[Buildroot] systemd improvements V2

[Buildroot] systemd improvements V2

[Norbert Lange]

-   nss patch redone, now using the template from share/factory,
    and support all 4 plugins from systemd
-   added upstream patch for systemd-tmpfilesd
-   separate RPATH fixup, inlcude all systemd binaries
-   include fix when using an ro filesystem with timesyncd
    (still needs a writable /var/tmp)
-   remove some dbus/util linux subpackage seletion
    (I expect there be discussions)

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Norbert Lange]

This adds configuration of the nsswitch.conf file,
it does so by pathing the template provided by systemd.

The template is fully populated, the services that are
not available are removed.

If the plugin nss-compat is not available, the entries
will be replaced with nss-files.

nss-systemd is used for the DynamicUser features,
which is a defacto necessity for systemd.
It handles transient users/groups without
touching the /etc/{passwd,group} files on disk.

nss-myhostname allows resolving the hostname,
again without touching files in /etc.
Enabling this feature requires configuring the plugin.

nss-resolve is part of resolved, and required for
consistent dns lookups.

nss-mymachines adds name resolution from
containers.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index e61cec80f0..cf6c0f9576 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
 	touch $(TARGET_DIR)/etc/machine-id
 endef
 
+define SYSTEMD_NSSCONFIG_HOOK
+	[ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \
+		sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
+	[ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \
+		sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
+		-e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
+	[ "$(BR2_PACKAGE_SYSTEMD_MYHOSTNAME)" = "y" ] || \
+		sed -e 's,\bmyhostname[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
+		-e 's,\bmyhostname\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
+	[ "$(BR2_PACKAGE_SYSTEMD_MACHINED)" = "y" ] || \
+		sed -e 's,\bmymachines[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
+		-e 's,\bmymachines\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
+	install -m644 $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf $(TARGET_DIR)/etc/nsswitch.conf
+endef
+
 SYSTEMD_POST_INSTALL_TARGET_HOOKS += \
+	SYSTEMD_NSSCONFIG_HOOK \
 	SYSTEMD_INSTALL_INIT_HOOK \
 	SYSTEMD_INSTALL_MACHINEID_HOOK \
 	SYSTEMD_INSTALL_RESOLVCONF_HOOK
-- 
2.27.0

[Buildroot] [PATCH v2 02/14] package/systemd: remove unused user accounts

[Norbert Lange]

Since V235 the "gateway" and "upload" services use DynamicUsers,
requiring no entries in /etc/passwd.
This functionality requires nss-systemd, which is always
enabled in buildroot.

The "bus-proxy" user was removed in V230.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>
---
 package/systemd/systemd.mk | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index cf6c0f9576..8e82d8afa7 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -502,10 +502,7 @@ define SYSTEMD_USERS
 	- - systemd-journal -1 * - - - Journal
 	- - render -1 * - - - DRI rendering nodes
 	- - kvm -1 * - - - kvm nodes
-	systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus messages to/from a bus
-	systemd-journal-gateway -1 systemd-journal-gateway -1 * /var/log/journal - - Journal Gateway
 	systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
-	systemd-journal-upload -1 systemd-journal-upload -1 * - - - Journal Upload
 	$(SYSTEMD_COREDUMP_USER)
 	$(SYSTEMD_NETWORKD_USER)
 	$(SYSTEMD_RESOLVED_USER)
-- 
2.27.0

[Buildroot] [PATCH v2 03/14] package/systemd: create "remote" user if the feature is enabled

[Norbert Lange]

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>
---
 package/systemd/systemd.mk | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 8e82d8afa7..ead4e70f95 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -214,6 +214,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE),y)
 SYSTEMD_CONF_OPTS += -Dremote=true
+SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
 else
 SYSTEMD_CONF_OPTS += -Dremote=false
 endif
@@ -502,7 +503,7 @@ define SYSTEMD_USERS
 	- - systemd-journal -1 * - - - Journal
 	- - render -1 * - - - DRI rendering nodes
 	- - kvm -1 * - - - kvm nodes
-	systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
+	$(SYSTEMD_REMOTE_USER)
 	$(SYSTEMD_COREDUMP_USER)
 	$(SYSTEMD_NETWORKD_USER)
 	$(SYSTEMD_RESOLVED_USER)
-- 
2.27.0

[Buildroot] [PATCH v2 04/14] package/systemd: cosmetic rearrange list of users

[Norbert Lange]

Group the udev users first, to make clear which software
requires them.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>
---
 package/systemd/systemd.mk | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index ead4e70f95..6629c933cd 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -499,10 +499,12 @@ define SYSTEMD_INSTALL_IMAGES_CMDS
 endef
 
 define SYSTEMD_USERS
+	# udev user groups
 	- - input -1 * - - - Input device group
-	- - systemd-journal -1 * - - - Journal
 	- - render -1 * - - - DRI rendering nodes
 	- - kvm -1 * - - - kvm nodes
+	# systemd user groups
+	- - systemd-journal -1 * - - - Journal
 	$(SYSTEMD_REMOTE_USER)
 	$(SYSTEMD_COREDUMP_USER)
 	$(SYSTEMD_NETWORKD_USER)
-- 
2.27.0

[Buildroot] [PATCH v2 05/14] package/systemd: sync user comments to upstream

[Norbert Lange]

The necessary system users are documented in the projects README.

Description is matched to the ones in the upstream sysusers.d
files. Remove homedirectory (upstream doesnt care either).

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 6629c933cd..2cc71ee667 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -214,7 +214,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE),y)
 SYSTEMD_CONF_OPTS += -Dremote=true
-SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
+SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * - - - systemd Journal Remote
 else
 SYSTEMD_CONF_OPTS += -Dremote=false
 endif
@@ -358,7 +358,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD_COREDUMP),y)
 SYSTEMD_CONF_OPTS += -Dcoredump=true
-SYSTEMD_COREDUMP_USER = systemd-coredump -1 systemd-coredump -1 * /var/lib/systemd/coredump - - Core Dumper
+SYSTEMD_COREDUMP_USER = systemd-coredump -1 systemd-coredump -1 * - - - systemd core dump processing
 else
 SYSTEMD_CONF_OPTS += -Dcoredump=false
 endif
@@ -378,7 +378,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD_NETWORKD),y)
 SYSTEMD_CONF_OPTS += -Dnetworkd=true
-SYSTEMD_NETWORKD_USER = systemd-network -1 systemd-network -1 * - - - Network Manager
+SYSTEMD_NETWORKD_USER = systemd-network -1 systemd-network -1 * - - - systemd Network Management
 SYSTEMD_NETWORKD_DHCP_IFACE = $(call qstrip,$(BR2_SYSTEM_DHCP))
 ifneq ($(SYSTEMD_NETWORKD_DHCP_IFACE),)
 define SYSTEMD_INSTALL_NETWORK_CONFS
@@ -397,7 +397,7 @@ define SYSTEMD_INSTALL_RESOLVCONF_HOOK
 		$(TARGET_DIR)/etc/resolv.conf
 endef
 SYSTEMD_CONF_OPTS += -Dnss-resolve=true -Dresolve=true
-SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - Network Name Resolution Manager
+SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - systemd Resolver
 else
 SYSTEMD_CONF_OPTS += -Dnss-resolve=false -Dresolve=false
 endif
@@ -414,7 +414,7 @@ endif
 
 ifeq ($(BR2_PACKAGE_SYSTEMD_TIMESYNCD),y)
 SYSTEMD_CONF_OPTS += -Dtimesyncd=true
-SYSTEMD_TIMESYNCD_USER = systemd-timesync -1 systemd-timesync -1 * - - - Network Time Synchronization
+SYSTEMD_TIMESYNCD_USER = systemd-timesync -1 systemd-timesync -1 * - - - systemd Time Synchronization
 else
 SYSTEMD_CONF_OPTS += -Dtimesyncd=false
 endif
-- 
2.27.0

[Buildroot] [PATCH v2 06/14] Makefile: Handle systemd catalogs in PURGE_LOCALES

[Norbert Lange]

journald supports localization with Catalog files with
a naming scheme <name>.<lang>.catalog.
We want to purge them like other locales.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 Makefile | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/Makefile b/Makefile
index ce1c08a6f6..dd4cc4c4c2 100644
--- a/Makefile
+++ b/Makefile
@@ -709,6 +709,14 @@ define PURGE_LOCALES
 			fi \
 		done; \
 	done
+	for cfile in $(wildcard $(TARGET_DIR)/usr/lib/systemd/catalog/*.catalog); \
+	do \
+		basename=$${cfile##*/}; \
+		basename=$${basename%.catalog}; \
+		langext=$${basename#*.}; \
+		[ "$$langext" != "$${basename}" ] || continue; \
+		grep -qx "$${langext}" $(LOCALE_WHITELIST) || rm -f "$$cfile"; \
+	done
 	if [ -d $(TARGET_DIR)/usr/share/X11/locale ]; \
 	then \
 		for lang in $(LOCALE_NOPURGE); \
-- 
2.27.0

[Buildroot] [PATCH v2 07/14] package/systemd: fixup RPATH for more systemd host binaries

[Norbert Lange]

All systemd binaries depend on libsystemd-shared and need their
RPATH fixed. Use a glob to catch them all

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 2cc71ee667..2c7f35bf25 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -659,6 +659,8 @@ HOST_SYSTEMD_DEPENDENCIES = \
 	host-libcap \
 	host-gperf
 
+HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
+
 # Fix RPATH After installation
 # * systemd provides a install_rpath instruction to meson because the binaries
 #   need to link with libsystemd which is not in a standard path
@@ -667,20 +669,11 @@ HOST_SYSTEMD_DEPENDENCIES = \
 # * the original path had been tweaked by buildroot via LDFLAGS to add
 #   $(HOST_DIR)/lib
 # * thus re-tweak rpath after the installation for all binaries that need it
-HOST_SYSTEMD_HOST_TOOLS = \
-	systemd-analyze \
-	systemd-machine-id-setup \
-	systemd-mount \
-	systemd-nspawn \
-	systemctl \
-	udevadm
-
-HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
 
 define HOST_SYSTEMD_FIX_RPATH
-	$(foreach f,$(HOST_SYSTEMD_HOST_TOOLS), \
-		$(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $(HOST_DIR)/bin/$(f)
-	)
+	cd $(HOST_DIR)/bin && for f in journalctl systemctl udevadm systemd-*; do \
+	  [ ! -x $$f ] || $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $$f; \
+	  done
 endef
 HOST_SYSTEMD_POST_INSTALL_HOOKS += HOST_SYSTEMD_FIX_RPATH
 
-- 
2.27.0

[Buildroot] [PATCH v2 08/14] package/systemd: add hook to update journalctl catalogs

[Norbert Lange]

journald supports catalog files, or rather a binary database of
those.
This add a hook to create said database from the available
catalog source files (which are not needed afterwards).

One ugly workaround is or ensuring that PURGE_LOCALES is
called before, we do this by adding this hook
(will then run twice during the finalize target step).

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index 2c7f35bf25..d3be92b78c 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -579,6 +579,16 @@ define SYSTEMD_PRESET_ALL
 endef
 SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_PRESET_ALL
 
+define SYSTEMD_UPDATE_CATALOGS
+	$(HOST_DIR)/bin/journalctl --root=$(TARGET_DIR) --update-catalog
+endef
+
+# SYSTEMD_UPDATE_CATALOGS needs to run after PURGE_LOCALES
+ifeq ($(BR2_ENABLE_LOCALE_PURGE),y)
+SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
+endif
+SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
+
 SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
 SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
 
-- 
2.27.0

[Buildroot] [PATCH v2 09/14] package/systemd: option to delete all catalog files

[Norbert Lange]

Unless you need to rebuild the database, there is
no need for the (source) catalog files.

This option removes the files, and the service
in a ROOTFS_PRE_CMD_HOOK.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/Config.in  | 12 ++++++++++++
 package/systemd/systemd.mk | 10 ++++++++++
 2 files changed, 22 insertions(+)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index dd3b8c534d..b09bd36ab6 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -251,6 +251,18 @@ config BR2_PACKAGE_SYSTEMD_IMPORTD
 
 	  http://www.freedesktop.org/software/systemd/man/machinectl.html#Image%20Transfer%20Commands
 
+config BR2_PACKAGE_SYSTEMD_RETAIN_CATALOGS
+	bool "retain source catalog files"
+	help
+	  catalog files are used to provide extended and potentially localized
+	  messages for the journal.
+	  The files reside in /usr/lib/systemd/catalog, but arent used directly,
+	  instead a binary database will be built using these files.
+
+	  Only if the database needs to be rebuilt later they need to be retained.
+
+	  https://www.freedesktop.org/wiki/Software/systemd/catalog/
+
 config BR2_PACKAGE_SYSTEMD_LOCALED
 	bool "enable locale daemon"
 	help
diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index d3be92b78c..e117e3a082 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -464,6 +464,16 @@ ifneq ($(SYSTEMD_FALLBACK_HOSTNAME),)
 SYSTEMD_CONF_OPTS += -Dfallback-hostname=$(SYSTEMD_FALLBACK_HOSTNAME)
 endif
 
+ifneq ($(BR2_PACKAGE_SYSTEMD_RETAIN_CATALOGS),y)
+define SYSTEMD_RM_SOURCE_CATALOGS_HOOK
+	rm -rf $(TARGET_DIR)/usr/lib/systemd/catalog
+	find $(TARGET_DIR)/usr/lib/systemd/system \
+		-name systemd-journal-catalog-update.service -delete
+endef
+
+SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_RM_SOURCE_CATALOGS_HOOK
+endif
+
 define SYSTEMD_INSTALL_INIT_HOOK
 	ln -fs multi-user.target \
 		$(TARGET_DIR)/usr/lib/systemd/system/default.target
-- 
2.27.0

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Norbert Lange]

Especially for read-only filesystems it is helpfull to
pre-create all folders for non-volatile paths.

