package_manager: support for signed DEB package feeds

package_manager: support for signed DEB package feeds

[Ferry Toth]

[PATCH v2 0/3] package_manager: support for signed DEB package feeds
[PATCH v2 1/3] gpg-sign: Add parameters to gpg signature function
[PATCH v2 2/3] package_manager: sign DEB package feeds
[PATCH v2 3/3] apt: add apt selftest to test signed package feeds

Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
Currently when building images this requirement is worked around by using [allow-insecure=yes] and
equivalently when performing selftest.
    
Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign deb package feeds"
enable signed deb package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
management. To be able to install the key the gnupg package is added to the testimage.
    
These patches makes deb a first class citizen as ipk and rpm.

Patches have been in use in meta-intel-edison since Gatesgarth, 
see https://edison-fw.github.io/meta-intel-edison/5.0-Creating-a-deb-repository.html

Changes in V2:
 - Added runtime test for signed deb package feeds (Richard Purdie)

[PATCH v2 0/3] *** SUBJECT HERE ***

[Ferry Toth]

From: Ferry Toth <ftoth@exalondelft.nl>

*** BLURB HERE ***

Ferry Toth (2):
  package_manager: sign DEB package feeds
  apt: add apt selftest to test signed package feeds

Xavier Berger (1):
  gpg-sign: Add parameters to gpg signature function

 meta/lib/oe/gpg_sign.py                      |  6 +++-
 meta/lib/oe/package_manager/deb/__init__.py  | 19 ++++++++--
 meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
 meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
 4 files changed, 70 insertions(+), 9 deletions(-)

-- 
2.32.0

[PATCH v2 1/3] gpg-sign: Add parameters to gpg signature function

[Ferry Toth]

From: Xavier Berger <xavier.berger@bio-logic.net>

output_suffix: If defined, add output_suffix as file name extension.
use_sha256: If True, use sha256 for gpg as digest algorithm

Signed-off-by: Xavier Berger <xavier.berger@bio-logic.net>
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
---
 meta/lib/oe/gpg_sign.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/lib/oe/gpg_sign.py b/meta/lib/oe/gpg_sign.py
index 1bce6cb792..aa9bb49f2c 100644
--- a/meta/lib/oe/gpg_sign.py
+++ b/meta/lib/oe/gpg_sign.py
@@ -58,7 +58,7 @@ class LocalSigner(object):
         for i in range(0, len(files), sign_chunk):
             subprocess.check_output(shlex.split(cmd + ' '.join(files[i:i+sign_chunk])), stderr=subprocess.STDOUT)
 
-    def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True):
+    def detach_sign(self, input_file, keyid, passphrase_file, passphrase=None, armor=True, output_suffix=None, use_sha256=False):
         """Create a detached signature of a file"""
 
         if passphrase_file and passphrase:
@@ -71,6 +71,10 @@ class LocalSigner(object):
             cmd += ['--homedir', self.gpg_path]
         if armor:
             cmd += ['--armor']
+        if output_suffix:
+            cmd += ['-o', input_file + "." + output_suffix]
+        if use_sha256:
+            cmd += ['--digest-algo', "SHA256"]
 
         #gpg > 2.1 supports password pipes only through the loopback interface
         #gpg < 2.1 errors out if given unknown parameters
-- 
2.32.0

[PATCH v2 2/3] package_manager: sign DEB package feeds

[Ferry Toth]

From: Ferry Toth <ftoth@exalondelft.nl>

Implement debian package repository signature.
For each Release file created in repository subdirectory, a signature
Release.gpg is created.

Signature is performed using gpg backend when the following variables
are set in local.conf:
PACKAGE_CLASSES += "sign_package_feed"
PACKAGE_FEED_GPG_NAME = "<Id of GPG key>"
PACKAGE_FEED_GPG_PASSPHRASE_FILE="<path to password file>"

Signed-off-by: Xavier Berger <xavier.berger@bio-logic.net>
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
---
 meta/lib/oe/package_manager/deb/__init__.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/meta/lib/oe/package_manager/deb/__init__.py b/meta/lib/oe/package_manager/deb/__init__.py
index 9f112ae25b..86ddb130ad 100644
--- a/meta/lib/oe/package_manager/deb/__init__.py
+++ b/meta/lib/oe/package_manager/deb/__init__.py
@@ -53,6 +53,7 @@ class DpkgIndexer(Indexer):
 
         index_cmds = []
         deb_dirs_found = False
+        index_sign_files = set()
         for arch in arch_list:
             arch_dir = os.path.join(self.deploy_dir, arch)
             if not os.path.isdir(arch_dir):
@@ -62,7 +63,10 @@ class DpkgIndexer(Indexer):
 
             cmd += "%s -fcn Packages > Packages.gz;" % gzip
 
-            with open(os.path.join(arch_dir, "Release"), "w+") as release:
+            release_file = os.path.join(arch_dir, "Release")
+            index_sign_files.add(release_file)
+
+            with open(release_file, "w+") as release:
                 release.write("Label: %s\n" % arch)
 
             cmd += "PSEUDO_UNLOAD=1 %s release . >> Release" % apt_ftparchive
@@ -76,8 +80,17 @@ class DpkgIndexer(Indexer):
             return
 
         oe.utils.multiprocess_launch(create_index, index_cmds, self.d)
-        if self.d.getVar('PACKAGE_FEED_SIGN') == '1':
-            raise NotImplementedError('Package feed signing not implementd for dpkg')
+        if self.d.getVar('PACKAGE_FEED_SIGN', True) == '1':
+            signer = get_signer(self.d, self.d.getVar('PACKAGE_FEED_GPG_BACKEND', True))
+        else:
+            signer = None
+        if signer:
+            for f in index_sign_files:
+                signer.detach_sign(f,
+                                   self.d.getVar('PACKAGE_FEED_GPG_NAME', True),
+                                   self.d.getVar('PACKAGE_FEED_GPG_PASSPHRASE_FILE', True),
+                                   output_suffix="gpg",
+                                   use_sha256=True)
 
 class PMPkgsList(PkgsList):
 
-- 
2.32.0

[PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

From: Ferry Toth <ftoth@exalondelft.nl>

Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
Currently when building images this requirement is worked around by using [allow-insecure=yes] and
equivalently when performing selftest.

Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
management. To be able to install the key the gnupg package is added to the testimage.

Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
---
 meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
 meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
 2 files changed, 49 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
index 53745df93f..49f8714730 100644
--- a/meta/lib/oeqa/runtime/cases/apt.py
+++ b/meta/lib/oeqa/runtime/cases/apt.py
@@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
 
     @classmethod
     def setUpClass(cls):
-        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
+        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
         cls.repo_server = HTTPService(service_repo,
                                       '0.0.0.0', port=cls.tc.target.server_port,
                                       logger=cls.tc.logger)
@@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
         cls.repo_server.stop()
 
     def setup_source_config_for_package_install(self):
-        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
+        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
         apt_get_sourceslist_dir = '/etc/apt/'
-        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
+        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
 
     def cleanup_source_config_for_package_install(self):
         apt_get_sourceslist_dir = '/etc/apt/'
-        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
+        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
+
+    def setup_key(self):
+        # the key is found on the target /etc/pki/packagefeed-gpg/
+        # named PACKAGEFEED-GPG-KEY-poky-branch
+        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
 
     @skipIfNotFeature('package-management',
                       'Test requires package-management to be in IMAGE_FEATURES')
@@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
     @OEHasPackage(['apt'])
     def test_apt_install_from_repo(self):
         self.setup_source_config_for_package_install()
+        self.setup_key()
         self.pkg('update')
         self.pkg('remove --yes run-postinsts-dev')
-        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
+        self.pkg('install --yes run-postinsts-dev')
         self.cleanup_source_config_for_package_install()
diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
index 642f0eb637..7a75b95a99 100644
--- a/meta/lib/oeqa/selftest/cases/runtime_test.py
+++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
@@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
         bitbake('core-image-full-cmdline socat')
         bitbake('-c testimage core-image-full-cmdline')
 
+    def test_testimage_apt(self):
+        """
+        Summary: Check package feeds functionality for apt
+        Expected: 1. Check that remote package feeds can be accessed
+        Product: oe-core
+        Author: Ferry Toth <fntoth@gmail.com>
+        """
+        if get_bb_var('DISTRO') == 'poky-tiny':
+            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
+
+        features = 'INHERIT += "testimage"\n'
+        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
+        # We don't yet know what the server ip and port will be - they will be patched
+        # in at the start of the on-image test
+        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
+        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
+        features += 'PACKAGE_CLASSES = "package_deb"\n'
+        # We need  gnupg on the target to install keys
+        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
+
+        bitbake('gnupg-native -c addto_recipe_sysroot')
+
+        # Enable package feed signing
+        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
+        self.track_for_cleanup(self.gpg_home)
+        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
+        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
+        features += 'INHERIT += "sign_package_feed"\n'
+        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
+        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
+        features += 'GPG_PATH = "%s"\n' % self.gpg_home
+        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
+        self.write_config(features)
+
+        # Build core-image-sato and testimage
+        bitbake('core-image-full-cmdline socat')
+        bitbake('-c testimage core-image-full-cmdline')
+
     def test_testimage_virgl_gtk_sdl(self):
         """
         Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
-- 
2.32.0

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Richard Purdie]

