* [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
@ 2023-10-31 8:37 Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
` (10 more replies)
0 siblings, 11 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
cleanup the customizations scripts by:
- Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
- Move systemd service overrides to files instead of setting it in
postinst
- fix formatting
- fix scripting error in security customizations
Changes v2:
- Remove explicit installation of libtss2-esys* as it is required by
tpm2-tools.
- Add note about used style checker
Quirin Gylstorff (9):
scripts/deploy-kernelci: Format python code and remove unused import
customizations: Add variable to set the HOSTNAME
customizations: Move ssh configuration from postinst to sshd_config.d
security-customizations: Add dependency to customizations
security-customizations: Fix shell error
security-customizations: Extract sshd config from postinst to files
cip-core-image-security: Move packages to security-customization
customization-kernelci: Add dependency to customizations
kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
conf/layer.conf | 2 ++
kas/opt/reproducible.yml | 1 -
kas/opt/security.yml | 2 ++
recipes-core/customizations/common.inc | 6 +++-
recipes-core/customizations/customizations.bb | 10 ++++++
.../files/{postinst => postinst.tmpl} | 8 ++---
.../customizations/files/ssh-permit-root.conf | 1 +
.../images/cip-core-image-security.bb | 12 +------
.../kernelci-customizations/files/postinst | 11 -------
.../files/serial-getty-kernelci-override.conf | 3 ++
.../files/ssh-permit-empty-passwords.conf | 2 ++
.../kernelci-customizations.bb | 18 ++++++++---
.../security-customizations/files/postinst | 24 ++------------
.../files/ssh-pam-remote.conf | 4 +++
.../files/ssh-remote-session-term.conf | 5 +++
.../security-customizations.bb | 22 ++++++++++---
scripts/deploy-kernelci.py | 31 ++++++++++---------
17 files changed, 86 insertions(+), 76 deletions(-)
rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Quirin Gylstorff
` (9 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Use flake8 to check for issues.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
scripts/deploy-kernelci.py | 31 ++++++++++++++++---------------
1 file changed, 16 insertions(+), 15 deletions(-)
diff --git a/scripts/deploy-kernelci.py b/scripts/deploy-kernelci.py
index 5a8adca..62f3f01 100755
--- a/scripts/deploy-kernelci.py
+++ b/scripts/deploy-kernelci.py
@@ -1,30 +1,30 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
-import subprocess
import requests
import os
import sys
import time
from urllib.parse import urljoin
-cdate=time.strftime("%Y%m%d")
-api="https://api.kernelci.org/upload"
-token=os.getenv("KERNELCI_TOKEN")
+cdate = time.strftime("%Y%m%d")
+api = "https://api.kernelci.org/upload"
+token = os.getenv("KERNELCI_TOKEN")
-release=sys.argv[1]
-target=sys.argv[2]
-extension=sys.argv[3]
+release = sys.argv[1]
+target = sys.argv[2]
+extension = sys.argv[3]
-rootfs_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz"
-initrd_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img"
-initrd_gz_filename="cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz"
+rootfs_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+".tar.gz"
+initrd_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img"
+initrd_gz_filename = "cip-core-image-kernelci-cip-core-"+release+"-"+target+"-initrd.img.gz"
+
+input_dir = "build/tmp/deploy/images/"+target
+upload_path = "/images/rootfs/cip/"+cdate+"/"+target+"/"
+upload_path_latest = "/images/rootfs/cip/latest/"+target+"/"
+rootfs = input_dir+"/"+rootfs_filename
+initrd = input_dir+"/"+initrd_filename
-input_dir="build/tmp/deploy/images/"+target
-upload_path="/images/rootfs/cip/"+cdate+"/"+target+"/"
-upload_path_latest="/images/rootfs/cip/latest/"+target+"/"
-rootfs=input_dir+"/"+rootfs_filename
-initrd=input_dir+"/"+initrd_filename
def upload_file(api, token, path, input_file, input_filename):
headers = {
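Review bot: the three *_filename assignments in the middle of this hunk are still longer than 79 columns after reformatting (the initrd_gz_filename line is over 90), which flake8 reports as E501 with its default settings; wrap them or state in the commit message which max-line-length was used. While these lines are being touched: token = os.getenv("KERNELCI_TOKEN") is None when the variable is unset, and sys.argv[1] to sys.argv[3] are read without a length check, so a usage message and an early exit before the upload would make both failures obvious.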
@@ -40,6 +40,7 @@ def upload_file(api, token, path, input_file, input_filename):
resp = requests.post(url, headers=headers, data=data, files=files)
resp.raise_for_status()
+
if os.path.exists(rootfs) and os.path.exists(initrd):
print("uploading rootfs to KernelCI")
upload_file(api, token, upload_path, rootfs, rootfs_filename)
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Quirin Gylstorff
` (8 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Add the variable CUSTOM_HOSTNAME to modify the hostname of
the image.
The default value of CUSTOM_HOSTNAME is "demo".
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/customizations/common.inc | 6 +++++-
.../customizations/files/{postinst => postinst.tmpl} | 4 ++--
2 files changed, 7 insertions(+), 3 deletions(-)
rename recipes-core/customizations/files/{postinst => postinst.tmpl} (85%)
diff --git a/recipes-core/customizations/common.inc b/recipes-core/customizations/common.inc
index 680a4d6..79bf80d 100644
--- a/recipes-core/customizations/common.inc
+++ b/recipes-core/customizations/common.inc
@@ -14,16 +14,20 @@ inherit dpkg-raw
FILESPATH:append := ":${FILE_DIRNAME}/files"
SRC_URI = " \
- file://postinst \
+ file://postinst.tmpl \
file://ethernet \
file://99-silent-printk.conf \
file://99-watchdog.conf"
SRC_URI:append:swupdate = " file://swupdate.cfg"
+CUSTOM_HOSTNAME ??= "demo"
WIRELESS_FIRMWARE_PACKAGE ?= ""
INSTALL_WIRELESS_TOOLS ??= "0"
+TEMPLATE_FILES += "postinst.tmpl"
+TEMPLATE_VARS += "CUSTOM_HOSTNAME"
+
DEPENDS += "sshd-regen-keys change-root-homedir"
DEBIAN_DEPENDS = " \
diff --git a/recipes-core/customizations/files/postinst b/recipes-core/customizations/files/postinst.tmpl
similarity index 85%
rename from recipes-core/customizations/files/postinst
rename to recipes-core/customizations/files/postinst.tmpl
index 7e7ea36..2668a93 100644
--- a/recipes-core/customizations/files/postinst
+++ b/recipes-core/customizations/files/postinst.tmpl
@@ -2,7 +2,7 @@
#
# CIP Core, generic profile
#
-# Copyright (c) Siemens AG, 2019
+# Copyright (c) Siemens AG, 2019-2023
#
# Authors:
# Jan Kiszka <jan.kiszka@siemens.com>
@@ -18,6 +18,6 @@ if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
fi
-HOSTNAME=demo
+HOSTNAME="${CUSTOM_HOSTNAME}"
echo "$HOSTNAME" > /etc/hostname
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
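Review bot: in the HOSTNAME="${CUSTOM_HOSTNAME}" line the template value is pasted into a double-quoted shell string, so a value containing a double quote, $ or a backtick changes what postinst executes. Validating CUSTOM_HOSTNAME in the recipe against hostname characters (letters, digits, hyphen) would fail the build early instead. The new variable also deserves a line of documentation next to its ??= default in common.inc.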
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 1/9] scripts/deploy-kernelci: Format python code and remove unused import Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 2/9] customizations: Add variable to set the HOSTNAME Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Quirin Gylstorff
` (7 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
Make the ssh configuration in line with Debian guidelines by adding
an additional file to /etc/ssh/sshd_config.d/.
This also allows disabling these changes with a customization.bbappend
instead of overwriting the postinst script.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/customizations/customizations.bb | 8 ++++++++
recipes-core/customizations/files/postinst.tmpl | 4 ----
recipes-core/customizations/files/ssh-permit-root.conf | 1 +
3 files changed, 9 insertions(+), 4 deletions(-)
create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index ad16a90..3dbeb3f 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -11,6 +11,7 @@
require common.inc
+SRC_URI += "file://ssh-permit-root.conf"
DESCRIPTION = "CIP Core image demo & customizations"
do_prepare_build:prepend:qemu-riscv64() {
@@ -20,3 +21,10 @@ do_prepare_build:prepend:qemu-riscv64() {
echo "systemctl mask serial-getty@hvc0.service" >> ${WORKDIR}/postinst
fi
}
+
+do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
+do_install:append () {
+ if [ -f "${WORKDIR}/ssh-permit-root.conf" ]; then
+ install -v -m 644 ${WORKDIR}/ssh-permit-root.conf ${D}/etc/ssh/sshd_config.d/
+ fi
+}
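Review bot: the [ -f ... ] guard in do_install:append has no visible reason in this patch, since ssh-permit-root.conf is always in SRC_URI here; it only makes sense once 4/9 adds SRC_URI:remove:security. A one-line comment saying so would help, as would quoting ${WORKDIR} and ${D} in the install line the same way the test does.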
diff --git a/recipes-core/customizations/files/postinst.tmpl b/recipes-core/customizations/files/postinst.tmpl
index 2668a93..62e9a1a 100644
--- a/recipes-core/customizations/files/postinst.tmpl
+++ b/recipes-core/customizations/files/postinst.tmpl
@@ -14,10 +14,6 @@ set -e
echo "CIP Core Demo & Test Image (login: root/root)" > /etc/issue
-if ! grep -e "^PermitRootLogin.*yes" -q /etc/ssh/sshd_config; then
- echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
-fi
-
HOSTNAME="${CUSTOM_HOSTNAME}"
echo "$HOSTNAME" > /etc/hostname
echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
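Review bot: the removed block edited /etc/ssh/sshd_config directly, whereas the replacement drop-in is only read if that file has an Include for /etc/ssh/sshd_config.d/*.conf. Please confirm this for the oldest distro the layer supports (7/9 in this series still carries buster overrides); where the Include is missing, the image silently loses PermitRootLogin yes.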
diff --git a/recipes-core/customizations/files/ssh-permit-root.conf b/recipes-core/customizations/files/ssh-permit-root.conf
new file mode 100644
index 0000000..1073982
--- /dev/null
+++ b/recipes-core/customizations/files/ssh-permit-root.conf
@@ -0,0 +1 @@
+PermitRootLogin yes
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (2 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 3/9] customizations: Move ssh configuration from postinst to sshd_config.d Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Quirin Gylstorff
` (6 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
To simplify the package structure, security customizations no
longer set the hostname and use a dependency instead of an include.
Add the OVERRIDE `security` to enable or disable security related
configuration settings.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
kas/opt/security.yml | 2 ++
recipes-core/customizations/customizations.bb | 2 ++
recipes-core/security-customizations/files/postinst | 4 ----
.../security-customizations/security-customizations.bb | 8 ++++----
4 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/kas/opt/security.yml b/kas/opt/security.yml
index d87235a..000c522 100644
--- a/kas/opt/security.yml
+++ b/kas/opt/security.yml
@@ -24,3 +24,5 @@ local_conf_header:
adjust-swupdate: |
ABROOTFS_IMAGE_RECIPE = "cip-core-image-security"
VERITY_IMAGE_RECIPE = "cip-core-image-security"
+ security-override: |
+ OVERRIDES .= ":security"
diff --git a/recipes-core/customizations/customizations.bb b/recipes-core/customizations/customizations.bb
index 3dbeb3f..3f6b5de 100644
--- a/recipes-core/customizations/customizations.bb
+++ b/recipes-core/customizations/customizations.bb
@@ -12,6 +12,8 @@
require common.inc
SRC_URI += "file://ssh-permit-root.conf"
+SRC_URI:remove:security = "file://ssh-permit-root.conf"
+
DESCRIPTION = "CIP Core image demo & customizations"
do_prepare_build:prepend:qemu-riscv64() {
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 620c863..bbd21bd 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -8,10 +8,6 @@ set -e
echo "CIP Core Security Image (login: root/CIPsecurity@123)" > /etc/issue
-HOSTNAME=demo
-echo "$HOSTNAME" > /etc/hostname
-echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
-
# CR1.7: Strength of password-based authentication
# Pam configuration to enforce password strength
PAM_PWD_FILE="/etc/pam.d/common-password"
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index 240a577..d5249a2 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -9,12 +9,12 @@
# SPDX-License-Identifier: MIT
#
-require recipes-core/customizations/common.inc
+inherit dpkg-raw
DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
-SRC_URI += "file://postinst"
+SRC_URI = "file://postinst"
-DEPENDS += "sshd-regen-keys"
-DEBIAN_DEPENDS += ", sshd-regen-keys, libpam-google-authenticator"
+DEPENDS = "customizations, sshd-regen-keys"
+DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
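Review bot: DEPENDS is a whitespace-separated list, so DEPENDS = "customizations, sshd-regen-keys" names a recipe called "customizations," with the comma attached. 7/9 changes it to "customizations sshd-regen-keys"; that fix belongs here so this commit builds on its own, together with dropping the stray space in "customizations , sshd-regen-keys".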
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (3 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 4/9] security-customizations: Add dependency to customizations Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Quirin Gylstorff
` (5 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
if [ -f ... ] does not work with globbing.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/security-customizations/files/postinst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index bbd21bd..717b7ac 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -32,11 +32,11 @@ fi
# Lock user account after unsuccessful login attempts
PAM_AUTH_FILE="/etc/pam.d/common-auth"
# pam_tally2 is deprecated from pam version 1.4.0-7
-if [ -f /lib/*-linux-gnu*/security/pam_tally2.so ]; then
+if readlink -f /lib/*-linux-gnu*/security/pam_tally2.so; then
PAM_MODULE="pam_tally2.so"
PAM_CONFIG="auth required pam_tally2.so deny=3 even_deny_root unlock_time=60 root_unlock_time=60
\naccount required pam_tally2.so"
-elif [ -f /lib/*-linux-gnu*/security/pam_faillock.so ]; then
+elif readlink -f /lib/*-linux-gnu*/security/pam_faillock.so; then
PAM_MODULE="pam_faillock.so"
PAM_CONFIG="auth required pam_faillock.so preauth silent deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
\nauth required pam_faillock.so .so authfail deny=3 even_deny_root unlock_time=60 root_unlock_time=60 \
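Review bot: readlink -f prints the resolved path on stdout, so both conditions now write a path into the postinst output, and the test only works because readlink fails on the unexpanded pattern when nothing matches. Redirecting the output to /dev/null, or looping over the glob with [ -f "$f" ], states the intent directly. Separately, the last context line reads "pam_faillock.so .so authfail"; the extra ".so" looks like a leftover and would be passed to the module as an argument.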
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (4 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 5/9] security-customizations: Fix shell error Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Quirin Gylstorff
` (4 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
For easier maintenance extract the ssh configuration to
/etc/sshd_config.d/.
Configuration entries in sshd_config.d will overwrite elements in
sshd_config.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../security-customizations/files/postinst | 16 ----------------
.../files/ssh-pam-remote.conf | 4 ++++
.../files/ssh-remote-session-term.conf | 5 +++++
.../security-customizations.bb | 9 ++++++++-
4 files changed, 17 insertions(+), 17 deletions(-)
create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
diff --git a/recipes-core/security-customizations/files/postinst b/recipes-core/security-customizations/files/postinst
index 717b7ac..daade83 100755
--- a/recipes-core/security-customizations/files/postinst
+++ b/recipes-core/security-customizations/files/postinst
@@ -51,14 +51,6 @@ if grep -c "${PAM_MODULE}" "${PAM_AUTH_FILE}";then
fi
sed -i "0,/^auth.*/s/^auth.*/${PAM_CONFIG}\n&/" "${PAM_AUTH_FILE}"
-# CR2.6: Remote session termination
-# Terminate remote session after inactive time period
-SSHD_CONFIG="/etc/ssh/sshd_config"
-alive_interval=$(sed -n '/ClientAliveInterval/p' "${SSHD_CONFIG}")
-alive_countmax=$(sed -n '/ClientAliveCountMax/p' "${SSHD_CONFIG}")
-sed -i "/${alive_interval}/c ClientAliveInterval 120" "${SSHD_CONFIG}"
-sed -i "/${alive_countmax}/c ClientAliveCountMax 0" "${SSHD_CONFIG}"
-
# CR2.7: Concurrent session control
# Limit the concurrent login sessions
LIMITS_CONFIG="/etc/security/limits.conf"
@@ -80,12 +72,4 @@ if grep -c "pam_google_authenticator.so" "${SSHD_AUTH_CONFIG}";then
sed -i '/pam_google_authenticator.so/ s/^#*/#/' "${SSHD_AUTH_CONFIG}"
fi
echo "auth required pam_google_authenticator.so nullok" | tee -a "${SSHD_AUTH_CONFIG}"
-# Enable PAM configuration for Remote Session
-if grep -s -q "ChallengeResponseAuthentication" "${SSHD_CONFIG}";then
- sed -i 's/ChallengeResponseAuthentication no/ChallengeResponseAuthentication yes/g' "${SSHD_CONFIG}"
-fi
-if grep -s -q "KbdInteractiveAuthentication" "${SSHD_CONFIG}";then
- sed -i 's/KbdInteractiveAuthentication no/KbdInteractiveAuthentication yes/g' "${SSHD_CONFIG}"
-fi
-echo "AuthenticationMethods keyboard-interactive" | tee -a "${SSHD_CONFIG}"
diff --git a/recipes-core/security-customizations/files/ssh-pam-remote.conf b/recipes-core/security-customizations/files/ssh-pam-remote.conf
new file mode 100644
index 0000000..d460b0c
--- /dev/null
+++ b/recipes-core/security-customizations/files/ssh-pam-remote.conf
@@ -0,0 +1,4 @@
+# Enable PAM configuration for Remote Session
+ChallengeResponseAuthentication yes
+KbdInteractiveAuthentication yes
+AuthenticationMethods keyboard-interactive
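Review bot: sshd uses the first value it obtains for each keyword, so these settings take precedence over sshd_config only when the Include for sshd_config.d is read before the same keywords in the main file; the commit message's "will overwrite" should state that condition. ChallengeResponseAuthentication and KbdInteractiveAuthentication are also now both set unconditionally, where the removed postinst changed only the ones already present, which is worth a sentence in the commit message.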
diff --git a/recipes-core/security-customizations/files/ssh-remote-session-term.conf b/recipes-core/security-customizations/files/ssh-remote-session-term.conf
new file mode 100644
index 0000000..d11b92e
--- /dev/null
+++ b/recipes-core/security-customizations/files/ssh-remote-session-term.conf
@@ -0,0 +1,5 @@
+# CR2.6: Remote session termination
+# Terminate remote session after inactive time period
+
+ClientAliveInterval 120
+ClientAliveCountMax 0
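Review bot: ClientAliveCountMax 0 does not do what the CR2.6 comment above it says on current OpenSSH: since 8.2 a zero count disables connection termination (see sshd_config(5)), where older versions dropped the session after the first interval. The value is carried over unchanged from the removed postinst, but now that it lives in a reviewed config file it should be a non-zero count, for example ClientAliveCountMax 1. The ClientAlive options also detect unresponsive clients rather than idle users, so the comment's wording should match what is actually enforced.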
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index d5249a2..d3cede8 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -13,8 +13,15 @@ inherit dpkg-raw
DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
-SRC_URI = "file://postinst"
+SRC_URI = "file://postinst \
+ file://ssh-remote-session-term.conf \
+ file://ssh-pam-remote.conf"
DEPENDS = "customizations, sshd-regen-keys"
DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
+do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
+do_install () {
+ install -m 600 ${WORKDIR}/ssh-remote-session-term.conf ${D}/etc/ssh/sshd_config.d/
+ install -m 600 ${WORKDIR}/ssh-pam-remote.conf ${D}/etc/ssh/sshd_config.d/
+}
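Review bot: these two drop-ins are installed with -m 600, while 3/9 installs ssh-permit-root.conf with -m 644 into the same directory; pick one mode for the series and use it in both recipes.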
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (5 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 6/9] security-customizations: Extract sshd config from postinst to files Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Quirin Gylstorff
` (3 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
To ensure that the package security-customizations is installable
move packages from cip-core-image-security as dependencies to
security-packages.
Remove libtss2-esys* as it is already installed together with
tpm2-tools.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
recipes-core/images/cip-core-image-security.bb | 12 +-----------
.../security-customizations.bb | 11 ++++++++---
2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb
index 3421ce5..525a346 100644
--- a/recipes-core/images/cip-core-image-security.bb
+++ b/recipes-core/images/cip-core-image-security.bb
@@ -28,24 +28,14 @@ IMAGE_PREINSTALL += " \
tpm2-tools \
tpm2-abrmd \
acl \
- audispd-plugins auditd \
+ audispd-plugins \
uuid-runtime \
sudo \
aide-common \
- libpam-google-authenticator \
passwd \
login \
- libpam-runtime \
util-linux \
"
-# Package names based on the distro version
-IMAGE_PREINSTALL:append:buster = " libtss2-esys0 \
- libpam-cracklib"
-IMAGE_PREINSTALL:append:bullseye = " libtss2-esys-3.0.2-0 \
- libpam-cracklib"
-IMAGE_PREINSTALL:append:bookworm = " libtss2-esys-3.0.2-0 \
- libpam-passwdqc"
-
CIP_IMAGE_OPTIONS ?= ""
require ${CIP_IMAGE_OPTIONS}
diff --git a/recipes-core/security-customizations/security-customizations.bb b/recipes-core/security-customizations/security-customizations.bb
index d3cede8..75a6a99 100644
--- a/recipes-core/security-customizations/security-customizations.bb
+++ b/recipes-core/security-customizations/security-customizations.bb
@@ -11,14 +11,19 @@
inherit dpkg-raw
-DESCRIPTION = "CIP Security image for IEC62443-4-2 evaluation"
+DESCRIPTION = "CIP Security configuration for IEC62443-4-2 evaluation"
SRC_URI = "file://postinst \
file://ssh-remote-session-term.conf \
file://ssh-pam-remote.conf"
-DEPENDS = "customizations, sshd-regen-keys"
-DEBIAN_DEPENDS = "customizations , sshd-regen-keys, libpam-google-authenticator"
+DEPENDS = "customizations sshd-regen-keys"
+DEBIAN_DEPENDS = "customizations, sshd-regen-keys, libpam-google-authenticator, libpam-modules, libpam-runtime, auditd"
+
+# Package names based on the distro version
+DEBIAN_DEPENDS:append:buster = ", libpam-cracklib"
+DEBIAN_DEPENDS:append:bullseye = ", libpam-cracklib"
+DEBIAN_DEPENDS:append:bookworm = ", libpam-passwdqc"
do_install[cleandirs] += "${D}/etc/ssh/sshd_config.d/"
do_install () {
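Review bot: DEBIAN_DEPENDS gains libpam-modules, which was not in the IMAGE_PREINSTALL list removed from cip-core-image-security.bb and is not mentioned in the commit message; say why it is added. The buster and bullseye appends are identical and could be merged, and the DEPENDS comma fix in this hunk belongs in 4/9, where the line was introduced.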
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (6 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 7/9] cip-core-image-security: Move packages to security-customization Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf Quirin Gylstorff
` (2 subsequent siblings)
10 siblings, 0 replies; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This is to simplify maintenance.
Also extract serial getty override and sshd_config
changes from postinstall to separate files.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
.../kernelci-customizations/files/postinst | 11 -----------
.../files/serial-getty-kernelci-override.conf | 3 +++
.../files/ssh-permit-empty-passwords.conf | 2 ++
.../kernelci-customizations.bb | 18 ++++++++++++++----
4 files changed, 19 insertions(+), 15 deletions(-)
create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
diff --git a/recipes-core/kernelci-customizations/files/postinst b/recipes-core/kernelci-customizations/files/postinst
index 7ae30e8..08544a4 100644
--- a/recipes-core/kernelci-customizations/files/postinst
+++ b/recipes-core/kernelci-customizations/files/postinst
@@ -15,20 +15,9 @@
echo "CIP Core Demo & Test Image" > /etc/issue
# permit root login without password
-echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
-echo "PermitEmptyPasswords yes" >> /etc/ssh/sshd_config
passwd root -d
-# serial getty service for autologin
-mkdir -p /etc/systemd/system/serial-getty@.service.d/
-echo "[Service]" > /etc/systemd/system/serial-getty@.service.d/override.conf
-echo "ExecStart=" >> /etc/systemd/system/serial-getty@.service.d/override.conf
-echo "ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM" >> /etc/systemd/system/serial-getty@.service.d/override.conf
-
# set the profile for KernelCI
echo "PS1='\$(pwd) # '" > /root/.profile
echo "cd /" >> /root/.profile
-HOSTNAME=demo
-echo "$HOSTNAME" > /etc/hostname
-echo "127.0.0.1 $HOSTNAME" >> /etc/hosts
diff --git a/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
new file mode 100644
index 0000000..a1472c5
--- /dev/null
+++ b/recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin root --keep-baud 115200,38400,9600 %I $TERM
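Review bot: $TERM changes meaning in this file. The removed postinst wrote the line with echo inside double quotes, so the shell expanded $TERM when postinst ran; as a static file the unit now contains the literal $TERM for systemd to expand at service start. That is probably the intended result, but it is a behaviour change and should be stated in the commit message.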
diff --git a/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
new file mode 100644
index 0000000..b958fec
--- /dev/null
+++ b/recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
@@ -0,0 +1,2 @@
+PermitEmptyPasswords yes
+
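Review bot: PermitEmptyPasswords yes, together with passwd root -d in postinst and PermitRootLogin yes from the customizations dependency, gives root SSH access with no credential, and nothing in the file says so. Add a comment line stating that it is for KernelCI test images only, and drop the trailing blank line, which git flags as a blank line at EOF.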
diff --git a/recipes-core/kernelci-customizations/kernelci-customizations.bb b/recipes-core/kernelci-customizations/kernelci-customizations.bb
index f972be5..3a99884 100644
--- a/recipes-core/kernelci-customizations/kernelci-customizations.bb
+++ b/recipes-core/kernelci-customizations/kernelci-customizations.bb
@@ -11,13 +11,23 @@
# SPDX-License-Identifier: MIT
#
-require recipes-core/customizations/common.inc
+inherit dpkg-raw
DESCRIPTION = "CIP Core KernelCI image customizations"
-SRC_URI += "file://dmesg.sh"
+DEPENDS += "customizations"
+DEBIAN_DEPENDS += "customizations"
-do_install:append() {
- install -v -d ${D}/opt/kernelci
+SRC_URI = "file://postinst \
+ file://dmesg.sh \
+ file://serial-getty-kernelci-override.conf \
+ file://ssh-permit-empty-passwords.conf"
+
+do_install[cleandirs] = "${D}/opt/kernelci/ \
+ ${D}/etc/systemd/system/serial-getty@.service.d/ \
+ ${D}/etc/ssh/sshd_config.d/"
+do_install() {
install -v -m 744 ${WORKDIR}/dmesg.sh ${D}/opt/kernelci/
+ install -v -m 644 ${WORKDIR}/serial-getty-kernelci-override.conf ${D}/etc/systemd/system/serial-getty@.service.d/serial-getty-kernelci-override.conf
+ install -v -m 600 ${WORKDIR}/ssh-permit-empty-passwords.conf ${D}/etc/ssh/sshd_config.d/ssh-permit-empty-passwords.conf
}
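Review bot: do_install[cleandirs] is assigned with = here, while 3/9 and 6/9 use +=; use += unless discarding existing entries is intended. A similar question applies to DEBIAN_DEPENDS += "customizations": += joins with a space, so if the variable already has a value the result lacks the comma that the Debian Depends field needs (7/9 writes its appends as ", name").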
--
2.42.0
* [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
2023-10-31 8:37 [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Quirin Gylstorff
` (7 preceding siblings ...)
2023-10-31 8:37 ` [cip-dev][isar-cip-core][RFC v2 8/9] customization-kernelci: Add dependency to customizations Quirin Gylstorff
@ 2023-10-31 8:37 ` Quirin Gylstorff
2024-04-04 11:08 ` MOESSBAUER, Felix
2023-11-03 9:11 ` [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations Venkata.Pyla
2023-11-03 9:38 ` Jan Kiszka
10 siblings, 1 reply; 13+ messages in thread
From: Quirin Gylstorff @ 2023-10-31 8:37 UTC (permalink / raw)
To: jan.kiszka, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
This ensures that all images are built reproducibly.
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
conf/layer.conf | 2 ++
kas/opt/reproducible.yml | 1 -
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/conf/layer.conf b/conf/layer.conf
index 2c888b2..82b4084 100644
--- a/conf/layer.conf
+++ b/conf/layer.conf
@@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}"
LAYERDIR_cip-core[vardepvalue] = "isar-cip-core"
IMAGE_CLASSES += "squashfs verity swupdate"
+
+SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
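Review bot: the command ends in "| tr -d '\n'", so the pipeline's exit status is that of tr, and a failing git (layer unpacked from a tarball, git not installed) yields an empty SOURCE_DATE_EPOCH instead of a parse error. That was tolerable as an opt-in in reproducible.yml; now that layer.conf applies it to every build, strip the newline in Python (.strip() on the command output) so a git failure is reported, or provide a fallback value.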
diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
index 5d6a896..bc71f28 100644
--- a/kas/opt/reproducible.yml
+++ b/kas/opt/reproducible.yml
@@ -13,5 +13,4 @@ header:
local_conf_header:
reproducible-builds: |
- SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
WIC_DEPLOY_PARTITIONS = "1"
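Review bot: after this removal the reproducible-builds block in kas/opt/reproducible.yml only sets WIC_DEPLOY_PARTITIONS = "1", so selecting the option no longer decides whether SOURCE_DATE_EPOCH is set. The documentation for this option should say what it still does, and the commit message should state that the timestamp now also applies to builds that do not select it.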
--
2.42.0
* RE: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
From: Venkata.Pyla @ 2023-11-03 9:11 UTC (permalink / raw)
To: cip-dev, jan.kiszka, dinesh.kumar, kazuhiro3.hayashi
> -----Original Message-----
> From: cip-dev@lists.cip-project.org <cip-dev@lists.cip-project.org> On Behalf
> Of Quirin Gylstorff via lists.cip-project.org
> Sent: Tuesday, October 31, 2023 2:08 PM
> To: jan.kiszka@siemens.com; cip-dev@lists.cip-project.org; pyla
> venkata(TSIP TMIEC ODG Porting) <Venkata.Pyla@toshiba-tsip.com>;
> dinesh kumar(TSIP TMIEC ODG Porting) <dinesh.kumar@toshiba-
> tsip.com>; hayashi kazuhiro(林 和宏 DME ○DIG□MPS○MP4)
> <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
>
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> cleanup the customizations scripts by:
> - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
> - Move systemd service overrides to files instead of setting it in
> postinst
> - fix formatting
> - fix scripting error in security customizations
>
> Changes v2:
> - Remove explicit installation of libtss2-esys* as it is required by
> tpm2-tools.
LGTM, I don't have any other comments thanks.
> - Add note about used style checker
>
> Quirin Gylstorff (9):
> scripts/deploy-kernelci: Format python code and remove unused import
> customizations: Add variable to set the HOSTNAME
> customizations: Move ssh configuration from postinst to sshd_config.d
> security-customizations: Add dependency to customizations
> security-customizations: Fix shell error
> security-customizations: Extract sshd config from postinst to files
> cip-core-image-security: Move packages to security-customization
> customization-kernelci: Add dependency to customizations
> kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
>
> conf/layer.conf | 2 ++
> kas/opt/reproducible.yml | 1 -
> kas/opt/security.yml | 2 ++
> recipes-core/customizations/common.inc | 6 +++-
> recipes-core/customizations/customizations.bb | 10 ++++++
> .../files/{postinst => postinst.tmpl} | 8 ++---
> .../customizations/files/ssh-permit-root.conf | 1 +
> .../images/cip-core-image-security.bb | 12 +------
> .../kernelci-customizations/files/postinst | 11 -------
> .../files/serial-getty-kernelci-override.conf | 3 ++
> .../files/ssh-permit-empty-passwords.conf | 2 ++
> .../kernelci-customizations.bb | 18 ++++++++---
> .../security-customizations/files/postinst | 24 ++------------
> .../files/ssh-pam-remote.conf | 4 +++
> .../files/ssh-remote-session-term.conf | 5 +++
> .../security-customizations.bb | 22 ++++++++++---
> scripts/deploy-kernelci.py | 31 ++++++++++---------
> 17 files changed, 86 insertions(+), 76 deletions(-) rename recipes-
> core/customizations/files/{postinst => postinst.tmpl} (62%) create mode
> 100644 recipes-core/customizations/files/ssh-permit-root.conf
> create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-
> kernelci-override.conf
> create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-
> empty-passwords.conf
> create mode 100644 recipes-core/security-customizations/files/ssh-pam-
> remote.conf
> create mode 100644 recipes-core/security-customizations/files/ssh-remote-
> session-term.conf
>
> --
> 2.42.0
* Re: [cip-dev][isar-cip-core][RFC v2 0/9] cleanup of customizations
From: Jan Kiszka @ 2023-11-03 9:38 UTC (permalink / raw)
To: Quirin Gylstorff, cip-dev, venkata.pyla, dinesh.kumar, kazuhiro3.hayashi
On 31.10.23 09:37, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> cleanup the customizations scripts by:
> - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
> - Move systemd service overrides to files instead of setting it in
> postinst
> - fix formatting
> - fix scripting error in security customizations
>
> Changes v2:
> - Remove explicit installation of libtss2-esys* as it is required by
> tpm2-tools.
> - Add note about used style checker
>
> Quirin Gylstorff (9):
> scripts/deploy-kernelci: Format python code and remove unused import
> customizations: Add variable to set the HOSTNAME
> customizations: Move ssh configuration from postinst to sshd_config.d
> security-customizations: Add dependency to customizations
> security-customizations: Fix shell error
> security-customizations: Extract sshd config from postinst to files
> cip-core-image-security: Move packages to security-customization
> customization-kernelci: Add dependency to customizations
> kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
>
> conf/layer.conf | 2 ++
> kas/opt/reproducible.yml | 1 -
> kas/opt/security.yml | 2 ++
> recipes-core/customizations/common.inc | 6 +++-
> recipes-core/customizations/customizations.bb | 10 ++++++
> .../files/{postinst => postinst.tmpl} | 8 ++---
> .../customizations/files/ssh-permit-root.conf | 1 +
> .../images/cip-core-image-security.bb | 12 +------
> .../kernelci-customizations/files/postinst | 11 -------
> .../files/serial-getty-kernelci-override.conf | 3 ++
> .../files/ssh-permit-empty-passwords.conf | 2 ++
> .../kernelci-customizations.bb | 18 ++++++++---
> .../security-customizations/files/postinst | 24 ++------------
> .../files/ssh-pam-remote.conf | 4 +++
> .../files/ssh-remote-session-term.conf | 5 +++
> .../security-customizations.bb | 22 ++++++++++---
> scripts/deploy-kernelci.py | 31 ++++++++++---------
> 17 files changed, 86 insertions(+), 76 deletions(-)
> rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
> create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
> create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
> create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
> create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
> create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
>
Thanks, applied.
Jan
--
Siemens AG, Technology
Linux Expert Center
* Re: [cip-dev][isar-cip-core][RFC v2 9/9] kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
From: MOESSBAUER, Felix @ 2024-04-04 11:08 UTC (permalink / raw)
To: cip-dev, quirin.gylstorff, Kiszka, Jan, dinesh.kumar,
venkata.pyla, kazuhiro3.hayashi
On Tue, 2023-10-31 at 09:37 +0100, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
>
> This ensures that all images are built reproducibly.
>
> Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> ---
> conf/layer.conf | 2 ++
> kas/opt/reproducible.yml | 1 -
> 2 files changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/conf/layer.conf b/conf/layer.conf
> index 2c888b2..82b4084 100644
> --- a/conf/layer.conf
> +++ b/conf/layer.conf
> @@ -24,3 +24,5 @@ LAYERDIR_cip-core = "${LAYERDIR}"
> LAYERDIR_cip-core[vardepvalue] = "isar-cip-core"
>
> IMAGE_CLASSES += "squashfs verity swupdate"
> +
> +SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-core}
This change needs to be reverted, as it is too invasive.
The layer.conf is read after the local conf. By that, there is no way
for a downstream user to set it to a different value.
In fact, all downstream images now have a SDE based on the commit date
of CIP.
@Jan: please revert.
Felix
> log -1 --pretty=%ct | tr -d '\n'")[0]}"
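Review bot: in the added SOURCE_DATE_EPOCH line, git's exit status is lost because its output is piped into tr. A pipeline reports the status of its last command, so when ${LAYERDIR_cip-core} is not a git checkout (an unpacked tarball, for example) the variable silently becomes an empty string. Dropping the pipe and stripping the newline in Python, with `.strip()` on the returned output, would let bb.process.run see git's exit status.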
> diff --git a/kas/opt/reproducible.yml b/kas/opt/reproducible.yml
> index 5d6a896..bc71f28 100644
> --- a/kas/opt/reproducible.yml
> +++ b/kas/opt/reproducible.yml
> @@ -13,5 +13,4 @@ header:
>
> local_conf_header:
> reproducible-builds: |
> - SOURCE_DATE_EPOCH := "${@bb.process.run("git -C ${LAYERDIR_cip-
> core} log -1 --pretty=%ct | tr -d '\n'")[0]}"
> WIC_DEPLOY_PARTITIONS = "1"
--
Siemens AG, Technology
Linux Expert Center