This needs to run under fakeroot to allow setting
uids/gids/perms for the target fs.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index e117e3a082..cb0278f3b7 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -599,6 +599,12 @@ SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
 endif
 SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
 
+define SYSTEMD_CREATE_TMPFILES_HOOK
+	$(HOST_DIR)/bin/systemd-tmpfiles --root=$(TARGET_DIR) --create --boot \
+		$(addprefix --exclude-prefix=/,dev mnt proc run sys tmp) || :
+endef
+SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_CREATE_TMPFILES_HOOK
+
 SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
 SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
 
@@ -652,7 +658,7 @@ HOST_SYSTEMD_CONF_OPTS = \
 	-Dvconsole=false \
 	-Dquotacheck=false \
 	-Dsysusers=false \
-	-Dtmpfiles=false \
+	-Dtmpfiles=true \
 	-Dimportd=false \
 	-Dhwdb=false \
 	-Drfkill=false \
-- 
2.27.0

[Buildroot] [PATCH v2 11/14] package/systemd: use an upstream patch for tmpfiles

[Norbert Lange]

running systemd-tmpfiles will currently use the hosts
user/group uids, even when specifying --root=.
The next systemd release v245 will include this change.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 ...e-rootfs-database-for-tmpfiles.patch.patch | 300 ++++++++++++++++++
 1 file changed, 300 insertions(+)
 create mode 100644 package/systemd/0001-use-rootfs-database-for-tmpfiles.patch.patch

diff --git a/package/systemd/0001-use-rootfs-database-for-tmpfiles.patch.patch b/package/systemd/0001-use-rootfs-database-for-tmpfiles.patch.patch
new file mode 100644
index 0000000000..5847bbd673
--- /dev/null
+++ b/package/systemd/0001-use-rootfs-database-for-tmpfiles.patch.patch
@@ -0,0 +1,300 @@
+From ab5b7df682c9e779e859a9caf9c2012d3db92dc3 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 5 May 2020 22:45:54 +0200
+Subject: [PATCH 1/3] tmpfiles: optionally, read /etc/passwd + /etc/group
+ without NSS
+
+There are two libc APIs for accessing the user database: NSS/getpwuid(),
+and fgetpwent(). if we run in --root= mode (i.e. "offline" mode), let's
+use the latter. Otherwise the former. This means tmpfiles can use the
+database included in the root environment for chowning, which is a lot
+more appropriate.
+
+Fixes: #14806
+Signed-off-by: Norbert Lange <nolange79@gmail.com>
+
+---
+ src/tmpfiles/tmpfiles.c | 145 +++++++++++++++++++++++++++++++++++++---
+ 1 file changed, 137 insertions(+), 8 deletions(-)
+
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 7137e9fbd72..6ece1b5ed16 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2487,7 +2487,139 @@ static int patch_var_run(const char *fname, unsigned line, char **path) {
+         return 0;
+ }
+
+-static int parse_line(const char *fname, unsigned line, const char *buffer, bool *invalid_config) {
++DEFINE_HASH_OPS_WITH_KEY_DESTRUCTOR(uid_gid_hash_ops, char, string_hash_func, string_compare_func, free);
++
++static int find_uid(const char *user, uid_t *ret_uid, Hashmap **cache) {
++        void *found;
++        int r;
++
++        assert(user);
++        assert(ret_uid);
++        assert(cache);
++
++        /* First: parse as numeric UID string */
++        r = parse_uid(user, ret_uid);
++        if (r >= 0)
++                return r;
++
++        /* Second: pass to NSS if we are running "online" */
++        if (!arg_root)
++                return get_user_creds(&user, ret_uid, NULL, NULL, NULL, 0);
++
++        /* Third: use fgetpwent() to read /etc/passwd directly, if we are "offline" */
++        if (!*cache) {
++                _cleanup_(hashmap_freep) Hashmap *uid_by_name = NULL;
++                _cleanup_fclose_ FILE *f = NULL;
++                struct passwd *pw;
++                const char *passwd_path;
++
++                passwd_path = prefix_roota(arg_root, "/etc/passwd");
++                f = fopen(passwd_path, "re");
++                if (!f)
++                        return errno == ENOENT ? -ESRCH : -errno;
++
++                uid_by_name = hashmap_new(&uid_gid_hash_ops);
++                if (!uid_by_name)
++                        return -ENOMEM;
++
++                while ((r = fgetpwent_sane(f, &pw)) > 0) {
++                        _cleanup_free_ char *n = NULL;
++
++                        n = strdup(pw->pw_name);
++                        if (!n)
++                                return -ENOMEM;
++
++                        r = hashmap_put(uid_by_name, n, UID_TO_PTR(pw->pw_uid));
++                        if (r == -EEXIST) {
++                                log_warning_errno(r, "Duplicate entry in %s for %s: %m", passwd_path, pw->pw_name);
++                                continue;
++                        }
++                        if (r < 0)
++                                return r;
++
++                        TAKE_PTR(n);
++                }
++
++                *cache = TAKE_PTR(uid_by_name);
++        }
++
++        found = hashmap_get(*cache, user);
++        if (!found)
++                return -ESRCH;
++
++        *ret_uid = PTR_TO_UID(found);
++        return 0;
++}
++
++static int find_gid(const char *group, gid_t *ret_gid, Hashmap **cache) {
++        void *found;
++        int r;
++
++        assert(group);
++        assert(ret_gid);
++        assert(cache);
++
++        /* First: parse as numeric GID string */
++        r = parse_gid(group, ret_gid);
++        if (r >= 0)
++                return r;
++
++        /* Second: pass to NSS if we are running "online" */
++        if (!arg_root)
++                return get_group_creds(&group, ret_gid, 0);
++
++        /* Third: use fgetgrent() to read /etc/group directly, if we are "offline" */
++        if (!*cache) {
++                _cleanup_(hashmap_freep) Hashmap *gid_by_name = NULL;
++                _cleanup_fclose_ FILE *f = NULL;
++                struct group *gr;
++                const char *group_path;
++
++                group_path = prefix_roota(arg_root, "/etc/group");
++                f = fopen(group_path, "re");
++                if (!f)
++                        return errno == ENOENT ? -ESRCH : -errno;
++
++                gid_by_name = hashmap_new(&uid_gid_hash_ops);
++                if (!gid_by_name)
++                        return -ENOMEM;
++
++                while ((r = fgetgrent_sane(f, &gr)) > 0) {
++                        _cleanup_free_ char *n = NULL;
++
++                        n = strdup(gr->gr_name);
++                        if (!n)
++                                return -ENOMEM;
++
++                        r = hashmap_put(gid_by_name, n, GID_TO_PTR(gr->gr_gid));
++                        if (r == -EEXIST) {
++                                log_warning_errno(r, "Duplicate entry in %s for %s: %m", group_path, gr->gr_name);
++                                continue;
++                        }
++                        if (r < 0)
++                                return r;
++
++                        TAKE_PTR(n);
++                }
++
++                *cache = TAKE_PTR(gid_by_name);
++        }
++
++        found = hashmap_get(*cache, group);
++        if (!found)
++                return -ESRCH;
++
++        *ret_gid = PTR_TO_GID(found);
++        return 0;
++}
++
++static int parse_line(
++                const char *fname,
++                unsigned line,
++                const char *buffer,
++                bool *invalid_config,
++                Hashmap **uid_cache,
++                Hashmap **gid_cache) {
+
+         _cleanup_free_ char *action = NULL, *mode = NULL, *user = NULL, *group = NULL, *age = NULL, *path = NULL;
+         _cleanup_(item_free_contents) Item i = {};
+@@ -2718,9 +2850,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer, bool
+         }
+
+         if (!empty_or_dash(user)) {
+-                const char *u = user;
+-
+-                r = get_user_creds(&u, &i.uid, NULL, NULL, NULL, USER_CREDS_ALLOW_MISSING);
++                r = find_uid(user, &i.uid, uid_cache);
+                 if (r < 0) {
+                         *invalid_config = true;
+                         return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve user '%s': %m", user);
+@@ -2730,9 +2860,7 @@ static int parse_line(const char *fname, unsigned line, const char *buffer, bool
+         }
+
+         if (!empty_or_dash(group)) {
+-                const char *g = group;
+-
+-                r = get_group_creds(&g, &i.gid, USER_CREDS_ALLOW_MISSING);
++                r = find_gid(group, &i.gid, gid_cache);
+                 if (r < 0) {
+                         *invalid_config = true;
+                         return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to resolve group '%s'.", group);
+@@ -2981,6 +3109,7 @@ static int parse_argv(int argc, char *argv[]) {
+ }
+
+ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoent, bool *invalid_config) {
++        _cleanup_(hashmap_freep) Hashmap *uid_cache = NULL, *gid_cache = NULL;
+         _cleanup_fclose_ FILE *_f = NULL;
+         Iterator iterator;
+         unsigned v = 0;
+@@ -3026,7 +3155,7 @@ static int read_config_file(char **config_dirs, const char *fn, bool ignore_enoe
+                 if (IN_SET(*l, 0, '#'))
+                         continue;
+
+-                k = parse_line(fn, v, l, &invalid_line);
++                k = parse_line(fn, v, l, &invalid_line, &uid_cache, &gid_cache);
+                 if (k < 0) {
+                         if (invalid_line)
+                                 /* Allow reporting with a special code if the caller requested this */
+
+From cc0ff79bd0f94336fc53407da7a20ff3c779456f Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 5 May 2020 22:48:50 +0200
+Subject: [PATCH 2/3] sysusers/tmpfiles: use --root=/ as way to force offline
+ operation (i.e.  without NSS)
+
+---
+ src/sysusers/sysusers.c |  2 +-
+ src/tmpfiles/tmpfiles.c | 10 ++++++----
+ 2 files changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
+index a36cfb210f6..9b57f0f933a 100644
+--- a/src/sysusers/sysusers.c
++++ b/src/sysusers/sysusers.c
+@@ -1813,7 +1813,7 @@ static int parse_argv(int argc, char *argv[]) {
+                         break;
+
+                 case ARG_ROOT:
+-                        r = parse_path_argument_and_warn(optarg, true, &arg_root);
++                        r = parse_path_argument_and_warn(optarg, /* suppress_root= */ false, &arg_root);
+                         if (r < 0)
+                                 return r;
+                         break;
+diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
+index 6ece1b5ed16..dc1dd89aecc 100644
+--- a/src/tmpfiles/tmpfiles.c
++++ b/src/tmpfiles/tmpfiles.c
+@@ -2741,7 +2741,7 @@ static int parse_line(
+
+         case COPY_FILES:
+                 if (!i.argument) {
+-                        i.argument = path_join(arg_root, "/usr/share/factory", i.path);
++                        i.argument = path_join("/usr/share/factory", i.path);
+                         if (!i.argument)
+                                 return log_oom();
+
+@@ -2749,7 +2749,9 @@ static int parse_line(
+                         *invalid_config = true;
+                         return log_syntax(NULL, LOG_ERR, fname, line, SYNTHETIC_ERRNO(EBADMSG), "Source path '%s' is not absolute.", i.argument);
+
+-                } else if (arg_root) {
++                }
++
++                if (!empty_or_root(arg_root)) {
+                         char *p;
+
+                         p = path_join(arg_root, i.argument);
+@@ -2840,7 +2842,7 @@ static int parse_line(
+                 return log_syntax(NULL, LOG_ERR, fname, line, r, "Failed to substitute specifiers in argument: %m");
+         }
+
+-        if (arg_root) {
++        if (!empty_or_root(arg_root)) {
+                 char *p;
+
+                 p = path_join(arg_root, i.path);
+@@ -3068,7 +3070,7 @@ static int parse_argv(int argc, char *argv[]) {
+                         break;
+
+                 case ARG_ROOT:
+-                        r = parse_path_argument_and_warn(optarg, true, &arg_root);
++                        r = parse_path_argument_and_warn(optarg, /* suppress_root= */ false, &arg_root);
+                         if (r < 0)
+                                 return r;
+                         break;
+
+From 4ae0e6b69fff5ed93ec2762bc40ea59f69c68a93 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Tue, 5 May 2020 23:23:00 +0200
+Subject: [PATCH 3/3] man: document the new tmpfiles --root= behaviour
+ regarding users
+
+---
+ man/systemd-tmpfiles.xml | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/man/systemd-tmpfiles.xml b/man/systemd-tmpfiles.xml
+index 7720ef53fa1..998fd0911ba 100644
+--- a/man/systemd-tmpfiles.xml
++++ b/man/systemd-tmpfiles.xml
+@@ -161,10 +161,10 @@
+         <listitem><para>Takes a directory path as an argument. All paths will be prefixed with the given alternate
+         <replaceable>root</replaceable> path, including config search paths.</para>
+
+-        <para>Note that this option does not alter how the users and groups specified in the configuration files are
+-        resolved. With or without this option, users and groups are always resolved according to the host's user and
+-        group databases, any such databases stored under the specified root directories are not
+-        consulted.</para></listitem>
++        <para>When this option is used, the libc Name Service Switch (NSS) is bypassed for resolving users
++        and groups. Instead the files <filename>/etc/passwd</filename> and <filename>/etc/group</filename>
++        inside the alternate root are read directly. This means that users/groups not listed in these files
++        will not be resolved, i.e. LDAP NIS and other complex databases are not considered.</para></listitem>
+       </varlistentry>
+
+       <varlistentry>
-- 
2.27.0