On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> From: Ferry Toth <ftoth@exalondelft.nl>
> 
> Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
> Currently when building images this requirement is worked around by using [allow-insecure=yes] and
> equivalently when performing selftest.
> 
> Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
> enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
> test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
> management. To be able to install the key the gnupg package is added to the testimage.
> 
> Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
> ---
>  meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
>  meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
>  2 files changed, 49 insertions(+), 5 deletions(-)
> 
> diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
> index 53745df93f..49f8714730 100644
> --- a/meta/lib/oeqa/runtime/cases/apt.py
> +++ b/meta/lib/oeqa/runtime/cases/apt.py
> @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
>  
>      @classmethod
>      def setUpClass(cls):
> -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
> +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
>          cls.repo_server = HTTPService(service_repo,
>                                        '0.0.0.0', port=cls.tc.target.server_port,
>                                        logger=cls.tc.logger)
> @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
>          cls.repo_server.stop()
>  
>      def setup_source_config_for_package_install(self):
> -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
> +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
>          apt_get_sourceslist_dir = '/etc/apt/'
> -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
> +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
>  
>      def cleanup_source_config_for_package_install(self):
>          apt_get_sourceslist_dir = '/etc/apt/'
> -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
> +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
> +
> +    def setup_key(self):
> +        # the key is found on the target /etc/pki/packagefeed-gpg/
> +        # named PACKAGEFEED-GPG-KEY-poky-branch
> +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
>  
>      @skipIfNotFeature('package-management',
>                        'Test requires package-management to be in IMAGE_FEATURES')
> @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
>      @OEHasPackage(['apt'])
>      def test_apt_install_from_repo(self):
>          self.setup_source_config_for_package_install()
> +        self.setup_key()
>          self.pkg('update')
>          self.pkg('remove --yes run-postinsts-dev')
> -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
> +        self.pkg('install --yes run-postinsts-dev')
>          self.cleanup_source_config_for_package_install()
> diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
> index 642f0eb637..7a75b95a99 100644
> --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
>          bitbake('core-image-full-cmdline socat')
>          bitbake('-c testimage core-image-full-cmdline')
>  
> +    def test_testimage_apt(self):
> +        """
> +        Summary: Check package feeds functionality for apt
> +        Expected: 1. Check that remote package feeds can be accessed
> +        Product: oe-core
> +        Author: Ferry Toth <fntoth@gmail.com>
> +        """
> +        if get_bb_var('DISTRO') == 'poky-tiny':
> +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
> +
> +        features = 'INHERIT += "testimage"\n'
> +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
> +        # We don't yet know what the server ip and port will be - they will be patched
> +        # in at the start of the on-image test
> +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
> +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
> +        features += 'PACKAGE_CLASSES = "package_deb"\n'
> +        # We need  gnupg on the target to install keys
> +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
> +
> +        bitbake('gnupg-native -c addto_recipe_sysroot')
> +
> +        # Enable package feed signing
> +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
> +        self.track_for_cleanup(self.gpg_home)
> +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
> +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
> +        features += 'INHERIT += "sign_package_feed"\n'
> +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
> +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
> +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
> +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
> +        self.write_config(features)
> +
> +        # Build core-image-sato and testimage
> +        bitbake('core-image-full-cmdline socat')
> +        bitbake('-c testimage core-image-full-cmdline')
> +
>      def test_testimage_virgl_gtk_sdl(self):
>          """
>          Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends

Thanks for working on this!

Looking at the patches I wondered if this would break testimage and
unfortunately it does:

https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975

however hopefully these shouldn't be too hard to fix?

The rest of the build is still running.

Cheers,

Richard

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

Hi,

Op 04-04-2022 om 15:58 schreef Richard Purdie:
> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>> From: Ferry Toth <ftoth@exalondelft.nl>
>>
>> Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
>> Currently when building images this requirement is worked around by using [allow-insecure=yes] and
>> equivalently when performing selftest.
>>
>> Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
>> enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
>> test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
>> management. To be able to install the key the gnupg package is added to the testimage.
>>
>> Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
>> ---
>>   meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
>>   meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
>>   2 files changed, 49 insertions(+), 5 deletions(-)
>>
>> diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
>> index 53745df93f..49f8714730 100644
>> --- a/meta/lib/oeqa/runtime/cases/apt.py
>> +++ b/meta/lib/oeqa/runtime/cases/apt.py
>> @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
>>   
>>       @classmethod
>>       def setUpClass(cls):
>> -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
>> +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
>>           cls.repo_server = HTTPService(service_repo,
>>                                         '0.0.0.0', port=cls.tc.target.server_port,
>>                                         logger=cls.tc.logger)
>> @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
>>           cls.repo_server.stop()
>>   
>>       def setup_source_config_for_package_install(self):
>> -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
>> +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
>>           apt_get_sourceslist_dir = '/etc/apt/'
>> -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
>> +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
>>   
>>       def cleanup_source_config_for_package_install(self):
>>           apt_get_sourceslist_dir = '/etc/apt/'
>> -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
>> +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
>> +
>> +    def setup_key(self):
>> +        # the key is found on the target /etc/pki/packagefeed-gpg/
>> +        # named PACKAGEFEED-GPG-KEY-poky-branch
>> +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
>>   
>>       @skipIfNotFeature('package-management',
>>                         'Test requires package-management to be in IMAGE_FEATURES')
>> @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
>>       @OEHasPackage(['apt'])
>>       def test_apt_install_from_repo(self):
>>           self.setup_source_config_for_package_install()
>> +        self.setup_key()
>>           self.pkg('update')
>>           self.pkg('remove --yes run-postinsts-dev')
>> -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
>> +        self.pkg('install --yes run-postinsts-dev')
>>           self.cleanup_source_config_for_package_install()
>> diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
>> index 642f0eb637..7a75b95a99 100644
>> --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
>> +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
>> @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
>>           bitbake('core-image-full-cmdline socat')
>>           bitbake('-c testimage core-image-full-cmdline')
>>   
>> +    def test_testimage_apt(self):
>> +        """
>> +        Summary: Check package feeds functionality for apt
>> +        Expected: 1. Check that remote package feeds can be accessed
>> +        Product: oe-core
>> +        Author: Ferry Toth <fntoth@gmail.com>
>> +        """
>> +        if get_bb_var('DISTRO') == 'poky-tiny':
>> +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
>> +
>> +        features = 'INHERIT += "testimage"\n'
>> +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
>> +        # We don't yet know what the server ip and port will be - they will be patched
>> +        # in at the start of the on-image test
>> +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
>> +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
>> +        features += 'PACKAGE_CLASSES = "package_deb"\n'
>> +        # We need  gnupg on the target to install keys
>> +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
>> +
>> +        bitbake('gnupg-native -c addto_recipe_sysroot')
>> +
>> +        # Enable package feed signing
>> +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
>> +        self.track_for_cleanup(self.gpg_home)
>> +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
>> +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
>> +        features += 'INHERIT += "sign_package_feed"\n'
>> +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
>> +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
>> +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
>> +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
>> +        self.write_config(features)
>> +
>> +        # Build core-image-sato and testimage
>> +        bitbake('core-image-full-cmdline socat')
>> +        bitbake('-c testimage core-image-full-cmdline')
>> +
>>       def test_testimage_virgl_gtk_sdl(self):
>>           """
>>           Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
> 
> Thanks for working on this!
> 
> Looking at the patches I wondered if this would break testimage and
> unfortunately it does:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975

That is weird, do I understand correctly that it fails on:
  apt-get remove --yes run-postinsts-dev
Reading package lists...
Building dependency tree...
E: Unable to locate package run-postinsts-dev

That is actually *) one line I didn't touch. I did note while testing 
that I saw this exact message, however that was not counted as a fail.

What could cause this? Because the complaint is it can't remove the 
package because it was not installed.

It would be trivial to remove the line

*) self.pkg('remove --yes run-postinsts-dev')

but how could it have passed the test before?

> however hopefully these shouldn't be too hard to fix?
> 
> The rest of the build is still running.
> 
> Cheers,
> 
> Richard
> 

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Richard Purdie]

On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
> Hi,
> 
> Op 04-04-2022 om 15:58 schreef Richard Purdie:
> > On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> > > From: Ferry Toth <ftoth@exalondelft.nl>
> > > 
> > > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
> > > Currently when building images this requirement is worked around by using [allow-insecure=yes] and
> > > equivalently when performing selftest.
> > > 
> > > Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
> > > enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
> > > test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
> > > management. To be able to install the key the gnupg package is added to the testimage.
> > > 
> > > Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
> > > ---
> > >   meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
> > >   meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
> > >   2 files changed, 49 insertions(+), 5 deletions(-)
> > > 
> > > diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
> > > index 53745df93f..49f8714730 100644
> > > --- a/meta/lib/oeqa/runtime/cases/apt.py
> > > +++ b/meta/lib/oeqa/runtime/cases/apt.py
> > > @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
> > >   
> > >       @classmethod
> > >       def setUpClass(cls):
> > > -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
> > > +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
> > >           cls.repo_server = HTTPService(service_repo,
> > >                                         '0.0.0.0', port=cls.tc.target.server_port,
> > >                                         logger=cls.tc.logger)
> > > @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
> > >           cls.repo_server.stop()
> > >   
> > >       def setup_source_config_for_package_install(self):
> > > -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
> > > +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
> > >           apt_get_sourceslist_dir = '/etc/apt/'
> > > -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
> > > +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
> > >   
> > >       def cleanup_source_config_for_package_install(self):
> > >           apt_get_sourceslist_dir = '/etc/apt/'
> > > -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
> > > +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
> > > +
> > > +    def setup_key(self):
> > > +        # the key is found on the target /etc/pki/packagefeed-gpg/
> > > +        # named PACKAGEFEED-GPG-KEY-poky-branch
> > > +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
> > >   
> > >       @skipIfNotFeature('package-management',
> > >                         'Test requires package-management to be in IMAGE_FEATURES')
> > > @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
> > >       @OEHasPackage(['apt'])
> > >       def test_apt_install_from_repo(self):
> > >           self.setup_source_config_for_package_install()
> > > +        self.setup_key()
> > >           self.pkg('update')
> > >           self.pkg('remove --yes run-postinsts-dev')
> > > -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
> > > +        self.pkg('install --yes run-postinsts-dev')
> > >           self.cleanup_source_config_for_package_install()
> > > diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > index 642f0eb637..7a75b95a99 100644
> > > --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > > @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
> > >           bitbake('core-image-full-cmdline socat')
> > >           bitbake('-c testimage core-image-full-cmdline')
> > >   
> > > +    def test_testimage_apt(self):
> > > +        """
> > > +        Summary: Check package feeds functionality for apt
> > > +        Expected: 1. Check that remote package feeds can be accessed
> > > +        Product: oe-core
> > > +        Author: Ferry Toth <fntoth@gmail.com>
> > > +        """
> > > +        if get_bb_var('DISTRO') == 'poky-tiny':
> > > +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
> > > +
> > > +        features = 'INHERIT += "testimage"\n'
> > > +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
> > > +        # We don't yet know what the server ip and port will be - they will be patched
> > > +        # in at the start of the on-image test
> > > +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
> > > +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
> > > +        features += 'PACKAGE_CLASSES = "package_deb"\n'
> > > +        # We need  gnupg on the target to install keys
> > > +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
> > > +
> > > +        bitbake('gnupg-native -c addto_recipe_sysroot')
> > > +
> > > +        # Enable package feed signing
> > > +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
> > > +        self.track_for_cleanup(self.gpg_home)
> > > +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
> > > +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
> > > +        features += 'INHERIT += "sign_package_feed"\n'
> > > +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
> > > +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
> > > +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
> > > +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
> > > +        self.write_config(features)
> > > +
> > > +        # Build core-image-sato and testimage
> > > +        bitbake('core-image-full-cmdline socat')
> > > +        bitbake('-c testimage core-image-full-cmdline')
> > > +
> > >       def test_testimage_virgl_gtk_sdl(self):
> > >           """
> > >           Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
> > 
> > Thanks for working on this!
> > 
> > Looking at the patches I wondered if this would break testimage and
> > unfortunately it does:
> > 
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
> > https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
> 
> That is weird, do I understand correctly that it fails on:
>   apt-get remove --yes run-postinsts-dev
> Reading package lists...
> Building dependency tree...
> E: Unable to locate package run-postinsts-dev
> 
> That is actually *) one line I didn't touch. I did note while testing 
> that I saw this exact message, however that was not counted as a fail.
> 
> What could cause this? Because the complaint is it can't remove the 
> package because it was not installed.
> 
> It would be trivial to remove the line
> 
> *) self.pkg('remove --yes run-postinsts-dev')
> 
> but how could it have passed the test before?


