	else
 		sed -i -e "s%^L! /etc/resolv.conf.*$%L! /etc/resolv.conf - - - - ../run/systemd/resolve/resolv.conf%g" ${D}${exec_prefix}/lib/tmpfiles.d/etc.conf
+		ln -s ../run/systemd/resolve/resolv.conf ${D}${sysconfdir}/resolv-conf.systemd
 	fi
 	install -Dm 0755 ${S}/src/systemctl/systemd-sysv-install.SKELETON ${D}${systemd_unitdir}/systemd-sysv-install
 }
@@ -451,7 +454,7 @@ FILES_${PN} = " ${base_bindir}/* \
                 ${sysconfdir}/tmpfiles.d/ \
                 ${sysconfdir}/xdg/ \
                 ${sysconfdir}/init.d/README \
-                ${sysconfdir}/resolv.conf \
+                ${sysconfdir}/resolv-conf.systemd \
                 ${rootlibexecdir}/systemd/* \
                 ${systemd_unitdir}/* \
                 ${base_libdir}/security/*.so \
@@ -535,7 +538,7 @@ python __anonymous() {
 # TODO:
 # u-a for runlevel and telinit
 
-ALTERNATIVE_${PN} = "init halt reboot shutdown poweroff runlevel"
+ALTERNATIVE_${PN} = "init halt reboot shutdown poweroff runlevel resolv-conf"
 
 ALTERNATIVE_TARGET[init] = "${rootlibexecdir}/systemd/systemd"
 ALTERNATIVE_LINK_NAME[init] = "${base_sbindir}/init"
@@ -561,6 +564,10 @@ ALTERNATIVE_TARGET[runlevel] = "${base_bindir}/systemctl"
 ALTERNATIVE_LINK_NAME[runlevel] = "${base_sbindir}/runlevel"
 ALTERNATIVE_PRIORITY[runlevel] ?= "300"
 
+ALTERNATIVE_TARGET[resolv-conf] = "${sysconfdir}/resolv-conf.systemd"
+ALTERNATIVE_LINK_NAME[resolv-conf] = "${sysconfdir}/resolv.conf"
+ALTERNATIVE_PRIORITY[resolv-conf] ?= "50"
+
 pkg_postinst_${PN} () {
 	sed -e '/^hosts:/s/\s*\<myhostname\>//' \
 		-e 's/\(^hosts:.*\)\(\<files\>\)\(.*\)\(\<dns\>\)\(.*\)/\1\2 myhostname \3\4\5/' \
-- 
2.4.0

[PATCH 2/2] connman: correct the systemd boot in read only rootfs

[Maxin B. John]

connman fails to start in systemd based read-only images while creating links:

Jun 08 12:53:56 qemux86-64 systemd[1]: Starting Create Volatile Files
and Directories...
Jun 08 12:53:56 qemux86-64 systemd-tmpfiles[366]:
[[0;1;31msymlink(/var/run/connman/resolv.conf, /etc/resolv.conf) failed:
Read-only file system[[0m

Fix this failure and make connman co-exist with systemd-resolved.

Signed-off-by: Maxin B. John <maxin.john@intel.com>
---
 meta/recipes-connectivity/connman/connman.inc      | 15 ++++++++++-
 ...vice-stop-systemd-resolved-when-we-use-co.patch | 29 ++++++++++++++++++++++
 meta/recipes-connectivity/connman/connman_1.34.bb  |  1 +
 3 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch

diff --git a/meta/recipes-connectivity/connman/connman.inc b/meta/recipes-connectivity/connman/connman.inc
index cc2d469..ab18f2f 100644
--- a/meta/recipes-connectivity/connman/connman.inc
+++ b/meta/recipes-connectivity/connman/connman.inc
@@ -13,7 +13,7 @@ LICENSE  = "GPLv2"
 LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
                     file://src/main.c;beginline=1;endline=20;md5=486a279a6ab0c8d152bcda3a5b5edc36"
 
-inherit autotools pkgconfig systemd update-rc.d bluetooth
+inherit autotools pkgconfig systemd update-rc.d bluetooth update-alternatives
 
 DEPENDS  = "dbus glib-2.0 ppp readline"
 
@@ -69,6 +69,11 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
 SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
 SYSTEMD_SERVICE_${PN}-wait-online = "connman-wait-online.service"
 
+ALTERNATIVE_PRIORITY = "100"
+ALTERNATIVE_${PN} ="resolv-conf"
+ALTERNATIVE_TARGET[resolv-conf] = "${sysconfdir}/resolv-conf.connman"
+ALTERNATIVE_LINK_NAME[resolv-conf] = "${sysconfdir}/resolv.conf"
+
 do_install_append() {
 	if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true','false',d)}; then
 		install -d ${D}${sysconfdir}/init.d
@@ -89,6 +94,14 @@ do_install_append() {
 	# Automake 1.12 won't install empty directories, but we need the
 	# plugins directory to be present for ownership
 	mkdir -p ${D}${libdir}/connman/plugins
+
+    # For read-only filesystem, do not create links during bootup
+    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
+        if ${@bb.utils.contains('IMAGE_FEATURES','read-only-rootfs','true','false',d)}; then
+            echo "d    /var/run/connman    - - - -" > ${D}${sysconfdir}/tmpfiles.d/connman_resolvconf.conf
+        fi
+        ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-conf.connman
+    fi
 }
 
