Fwd: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

Fwd: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Martyn Welch]

Note to self - remember to reply to list...

-------- Forwarded Message --------
From: Martyn Welch <martyn.welch@collabora.com>
To: Konrad Weihmann <kweihmann@outlook.com>
Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default
IMAGE_QA_PROHIBIT_PATHS variable
Date: Tue, 26 Oct 2021 12:12:11 +0100

On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
> 
> 
> On 26.10.21 12:50, Martyn Welch wrote:
> > From: Martyn Welch <martyn.welch@collabora.co.uk>
> > 
> > Add a default IMAGE_QA_PROHIBIT_PATHS variable containing paths
> > known to
> > be mounted in the default fstab, which are known mount points or
> > directories which should be populated at runtime.
> > 
> > Suggested-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> 
> That can't be true - or the initial idea is very very old :-) pls use
> Alex's gmail instead

It's a very old patch series, originally posted in 2017 (as mentioned
in patch 1/2). Just noticed it never got applied...

> > +# IMAGE_QA_PROHIBITED_PATHS
> > +# Ensure images aren't including files in places that will be used
> > as mount points or that are
> > +# reserved for runtime data.
> > +IMAGE_QA_PROHIBITED_PATHS ?=
> > "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:/var/t
> > mp/*:/var/volatile/*"
> 
> I like the idea, but wouldn't make more sense to do that on a package
> level, as here the user is more or less left alone in guessing where
> the 
> file actually does come from

I like that idea, however it would make to assumption that there wasn't
any tweaks being made as part of image generation that would end up
violating this. A quick check suggests the "build-appliance-
image_15.0.0.bb" image does this kind of thing in the core image types.

Martyn

Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Konrad Weihmann]

On 26.10.21 13:21, Martyn Welch wrote:
> Note to self - remember to reply to list...
> 
> -------- Forwarded Message --------
> From: Martyn Welch <martyn.welch@collabora.com>
> To: Konrad Weihmann <kweihmann@outlook.com>
> Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default
> IMAGE_QA_PROHIBIT_PATHS variable
> Date: Tue, 26 Oct 2021 12:12:11 +0100
> 
> On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
>>
>>
>> On 26.10.21 12:50, Martyn Welch wrote:
>>> From: Martyn Welch <martyn.welch@collabora.co.uk>
>>>
>>> Add a default IMAGE_QA_PROHIBIT_PATHS variable containing paths
>>> known to
>>> be mounted in the default fstab, which are known mount points or
>>> directories which should be populated at runtime.
>>>
>>> Suggested-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
>>
>> That can't be true - or the initial idea is very very old :-) pls use
>> Alex's gmail instead
> 
> It's a very old patch series, originally posted in 2017 (as mentioned
> in patch 1/2). Just noticed it never got applied...
> 
>>> +# IMAGE_QA_PROHIBITED_PATHS
>>> +# Ensure images aren't including files in places that will be used
>>> as mount points or that are
>>> +# reserved for runtime data.
>>> +IMAGE_QA_PROHIBITED_PATHS ?=
>>> "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:/var/t
>>> mp/*:/var/volatile/*"
>>
>> I like the idea, but wouldn't make more sense to do that on a package
>> level, as here the user is more or less left alone in guessing where
>> the
>> file actually does come from
> 
> I like that idea, however it would make to assumption that there wasn't
> any tweaks being made as part of image generation that would end up
> violating this. A quick check suggests the "build-appliance-
> image_15.0.0.bb" image does this kind of thing in the core image types.
> 

As Alex just wrote, I might be beneficial to do both

> Martyn
> 
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157387): https://lists.openembedded.org/g/openembedded-core/message/157387
> Mute This Topic: https://lists.openembedded.org/mt/86599458/3647476
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [kweihmann@outlook.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

RE: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Peter Kjellerstedt]