[Buildroot] [PATCH v2 12/14] package/systemd: pre-create directory for timesync user

[Norbert Lange]

On an read-only filesystem the timesync service will not start
as the state directory cant be created.
If the directory exists, then the service can start,
obviously wont safe its state, but will otherwise work.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/systemd.mk | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
index cb0278f3b7..a4f0f2ef33 100644
--- a/package/systemd/systemd.mk
+++ b/package/systemd/systemd.mk
@@ -475,6 +475,7 @@ SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_RM_SOURCE_CATALOGS_HOOK
 endif
 
 define SYSTEMD_INSTALL_INIT_HOOK
+	$(if $(SYSTEMD_TIMESYNCD_USER),mkdir -p $(TARGET_DIR)/var/lib/systemd/timesync)
 	ln -fs multi-user.target \
 		$(TARGET_DIR)/usr/lib/systemd/system/default.target
 endef
@@ -522,6 +523,10 @@ define SYSTEMD_USERS
 	$(SYSTEMD_TIMESYNCD_USER)
 endef
 
+define SYSTEMD_PERMISSIONS
+	$(if $(SYSTEMD_TIMESYNCD_USER),/var/lib/systemd/timesync d 755 systemd-timesync systemd-timesync - - - - -)
+endef
+
 ifneq ($(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT)),)
 # systemd provides multiple units to autospawn getty as neede
 # * getty at .service to start a getty on normal TTY
-- 
2.27.0

[Buildroot] [PATCH v2 13/14] systemd: remove hard dependency on dbus

[Norbert Lange]

A substantial functionality of systemd does not
depend on dbus anymore.
It is certainly possible to used most of its core
system managment functionality inclusive logging.

In other words, most commands from systemctl and
loginctl do work, aslong as used from root.

These features will need dbus (incomplete list):

-   Access to systemd from non-root
-   Loginctl
-   Timedatectl

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/Config.in | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index b09bd36ab6..a7f41d2a38 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -25,7 +25,6 @@ menuconfig BR2_PACKAGE_SYSTEMD
 	depends on BR2_TOOLCHAIN_GCC_AT_LEAST_5
 	depends on BR2_HOST_GCC_AT_LEAST_5 # host-systemd
 	select BR2_PACKAGE_HAS_UDEV
-	select BR2_PACKAGE_DBUS # runtime dependency only
 	select BR2_PACKAGE_LIBCAP
 	select BR2_PACKAGE_UTIL_LINUX
 	select BR2_PACKAGE_UTIL_LINUX_LIBBLKID
@@ -90,6 +89,10 @@ if BR2_PACKAGE_SYSTEMD
 config BR2_PACKAGE_PROVIDES_UDEV
 	default "systemd"
 
+comment "systemd recommends enabling a dbus daemon"
+	depends on !BR2_PACKAGE_DBUS
+	depends on !BR2_PACKAGE_DBUS_BROKER
+
 config BR2_PACKAGE_SYSTEMD_BOOT
 	bool "systemd-boot"
 	depends on BR2_i386 || BR2_x86_64
-- 
2.27.0

[Buildroot] [PATCH v2 14/14] systemd: remove util-linux dependencies

[Norbert Lange]

systemd used only a small part of the util-linux binaries.
definitely needed are mount and umount from coreutils,
the rest of the tools could be provided by busybox aswell.

Signed-off-by: Norbert Lange <nolange79@gmail.com>
---
 package/systemd/Config.in | 2 --
 1 file changed, 2 deletions(-)

diff --git a/package/systemd/Config.in b/package/systemd/Config.in
index a7f41d2a38..0fbc1de432 100644
--- a/package/systemd/Config.in
+++ b/package/systemd/Config.in
@@ -29,10 +29,8 @@ menuconfig BR2_PACKAGE_SYSTEMD
 	select BR2_PACKAGE_UTIL_LINUX
 	select BR2_PACKAGE_UTIL_LINUX_LIBBLKID
 	select BR2_PACKAGE_UTIL_LINUX_LIBMOUNT
-	select BR2_PACKAGE_UTIL_LINUX_BINARIES
 	select BR2_PACKAGE_UTIL_LINUX_AGETTY
 	select BR2_PACKAGE_UTIL_LINUX_MOUNT
-	select BR2_PACKAGE_UTIL_LINUX_NOLOGIN
 	select BR2_PACKAGE_UTIL_LINUX_FSCK
 	select BR2_PACKAGE_KMOD
 	select BR2_PACKAGE_BUSYBOX_SHOW_OTHERS # kmod-tools
-- 
2.27.0

[Buildroot] [PATCH v2 02/14] package/systemd: remove unused user accounts

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> Since V235 the "gateway" and "upload" services use DynamicUsers,
> requiring no entries in /etc/passwd.
> This functionality requires nss-systemd, which is always
> enabled in buildroot.
> 
> The "bus-proxy" user was removed in V230.
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/systemd/systemd.mk | 3 ---
>  1 file changed, 3 deletions(-)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index cf6c0f9576..8e82d8afa7 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -502,10 +502,7 @@ define SYSTEMD_USERS
>  	- - systemd-journal -1 * - - - Journal
>  	- - render -1 * - - - DRI rendering nodes
>  	- - kvm -1 * - - - kvm nodes
> -	systemd-bus-proxy -1 systemd-bus-proxy -1 * - - - Proxy D-Bus messages to/from a bus
> -	systemd-journal-gateway -1 systemd-journal-gateway -1 * /var/log/journal - - Journal Gateway
>  	systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
> -	systemd-journal-upload -1 systemd-journal-upload -1 * - - - Journal Upload
>  	$(SYSTEMD_COREDUMP_USER)
>  	$(SYSTEMD_NETWORKD_USER)
>  	$(SYSTEMD_RESOLVED_USER)
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 03/14] package/systemd: create "remote" user if the feature is enabled

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/systemd/systemd.mk | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index 8e82d8afa7..ead4e70f95 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -214,6 +214,7 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE),y)
>  SYSTEMD_CONF_OPTS += -Dremote=true
> +SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
>  else
>  SYSTEMD_CONF_OPTS += -Dremote=false
>  endif
> @@ -502,7 +503,7 @@ define SYSTEMD_USERS
>  	- - systemd-journal -1 * - - - Journal
>  	- - render -1 * - - - DRI rendering nodes
>  	- - kvm -1 * - - - kvm nodes
> -	systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
> +	$(SYSTEMD_REMOTE_USER)
>  	$(SYSTEMD_COREDUMP_USER)
>  	$(SYSTEMD_NETWORKD_USER)
>  	$(SYSTEMD_RESOLVED_USER)
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 05/14] package/systemd: sync user comments to upstream

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> The necessary system users are documented in the projects README.
> 
> Description is matched to the ones in the upstream sysusers.d
> files. Remove homedirectory (upstream doesnt care either).
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>

Applied to master, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/systemd/systemd.mk | 10 +++++-----
>  1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index 6629c933cd..2cc71ee667 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -214,7 +214,7 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_SYSTEMD_JOURNAL_REMOTE),y)
>  SYSTEMD_CONF_OPTS += -Dremote=true
> -SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * /var/log/journal/remote - - Journal Remote
> +SYSTEMD_REMOTE_USER = systemd-journal-remote -1 systemd-journal-remote -1 * - - - systemd Journal Remote
>  else
>  SYSTEMD_CONF_OPTS += -Dremote=false
>  endif
> @@ -358,7 +358,7 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_SYSTEMD_COREDUMP),y)
>  SYSTEMD_CONF_OPTS += -Dcoredump=true
> -SYSTEMD_COREDUMP_USER = systemd-coredump -1 systemd-coredump -1 * /var/lib/systemd/coredump - - Core Dumper
> +SYSTEMD_COREDUMP_USER = systemd-coredump -1 systemd-coredump -1 * - - - systemd core dump processing
>  else
>  SYSTEMD_CONF_OPTS += -Dcoredump=false
>  endif
> @@ -378,7 +378,7 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_SYSTEMD_NETWORKD),y)
>  SYSTEMD_CONF_OPTS += -Dnetworkd=true
> -SYSTEMD_NETWORKD_USER = systemd-network -1 systemd-network -1 * - - - Network Manager
> +SYSTEMD_NETWORKD_USER = systemd-network -1 systemd-network -1 * - - - systemd Network Management
>  SYSTEMD_NETWORKD_DHCP_IFACE = $(call qstrip,$(BR2_SYSTEM_DHCP))
>  ifneq ($(SYSTEMD_NETWORKD_DHCP_IFACE),)
>  define SYSTEMD_INSTALL_NETWORK_CONFS
> @@ -397,7 +397,7 @@ define SYSTEMD_INSTALL_RESOLVCONF_HOOK
>  		$(TARGET_DIR)/etc/resolv.conf
>  endef
>  SYSTEMD_CONF_OPTS += -Dnss-resolve=true -Dresolve=true
> -SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - Network Name Resolution Manager
> +SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - systemd Resolver
>  else
>  SYSTEMD_CONF_OPTS += -Dnss-resolve=false -Dresolve=false
>  endif
> @@ -414,7 +414,7 @@ endif
>  
>  ifeq ($(BR2_PACKAGE_SYSTEMD_TIMESYNCD),y)
>  SYSTEMD_CONF_OPTS += -Dtimesyncd=true
> -SYSTEMD_TIMESYNCD_USER = systemd-timesync -1 systemd-timesync -1 * - - - Network Time Synchronization
> +SYSTEMD_TIMESYNCD_USER = systemd-timesync -1 systemd-timesync -1 * - - - systemd Time Synchronization
>  else
>  SYSTEMD_CONF_OPTS += -Dtimesyncd=false
>  endif
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 07/14] package/systemd: fixup RPATH for more systemd host binaries

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> All systemd binaries depend on libsystemd-shared and need their
> RPATH fixed. Use a glob to catch them all
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/systemd/systemd.mk | 17 +++++------------
>  1 file changed, 5 insertions(+), 12 deletions(-)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index 2cc71ee667..2c7f35bf25 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -659,6 +659,8 @@ HOST_SYSTEMD_DEPENDENCIES = \
>  	host-libcap \
>  	host-gperf
>  
> +HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
> +
>  # Fix RPATH After installation
>  # * systemd provides a install_rpath instruction to meson because the binaries
>  #   need to link with libsystemd which is not in a standard path
> @@ -667,20 +669,11 @@ HOST_SYSTEMD_DEPENDENCIES = \
>  # * the original path had been tweaked by buildroot via LDFLAGS to add
>  #   $(HOST_DIR)/lib
>  # * thus re-tweak rpath after the installation for all binaries that need it
> -HOST_SYSTEMD_HOST_TOOLS = \
> -	systemd-analyze \
> -	systemd-machine-id-setup \
> -	systemd-mount \
> -	systemd-nspawn \
> -	systemctl \
> -	udevadm
> -
> -HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
>  
>  define HOST_SYSTEMD_FIX_RPATH
> -	$(foreach f,$(HOST_SYSTEMD_HOST_TOOLS), \
> -		$(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $(HOST_DIR)/bin/$(f)
> -	)
> +	cd $(HOST_DIR)/bin && for f in journalctl systemctl udevadm systemd-*; do \
> +	  [ ! -x $$f ] || $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $$f; \
> +	  done

You fell in the usual trap: if patchelf fails, then the error is not
caught, and the loop continues and ends succesfully, while in fact there
was an error...

There are two solutions to fix that:

  - with the loop implemented in shell, terminate the command in the
    loop with:  || exit 1

      $(HOST_DIR)/bin/patchelf [...] $$f || exit 1;

  - keep the loop implemented in Makefile:

    HOST_SYSTEMD_HOST_TOOLS = $(wildcard $(addprefix $(HOST_DIR)/bin,journalctl systemctl udevadm systemd-*))
    $(foreach f,$(HOST_SYSTEMD_HOST_TOOLS), \
        $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $(HOST_DIR)/bin/$(f)
    )

Needless to say that we tend to prefer the second solution.

Regards,
Yann E. MORIN.

>  endef
>  HOST_SYSTEMD_POST_INSTALL_HOOKS += HOST_SYSTEMD_FIX_RPATH
>  
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 07/14] package/systemd: fixup RPATH for more systemd host binaries

[Norbert Lange]

Am Mo., 15. Juni 2020 um 11:53 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Norbert, All,
>
> On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > All systemd binaries depend on libsystemd-shared and need their
> > RPATH fixed. Use a glob to catch them all
> >
> > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > ---
> >  package/systemd/systemd.mk | 17 +++++------------
> >  1 file changed, 5 insertions(+), 12 deletions(-)
> >
> > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > index 2cc71ee667..2c7f35bf25 100644
> > --- a/package/systemd/systemd.mk
> > +++ b/package/systemd/systemd.mk
> > @@ -659,6 +659,8 @@ HOST_SYSTEMD_DEPENDENCIES = \
> >       host-libcap \
> >       host-gperf
> >
> > +HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
> > +
> >  # Fix RPATH After installation
> >  # * systemd provides a install_rpath instruction to meson because the binaries
> >  #   need to link with libsystemd which is not in a standard path
> > @@ -667,20 +669,11 @@ HOST_SYSTEMD_DEPENDENCIES = \
> >  # * the original path had been tweaked by buildroot via LDFLAGS to add
> >  #   $(HOST_DIR)/lib
> >  # * thus re-tweak rpath after the installation for all binaries that need it
> > -HOST_SYSTEMD_HOST_TOOLS = \
> > -     systemd-analyze \
> > -     systemd-machine-id-setup \
> > -     systemd-mount \
> > -     systemd-nspawn \
> > -     systemctl \
> > -     udevadm
> > -
> > -HOST_SYSTEMD_NINJA_ENV = DESTDIR=$(HOST_DIR)
> >
> >  define HOST_SYSTEMD_FIX_RPATH
> > -     $(foreach f,$(HOST_SYSTEMD_HOST_TOOLS), \
> > -             $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $(HOST_DIR)/bin/$(f)
> > -     )
> > +     cd $(HOST_DIR)/bin && for f in journalctl systemctl udevadm systemd-*; do \
> > +       [ ! -x $$f ] || $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $$f; \
> > +       done
>
> You fell in the usual trap: if patchelf fails, then the error is not
> caught, and the loop continues and ends succesfully, while in fact there
> was an error...
>
> There are two solutions to fix that:
>
>   - with the loop implemented in shell, terminate the command in the
>     loop with:  || exit 1
>
>       $(HOST_DIR)/bin/patchelf [...] $$f || exit 1;
>
>   - keep the loop implemented in Makefile:
>
>     HOST_SYSTEMD_HOST_TOOLS = $(wildcard $(addprefix $(HOST_DIR)/bin,journalctl systemctl udevadm systemd-*))
>     $(foreach f,$(HOST_SYSTEMD_HOST_TOOLS), \
>         $(HOST_DIR)/bin/patchelf --set-rpath $(HOST_DIR)/lib:$(HOST_DIR)/lib/systemd $(HOST_DIR)/bin/$(f)
>     )
>
> Needless to say that we tend to prefer the second solution.

ACK. I will fix this up this evening.
(was already curious about the use of wildcard elsewhere)

Norbert

[Buildroot] [PATCH v2 02/14] package/systemd: remove unused user accounts

[Norbert Lange]

Am Mo., 15. Juni 2020 um 11:42 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Norbert, All,
>
> On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > Since V235 the "gateway" and "upload" services use DynamicUsers,
> > requiring no entries in /etc/passwd.
> > This functionality requires nss-systemd, which is always
> > enabled in buildroot.
> >
> > The "bus-proxy" user was removed in V230.
> >
> > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>
>
> Applied to master, thanks.
>
> Regards,
> Yann E. MORIN.
>

Hi,

unfortunately this depends on nss-systemd being available and
configured (Patch #1).
I dont know if removing those users made the current status worse for
these services,
but any service with DynamicUser=yes might not work correctly without
a configured nss-systemd.

Tests this:

# save this as /run/systemd/system/test.service
# systemctl daemon-reload
# systemct start test
----------------------------------------------------------
[Unit]
Description=Test DynamicUser

[Service]
ExecStart=id -n -u
DynamicUser=yes
----------------------------------------------------------

This should give you as name "test", not a number and not an error

Norbert

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> This adds configuration of the nsswitch.conf file,
> it does so by pathing the template provided by systemd.
> 
> The template is fully populated, the services that are
> not available are removed.
> 
> If the plugin nss-compat is not available, the entries
> will be replaced with nss-files.

systemd is glibc-only, and libnss_compat.so* is provided by glibc. What
glibc does not provide it?

> nss-systemd is used for the DynamicUser features,
> which is a defacto necessity for systemd.
> It handles transient users/groups without
> touching the /etc/{passwd,group} files on disk.
> 
> nss-myhostname allows resolving the hostname,
> again without touching files in /etc.
> Enabling this feature requires configuring the plugin.
> 
> nss-resolve is part of resolved, and required for
> consistent dns lookups.
> 
> nss-mymachines adds name resolution from
> containers.
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/systemd/systemd.mk | 16 ++++++++++++++++
>  1 file changed, 16 insertions(+)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index e61cec80f0..cf6c0f9576 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
>  	touch $(TARGET_DIR)/etc/machine-id
>  endef
>  
> +define SYSTEMD_NSSCONFIG_HOOK
> +	[ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \

As said above, this is supposed to always exist in a glibc-based
toolchain, which is all that systemd supports, so I don;t see why we
would want to replace the 'compat' plugin by the 'files' one.

> +		sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf

We already have a variable that does 'sed -i' :

    $(SED) 's,\bcompat\b,files,g' $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf 

> +	[ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \

Usually, we do not test configuration-level conditions in shell, but in
Makefile:

    ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
    define SYSTEMD_NSSWITCH_CONF_RESOLVED
        sed blablabla...
    endef
    SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED   # See below, point 3...
    endif

> +		sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \

"[[:space:]][:space:]]*" is equivalent to "[[:space:]]+".

> +		-e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf

As I understand it, you are trying to remove the 'resolve' plugin,
whether it has a follwing "[action]" or not, right? If so, here's my
proposal of a simpler regexp that cactches both cases:

    's,\bresolve[[:space:]]+(\[[^]]+\])?[[:space:]],,g'

> +	[ "$(BR2_PACKAGE_SYSTEMD_MYHOSTNAME)" = "y" ] || \
> +		sed -e 's,\bmyhostname[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> +		-e 's,\bmyhostname\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf

Ditto the condition and the sed regexp.

> +	[ "$(BR2_PACKAGE_SYSTEMD_MACHINED)" = "y" ] || \
> +		sed -e 's,\bmymachines[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> +		-e 's,\bmymachines\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf

Ditto the condition and the sed regexp.

> +	install -m644 $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf $(TARGET_DIR)/etc/nsswitch.conf

I'm definitely not happy with all those hacks, because:

 1. /etc/nsswitch.conf is already provided by the glibc package, so
    overwriting it will not play nicely with per-package directories,

 2. we already have other packages that may tweak that file, like:
    package/nss-mdns/nss-mdns.mk
    package/nss-myhostname/nss-myhostname.mk

 3. which brings us to the point that this file should be tweaked as a
    target-finalize hook

Regards,
Yann E. MORIN.

> +endef
> +
>  SYSTEMD_POST_INSTALL_TARGET_HOOKS += \
> +	SYSTEMD_NSSCONFIG_HOOK \
>  	SYSTEMD_INSTALL_INIT_HOOK \
>  	SYSTEMD_INSTALL_MACHINEID_HOOK \
>  	SYSTEMD_INSTALL_RESOLVCONF_HOOK
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Norbert Lange]

Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Norbert, All,
>
> On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > This adds configuration of the nsswitch.conf file,
> > it does so by pathing the template provided by systemd.
> >
> > The template is fully populated, the services that are
> > not available are removed.
> >
> > If the plugin nss-compat is not available, the entries
> > will be replaced with nss-files.
>
> systemd is glibc-only, and libnss_compat.so* is provided by glibc. What
> glibc does not provide it?

see: toolchain/toolchain-external/pkg-toolchain-external.mk
you only copy over ibnss_files there.

>
> > nss-systemd is used for the DynamicUser features,
> > which is a defacto necessity for systemd.
> > It handles transient users/groups without
> > touching the /etc/{passwd,group} files on disk.
> >
> > nss-myhostname allows resolving the hostname,
> > again without touching files in /etc.
> > Enabling this feature requires configuring the plugin.
> >
> > nss-resolve is part of resolved, and required for
> > consistent dns lookups.
> >
> > nss-mymachines adds name resolution from
> > containers.
> >
> > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > ---
> >  package/systemd/systemd.mk | 16 ++++++++++++++++
> >  1 file changed, 16 insertions(+)
> >
> > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > index e61cec80f0..cf6c0f9576 100644
> > --- a/package/systemd/systemd.mk
> > +++ b/package/systemd/systemd.mk
> > @@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> >       touch $(TARGET_DIR)/etc/machine-id
> >  endef
> >
> > +define SYSTEMD_NSSCONFIG_HOOK
> > +     [ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \
>
> As said above, this is supposed to always exist in a glibc-based
> toolchain, which is all that systemd supports, so I don;t see why we
> would want to replace the 'compat' plugin by the 'files' one.

Well, until now, buildroot did use nothing but 'files'. I am not
against changing that,
but I dont complain about having the choice.
the 'compat' plugin doesn't add anything I care about, if it adds IPC
then I would
actually prefer not using it.

>
> > +             sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
>
> We already have a variable that does 'sed -i' :
>
>     $(SED) 's,\bcompat\b,files,g' $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
>
> > +     [ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \
>
> Usually, we do not test configuration-level conditions in shell, but in
> Makefile:
>
>     ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
>     define SYSTEMD_NSSWITCH_CONF_RESOLVED
>         sed blablabla...
>     endef
>     SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED   # See below, point 3...
>     endif

That's overly fragmented IHMO,
I thought about $(if $(BR2_PACKAGE_SYSTEMD_RESOLVED),sed blahblah),
that would need replacing of the commas.

>
> > +             sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
>
> "[[:space:]][:space:]]*" is equivalent to "[[:space:]]+".
>
> > +             -e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
>
> As I understand it, you are trying to remove the 'resolve' plugin,
> whether it has a follwing "[action]" or not, right? If so, here's my
> proposal of a simpler regexp that cactches both cases:
>
>     's,\bresolve[[:space:]]+(\[[^]]+\])?[[:space:]],,g'

I suppose $(SED) enables extended regex?

>
> > +     [ "$(BR2_PACKAGE_SYSTEMD_MYHOSTNAME)" = "y" ] || \
> > +             sed -e 's,\bmyhostname[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> > +             -e 's,\bmyhostname\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
>
> Ditto the condition and the sed regexp.
>
> > +     [ "$(BR2_PACKAGE_SYSTEMD_MACHINED)" = "y" ] || \
> > +             sed -e 's,\bmymachines[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> > +             -e 's,\bmymachines\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
>
> Ditto the condition and the sed regexp.
>
> > +     install -m644 $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf $(TARGET_DIR)/etc/nsswitch.conf
>
> I'm definitely not happy with all those hacks, because:
>
>  1. /etc/nsswitch.conf is already provided by the glibc package, so
>     overwriting it will not play nicely with per-package directories,

using a separate default for systemd might make sense in the glibc package?
what about your arguments about 'compat' vs 'files' here?

At any rate, the file in /usr/share/factory/etc/nsswitch.conf should
prolly be kept in sync or removed.

>
>  2. we already have other packages that may tweak that file, like:
>     package/nss-mdns/nss-mdns.mk
>     package/nss-myhostname/nss-myhostname.mk
>
>  3. which brings us to the point that this file should be tweaked as a
>     target-finalize hook

kinda like this ?:
https://github.com/nolange/buildroot/commit/237eebe9c29c3b8ab68d3abead52e1b7b08e1649

Note that I am missing the line for mymachines, my sed-foo is too weak
to add that at the correct position.