I think the issue is you edited testimage which is a different set of tests
which aren't just called by oe-selftest but by things like 

"bitbake core-image-sato -c testimage"

as well. I'd suggest making the changes in testimage conditional on signing
being configured.

Cheers,

Richard

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

[-- Attachment #1: Type: text/plain, Size: 9640 bytes --]

Hi,

Op 04-04-2022 om 22:39 schreef Richard Purdie:
> On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
>> Hi,
>>
>> Op 04-04-2022 om 15:58 schreef Richard Purdie:
>>> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>>>> From: Ferry Toth<ftoth@exalondelft.nl>
>>>>
>>>> Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
>>>> Currently when building images this requirement is worked around by using [allow-insecure=yes] and
>>>> equivalently when performing selftest.
>>>>
>>>> Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
>>>> enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
>>>> test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
>>>> management. To be able to install the key the gnupg package is added to the testimage.
>>>>
>>>> Signed-off-by: Ferry Toth<ftoth@exalondelft.nl>
>>>> ---
>>>>    meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
>>>>    meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
>>>>    2 files changed, 49 insertions(+), 5 deletions(-)
>>>>
>>>> diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
>>>> index 53745df93f..49f8714730 100644
>>>> --- a/meta/lib/oeqa/runtime/cases/apt.py
>>>> +++ b/meta/lib/oeqa/runtime/cases/apt.py
>>>> @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
>>>>    
>>>>        @classmethod
>>>>        def setUpClass(cls):
>>>> -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
>>>> +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
>>>>            cls.repo_server = HTTPService(service_repo,
>>>>                                          '0.0.0.0', port=cls.tc.target.server_port,
>>>>                                          logger=cls.tc.logger)
>>>> @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
>>>>            cls.repo_server.stop()
>>>>    
>>>>        def setup_source_config_for_package_install(self):
>>>> -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
>>>> +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
>>>>            apt_get_sourceslist_dir = '/etc/apt/'
>>>> -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
>>>> +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
>>>>    
>>>>        def cleanup_source_config_for_package_install(self):
>>>>            apt_get_sourceslist_dir = '/etc/apt/'
>>>> -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
>>>> +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
>>>> +
>>>> +    def setup_key(self):
>>>> +        # the key is found on the target /etc/pki/packagefeed-gpg/
>>>> +        # named PACKAGEFEED-GPG-KEY-poky-branch
>>>> +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
>>>>    
>>>>        @skipIfNotFeature('package-management',
>>>>                          'Test requires package-management to be in IMAGE_FEATURES')
>>>> @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
>>>>        @OEHasPackage(['apt'])
>>>>        def test_apt_install_from_repo(self):
>>>>            self.setup_source_config_for_package_install()
>>>> +        self.setup_key()
>>>>            self.pkg('update')
>>>>            self.pkg('remove --yes run-postinsts-dev')
>>>> -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
>>>> +        self.pkg('install --yes run-postinsts-dev')
>>>>            self.cleanup_source_config_for_package_install()
>>>> diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
>>>> index 642f0eb637..7a75b95a99 100644
>>>> --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
>>>> +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
>>>> @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
>>>>            bitbake('core-image-full-cmdline socat')
>>>>            bitbake('-c testimage core-image-full-cmdline')
>>>>    
>>>> +    def test_testimage_apt(self):
>>>> +        """
>>>> +        Summary: Check package feeds functionality for apt
>>>> +        Expected: 1. Check that remote package feeds can be accessed
>>>> +        Product: oe-core
>>>> +        Author: Ferry Toth<fntoth@gmail.com>
>>>> +        """
>>>> +        if get_bb_var('DISTRO') == 'poky-tiny':
>>>> +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
>>>> +
>>>> +        features = 'INHERIT += "testimage"\n'
>>>> +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
>>>> +        # We don't yet know what the server ip and port will be - they will be patched
>>>> +        # in at the start of the on-image test
>>>> +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
>>>> +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
>>>> +        features += 'PACKAGE_CLASSES = "package_deb"\n'
>>>> +        # We need  gnupg on the target to install keys
>>>> +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
>>>> +
>>>> +        bitbake('gnupg-native -c addto_recipe_sysroot')
>>>> +
>>>> +        # Enable package feed signing
>>>> +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
>>>> +        self.track_for_cleanup(self.gpg_home)
>>>> +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
>>>> +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
>>>> +        features += 'INHERIT += "sign_package_feed"\n'
>>>> +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
>>>> +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
>>>> +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
>>>> +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
>>>> +        self.write_config(features)
>>>> +
>>>> +        # Build core-image-sato and testimage
>>>> +        bitbake('core-image-full-cmdline socat')
>>>> +        bitbake('-c testimage core-image-full-cmdline')
>>>> +
>>>>        def test_testimage_virgl_gtk_sdl(self):
>>>>            """
>>>>            Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
>>> Thanks for working on this!
>>>
>>> Looking at the patches I wondered if this would break testimage and
>>> unfortunately it does:
>>>
>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
>> That is weird, do I understand correctly that it fails on:
>>    apt-get remove --yes run-postinsts-dev
>> Reading package lists...
>> Building dependency tree...
>> E: Unable to locate package run-postinsts-dev
>>
>> That is actually *) one line I didn't touch. I did note while testing
>> that I saw this exact message, however that was not counted as a fail.
>>
>> What could cause this? Because the complaint is it can't remove the
>> package because it was not installed.
>>
>> It would be trivial to remove the line
>>
>> *) self.pkg('remove --yes run-postinsts-dev')
>>
>> but how could it have passed the test before?
>
> I think the issue is you edited testimage which is a different set of tests
> which aren't just called by oe-selftest but by things like

That would be my first thought too, but...

because the failure seems to be on the line self.pkg('remove --yes 
run-postinsts-dev'),  that would mean the line self.pkg('update') passed.

And that should only pass if it finds a signed repository and has the 
key installed (and believe me, I saw a log of that in the last week).

So, there may be a second thing wrong?

Do you know where I can find the log files referred to:

<..>tmp/work/qemux86-poky-linux/core-image-sato/1.0-r0/temp/log.do_testimage.35553

<..>tmp/work/qemux86-poky-linux/core-image-sato-sdk/1.0-r0/temp/log.do_testimage.35362

or could we do a 'quick' check by changing

         self.pkg('update')
         self.pkg('remove --yes run-postinsts-dev')
         self.pkg('install --yes run-postinsts-dev')
to
         self.pkg('update')
         self.pkg('install --yes run-postinsts-dev')
         self.pkg('remove --yes run-postinsts-dev')
?

>
> "bitbake core-image-sato -c testimage"
>
> as well. I'd suggest making the changes in testimage conditional on signing
> being configured.

Yes, regardless the above, we need to either make signing always enabled 
in all test cases or detect whether signing is used.

Do you have a hint if there is a variable to test in class AptRepoTest 
if PACKAGE_FEED_GPG_NAME has been set?

Otherwise I could just duplicate code and create 
apt.AptRepoTest.test_apt_install_from_repo_signed.

What would you prefer?

> Cheers,
>
> Richard
>
>

[-- Attachment #2: Type: text/html, Size: 10907 bytes --]

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Richard Purdie]

On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
> Op 04-04-2022 om 22:39 schreef Richard Purdie:
>  On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
> >  Op 04-04-2022 om 15:58 schreef Richard Purdie:
> > > 
> > > > On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> > > > Looking at the patches I wondered if this would break testimage and
> > > > unfortunately it does:
> > > > 
> > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/s
> > > > teps/12/logs/stdio
> > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
> > > That is weird, do I understand correctly that it fails on:
> > >   apt-get remove --yes run-postinsts-dev
> > > Reading package lists...
> > > Building dependency tree...
> > > E: Unable to locate package run-postinsts-dev
> > > 
> > > That is actually *) one line I didn't touch. I did note while testing 
> > > that I saw this exact message, however that was not counted as a fail.
> > > 
> > > What could cause this? Because the complaint is it can't remove the 
> > > package because it was not installed.
> > > 
> > > It would be trivial to remove the line
> > > 
> > > *) self.pkg('remove --yes run-postinsts-dev')
> > > 
> > > but how could it have passed the test before?
> > 
> > I think the issue is you edited testimage which is a different set of tests
> > which aren't just called by oe-selftest but by things like 
> That would be my first thought too, but...
> because the failure seems to be on the line self.pkg('remove --yes run-
> postinsts-dev'),  that would mean the line self.pkg('update') passed.
> And that should only pass if it finds a signed repository and has the key
> installed (and believe me, I saw a log of that in the last week).
> So, there may be a second thing wrong?

I was easily able to reproduce this locally and it shows the
setup_source_config_for_package_install() step fails and hence the sources
aren't setup correctly, hence the update probably works.

> Do you know where I can find the log files referred to:
> <..>tmp/work/qemux86-poky-linux/core-image-sato/1.0-
> r0/temp/log.do_testimage.35553
> <..>tmp/work/qemux86-poky-linux/core-image-sato-sdk/1.0-
> r0/temp/log.do_testimage.35362

We can get them off the autobuilder if needed but someone would have to manually
go in and find/share them. The issue does locally reproduce for me with a
"bitbake core-image-sato -c testimage" with package_deb set as the backend.

> or could we do a 'quick' check by changing
>         self.pkg('update')
>         self.pkg('remove --yes run-postinsts-dev')
>         self.pkg('install --yes run-postinsts-dev')
> to 
>         self.pkg('update')
>         self.pkg('install --yes run-postinsts-dev')
>         self.pkg('remove --yes run-postinsts-dev')
> ?

I'm not convinced that would help us...

>  
> > 
> > "bitbake core-image-sato -c testimage"
> > 
> > as well. I'd suggest making the changes in testimage conditional on signing
> > being configured.
> Yes, regardless the above, we need to either make signing always enabled in
> all test cases or detect whether signing is used.
> Do you have a hint if there is a variable to test in class AptRepoTest if
> PACKAGE_FEED_GPG_NAME has been set?
> Otherwise I could just duplicate code and create
> apt.AptRepoTest.test_apt_install_from_repo_signed.
> What would you prefer?
> 

We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the test
and handle accordingly?