 # These used to be plugins, but now they are core
diff --git a/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
new file mode 100644
index 0000000..8e2e0bd
--- /dev/null
+++ b/meta/recipes-connectivity/connman/connman/0001-connman.service-stop-systemd-resolved-when-we-use-co.patch
@@ -0,0 +1,29 @@
+From 9f70b94ebf18f52c115634642652830fa77f27a1 Mon Sep 17 00:00:00 2001
+From: "Maxin B. John" <maxin.john@intel.com>
+Date: Mon, 12 Jun 2017 16:52:39 +0300
+Subject: [PATCH] connman.service: stop systemd-resolved when we use connman
+
+Stop systemd-resolved service when we use connman as network manager.
+
+Upstream-Status: Inappropriate [configuration]
+
+Signed-off-by: Maxin B. John <maxin.john@intel.com>
+---
+ src/connman.service.in | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/connman.service.in b/src/connman.service.in
+index 9f5c10f..dab48bc 100644
+--- a/src/connman.service.in
++++ b/src/connman.service.in
+@@ -6,6 +6,7 @@ RequiresMountsFor=@localstatedir@/lib/connman
+ After=dbus.service network-pre.target systemd-sysusers.service
+ Before=network.target multi-user.target shutdown.target
+ Wants=network.target
++Conflicts=systemd-resolved.service
+ 
+ [Service]
+ Type=dbus
+-- 
+2.4.0
+
diff --git a/meta/recipes-connectivity/connman/connman_1.34.bb b/meta/recipes-connectivity/connman/connman_1.34.bb
index 5d0f242..d520568 100644
--- a/meta/recipes-connectivity/connman/connman_1.34.bb
+++ b/meta/recipes-connectivity/connman/connman_1.34.bb
@@ -3,6 +3,7 @@ require connman.inc
 SRC_URI  = "${KERNELORG_MIRROR}/linux/network/${BPN}/${BP}.tar.xz \
             file://0001-plugin.h-Change-visibility-to-default-for-debug-symb.patch \
             file://0001-firewall-nftables-fix-build-with-libnftnl-1.0.7.patch \
+            file://0001-connman.service-stop-systemd-resolved-when-we-use-co.patch \
             file://connman \
             file://no-version-scripts.patch \
             file://includes.patch \
-- 
2.4.0

Re: [PATCH 1/2] systemd: enable resolved and networkd

[Patrick Ohly]

On Mon, 2017-06-12 at 18:10 +0300, Maxin B. John wrote:
> Enable systemd-resolved and systemd-networkd by default.
> Make it co-exist with connman and  Fix associated problems
> in read-only rootfs.
> 
> Fixes [YOCTO #11331]

Let me come back to this, because I think it is not quite working as
intended yet.

The goal is that the "right" resolver is chosen via alternative
priorities, right? So during build time, we set /etc/resolv.conf to what
is the desired resolver.

However, there's still a L+ entry for /etc/resolv.conf
in /usr/lib/tmpfiles.d/connman_resolvconf.conf:

L+	/etc/resolv.conf	- - - -	/var/run/connman/resolv.conf

As a result, when systemd is used and the rootfs is read/write, then
systemd overwrites /etc/resolv.conf, leading to:

# ls -l /etc/resolv.conf 
lrwxrwxrwx    1 root     root            28 Jul  6 14:44 /etc/resolv.conf -> /var/run/connman/resolv.conf

That happens even if systemd-resolved has a higher priority and should
be used.

Maxin, do you agree? Can you finish this work and patch the ConnMan
recipe so that it behaves as expected?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: [PATCH 1/2] systemd: enable resolved and networkd

[Maxin B. John]

Hi Patrick,

On Thu, Jul 06, 2017 at 05:12:05PM +0200, Patrick Ohly wrote:
> On Mon, 2017-06-12 at 18:10 +0300, Maxin B. John wrote:
> > Enable systemd-resolved and systemd-networkd by default.
> > Make it co-exist with connman and  Fix associated problems
> > in read-only rootfs.
> > 
> > Fixes [YOCTO #11331]
> 
> Let me come back to this, because I think it is not quite working as
> intended yet.
> 
> The goal is that the "right" resolver is chosen via alternative
> priorities, right? So during build time, we set /etc/resolv.conf to what
> is the desired resolver.