> -----Original Message-----
> From: openembedded-core@lists.openembedded.org <openembedded-
> core@lists.openembedded.org> On Behalf Of Konrad Weihmann
> Sent: den 26 oktober 2021 13:24
> To: Martyn Welch <martyn.welch@collabora.com>; OE-core <openembedded-
> core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default
> IMAGE_QA_PROHIBIT_PATHS variable
> 
> 
> 
> On 26.10.21 13:21, Martyn Welch wrote:
> > Note to self - remember to reply to list...
> >
> > -------- Forwarded Message --------
> > From: Martyn Welch <martyn.welch@collabora.com>
> > To: Konrad Weihmann <kweihmann@outlook.com>
> > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default
> > IMAGE_QA_PROHIBIT_PATHS variable
> > Date: Tue, 26 Oct 2021 12:12:11 +0100
> >
> > On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
> >>
> >>
> >> On 26.10.21 12:50, Martyn Welch wrote:
> >>> From: Martyn Welch <martyn.welch@collabora.co.uk>
> >>>
> >>> Add a default IMAGE_QA_PROHIBIT_PATHS variable containing paths
> >>> known to
> >>> be mounted in the default fstab, which are known mount points or
> >>> directories which should be populated at runtime.
> >>>
> >>> Suggested-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> >>
> >> That can't be true - or the initial idea is very very old :-) pls use
> >> Alex's gmail instead
> >
> > It's a very old patch series, originally posted in 2017 (as mentioned
> > in patch 1/2). Just noticed it never got applied...
> >
> >>> +# IMAGE_QA_PROHIBITED_PATHS
> >>> +# Ensure images aren't including files in places that will be used as mount points or that are
> >>> +# reserved for runtime data.
> >>> +IMAGE_QA_PROHIBITED_PATHS ?= "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:/var/tmp/*:/var/volatile/*"
> >>
> >> I like the idea, but wouldn't make more sense to do that on a package
> >> level, as here the user is more or less left alone in guessing where
> >> the file actually does come from
> >
> > I like that idea, however it would make to assumption that there wasn't
> > any tweaks being made as part of image generation that would end up
> > violating this. A quick check suggests the "build-appliance-
> > image_15.0.0.bb" image does this kind of thing in the core image types.
> 
> As Alex just wrote, I might be beneficial to do both
> 
> > Martyn

We have an alternative solution that hooks into the package QA. It 
focuses on directories that are supposed to be empty. In addition to 
failing the build if there are files in such a directory, it also 
allows to specify for each directory why it should be empty. We have 
used this, e.g., to mark common directories that have been renamed 
to give an indication of where the files were supposed to have been 
installed.

Do you want me to generalize this and send a patch for it?

//Peter

Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Martyn Welch]

On Tue, 2021-10-26 at 14:59 +0000, Peter Kjellerstedt wrote:
> > -----Original Message-----
> > From: openembedded-core@lists.openembedded.org <openembedded-
> > core@lists.openembedded.org> On Behalf Of Konrad Weihmann
> > Sent: den 26 oktober 2021 13:24
> > To: Martyn Welch <martyn.welch@collabora.com>; OE-core
> > <openembedded-
> > core@lists.openembedded.org>
> > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > default
> > IMAGE_QA_PROHIBIT_PATHS variable
> > 
> > 
> > 
> > On 26.10.21 13:21, Martyn Welch wrote:
> > > Note to self - remember to reply to list...
> > > 
> > > -------- Forwarded Message --------
> > > From: Martyn Welch <martyn.welch@collabora.com>
> > > To: Konrad Weihmann <kweihmann@outlook.com>
> > > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > > default
> > > IMAGE_QA_PROHIBIT_PATHS variable
> > > Date: Tue, 26 Oct 2021 12:12:11 +0100
> > > 
> > > On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
> > > > 
> > > > 
> > > > On 26.10.21 12:50, Martyn Welch wrote:

<snip>

> > > > > +# IMAGE_QA_PROHIBITED_PATHS
> > > > > +# Ensure images aren't including files in places that will
> > > > > be used as mount points or that are
> > > > > +# reserved for runtime data.
> > > > > +IMAGE_QA_PROHIBITED_PATHS ?=
> > > > > "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:
> > > > > /var/tmp/*:/var/volatile/*"
> > > > 
> > > > I like the idea, but wouldn't make more sense to do that on a
> > > > package
> > > > level, as here the user is more or less left alone in guessing
> > > > where
> > > > the file actually does come from
> > > 
> > > I like that idea, however it would make to assumption that there
> > > wasn't
> > > any tweaks being made as part of image generation that would end
> > > up
> > > violating this. A quick check suggests the "build-appliance-
> > > image_15.0.0.bb" image does this kind of thing in the core image
> > > types.
> > 
> > As Alex just wrote, I might be beneficial to do both
> > 
> > > Martyn
> 
> We have an alternative solution that hooks into the package QA. It 
> focuses on directories that are supposed to be empty. In addition to 
> failing the build if there are files in such a directory, it also 
> allows to specify for each directory why it should be empty. We have 
> used this, e.g., to mark common directories that have been renamed 
> to give an indication of where the files were supposed to have been 
> installed.
> 
> Do you want me to generalize this and send a patch for it?
> 

Hi Peter,

It would be great if we could merge these approaches, i.e. have one way
to specify directories that need to be empty and test both as part of
package QA and also image QA.