I did merge the base changes into the release since I thought it was fair to get
the fixes in before it was built. We just need to get the test sorted now, I
think it is close.

Cheers,

Richard

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

[-- Attachment #1: Type: text/plain, Size: 4362 bytes --]

Hi,

Op 06-04-2022 om 13:40 schreef Richard Purdie:
> On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
>> Op 04-04-2022 om 22:39 schreef Richard Purdie:
>>   On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
>>>   Op 04-04-2022 om 15:58 schreef Richard Purdie:
>>>>> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>>>>> Looking at the patches I wondered if this would break testimage and
>>>>> unfortunately it does:
>>>>>
>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/s
>>>>> teps/12/logs/stdio
>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
>>>> That is weird, do I understand correctly that it fails on:
>>>>    apt-get remove --yes run-postinsts-dev
>>>> Reading package lists...
>>>> Building dependency tree...
>>>> E: Unable to locate package run-postinsts-dev
>>>>
>>>> That is actually *) one line I didn't touch. I did note while testing
>>>> that I saw this exact message, however that was not counted as a fail.
>>>>
>>>> What could cause this? Because the complaint is it can't remove the
>>>> package because it was not installed.
>>>>
>>>> It would be trivial to remove the line
>>>>
>>>> *) self.pkg('remove --yes run-postinsts-dev')
>>>>
>>>> but how could it have passed the test before?
>>> I think the issue is you edited testimage which is a different set of tests
>>> which aren't just called by oe-selftest but by things like
>> That would be my first thought too, but...
>> because the failure seems to be on the line self.pkg('remove --yes run-
>> postinsts-dev'),  that would mean the line self.pkg('update') passed.
>> And that should only pass if it finds a signed repository and has the key
>> installed (and believe me, I saw a log of that in the last week).
>> So, there may be a second thing wrong?
> I was easily able to reproduce this locally and it shows the
> setup_source_config_for_package_install() step fails and hence the sources
> aren't setup correctly, hence the update probably works.
not correct, hence works. You lost me here, but I'll try to reproduce.
>> Do you know where I can find the log files referred to:
>> <..>tmp/work/qemux86-poky-linux/core-image-sato/1.0-
>> r0/temp/log.do_testimage.35553
>> <..>tmp/work/qemux86-poky-linux/core-image-sato-sdk/1.0-
>> r0/temp/log.do_testimage.35362
> We can get them off the autobuilder if needed but someone would have to manually
No, that would be too much work. I'll try to reproduce myself.
> go in and find/share them. The issue does locally reproduce for me with a
> "bitbake core-image-sato -c testimage" with package_deb set as the backend.

..in conf. But without PACKAGE_CLASSES, PACKAGE_FEED_GPG_NAME, 
PACKAGE_FEED_GPG_PASSPHRASE_FILE?

>> or could we do a 'quick' check by changing
>>          self.pkg('update')
>>          self.pkg('remove --yes run-postinsts-dev')
>>          self.pkg('install --yes run-postinsts-dev')
>> to
>>          self.pkg('update')
>>          self.pkg('install --yes run-postinsts-dev')
>>          self.pkg('remove --yes run-postinsts-dev')
>> ?
> I'm not convinced that would help us...
I'll try locally.
>>   
>>> "bitbake core-image-sato -c testimage"
>>>
>>> as well. I'd suggest making the changes in testimage conditional on signing
>>> being configured.
>> Yes, regardless the above, we need to either make signing always enabled in
>> all test cases or detect whether signing is used.
>> Do you have a hint if there is a variable to test in class AptRepoTest if
>> PACKAGE_FEED_GPG_NAME has been set?
>> Otherwise I could just duplicate code and create
>> apt.AptRepoTest.test_apt_install_from_repo_signed.
>> What would you prefer?
>>
> We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the test
> and handle accordingly?
>
> I did merge the base changes into the release since I thought it was fair to get
> the fixes in before it was built. We just need to get the test sorted now, I
> think it is close.

Thanks for merging.

I'll fix the test, that's only fair.

One thing, the test "test_testimage_apt" is new. It needs to be 
scheduled somewhere (where "test_testimage_dnf" is called i guess), I 
didn't add that. Is that correct?

>
> Cheers,
>
> Richard
>
>
>

[-- Attachment #2: Type: text/html, Size: 7024 bytes --]

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Richard Purdie]

On Wed, 2022-04-06 at 16:43 +0200, Ferry Toth wrote:
> Op 06-04-2022 om 13:40 schreef Richard Purdie:
> > On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
> > > Op 04-04-2022 om 22:39 schreef Richard Purdie:
> > >  On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
> > > >  Op 04-04-2022 om 15:58 schreef Richard Purdie:
> > > > > > On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> > > > > > Looking at the patches I wondered if this would break testimage and
> > > > > > unfortunately it does:
> > > > > > 
> > > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/50
> > > > > > 13/s
> > > > > > teps/12/logs/stdio
> > > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/49
> > > > > > 75
> > > > > That is weird, do I understand correctly that it fails on:
> > > > >   apt-get remove --yes run-postinsts-dev
> > > > > Reading package lists...
> > > > > Building dependency tree...
> > > > > E: Unable to locate package run-postinsts-dev
> > > > > 
> > > > > That is actually *) one line I didn't touch. I did note while testing 
> > > > > that I saw this exact message, however that was not counted as a fail.
> > > > > 
> > > > > What could cause this? Because the complaint is it can't remove the 
> > > > > package because it was not installed.
> > > > > 
> > > > > It would be trivial to remove the line
> > > > > 
> > > > > *) self.pkg('remove --yes run-postinsts-dev')
> > > > > 
> > > > > but how could it have passed the test before?
> > > > I think the issue is you edited testimage which is a different set of
> > > > tests
> > > > which aren't just called by oe-selftest but by things like 
> > > That would be my first thought too, but...
> > > because the failure seems to be on the line self.pkg('remove --yes run-
> > > postinsts-dev'),  that would mean the line self.pkg('update') passed.
> > > And that should only pass if it finds a signed repository and has the key
> > > installed (and believe me, I saw a log of that in the last week).
> > > So, there may be a second thing wrong?
> > I was easily able to reproduce this locally and it shows the
> > setup_source_config_for_package_install() step fails and hence the sources
> > aren't setup correctly, hence the update probably works.
>  not correct, hence works. You lost me here, but I'll try to reproduce.

I mean the command doesn't work correctly. In my local logs I see:

DEBUG: Command: cd /etc/apt/; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/http:\/\/192.168.7.1:46599/g' sources.list
Status: 1 Output:  cp: can't stat 'sources.list': No such file or directory
sed: sources.list: No such file or directory

> 
>  
> > go in and find/share them. The issue does locally reproduce for me with a
> > "bitbake core-image-sato -c testimage" with package_deb set as the backend.
> ..in conf. But without PACKAGE_CLASSES, PACKAGE_FEED_GPG_NAME,
> PACKAGE_FEED_GPG_PASSPHRASE_FILE?

Yes.

> > 
> > > Yes, regardless the above, we need to either make signing always enabled
> > > in
> > > all test cases or detect whether signing is used.
> > > Do you have a hint if there is a variable to test in class AptRepoTest if
> > > PACKAGE_FEED_GPG_NAME has been set?
> > > Otherwise I could just duplicate code and create
> > > apt.AptRepoTest.test_apt_install_from_repo_signed.
> > > What would you prefer?
> > > 
> > We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the
> > test
> > and handle accordingly?
> > 
> > I did merge the base changes into the release since I thought it was fair to
> > get
> > the fixes in before it was built. We just need to get the test sorted now, I
> > think it is close.
> Thanks for merging.
> I'll fix the test, that's only fair. 
> One thing, the test "test_testimage_apt" is new. It needs to be scheduled
> somewhere (where "test_testimage_dnf" is called i guess), I didn't add that.
> Is that correct?
>  

No, the autobuilder runs all the tests in oe-selftest so it should be covered
(and is why we saw the failures on the autobuilder).

Cheers,

Richard

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

Hi

Op 06-04-2022 om 17:23 schreef Richard Purdie:
> On Wed, 2022-04-06 at 16:43 +0200, Ferry Toth wrote:
>> Op 06-04-2022 om 13:40 schreef Richard Purdie:
>>> On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
>>>> Op 04-04-2022 om 22:39 schreef Richard Purdie:
>>>>   On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
>>>>>   Op 04-04-2022 om 15:58 schreef Richard Purdie:
>>>>>>> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>>>>>>> Looking at the patches I wondered if this would break testimage and
>>>>>>> unfortunately it does:
>>>>>>>
>>>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/50
>>>>>>> 13/s
>>>>>>> teps/12/logs/stdio
>>>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/49
>>>>>>> 75
>>>>>> That is weird, do I understand correctly that it fails on:
>>>>>>    apt-get remove --yes run-postinsts-dev
>>>>>> Reading package lists...
>>>>>> Building dependency tree...
>>>>>> E: Unable to locate package run-postinsts-dev
>>>>>>
>>>>>> That is actually *) one line I didn't touch. I did note while testing
>>>>>> that I saw this exact message, however that was not counted as a fail.
>>>>>>
>>>>>> What could cause this? Because the complaint is it can't remove the
>>>>>> package because it was not installed.
>>>>>>
>>>>>> It would be trivial to remove the line
>>>>>>
>>>>>> *) self.pkg('remove --yes run-postinsts-dev')
>>>>>>
>>>>>> but how could it have passed the test before?
>>>>> I think the issue is you edited testimage which is a different set of
>>>>> tests
>>>>> which aren't just called by oe-selftest but by things like
>>>> That would be my first thought too, but...
>>>> because the failure seems to be on the line self.pkg('remove --yes run-
>>>> postinsts-dev'),  that would mean the line self.pkg('update') passed.
>>>> And that should only pass if it finds a signed repository and has the key
>>>> installed (and believe me, I saw a log of that in the last week).
>>>> So, there may be a second thing wrong?
>>> I was easily able to reproduce this locally and it shows the
>>> setup_source_config_for_package_install() step fails and hence the sources
>>> aren't setup correctly, hence the update probably works.
>>   not correct, hence works. You lost me here, but I'll try to reproduce.
> I mean the command doesn't work correctly. In my local logs I see:
>
> DEBUG: Command: cd /etc/apt/; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/http:\/\/192.168.7.1:46599/g' sources.list
> Status: 1 Output:  cp: can't stat 'sources.list': No such file or directory
> sed: sources.list: No such file or directory
>
>>   
>>> go in and find/share them. The issue does locally reproduce for me with a
>>> "bitbake core-image-sato -c testimage" with package_deb set as the backend.
>> ..in conf. But without PACKAGE_CLASSES, PACKAGE_FEED_GPG_NAME,
>> PACKAGE_FEED_GPG_PASSPHRASE_FILE?
> Yes.
>
>>>> Yes, regardless the above, we need to either make signing always enabled
>>>> in
>>>> all test cases or detect whether signing is used.
>>>> Do you have a hint if there is a variable to test in class AptRepoTest if
>>>> PACKAGE_FEED_GPG_NAME has been set?
>>>> Otherwise I could just duplicate code and create
>>>> apt.AptRepoTest.test_apt_install_from_repo_signed.
>>>> What would you prefer?
>>>>
>>> We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the
>>> test
>>> and handle accordingly?
>>>
>>> I did merge the base changes into the release since I thought it was fair to
>>> get
>>> the fixes in before it was built. We just need to get the test sorted now, I
>>> think it is close.
>> Thanks for merging.
>> I'll fix the test, that's only fair.
>> One thing, the test "test_testimage_apt" is new. It needs to be scheduled
>> somewhere (where "test_testimage_dnf" is called i guess), I didn't add that.
>> Is that correct?
>>   
> No, the autobuilder runs all the tests in oe-selftest so it should be covered
> (and is why we saw the failures on the autobuilder).