Yes. Eventhough for practical reasons, ConnMan's resolver is preferred when
we use ConnMan in the image. That is the reason why we have
"Conflicts=systemd-resolved.service" in "connman.service.in"

> However, there's still a L+ entry for /etc/resolv.conf
> in /usr/lib/tmpfiles.d/connman_resolvconf.conf:
> 
> L+	/etc/resolv.conf	- - - -	/var/run/connman/resolv.conf
> As a result, when systemd is used and the rootfs is read/write, then
> systemd overwrites /etc/resolv.conf, leading to:
> 
> # ls -l /etc/resolv.conf 
> lrwxrwxrwx    1 root     root            28 Jul  6 14:44 /etc/resolv.conf -> /var/run/connman/resolv.conf
> 
> That happens even if systemd-resolved has a higher priority and should
> be used.
> 
> Maxin, do you agree? Can you finish this work and patch the ConnMan
> recipe so that it behaves as expected?

Looks reasonable to me. Thanks for suggesting this. Will update the recipe.

> -- 
> Best Regards, Patrick Ohly

Best Regards,
Maxin

Re: [PATCH 2/2] connman: correct the systemd boot in read only rootfs

[Patrick Ohly]

On Mon, 2017-06-12 at 18:10 +0300, Maxin B. John wrote:
> connman fails to start in systemd based read-only images while
> creating links:
> 
> Jun 08 12:53:56 qemux86-64 systemd[1]: Starting Create Volatile Files
> and Directories...
> Jun 08 12:53:56 qemux86-64 systemd-tmpfiles[366]:
> [[0;1;31msymlink(/var/run/connman/resolv.conf, /etc/resolv.conf)
> failed:
> Read-only file system[[0m
> 
> Fix this failure and make connman co-exist with systemd-resolved.
> 
> Signed-off-by: Maxin B. John <maxin.john@intel.com>
> ---
>  meta/recipes-connectivity/connman/connman.inc      | 15 ++++++++++-
>  ...vice-stop-systemd-resolved-when-we-use-co.patch | 29
> ++++++++++++++++++++++
>  meta/recipes-connectivity/connman/connman_1.34.bb  |  1 +
>  3 files changed, 44 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-connectivity/connman/connman/0001-
> connman.service-stop-systemd-resolved-when-we-use-co.patch
> 
> diff --git a/meta/recipes-connectivity/connman/connman.inc
> b/meta/recipes-connectivity/connman/connman.inc
> index cc2d469..ab18f2f 100644
> --- a/meta/recipes-connectivity/connman/connman.inc
> +++ b/meta/recipes-connectivity/connman/connman.inc
> @@ -13,7 +13,7 @@ LICENSE  = "GPLv2"
>  LIC_FILES_CHKSUM =
> "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
>                      file://src/main.c;beginline=1;endline=20;md5=486
> a279a6ab0c8d152bcda3a5b5edc36"
>  
> -inherit autotools pkgconfig systemd update-rc.d bluetooth
> +inherit autotools pkgconfig systemd update-rc.d bluetooth update-
> alternatives
>  
>  DEPENDS  = "dbus glib-2.0 ppp readline"
>  
> @@ -69,6 +69,11 @@ SYSTEMD_SERVICE_${PN} = "connman.service"
>  SYSTEMD_SERVICE_${PN}-vpn = "connman-vpn.service"
>  SYSTEMD_SERVICE_${PN}-wait-online = "connman-wait-online.service"
>  
> +ALTERNATIVE_PRIORITY = "100"
> +ALTERNATIVE_${PN} ="resolv-conf"
> +ALTERNATIVE_TARGET[resolv-conf] = "${sysconfdir}/resolv-
> conf.connman"
> +ALTERNATIVE_LINK_NAME[resolv-conf] = "${sysconfdir}/resolv.conf"
> +
>  do_install_append() {
>  	if ${@bb.utils.contains('DISTRO_FEATURES','sysvinit','true',
> 'false',d)}; then
>  		install -d ${D}${sysconfdir}/init.d
> @@ -89,6 +94,14 @@ do_install_append() {
>  	# Automake 1.12 won't install empty directories, but we need
> the
>  	# plugins directory to be present for ownership
>  	mkdir -p ${D}${libdir}/connman/plugins
> +
> +    # For read-only filesystem, do not create links during bootup
> +    if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','fals
> e',d)}; then
> +        if ${@bb.utils.contains('IMAGE_FEATURES','re
> ad-only-rootfs','true','false',d)}; then
> +            echo "d    /var/run/connman    - - - -" >
> ${D}${sysconfdir}/tmpfiles.d/connman_resolvconf.conf
> +        fi
> +        ln -sf ../run/connman/resolv.conf ${D}${sysconfdir}/resolv-
> conf.connman
> +    fi
>  }

This check for 'IMAGE_FEATURES' is bogus: that's a per-image recipe
variable, which can't be assumed to be set consistently for all images
in the base configuration and therefore the connman recipe can't depend
 on it. The effect is that the tmpfiles.d entry doesn't get created
when setting IMAGE_FEATURES only for some images.

It still works for me (refkit, based on OE-core Rocko at the moment).
Something has created /var/run/connman (perhaps connman itself?) and
the resolv.conf inside it, so /etc/resolv.conf -> /etc/resolv-
conf.connman -> ../run/connman/resolv.conf = /run/connman/resolv.conf
exists.

But the bogus lines should be removed nonetheless, because it causes
the connman recipe to depend on IMAGE_FEATURES.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.