I was just working on adding some package QA support to what I've had,
but can pause that.

Would you be able to provide show how you'd propose managing the
prohibited directories? I'll try and tweak the image QA stuff already
posted to fit that.

Martyn

> //Peter
> 
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#157397):
> https://lists.openembedded.org/g/openembedded-core/message/157397
> Mute This Topic: https://lists.openembedded.org/mt/86599458/6512429
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [
> martyn.welch@collabora.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

RE: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Peter Kjellerstedt]

> -----Original Message-----
> From: Martyn Welch <martyn.welch@collabora.com>
> Sent: den 26 oktober 2021 17:32
> To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; Konrad Weihmann
> <kweihmann@outlook.com>; OE-core <openembedded-
> core@lists.openembedded.org>
> Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default
> IMAGE_QA_PROHIBIT_PATHS variable
> 
> On Tue, 2021-10-26 at 14:59 +0000, Peter Kjellerstedt wrote:
> > > -----Original Message-----
> > > From: openembedded-core@lists.openembedded.org <openembedded-
> > > core@lists.openembedded.org> On Behalf Of Konrad Weihmann
> > > Sent: den 26 oktober 2021 13:24
> > > To: Martyn Welch <martyn.welch@collabora.com>; OE-core
> > > <openembedded-
> > > core@lists.openembedded.org>
> > > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > > default
> > > IMAGE_QA_PROHIBIT_PATHS variable
> > >
> > >
> > >
> > > On 26.10.21 13:21, Martyn Welch wrote:
> > > > Note to self - remember to reply to list...
> > > >
> > > > -------- Forwarded Message --------
> > > > From: Martyn Welch <martyn.welch@collabora.com>
> > > > To: Konrad Weihmann <kweihmann@outlook.com>
> > > > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > > > default
> > > > IMAGE_QA_PROHIBIT_PATHS variable
> > > > Date: Tue, 26 Oct 2021 12:12:11 +0100
> > > >
> > > > On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
> > > > >
> > > > >
> > > > > On 26.10.21 12:50, Martyn Welch wrote:
> 
> <snip>
> 
> > > > > > +# IMAGE_QA_PROHIBITED_PATHS
> > > > > > +# Ensure images aren't including files in places that will
> > > > > > be used as mount points or that are
> > > > > > +# reserved for runtime data.
> > > > > > +IMAGE_QA_PROHIBITED_PATHS ?=
> > > > > > "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/run/*:
> > > > > > /var/tmp/*:/var/volatile/*"
> > > > >
> > > > > I like the idea, but wouldn't make more sense to do that on a
> > > > > package
> > > > > level, as here the user is more or less left alone in guessing
> > > > > where
> > > > > the file actually does come from
> > > >
> > > > I like that idea, however it would make to assumption that there
> > > > wasn't
> > > > any tweaks being made as part of image generation that would end
> > > > up
> > > > violating this. A quick check suggests the "build-appliance-
> > > > image_15.0.0.bb" image does this kind of thing in the core image
> > > > types.
> > >
> > > As Alex just wrote, I might be beneficial to do both
> > >
> > > > Martyn
> >
> > We have an alternative solution that hooks into the package QA. It
> > focuses on directories that are supposed to be empty. In addition to
> > failing the build if there are files in such a directory, it also
> > allows to specify for each directory why it should be empty. We have
> > used this, e.g., to mark common directories that have been renamed
> > to give an indication of where the files were supposed to have been
> > installed.
> >
> > Do you want me to generalize this and send a patch for it?
> 
> Hi Peter,
> 
> It would be great if we could merge these approaches, i.e. have one way
> to specify directories that need to be empty and test both as part of
> package QA and also image QA.
> 
> I was just working on adding some package QA support to what I've had,
> but can pause that.
> 
> Would you be able to provide show how you'd propose managing the
> prohibited directories? I'll try and tweak the image QA stuff already
> posted to fit that.
> 
> Martyn
> 
> > //Peter

I have sent two patches now. The first makes systemd not install 
anything in /var/log, as it otherwise conflicts with the suggested 
defaults. And then one patch that adds the package QA check for 
empty directories. I used the same defaults as suggested in your 
patch, except I removed /mnt since it is not obvious it should be 
empty. At least we use subdirectories in /mnt for our mountpoints.