I was running 'oe-selftest -K -r 
runtime_test.TestImage.test_testimage_apt' whereas buildbot seems to be 
running 'apt.AptRepoTest.test_apt_install_from_repo' directly.

However, test_testimage_apt is where keys are setup (keys found in 
meta-selftest). So, where/when is test_testimage_apt called (or 
test_testimage_dnf for that matter)?

> Cheers,
>
> Richard
>

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Richard Purdie]

On Wed, 2022-04-06 at 21:44 +0200, Ferry Toth wrote:
> Hi
> 
> Op 06-04-2022 om 17:23 schreef Richard Purdie:
> > On Wed, 2022-04-06 at 16:43 +0200, Ferry Toth wrote:
> > > Op 06-04-2022 om 13:40 schreef Richard Purdie:
> > > > On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
> > > > > Op 04-04-2022 om 22:39 schreef Richard Purdie:
> > > > >   On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
> > > > > >   Op 04-04-2022 om 15:58 schreef Richard Purdie:
> > > > > > > > On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> > > > > > > > Looking at the patches I wondered if this would break testimage and
> > > > > > > > unfortunately it does:
> > > > > > > > 
> > > > > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/50
> > > > > > > > 13/s
> > > > > > > > teps/12/logs/stdio
> > > > > > > > https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/49
> > > > > > > > 75
> > > > > > > That is weird, do I understand correctly that it fails on:
> > > > > > >    apt-get remove --yes run-postinsts-dev
> > > > > > > Reading package lists...
> > > > > > > Building dependency tree...
> > > > > > > E: Unable to locate package run-postinsts-dev
> > > > > > > 
> > > > > > > That is actually *) one line I didn't touch. I did note while testing
> > > > > > > that I saw this exact message, however that was not counted as a fail.
> > > > > > > 
> > > > > > > What could cause this? Because the complaint is it can't remove the
> > > > > > > package because it was not installed.
> > > > > > > 
> > > > > > > It would be trivial to remove the line
> > > > > > > 
> > > > > > > *) self.pkg('remove --yes run-postinsts-dev')
> > > > > > > 
> > > > > > > but how could it have passed the test before?
> > > > > > I think the issue is you edited testimage which is a different set of
> > > > > > tests
> > > > > > which aren't just called by oe-selftest but by things like
> > > > > That would be my first thought too, but...
> > > > > because the failure seems to be on the line self.pkg('remove --yes run-
> > > > > postinsts-dev'),  that would mean the line self.pkg('update') passed.
> > > > > And that should only pass if it finds a signed repository and has the key
> > > > > installed (and believe me, I saw a log of that in the last week).
> > > > > So, there may be a second thing wrong?
> > > > I was easily able to reproduce this locally and it shows the
> > > > setup_source_config_for_package_install() step fails and hence the sources
> > > > aren't setup correctly, hence the update probably works.
> > >   not correct, hence works. You lost me here, but I'll try to reproduce.
> > I mean the command doesn't work correctly. In my local logs I see:
> > 
> > DEBUG: Command: cd /etc/apt/; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/http:\/\/192.168.7.1:46599/g' sources.list
> > Status: 1 Output:  cp: can't stat 'sources.list': No such file or directory
> > sed: sources.list: No such file or directory
> > 
> > >   
> > > > go in and find/share them. The issue does locally reproduce for me with a
> > > > "bitbake core-image-sato -c testimage" with package_deb set as the backend.
> > > ..in conf. But without PACKAGE_CLASSES, PACKAGE_FEED_GPG_NAME,
> > > PACKAGE_FEED_GPG_PASSPHRASE_FILE?
> > Yes.
> > 
> > > > > Yes, regardless the above, we need to either make signing always enabled
> > > > > in
> > > > > all test cases or detect whether signing is used.
> > > > > Do you have a hint if there is a variable to test in class AptRepoTest if
> > > > > PACKAGE_FEED_GPG_NAME has been set?
> > > > > Otherwise I could just duplicate code and create
> > > > > apt.AptRepoTest.test_apt_install_from_repo_signed.
> > > > > What would you prefer?
> > > > > 
> > > > We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the
> > > > test
> > > > and handle accordingly?
> > > > 
> > > > I did merge the base changes into the release since I thought it was fair to
> > > > get
> > > > the fixes in before it was built. We just need to get the test sorted now, I
> > > > think it is close.
> > > Thanks for merging.
> > > I'll fix the test, that's only fair.
> > > One thing, the test "test_testimage_apt" is new. It needs to be scheduled
> > > somewhere (where "test_testimage_dnf" is called i guess), I didn't add that.
> > > Is that correct?
> > >   
> > No, the autobuilder runs all the tests in oe-selftest so it should be covered
> > (and is why we saw the failures on the autobuilder).
> 
> I was running 'oe-selftest -K -r 
> runtime_test.TestImage.test_testimage_apt' whereas buildbot seems to be 
> running 'apt.AptRepoTest.test_apt_install_from_repo' directly.

We have several types of test. There are two types in play here,

"oe-selftest -K -r runtime_test.TestImage.test_testimage_apt"

and

"bitbake core-image-sato -c testimage"

The latter testimage tests are often run every time we create images and running
testimage will trigger 'apt.AptRepoTest.test_apt_install_from_repo' if the image
has apt present and is built using debian package management.

We also run oe-selftest which triggers a testimage of it's own for a specfic
test case.

So we'd expect the normal testimage calls to not have the package signing
enabled and then we'd have the oe-selftest which specifically tests signing.

> However, test_testimage_apt is where keys are setup (keys found in 
> meta-selftest). So, where/when is test_testimage_apt called (or 
> test_testimage_dnf for that matter)?

Those are called by the oe-selftest call on the autobuilder. We run the oe-
selftest with a mask on the autobuilder so pretty much all of them run.

Cheers,

Richard

Re: [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

Op 06-04-2022 om 23:05 schreef Richard Purdie:
> On Wed, 2022-04-06 at 21:44 +0200, Ferry Toth wrote:
>> Hi
>>
>> Op 06-04-2022 om 17:23 schreef Richard Purdie:
>>> On Wed, 2022-04-06 at 16:43 +0200, Ferry Toth wrote:
>>>> Op 06-04-2022 om 13:40 schreef Richard Purdie:
>>>>> On Tue, 2022-04-05 at 17:23 +0200, Ferry Toth wrote:
>>>>>> Op 04-04-2022 om 22:39 schreef Richard Purdie:
>>>>>>    On Mon, 2022-04-04 at 19:35 +0200, Ferry Toth wrote:
>>>>>>>    Op 04-04-2022 om 15:58 schreef Richard Purdie:
>>>>>>>>> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>>>>>>>>> Looking at the patches I wondered if this would break testimage and
>>>>>>>>> unfortunately it does:
>>>>>>>>>
>>>>>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/50
>>>>>>>>> 13/s
>>>>>>>>> teps/12/logs/stdio
>>>>>>>>> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/49
>>>>>>>>> 75
>>>>>>>> That is weird, do I understand correctly that it fails on:
>>>>>>>>     apt-get remove --yes run-postinsts-dev
>>>>>>>> Reading package lists...
>>>>>>>> Building dependency tree...
>>>>>>>> E: Unable to locate package run-postinsts-dev
>>>>>>>>
>>>>>>>> That is actually *) one line I didn't touch. I did note while testing
>>>>>>>> that I saw this exact message, however that was not counted as a fail.
>>>>>>>>
>>>>>>>> What could cause this? Because the complaint is it can't remove the
>>>>>>>> package because it was not installed.
>>>>>>>>
>>>>>>>> It would be trivial to remove the line
>>>>>>>>
>>>>>>>> *) self.pkg('remove --yes run-postinsts-dev')
>>>>>>>>
>>>>>>>> but how could it have passed the test before?
>>>>>>> I think the issue is you edited testimage which is a different set of
>>>>>>> tests
>>>>>>> which aren't just called by oe-selftest but by things like
>>>>>> That would be my first thought too, but...
>>>>>> because the failure seems to be on the line self.pkg('remove --yes run-
>>>>>> postinsts-dev'),  that would mean the line self.pkg('update') passed.
>>>>>> And that should only pass if it finds a signed repository and has the key
>>>>>> installed (and believe me, I saw a log of that in the last week).
>>>>>> So, there may be a second thing wrong?
>>>>> I was easily able to reproduce this locally and it shows the
>>>>> setup_source_config_for_package_install() step fails and hence the sources
>>>>> aren't setup correctly, hence the update probably works.
>>>>    not correct, hence works. You lost me here, but I'll try to reproduce.
>>> I mean the command doesn't work correctly. In my local logs I see:
>>>
>>> DEBUG: Command: cd /etc/apt/; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/http:\/\/192.168.7.1:46599/g' sources.list
>>> Status: 1 Output:  cp: can't stat 'sources.list': No such file or directory
>>> sed: sources.list: No such file or directory
>>>
>>>>    
>>>>> go in and find/share them. The issue does locally reproduce for me with a
>>>>> "bitbake core-image-sato -c testimage" with package_deb set as the backend.
>>>> ..in conf. But without PACKAGE_CLASSES, PACKAGE_FEED_GPG_NAME,
>>>> PACKAGE_FEED_GPG_PASSPHRASE_FILE?
>>> Yes.
>>>
>>>>>> Yes, regardless the above, we need to either make signing always enabled
>>>>>> in
>>>>>> all test cases or detect whether signing is used.
>>>>>> Do you have a hint if there is a variable to test in class AptRepoTest if
>>>>>> PACKAGE_FEED_GPG_NAME has been set?
>>>>>> Otherwise I could just duplicate code and create
>>>>>> apt.AptRepoTest.test_apt_install_from_repo_signed.
>>>>>> What would you prefer?
>>>>>>
>>>>> We should be able to test self.tc.td.get('PACKAGE_FEED_GPG_NAME') in the
>>>>> test
>>>>> and handle accordingly?
I'll try this for autodetecting the test case.
>>>>>
>>>>> I did merge the base changes into the release since I thought it was fair to
>>>>> get
>>>>> the fixes in before it was built. We just need to get the test sorted now, I
>>>>> think it is close.
>>>> Thanks for merging.
>>>> I'll fix the test, that's only fair.
>>>> One thing, the test "test_testimage_apt" is new. It needs to be scheduled
>>>> somewhere (where "test_testimage_dnf" is called i guess), I didn't add that.
>>>> Is that correct?
>>>>    
>>> No, the autobuilder runs all the tests in oe-selftest so it should be covered
>>> (and is why we saw the failures on the autobuilder).
>> I was running 'oe-selftest -K -r
>> runtime_test.TestImage.test_testimage_apt' whereas buildbot seems to be
>> running 'apt.AptRepoTest.test_apt_install_from_repo' directly.
> We have several types of test. There are two types in play here,
>
> "oe-selftest -K -r runtime_test.TestImage.test_testimage_apt"
>
> and
>
> "bitbake core-image-sato -c testimage"

Thanks for the explanation. Yesterday evening I built Sato and was able 
to reproduce  the issue.

