From: "Gaël PORTAY" <gael.portay+rtone@gmail.com>
To: "Romain Naour" <romain.naour@smile.fr>, <buildroot@buildroot.org>
Subject: Re: [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services
Date: Sun, 09 Feb 2025 21:57:47 +0100
Message-ID: <D7O7SCG0RDZI.3K368TWRGA1IB@gmail.com>
In-Reply-To: <5e87541e-bde2-4a3b-975e-3897de1f5ae1@smile.fr>
Hello Romain,
On Wed Feb 5, 2025 at 11:30 AM CET, Romain Naour wrote:
> Hello Gaël, All,
>
> On 04/02/2025 at 10:29, Gaël PORTAY wrote:
>> TL;DR; This ignores the tmpfiles.d credential services since these lines
>> import credential contents from the host. It intends to shut down the
>> error attached at the end of the commit message.
>>
>> Note: The issue happens if the host system has credential services (i.e.
>> CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY set in its host
>> environment) and if the target is set up to run systemd on a read-only
>> filesystem:
>>
>> BR2_INIT_SYSTEMD=y
>> BR2_INIT_SYSTEMD_POPULATE_TMPFILES=y
>
> I think it could be reproduced using InitSystemSystemdBaseOverlayfs test when
> the host sets CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY.
>
> Maybe we could extend the systemd tests to catch this peculiar use case by
> setting one of these options in the environment?
>
It is a good case to let me dig and use the automated tests.
>>
>> Fixes:
>>
>> >>> Generating filesystem image rootfs.ext2
>> (... TMPDIR= TEMP= TMP= /home/gportay/src/buildroot/output/host/bin/systemd-tmpfiles --create --boot --root=/home/gportay/src/buildroot/output/build/buildroot-fs/ext2/target --exclude-prefix=/dev --exclude-prefix=/proc --exclude-prefix=/run --exclude-prefix=/sys --exclude-prefix=/tmp --exclude-prefix=/mnt -)
>> ignored spec: h /var/log/journal/%m - - - - +C
>> Failed to read credential 'login.motd': Permission denied
>> Failed to read credential 'login.issue': Permission denied
>> Failed to read credential 'network.hosts': Permission denied
>> Failed to read credential 'ssh.authorized_keys.root': Permission denied
>> ignored spec: x /var/tmp/systemd-private-%b-*
>> ignored spec: X /var/tmp/systemd-private-%b-*/tmp
>> ignored spec: x /var/lib/systemd/coredump/.#core*.%b*
>> ignored spec: z /var/log/journal/%m 2755 root systemd-journal - -
>> ignored spec: z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
>
> It's not clear if they are harmful errors or not?
> Is rootfs.ext2 generated and does the build succeed?
>
They are! systemd-tmpfiles fails, then the script fails and make is
halted (not continuing the build).
I should have copy/pasted the last line saying it (I will do it in v1).
>> Important: The issue happened on my setup for a while (256.8) and it has
>> silently disappeared without saying goodbye (257.2 as of today).
>> Therefore, I cannot reproduce it in a true situation as the environment
>> CREDENTIALS_DIRECTORY is not set anymore. I have no idea if it was a
>> host package misconfiguration, who knows. However, one can fake it using
>> the command below:
>>
>> CREDENTIALS_DIRECTORY=/run/credentials/getty@tty1.service make
>
> Usually you should avoid using 'I' in the commit log, it's fine only under the
> --- sign below. This information should be in the commit log since it explains
> how to reproduce the issue.
>
Usually, I never use I/you/we... in commit messages; this was an
exception because it is an RFC (I have not planned to write something
after the ---, and I did it in the end...).
I do not know how to keep such temporary things in the commits for "WIP"
commits.
So you are right, I should have moved it before sending the mail; because
there is a high chance I forgot to remove it.
>> +# disable credential host services (since v252)
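Review bot: the added comment "disable credential host services (since v252)" gives a version without naming the component it belongs to and does not say why the entries are disabled. Name the component explicitly and state the reason, namely that systemd-tmpfiles otherwise tries to read host credentials during image generation and stops with "Failed to read credential '...': Permission denied" when CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY is set on the build host.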
>
> Can you extend this comment to explain that it allows avoiding errors during the
> image build?
>
Okay, will do.
> Best regards,
> Romain
>
Regards,
Gaël
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot