* [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services
@ 2025-02-04 9:29 Gaël PORTAY
2025-02-05 10:30 ` Romain Naour via buildroot
0 siblings, 1 reply; 3+ messages in thread
From: Gaël PORTAY @ 2025-02-04 9:29 UTC (permalink / raw)
To: buildroot; +Cc: Gaël PORTAY
TL;DR; This ignores the tmpfiles.d credential services since these lines
import credential contents from the host. It intends to shutdown the
error attached in the end of the commit message.
Note: The issue happens if the host system has credential services (i.e.
CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY set in its host
environment) and if the target is setup to run systemd on a read-only
filesystem:
BR2_INIT_SYSTEMD=y
BR2_INIT_SYSTEMD_POPULATE_TMPFILES=y
Let's step back a bit..
The script package/skeleton-init-systemd/fakeroot_tmpfiles.sh has been
introduced by the commit d18176396a (package/skeleton-systemd: host the
tmpfiles preparation script) to address at buildtime the creation of the
runtime tmpfiles for the targets using read-only filesystem. It uses
tmpfiles.d underneath.
systemd has introduced Credentials in tmpfiles.d since a v252[3]. The
lines starting by a charet[4], reads data from the credential host
service defined by the name set in the 6th argument.
See tmpfiles.d(5)[1]:
If the caret character ("^") is used, the argument (i.e. 6th)
column takes a service credential name to read the argument data
from. See System and Service Credentials[2] for details about
the credentials concept. This modifier is only supported on line
types that can write file contents, i.e. f, f+, w, w+. This is
useful for writing arbitrary files with contents sourced from
elsewhere, including from VM or container managers further up.
If the specified credential is not set for the systemd-tmpfiles
service, the line is silently skipped. If "^" and "~" are
combined Base64 decoding is applied to the credential contents.
The credentials data are pulled by the tmpfiles.d provision.conf[5] if
the either CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY are
set in the user environment; the files located in these directories
belong to root and thus cause tmpfiles.d to end with a Permission
denied.
gportay@archlinux ~ $ echo $CREDENTIALS_DIRECTORY
/run/credentials/getty@tty1.service
This fixes the error below attached below by ignoring any credential
services by unsetting the two credential environment variables
CREDENTIALS_DIRECTORY and ENCRYPTED_CREDENTIALS_DIRECTORY before running
tmpfiles.d.
Fixes:
>>> Generating filesystem image rootfs.ext2
(... TMPDIR= TEMP= TMP= /home/gportay/src/buildroot/output/host/bin/systemd-tmpfiles --create --boot --root=/home/gportay/src/buildroot/output/build/buildroot-fs/ext2/target --exclude-prefix=/dev --exclude-prefix=/proc --exclude-prefix=/run --exclude-prefix=/sys --exclude-prefix=/tmp --exclude-prefix=/mnt -)
ignored spec: h /var/log/journal/%m - - - - +C
Failed to read credential 'login.motd': Permission denied
Failed to read credential 'login.issue': Permission denied
Failed to read credential 'network.hosts': Permission denied
Failed to read credential 'ssh.authorized_keys.root': Permission denied
ignored spec: x /var/tmp/systemd-private-%b-*
ignored spec: X /var/tmp/systemd-private-%b-*/tmp
ignored spec: x /var/lib/systemd/coredump/.#core*.%b*
ignored spec: z /var/log/journal/%m 2755 root systemd-journal - -
ignored spec: z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
gportay@archlinux ~ $ systemctl --version
systemd 256 (256.8-1-arch)
+PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE
gportay@archlinux ~ $ echo $CREDENTIALS_DIRECTORY
/run/credentials/getty@tty1.service
Important: The issue happened on my setup for a while (256.8) and it has
silently disappeared without saying goodbye (257.2 as of today).
Therefore, I cannot reproduce it in a true situation as the environment
CREDENTIALS_DIRECTORY is not set anymore. I have no idea if it was an
host package misconfiguration, who knows. However, one can fake it using
the command below:
CREDENTIALS_DIRECTORY=/run/credentials/getty@tty1.service make
[1]: https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type%20Modifiers
[2]: https://systemd.io/CREDENTIALS/
[3]: https://github.com/systemd/systemd/commit/1d77721f30a821464cd715a63b89ef18419de7b0
[4]: https://github.com/systemd/systemd/commit/e52f6f6358e515f55c26c5aed1eb2dc1fbc8efec
[5]: https://github.com/systemd/systemd/blob/v256/tmpfiles.d/provision.conf
Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
---
Hello,
Despiste the fact the issue has gone, I do think the scripts should
sanitize the environment before running tmpfiles.d.
