From: ChenQi <Qi.Chen@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
Date: Mon, 29 Jul 2013 09:55:05 +0800
Message-ID: <51F5CB79.6080101@windriver.com>
In-Reply-To: <5dc3be245a9757c51dadd7ce446c5116ce79496d.1374642547.git.Qi.Chen@windriver.com>
Thanks for all the reviews and comments.
I'll drop this patch and send out a version 2 of this patchset.
Best Regards,
Chen Qi
On 07/26/2013 03:39 PM, Qi.Chen@windriver.com wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.
>
> This change only has effect for systems with read-only rootfs.
>
> [YOCTO #4103]
> [YOCTO #4887]
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/classes/image.bbclass | 15 +++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 10 +++++++---
> meta/recipes-core/dropbear/dropbear.inc | 6 +++++-
> meta/recipes-core/dropbear/dropbear/init | 19 ++-----------------
> 4 files changed, 29 insertions(+), 21 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 3bc57d3..9a0692a 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -263,6 +263,21 @@ read_only_rootfs_hook () {
> if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
> ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
> fi
> + # Generate ssh keys at rootfs time
> + if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> + [ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
> + DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> + DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> + test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> + test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
> + dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
> + dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
> + fi
> + if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
> + fi
> fi
> }
>
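Review bot: generating the host keys in read_only_rootfs_hook bakes one set of private keys into the image, so every device flashed from that image shares identical SSH host keys; that defeats host authentication (whoever extracts the key from one device or from the image file can impersonate all of them) and leaves private key material in a build artefact that is typically copied around freely. For a read-only rootfs the per-device keys should still be generated once per device on first boot into a writable location (the /var/lib/dropbear fallback the last hunk of this series removes), or at least the hook should be opt-in and documented as producing shared keys. Two smaller points in the same hunk: `. ${IMAGE_ROOTFS}/etc/default/dropbear` sources a target configuration file into the build shell, and `ssh-keygen` prompts before overwriting an existing key file, so the hook should test for each key file before calling the generators.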
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..40dc4ca 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>
> PR = "r0"
>
> -DEPENDS = "zlib openssl"
> +DEPENDS = "zlib openssl openssh-native"
> +DEPENDS_class-native = "zlib-native openssl-native"
> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> RPROVIDES_${PN}-ssh = "ssh"
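Review bot: `ssh-keygen` is invoked from image.bbclass, not from this recipe, so adding `openssh-native` to the target recipe's DEPENDS expresses the dependency in the wrong place; it only works because the tool happens to be staged into the shared native sysroot before do_rootfs runs. The dependency should be declared by the image (or the class that calls the tool), and the same applies to `dropbear-native`.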
> @@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
> INITSCRIPT_NAME_${PN}-sshd = "sshd"
> INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
>
> -PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG_class-target ??= "tcp-wrappers"
> PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>
> inherit autotools
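Review bot: switching to `PACKAGECONFIG_class-target ??=` leaves the native variant with an empty PACKAGECONFIG and therefore no tcp-wrappers dependency; that looks intended, but a one-line comment saying the native build only exists to provide ssh-keygen would make it clear.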
> @@ -49,6 +50,7 @@ inherit autotools
> # LFS support:
> CFLAGS += "-D__FILE_OFFSET_BITS=64"
> export LD = "${CC}"
> +export LD_class-native = "${CC}"
>
> EXTRA_OECONF = "--with-rand-helper=no \
> ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
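Review bot: `export LD = "${CC}"` two lines above already applies to every class, so `export LD_class-native = "${CC}"` is redundant unless something sets LD differently for native; either drop it or note what it works around.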
> @@ -74,7 +76,7 @@ do_compile_append () {
> install -m 0644 ${WORKDIR}/ssh_config ${S}/
> }
>
> -do_install_append () {
> +do_install_append_class-target () {
> for i in ${DISTRO_FEATURES};
> do
> if [ ${i} = "pam" ]; then
> @@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>
> RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +RDEPENDS_${PN}_class-native = ""
>
> CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> @@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
> ALTERNATIVE_${PN}-scp = "scp"
> ALTERNATIVE_${PN}-ssh = "ssh"
>
> +BBCLASSEXTEND = "native"
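Review bot: `BBCLASSEXTEND = "native"` builds all of OpenSSH (sshd, PAM and tcp-wrappers handling included) on the host just to obtain ssh-keygen; since do_install_append is now target-only, the native variant's do_install should be limited to the keygen binary, or the commit message should state that a full native OpenSSH is accepted as the cost.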
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index be93d60..381b8aa 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -9,11 +9,13 @@ INC_PR = "r1"
> LICENSE = "MIT"
> LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
>
> -DEPENDS = "zlib"
> +DEPENDS = "zlib dropbear-native"
> RPROVIDES_${PN} = "ssh sshd"
>
> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> +DEPENDS_class-native = "zlib-native"
> +
> SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
> file://0001-urandom-xauth-changes-to-options.h.patch \
> file://0002-static_build_fix.patch \
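Review bot: `DEPENDS_class-native = "zlib-native"` is an override assignment placed after the `DEPENDS += ...libpam...` line, so the PAM dependency is silently dropped for the native build; that is the desired result, but it depends on assignment order and deserves a comment next to it.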
> @@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
> rm ${sysconfdir}/dropbear/dropbear_dss_host_key
> fi
> }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
> index e8fed3f..5140b0b 100755
> --- a/meta/recipes-core/dropbear/dropbear/init
> +++ b/meta/recipes-core/dropbear/dropbear/init
> @@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
> test -x "$DAEMON" || exit 0
> test ! -h /var/service/dropbear || exit 0
>
> -readonly_rootfs=0
> -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
> - case $flag in
> - ro)
> - readonly_rootfs=1
> - ;;
> - esac
> -done
> -
> -if [ $readonly_rootfs = "1" ]; then
> - mkdir -p /var/lib/dropbear
> - DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
> - DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
> -else
> - DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> - DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> -fi
> +DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
>
> test -z "$DROPBEAR_BANNER" || \
> DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
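Review bot: this hunk removes the read-only rootfs detection and the /var/lib/dropbear fallback unconditionally, so on a read-only rootfs whose image was built without the new hook (or where /etc/dropbear has no keys) dropbear will try to write under /etc and fail at boot; that also contradicts the commit message, which says the change only affects read-only systems. If the build-time generation stays, the init script should keep the writable fallback for the case where no key is present.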
Thread overview:
2013-07-26 7:39 [PATCH 0/9] Make read-only rootfs work well with live images Qi.Chen
2013-07-26 7:39 ` [PATCH 1/9] init-live.sh: make $ROOT_MOUNT/media writable when necessary Qi.Chen
2013-07-26 7:39 ` [PATCH 2/9] use a uniform way to determine whether rootfs is read-only Qi.Chen
2013-07-26 7:39 ` [PATCH 3/9] udev: remove implicit dependency on initscripts Qi.Chen
2013-07-26 7:39 ` [PATCH 4/9] populate-volatile.sh: use $ROOT_DIR/var/volatile/tmp as TMPDIR Qi.Chen
2013-07-26 7:39 ` [PATCH 5/9] runqemu-internal: fix to start X correctly in live images Qi.Chen
2013-07-26 7:39 ` [PATCH 6/9] initscripts: use a uniform way to handle directories in read-only rootfs Qi.Chen
2013-07-26 7:39 ` [PATCH 7/9] irda-utils: make /etc/sysconfig writable " Qi.Chen
2013-07-26 7:39 ` [PATCH 8/9] lighttpd: make /www diretory " Qi.Chen
2013-07-26 7:39 ` [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a " Qi.Chen
2013-07-26 9:28 ` Martin Jansa
2013-07-26 9:52 ` Phil Blundell
2013-07-26 11:08 ` Mike Looijmans
2013-07-26 11:22 ` Burton, Ross
2013-07-26 10:39 ` Enrico Scholz
2013-07-29 1:55 ` ChenQi [this message]