//Peter

Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add default IMAGE_QA_PROHIBIT_PATHS variable

[Martyn Welch]

On Wed, 2021-10-27 at 16:43 +0000, Peter Kjellerstedt wrote:
> > -----Original Message-----
> > From: Martyn Welch <martyn.welch@collabora.com>
> > Sent: den 26 oktober 2021 17:32
> > To: Peter Kjellerstedt <peter.kjellerstedt@axis.com>; Konrad
> > Weihmann
> > <kweihmann@outlook.com>; OE-core <openembedded-
> > core@lists.openembedded.org>
> > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > default
> > IMAGE_QA_PROHIBIT_PATHS variable
> > 
> > On Tue, 2021-10-26 at 14:59 +0000, Peter Kjellerstedt wrote:
> > > > -----Original Message-----
> > > > From: openembedded-core@lists.openembedded.org <openembedded-
> > > > core@lists.openembedded.org> On Behalf Of Konrad Weihmann
> > > > Sent: den 26 oktober 2021 13:24
> > > > To: Martyn Welch <martyn.welch@collabora.com>; OE-core
> > > > <openembedded-
> > > > core@lists.openembedded.org>
> > > > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > > > default
> > > > IMAGE_QA_PROHIBIT_PATHS variable
> > > > 
> > > > 
> > > > 
> > > > On 26.10.21 13:21, Martyn Welch wrote:
> > > > > Note to self - remember to reply to list...
> > > > > 
> > > > > -------- Forwarded Message --------
> > > > > From: Martyn Welch <martyn.welch@collabora.com>
> > > > > To: Konrad Weihmann <kweihmann@outlook.com>
> > > > > Subject: Re: [OE-core] [PATCH v6 2/2] core-image.bbclass: add
> > > > > default
> > > > > IMAGE_QA_PROHIBIT_PATHS variable
> > > > > Date: Tue, 26 Oct 2021 12:12:11 +0100
> > > > > 
> > > > > On Tue, 2021-10-26 at 12:56 +0200, Konrad Weihmann wrote:
> > > > > > 
> > > > > > 
> > > > > > On 26.10.21 12:50, Martyn Welch wrote:
> > 
> > <snip>
> > 
> > > > > > > +# IMAGE_QA_PROHIBITED_PATHS
> > > > > > > +# Ensure images aren't including files in places that
> > > > > > > will
> > > > > > > be used as mount points or that are
> > > > > > > +# reserved for runtime data.
> > > > > > > +IMAGE_QA_PROHIBITED_PATHS ?=
> > > > > > > "/dev/pts/*:/media/*:/mnt/*:/proc/*:/run/*:/tmp/*:/var/ru
> > > > > > > n/*:
> > > > > > > /var/tmp/*:/var/volatile/*"
> > > > > > 
> > > > > > I like the idea, but wouldn't make more sense to do that on
> > > > > > a
> > > > > > package
> > > > > > level, as here the user is more or less left alone in
> > > > > > guessing
> > > > > > where
> > > > > > the file actually does come from
> > > > > 
> > > > > I like that idea, however it would make to assumption that
> > > > > there
> > > > > wasn't
> > > > > any tweaks being made as part of image generation that would
> > > > > end
> > > > > up
> > > > > violating this. A quick check suggests the "build-appliance-
> > > > > image_15.0.0.bb" image does this kind of thing in the core
> > > > > image
> > > > > types.
> > > > 
> > > > As Alex just wrote, I might be beneficial to do both
> > > > 
> > > > > Martyn
> > > 
> > > We have an alternative solution that hooks into the package QA.
> > > It
> > > focuses on directories that are supposed to be empty. In addition
> > > to
> > > failing the build if there are files in such a directory, it also
> > > allows to specify for each directory why it should be empty. We
> > > have
> > > used this, e.g., to mark common directories that have been
> > > renamed
> > > to give an indication of where the files were supposed to have
> > > been
> > > installed.
> > > 
> > > Do you want me to generalize this and send a patch for it?
> > 
> > Hi Peter,
> > 
> > It would be great if we could merge these approaches, i.e. have one
> > way
> > to specify directories that need to be empty and test both as part
> > of
> > package QA and also image QA.
> > 
> > I was just working on adding some package QA support to what I've
> > had,
> > but can pause that.
> > 
> > Would you be able to provide show how you'd propose managing the
> > prohibited directories? I'll try and tweak the image QA stuff
> > already
> > posted to fit that.
> > 
> > Martyn
> > 
> > > //Peter
> 
> I have sent two patches now. The first makes systemd not install 
> anything in /var/log, as it otherwise conflicts with the suggested 
> defaults. And then one patch that adds the package QA check for 
> empty directories. I used the same defaults as suggested in your 
> patch, except I removed /mnt since it is not obvious it should be 
> empty. At least we use subdirectories in /mnt for our mountpoints.
> 

Thanks Peter,

Looks good to me. I'll adapt the mine to be an image QA test that
complements this.

Martyn

> //Peter
>