* [PATCH RESEND 0/3] openssh: Package server configuration
@ 2017-06-09 7:04 David Vincent
2017-06-09 7:04 ` [PATCH RESEND 1/3] " David Vincent
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: David Vincent @ 2017-06-09 7:04 UTC (permalink / raw)
To: openembedded-core
This series of patches provides a way to package the OpenSSH sshd configuration. This
way, it should be easier to change the configuration in distro and/or BSP
layers.
It also simplifies management for R/O rootfs.
David Vincent (3):
openssh: Package server configuration
core-image: Set default sshd configuration
rootfs-postcommands: Modify ssh-related commands
meta/classes/core-image.bbclass | 3 +-
meta/classes/rootfs-postcommands.bbclass | 17 +++-----
meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51 ++++++++++++++++++----
3 files changed, 50 insertions(+), 21 deletions(-)
--
2.13.0
* [PATCH RESEND 1/3] openssh: Package server configuration
2017-06-09 7:04 [PATCH RESEND 0/3] openssh: Package server configuration David Vincent
@ 2017-06-09 7:04 ` David Vincent
2017-06-09 9:41 ` Peter Kjellerstedt
2017-06-09 7:04 ` [PATCH RESEND 2/3] core-image: Set default sshd configuration David Vincent
` (2 subsequent siblings)
3 siblings, 1 reply; 8+ messages in thread
From: David Vincent @ 2017-06-09 7:04 UTC (permalink / raw)
To: openembedded-core
Split sshd configuration for read-write/read-only rootfs in two distinct
packages. Also, add a package dependency between openssh-sshd package
and a provider of sshd-config.
Signed-off-by: David Vincent <freesilicon@gmail.com>
---
meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51 ++++++++++++++++++----
1 file changed, 42 insertions(+), 9 deletions(-)
diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
index 5b96745aae..e22e6c672d 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
@@ -91,13 +91,17 @@ do_compile_ptest() {
}
do_install_append () {
- if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
+ # Create default config files
+ install -m 0644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_default
+ rm -f ${D}${sysconfdir}/ssh/sshd_config
+
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
- sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
+ sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config_default
fi
- if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
- sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
+ sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config_default
fi
install -d ${D}${sysconfdir}/init.d
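Review bot: The `pam` and `x11` conditions swap `bb.utils.filter(...)` for `bb.utils.contains(...)` compared against a literal, which is unrelated to the configuration split and not mentioned in the commit message; it looks like a rebase leftover. I would keep the existing form, `if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then`, so the hunk only retargets the `sed` calls at `sshd_config_default`. Both `sed` substitutions also succeed silently when the commented default line is missing, so a comment such as `# no-op if upstream drops the '#UsePAM no' line, while pam.d/sshd is still installed` would help the next reader. do_install_append continues outside the hunk.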
@@ -110,7 +114,7 @@ do_install_append () {
# Create config files for read-only rootfs
install -d ${D}${sysconfdir}/ssh
- install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
+ install -m 644 ${D}${sysconfdir}/ssh/sshd_config_default ${D}${sysconfdir}/ssh/sshd_config_readonly
sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
@@ -134,30 +138,59 @@ do_install_ptest () {
ALLOW_EMPTY_${PN} = "1"
-PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
+PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd-config ${PN}-sshd-config-readonly ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
FILES_${PN}-scp = "${bindir}/scp.${BPN}"
FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
+FILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
+FILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
-FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
+FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
FILES_${PN}-sftp = "${bindir}/sftp"
FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
FILES_${PN}-keygen = "${bindir}/ssh-keygen"
RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
-RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
+RDEPENDS_${PN}-sshd += "${PN}-keygen sshd-config ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make"
RPROVIDES_${PN}-ssh = "ssh"
+RPROVIDES_${PN}-sshd-config = "sshd-config"
+RPROVIDES_${PN}-sshd-config-readonly = "sshd-config"
RPROVIDES_${PN}-sshd = "sshd"
RCONFLICTS_${PN} = "dropbear"
+RCONFLICTS_${PN}-sshd-config = "${PN}-sshd-config-readonly"
+RCONFLICTS_${PN}-sshd-config-readonly = "${PN}-sshd-config"
RCONFLICTS_${PN}-sshd = "dropbear"
RCONFLICTS_${PN}-keygen = "ssh-keygen"
-CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
+CONFFILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
+CONFFILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
+pkg_postinst_${PN}-sshd-config () {
+#!/bin/sh
+if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
+ rm $D${sysconfdir}/ssh/sshd_config
+fi
+
+# Make sure destination directory exists, before creating the symlink
+mkdir -p $D${sysconfdir}/ssh
+ln -s sshd_config_default $D${sysconfdir}/ssh/sshd_config
+}
+
+pkg_postinst_${PN}-sshd-config-readonly () {
+#!/bin/sh
+if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
+ rm $D${sysconfdir}/ssh/sshd_config
+fi
+
+# Make sure destination directory exists, before creating the symlink
+mkdir -p $D${sysconfdir}/ssh
+ln -s sshd_config_readonly $D${sysconfdir}/ssh/sshd_config
+}
+
ALTERNATIVE_PRIORITY = "90"
ALTERNATIVE_${PN}-scp = "scp"
ALTERNATIVE_${PN}-ssh = "ssh"
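Review bot: Both postinst scriptlets delete whatever is at `$D${sysconfdir}/ssh/sshd_config` before linking, and the hunk also drops `CONFFILES_${PN}-sshd`, so on an on-target upgrade from the old packaging a locally edited (for example hardened) sshd_config would presumably be replaced by the packaged defaults without notice. The `[ -e ... ]` guard follows links, so a dangling `sshd_config` link left after swapping between the two config packages is not removed and `ln -s` then fails because the name already exists. As far as this hunk shows, neither package removes the link on uninstall. A sketch for the first scriptlet is below; the `-readonly` one would differ only in the link target. Whether a pre-existing regular file is kept or replaced is a policy decision the commit message should state.

```bitbake
pkg_postinst_${PN}-sshd-config () {
#!/bin/sh
cfg="$D${sysconfdir}/ssh/sshd_config"
# A regular file here comes from the old packaging and may carry local edits: keep it.
if [ -f "$cfg" ] && [ ! -L "$cfg" ]; then
    exit 0
fi
mkdir -p "$D${sysconfdir}/ssh"
# rm -f also clears a dangling link, which [ -e ] does not see.
rm -f "$cfg"
ln -s sshd_config_default "$cfg"
}
```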
--
2.13.0
* [PATCH RESEND 2/3] core-image: Set default sshd configuration
2017-06-09 7:04 [PATCH RESEND 0/3] openssh: Package server configuration David Vincent
2017-06-09 7:04 ` [PATCH RESEND 1/3] " David Vincent
@ 2017-06-09 7:04 ` David Vincent
2017-06-09 7:04 ` [PATCH RESEND 3/3] rootfs-postcommands: Modify ssh-related commands David Vincent
2017-06-09 13:53 ` [PATCH RESEND 0/3] openssh: Package server configuration André Draszik
3 siblings, 0 replies; 8+ messages in thread
From: David Vincent @ 2017-06-09 7:04 UTC (permalink / raw)
To: openembedded-core
When selecting OpenSSH as ssh server provider instead of dropbear, also
install the correct configuration depending on whether the final rootfs
is read-only or not.
Signed-off-by: David Vincent <freesilicon@gmail.com>
---
meta/classes/core-image.bbclass | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/classes/core-image.bbclass b/meta/classes/core-image.bbclass
index a9a2cec68f..77f3c19494 100644
--- a/meta/classes/core-image.bbclass
+++ b/meta/classes/core-image.bbclass
@@ -45,7 +45,7 @@ FEATURE_PACKAGES_tools-sdk = "packagegroup-core-sdk packagegroup-core-standalone
FEATURE_PACKAGES_nfs-server = "packagegroup-core-nfs-server"
FEATURE_PACKAGES_nfs-client = "packagegroup-core-nfs-client"
FEATURE_PACKAGES_ssh-server-dropbear = "packagegroup-core-ssh-dropbear"
-FEATURE_PACKAGES_ssh-server-openssh = "packagegroup-core-ssh-openssh"
+FEATURE_PACKAGES_ssh-server-openssh = "packagegroup-core-ssh-openssh ${SSHD_CONFIG}"
FEATURE_PACKAGES_hwcodecs = "${MACHINE_HWCODECS}"
@@ -56,6 +56,7 @@ IMAGE_FEATURES_REPLACES_ssh-server-openssh = "ssh-server-dropbear"
# IMAGE_FEATURES_CONFLICTS_foo = 'bar1 bar2'
# An error exception would be raised if both image features foo and bar1(or bar2) are included
+SSHD_CONFIG ??= "${@bb.utils.contains('IMAGE_FEATURES','read-only-rootfs','openssh-sshd-config-readonly','openssh-sshd-config',d)}"
MACHINE_HWCODECS ??= ""
CORE_IMAGE_BASE_INSTALL = '\
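Review bot: `SSHD_CONFIG` is introduced without a comment, and its default hard-codes the names `openssh-sshd-config` and `openssh-sshd-config-readonly`, so this class silently depends on the package names chosen in the openssh recipe. A comment above the assignment would document the contract, e.g. `# Package providing "sshd-config" for ssh-server-openssh; override in a distro/BSP layer to ship a custom sshd_config`. It is worth adding there that an override used with `read-only-rootfs` has to keep its HostKey paths on a writable location, because this default is the only thing that selects the read-only variant. The variable is consumed in the first hunk of this file, in `FEATURE_PACKAGES_ssh-server-openssh`.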
--
2.13.0
* [PATCH RESEND 3/3] rootfs-postcommands: Modify ssh-related commands
2017-06-09 7:04 [PATCH RESEND 0/3] openssh: Package server configuration David Vincent
2017-06-09 7:04 ` [PATCH RESEND 1/3] " David Vincent
2017-06-09 7:04 ` [PATCH RESEND 2/3] core-image: Set default sshd configuration David Vincent
@ 2017-06-09 7:04 ` David Vincent
2017-06-09 13:53 ` [PATCH RESEND 0/3] openssh: Package server configuration André Draszik
3 siblings, 0 replies; 8+ messages in thread
From: David Vincent @ 2017-06-09 7:04 UTC (permalink / raw)
To: openembedded-core
OpenSSH configuration is now a symlink which points to the desired
configuration, so the functions that modified it must be updated to
modify the target and not override it.
Signed-off-by: David Vincent <freesilicon@gmail.com>
---
meta/classes/rootfs-postcommands.bbclass | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
diff --git a/meta/classes/rootfs-postcommands.bbclass b/meta/classes/rootfs-postcommands.bbclass
index 1d66a42953..1c0af87c9f 100644
--- a/meta/classes/rootfs-postcommands.bbclass
+++ b/meta/classes/rootfs-postcommands.bbclass
@@ -89,15 +89,12 @@ read_only_rootfs_hook () {
fi
# If we're using openssh and the /etc/ssh directory has no pre-generated keys,
- # we should configure openssh to use the configuration file /etc/ssh/sshd_config_readonly
- # and the keys under /var/run/ssh.
+ # we should configure openssh to use the keys under /var/run/ssh.
if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
if [ -e ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key ]; then
echo "SYSCONFDIR=/etc/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS=" >> ${IMAGE_ROOTFS}/etc/default/ssh
else
echo "SYSCONFDIR=/var/run/ssh" >> ${IMAGE_ROOTFS}/etc/default/ssh
- echo "SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'" >> ${IMAGE_ROOTFS}/etc/default/ssh
fi
fi
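Review bot: With the `SSHD_OPTS='-f /etc/ssh/sshd_config_readonly'` line removed, the `else` branch only writes `SYSCONFDIR=/var/run/ssh`, and whether sshd reads its host keys from there now depends on `/etc/ssh/sshd_config` linking to `sshd_config_readonly`, which this hook does not check. If `SSHD_CONFIG` is overridden, or the read-write config package ends up in a read-only image, the key directory and the HostKey paths would presumably disagree. I would add a check in that branch, for example `[ "$(readlink ${IMAGE_ROOTFS}/etc/ssh/sshd_config)" = "sshd_config_readonly" ] || bbwarn "sshd_config does not point at the read-only variant"`. read_only_rootfs_hook starts and ends outside the hunk.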
@@ -140,12 +137,10 @@ zap_empty_root_password () {
# allow dropbear/openssh to accept root logins and logins from accounts with an empty password string
#
ssh_allow_empty_password () {
- for config in sshd_config sshd_config_readonly; do
- if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config ]; then
- sed -i 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
- sed -i 's/^[#[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/$config
- fi
- done
+ if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
+ sed -i --follow-symlinks 's/^[#[:space:]]*PermitRootLogin.*/PermitRootLogin yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
+ sed -i --follow-symlinks 's/^[#[:space:]]*PermitEmptyPasswords.*/PermitEmptyPasswords yes/' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
+ fi
if [ -e ${IMAGE_ROOTFS}${sbindir}/dropbear ] ; then
if grep -q DROPBEAR_EXTRA_ARGS ${IMAGE_ROOTFS}${sysconfdir}/default/dropbear 2>/dev/null ; then
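Review bot: `sed -i --follow-symlinks` resolves the link on the build host, so an absolute `sshd_config` link in the image would send the edit to a path outside `${IMAGE_ROOTFS}` instead of the image's own file. The postinst in patch 1/3 creates a relative link, so this works for the two packages in the series, but the series explicitly allows other `sshd-config` providers. I would reject that case before editing, e.g. `case "$(readlink ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config)" in /*) bbfatal "sshd_config: absolute symlink target" ;; esac`. The same applies to the `sed` call in ssh_disable_dns_lookup in the next hunk. ssh_allow_empty_password continues outside this hunk.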
@@ -164,7 +159,7 @@ ssh_allow_empty_password () {
ssh_disable_dns_lookup () {
if [ -e ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config ]; then
- sed -i -e 's:#UseDNS yes:UseDNS no:' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
+ sed -i --follow-symlinks -e 's:#UseDNS yes:UseDNS no:' ${IMAGE_ROOTFS}${sysconfdir}/ssh/sshd_config
fi
}
--
2.13.0
* Re: [PATCH RESEND 1/3] openssh: Package server configuration
2017-06-09 7:04 ` [PATCH RESEND 1/3] " David Vincent
@ 2017-06-09 9:41 ` Peter Kjellerstedt
2017-06-13 7:33 ` David Vincent
0 siblings, 1 reply; 8+ messages in thread
From: Peter Kjellerstedt @ 2017-06-09 9:41 UTC (permalink / raw)
To: David Vincent; +Cc: openembedded-core
> -----Original Message-----
> From: openembedded-core-bounces@lists.openembedded.org
> [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> David Vincent
> Sent: den 9 juni 2017 09:04
> To: openembedded-core@lists.openembedded.org
> Subject: [OE-core] [PATCH RESEND 1/3] openssh: Package server
> configuration
>
> Split sshd configuration for read-write/read-only rootfs in two
> distinct
> packages. Also, add a package dependency between openssh-sshd package
> and a provider of sshd-config.
>
> Signed-off-by: David Vincent <freesilicon@gmail.com>
> ---
> meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51
> ++++++++++++++++++----
> 1 file changed, 42 insertions(+), 9 deletions(-)
>
> diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> index 5b96745aae..e22e6c672d 100644
> --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> @@ -91,13 +91,17 @@ do_compile_ptest() {
> }
>
> do_install_append () {
> - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
> + # Create default config files
> + install -m 0644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_default
> + rm -f ${D}${sysconfdir}/ssh/sshd_config
> +
> + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
> install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
> - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config
> + sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/sshd_config_default
> fi
>
> - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
> - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config
> + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11" ]; then
> + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:' ${D}${sysconfdir}/ssh/sshd_config_default
> fi
Instead of all the changes above you could just do this here instead:
mv ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_default
> install -d ${D}${sysconfdir}/init.d
> @@ -110,7 +114,7 @@ do_install_append () {
>
> # Create config files for read-only rootfs
> install -d ${D}${sysconfdir}/ssh
Creating the directory here again is unnecessary.
> - install -m 644 ${D}${sysconfdir}/ssh/sshd_config ${D}${sysconfdir}/ssh/sshd_config_readonly
> + install -m 644 ${D}${sysconfdir}/ssh/sshd_config_default ${D}${sysconfdir}/ssh/sshd_config_readonly
> sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
> echo "HostKey /var/run/ssh/ssh_host_rsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> echo "HostKey /var/run/ssh/ssh_host_dsa_key" >> ${D}${sysconfdir}/ssh/sshd_config_readonly
> @@ -134,30 +138,59 @@ do_install_ptest () {
>
> ALLOW_EMPTY_${PN} = "1"
>
> -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> +PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd-config ${PN}-sshd-config-readonly ${PN}-sshd ${PN}-sftp ${PN}-misc ${PN}-sftp-server"
> FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> +FILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> +FILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
> FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd ${systemd_unitdir}/system"
> -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
> +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
> FILES_${PN}-sftp = "${bindir}/sftp"
> FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>
> RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> -RDEPENDS_${PN}-sshd += "${PN}-keygen ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
> +RDEPENDS_${PN}-sshd += "${PN}-keygen sshd-config ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}"
> RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make"
>
> RPROVIDES_${PN}-ssh = "ssh"
> +RPROVIDES_${PN}-sshd-config = "sshd-config"
> +RPROVIDES_${PN}-sshd-config-readonly = "sshd-config"
> RPROVIDES_${PN}-sshd = "sshd"
>
> RCONFLICTS_${PN} = "dropbear"
> +RCONFLICTS_${PN}-sshd-config = "${PN}-sshd-config-readonly"
> +RCONFLICTS_${PN}-sshd-config-readonly = "${PN}-sshd-config"
> RCONFLICTS_${PN}-sshd = "dropbear"
> RCONFLICTS_${PN}-keygen = "ssh-keygen"
>
> -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> +CONFFILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> +CONFFILES_${PN}-sshd-config-readonly = "${sysconfdir}/ssh/sshd_config_readonly"
> CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
>
> +pkg_postinst_${PN}-sshd-config () {
> +#!/bin/sh
> +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> + rm $D${sysconfdir}/ssh/sshd_config
> +fi
> +
> +# Make sure destination directory exists, before creating the symlink
> +mkdir -p $D${sysconfdir}/ssh
> +ln -s sshd_config_default $D${sysconfdir}/ssh/sshd_config
> +}
> +
> +pkg_postinst_${PN}-sshd-config-readonly () {
> +#!/bin/sh
> +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> + rm $D${sysconfdir}/ssh/sshd_config
> +fi
> +
> +# Make sure destination directory exists, before creating the symlink
> +mkdir -p $D${sysconfdir}/ssh
> +ln -s sshd_config_readonly $D${sysconfdir}/ssh/sshd_config
> +}
> +
I do not like changing /etc/ssh/sshd_config to be a link. I know at least
we have our own rootfs-postcommands that will be affected by such a change.
How about you use a PACKAGESPLITFUNCS function instead and move the files
back into place before they are packaged, so that both configuration
packages contain the /etc/ssh/sshd_config file.
Something like this should work (totally untested):
PACKAGESPLITFUNCS += "restore_sshd_config"
restore_sshd_config() {
for file in ${PKGDEST}/*${sysconfdir}/sshd/sshd_config_*; do
mv $file ${file%_*}
done
}
> ALTERNATIVE_PRIORITY = "90"
> ALTERNATIVE_${PN}-scp = "scp"
> ALTERNATIVE_${PN}-ssh = "ssh"
> --
> 2.13.0
//Peter
* Re: [PATCH RESEND 0/3] openssh: Package server configuration
2017-06-09 7:04 [PATCH RESEND 0/3] openssh: Package server configuration David Vincent
` (2 preceding siblings ...)
2017-06-09 7:04 ` [PATCH RESEND 3/3] rootfs-postcommands: Modify ssh-related commands David Vincent
@ 2017-06-09 13:53 ` André Draszik
2017-06-13 7:42 ` David Vincent
3 siblings, 1 reply; 8+ messages in thread
From: André Draszik @ 2017-06-09 13:53 UTC (permalink / raw)
To: openembedded-core
Hi.
On Fri, 2017-06-09 at 09:04 +0200, David Vincent wrote:
> This serie of patches provides a way to package OpenSSH sshd
> configuration. This
> way, it should be easier to change the configuration either in distro
> and/or BSP
> layers.
> It also simplifies management for R/O rootfs
Looking at some previous patches and comments, this split seems to have been
done with the intention to better support R/O rootfs.
I have sent a patch that addresses the R/O rootfs issue in a different
way, which I believe to be a simpler and less intrusive approach. We've been
using this for a while.
http://lists.openembedded.org/pipermail/openembedded-core/2017-June/137848.html
Let me know what you think.
Cheers,
Andre'
> David Vincent (3):
> openssh: Package server configuration
> core-image: Set default sshd configuration
> rootfs-postcommands: Modify ssh-related commands
>
> meta/classes/core-image.bbclass | 3 +-
> meta/classes/rootfs-postcommands.bbclass | 17 +++-----
> meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51
> ++++++++++++++++++----
> 3 files changed, 50 insertions(+), 21 deletions(-)
>
> --
> 2.13.0
>
* Re: [PATCH RESEND 1/3] openssh: Package server configuration
2017-06-09 9:41 ` Peter Kjellerstedt
@ 2017-06-13 7:33 ` David Vincent
0 siblings, 0 replies; 8+ messages in thread
From: David Vincent @ 2017-06-13 7:33 UTC (permalink / raw)
To: Peter Kjellerstedt; +Cc: openembedded-core
On vendredi 9 juin 2017 11:41:25 CEST Peter Kjellerstedt wrote:
> > -----Original Message-----
> > From: openembedded-core-bounces@lists.openembedded.org
> > [mailto:openembedded-core-bounces@lists.openembedded.org] On Behalf Of
> > David Vincent
> > Sent: den 9 juni 2017 09:04
> > To: openembedded-core@lists.openembedded.org
> > Subject: [OE-core] [PATCH RESEND 1/3] openssh: Package server
> > configuration
> >
> > Split sshd configuration for read-write/read-only rootfs in two
> > distinct
> > packages. Also, add a package dependency between openssh-sshd package
> > and a provider of sshd-config.
> >
> > Signed-off-by: David Vincent <freesilicon@gmail.com>
> > ---
> >
> > meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51
> >
> > ++++++++++++++++++----
> >
> > 1 file changed, 42 insertions(+), 9 deletions(-)
> >
> > diff --git a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > index 5b96745aae..e22e6c672d 100644
> > --- a/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > +++ b/meta/recipes-connectivity/openssh/openssh_7.5p1.bb
> > @@ -91,13 +91,17 @@ do_compile_ptest() {
> >
> > }
> >
> > do_install_append () {
> >
> > - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" ]; then
> > + # Create default config files
> > + install -m 0644 ${D}${sysconfdir}/ssh/sshd_config
> > ${D}${sysconfdir}/ssh/sshd_config_default + rm -f
> > ${D}${sysconfdir}/ssh/sshd_config
> > +
> > + if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" =
> > "pam" ]; then>
> > install -D -m 0644 ${WORKDIR}/sshd ${D}${sysconfdir}/pam.d/sshd
> >
> > - sed -i -e 's:#UsePAM no:UsePAM yes:' ${D}${sysconfdir}/ssh/
sshd_config
> > + sed -i -e 's:#UsePAM no:UsePAM yes:'
> > ${D}${sysconfdir}/ssh/sshd_config_default>
> > fi
> >
> > - if [ "${@bb.utils.filter('DISTRO_FEATURES', 'x11', d)}" ]; then
> > - sed -i -e 's:#X11Forwarding no:X11Forwarding yes:'
> > ${D}${sysconfdir}/ssh/sshd_config + if [
> > "${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11', '', d)}" = "x11"
> > ]; then + sed -i -e 's:#X11Forwarding no:X11Forwarding yes:'
> > ${D}${sysconfdir}/ssh/sshd_config_default>
> > fi
>
> Instead of all the changes above you could just do this here instead:
Yes, it is simpler that way. If a v2 is to be sent, I will do that change.
>
> mv ${D}${sysconfdir}/ssh/sshd_config
> ${D}${sysconfdir}/ssh/sshd_config_default
> > install -d ${D}${sysconfdir}/init.d
> >
> > @@ -110,7 +114,7 @@ do_install_append () {
> >
> > # Create config files for read-only rootfs
> > install -d ${D}${sysconfdir}/ssh
>
> Creating the directory here again is unnecessary.
That's the old code, maybe it should be dropped.
>
> > - install -m 644 ${D}${sysconfdir}/ssh/sshd_config
> > ${D}${sysconfdir}/ssh/sshd_config_readonly + install -m 644
> > ${D}${sysconfdir}/ssh/sshd_config_default
> > ${D}${sysconfdir}/ssh/sshd_config_readonly>
> > sed -i '/HostKey/d' ${D}${sysconfdir}/ssh/sshd_config_readonly
> > echo "HostKey /var/run/ssh/ssh_host_rsa_key" >>
> > ${D}${sysconfdir}/ssh/sshd_config_readonly echo "HostKey
> > /var/run/ssh/ssh_host_dsa_key" >>
> > ${D}${sysconfdir}/ssh/sshd_config_readonly>
> > @@ -134,30 +138,59 @@ do_install_ptest () {
> >
> > ALLOW_EMPTY_${PN} = "1"
> >
> > -PACKAGES =+ "${PN}-keygen ${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-sftp
> > ${PN}-misc ${PN}-sftp-server" +PACKAGES =+ "${PN}-keygen ${PN}-scp
> > ${PN}-ssh ${PN}-sshd-config ${PN}-sshd-config-readonly ${PN}-sshd
> > ${PN}-sftp ${PN}-misc ${PN}-sftp-server">
> > FILES_${PN}-scp = "${bindir}/scp.${BPN}"
> > FILES_${PN}-ssh = "${bindir}/ssh.${BPN} ${sysconfdir}/ssh/ssh_config"
> >
> > +FILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> > +FILES_${PN}-sshd-config-readonly =
> > "${sysconfdir}/ssh/sshd_config_readonly">
> > FILES_${PN}-sshd = "${sbindir}/sshd ${sysconfdir}/init.d/sshd
> > ${systemd_unitdir}/system">
> > -FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli
> > ${sysconfdir}/ssh/sshd_config ${sysconfdir}/ssh/sshd_config_readonly
> > ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd"
> > +FILES_${PN}-sshd += "${sysconfdir}/ssh/moduli
> > ${sysconfdir}/default/volatiles/99_sshd ${sysconfdir}/pam.d/sshd">
> > FILES_${PN}-sftp = "${bindir}/sftp"
> > FILES_${PN}-sftp-server = "${libexecdir}/sftp-server"
> > FILES_${PN}-misc = "${bindir}/ssh* ${libexecdir}/ssh*"
> > FILES_${PN}-keygen = "${bindir}/ssh-keygen"
> >
> > RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> >
> > -RDEPENDS_${PN}-sshd += "${PN}-keygen
> > ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-keyinit
> > pam-plugin-loginuid', '', d)}" +RDEPENDS_${PN}-sshd += "${PN}-keygen
> > sshd-config ${@bb.utils.contains('DISTRO_FEATURES', 'pam',
> > 'pam-plugin-keyinit pam-plugin-loginuid', '', d)}">
> > RDEPENDS_${PN}-ptest += "${PN}-sftp ${PN}-misc ${PN}-sftp-server make"
> >
> > RPROVIDES_${PN}-ssh = "ssh"
> >
> > +RPROVIDES_${PN}-sshd-config = "sshd-config"
> > +RPROVIDES_${PN}-sshd-config-readonly = "sshd-config"
> >
> > RPROVIDES_${PN}-sshd = "sshd"
> >
> > RCONFLICTS_${PN} = "dropbear"
> >
> > +RCONFLICTS_${PN}-sshd-config = "${PN}-sshd-config-readonly"
> > +RCONFLICTS_${PN}-sshd-config-readonly = "${PN}-sshd-config"
> >
> > RCONFLICTS_${PN}-sshd = "dropbear"
> > RCONFLICTS_${PN}-keygen = "ssh-keygen"
> >
> > -CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> > +CONFFILES_${PN}-sshd-config = "${sysconfdir}/ssh/sshd_config_default"
> > +CONFFILES_${PN}-sshd-config-readonly =
> > "${sysconfdir}/ssh/sshd_config_readonly">
> > CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> >
> > +pkg_postinst_${PN}-sshd-config () {
> > +#!/bin/sh
> > +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> > + rm $D${sysconfdir}/ssh/sshd_config
> > +fi
> > +
> > +# Make sure destination directory exists, before creating the symlink
> > +mkdir -p $D${sysconfdir}/ssh
> > +ln -s sshd_config_default $D${sysconfdir}/ssh/sshd_config
> > +}
> > +
> > +pkg_postinst_${PN}-sshd-config-readonly () {
> > +#!/bin/sh
> > +if [ -e $D${sysconfdir}/ssh/sshd_config ]; then
> > + rm $D${sysconfdir}/ssh/sshd_config
> > +fi
> > +
> > +# Make sure destination directory exists, before creating the symlink
> > +mkdir -p $D${sysconfdir}/ssh
> > +ln -s sshd_config_readonly $D${sysconfdir}/ssh/sshd_config
> > +}
> > +
>
> I do not like changing /etc/ssh/sshd_config to be a link. I know at least
> we have our own rootfs-postcommands that will be affected by such a change.
>
> How about you use a PACKAGESPLITFUNCS function instead and move the files
> back into place before they are packaged, so that both configuration
> packages contain the /etc/ssh/sshd_config file.
I have another problem: when I package my configuration, I do not want any
postcommand tasks to modify it unpredictably in my release builds. Maybe I
should find another workaround that does not break the current workflows.
>
> Something like this should work (totally untested):
>
> PACKAGESPLITFUNCS += "restore_sshd_config"
>
> restore_sshd_config() {
> for file in ${PKGDEST}/*${sysconfdir}/sshd/sshd_config_*; do
> mv $file ${file%_*}
> done
> }
>
> > ALTERNATIVE_PRIORITY = "90"
> > ALTERNATIVE_${PN}-scp = "scp"
> > ALTERNATIVE_${PN}-ssh = "ssh"
> >
> > --
> > 2.13.0
>
> //Peter
--
David
* Re: [PATCH RESEND 0/3] openssh: Package server configuration
2017-06-09 13:53 ` [PATCH RESEND 0/3] openssh: Package server configuration André Draszik
@ 2017-06-13 7:42 ` David Vincent
0 siblings, 0 replies; 8+ messages in thread
From: David Vincent @ 2017-06-13 7:42 UTC (permalink / raw)
To: openembedded-core
On vendredi 9 juin 2017 15:53:40 CEST André Draszik wrote:
> Hi.
>
> On Fri, 2017-06-09 at 09:04 +0200, David Vincent wrote:
> > This serie of patches provides a way to package OpenSSH sshd
> > configuration. This
> > way, it should be easier to change the configuration either in distro
> > and/or BSP
> > layers.
> > It also simplifies management for R/O rootfs
>
> Looking at some previous patches and comments, this split seems to have been
> done with the intention to better support R/O rootfs.
Not only that: it has also been done with the intention of providing a completely custom
configuration. But maybe it wasn't the proper way to do it.
> I have a sent a patch that addresses the R/O rootfs issue in a different
> way, which I believe to be a simpler and less intrusive approach. We've been
> using this for a while.
Yes, I saw it has been merged recently. I'm not sure it addresses the problem
I had in mind but I agree it simplifies the configuration for R/O rootfs.
>
> http://lists.openembedded.org/pipermail/openembedded-core/2017-June/137848.h
> tml
>
> Let me know what you think.
>
>
> Cheers,
> Andre'
>
> > David Vincent (3):
> > openssh: Package server configuration
> > core-image: Set default sshd configuration
> > rootfs-postcommands: Modify ssh-related commands
> >
> > meta/classes/core-image.bbclass | 3 +-
> > meta/classes/rootfs-postcommands.bbclass | 17 +++-----
> > meta/recipes-connectivity/openssh/openssh_7.5p1.bb | 51
> > ++++++++++++++++++----
> > 3 files changed, 50 insertions(+), 21 deletions(-)
> >
> > --
> > 2.13.0
--
David