(that was a big build with half of build time spent on building Rust).

core-image-sato does not have a /etc/apt/sources.list, the selftest public key is not on the image and gpg is not installed. This explains the errors in the log.

> The latter testimage tests are often run every time we create images and running
> testimage will trigger 'apt.AptRepoTest.test_apt_install_from_repo' if the image
> has apt present and is built using debian package management.
>
> We also run oe-selftest which triggers a testimage of it's own for a specfic
> test case.
Got it.
> So we'd expect the normal testimage calls to not have the package signing
> enabled and then we'd have the oe-selftest which specifically tests signing.
>
>> However, test_testimage_apt is where keys are setup (keys found in
>> meta-selftest). So, where/when is test_testimage_apt called (or
>> test_testimage_dnf for that matter)?
> Those are called by the oe-selftest call on the autobuilder. We run the oe-
> selftest with a mask on the autobuilder so pretty much all of them run.
After looking at more detail at autobuilder schedules I get it.
> Cheers,
>
> Richard
>
>

Re: [OE-core] [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Alexandre Belloni]

Hello,

On 04/04/2022 14:58:07+0100, Richard Purdie wrote:
> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
> > From: Ferry Toth <ftoth@exalondelft.nl>
> > 
> > Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
> > Currently when building images this requirement is worked around by using [allow-insecure=yes] and
> > equivalently when performing selftest.
> > 
> > Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
> > enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
> > test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
> > management. To be able to install the key the gnupg package is added to the testimage.
> > 
> > Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
> > ---
> >  meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
> >  meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
> >  2 files changed, 49 insertions(+), 5 deletions(-)
> > 
> > diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
> > index 53745df93f..49f8714730 100644
> > --- a/meta/lib/oeqa/runtime/cases/apt.py
> > +++ b/meta/lib/oeqa/runtime/cases/apt.py
> > @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
> >  
> >      @classmethod
> >      def setUpClass(cls):
> > -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
> > +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
> >          cls.repo_server = HTTPService(service_repo,
> >                                        '0.0.0.0', port=cls.tc.target.server_port,
> >                                        logger=cls.tc.logger)
> > @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
> >          cls.repo_server.stop()
> >  
> >      def setup_source_config_for_package_install(self):
> > -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
> > +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
> >          apt_get_sourceslist_dir = '/etc/apt/'
> > -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
> > +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
> >  
> >      def cleanup_source_config_for_package_install(self):
> >          apt_get_sourceslist_dir = '/etc/apt/'
> > -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
> > +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
> > +
> > +    def setup_key(self):
> > +        # the key is found on the target /etc/pki/packagefeed-gpg/
> > +        # named PACKAGEFEED-GPG-KEY-poky-branch
> > +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
> >  
> >      @skipIfNotFeature('package-management',
> >                        'Test requires package-management to be in IMAGE_FEATURES')
> > @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
> >      @OEHasPackage(['apt'])
> >      def test_apt_install_from_repo(self):
> >          self.setup_source_config_for_package_install()
> > +        self.setup_key()
> >          self.pkg('update')
> >          self.pkg('remove --yes run-postinsts-dev')
> > -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
> > +        self.pkg('install --yes run-postinsts-dev')
> >          self.cleanup_source_config_for_package_install()
> > diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > index 642f0eb637..7a75b95a99 100644
> > --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
> > +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
> > @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
> >          bitbake('core-image-full-cmdline socat')
> >          bitbake('-c testimage core-image-full-cmdline')
> >  
> > +    def test_testimage_apt(self):
> > +        """
> > +        Summary: Check package feeds functionality for apt
> > +        Expected: 1. Check that remote package feeds can be accessed
> > +        Product: oe-core
> > +        Author: Ferry Toth <fntoth@gmail.com>
> > +        """
> > +        if get_bb_var('DISTRO') == 'poky-tiny':
> > +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
> > +
> > +        features = 'INHERIT += "testimage"\n'
> > +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
> > +        # We don't yet know what the server ip and port will be - they will be patched
> > +        # in at the start of the on-image test
> > +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
> > +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
> > +        features += 'PACKAGE_CLASSES = "package_deb"\n'
> > +        # We need  gnupg on the target to install keys
> > +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
> > +
> > +        bitbake('gnupg-native -c addto_recipe_sysroot')
> > +
> > +        # Enable package feed signing
> > +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
> > +        self.track_for_cleanup(self.gpg_home)
> > +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
> > +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
> > +        features += 'INHERIT += "sign_package_feed"\n'
> > +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
> > +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
> > +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
> > +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
> > +        self.write_config(features)
> > +
> > +        # Build core-image-sato and testimage
> > +        bitbake('core-image-full-cmdline socat')
> > +        bitbake('-c testimage core-image-full-cmdline')
> > +
> >      def test_testimage_virgl_gtk_sdl(self):
> >          """
> >          Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
> 
> Thanks for working on this!
> 
> Looking at the patches I wondered if this would break testimage and
> unfortunately it does:
> 
> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
> 
> however hopefully these shouldn't be too hard to fix?
> 
> The rest of the build is still running.

I missed it at the time but I believe this is also the cause of:

https://autobuilder.yoctoproject.org/typhoon/#/builders/80/builds/3352/steps/15/logs/stdio

ERROR: package-index-1.0-r0 do_package_index: GPG exited with code 2: gpg: can't connect to the agent: IPC connect call failed
gpg: skipped "testuser": No secret key
gpg: signing failed: No secret key



-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH v2 3/3] apt: add apt selftest to test signed package feeds

[Ferry Toth]

[-- Attachment #1: Type: text/plain, Size: 7885 bytes --]

