cip-dev.lists.cip-project.org archive mirror
* [cip-dev] [isar-cip-core] export dpkg status for debsecan
@ 2020-09-30  2:08 Daniel Sangorrin
  2020-09-30  2:08 ` [cip-dev] [isar-cip-core] image: export dpkg status file " Daniel Sangorrin
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel Sangorrin @ 2020-09-30  2:08 UTC (permalink / raw)
  To: jan.kiszka; +Cc: cip-dev

[-- Attachment #1: Type: text/plain, Size: 470 bytes --]

Hi Jan,

This is a patch to isar-cip-core for exporting the dpkg 
status file which is needed by debsecan and its wrapper
cip-core-sec.

At the moment the code is duplicated for each image target.
I could use the trick of putting the code in customizations.bb
instead if you prefer, because currently it is imported from
both image targets (cip-core-image.bb and cip-core-image-security.bb).

[isar-cip-core] image: export dpkg status file for debsecan

Thanks,
Daniel


[-- Attachment #2: Type: text/plain, Size: 420 bytes --]


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5481): https://lists.cip-project.org/g/cip-dev/message/5481
Mute This Topic: https://lists.cip-project.org/mt/77210405/4520388
Group Owner: cip-dev+owner@lists.cip-project.org
Unsubscribe: https://lists.cip-project.org/g/cip-dev/leave/8129055/727948398/xyzzy [cip-dev@archiver.kernel.org]
-=-=-=-=-=-=-=-=-=-=-=-



* [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
  2020-09-30  2:08 [cip-dev] [isar-cip-core] export dpkg status for debsecan Daniel Sangorrin
@ 2020-09-30  2:08 ` Daniel Sangorrin
  2020-09-30  7:11   ` Jan Kiszka
  0 siblings, 1 reply; 6+ messages in thread
From: Daniel Sangorrin @ 2020-09-30  2:08 UTC (permalink / raw)
  To: jan.kiszka; +Cc: cip-dev


Although the currently exported manifest probably has
enough information, the tool debsecan and our wrapper
cip-core-sec depend on the dpkg status format.

Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
 recipes-core/images/cip-core-image-security.bb | 8 ++++++++
 recipes-core/images/cip-core-image.bb          | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 61ddc39..928774c 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \
 	uuid-runtime \
 	sudo \
 "
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+        cat /var/lib/dpkg/status > \
+        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
+}
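
Review bot: export_dpkg_status only reads one file, so the "sudo -E chroot --userspec=$(id -u):$(id -g)" on the first line of the function body takes root (with the caller's environment preserved by -E) just to enter the chroot and then drops back to the caller's uid and gid to run cat. Reading '${ROOTFSDIR}'/var/lib/dpkg/status directly from the build host would produce the same file without any sudo call, provided the build user can read that path; if it cannot, say so in the comment above the function so the reason for the chroot is recorded.
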
diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
index 2cecde3..0139819 100644
--- a/recipes-core/images/cip-core-image.bb
+++ b/recipes-core/images/cip-core-image.bb
@@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations"
 # for swupdate
 SWU_DESCRIPTION ??= "swupdate"
 include ${SWU_DESCRIPTION}.inc
+
+# for cip-core-sec/debsecan
+ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
+export_dpkg_status() {
+    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
+        cat /var/lib/dpkg/status > \
+        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
+}
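
Review bot: The function added here duplicates, line for line, the one added to cip-core-image-security.bb in the same patch, so any later fix to export_dpkg_status has to be applied twice and the two copies can drift apart. Keep a single copy of the ROOTFS_POSTPROCESS_COMMAND line and the function in one shared file that both recipes pull in. The "# for cip-core-sec/debsecan" comment could also name the file that is written, "${PF}".dpkg_status under ${ROOTFS_MANIFEST_DEPLOY_DIR}, so consumers of the deploy directory know what to look for.
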
-- 
2.25.1



* Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
  2020-09-30  2:08 ` [cip-dev] [isar-cip-core] image: export dpkg status file " Daniel Sangorrin
@ 2020-09-30  7:11   ` Jan Kiszka
  2020-10-01  0:20     ` Daniel Sangorrin
                       ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Jan Kiszka @ 2020-09-30  7:11 UTC (permalink / raw)
  To: cip-dev, Daniel Sangorrin


On 30.09.20 04:08, Daniel Sangorrin wrote:
> Although the currently exported manifest probably has
> enough information, the tool debsecan and our wrapper
> cip-core-sec depend on the dpkg status format.
>
> Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
> ---
>  recipes-core/images/cip-core-image-security.bb | 8 ++++++++
>  recipes-core/images/cip-core-image.bb          | 8 ++++++++
>  2 files changed, 16 insertions(+)
>
> diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
> index 61ddc39..928774c 100644
> --- a/recipes-core/images/cip-core-image-security.bb
> +++ b/recipes-core/images/cip-core-image-security.bb
> @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \
>  	uuid-runtime \
>  	sudo \
>  "
> +
> +# for cip-core-sec/debsecan
> +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> +export_dpkg_status() {
> +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> +        cat /var/lib/dpkg/status > \
> +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status

This is just a copy-out, I don't see the chroot need here.

> +}
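
Review bot: In the redirect target on the last line of the command, only ${PF} is quoted: ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status. The redirection is performed by the calling shell, outside sudo and the chroot, so a deploy directory path containing whitespace would break the redirect there. Quoting the whole path, "${ROOTFS_MANIFEST_DEPLOY_DIR}/${PF}.dpkg_status", avoids that and is consistent with the quoted '${ROOTFSDIR}' two lines above.
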
> diff --git a/recipes-core/images/cip-core-image.bb b/recipes-core/images/cip-core-image.bb
> index 2cecde3..0139819 100644
> --- a/recipes-core/images/cip-core-image.bb
> +++ b/recipes-core/images/cip-core-image.bb
> @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations"
>  # for swupdate
>  SWU_DESCRIPTION ??= "swupdate"
>  include ${SWU_DESCRIPTION}.inc
> +
> +# for cip-core-sec/debsecan
> +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> +export_dpkg_status() {
> +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> +        cat /var/lib/dpkg/status > \
> +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> +}
>

Please avoid code duplication. We have means like "require some.inc" in
bitbake.

I'm also wondering if this should go to isar upstream directly. debsecan
is a generic Debian tool, nothing CIP-specific per se.

Jan


* Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
  2020-09-30  7:11   ` Jan Kiszka
@ 2020-10-01  0:20     ` Daniel Sangorrin
  2020-10-01  0:23     ` Daniel Sangorrin
  2020-10-01  3:03     ` Daniel Sangorrin
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel Sangorrin @ 2020-10-01  0:20 UTC (permalink / raw)
  To: jan.kiszka, cip-dev


OK, I will send it to ISAR then.

> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@web.de>
> Sent: Wednesday, September 30, 2020 4:12 PM
> To: cip-dev@lists.cip-project.org; sangorrin daniel(サンゴリン ダニエル □SWC◯ACT) <daniel.sangorrin@toshiba.co.jp>
> Subject: Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
> 
> On 30.09.20 04:08, Daniel Sangorrin wrote:
> > Although the currently exported manifest probably has enough
> > information, the tool debsecan and our wrapper cip-core-sec depend on
> > the dpkg status format.
> >
> > Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
> > ---
> >  recipes-core/images/cip-core-image-security.bb | 8 ++++++++
> >  recipes-core/images/cip-core-image.bb          | 8 ++++++++
> >  2 files changed, 16 insertions(+)
> >
> > diff --git a/recipes-core/images/cip-core-image-security.bb
> > b/recipes-core/images/cip-core-image-security.bb
> > index 61ddc39..928774c 100644
> > --- a/recipes-core/images/cip-core-image-security.bb
> > +++ b/recipes-core/images/cip-core-image-security.bb
> > @@ -34,3 +34,11 @@ IMAGE_PREINSTALL += " \
> >  	uuid-runtime \
> >  	sudo \
> >  "
> > +
> > +# for cip-core-sec/debsecan
> > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> > +export_dpkg_status() {
> > +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> > +        cat /var/lib/dpkg/status > \
> > +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> 
> This is just a copy-out, I don't see the chroot need here.
> 
> > +}
> > diff --git a/recipes-core/images/cip-core-image.bb
> > b/recipes-core/images/cip-core-image.bb
> > index 2cecde3..0139819 100644
> > --- a/recipes-core/images/cip-core-image.bb
> > +++ b/recipes-core/images/cip-core-image.bb
> > @@ -19,3 +19,11 @@ IMAGE_INSTALL += "customizations"
> >  # for swupdate
> >  SWU_DESCRIPTION ??= "swupdate"
> >  include ${SWU_DESCRIPTION}.inc
> > +
> > +# for cip-core-sec/debsecan
> > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> > +export_dpkg_status() {
> > +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> > +        cat /var/lib/dpkg/status > \
> > +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> > +}
> >
> 
> Please avoid code duplication. We have means like "require some.inc" in bitbake.
> 
> I'm also wondering if this should go to isar upstream directly. debsecan is a generic Debian tool, nothing CIP-specific per se.
> 
> Jan


* Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
  2020-09-30  7:11   ` Jan Kiszka
  2020-10-01  0:20     ` Daniel Sangorrin
@ 2020-10-01  0:23     ` Daniel Sangorrin
  2020-10-01  3:03     ` Daniel Sangorrin
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel Sangorrin @ 2020-10-01  0:23 UTC (permalink / raw)
  To: jan.kiszka, cip-dev


Hi Jan,

I forgot to reply to one comment.

> > +# for cip-core-sec/debsecan
> > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> > +export_dpkg_status() {
> > +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> > +        cat /var/lib/dpkg/status > \
> > +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> 
> This is just a copy-out, I don't see the chroot need here.

This was based on the generate_manifest function.
For some reason, copying without chroot didn't work for me. I will give it another try.

Thanks,
Daniel


* Re: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
  2020-09-30  7:11   ` Jan Kiszka
  2020-10-01  0:20     ` Daniel Sangorrin
  2020-10-01  0:23     ` Daniel Sangorrin
@ 2020-10-01  3:03     ` Daniel Sangorrin
  2 siblings, 0 replies; 6+ messages in thread
From: Daniel Sangorrin @ 2020-10-01  3:03 UTC (permalink / raw)
  To: jan.kiszka, cip-dev


Hi Jan,

Now it seems to work. I think it was some subtle issue with the use of quotes.

Thanks,
Daniel

> -----Original Message-----
> From: sangorrin daniel(サンゴリン ダニエル □SWC◯ACT)
> Sent: Thursday, October 1, 2020 9:23 AM
> To: 'Jan Kiszka' <jan.kiszka@web.de>; cip-dev@lists.cip-project.org
> Subject: RE: [cip-dev] [isar-cip-core] image: export dpkg status file for debsecan
> 
> Hi Jan,
> 
> I forgot to reply to one comment.
> 
> > > +# for cip-core-sec/debsecan
> > > +ROOTFS_POSTPROCESS_COMMAND += "export_dpkg_status"
> > > +export_dpkg_status() {
> > > +    sudo -E chroot --userspec=$(id -u):$(id -g) '${ROOTFSDIR}' \
> > > +        cat /var/lib/dpkg/status > \
> > > +        ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".dpkg_status
> >
> > This is just a copy-out, I don't see the chroot need here.
> 
> This was based on the generate_manifest function.
> For some reason, copying without chroot didn't work for me. I will give it another try.
> 
> Thanks,
> Daniel