Norbert

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Norbert Lange]

Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:

>  2. we already have other packages that may tweak that file, like:
>     package/nss-mdns/nss-mdns.mk
>     package/nss-myhostname/nss-myhostname.mk

The package nss-myhostname should be marked as conflicting with
BR2_PACKAGE_SYSTEMD_MYHOSTNAME.
(the plugin got assimilated by systemd)

Norbert

[Buildroot] [PATCH v2 09/14] package/systemd: option to delete all catalog files

[Jérémy ROSEN]

Hey Norbert

this is similar to the way hwdb source files are handled and,
if my understanding is correct, the general buildroot
philosophy is that that sort of files are not needed on the
target at all, since buildroot does not support on-target
updates. So i don't think an option is required, just
remove the files. (I'm a bit fuzzy on the buildroot philosophy,
but that's my understanding. If a real dev disagree, follow their
advice...)

Le lun. 15 juin 2020 ? 09:21, Norbert Lange <nolange79@gmail.com> a ?crit :

> Unless you need to rebuild the database, there is
> no need for the (source) catalog files.
>
> This option removes the files, and the service
> in a ROOTFS_PRE_CMD_HOOK.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/systemd/Config.in  | 12 ++++++++++++
>  package/systemd/systemd.mk | 10 ++++++++++
>  2 files changed, 22 insertions(+)
>
> diff --git a/package/systemd/Config.in b/package/systemd/Config.in
> index dd3b8c534d..b09bd36ab6 100644
> --- a/package/systemd/Config.in
> +++ b/package/systemd/Config.in
> @@ -251,6 +251,18 @@ config BR2_PACKAGE_SYSTEMD_IMPORTD
>
>
> http://www.freedesktop.org/software/systemd/man/machinectl.html#Image%20Transfer%20Commands
>
> +config BR2_PACKAGE_SYSTEMD_RETAIN_CATALOGS
> +       bool "retain source catalog files"
> +       help
> +         catalog files are used to provide extended and potentially
> localized
> +         messages for the journal.
> +         The files reside in /usr/lib/systemd/catalog, but arent used
> directly,
> +         instead a binary database will be built using these files.
> +
> +         Only if the database needs to be rebuilt later they need to be
> retained.
> +
> +         https://www.freedesktop.org/wiki/Software/systemd/catalog/
> +
>  config BR2_PACKAGE_SYSTEMD_LOCALED
>         bool "enable locale daemon"
>         help
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index d3be92b78c..e117e3a082 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -464,6 +464,16 @@ ifneq ($(SYSTEMD_FALLBACK_HOSTNAME),)
>  SYSTEMD_CONF_OPTS += -Dfallback-hostname=$(SYSTEMD_FALLBACK_HOSTNAME)
>  endif
>
> +ifneq ($(BR2_PACKAGE_SYSTEMD_RETAIN_CATALOGS),y)
> +define SYSTEMD_RM_SOURCE_CATALOGS_HOOK
> +       rm -rf $(TARGET_DIR)/usr/lib/systemd/catalog
> +       find $(TARGET_DIR)/usr/lib/systemd/system \
> +               -name systemd-journal-catalog-update.service -delete
> +endef
> +
> +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_RM_SOURCE_CATALOGS_HOOK
> +endif
> +
>  define SYSTEMD_INSTALL_INIT_HOOK
>         ln -fs multi-user.target \
>                 $(TARGET_DIR)/usr/lib/systemd/system/default.target
> --
> 2.27.0
>
>

-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200615/d363d117/attachment.html>

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Jérémy ROSEN]

I wonder how that would work with lines that contain %b (boot id)
and %m (machine-id)
my educated guest would be that it would create files with the host's
boot-id/machine-id. Thus leaking the host's information. This is not
good, especially the machine-id of the host which is confidential
information (not crypto-grade, but still shouldn't be leaked)

if systemd-tmpile supports that correctly (maybe skipping all %b %m
when --root is used) it's all fine. But I don't remember seeing that.

does it ?

Cheers
Jeremy


Le lun. 15 juin 2020 ? 09:21, Norbert Lange <nolange79@gmail.com> a ?crit :

> Especially for read-only filesystems it is helpfull to
> pre-create all folders for non-volatile paths.
>
> This needs to run under fakeroot to allow setting
> uids/gids/perms for the target fs.
>
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> ---
>  package/systemd/systemd.mk | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index e117e3a082..cb0278f3b7 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -599,6 +599,12 @@ SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
>  endif
>  SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
>
> +define SYSTEMD_CREATE_TMPFILES_HOOK
> +       $(HOST_DIR)/bin/systemd-tmpfiles --root=$(TARGET_DIR) --create
> --boot \
> +               $(addprefix --exclude-prefix=/,dev mnt proc run sys tmp)
> || :
> +endef
> +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_CREATE_TMPFILES_HOOK
> +
>  SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
>  SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
>
> @@ -652,7 +658,7 @@ HOST_SYSTEMD_CONF_OPTS = \
>         -Dvconsole=false \
>         -Dquotacheck=false \
>         -Dsysusers=false \
> -       -Dtmpfiles=false \
> +       -Dtmpfiles=true \
>         -Dimportd=false \
>         -Dhwdb=false \
>         -Drfkill=false \
> --
> 2.27.0
>
>

-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200615/d63d4561/attachment.html>

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Norbert Lange]

Am Mo., 15. Juni 2020 um 16:32 Uhr schrieb J?r?my ROSEN <
jeremy.rosen@smile.fr>:

> I wonder how that would work with lines that contain %b (boot id)
> and %m (machine-id)
> my educated guest would be that it would create files with the host's
> boot-id/machine-id. Thus leaking the host's information. This is not
> good, especially the machine-id of the host which is confidential
> information (not crypto-grade, but still shouldn't be leaked)
>

> if systemd-tmpile supports that correctly (maybe skipping all %b %m
> when --root is used) it's all fine. But I don't remember seeing that.
>
> does it ?
>

The default config files don't create files with machine-id, and %b is not
replaced at all AFAIR.
But I believe you are right that systemd-tmpfiles picks up the host
machine-id and would replace it.
Good catch, need to check.


>
> Cheers
> Jeremy
>
>
> Le lun. 15 juin 2020 ? 09:21, Norbert Lange <nolange79@gmail.com> a
> ?crit :
>
>> Especially for read-only filesystems it is helpfull to
>> pre-create all folders for non-volatile paths.
>>
>> This needs to run under fakeroot to allow setting
>> uids/gids/perms for the target fs.
>>
>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>> ---
>>  package/systemd/systemd.mk | 8 +++++++-
>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>
>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>> index e117e3a082..cb0278f3b7 100644
>> --- a/package/systemd/systemd.mk
>> +++ b/package/systemd/systemd.mk
>> @@ -599,6 +599,12 @@ SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
>>  endif
>>  SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
>>
>> +define SYSTEMD_CREATE_TMPFILES_HOOK
>> +       $(HOST_DIR)/bin/systemd-tmpfiles --root=$(TARGET_DIR) --create
>> --boot \
>> +               $(addprefix --exclude-prefix=/,dev mnt proc run sys tmp)
>> || :
>> +endef
>> +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_CREATE_TMPFILES_HOOK
>> +
>>  SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
>>  SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
>>
>> @@ -652,7 +658,7 @@ HOST_SYSTEMD_CONF_OPTS = \
>>         -Dvconsole=false \
>>         -Dquotacheck=false \
>>         -Dsysusers=false \
>> -       -Dtmpfiles=false \
>> +       -Dtmpfiles=true \
>>         -Dimportd=false \
>>         -Dhwdb=false \
>>         -Drfkill=false \
>> --
>> 2.27.0
>>
>>
>
> --
> [image: SMILE]  <http://www.smile.eu/>
>
> 20 rue des Jardins
> 92600 Asni?res-sur-Seine
> *J?r?my ROSEN*
> Architecte technique
>
> [image: email] jeremy.rosen at smile.fr
> [image: phone]  +33 6 88 25 87 42
> [image: url] http://www.smile.eu
>
> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
> <https://www.facebook.com/smileopensource> [image: LinkedIn]
> <https://www.linkedin.com/company/smile> [image: Github]
> <https://github.com/Smile-SA>
>
> [image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200615/9a4489b3/attachment.html>

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 14:14 +0200, Norbert Lange spake thusly:
> Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
> >
> > Norbert, All,
> >
> > On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > > This adds configuration of the nsswitch.conf file,
> > > it does so by pathing the template provided by systemd.
> > >
> > > The template is fully populated, the services that are
> > > not available are removed.
> > >
> > > If the plugin nss-compat is not available, the entries
> > > will be replaced with nss-files.
> >
> > systemd is glibc-only, and libnss_compat.so* is provided by glibc. What
> > glibc does not provide it?
> see: toolchain/toolchain-external/pkg-toolchain-external.mk
> you only copy over ibnss_files there.

Aha. But then I think this is more an oversight than a deliberate
filtering. In my opinion, the list should include libnss_*.so.*.

> > > nss-systemd is used for the DynamicUser features,
> > > which is a defacto necessity for systemd.
> > > It handles transient users/groups without
> > > touching the /etc/{passwd,group} files on disk.
> > >
> > > nss-myhostname allows resolving the hostname,
> > > again without touching files in /etc.
> > > Enabling this feature requires configuring the plugin.
> > >
> > > nss-resolve is part of resolved, and required for
> > > consistent dns lookups.
> > >
> > > nss-mymachines adds name resolution from
> > > containers.
> > >
> > > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > > ---
> > >  package/systemd/systemd.mk | 16 ++++++++++++++++
> > >  1 file changed, 16 insertions(+)
> > >
> > > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > > index e61cec80f0..cf6c0f9576 100644
> > > --- a/package/systemd/systemd.mk
> > > +++ b/package/systemd/systemd.mk
> > > @@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> > >       touch $(TARGET_DIR)/etc/machine-id
> > >  endef
> > >
> > > +define SYSTEMD_NSSCONFIG_HOOK
> > > +     [ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \
> >
> > As said above, this is supposed to always exist in a glibc-based
> > toolchain, which is all that systemd supports, so I don;t see why we
> > would want to replace the 'compat' plugin by the 'files' one.
> 
> Well, until now, buildroot did use nothing but 'files'. I am not
> against changing that,
> but I dont complain about having the choice.
> the 'compat' plugin doesn't add anything I care about, if it adds IPC
> then I would
> actually prefer not using it.

So I had a look at the nsswitch.conf man page, and the 'compat' plugin
is described as:

    The NSS "compat" service is similar to "files" except that it
    additionally permits special entries in corresponding files for
    granting users or members of netgroups access to the system.

So, in the context of Buildroot, we can just plain replace 'compat' with
'files' uncondtionally.

> > > +             sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> >
> > We already have a variable that does 'sed -i' :
> >
> >     $(SED) 's,\bcompat\b,files,g' $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> >
> > > +     [ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \
> >
> > Usually, we do not test configuration-level conditions in shell, but in
> > Makefile:
> >
> >     ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
> >     define SYSTEMD_NSSWITCH_CONF_RESOLVED
> >         sed blablabla...
> >     endef
> >     SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED   # See below, point 3...
> >     endif
> That's overly fragmented IHMO,

... but much more in line with how we do it elsewhere.

> I thought about $(if $(BR2_PACKAGE_SYSTEMD_RESOLVED),sed blahblah),
> that would need replacing of the commas.

Alternatively, that could be used, yes, but I still prefer the one-hook
per option, even if it is still fragmented.

But the conditional options already exist elsewhere in the file, so the
corresponding conditional blocks can be re-used and extended. For example,
there is already a conditional block for BR2_PACKAGE_SYSTEMD_RESOLVED:

    https://git.buildroot.org/buildroot/tree/package/systemd/systemd.mk#n394

     ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
     define SYSTEMD_INSTALL_RESOLVCONF_HOOK
         ln -sf ../run/systemd/resolve/resolv.conf \
             $(TARGET_DIR)/etc/resolv.conf
     endef
     SYSTEMD_CONF_OPTS += -Dnss-resolve=true -Dresolve=true
     SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - systemd Resolver
    +define SYSTEMD_NSSWITCH_CONF_RESOLVED
    +    sed blablabla...
    +endef
    +SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED
     else
     SYSTEMD_CONF_OPTS += -Dnss-resolve=false -Dresolve=false
     endif

> > > +             sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> >
> > "[[:space:]][:space:]]*" is equivalent to "[[:space:]]+".
> >
> > > +             -e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> >
> > As I understand it, you are trying to remove the 'resolve' plugin,
> > whether it has a follwing "[action]" or not, right? If so, here's my
> > proposal of a simpler regexp that cactches both cases:
> >
> >     's,\bresolve[[:space:]]+(\[[^]]+\])?[[:space:]],,g'
> I suppose $(SED) enables extended regex?

Unfortunately, it does not (so it matches your usage):

    https://git.buildroot.org/buildroot/tree/Makefile#n313

Hmm... But see below, using $(SED) might not be a good idea.

[--SNIP--]
> >  1. /etc/nsswitch.conf is already provided by the glibc package, so
> >     overwriting it will not play nicely with per-package directories,
> using a separate default for systemd might make sense in the glibc package?
> what about your arguments about 'compat' vs 'files' here?

Moot now: switch to using 'files' unconditionally.

> At any rate, the file in /usr/share/factory/etc/nsswitch.conf should
> prolly be kept in sync or removed.

Not sure I understand that one...

> >  2. we already have other packages that may tweak that file, like:
> >     package/nss-mdns/nss-mdns.mk
> >     package/nss-myhostname/nss-myhostname.mk
> >
> >  3. which brings us to the point that this file should be tweaked as a
> >     target-finalize hook
> 
> kinda like this ?:
> https://github.com/nolange/buildroot/commit/237eebe9c29c3b8ab68d3abead52e1b7b08e1649

I still think it should be made to be target-finalize hooks, one for
each option.

Also, I don;t get why you want to use the one in factory, rather than
tweak the existing /etc/nsswitch.conf that has already been installed,
like the other nss plugins do.

And then, at the end. copy the one from /etc/nsswitch.conf over to the
one in factory. That last one is a bit more tricky to come up with
correctly, as this must be done after all nss plugins have had a chance
to tweak nsswitch.conf. So I guess we should extend SYSTEMD_ROOTFS_PRE_CMD_HOOKS
with a new hook that copies /etc/nsswitch.conf over to the factory.

Regards,
Yann E. MORIN.

> Note that I am missing the line for mymachines, my sed-foo is too weak
> to add that at the correct position.
> 
> Norbert

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Jérémy ROSEN]

>
>
>
> > At any rate, the file in /usr/share/factory/etc/nsswitch.conf should
> > prolly be kept in sync or removed.
>
> Not sure I understand that one...
>
>
the directories /usr/share/factory/etc and /usr/share/factory/var  will
be automatically copied to /etv and /var very early at boot if those
directories are empty or do not exist.

the point is to be able to boot a totally empty rootfs except for /usr.
Apparently this is a common practice in datacenters, allowing to
have '/' be a tmpfs, /usr being read-only and having a completely
stateless boot.

That's actually pretty cool, and I had the idea of enabling this in
buildroot at some point.
For me there are two cases that buildroot should handle

* either empty entirely /usr/share/factory at the end of the boot
  and disable the feature entirely to save staff
* or automatically copy /etc and /var to the factory at the end
  of the boot to make this feature work reliably.

Anyway, a proper handling of that feature is probably a
completely different patchset...


> > >  2. we already have other packages that may tweak that file, like:
> > >     package/nss-mdns/nss-mdns.mk
> > >     package/nss-myhostname/nss-myhostname.mk
> > >
> > >  3. which brings us to the point that this file should be tweaked as a
> > >     target-finalize hook
> >
> > kinda like this ?:
> >
> https://github.com/nolange/buildroot/commit/237eebe9c29c3b8ab68d3abead52e1b7b08e1649
>
> I still think it should be made to be target-finalize hooks, one for
> each option.
>
> Also, I don;t get why you want to use the one in factory, rather than
> tweak the existing /etc/nsswitch.conf that has already been installed,
> like the other nss plugins do.
>
> And then, at the end. copy the one from /etc/nsswitch.conf over to the
> one in factory. That last one is a bit more tricky to come up with
> correctly, as this must be done after all nss plugins have had a chance
> to tweak nsswitch.conf. So I guess we should extend
> SYSTEMD_ROOTFS_PRE_CMD_HOOKS
> with a new hook that copies /etc/nsswitch.conf over to the factory.
>
> Regards,
> Yann E. MORIN.
>
> > Note that I am missing the line for mymachines, my sed-foo is too weak
> > to add that at the correct position.
> >
> > Norbert
>
> --
>
> .-----------------.--------------------.------------------.--------------------.
> |  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics'
> conspiracy: |
> | +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___
>      |
> | +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is
> no  |
> | http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v
>  conspiracy.  |
>
> '------------------------------^-------^------------------^--------------------'
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200616/6f6bd8ed/attachment.html>

[Buildroot] [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 14:28 +0200, Norbert Lange spake thusly:
> Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
> >  2. we already have other packages that may tweak that file, like:
> >     package/nss-mdns/nss-mdns.mk
> >     package/nss-myhostname/nss-myhostname.mk
> The package nss-myhostname should be marked as conflicting with
> BR2_PACKAGE_SYSTEMD_MYHOSTNAME.
> (the plugin got assimilated by systemd)

That's already the case.

Regards,
Yann E. MORIN.

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] Fwd: [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Norbert Lange]

Seems I missed the reply all,
would like to know if I can add something like this in *systemd.mk*,
or if this is against buildroots policy:

GLIBC_NSS_PLUGIN_RESOLVE = resolve

Norbert

---------- Forwarded message ---------
Von: Norbert Lange <nolange79@gmail.com>
Date: Mo., 15. Juni 2020 um 20:12 Uhr
Subject: Re: [PATCH v2 01/14] package/systemd: configure nss plugins
in nsswitch.conf
To: Yann E. MORIN <yann.morin.1998@free.fr>


Am Mo., 15. Juni 2020 um 18:54 Uhr schrieb Yann E. MORIN
<yann.morin.1998@free.fr>:
>
> Norbert, All,
>
> On 2020-06-15 14:14 +0200, Norbert Lange spake thusly:
> > Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
> > <yann.morin.1998@free.fr>:
> > >
> > > Norbert, All,
> > >
> > > On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > > > This adds configuration of the nsswitch.conf file,
> > > > it does so by pathing the template provided by systemd.
> > > >
> > > > The template is fully populated, the services that are
> > > > not available are removed.
> > > >
> > > > If the plugin nss-compat is not available, the entries
> > > > will be replaced with nss-files.
> > >
> > > systemd is glibc-only, and libnss_compat.so* is provided by glibc. What
> > > glibc does not provide it?
> > see: toolchain/toolchain-external/pkg-toolchain-external.mk
> > you only copy over ibnss_files there.
>
> Aha. But then I think this is more an oversight than a deliberate
> filtering. In my opinion, the list should include libnss_*.so.*.
>
> > > > nss-systemd is used for the DynamicUser features,
> > > > which is a defacto necessity for systemd.
> > > > It handles transient users/groups without
> > > > touching the /etc/{passwd,group} files on disk.
> > > >
> > > > nss-myhostname allows resolving the hostname,
> > > > again without touching files in /etc.
> > > > Enabling this feature requires configuring the plugin.
> > > >
> > > > nss-resolve is part of resolved, and required for
> > > > consistent dns lookups.
> > > >
> > > > nss-mymachines adds name resolution from
> > > > containers.
> > > >
> > > > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > > > ---
> > > >  package/systemd/systemd.mk | 16 ++++++++++++++++
> > > >  1 file changed, 16 insertions(+)
> > > >
> > > > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > > > index e61cec80f0..cf6c0f9576 100644
> > > > --- a/package/systemd/systemd.mk
> > > > +++ b/package/systemd/systemd.mk
> > > > @@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> > > >       touch $(TARGET_DIR)/etc/machine-id
> > > >  endef
> > > >
> > > > +define SYSTEMD_NSSCONFIG_HOOK
> > > > +     [ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \
> > >
> > > As said above, this is supposed to always exist in a glibc-based
> > > toolchain, which is all that systemd supports, so I don;t see why we
> > > would want to replace the 'compat' plugin by the 'files' one.
> >
> > Well, until now, buildroot did use nothing but 'files'. I am not
> > against changing that,
> > but I dont complain about having the choice.
> > the 'compat' plugin doesn't add anything I care about, if it adds IPC
> > then I would
> > actually prefer not using it.
>
> So I had a look at the nsswitch.conf man page, and the 'compat' plugin
> is described as:
>
>     The NSS "compat" service is similar to "files" except that it
>     additionally permits special entries in corresponding files for
>     granting users or members of netgroups access to the system.
>
> So, in the context of Buildroot, we can just plain replace 'compat' with
> 'files' uncondtionally.
>
> > > > +             sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > >
> > > We already have a variable that does 'sed -i' :
> > >
> > >     $(SED) 's,\bcompat\b,files,g' $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > >
> > > > +     [ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \
> > >
> > > Usually, we do not test configuration-level conditions in shell, but in
> > > Makefile:
> > >
> > >     ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
> > >     define SYSTEMD_NSSWITCH_CONF_RESOLVED
> > >         sed blablabla...
> > >     endef
> > >     SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED   # See below, point 3...
> > >     endif
> > That's overly fragmented IHMO,
>
> ... but much more in line with how we do it elsewhere.
>
> > I thought about $(if $(BR2_PACKAGE_SYSTEMD_RESOLVED),sed blahblah),
> > that would need replacing of the commas.
>
> Alternatively, that could be used, yes, but I still prefer the one-hook
> per option, even if it is still fragmented.
>
> But the conditional options already exist elsewhere in the file, so the
> corresponding conditional blocks can be re-used and extended. For example,
> there is already a conditional block for BR2_PACKAGE_SYSTEMD_RESOLVED:
>
>     https://git.buildroot.org/buildroot/tree/package/systemd/systemd.mk#n394
>
>      ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
>      define SYSTEMD_INSTALL_RESOLVCONF_HOOK
>          ln -sf ../run/systemd/resolve/resolv.conf \
>              $(TARGET_DIR)/etc/resolv.conf
>      endef
>      SYSTEMD_CONF_OPTS += -Dnss-resolve=true -Dresolve=true
>      SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - systemd Resolver
>     +define SYSTEMD_NSSWITCH_CONF_RESOLVED
>     +    sed blablabla...
>     +endef
>     +SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED
>      else
>      SYSTEMD_CONF_OPTS += -Dnss-resolve=false -Dresolve=false
>      endif
>
> > > > +             sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> > >
> > > "[[:space:]][:space:]]*" is equivalent to "[[:space:]]+".
> > >
> > > > +             -e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > >
> > > As I understand it, you are trying to remove the 'resolve' plugin,
> > > whether it has a follwing "[action]" or not, right? If so, here's my
> > > proposal of a simpler regexp that cactches both cases:
> > >
> > >     's,\bresolve[[:space:]]+(\[[^]]+\])?[[:space:]],,g'
> > I suppose $(SED) enables extended regex?
>
> Unfortunately, it does not (so it matches your usage):
>
>     https://git.buildroot.org/buildroot/tree/Makefile#n313
>
> Hmm... But see below, using $(SED) might not be a good idea.

The "below" seems missing, dont see where this is picked up again.

>
> [--SNIP--]
> > >  1. /etc/nsswitch.conf is already provided by the glibc package, so
> > >     overwriting it will not play nicely with per-package directories,
> > using a separate default for systemd might make sense in the glibc package?
> > what about your arguments about 'compat' vs 'files' here?
>
> Moot now: switch to using 'files' unconditionally.
>
> > At any rate, the file in /usr/share/factory/etc/nsswitch.conf should
> > prolly be kept in sync or removed.
>
> Not sure I understand that one...

The files should be identical on the rootfs, or just
/etc/nsswitch.conf should remain.

>
> > >  2. we already have other packages that may tweak that file, like:
> > >     package/nss-mdns/nss-mdns.mk
> > >     package/nss-myhostname/nss-myhostname.mk
> > >
> > >  3. which brings us to the point that this file should be tweaked as a
> > >     target-finalize hook
> >
> > kinda like this ?:
> > https://github.com/nolange/buildroot/commit/237eebe9c29c3b8ab68d3abead52e1b7b08e1649
>
> I still think it should be made to be target-finalize hooks, one for
> each option.
>
> Also, I don;t get why you want to use the one in factory, rather than
> tweak the existing /etc/nsswitch.conf that has already been installed,
> like the other nss plugins do.

I did not know about other nss plugins, I blindly assumed buildroot consequently
ignored nsswitch.conf.
I use the one in the factory to use a known template, instead potentially
messing up after multiple target installs (I know, not official supported,
but I bet its common to dir-clean a package and make again).

>
> And then, at the end. copy the one from /etc/nsswitch.conf over to the
> one in factory. That last one is a bit more tricky to come up with
> correctly, as this must be done after all nss plugins have had a chance
> to tweak nsswitch.conf. So I guess we should extend SYSTEMD_ROOTFS_PRE_CMD_HOOKS
> with a new hook that copies /etc/nsswitch.conf over to the factory.

I brought this up before, what about adding a full featured
/etc/nsswitch.conf in
either glibc or one of the skeletons?

Or even crazier, add one with placeholders for *all* packages in buildroot
in package glibc, and packages wanting to hook
a nss plugin would set a variable, in the form:

# (this is in systemd.mk, hope a variable with GLIBC prefix is allowed?)
GLIBC_NSS_PLUGIN_RESOLVE = resolve

# this is in glibc.mk
define GLIBC_INSTALL_NSSWITCH_HOOK
  sed $(SYSTEMD_PKGDIR)/nsswitch.tmp > $(TARGET_DIR)/etc/nsswitch.conf \
    -e 's, at resolve@,$(GLIBC_NSS_PLUGIN_RESOLVE),g'
    ......
endef
GLIBC_TARGET_FINALIZE_HOOKS += GLIBC_INSTALL_NSSWITCH_HOOK

I'd work out the details, so tell me if that's a viable solution.
The advantages would be that you can have a consistent order of nss
plugins in the template,
and that the file is generated at one place, instead in a potentially
changing order of
sed's

The downside of course would be that this place would need to know
about all nss plugins,
but if you want to hook up a new plugin you should need to think about
the correct order
relative to all other plugins.


>
> Regards,
> Yann E. MORIN.
>
> > Note that I am missing the line for mymachines, my sed-foo is too weak
> > to add that at the correct position.

Case in point.

(I hope its not this line you meant with "using $(SED) might not be a
good idea")

Norbert

[Buildroot] Fwd: [PATCH v2 01/14] package/systemd: configure nss plugins in nsswitch.conf

[Yann E. MORIN]

Norbert, All,

On 2020-06-26 00:27 +0200, Norbert Lange spake thusly:
> Seems I missed the reply all,
> would like to know if I can add something like this in *systemd.mk*,
> or if this is against buildroots policy:
> 
> GLIBC_NSS_PLUGIN_RESOLVE = resolve

No, this is not acceptable. Packages must not mess with other packages.

As I already explained, tweaking the nsswitch,conf file *must* be done
as target-finalize hooks, like is already used in systemd to generate
the hwdb for example.

Additionally, if you really want to have the factory nsswitch.conf to be
up-to-date with the one in ./etc, then copy if from the one in /etc
after it has been tweaked.

Regards,
Yann E. MORIN.

> Norbert
> 
> ---------- Forwarded message ---------
> Von: Norbert Lange <nolange79@gmail.com>
> Date: Mo., 15. Juni 2020 um 20:12 Uhr
> Subject: Re: [PATCH v2 01/14] package/systemd: configure nss plugins
> in nsswitch.conf
> To: Yann E. MORIN <yann.morin.1998@free.fr>
> 
> 
> Am Mo., 15. Juni 2020 um 18:54 Uhr schrieb Yann E. MORIN
> <yann.morin.1998@free.fr>:
> >
> > Norbert, All,
> >
> > On 2020-06-15 14:14 +0200, Norbert Lange spake thusly:
> > > Am Mo., 15. Juni 2020 um 13:48 Uhr schrieb Yann E. MORIN
> > > <yann.morin.1998@free.fr>:
> > > >
> > > > Norbert, All,
> > > >
> > > > On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> > > > > This adds configuration of the nsswitch.conf file,
> > > > > it does so by pathing the template provided by systemd.
> > > > >
> > > > > The template is fully populated, the services that are
> > > > > not available are removed.
> > > > >
> > > > > If the plugin nss-compat is not available, the entries
> > > > > will be replaced with nss-files.
> > > >
> > > > systemd is glibc-only, and libnss_compat.so* is provided by glibc. What
> > > > glibc does not provide it?
> > > see: toolchain/toolchain-external/pkg-toolchain-external.mk
> > > you only copy over ibnss_files there.
> >
> > Aha. But then I think this is more an oversight than a deliberate
> > filtering. In my opinion, the list should include libnss_*.so.*.
> >
> > > > > nss-systemd is used for the DynamicUser features,
> > > > > which is a defacto necessity for systemd.
> > > > > It handles transient users/groups without
> > > > > touching the /etc/{passwd,group} files on disk.
> > > > >
> > > > > nss-myhostname allows resolving the hostname,
> > > > > again without touching files in /etc.
> > > > > Enabling this feature requires configuring the plugin.
> > > > >
> > > > > nss-resolve is part of resolved, and required for
> > > > > consistent dns lookups.
> > > > >
> > > > > nss-mymachines adds name resolution from
> > > > > containers.
> > > > >
> > > > > Signed-off-by: Norbert Lange <nolange79@gmail.com>
> > > > > ---
> > > > >  package/systemd/systemd.mk | 16 ++++++++++++++++
> > > > >  1 file changed, 16 insertions(+)
> > > > >
> > > > > diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> > > > > index e61cec80f0..cf6c0f9576 100644
> > > > > --- a/package/systemd/systemd.mk
> > > > > +++ b/package/systemd/systemd.mk
> > > > > @@ -472,7 +472,23 @@ define SYSTEMD_INSTALL_MACHINEID_HOOK
> > > > >       touch $(TARGET_DIR)/etc/machine-id
> > > > >  endef
> > > > >
> > > > > +define SYSTEMD_NSSCONFIG_HOOK
> > > > > +     [ -r "$$(find $(TARGET_DIR)/usr/lib -name libnss_compat.so.*)" ] || \
> > > >
> > > > As said above, this is supposed to always exist in a glibc-based
> > > > toolchain, which is all that systemd supports, so I don;t see why we
> > > > would want to replace the 'compat' plugin by the 'files' one.
> > >
> > > Well, until now, buildroot did use nothing but 'files'. I am not
> > > against changing that,
> > > but I dont complain about having the choice.
> > > the 'compat' plugin doesn't add anything I care about, if it adds IPC
> > > then I would
> > > actually prefer not using it.
> >
> > So I had a look at the nsswitch.conf man page, and the 'compat' plugin
> > is described as:
> >
> >     The NSS "compat" service is similar to "files" except that it
> >     additionally permits special entries in corresponding files for
> >     granting users or members of netgroups access to the system.
> >
> > So, in the context of Buildroot, we can just plain replace 'compat' with
> > 'files' uncondtionally.
> >
> > > > > +             sed 's,\bcompat\b,files,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > > >
> > > > We already have a variable that does 'sed -i' :
> > > >
> > > >     $(SED) 's,\bcompat\b,files,g' $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > > >
> > > > > +     [ "$(BR2_PACKAGE_SYSTEMD_RESOLVED)" = "y" ] || \
> > > >
> > > > Usually, we do not test configuration-level conditions in shell, but in
> > > > Makefile:
> > > >
> > > >     ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
> > > >     define SYSTEMD_NSSWITCH_CONF_RESOLVED
> > > >         sed blablabla...
> > > >     endef
> > > >     SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED   # See below, point 3...
> > > >     endif
> > > That's overly fragmented IHMO,
> >
> > ... but much more in line with how we do it elsewhere.
> >
> > > I thought about $(if $(BR2_PACKAGE_SYSTEMD_RESOLVED),sed blahblah),
> > > that would need replacing of the commas.
> >
> > Alternatively, that could be used, yes, but I still prefer the one-hook
> > per option, even if it is still fragmented.
> >
> > But the conditional options already exist elsewhere in the file, so the
> > corresponding conditional blocks can be re-used and extended. For example,
> > there is already a conditional block for BR2_PACKAGE_SYSTEMD_RESOLVED:
> >
> >     https://git.buildroot.org/buildroot/tree/package/systemd/systemd.mk#n394
> >
> >      ifeq ($(BR2_PACKAGE_SYSTEMD_RESOLVED),y)
> >      define SYSTEMD_INSTALL_RESOLVCONF_HOOK
> >          ln -sf ../run/systemd/resolve/resolv.conf \
> >              $(TARGET_DIR)/etc/resolv.conf
> >      endef
> >      SYSTEMD_CONF_OPTS += -Dnss-resolve=true -Dresolve=true
> >      SYSTEMD_RESOLVED_USER = systemd-resolve -1 systemd-resolve -1 * - - - systemd Resolver
> >     +define SYSTEMD_NSSWITCH_CONF_RESOLVED
> >     +    sed blablabla...
> >     +endef
> >     +SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_NSSWITCH_CONF_RESOLVED
> >      else
> >      SYSTEMD_CONF_OPTS += -Dnss-resolve=false -Dresolve=false
> >      endif
> >
> > > > > +             sed -e 's,\bresolve[[:space:]][[:space:]]*\[[^]]*\][[:space:]]*,,g' \
> > > >
> > > > "[[:space:]][:space:]]*" is equivalent to "[[:space:]]+".
> > > >
> > > > > +             -e 's,\bresolve\b[[:space:]]*,,g' -i $(TARGET_DIR)/usr/share/factory/etc/nsswitch.conf
> > > >
> > > > As I understand it, you are trying to remove the 'resolve' plugin,
> > > > whether it has a follwing "[action]" or not, right? If so, here's my
> > > > proposal of a simpler regexp that cactches both cases:
> > > >
> > > >     's,\bresolve[[:space:]]+(\[[^]]+\])?[[:space:]],,g'
> > > I suppose $(SED) enables extended regex?
> >
> > Unfortunately, it does not (so it matches your usage):
> >
> >     https://git.buildroot.org/buildroot/tree/Makefile#n313
> >
> > Hmm... But see below, using $(SED) might not be a good idea.
> 
> The "below" seems missing, dont see where this is picked up again.
> 
> >
> > [--SNIP--]
> > > >  1. /etc/nsswitch.conf is already provided by the glibc package, so
> > > >     overwriting it will not play nicely with per-package directories,
> > > using a separate default for systemd might make sense in the glibc package?
> > > what about your arguments about 'compat' vs 'files' here?
> >
> > Moot now: switch to using 'files' unconditionally.
> >
> > > At any rate, the file in /usr/share/factory/etc/nsswitch.conf should
> > > prolly be kept in sync or removed.
> >
> > Not sure I understand that one...
> 
> The files should be identical on the rootfs, or just
> /etc/nsswitch.conf should remain.
> 
> >
> > > >  2. we already have other packages that may tweak that file, like:
> > > >     package/nss-mdns/nss-mdns.mk
> > > >     package/nss-myhostname/nss-myhostname.mk
> > > >
> > > >  3. which brings us to the point that this file should be tweaked as a
> > > >     target-finalize hook
> > >
> > > kinda like this ?:
> > > https://github.com/nolange/buildroot/commit/237eebe9c29c3b8ab68d3abead52e1b7b08e1649
> >
> > I still think it should be made to be target-finalize hooks, one for
> > each option.
> >
> > Also, I don;t get why you want to use the one in factory, rather than
> > tweak the existing /etc/nsswitch.conf that has already been installed,
> > like the other nss plugins do.
> 
> I did not know about other nss plugins, I blindly assumed buildroot consequently
> ignored nsswitch.conf.
> I use the one in the factory to use a known template, instead potentially
> messing up after multiple target installs (I know, not official supported,
> but I bet its common to dir-clean a package and make again).
> 
> >
> > And then, at the end. copy the one from /etc/nsswitch.conf over to the
> > one in factory. That last one is a bit more tricky to come up with
> > correctly, as this must be done after all nss plugins have had a chance
> > to tweak nsswitch.conf. So I guess we should extend SYSTEMD_ROOTFS_PRE_CMD_HOOKS
> > with a new hook that copies /etc/nsswitch.conf over to the factory.
> 
> I brought this up before, what about adding a full featured
> /etc/nsswitch.conf in
> either glibc or one of the skeletons?
> 
> Or even crazier, add one with placeholders for *all* packages in buildroot
> in package glibc, and packages wanting to hook
> a nss plugin would set a variable, in the form:
> 
> # (this is in systemd.mk, hope a variable with GLIBC prefix is allowed?)
> GLIBC_NSS_PLUGIN_RESOLVE = resolve
> 
> # this is in glibc.mk
> define GLIBC_INSTALL_NSSWITCH_HOOK
>   sed $(SYSTEMD_PKGDIR)/nsswitch.tmp > $(TARGET_DIR)/etc/nsswitch.conf \
>     -e 's, at resolve@,$(GLIBC_NSS_PLUGIN_RESOLVE),g'
>     ......
> endef
> GLIBC_TARGET_FINALIZE_HOOKS += GLIBC_INSTALL_NSSWITCH_HOOK
> 
> I'd work out the details, so tell me if that's a viable solution.
> The advantages would be that you can have a consistent order of nss
> plugins in the template,
> and that the file is generated at one place, instead in a potentially
> changing order of
> sed's
> 
> The downside of course would be that this place would need to know
> about all nss plugins,
> but if you want to hook up a new plugin you should need to think about
> the correct order
> relative to all other plugins.
> 
> 
> >
> > Regards,
> > Yann E. MORIN.
> >
> > > Note that I am missing the line for mymachines, my sed-foo is too weak
> > > to add that at the correct position.
> 
> Case in point.
> 
> (I hope its not this line you meant with "using $(SED) might not be a
> good idea")
> 
> Norbert

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 04/14] package/systemd: cosmetic rearrange list of users

[Yann E. MORIN]

Norbert, All,

On 2020-06-15 09:20 +0200, Norbert Lange spake thusly:
> Group the udev users first, to make clear which software
> requires them.
> 
> Signed-off-by: Norbert Lange <nolange79@gmail.com>
> Reviewed-by: J?r?my Rosen <jeremy.rosen@smile.fr>

I don;t care much about the separation: indeed, this is the systemd
package, and thus all users defined herein arwe needed by any one of
the systemd component. That they be sorted I don;t care much, as long as
the conditional ones come after the non-conditional ones.