Hi

Op 06-04-2022 om 12:10 schreef Alexandre Belloni:
> Hello,
>
> On 04/04/2022 14:58:07+0100, Richard Purdie wrote:
>> On Sun, 2022-04-03 at 21:50 +0200, Ferry Toth wrote:
>>> From: Ferry Toth<ftoth@exalondelft.nl>
>>>
>>> Since Gatesgarth apt (1.8.2) has become more strict and doesn’t allow unsigned repositories by default.
>>> Currently when building images this requirement is worked around by using [allow-insecure=yes] and
>>> equivalently when performing selftest.
>>>
>>> Patches "gpg-sign: Add parameters to gpg signature function" and "package_manager: sign DEB package feeds"
>>> enable signed DEB package feeds. This patch adds a runtime test for apt derived from the test_testimage_dnf
>>> test. It creates a signed deb package feed, runs a qemu image to install the key and performs some package
>>> management. To be able to install the key the gnupg package is added to the testimage.
>>>
>>> Signed-off-by: Ferry Toth<ftoth@exalondelft.nl>
>>> ---
>>>   meta/lib/oeqa/runtime/cases/apt.py           | 16 ++++++---
>>>   meta/lib/oeqa/selftest/cases/runtime_test.py | 38 ++++++++++++++++++++
>>>   2 files changed, 49 insertions(+), 5 deletions(-)
>>>
>>> diff --git a/meta/lib/oeqa/runtime/cases/apt.py b/meta/lib/oeqa/runtime/cases/apt.py
>>> index 53745df93f..49f8714730 100644
>>> --- a/meta/lib/oeqa/runtime/cases/apt.py
>>> +++ b/meta/lib/oeqa/runtime/cases/apt.py
>>> @@ -21,7 +21,7 @@ class AptRepoTest(AptTest):
>>>   
>>>       @classmethod
>>>       def setUpClass(cls):
>>> -        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], 'all')
>>> +        service_repo = os.path.join(cls.tc.td['DEPLOY_DIR_DEB'], '')
>>>           cls.repo_server = HTTPService(service_repo,
>>>                                         '0.0.0.0', port=cls.tc.target.server_port,
>>>                                         logger=cls.tc.logger)
>>> @@ -32,13 +32,18 @@ class AptRepoTest(AptTest):
>>>           cls.repo_server.stop()
>>>   
>>>       def setup_source_config_for_package_install(self):
>>> -        apt_get_source_server = 'http://%s:%s/' % (self.tc.target.server_ip, self.repo_server.port)
>>> +        apt_get_source_server = 'http:\/\/%s:%s' % (self.tc.target.server_ip, self.repo_server.port)
>>>           apt_get_sourceslist_dir = '/etc/apt/'
>>> -        self.target.run('cd %s; echo deb [ allow-insecure=yes ] %s ./ > sources.list' % (apt_get_sourceslist_dir, apt_get_source_server))
>>> +        self.target.run("cd %s; cp sources.list sources.list.bak; sed -i 's/\[trusted=yes\] http:\/\/bogus_ip:bogus_port/%s/g' sources.list" % (apt_get_sourceslist_dir, apt_get_source_server))
>>>   
>>>       def cleanup_source_config_for_package_install(self):
>>>           apt_get_sourceslist_dir = '/etc/apt/'
>>> -        self.target.run('cd %s; rm sources.list' % (apt_get_sourceslist_dir))
>>> +        self.target.run('cd %s; mv sources.list.bak sources.list' % (apt_get_sourceslist_dir))
>>> +
>>> +    def setup_key(self):
>>> +        # the key is found on the target /etc/pki/packagefeed-gpg/
>>> +        # named PACKAGEFEED-GPG-KEY-poky-branch
>>> +        self.target.run('cd %s; apt-key add P*' % ('/etc/pki/packagefeed-gpg'))
>>>   
>>>       @skipIfNotFeature('package-management',
>>>                         'Test requires package-management to be in IMAGE_FEATURES')
>>> @@ -47,7 +52,8 @@ class AptRepoTest(AptTest):
>>>       @OEHasPackage(['apt'])
>>>       def test_apt_install_from_repo(self):
>>>           self.setup_source_config_for_package_install()
>>> +        self.setup_key()
>>>           self.pkg('update')
>>>           self.pkg('remove --yes run-postinsts-dev')
>>> -        self.pkg('install --yes --allow-unauthenticated run-postinsts-dev')
>>> +        self.pkg('install --yes run-postinsts-dev')
>>>           self.cleanup_source_config_for_package_install()
>>> diff --git a/meta/lib/oeqa/selftest/cases/runtime_test.py b/meta/lib/oeqa/selftest/cases/runtime_test.py
>>> index 642f0eb637..7a75b95a99 100644
>>> --- a/meta/lib/oeqa/selftest/cases/runtime_test.py
>>> +++ b/meta/lib/oeqa/selftest/cases/runtime_test.py
>>> @@ -162,6 +162,44 @@ class TestImage(OESelftestTestCase):
>>>           bitbake('core-image-full-cmdline socat')
>>>           bitbake('-c testimage core-image-full-cmdline')
>>>   
>>> +    def test_testimage_apt(self):
>>> +        """
>>> +        Summary: Check package feeds functionality for apt
>>> +        Expected: 1. Check that remote package feeds can be accessed
>>> +        Product: oe-core
>>> +        Author: Ferry Toth<fntoth@gmail.com>
>>> +        """
>>> +        if get_bb_var('DISTRO') == 'poky-tiny':
>>> +            self.skipTest('core-image-full-cmdline not buildable for poky-tiny')
>>> +
>>> +        features = 'INHERIT += "testimage"\n'
>>> +        features += 'TEST_SUITES = "ping ssh apt.AptRepoTest.test_apt_install_from_repo"\n'
>>> +        # We don't yet know what the server ip and port will be - they will be patched
>>> +        # in at the start of the on-image test
>>> +        features += 'PACKAGE_FEED_URIS = "http://bogus_ip:bogus_port"\n'
>>> +        features += 'EXTRA_IMAGE_FEATURES += "package-management"\n'
>>> +        features += 'PACKAGE_CLASSES = "package_deb"\n'
>>> +        # We need  gnupg on the target to install keys
>>> +        features += 'IMAGE_INSTALL:append:pn-core-image-full-cmdline = " gnupg"\n'
>>> +
>>> +        bitbake('gnupg-native -c addto_recipe_sysroot')
>>> +
>>> +        # Enable package feed signing
>>> +        self.gpg_home = tempfile.mkdtemp(prefix="oeqa-feed-sign-")
>>> +        self.track_for_cleanup(self.gpg_home)
>>> +        signing_key_dir = os.path.join(self.testlayer_path, 'files', 'signing')
>>> +        runCmd('gpgconf --list-dirs --homedir %s; gpg -v --batch --homedir %s --import %s' % (self.gpg_home, self.gpg_home, os.path.join(signing_key_dir, 'key.secret')), native_sysroot=get_bb_var("RECIPE_SYSROOT_NATIVE", "gnupg-native"), shell=True)
>>> +        features += 'INHERIT += "sign_package_feed"\n'
>>> +        features += 'PACKAGE_FEED_GPG_NAME = "testuser"\n'
>>> +        features += 'PACKAGE_FEED_GPG_PASSPHRASE_FILE = "%s"\n' % os.path.join(signing_key_dir, 'key.passphrase')
>>> +        features += 'GPG_PATH = "%s"\n' % self.gpg_home
>>> +        features += 'PSEUDO_IGNORE_PATHS .= ",%s"\n' % self.gpg_home
>>> +        self.write_config(features)
>>> +
>>> +        # Build core-image-sato and testimage
>>> +        bitbake('core-image-full-cmdline socat')
>>> +        bitbake('-c testimage core-image-full-cmdline')
>>> +
>>>       def test_testimage_virgl_gtk_sdl(self):
>>>           """
>>>           Summary: Check host-assisted accelerate OpenGL functionality in qemu with gtk and SDL frontends
>> Thanks for working on this!
>>
>> Looking at the patches I wondered if this would break testimage and
>> unfortunately it does:
>>
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/50/builds/5013/steps/12/logs/stdio
>> https://autobuilder.yoctoproject.org/typhoon/#/builders/76/builds/4975
>>
>> however hopefully these shouldn't be too hard to fix?
>>
>> The rest of the build is still running.
> I missed it at the time but I believe this is also the cause of:
>
> https://autobuilder.yoctoproject.org/typhoon/#/builders/80/builds/3352/steps/15/logs/stdio
>
> ERROR: package-index-1.0-r0 do_package_index: GPG exited with code 2: gpg: can't connect to the agent: IPC connect call failed
> gpg: skipped "testuser": No secret key
> gpg: signing failed: No secret key

This seems related but not exact the same.

It seems do_package_index wants to generate a signed deb repo but no key 
is provided. But IIUC you have PACKAGE_CLASSES = "package_rpm", so why 
is runtime_test.TestImage.test_testimage_apt run?

[-- Attachment #2: Type: text/html, Size: 8783 bytes --]

[PATCH 1/3] ethdev: support metadata as flow rule criteria

[Dekel Peled]

As described in [1], a new rte_flow item is added to support metadata
to use as flow rule match pattern.
The metadata is an opaque item, fully controlled by the application.

The use of metadata is relevant for egress rules only.
It can be set in the flow rule using the RTE_FLOW_ITEM_META.

In order to avoid change in mbuf API, exisitng field buf.hash.fdir.hi
is used to carry the metadata item. This field is used only in
ingress packets, so using it for egress metadata will not cause
conflicts.

Application should set the packet metadata in the mbuf dedicated field,
and set the PKT_TX_METADATA flag in the mbuf->ol_flags.
The NIC will use the packet metadata as match criteria for relevant
flow rules.

This patch introduces metadata item type for rte_flow RTE_FLOW_ITEM_META,
along with corresponding struct rte_flow_item_meta and ol_flag
PKT_TX_METADATA.

[1] "[RFC,v2] ethdev: support metadata as flow rule criteria"

Signeoff-by: Dekel Peled <dekelp@mellanox.com>
---
 doc/guides/prog_guide/rte_flow.rst | 21 +++++++++++++++++++++
 lib/librte_ethdev/rte_ethdev.c     |  1 +
 lib/librte_ethdev/rte_ethdev.h     |  5 +++++
 lib/librte_ethdev/rte_flow.c       |  1 +
 lib/librte_ethdev/rte_flow.h       | 25 +++++++++++++++++++++++++
 lib/librte_mbuf/rte_mbuf.c         |  2 ++
 lib/librte_mbuf/rte_mbuf.h         | 16 ++++++++++++++--
 7 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/doc/guides/prog_guide/rte_flow.rst b/doc/guides/prog_guide/rte_flow.rst
index b305a72..560e45a 100644
--- a/doc/guides/prog_guide/rte_flow.rst
+++ b/doc/guides/prog_guide/rte_flow.rst
@@ -1191,6 +1191,27 @@ Normally preceded by any of:
 - `Item: ICMP6_ND_NS`_
 - `Item: ICMP6_ND_OPT`_
 