Note: I have not found a way to disable the credential with the CLI,
therefore, I came to the conclusion that unset the variables is the only
way to fix that issue.
Regards,
Gaël
package/skeleton-init-systemd/fakeroot_tmpfiles.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/package/skeleton-init-systemd/fakeroot_tmpfiles.sh b/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
index 8c28ccfa14..88dd27a006 100755
--- a/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
+++ b/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
@@ -30,6 +30,10 @@
[ -n "${1-}" -a -d "${1-}"/usr/lib/tmpfiles.d ] ||
{ echo 1>&2 "$0: need ROOTFS argument"; exit 1; }
+# disable credential host services (since v252)
+unset CREDENTIALS_DIRECTORY
+unset ENCRYPTED_CREDENTIALS_DIRECTORY
+
${HOST_SYSTEMD_TMPFILES} --no-pager --cat-config --root="$1" |
sed -e '/^[[:space:]]*#/d' -e 's,^[[:space:]]*,,' -e '/^$/d' |
while read -r line; do
--
2.48.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services
2025-02-04 9:29 [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services Gaël PORTAY
@ 2025-02-05 10:30 ` Romain Naour via buildroot
2025-02-09 20:57 ` Gaël PORTAY
0 siblings, 1 reply; 3+ messages in thread
From: Romain Naour via buildroot @ 2025-02-05 10:30 UTC (permalink / raw)
To: Gaël PORTAY, buildroot
Hello Gaël, All,
Le 04/02/2025 à 10:29, Gaël PORTAY a écrit :
> TL;DR; This ignores the tmpfiles.d credential services since these lines
> import credential contents from the host. It intends to shutdown the
> error attached in the end of the commit message.
>
> Note: The issue happens if the host system has credential services (i.e.
> CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY set in its host
> environment) and if the target is setup to run systemd on a read-only
> filesystem:
>
> BR2_INIT_SYSTEMD=y
> BR2_INIT_SYSTEMD_POPULATE_TMPFILES=y
I think it could be reproduced using InitSystemSystemdBaseOverlayfs test when
the host set CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY.
Maybe we could extend the systemd tests to catch this peculiar use case by
setting one of theses option in the environment?
>
> Let's step back a bit..
>
> The script package/skeleton-init-systemd/fakeroot_tmpfiles.sh has been
> introduced by the commit d18176396a (package/skeleton-systemd: host the
> tmpfiles preparation script) to address at buildtime the creation of the
> runtime tmpfiles for the targets using read-only filesystem. It uses
> tmpfiles.d underneath.
>
> systemd has introduced Credentials in tmpfiles.d since a v252[3]. The
> lines starting by a charet[4], reads data from the credential host
> service defined by the name set in the 6th argument.
>
> See tmpfiles.d(5)[1]:
>
> If the caret character ("^") is used, the argument (i.e. 6th)
> column takes a service credential name to read the argument data
> from. See System and Service Credentials[2] for details about
> the credentials concept. This modifier is only supported on line
> types that can write file contents, i.e. f, f+, w, w+. This is
> useful for writing arbitrary files with contents sourced from
> elsewhere, including from VM or container managers further up.
> If the specified credential is not set for the systemd-tmpfiles
> service, the line is silently skipped. If "^" and "~" are
> combined Base64 decoding is applied to the credential contents.
>
> The credentials data are pulled by the tmpfiles.d provision.conf[5] if
> the either CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY are
> set in the user environment; the files located in these directories
> belong to root and thus cause tmpfiles.d to end with a Permission
> denied.
>
> gportay@archlinux ~ $ echo $CREDENTIALS_DIRECTORY
> /run/credentials/getty@tty1.service
>
> This fixes the error below attached below by ignoring any credential
> services by unsetting the two credential environment variables
> CREDENTIALS_DIRECTORY and ENCRYPTED_CREDENTIALS_DIRECTORY before running
> tmpfiles.d.
