Injecting public key into openbmc image for CI integration

Injecting public key into openbmc image for CI integration

[Verdun, Jean-Marie]

[-- Attachment #1: Type: text/plain, Size: 2359 bytes --]

Hi,

I am working at bridging osfci.tech interactive CI to a testing automation framework as to scale basic testing and offer both mode. I spent some time looking at various options, and must admit that I am curious to look at the contest framework that facebook published a couple of months ago (https://github.com/facebookincubator/contest). It is written in Go like many part of osfci, and seems to be lightweight as well as easy to understand.

One of the challenge to use it might be that there is no published test, and we might have to write some, but that is mostly the case with the many other framework I looked at.

As to manage such framework osfci will work in a client server mode, and I was looking at launching command through ssh (this assume that the network stack is properly setup on openbmc and linuxboot, but the CI is soon able to identify such failure), and using a private/public key solution.

I looked into openbmc and it doesn’t seem that there is any standard recipes to create a test user and inject into the account a public key. Does I am wrong ? I wrote a very basic recipe to make it happens, and was wondering if it could be relevant to upstream it ?

OSFCI workflow is starting from a github repo and a branch. I would like to avoid as much as possible to patch the input provided by the end user with a recipe which would be required to inject the public key before that the build happens. Does anybody else ever met such requirement ? If yes how did you addressed it ?

Right now the stack is able to:

  *   Get a github repo and a branch from openbmc , compile it and generate a ready to use OpenBMC HPE image
  *   Get a github repo and a branch from linuxboot, compile it and generate a ready to use host bios HPE image
  *   Provide a USB installed O/S image to validate that O/S installer works and we could deploy linux on the newly create firmware stack
  *   Boot these images on a physical machine to validate that everything starts smoothly
  *   All of this is under the control of the end user through interactive session, the next step is to automatize everything and focus on writing test. Right now every user actions are performed through the control of a web API written in go which is dispatching commands to the relevant backend systems

Thanks, have a great day,

vejmarie


[-- Attachment #2: Type: text/html, Size: 7984 bytes --]

Re: Injecting public key into openbmc image for CI integration

[Patrick Williams]

[-- Attachment #1: Type: text/plain, Size: 1434 bytes --]

On Tue, Oct 06, 2020 at 05:45:07PM +0000, Verdun, Jean-Marie wrote:
Hi JM,

> I looked into openbmc and it doesn’t seem that there is any standard recipes to create a test user and inject into the account a public key. Does I am wrong ? I wrote a very basic recipe to make it happens, and was wondering if it could be relevant to upstream it ?

Yocto already has the 'extrausers' bbclass, which is typically inherited
by an image in order to add additional users.  What you are asking for
is slightly more than that because you also want an SSH pubkey, but it
doesn't seem to support that out of the box (it appears as if
EXTRA_USERS_PARAMS is a variable containing a shell-snippet, but the
bbclass explicitly prohibits arbitrary commands).  I think you could add
a new package to add your SSH key though.

What I would suggest you do is:

    - Create a bbclass that:
        1. leverages EXTRA_USERS_PARAMS to add your test user.
        2. adds a package to the image RDEPENDS to include your test ssh keys.

    - Submit said bbclass upstream here.

    - When you build your test images, append to conf/local.conf an
      INHERIT += "your-test-key.bbclass".

This will give others a pattern to follow for other networks /
configurations (by upstreaming it) and allow you to build special images
for test that include what you want and mostly leverage existing Yocto
hooks.

-- 
Patrick Williams

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Injecting public key into openbmc image for CI integration

[Verdun, Jean-Marie]

Hi Patrick,

Thanks for the feedback. I will follow your recommendations. I did implemented my initial recipes by using the extra users params to create the test user. So I will integrate that into a bbclass and propose a solution to upstream this code.

vejmarie

On 10/6/20, 7:01 PM, "Patrick Williams" <patrick@stwcx.xyz> wrote:

    On Tue, Oct 06, 2020 at 05:45:07PM +0000, Verdun, Jean-Marie wrote:
    Hi JM,

    > I looked into openbmc and it doesn’t seem that there is any standard recipes to create a test user and inject into the account a public key. Does I am wrong ? I wrote a very basic recipe to make it happens, and was wondering if it could be relevant to upstream it ?

    Yocto already has the 'extrausers' bbclass, which is typically inherited
    by an image in order to add additional users.  What you are asking for
    is slightly more than that because you also want an SSH pubkey, but it
    doesn't seem to support that out of the box (it appears as if
    EXTRA_USERS_PARAMS is a variable containing a shell-snippet, but the
    bbclass explicitly prohibits arbitrary commands).  I think you could add
    a new package to add your SSH key though.

    What I would suggest you do is:

        - Create a bbclass that:
            1. leverages EXTRA_USERS_PARAMS to add your test user.
            2. adds a package to the image RDEPENDS to include your test ssh keys.

        - Submit said bbclass upstream here.

        - When you build your test images, append to conf/local.conf an
          INHERIT += "your-test-key.bbclass".

    This will give others a pattern to follow for other networks /
    configurations (by upstreaming it) and allow you to build special images
    for test that include what you want and mostly leverage existing Yocto
    hooks.

    -- 
    Patrick Williams