If I had been slightly more pedant, I'd have re-ordered them
alphabetically. But oh well... ;-)

Applied to mster, thanks.

Regards,
Yann E. MORIN.

> ---
>  package/systemd/systemd.mk | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
> index ead4e70f95..6629c933cd 100644
> --- a/package/systemd/systemd.mk
> +++ b/package/systemd/systemd.mk
> @@ -499,10 +499,12 @@ define SYSTEMD_INSTALL_IMAGES_CMDS
>  endef
>  
>  define SYSTEMD_USERS
> +	# udev user groups
>  	- - input -1 * - - - Input device group
> -	- - systemd-journal -1 * - - - Journal
>  	- - render -1 * - - - DRI rendering nodes
>  	- - kvm -1 * - - - kvm nodes
> +	# systemd user groups
> +	- - systemd-journal -1 * - - - Journal
>  	$(SYSTEMD_REMOTE_USER)
>  	$(SYSTEMD_COREDUMP_USER)
>  	$(SYSTEMD_NETWORKD_USER)
> -- 
> 2.27.0
> 

-- 
.-----------------.--------------------.------------------.--------------------.
|  Yann E. MORIN  | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software  Designer | \ / CAMPAIGN     |  ___               |
| +33 561 099 427 `------------.-------:  X  AGAINST      |  \e/  There is no  |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL    |   v   conspiracy.  |
'------------------------------^-------^------------------^--------------------'

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Adam Duskett]

On Mon, Jun 15, 2020 at 7:59 AM Norbert Lange <nolange79@gmail.com> wrote:

>
>
> Am Mo., 15. Juni 2020 um 16:32 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
>
>> I wonder how that would work with lines that contain %b (boot id)
>> and %m (machine-id)
>> my educated guest would be that it would create files with the host's
>> boot-id/machine-id. Thus leaking the host's information. This is not
>> good, especially the machine-id of the host which is confidential
>> information (not crypto-grade, but still shouldn't be leaked)
>>
>
>> if systemd-tmpile supports that correctly (maybe skipping all %b %m
>> when --root is used) it's all fine. But I don't remember seeing that.
>>
>> does it ?
>>
>
> The default config files don't create files with machine-id, and %b is not
> replaced at all AFAIR.
> But I believe you are right that systemd-tmpfiles picks up the host
> machine-id and would replace it.
> Good catch, need to check.
>


>  FYI, this issue is being worked on:
> https://github.com/systemd/systemd/pull/16187
>


>
>> Cheers
>> Jeremy
>>
>>
>> Le lun. 15 juin 2020 ? 09:21, Norbert Lange <nolange79@gmail.com> a
>> ?crit :
>>
>>> Especially for read-only filesystems it is helpfull to
>>> pre-create all folders for non-volatile paths.
>>>
>>> This needs to run under fakeroot to allow setting
>>> uids/gids/perms for the target fs.
>>>
>>> Signed-off-by: Norbert Lange <nolange79@gmail.com>
>>> ---
>>>  package/systemd/systemd.mk | 8 +++++++-
>>>  1 file changed, 7 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/package/systemd/systemd.mk b/package/systemd/systemd.mk
>>> index e117e3a082..cb0278f3b7 100644
>>> --- a/package/systemd/systemd.mk
>>> +++ b/package/systemd/systemd.mk
>>> @@ -599,6 +599,12 @@ SYSTEMD_TARGET_FINALIZE_HOOKS += PURGE_LOCALES
>>>  endif
>>>  SYSTEMD_TARGET_FINALIZE_HOOKS += SYSTEMD_UPDATE_CATALOGS
>>>
>>> +define SYSTEMD_CREATE_TMPFILES_HOOK
>>> +       $(HOST_DIR)/bin/systemd-tmpfiles --root=$(TARGET_DIR) --create
>>> --boot \
>>> +               $(addprefix --exclude-prefix=/,dev mnt proc run sys tmp)
>>> || :
>>> +endef
>>> +SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SYSTEMD_CREATE_TMPFILES_HOOK
>>> +
>>>  SYSTEMD_CONF_ENV = $(HOST_UTF8_LOCALE_ENV)
>>>  SYSTEMD_NINJA_ENV = $(HOST_UTF8_LOCALE_ENV)
>>>
>>> @@ -652,7 +658,7 @@ HOST_SYSTEMD_CONF_OPTS = \
>>>         -Dvconsole=false \
>>>         -Dquotacheck=false \
>>>         -Dsysusers=false \
>>> -       -Dtmpfiles=false \
>>> +       -Dtmpfiles=true \
>>>         -Dimportd=false \
>>>         -Dhwdb=false \
>>>         -Drfkill=false \
>>> --
>>> 2.27.0
>>>
>>>
>>
>> --
>> [image: SMILE]  <http://www.smile.eu/>
>>
>> 20 rue des Jardins
>> 92600 Asni?res-sur-Seine
>> *J?r?my ROSEN*
>> Architecte technique
>>
>> [image: email] jeremy.rosen at smile.fr
>> [image: phone]  +33 6 88 25 87 42
>> [image: url] http://www.smile.eu
>>
>> [image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
>> <https://www.facebook.com/smileopensource> [image: LinkedIn]
>> <https://www.linkedin.com/company/smile> [image: Github]
>> <https://github.com/Smile-SA>
>>
>> [image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
>> <https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200928/3e28f12b/attachment.html>

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Norbert Lange]

Am Montag, 28. September 2020 schrieb Adam Duskett <aduskett@gmail.com>:

>
>
> On Mon, Jun 15, 2020 at 7:59 AM Norbert Lange <nolange79@gmail.com> wrote:
>
>>
>>
>> Am Mo., 15. Juni 2020 um 16:32 Uhr schrieb J?r?my ROSEN <
>> jeremy.rosen at smile.fr>:
>>
>>> I wonder how that would work with lines that contain %b (boot id)
>>> and %m (machine-id)
>>> my educated guest would be that it would create files with the host's
>>> boot-id/machine-id. Thus leaking the host's information. This is not
>>> good, especially the machine-id of the host which is confidential
>>> information (not crypto-grade, but still shouldn't be leaked)
>>>
>>
>>> if systemd-tmpile supports that correctly (maybe skipping all %b %m
>>> when --root is used) it's all fine. But I don't remember seeing that.
>>>
>>> does it ?
>>>
>>
>> The default config files don't create files with machine-id, and %b is
>> not replaced at all AFAIR.
>> But I believe you are right that systemd-tmpfiles picks up the host
>> machine-id and would replace it.
>> Good catch, need to check.
>>
>
>
>>  FYI, this issue is being worked on:
>> https://github.com/systemd/systemd/pull/16187
>>
>
That PR is from a guy with an username matching my initials. Weird ;)

I seem to be unable to get simple questions about the how unanswered (until
pushes that raises issues that I wanted to solve before spending time
coding, testing and adhering to coding guidelines).

Now I am thinking, that maybe a small separate tool supporting the
systemd-tmpfiles, systemd-sysusers and busybox makeusers "setup
functionality" might get done faster and might allow the config to be used.

I'm not motivated to face this head on for a while, at any rate.

Norbert
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200928/db2f0eae/attachment.html>

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Adam Duskett]

On Mon, Sep 28, 2020 at 12:00 PM Norbert Lange <nolange79@gmail.com> wrote:
>
>
>
> Am Montag, 28. September 2020 schrieb Adam Duskett <aduskett@gmail.com>:
>>
>>
>>
>> On Mon, Jun 15, 2020 at 7:59 AM Norbert Lange <nolange79@gmail.com> wrote:
>>>
>>>
>>>
>>> Am Mo., 15. Juni 2020 um 16:32 Uhr schrieb J?r?my ROSEN <jeremy.rosen@smile.fr>:
>>>>
>>>> I wonder how that would work with lines that contain %b (boot id)
>>>> and %m (machine-id)
>>>> my educated guest would be that it would create files with the host's
>>>> boot-id/machine-id. Thus leaking the host's information. This is not
>>>> good, especially the machine-id of the host which is confidential
>>>> information (not crypto-grade, but still shouldn't be leaked)
>>>>
>>>>
>>>> if systemd-tmpile supports that correctly (maybe skipping all %b %m
>>>> when --root is used) it's all fine. But I don't remember seeing that.
>>>>
>>>> does it ?
>>>
>>>
>>> The default config files don't create files with machine-id, and %b is not replaced at all AFAIR.
>>> But I believe you are right that systemd-tmpfiles picks up the host machine-id and would replace it.
>>> Good catch, need to check.
>>
>>
>>>
>>>  FYI, this issue is being worked on:
>>> https://github.com/systemd/systemd/pull/16187
>
>
> That PR is from a guy with an username matching my initials. Weird ;)
>
Crazy coincidence!

> I seem to be unable to get simple questions about the how unanswered (until pushes that raises issues that I wanted to solve before spending time coding, testing and adhering to coding guidelines).
>
> Now I am thinking, that maybe a small separate tool supporting the systemd-tmpfiles, systemd-sysusers and busybox makeusers "setup functionality" might get done faster and might allow the config to be used.
>
> I'm not motivated to face this head on for a while, at any rate.
>
To be fair, I did test your PR (updated to work with 246.5) and it
works perfectly. It's a shame it's so difficult to get Pottering
to respond to these things.


Adam
> Norbert

[Buildroot] [PATCH v2 10/14] package/systemd: invoke systemd-tmpfilesd on final image

[Jérémy ROSEN]

Agreed, he seems to have trouble grasping the embedded use-case...
(I am monitoring this PR too...)

The only thing I can say is "Hang on there, Norbert" these kind of things
take an unfortunate amount of time, but the systemd project tends to not
forget patches... even after a long time asleep.

Le lun. 28 sept. 2020 ? 22:27, Adam Duskett <aduskett@gmail.com> a ?crit :

> On Mon, Sep 28, 2020 at 12:00 PM Norbert Lange <nolange79@gmail.com>
> wrote:
> >
> >
> >
> > Am Montag, 28. September 2020 schrieb Adam Duskett <aduskett@gmail.com>:
> >>
> >>
> >>
> >> On Mon, Jun 15, 2020 at 7:59 AM Norbert Lange <nolange79@gmail.com>
> wrote:
> >>>
> >>>
> >>>
> >>> Am Mo., 15. Juni 2020 um 16:32 Uhr schrieb J?r?my ROSEN <
> jeremy.rosen at smile.fr>:
> >>>>
> >>>> I wonder how that would work with lines that contain %b (boot id)
> >>>> and %m (machine-id)
> >>>> my educated guest would be that it would create files with the host's
> >>>> boot-id/machine-id. Thus leaking the host's information. This is not
> >>>> good, especially the machine-id of the host which is confidential
> >>>> information (not crypto-grade, but still shouldn't be leaked)
> >>>>
> >>>>
> >>>> if systemd-tmpile supports that correctly (maybe skipping all %b %m
> >>>> when --root is used) it's all fine. But I don't remember seeing that.
> >>>>
> >>>> does it ?
> >>>
> >>>
> >>> The default config files don't create files with machine-id, and %b is
> not replaced at all AFAIR.
> >>> But I believe you are right that systemd-tmpfiles picks up the host
> machine-id and would replace it.
> >>> Good catch, need to check.
> >>
> >>
> >>>
> >>>  FYI, this issue is being worked on:
> >>> https://github.com/systemd/systemd/pull/16187
> >
> >
> > That PR is from a guy with an username matching my initials. Weird ;)
> >
> Crazy coincidence!
>
> > I seem to be unable to get simple questions about the how unanswered
> (until pushes that raises issues that I wanted to solve before spending
> time coding, testing and adhering to coding guidelines).
> >
> > Now I am thinking, that maybe a small separate tool supporting the
> systemd-tmpfiles, systemd-sysusers and busybox makeusers "setup
> functionality" might get done faster and might allow the config to be used.
> >
> > I'm not motivated to face this head on for a while, at any rate.
> >
> To be fair, I did test your PR (updated to work with 246.5) and it
> works perfectly. It's a shame it's so difficult to get Pottering
> to respond to these things.
>
>
> Adam
> > Norbert
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asni?res-sur-Seine
*J?r?my ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: D?couvrez l?univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200929/3765cd81/attachment.html>