>
> Fixes:
>
> >>> Generating filesystem image rootfs.ext2
> (... TMPDIR= TEMP= TMP= /home/gportay/src/buildroot/output/host/bin/systemd-tmpfiles --create --boot --root=/home/gportay/src/buildroot/output/build/buildroot-fs/ext2/target --exclude-prefix=/dev --exclude-prefix=/proc --exclude-prefix=/run --exclude-prefix=/sys --exclude-prefix=/tmp --exclude-prefix=/mnt -)
> ignored spec: h /var/log/journal/%m - - - - +C
> Failed to read credential 'login.motd': Permission denied
> Failed to read credential 'login.issue': Permission denied
> Failed to read credential 'network.hosts': Permission denied
> Failed to read credential 'ssh.authorized_keys.root': Permission denied
> ignored spec: x /var/tmp/systemd-private-%b-*
> ignored spec: X /var/tmp/systemd-private-%b-*/tmp
> ignored spec: x /var/lib/systemd/coredump/.#core*.%b*
> ignored spec: z /var/log/journal/%m 2755 root systemd-journal - -
> ignored spec: z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
It's not clear if they are harmful error or not?
Is rootfs.ext2 generated and the build succeed?
>
> gportay@archlinux ~ $ systemctl --version
> systemd 256 (256.8-1-arch)
> +PAM +AUDIT -SELINUX -APPARMOR -IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK +XKBCOMMON +UTMP -SYSVINIT +LIBARCHIVE
>
> gportay@archlinux ~ $ echo $CREDENTIALS_DIRECTORY
> /run/credentials/getty@tty1.service
>
> Important: The issue happened on my setup for a while (256.8) and it has
> silently disappeared without saying goodbye (257.2 as of today).
> Therefore, I cannot reproduce it in a true situation as the environment
> CREDENTIALS_DIRECTORY is not set anymore. I have no idea if it was an
> host package misconfiguration, who knows. However, one can fake it using
> the command below:
>
> CREDENTIALS_DIRECTORY=/run/credentials/getty@tty1.service make
Usually you shoud avoid using 'I' in the commit log, it's fine only under the
--- sign below. This information is should be in the commit log since it explain
how to reproduce the issue.
>
> [1]: https://www.freedesktop.org/software/systemd/man/latest/tmpfiles.d.html#Type%20Modifiers
> [2]: https://systemd.io/CREDENTIALS/
> [3]: https://github.com/systemd/systemd/commit/1d77721f30a821464cd715a63b89ef18419de7b0
> [4]: https://github.com/systemd/systemd/commit/e52f6f6358e515f55c26c5aed1eb2dc1fbc8efec
> [5]: https://github.com/systemd/systemd/blob/v256/tmpfiles.d/provision.conf
>
> Signed-off-by: Gaël PORTAY <gael.portay+rtone@gmail.com>
> ---
> Hello,
>
> Despiste the fact the issue has gone, I do think the scripts should
> sanitize the environment before running tmpfiles.d.
>
> Note: I have not found a way to disable the credential with the CLI,
> therefore, I came to the conclusion that unset the variables is the only
> way to fix that issue.
>
> Regards,
> Gaël
> package/skeleton-init-systemd/fakeroot_tmpfiles.sh | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/package/skeleton-init-systemd/fakeroot_tmpfiles.sh b/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
> index 8c28ccfa14..88dd27a006 100755
> --- a/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
> +++ b/package/skeleton-init-systemd/fakeroot_tmpfiles.sh
> @@ -30,6 +30,10 @@
> [ -n "${1-}" -a -d "${1-}"/usr/lib/tmpfiles.d ] ||
> { echo 1>&2 "$0: need ROOTFS argument"; exit 1; }
>
> +# disable credential host services (since v252)
Can you extend this comment to explain that allow to avoid errors during the
image build.
