* [PATCH 0/9] Make read-only rootfs work well with live images
@ 2013-07-26  7:39 Qi.Chen
  2013-07-26  7:39 ` [PATCH 1/9] init-live.sh: make $ROOT_MOUNT/media writable when necessary Qi.Chen
                   ` (8 more replies)
  0 siblings, 9 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

Previously, if no unification filesystem mechanism is compiled into kernel
and we are booting a live image, it's very likely the image cannot run correctly.

Now if we have 'read-only-rootfs' in IMAGE_FEATURES, the live image could start
correctly even if there's no unionfs like feature compiled in kernel.

//Chen Qi

The following changes since commit dc198141f6d158250bc13ad1130eb57975043270:

  initrdscripts: mount / as read-only when live-booting (2013-07-23 10:23:37 +0800)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/read-only-rootfs-in-live-images
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/read-only-rootfs-in-live-images

Chen Qi (9):
  init-live.sh: make $ROOT_MOUNT/media writable when necessary
  use a uniform way to determine whether rootfs is read-only
  udev: remove implicit dependency on initscripts
  populate-volatile.sh: use $ROOT_DIR/var/volatile/tmp as TMPDIR
  runqemu-internal: fix to start X correctly in live images
  initscripts: use a uniform way to handle directories in read-only
    rootfs
  irda-utils: make /etc/sysconfig writable in read-only rootfs
  lighttpd: make /www directory writable in read-only rootfs
  Generate ssh keys at rootfs creation time in case of a read-only
    rootfs

 meta/classes/image.bbclass                         |   19 +++++++---
 .../irda-utils/irda-utils_0.9.18.bb                |    4 +++
 meta/recipes-connectivity/openssh/openssh_6.2p2.bb |   10 ++++--
 meta/recipes-core/dropbear/dropbear.inc            |    6 +++-
 meta/recipes-core/dropbear/dropbear/init           |   19 ++--------
 meta/recipes-core/initrdscripts/files/init-live.sh |    2 ++
 .../initscripts/initscripts-1.0/functions          |   14 ++++++++
 .../initscripts-1.0/populate-volatile.sh           |    6 +++-
 .../initscripts-1.0/read-only-rootfs-hook.sh       |   21 ++++++++---
 meta/recipes-core/initscripts/initscripts_1.0.bb   |    5 +++
 meta/recipes-core/sysvinit/sysvinit/rcS-default    |    4 ---
 meta/recipes-core/udev/udev/init                   |   21 ++++++++---
 meta/recipes-core/udev/udev/udev-cache             |    5 +++
 meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb  |    3 ++
 .../0001-add-is_rootfs_readonly-to-functions.patch |   37 ++++++++++++++++++++
 meta/recipes-extended/lsb/lsbinitscripts_9.48.bb   |    1 +
 scripts/runqemu-internal                           |    2 +-
 17 files changed, 140 insertions(+), 39 deletions(-)
 create mode 100644 meta/recipes-extended/lsb/lsbinitscripts/0001-add-is_rootfs_readonly-to-functions.patch

-- 
1.7.9.5




* [PATCH 1/9] init-live.sh: make $ROOT_MOUNT/media writable when necessary
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 2/9] use a uniform way to determine whether rootfs is read-only Qi.Chen
                   ` (7 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

If the live image is mounted as read-only, we cannot make necessary
directories under $ROOT_MOUNT/media, so trying to move the mount points
leads to errors.

So in case that no unification filesystem mechanism is available in kernel
and the rootfs is mounted as read-only, we mount tmpfs on $ROOT_MOUNT/media
so that it's possible to make necessary directories under it.

[YOCTO #4881]
[YOCTO #4103]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-core/initrdscripts/files/init-live.sh |    2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-core/initrdscripts/files/init-live.sh b/meta/recipes-core/initrdscripts/files/init-live.sh
index ade7279..063a0f1 100644
--- a/meta/recipes-core/initrdscripts/files/init-live.sh
+++ b/meta/recipes-core/initrdscripts/files/init-live.sh
@@ -200,6 +200,8 @@ mount_and_boot() {
 	"")
 	    if ! mount -o ro,loop,noatime,nodiratime /media/$i/$ISOLINUX/$ROOT_IMAGE $ROOT_MOUNT ; then
 		fatal "Could not mount rootfs image"
+	    else
+		mount -t tmpfs -o rw,noatime,mode=755 tmpfs $ROOT_MOUNT/media
 	    fi
 	    ;;
     esac
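Review bot: The `mount -t tmpfs` added in the new `else` branch is neither checked for failure nor restricted with `nosuid,nodev`. If it fails, boot continues and the later moves of mount points under $ROOT_MOUNT/media hit the same read-only error this patch is meant to avoid. Suggest `mount -t tmpfs -o rw,nosuid,nodev,noatime,mode=755 tmpfs "$ROOT_MOUNT/media" || fatal "Could not mount tmpfs on $ROOT_MOUNT/media"`, with the variable quoted. The tmpfs also hides anything the image already ships under /media, which deserves a line in the commit message.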
-- 
1.7.9.5




* [PATCH 2/9] use a uniform way to determine whether rootfs is read-only
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
  2013-07-26  7:39 ` [PATCH 1/9] init-live.sh: make $ROOT_MOUNT/media writable when necessary Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 3/9] udev: remove implicit dependency on initscripts Qi.Chen
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

Previously, we had two ways to check whether the rootfs was read-only.
In some parts of the system, we determined whether the rootfs is read-only
by checking the fstab or /proc/mounts; in other parts of the system, we
used the value of ROOTFS_READ_ONLY in /etc/default/rcS as a criterion.

Having two ways to check the rootfs is confusing and makes systems inconsistent.

We should drop the use of ROOTFS_READ_ONLY and figure out a uniform and
consistent way to determine whether rootfs is read-only.

This patch fixes this problem by using the following strategy.

On target, we use /proc/mounts to check whether / is read-only; on host, we
use $ROOT_DIR/etc/fstab to check whether the rootfs is going to be mounted
as read-only or not.

[YOCTO #4880]
[YOCTO #4103]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/classes/image.bbclass                         |    4 ---
 .../initscripts/initscripts-1.0/functions          |   14 ++++++++
 .../initscripts-1.0/populate-volatile.sh           |    4 +++
 .../initscripts-1.0/read-only-rootfs-hook.sh       |    4 ++-
 meta/recipes-core/sysvinit/sysvinit/rcS-default    |    4 ---
 meta/recipes-core/udev/udev/init                   |    5 +++
 meta/recipes-core/udev/udev/udev-cache             |    5 +++
 .../0001-add-is_rootfs_readonly-to-functions.patch |   37 ++++++++++++++++++++
 meta/recipes-extended/lsb/lsbinitscripts_9.48.bb   |    1 +
 9 files changed, 69 insertions(+), 9 deletions(-)
 create mode 100644 meta/recipes-extended/lsb/lsbinitscripts/0001-add-is_rootfs_readonly-to-functions.patch

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 380ed8e..3bc57d3 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -258,10 +258,6 @@ read_only_rootfs_hook () {
 	if ${@base_contains("DISTRO_FEATURES", "sysvinit", "true", "false", d)}; then
 	        # Tweak the mount option and fs_passno for rootfs in fstab
 		sed -i -e '/^[#[:space:]]*rootfs/{s/defaults/ro/;s/\([[:space:]]*[[:digit:]]\)\([[:space:]]*\)[[:digit:]]$/\1\20/}' ${IMAGE_ROOTFS}/etc/fstab
-	        # Change the value of ROOTFS_READ_ONLY in /etc/default/rcS to yes
-		if [ -e ${IMAGE_ROOTFS}/etc/default/rcS ]; then
-			sed -i 's/ROOTFS_READ_ONLY=no/ROOTFS_READ_ONLY=yes/' ${IMAGE_ROOTFS}/etc/default/rcS
-		fi
 	        # Run populate-volatile.sh at rootfs time to set up basic files
 	        # and directories to support read-only rootfs.
 		if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/functions b/meta/recipes-core/initscripts/initscripts-1.0/functions
index 8e15762..ca477b7 100644
--- a/meta/recipes-core/initscripts/initscripts-1.0/functions
+++ b/meta/recipes-core/initscripts/initscripts-1.0/functions
@@ -58,3 +58,17 @@ status() {
     fi
     return 3
 }
+
+# Determine whether rootfs is read-only or not according to /proc/mounts or /etc/fstab.
+is_rootfs_readonly () {
+    local DIRNAME=`dirname $0`
+    local ROOT_DIR=`echo $DIRNAME | sed -ne 's:/etc/.*::p'`
+    local criteria_file
+    [ -n "$ROOT_DIR" ] && criteria_file="$ROOT_DIR/etc/fstab" || criteria_file="/proc/mounts"
+    local flag
+    for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' < $criteria_file`; do
+	[ "$flag" = "ro" ] && { echo "yes"; return 0; }
+    done
+    echo "no"
+    return 0
+}
\ No newline at end of file
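Review bot: is_rootfs_readonly() picks its input file from `$0`, so the answer depends on how the calling script was started. If a host-side caller is run by bare name or through a path without `/etc/` in it, ROOT_DIR comes out empty and the function silently reads the build host's /proc/mounts instead of the image's fstab. Passing the root directory as an argument would remove that ambiguity. The awk program also does not skip comment lines, so a commented-out fstab entry such as `#/dev/root / ...` still has `$2 == "/"` and is treated as live, and when several lines match only the last one is used. Please also quote `$0`, `$DIRNAME` and `$criteria_file`, and end the file with a newline.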
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh b/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
index 91c70efb..a760081 100755
--- a/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
@@ -13,8 +13,12 @@ DIRNAME=`dirname $0`
 ROOT_DIR=`echo $DIRNAME | sed -ne 's:/etc/.*::p'`
 
 [ -e ${ROOT_DIR}/etc/default/rcS ] && . ${ROOT_DIR}/etc/default/rcS
+FUNCTIONS_FILE="${ROOT_DIR}`readlink -f ${ROOT_DIR}/etc/init.d/functions`"
+. $FUNCTIONS_FILE
 # When running populate-volatile.sh at rootfs time, disable cache.
 [ -n "$ROOT_DIR" ] && VOLATILE_ENABLE_CACHE=no
+# Determine whether the rootfs is read-only
+ROOTFS_READ_ONLY=`is_rootfs_readonly`
 # If rootfs is read-only, disable cache.
 [ "$ROOTFS_READ_ONLY" = "yes" ] && VOLATILE_ENABLE_CACHE=no
 
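Review bot: The FUNCTIONS_FILE assignment prefixes ${ROOT_DIR} to the output of `readlink -f ${ROOT_DIR}/etc/init.d/functions`, which is only correct when that path is a symlink with an absolute target. For a regular file or a relative symlink, readlink -f already returns a path that contains ROOT_DIR, so at rootfs time the result is ROOT_DIR twice and the `.` fails. When the link is absolute, readlink -f resolves it against the build host's root rather than the image. The file is then sourced without an existence check. Suggest resolving the link relative to ROOT_DIR explicitly and guarding with `[ -r "$FUNCTIONS_FILE" ]` before sourcing, with a defined fallback for ROOTFS_READ_ONLY.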
diff --git a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
index 9cf0921..d523924 100644
--- a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
@@ -1,6 +1,8 @@
 #!/bin/sh
 
-. /etc/default/rcS
+. /etc/init.d/functions
+
+ROOTFS_READ_ONLY=`is_rootfs_readonly`
 
 [ "$ROOTFS_READ_ONLY" = "no" ] && exit 0
 
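Review bot: The exit test right after the new assignment still compares against "no", so the script treats any other value as read-only. If /etc/init.d/functions comes from a provider without is_rootfs_readonly, the command substitution yields an empty string, `[ "" = "no" ]` is false, and the script goes on to do the bind mounts on a writable rootfs. Suggest inverting the test to `[ "$ROOTFS_READ_ONLY" = "yes" ] || exit 0` so that an unknown state does nothing.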
diff --git a/meta/recipes-core/sysvinit/sysvinit/rcS-default b/meta/recipes-core/sysvinit/sysvinit/rcS-default
index 709cdf6..3c9dea9 100644
--- a/meta/recipes-core/sysvinit/sysvinit/rcS-default
+++ b/meta/recipes-core/sysvinit/sysvinit/rcS-default
@@ -23,7 +23,3 @@ FSCKFIX=yes
 #TICKADJ=10000
 # Enable caching in populate-volatile.sh
 VOLATILE_ENABLE_CACHE=yes
-# Indicate whether the rootfs is intended to be read-only or not.
-# Setting ROOTFS_READ_ONLY to yes and rebooting will give you a read-only rootfs.
-# Normally you should not change this value.
-ROOTFS_READ_ONLY=no
diff --git a/meta/recipes-core/udev/udev/init b/meta/recipes-core/udev/udev/init
index d90d446..4e5094a 100644
--- a/meta/recipes-core/udev/udev/init
+++ b/meta/recipes-core/udev/udev/init
@@ -79,6 +79,11 @@ case "$1" in
 			    echo "$NEWDATA" > /dev/shm/udev.cache
                     fi
 	    else
+		    # Determine whether the rootfs is read-only or not
+		    ROOTFS_READ_ONLY="no"
+		    for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
+			    [ "$flag" = "ro" ] && ROOTFS_READ_ONLY="yes"
+		    done
 		    if [ "$ROOTFS_READ_ONLY" != "yes" ]; then
 			    # If rootfs is not read-only, it's possible that a new udev cache would be generated;
 			    # otherwise, we do not bother to read files.
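Review bot: The awk loop added at the top of this `else` branch is another copy of the body of is_rootfs_readonly(), and udev-cache gets one more, which works against the "uniform way" in the subject line. Each copy has to be kept in step by hand. If udev must stay independent of the functions file, a small local helper in this script would at least keep the duplication to one place per file. The loop can also stop at the first match instead of scanning every flag.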
diff --git a/meta/recipes-core/udev/udev/udev-cache b/meta/recipes-core/udev/udev/udev-cache
index db5a513..862e0e6 100644
--- a/meta/recipes-core/udev/udev/udev-cache
+++ b/meta/recipes-core/udev/udev/udev-cache
@@ -18,6 +18,11 @@ export TZ=/etc/localtime
 [ -f /etc/default/rcS ] && . /etc/default/rcS
 [ -f /etc/default/udev-cache ] && . /etc/default/udev-cache
 
+ROOTFS_READ_ONLY="no"
+for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
+    [ "$flag" = "ro" ] && ROOTFS_READ_ONLY="yes"
+done
+
 if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
     [ "$VERBOSE" != "no" ] && echo "udev-cache: read-only rootfs, skip generating udev-cache"
     exit 0
diff --git a/meta/recipes-extended/lsb/lsbinitscripts/0001-add-is_rootfs_readonly-to-functions.patch b/meta/recipes-extended/lsb/lsbinitscripts/0001-add-is_rootfs_readonly-to-functions.patch
new file mode 100644
index 0000000..0efcf25
--- /dev/null
+++ b/meta/recipes-extended/lsb/lsbinitscripts/0001-add-is_rootfs_readonly-to-functions.patch
@@ -0,0 +1,37 @@
+From b8e8e7f93aca54561cc1d7945ef3ec7aca5f6f43 Mon Sep 17 00:00:00 2001
+From: Chen Qi <Qi.Chen@windriver.com>
+Date: Tue, 23 Jul 2013 10:48:32 +0800
+Subject: [PATCH] add is_rootfs_readonly to functions
+
+---
+ rc.d/init.d/functions |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/rc.d/init.d/functions b/rc.d/init.d/functions
+index a5b2b9e..0663c7f 100644
+--- a/rc.d/init.d/functions
++++ b/rc.d/init.d/functions
+@@ -577,6 +577,20 @@ apply_sysctl() {
+     fi
+ }
+ 
++# Determine whether rootfs is read-only or not according to /proc/mounts or /etc/fstab.
++is_rootfs_readonly () {
++    local DIRNAME=`dirname $0`
++    local ROOT_DIR=`echo $DIRNAME | sed -ne 's:/etc/.*::p'`
++    local criteria_file
++    [ -n "$ROOT_DIR" ] && criteria_file="$ROOT_DIR/etc/fstab" || criteria_file="/proc/mounts"
++    local flag
++    for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' < $criteria_file`; do
++	[ "$flag" = "ro" ] && { echo "yes"; return 0; }
++    done
++    echo "no"
++    return 0
++}
++
+ # A sed expression to filter out the files that is_ignored_file recognizes
+ __sed_discard_ignored_files='/\(~\|\.bak\|\.orig\|\.rpmnew\|\.rpmorig\|\.rpmsave\)$/d'
+ 
+-- 
+1.7.9.5
+
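Review bot: The header of the embedded 0001-add-is_rootfs_readonly-to-functions.patch goes straight from the Subject line to `---`, with no description, no Signed-off-by and no Upstream-Status tag. Patches carried in a recipe are expected to have an Upstream-Status line, so please add one along with a short explanation of why lsbinitscripts needs the function.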
diff --git a/meta/recipes-extended/lsb/lsbinitscripts_9.48.bb b/meta/recipes-extended/lsb/lsbinitscripts_9.48.bb
index 94f4bfe..87e65cf 100644
--- a/meta/recipes-extended/lsb/lsbinitscripts_9.48.bb
+++ b/meta/recipes-extended/lsb/lsbinitscripts_9.48.bb
@@ -8,6 +8,7 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=ebf4e8b49780ab187d51bd26aaa022c6"
 S="${WORKDIR}/initscripts-${PV}"
 SRC_URI = "http://pkgs.fedoraproject.org/repo/pkgs/initscripts/initscripts-9.48.tar.bz2/7dfab81a5a8d3f0dea5ba55e391c26f3/initscripts-9.48.tar.bz2 \
            file://functions.patch \
+           file://0001-add-is_rootfs_readonly-to-functions.patch \
           " 
 
 SRC_URI[md5sum] = "7dfab81a5a8d3f0dea5ba55e391c26f3"
-- 
1.7.9.5




* [PATCH 3/9] udev: remove implicit dependency on initscripts
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
  2013-07-26  7:39 ` [PATCH 1/9] init-live.sh: make $ROOT_MOUNT/media writable when necessary Qi.Chen
  2013-07-26  7:39 ` [PATCH 2/9] use a uniform way to determine whether rootfs is read-only Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 4/9] populate-volatile.sh: use $ROOT_DIR/var/volatile/tmp as TMPDIR Qi.Chen
                   ` (5 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

At some point, the udev was modified to source the functions from
initscripts or lsbinitscripts. This dependency is actually not needed.
If we use udev in a system where initscripts from oe-core is not available,
there will be errors.

This patch fixes this problem by removing the implicit dependency.

[YOCTO #4882]
[YOCTO #4103]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-core/udev/udev/init |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/meta/recipes-core/udev/udev/init b/meta/recipes-core/udev/udev/init
index 4e5094a..52c7925 100644
--- a/meta/recipes-core/udev/udev/init
+++ b/meta/recipes-core/udev/udev/init
@@ -9,8 +9,6 @@
 # Short-Description: Start udevd, populate /dev and load drivers.
 ### END INIT INFO
 
-. /etc/init.d/functions
-
 export TZ=/etc/localtime
 
 [ -d /sys/class ] || exit 1
@@ -31,6 +29,11 @@ readfiles () {
    done
 }
 
+kill_udevd () {
+    pid=`pidof -x udevd`
+    [ -n "$pid" ] && kill $pid
+}
+
 case "$1" in
   start)
     export ACTION=add
@@ -94,7 +97,7 @@ case "$1" in
     fi
 
     # make_extra_nodes
-    killproc udevd > "/dev/null" 2>&1
+    kill_udevd > "/dev/null" 2>&1
 
     # trigger the sorted events
     echo -e '\000\000\000\000' > /proc/sys/kernel/hotplug
@@ -119,7 +122,12 @@ case "$1" in
     $0 start
     ;;
   status)
-    status udevd
+    pid=`pidof -x udevd`
+    if [ -n "$pid" ]; then
+	echo "udevd (pid $pid) is running ..."
+    else
+	echo "udevd is stopped"
+    fi
     ;;
   *)
     echo "Usage: $0 {start|stop|status|restart}"
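Review bot: The new `status)` branch only prints a message and always falls through with exit status 0, whereas the removed `status udevd` call came from a helper that ends in `return 3` when the daemon is not found. Anything that scripts against `/etc/init.d/udev status` loses the ability to tell running from stopped. Suggest adding `exit 3` (or setting a return code) in the "udevd is stopped" arm.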
-- 
1.7.9.5




* [PATCH 4/9] populate-volatile.sh: use $ROOT_DIR/var/volatile/tmp as TMPDIR
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (2 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 3/9] udev: remove implicit dependency on initscripts Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 5/9] runqemu-internal: fix to start X correctly in live images Qi.Chen
                   ` (4 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

It's possible that a 'No such directory' error occurs when doing
check_requirement in populate-volatile.sh at rootfs time. This is
because the $ROOT_DIR/var/tmp might be a dead link.

Use $ROOT_DIR/var/volatile/tmp as the TMPDIR instead to avoid this
error.

[YOCTO #4883]
[YOCTO #4103]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../initscripts-1.0/populate-volatile.sh           |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh b/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
index a760081..d8ae14e 100755
--- a/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/populate-volatile.sh
@@ -23,7 +23,7 @@ ROOTFS_READ_ONLY=`is_rootfs_readonly`
 [ "$ROOTFS_READ_ONLY" = "yes" ] && VOLATILE_ENABLE_CACHE=no
 
 CFGDIR="${ROOT_DIR}/etc/default/volatiles"
-TMPROOT="${ROOT_DIR}/var/tmp"
+TMPROOT="${ROOT_DIR}/var/volatile/tmp"
 COREDEF="00_core"
 
 [ "${VERBOSE}" != "no" ] && echo "Populating volatile Filesystems."
-- 
1.7.9.5




* [PATCH 5/9] runqemu-internal: fix to start X correctly in live images
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (3 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 4/9] populate-volatile.sh: use $ROOT_DIR/var/volatile/tmp as TMPDIR Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 6/9] initscripts: use a uniform way to handle directories in read-only rootfs Qi.Chen
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

The QEMUOPTIONS for ISOFS was not complete, leading to failures when
trying to start X in live images.

This patch fixes this problem.

[YOCTO #4103]
[YOCTO #4884]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 scripts/runqemu-internal |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/runqemu-internal b/scripts/runqemu-internal
index 9619bec..8a6e551 100755
--- a/scripts/runqemu-internal
+++ b/scripts/runqemu-internal
@@ -526,7 +526,7 @@ if [ "x$RAMFS" = "xtrue" ]; then
 fi
 
 if [ "x$ISOFS" = "xtrue" ]; then
-    QEMUOPTIONS="-cdrom $ROOTFS"
+    QEMUOPTIONS="$QEMU_NETWORK_CMD -cdrom $ROOTFS $QEMU_UI_OPTIONS"
 fi
 
 if [ "x$QEMUOPTIONS" = "x" ]; then
-- 
1.7.9.5




* [PATCH 6/9] initscripts: use a uniform way to handle directories in read-only rootfs
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (4 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 5/9] runqemu-internal: fix to start X correctly in live images Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 7/9] irda-utils: make /etc/sysconfig writable " Qi.Chen
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

Packages in our system may need to write to some directories to function
correctly. In read-only rootfs, these directories should be made writable.

This patch uses a convenient and uniform way to handle such situations.
The read-only-rootfs-hook.sh script searches the /etc/default/readonly
directory for config files and then applies them one by one.

The config files simply have the following format.
<original directory> <corresponding directory in volatile story>

For example, /etc/default/readonly/initscripts has the following content.
/var/lib /var/volatile/lib

This patch only has effect for systems with read-only rootfs.

[YOCTO #4103]
[YOCTO #4888]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../initscripts-1.0/read-only-rootfs-hook.sh       |   17 ++++++++++++++---
 meta/recipes-core/initscripts/initscripts_1.0.bb   |    5 +++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
index d523924..b61f420 100644
--- a/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
+++ b/meta/recipes-core/initscripts/initscripts-1.0/read-only-rootfs-hook.sh
@@ -1,15 +1,26 @@
 #!/bin/sh
 
 . /etc/init.d/functions
+READONLY_CFGDIR="/etc/default/readonly"
 
 ROOTFS_READ_ONLY=`is_rootfs_readonly`
 
 [ "$ROOTFS_READ_ONLY" = "no" ] && exit 0
 
+apply_conf () {
+	cfgfile=$1
+	cat $cfgfile | while read line; do
+		eval `echo "$line" | sed -n "s/\(.*\)\ \(.*\)/DIR_READONLY=\1; DIR_VOLATILE=\2;/p"`
+		mkdir -p $DIR_VOLATILE
+		cp -a $DIR_READONLY/* $DIR_VOLATILE
+		mount --bind $DIR_VOLATILE $DIR_READONLY
+	done
+}
+
 if [ "$1" = "start" ] ; then
 	grep -q "tmpfs /var/volatile" /proc/mounts || mount /var/volatile
-	mkdir -p /var/volatile/lib
-	cp -a /var/lib/* /var/volatile/lib
-	mount --bind /var/volatile/lib /var/lib
+	for file in `ls -1 "$READONLY_CFGDIR"`; do
+		apply_conf "$READONLY_CFGDIR/$file"
+	done
 fi
 
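Review bot: apply_conf() passes every config line through `eval`, so whatever a file in /etc/default/readonly contains is executed as root at boot. A line with a `;`, backticks or `$(...)` in it runs as a command, and a line that does not match the sed pattern leaves DIR_READONLY and DIR_VOLATILE at their previous values for the mkdir, cp and mount that follow. Reading the two fields directly avoids both problems: `while read -r DIR_READONLY DIR_VOLATILE; do ... done < "$cfgfile"`, skipping empty lines and comments, with both variables quoted in the mkdir, cp and mount calls. Two smaller points in the same hunk: `cp -a $DIR_READONLY/*` misses dotfiles and fails on an empty directory (`cp -a "$DIR_READONLY/." "$DIR_VOLATILE"` handles both), and iterating with `for file in "$READONLY_CFGDIR"/*` is safer than parsing `ls -1`.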
diff --git a/meta/recipes-core/initscripts/initscripts_1.0.bb b/meta/recipes-core/initscripts/initscripts_1.0.bb
index 52e1c9c..46c4c99 100644
--- a/meta/recipes-core/initscripts/initscripts_1.0.bb
+++ b/meta/recipes-core/initscripts/initscripts_1.0.bb
@@ -105,6 +105,11 @@ do_install () {
 	install -m 0755 ${WORKDIR}/umountfs	${D}${sysconfdir}/init.d/umountfs
 	install -m 0755		${WORKDIR}/device_table.txt		${D}${sysconfdir}/device_table
 #
+# Create config files for read-only rootfs
+#
+	install -d ${D}${sysconfdir}/default/readonly
+	echo "/var/lib /var/volatile/lib" > ${D}${sysconfdir}/default/readonly/initscripts
+#
 # Create runlevel links
 #
 	update-rc.d -r ${D} rmnologin.sh start 99 2 3 4 5 .
-- 
1.7.9.5




* [PATCH 7/9] irda-utils: make /etc/sysconfig writable in read-only rootfs
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (5 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 6/9] initscripts: use a uniform way to handle directories in read-only rootfs Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 8/9] lighttpd: make /www directory " Qi.Chen
  2013-07-26  7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

This directory needs to be writable, the following error will appear
at system start-up.

   /etc/rc5.d/S20irattach: /etc/sysconfig/irda: Read-only file system

[YOCTO #4103]
[YOCTO #4886]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 .../irda-utils/irda-utils_0.9.18.bb                |    4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb b/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
index 575b0b1..4c8723e 100644
--- a/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
+++ b/meta/recipes-connectivity/irda-utils/irda-utils_0.9.18.bb
@@ -37,4 +37,8 @@ do_install () {
 
 	install -d ${D}${sysconfdir}/init.d
 	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/${INITSCRIPT_NAME}
+
+	# Create config files for read-only rootfs
+	install -d ${D}${sysconfdir}/default/readonly
+	echo "/etc/sysconfig /var/volatile/etc/sysconfig" > ${D}${sysconfdir}/default/readonly/irda-utils
 }
-- 
1.7.9.5




* [PATCH 8/9] lighttpd: make /www directory writable in read-only rootfs
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (6 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 7/9] irda-utils: make /etc/sysconfig writable " Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
  8 siblings, 0 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

This directory needs to be writable for system to work correctly.

[YOCTO #4103]
[YOCTO #4885]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb b/meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb
index df6ce97..c2f757d 100644
--- a/meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb
+++ b/meta/recipes-extended/lighttpd/lighttpd_1.4.32.bb
@@ -49,6 +49,9 @@ do_install_append() {
     install -m 0755 ${WORKDIR}/lighttpd ${D}${sysconfdir}/init.d
     install -m 0755 ${WORKDIR}/lighttpd.conf ${D}${sysconfdir}
     install -m 0644 ${WORKDIR}/index.html.lighttpd ${D}/www/pages/index.html
+    # Create config files for read-only rootfs
+    install -d ${D}${sysconfdir}/default/readonly
+    echo "/www /var/volatile/www" > ${D}${sysconfdir}/default/readonly/lighttpd
 }
 
 FILES_${PN} += "${sysconfdir} /www"
-- 
1.7.9.5




* [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
                   ` (7 preceding siblings ...)
  2013-07-26  7:39 ` [PATCH 8/9] lighttpd: make /www directory " Qi.Chen
@ 2013-07-26  7:39 ` Qi.Chen
  2013-07-26  9:28   ` Martin Jansa
                     ` (2 more replies)
  8 siblings, 3 replies; 16+ messages in thread
From: Qi.Chen @ 2013-07-26  7:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Zhangle.Yang

From: Chen Qi <Qi.Chen@windriver.com>

To avoid generating ssh keys every time a system with read-only rootfs
starts, we generate ssh keys at rootfs creation time.

This change only has effect for systems with read-only rootfs.

[YOCTO #4103]
[YOCTO #4887]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/classes/image.bbclass                         |   15 +++++++++++++++
 meta/recipes-connectivity/openssh/openssh_6.2p2.bb |   10 +++++++---
 meta/recipes-core/dropbear/dropbear.inc            |    6 +++++-
 meta/recipes-core/dropbear/dropbear/init           |   19 ++-----------------
 4 files changed, 29 insertions(+), 21 deletions(-)

diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index 3bc57d3..9a0692a 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -263,6 +263,21 @@ read_only_rootfs_hook () {
 		if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
 			${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
 		fi
+	        # Generate ssh keys at rootfs time
+		if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
+			[ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
+			DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
+			DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
+			test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
+			test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
+			dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
+			dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
+		fi
+		if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
+			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
+			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
+			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
+		fi
 	fi
 }
 
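Review bot: The dropbearkey and ssh-keygen calls added to read_only_rootfs_hook() write the host private keys into ${IMAGE_ROOTFS}, so every device booted from this image presents the same SSH host identity. Anyone who can obtain the image file also obtains those private keys and can impersonate any such device to its clients. Host keys should be unique per device: either keep generating them at first boot into volatile or persistent storage, as the dropbear init code removed later in this patch did under /var/lib/dropbear, or inject per-device keys at provisioning time. If baked-in keys are kept for development images, make that an explicit opt-in rather than a side effect of read-only-rootfs. Separately, `. ${IMAGE_ROOTFS}/etc/default/dropbear` sources a target file inside the build shell, and the expansions of $DROPBEAR_RSAKEY and $DROPBEAR_DSSKEY are unquoted. Reading just the two variables you need would be safer than sourcing the whole file.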
diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index ab2eefb..40dc4ca 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
@@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
 
 PR = "r0"
 
-DEPENDS = "zlib openssl"
+DEPENDS = "zlib openssl openssh-native"
+DEPENDS_class-native = "zlib-native openssl-native"
 DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
 RPROVIDES_${PN}-ssh = "ssh"
@@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
 INITSCRIPT_NAME_${PN}-sshd = "sshd"
 INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
 
-PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG_class-target ??= "tcp-wrappers"
 PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
 
 inherit autotools
@@ -49,6 +50,7 @@ inherit autotools
 # LFS support:
 CFLAGS += "-D__FILE_OFFSET_BITS=64"
 export LD = "${CC}"
+export LD_class-native = "${CC}"
 
 EXTRA_OECONF = "--with-rand-helper=no \
                 ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
@@ -74,7 +76,7 @@ do_compile_append () {
 	install -m 0644 ${WORKDIR}/ssh_config ${S}/
 }
 
-do_install_append () {
+do_install_append_class-target () {
 	for i in ${DISTRO_FEATURES};
 	do
 		if [ ${i} = "pam" ];  then
@@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
 
 RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
 RDEPENDS_${PN}-sshd += "${PN}-keygen"
+RDEPENDS_${PN}_class-native = ""
 
 CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
 CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
@@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
 ALTERNATIVE_${PN}-scp = "scp"
 ALTERNATIVE_${PN}-ssh = "ssh"
 
+BBCLASSEXTEND = "native"
diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
index be93d60..381b8aa 100644
--- a/meta/recipes-core/dropbear/dropbear.inc
+++ b/meta/recipes-core/dropbear/dropbear.inc
@@ -9,11 +9,13 @@ INC_PR = "r1"
 LICENSE = "MIT"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
 
-DEPENDS = "zlib"
+DEPENDS = "zlib dropbear-native"
 RPROVIDES_${PN} = "ssh sshd" 
 
 DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
 
+DEPENDS_class-native = "zlib-native"
+
 SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
            file://0001-urandom-xauth-changes-to-options.h.patch \
            file://0002-static_build_fix.patch \
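Review bot: DEPENDS_class-native = "zlib-native" is separated from the DEPENDS assignment by the RPROVIDES and DEPENDS += lines, and because the override replaces the whole value it also drops the libpam entry that DEPENDS += adds. If that is intended, put the override directly under DEPENDS, as the openssh recipe does, and add a comment saying the native build is meant to go without PAM.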
@@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
         rm ${sysconfdir}/dropbear/dropbear_dss_host_key
   fi
 }
+
+BBCLASSEXTEND = "native"
diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
index e8fed3f..5140b0b 100755
--- a/meta/recipes-core/dropbear/dropbear/init
+++ b/meta/recipes-core/dropbear/dropbear/init
@@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
 test -x "$DAEMON" || exit 0
 test ! -h /var/service/dropbear || exit 0
 
-readonly_rootfs=0
-for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
-  case $flag in
-   ro)
-     readonly_rootfs=1
-     ;;
-  esac
-done
-
-if [ $readonly_rootfs = "1" ]; then
-  mkdir -p /var/lib/dropbear
-  DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
-  DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
-else
-  DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
-  DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
-fi
+DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
+DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
 
 test -z "$DROPBEAR_BANNER" || \
   DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
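Review bot: removing the readonly_rootfs branch leaves /etc/dropbear as the only default key location, so a device whose rootfs is read-only but carries no keys in the image has no writable place left to generate them at boot. Keep the /var/lib/dropbear fallback for the case where / is read-only and the key file under /etc/dropbear does not exist.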
-- 
1.7.9.5




* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
@ 2013-07-26  9:28   ` Martin Jansa
  2013-07-26  9:52     ` Phil Blundell
  2013-07-26 11:08     ` Mike Looijmans
  2013-07-26 10:39   ` Enrico Scholz
  2013-07-29  1:55   ` ChenQi
  2 siblings, 2 replies; 16+ messages in thread
From: Martin Jansa @ 2013-07-26  9:28 UTC (permalink / raw)
  To: Qi.Chen; +Cc: Zhangle.Yang, openembedded-core


On Fri, Jul 26, 2013 at 03:39:36PM +0800, Qi.Chen@windriver.com wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
> 
> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.
> 
> This change only has effect for systems with read-only rootfs.

I'm not sure if having the same keys on all devices installed from the
same image is always desired behavior, imho it should be controlled by
another variable, because some people want read-only rootfs and keys
generated in some other write-able partition.

> [YOCTO #4103]
> [YOCTO #4887]
> 
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>  meta/classes/image.bbclass                         |   15 +++++++++++++++
>  meta/recipes-connectivity/openssh/openssh_6.2p2.bb |   10 +++++++---
>  meta/recipes-core/dropbear/dropbear.inc            |    6 +++++-
>  meta/recipes-core/dropbear/dropbear/init           |   19 ++-----------------
>  4 files changed, 29 insertions(+), 21 deletions(-)
> 
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 3bc57d3..9a0692a 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -263,6 +263,21 @@ read_only_rootfs_hook () {
>  		if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
>  			${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
>  		fi
> +	        # Generate ssh keys at rootfs time
> +		if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> +			[ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
> +			DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +			DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> +			test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> +			test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
> +			dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
> +			dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
> +		fi
> +		if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
> +		fi
>  	fi
>  }
>  
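Review bot: the private host keys generated here land in ${IMAGE_ROOTFS}/etc/dropbear and ${IMAGE_ROOTFS}/etc/ssh, so every device flashed from the image shares them and anyone holding the image file has them, and nothing beyond the read-only rootfs condition gates this. Put the block behind its own opt-in variable or feature. Separately, the line that sources ${IMAGE_ROOTFS}/etc/default/dropbear with "." executes target configuration in the build host's shell; read DROPBEAR_RSAKEY and DROPBEAR_DSSKEY out of the file instead of sourcing it.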
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..40dc4ca 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>  
>  PR = "r0"
>  
> -DEPENDS = "zlib openssl"
> +DEPENDS = "zlib openssl openssh-native"
> +DEPENDS_class-native = "zlib-native openssl-native"
>  DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>  
>  RPROVIDES_${PN}-ssh = "ssh"
> @@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
>  INITSCRIPT_NAME_${PN}-sshd = "sshd"
>  INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
>  
> -PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG_class-target ??= "tcp-wrappers"
>  PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>  
>  inherit autotools
> @@ -49,6 +50,7 @@ inherit autotools
>  # LFS support:
>  CFLAGS += "-D__FILE_OFFSET_BITS=64"
>  export LD = "${CC}"
> +export LD_class-native = "${CC}"
>  
>  EXTRA_OECONF = "--with-rand-helper=no \
>                  ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> @@ -74,7 +76,7 @@ do_compile_append () {
>  	install -m 0644 ${WORKDIR}/ssh_config ${S}/
>  }
>  
> -do_install_append () {
> +do_install_append_class-target () {
>  	for i in ${DISTRO_FEATURES};
>  	do
>  		if [ ${i} = "pam" ];  then
> @@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>  
>  RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
>  RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +RDEPENDS_${PN}_class-native = ""
>  
>  CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
>  CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> @@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
>  ALTERNATIVE_${PN}-scp = "scp"
>  ALTERNATIVE_${PN}-ssh = "ssh"
>  
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index be93d60..381b8aa 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -9,11 +9,13 @@ INC_PR = "r1"
>  LICENSE = "MIT"
>  LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
>  
> -DEPENDS = "zlib"
> +DEPENDS = "zlib dropbear-native"
>  RPROVIDES_${PN} = "ssh sshd" 
>  
>  DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>  
> +DEPENDS_class-native = "zlib-native"
> +
>  SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
>             file://0001-urandom-xauth-changes-to-options.h.patch \
>             file://0002-static_build_fix.patch \
> @@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
>          rm ${sysconfdir}/dropbear/dropbear_dss_host_key
>    fi
>  }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
> index e8fed3f..5140b0b 100755
> --- a/meta/recipes-core/dropbear/dropbear/init
> +++ b/meta/recipes-core/dropbear/dropbear/init
> @@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
>  test -x "$DAEMON" || exit 0
>  test ! -h /var/service/dropbear || exit 0
>  
> -readonly_rootfs=0
> -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
> -  case $flag in
> -   ro)
> -     readonly_rootfs=1
> -     ;;
> -  esac
> -done
> -
> -if [ $readonly_rootfs = "1" ]; then
> -  mkdir -p /var/lib/dropbear
> -  DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
> -else
> -  DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> -fi
> +DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
>  
>  test -z "$DROPBEAR_BANNER" || \
>    DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
> -- 
> 1.7.9.5
> 

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com


* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  9:28   ` Martin Jansa
@ 2013-07-26  9:52     ` Phil Blundell
  2013-07-26 11:08     ` Mike Looijmans
  1 sibling, 0 replies; 16+ messages in thread
From: Phil Blundell @ 2013-07-26  9:52 UTC (permalink / raw)
  To: Martin Jansa; +Cc: openembedded-core, Zhangle.Yang

On Fri, 2013-07-26 at 11:28 +0200, Martin Jansa wrote:
> On Fri, Jul 26, 2013 at 03:39:36PM +0800, Qi.Chen@windriver.com wrote:
> > From: Chen Qi <Qi.Chen@windriver.com>
> > 
> > To avoid generating ssh keys every time a system with read-only rootfs
> > starts, we generate ssh keys at rootfs creation time.
> > 
> > This change only has effect for systems with read-only rootfs.
> 
> I'm not sure if having the same keys on all devices installed from the
> same image is always desired behavior, imho it should be controlled by
> another variable, because some people want read-only rootfs and keys
> generated in some other write-able partition.

Agreed.  In fact, I suspect that most folks who would be happy with all
devices getting identical keys would want to go even further and have
the keys be pre-generated so they were the same in every version of the
image, rather than having them change every time the rootfs is
regenerated.  Otherwise you still get the "host key has changed" warning
whenever you install a new rootfs.

If we're going to add this "generate keys at rootfs time" thing as an
option then that's fine, but it needs to be configurable under control
of IMAGE_FEATURES and/or DISTRO_FEATURES and/or PACKAGECONFIG.

Some other observations on this patch:

- the subject line is in the wrong format
- there are quite a lot of changes to the openssh recipe in here, some
of which look a bit hokey.  For example, this change:

-PACKAGECONFIG ??= "tcp-wrappers"
+PACKAGECONFIG_class-target ??= "tcp-wrappers"

... is going to be a trap for the unwary and probably shouldn't be done
this way.

p.





* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
  2013-07-26  9:28   ` Martin Jansa
@ 2013-07-26 10:39   ` Enrico Scholz
  2013-07-29  1:55   ` ChenQi
  2 siblings, 0 replies; 16+ messages in thread
From: Enrico Scholz @ 2013-07-26 10:39 UTC (permalink / raw)
  To: openembedded-core; +Cc: Qi.Chen-CWA4WttNNZF54TAoqtyWWQ

<Qi.Chen-CWA4WttNNZF54TAoqtyWWQ@public.gmane.org> writes:

> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.

This is security-wise a very bad and dangerous change because all devices
will get the same key, which can be extracted very easily from (public)
images.


Enrico
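
Enrico's objection can be enforced as a release check. The following is an added example, not code from the thread or from OpenEmbedded: it scans an unpacked rootfs for host private keys at the paths the patch writes to, and reads Dropbear's path overrides from /etc/default/dropbear without sourcing that file. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit an unpacked rootfs for SSH host
# private keys that were baked in at image build time.
# Function names are hypothetical; key paths are the ones the patch writes to.
# Usage: check_image /path/to/unpacked/rootfs

# Print the last VAR=value assignment in a defaults file WITHOUT sourcing it:
# the file is target content and must not be executed on the build host.
read_default() {
    rd_file=$1
    rd_var=$2
    [ -r "$rd_file" ] || return 0
    sed -n "s/^[[:space:]]*$rd_var=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" \
        "$rd_file" | tail -n 1
}

# List private host keys found under ROOTFS, one rootfs-relative path per line.
list_baked_host_keys() {
    rootfs=${1%/}
    [ -d "$rootfs" ] || { echo "not a directory: $1" >&2; return 2; }

    # Default locations for OpenSSH and Dropbear host keys.
    set -- "$rootfs"/etc/ssh/ssh_host_*_key \
           "$rootfs"/etc/dropbear/dropbear_*_host_key

    # Dropbear key paths may be overridden in /etc/default/dropbear.
    for name in DROPBEAR_RSAKEY DROPBEAR_DSSKEY; do
        override=$(read_default "$rootfs/etc/default/dropbear" "$name")
        if [ -n "$override" ]; then
            set -- "$@" "$rootfs$override"
        fi
    done

    for key in "$@"; do
        # A symlink (file or directory) points at a runtime location such as
        # a writable partition; following it here would read the build host.
        if [ -L "$key" ] || [ -L "${key%/*}" ]; then continue; fi
        # Unmatched globs stay literal and fail this test; so do empty files.
        if [ -f "$key" ] && [ -s "$key" ]; then
            echo "${key#"$rootfs"}"
        fi
    done | sort -u
}

# Gate for a release pipeline: 0 = no baked keys, 1 = keys found, 2 = bad input.
check_image() {
    keys=$(list_baked_host_keys "$1") || return 2
    if [ -n "$keys" ]; then
        echo "host private keys baked into image $1:" >&2
        echo "$keys" >&2
        return 1
    fi
    return 0
}
```

Public keys (ssh_host_*_key.pub) are deliberately not reported; only the private halves identify a device.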



* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  9:28   ` Martin Jansa
  2013-07-26  9:52     ` Phil Blundell
@ 2013-07-26 11:08     ` Mike Looijmans
  2013-07-26 11:22       ` Burton, Ross
  1 sibling, 1 reply; 16+ messages in thread
From: Mike Looijmans @ 2013-07-26 11:08 UTC (permalink / raw)
  To: Martin Jansa; +Cc: openembedded-core, Zhangle.Yang

On 07/26/2013 11:28 AM, Martin Jansa wrote:
> On Fri, Jul 26, 2013 at 03:39:36PM +0800, Qi.Chen@windriver.com wrote:
>> From: Chen Qi <Qi.Chen@windriver.com>
>>
>> To avoid generating ssh keys every time a system with read-only rootfs
>> starts, we generate ssh keys at rootfs creation time.
>>
>> This change only has effect for systems with read-only rootfs.
>
> I'm not sure if having the same keys on all devices installed from the
> same image is always desired behavior, imho it should be controlled by
> another variable, because some people want read-only rootfs and keys
> generated in some other write-able partition.
>

Agree.

I would suggest creating a separate recipe that places a ssh key on the 
filesystem. That would be about equally useful, and it gives people a 
choice. During development, such a feature is very nice to have, as it 
lets the test board keep its current ssh key. It's a recipe that I'd be 
happy to contribute. I already have one that puts my public key on the box
so I can safely log in and/or run automated test software with passwords
disabled.




Kind regards,

Mike Looijmans



* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26 11:08     ` Mike Looijmans
@ 2013-07-26 11:22       ` Burton, Ross
  0 siblings, 0 replies; 16+ messages in thread
From: Burton, Ross @ 2013-07-26 11:22 UTC (permalink / raw)
  To: Mike Looijmans; +Cc: Zhangle.Yang, openembedded-core

On 26 July 2013 12:08, Mike Looijmans <mike.looijmans@topic.nl> wrote:
> I would suggest creating a separate recipe that places a ssh key on the
> filesystem. That would be about equally useful, and it gives people a
> choice. During development, such a feature is very nice to have, as it lets
> the test board keep its current ssh key. It's a recipe that I'd be happy to
> contribute. I already have one that puts my public key on the box so I can
> safely log in and/or run automated test software with passwords disabled.

Please do that, I'd appreciate this too. :)

Ross



* Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
  2013-07-26  7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
  2013-07-26  9:28   ` Martin Jansa
  2013-07-26 10:39   ` Enrico Scholz
@ 2013-07-29  1:55   ` ChenQi
  2 siblings, 0 replies; 16+ messages in thread
From: ChenQi @ 2013-07-29  1:55 UTC (permalink / raw)
  To: openembedded-core

Thanks for all the reviews and comments.
I'll drop this patch and send out a version 2 of this patchset.

Best Regards,
Chen Qi

On 07/26/2013 03:39 PM, Qi.Chen@windriver.com wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.
>
> This change only has effect for systems with read-only rootfs.
>
> [YOCTO #4103]
> [YOCTO #4887]
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>   meta/classes/image.bbclass                         |   15 +++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_6.2p2.bb |   10 +++++++---
>   meta/recipes-core/dropbear/dropbear.inc            |    6 +++++-
>   meta/recipes-core/dropbear/dropbear/init           |   19 ++-----------------
>   4 files changed, 29 insertions(+), 21 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 3bc57d3..9a0692a 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -263,6 +263,21 @@ read_only_rootfs_hook () {
>   		if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
>   			${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
>   		fi
> +	        # Generate ssh keys at rootfs time
> +		if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> +			[ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
> +			DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +			DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> +			test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> +			test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
> +			dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
> +			dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
> +		fi
> +		if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
> +		fi
>   	fi
>   }
>   
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..40dc4ca 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>   
>   PR = "r0"
>   
> -DEPENDS = "zlib openssl"
> +DEPENDS = "zlib openssl openssh-native"
> +DEPENDS_class-native = "zlib-native openssl-native"
>   DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>   
>   RPROVIDES_${PN}-ssh = "ssh"
> @@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
>   INITSCRIPT_NAME_${PN}-sshd = "sshd"
>   INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
>   
> -PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG_class-target ??= "tcp-wrappers"
>   PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>   
>   inherit autotools
> @@ -49,6 +50,7 @@ inherit autotools
>   # LFS support:
>   CFLAGS += "-D__FILE_OFFSET_BITS=64"
>   export LD = "${CC}"
> +export LD_class-native = "${CC}"
>   
>   EXTRA_OECONF = "--with-rand-helper=no \
>                   ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> @@ -74,7 +76,7 @@ do_compile_append () {
>   	install -m 0644 ${WORKDIR}/ssh_config ${S}/
>   }
>   
> -do_install_append () {
> +do_install_append_class-target () {
>   	for i in ${DISTRO_FEATURES};
>   	do
>   		if [ ${i} = "pam" ];  then
> @@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>   
>   RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
>   RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +RDEPENDS_${PN}_class-native = ""
>   
>   CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
>   CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> @@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
>   ALTERNATIVE_${PN}-scp = "scp"
>   ALTERNATIVE_${PN}-ssh = "ssh"
>   
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index be93d60..381b8aa 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -9,11 +9,13 @@ INC_PR = "r1"
>   LICENSE = "MIT"
>   LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
>   
> -DEPENDS = "zlib"
> +DEPENDS = "zlib dropbear-native"
>   RPROVIDES_${PN} = "ssh sshd"
>   
>   DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>   
> +DEPENDS_class-native = "zlib-native"
> +
>   SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
>              file://0001-urandom-xauth-changes-to-options.h.patch \
>              file://0002-static_build_fix.patch \
> @@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
>           rm ${sysconfdir}/dropbear/dropbear_dss_host_key
>     fi
>   }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
> index e8fed3f..5140b0b 100755
> --- a/meta/recipes-core/dropbear/dropbear/init
> +++ b/meta/recipes-core/dropbear/dropbear/init
> @@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
>   test -x "$DAEMON" || exit 0
>   test ! -h /var/service/dropbear || exit 0
>   
> -readonly_rootfs=0
> -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
> -  case $flag in
> -   ro)
> -     readonly_rootfs=1
> -     ;;
> -  esac
> -done
> -
> -if [ $readonly_rootfs = "1" ]; then
> -  mkdir -p /var/lib/dropbear
> -  DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
> -else
> -  DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> -fi
> +DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
>   
>   test -z "$DROPBEAR_BANNER" || \
>     DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"