+Item: ``META``
+^^^^^^^^^^^^^^
+
+Matches an application specific 32 bit metadata item.
+
+- Default ``mask`` matches any 32 bit value.
+
+.. _table_rte_flow_item_meta:
+
+.. table:: META
+
+   +----------+----------+---------------------------+
+   | Field    | Subfield | Value                     |
+   +==========+==========+===========================+
+   | ``spec`` | ``data`` | 32 bit metadata value     |
+   +----------+--------------------------------------+
+   | ``last`` | ``data`` | upper range value         |
+   +----------+----------+---------------------------+
+   | ``mask`` | ``data`` | zeroed to match any value |
+   +----------+----------+---------------------------+
+
 Actions
 ~~~~~~~
 
diff --git a/lib/librte_ethdev/rte_ethdev.c b/lib/librte_ethdev/rte_ethdev.c
index f790d42..1ae7694 100644
--- a/lib/librte_ethdev/rte_ethdev.c
+++ b/lib/librte_ethdev/rte_ethdev.c
@@ -158,6 +158,7 @@ struct rte_eth_xstats_name_off {
 	RTE_TX_OFFLOAD_BIT2STR(SECURITY),
 	RTE_TX_OFFLOAD_BIT2STR(UDP_TNL_TSO),
 	RTE_TX_OFFLOAD_BIT2STR(IP_TNL_TSO),
+	RTE_TX_OFFLOAD_BIT2STR(MATCH_METADATA),
 };
 
 #undef RTE_TX_OFFLOAD_BIT2STR
diff --git a/lib/librte_ethdev/rte_ethdev.h b/lib/librte_ethdev/rte_ethdev.h
index 7070e9a..a0da16c 100644
--- a/lib/librte_ethdev/rte_ethdev.h
+++ b/lib/librte_ethdev/rte_ethdev.h
@@ -953,6 +953,11 @@ struct rte_eth_conf {
  * for tunnel TSO.
  */
 #define DEV_TX_OFFLOAD_IP_TNL_TSO       0x00080000
+/**
+ * Device supports match on metadata Tx offload..
+ * Application must set PKT_TX_METADATA and mbuf metadata field.
+ */
+#define DEV_TX_OFFLOAD_MATCH_METADATA   0x00100000
 
 #define RTE_ETH_DEV_CAPA_RUNTIME_RX_QUEUE_SETUP 0x00000001
 /**< Device supports Rx queue setup after device started*/
diff --git a/lib/librte_ethdev/rte_flow.c b/lib/librte_ethdev/rte_flow.c
index cff4b52..54e5ef8 100644
--- a/lib/librte_ethdev/rte_flow.c
+++ b/lib/librte_ethdev/rte_flow.c
@@ -66,6 +66,7 @@ struct rte_flow_desc_data {
 		     sizeof(struct rte_flow_item_icmp6_nd_opt_sla_eth)),
 	MK_FLOW_ITEM(ICMP6_ND_OPT_TLA_ETH,
 		     sizeof(struct rte_flow_item_icmp6_nd_opt_tla_eth)),
+	MK_FLOW_ITEM(META, sizeof(struct rte_flow_item_meta)),
 };
 
 /** Generate flow_action[] entry. */
diff --git a/lib/librte_ethdev/rte_flow.h b/lib/librte_ethdev/rte_flow.h
index f8ba71c..d3264be 100644
--- a/lib/librte_ethdev/rte_flow.h
+++ b/lib/librte_ethdev/rte_flow.h
@@ -413,6 +413,15 @@ enum rte_flow_item_type {
 	 * See struct rte_flow_item_mark.
 	 */
 	RTE_FLOW_ITEM_TYPE_MARK,
+
+	/**
+	* [META]
+	*
+	* Matches a metadata value specified in mbuf metadata field.
+	*
+	* See struct rte_flow_item_meta.
+	*/
+	RTE_FLOW_ITEM_TYPE_META,
 };
 
 /**
@@ -1156,6 +1165,22 @@ struct rte_flow_item_icmp6_nd_opt_tla_eth {
 #endif
 
 /**
+ * RTE_FLOW_ITEM_TYPE_META.
+ *
+ * Matches a specified metadata value.
+ */
+struct rte_flow_item_meta {
+	uint32_t data;
+};
+
+/** Default mask for RTE_FLOW_ITEM_TYPE_META. */
+#ifndef __cplusplus
+static const struct rte_flow_item_meta rte_flow_item_meta_mask = {
+	.data = RTE_BE32(UINT32_MAX),
+};
+#endif
+
+/**
  * @warning
  * @b EXPERIMENTAL: this structure may change without prior notice
  *
diff --git a/lib/librte_mbuf/rte_mbuf.c b/lib/librte_mbuf/rte_mbuf.c
index e714c5a..4b25ae8 100644
--- a/lib/librte_mbuf/rte_mbuf.c
+++ b/lib/librte_mbuf/rte_mbuf.c
@@ -395,6 +395,7 @@ const char *rte_get_tx_ol_flag_name(uint64_t mask)
 	case PKT_TX_TUNNEL_UDP: return "PKT_TX_TUNNEL_UDP";
 	case PKT_TX_MACSEC: return "PKT_TX_MACSEC";
 	case PKT_TX_SEC_OFFLOAD: return "PKT_TX_SEC_OFFLOAD";
+	case PKT_TX_METADATA: return "PKT_TX_METADATA";
 	default: return NULL;
 	}
 }
@@ -435,6 +436,7 @@ const char *rte_get_tx_ol_flag_name(uint64_t mask)
 		  "PKT_TX_TUNNEL_NONE" },
 		{ PKT_TX_MACSEC, PKT_TX_MACSEC, NULL },
 		{ PKT_TX_SEC_OFFLOAD, PKT_TX_SEC_OFFLOAD, NULL },
+		{ PKT_TX_METADATA, PKT_TX_METADATA, NULL },
 	};
 	const char *name;
 	unsigned int i;
diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
index 9ce5d76..ea75ad0 100644
--- a/lib/librte_mbuf/rte_mbuf.h
+++ b/lib/librte_mbuf/rte_mbuf.h
@@ -182,6 +182,11 @@
 /* add new TX flags here */
 
 /**
+ * Indicate that the metadata field in the mbuf is in use.
+ */
+#define PKT_TX_METADATA	(1ULL << 41)
+
+/**
  * UDP Fragmentation Offload flag. This flag is used for enabling UDP
  * fragmentation in SW or in HW. When use UFO, mbuf->tso_segsz is used
  * to store the MSS of UDP fragments.
@@ -342,8 +347,9 @@
 		PKT_TX_QINQ_PKT |        \
 		PKT_TX_VLAN_PKT |        \
 		PKT_TX_TUNNEL_MASK |	 \
-		PKT_TX_MACSEC |		 \
-		PKT_TX_SEC_OFFLOAD)
+		PKT_TX_MACSEC |          \
+		PKT_TX_SEC_OFFLOAD |	 \
+		PKT_TX_METADATA)
 
 /**
  * Mbuf having an external buffer attached. shinfo in mbuf must be filled.
@@ -526,6 +532,12 @@ struct rte_mbuf {
 			uint32_t hi;
 			/**< First 4 flexible bytes or FD ID, dependent on
 			     PKT_RX_FDIR_* flag in ol_flags. */
+			/**
+			 * Above member has optional use on egress:
+			 * Application specific metadata value
+			 * for flow rule match.
+			 * Valid if PKT_TX_METADATA is set.
+			 */
 		} fdir;           /**< Filter identifier if FDIR enabled */
 		struct {
 			uint32_t lo;
-- 
1.8.3.1

[PATCH v2 0/3] *** SUBJECT HERE ***

[Dekel Peled]

This series implements the match-metadata feature described in [1].

[1] "[RFC,v2] ethdev: support metadata as flow rule criteria"

V2:
* Fix some checkpatch coding style issues (wrongly sent).

Dekel Peled (3):
  ethdev: support metadata as flow rule criteria
  app/testpmd: support metadata as flow rule criteria
  app/testpmd: add debug command Tx metadata set

 app/test-pmd/cmdline.c                      | 60 ++++++++++++++++++++++++++---
 app/test-pmd/cmdline_flow.c                 | 25 ++++++++++++
 app/test-pmd/config.c                       |  7 ++++
 app/test-pmd/testpmd.c                      |  5 +++
 app/test-pmd/testpmd.h                      |  4 ++
 app/test-pmd/txonly.c                       |  9 +++++
 doc/guides/prog_guide/rte_flow.rst          | 21 ++++++++++
 doc/guides/testpmd_app_ug/testpmd_funcs.rst | 12 ++++--
 lib/librte_ethdev/rte_ethdev.c              |  1 +
 lib/librte_ethdev/rte_ethdev.h              |  5 +++
 lib/librte_ethdev/rte_flow.c                |  1 +
 lib/librte_ethdev/rte_flow.h                | 24 ++++++++++++
 lib/librte_mbuf/rte_mbuf.c                  |  2 +
 lib/librte_mbuf/rte_mbuf.h                  | 16 +++++++-
 14 files changed, 181 insertions(+), 11 deletions(-)

-- 
1.8.3.1

Re: [PATCH v2 0/3] *** SUBJECT HERE ***

[David Cohen]

On Tue, Mar 8, 2011 at 10:04 PM, David Cohen <dacohen@gmail.com> wrote:
> *** BLURB HERE ***

Sorry for this garbage :/

Br,

David

>
> David Cohen (2):
>  omap3: change ISP's IOMMU da_start address
>  omap: iovmm: don't check 'da' to set IOVMF_DA_FIXED flag
>
> Michael Jones (1):
>  omap: iovmm: disallow mapping NULL address
>
>  arch/arm/mach-omap2/omap-iommu.c        |    2 +-
>  arch/arm/plat-omap/include/plat/iovmm.h |    2 --
>  arch/arm/plat-omap/iovmm.c              |   30 +++++++++++++++---------------
>  3 files changed, 16 insertions(+), 18 deletions(-)
>
>

Re: [PATCH v2 0/3] *** SUBJECT HERE ***

[David Cohen]

On Tue, Mar 8, 2011 at 10:04 PM, David Cohen <dacohen@gmail.com> wrote:
> *** BLURB HERE ***

Sorry for this garbage :/

Br,

David

>
> David Cohen (2):
>  omap3: change ISP's IOMMU da_start address
>  omap: iovmm: don't check 'da' to set IOVMF_DA_FIXED flag
>
> Michael Jones (1):
>  omap: iovmm: disallow mapping NULL address
>
>  arch/arm/mach-omap2/omap-iommu.c        |    2 +-
>  arch/arm/plat-omap/include/plat/iovmm.h |    2 --
>  arch/arm/plat-omap/iovmm.c              |   30 +++++++++++++++---------------
>  3 files changed, 16 insertions(+), 18 deletions(-)
>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-omap" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH v2 0/3] *** SUBJECT HERE ***

[Mike Rapoport]

These patches enable PCI Express support on Tegra2.
The implementation is based on original NVidia code from (1), but it
is heavily reworked to avoid custom PCI enumeration and make the code
more Linux friendly.

This implementation assumes that the PCIe subsystem is fully powered
and ungated by the bootloader.

[1] git://nv-tegra.nvidia.com/linux-2.6.git

v2 changes:
   * Update PCIe clocks implementation as per Colin and Gary suggestions
   * Update I/O space access as suggested by Arnd and Russell.
   * Remove debug leftovers and unify error reporting

The following changes since commit b30a3f6257ed2105259b404d419b4964e363928c:
  Linus Torvalds (1):
        Linux 2.6.36-rc5

Mike Rapoport (3):
  [ARM] tegra: add PCI Express clocks
  [ARM] tegra: add PCI Express support
  [ARM] tegra: harmony: enable PCI Express

 arch/arm/mach-tegra/Kconfig                 |    4 +
 arch/arm/mach-tegra/Makefile                |    2 +
 arch/arm/mach-tegra/board-harmony-pcie.c    |   52 ++
 arch/arm/mach-tegra/board.h                 |    1 +
 arch/arm/mach-tegra/include/mach/hardware.h |    4 +
 arch/arm/mach-tegra/include/mach/io.h       |   12 +-
 arch/arm/mach-tegra/pcie.c                  |  915 +++++++++++++++++++++++++++
 arch/arm/mach-tegra/tegra2_clocks.c         |   46 ++
 8 files changed, 1035 insertions(+), 1 deletions(-)
 create mode 100644 arch/arm/mach-tegra/board-harmony-pcie.c
 create mode 100644 arch/arm/mach-tegra/pcie.c

[PATCH v2 0/3] *** SUBJECT HERE ***

[Jon Seymour]

This series fixes git stash branch so that it is more tolerant of
stash-like commits created with git stash create.

It particular, it doesn't require there to be a stash stack if a
stash-like argument is specified and it doesn't attempt to drop
non-stash references after applying the stash.

This series replaces my previous patch that just included a test 
that demonstrated the existance of the issue.

  stash: It looks like a stash, but doesn't quack like a stash...
  stash: Allow git stash branch to process commits that look like
    stashes but are not stash references.
  stash: modify tests to reflect stash branch fixes.

 git-stash.sh     |   10 ++++++++--
 t/t3903-stash.sh |   28 ++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 2 deletions(-)

-- 
1.7.2.1.111.g8fc90

[PATCH v2 0/3] *** SUBJECT HERE ***

[Brian Gernhardt]

Changes from v1:
  - Moves valid FQDN conditions from line-ending conditions to a new
    function
  - Adds sendemail.smtpdomain to the list in config.txt

Patch 2/3 is unchanged.

Brian Gernhardt (3):
  send-email: Don't use FQDNs without a '.'
  Document send-email --smtp-domain
  send-email: Add sendemail.smtpdomain

 Documentation/config.txt         |    1 +
 Documentation/git-send-email.txt |    7 +++++++
 git-send-email.perl              |   32 ++++++++++++++++++--------------
 3 files changed, 26 insertions(+), 14 deletions(-)