Best regards,
Romain
> +unset CREDENTIALS_DIRECTORY
> +unset ENCRYPTED_CREDENTIALS_DIRECTORY
> +
> ${HOST_SYSTEMD_TMPFILES} --no-pager --cat-config --root="$1" |
> sed -e '/^[[:space:]]*#/d' -e 's,^[[:space:]]*,,' -e '/^$/d' |
> while read -r line; do
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services
2025-02-05 10:30 ` Romain Naour via buildroot
@ 2025-02-09 20:57 ` Gaël PORTAY
0 siblings, 0 replies; 3+ messages in thread
From: Gaël PORTAY @ 2025-02-09 20:57 UTC (permalink / raw)
To: Romain Naour, buildroot
Hello Romain,
On Wed Feb 5, 2025 at 11:30 AM CET, Romain Naour wrote:
> Hello Gaël, All,
>
> Le 04/02/2025 à 10:29, Gaël PORTAY a écrit :
>> TL;DR; This ignores the tmpfiles.d credential services since these lines
>> import credential contents from the host. It intends to shutdown the
>> error attached in the end of the commit message.
>>
>> Note: The issue happens if the host system has credential services (i.e.
>> CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY set in its host
>> environment) and if the target is setup to run systemd on a read-only
>> filesystem:
>>
>> BR2_INIT_SYSTEMD=y
>> BR2_INIT_SYSTEMD_POPULATE_TMPFILES=y
>
> I think it could be reproduced using InitSystemSystemdBaseOverlayfs test when
> the host set CREDENTIALS_DIRECTORY or ENCRYPTED_CREDENTIALS_DIRECTORY.
>
> Maybe we could extend the systemd tests to catch this peculiar use case by
> setting one of theses option in the environment?
>
It is a good case to let me dig and use the automated tests.
>>
>> Fixes:
>>
>> >>> Generating filesystem image rootfs.ext2
>> (... TMPDIR= TEMP= TMP= /home/gportay/src/buildroot/output/host/bin/systemd-tmpfiles --create --boot --root=/home/gportay/src/buildroot/output/build/buildroot-fs/ext2/target --exclude-prefix=/dev --exclude-prefix=/proc --exclude-prefix=/run --exclude-prefix=/sys --exclude-prefix=/tmp --exclude-prefix=/mnt -)
>> ignored spec: h /var/log/journal/%m - - - - +C
>> Failed to read credential 'login.motd': Permission denied
>> Failed to read credential 'login.issue': Permission denied
>> Failed to read credential 'network.hosts': Permission denied
>> Failed to read credential 'ssh.authorized_keys.root': Permission denied
>> ignored spec: x /var/tmp/systemd-private-%b-*
>> ignored spec: X /var/tmp/systemd-private-%b-*/tmp
>> ignored spec: x /var/lib/systemd/coredump/.#core*.%b*
>> ignored spec: z /var/log/journal/%m 2755 root systemd-journal - -
>> ignored spec: z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
>
> It's not clear if they are harmful error or not?
> Is rootfs.ext2 generated and the build succeed?
>
They are! systemd-tmpfiles fails, then the script fails and make is
halted (not continuing the build).
I should have copy/paste the last line saying it (I will do it in v1).
>> Important: The issue happened on my setup for a while (256.8) and it has
>> silently disappeared without saying goodbye (257.2 as of today).
>> Therefore, I cannot reproduce it in a true situation as the environment
>> CREDENTIALS_DIRECTORY is not set anymore. I have no idea if it was an
>> host package misconfiguration, who knows. However, one can fake it using
>> the command below:
>>
>> CREDENTIALS_DIRECTORY=/run/credentials/getty@tty1.service make
>
> Usually you shoud avoid using 'I' in the commit log, it's fine only under the
> --- sign below. This information is should be in the commit log since it explain
> how to reproduce the issue.
>
Usually, I never use I/you/we... in commit messages; this was an
exception because it is an RFC (I have not planned to write something
after the ---, and I did it in the end...).
I do not know how to keep such temporary things in the commits for "WIP"
commits.
So you right, I should have moved it before sending the mail; because
there is high chance I forgot to remove it.
>> +# disable credential host services (since v252)
>
> Can you extend this comment to explain that allow to avoid errors during the
> image build.
>
Okay, will do.
> Best regards,
> Romain
>
Regards,
Gaël
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2025-02-09 20:57 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-04 9:29 [Buildroot] [RFC 1/1] package/skeleton-init-systemd: ignore credential services Gaël PORTAY
2025-02-05 10:30 ` Romain Naour via buildroot
2025-02-09 20:57 ` Gaël PORTAY
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.