* [OE-core][PATCH V4 1/2] rootfs-postcommands.bbclass: fix echo + '\n' in 'no password' banner @ 2025-12-01 5:25 Qi.Chen 2025-12-01 5:25 ` [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding " Qi.Chen 0 siblings, 1 reply; 5+ messages in thread From: Qi.Chen @ 2025-12-01 5:25 UTC (permalink / raw) To: openembedded-core; +Cc: alex From: Chen Qi <Qi.Chen@windriver.com> The '\n' means hostname instead of new line in /etc/issues. bash and dash have different behavior on echo + '\n'. So we avoid this '\n' and use an extra echo "" instead. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- meta/classes-recipe/rootfs-postcommands.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index d3a569ba3e..f4fbc4c57e 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -259,7 +259,8 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked).\n" >> ${IMAGE_ROOTFS}/etc/issue + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue + echo "" >> ${IMAGE_ROOTFS}/etc/issue } # -- 2.43.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner 2025-12-01 5:25 [OE-core][PATCH V4 1/2] rootfs-postcommands.bbclass: fix echo + '\n' in 'no password' banner Qi.Chen @ 2025-12-01 5:25 ` Qi.Chen 2025-12-01 11:05 ` Alexander Kanavin 2025-12-03 19:37 ` Mathieu Dubois-Briand 0 siblings, 2 replies; 5+ messages in thread From: Qi.Chen @ 2025-12-01 5:25 UTC (permalink / raw) To: openembedded-core; +Cc: alex From: Chen Qi <Qi.Chen@windriver.com> It's possible that users use EXTRA_USERS_PARAMS to set password for root or explicitly expire root password. So we need to check these two cases to ensure the 'no password' banner is not misleading. As an example, below are configurations to make an image requiring setting a root password on first boot, but without having to first enter a static initial password: In conf/toolcfg.cfg: OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password In local.conf: INHERIT += "extrausers" EXTRA_USERS_PARAMS += " passwd-expire root;" Checking and adding such a banner is ensured to run as last steps of ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particualr, we want to ensure that the function runs after set_user_group function from extrausers.bbclass. So unlike other commands in this bbclass using the '+=', this function uses ':append'. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- meta/classes-recipe/rootfs-postcommands.bbclass | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index f4fbc4c57e..f57782b87b 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -5,7 +5,7 @@ # # Zap the root password if empty-root-password feature is not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}' # ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' +# Check and add 'no root password' banner. +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using :append. +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" + # Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it # automatic or it can be a path. In the latter, the uid/gid matches the @@ -259,8 +263,12 @@ zap_empty_root_password () { # This function adds a note to the login banner that the system is configured for root logins without password # add_empty_root_password_note () { - echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue - echo "" >> ${IMAGE_ROOTFS}/etc/issue + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue + echo "" >> ${IMAGE_ROOTFS}/etc/issue + fi } # -- 2.43.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner 2025-12-01 5:25 ` [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding " Qi.Chen @ 2025-12-01 11:05 ` Alexander Kanavin 2025-12-03 19:37 ` Mathieu Dubois-Briand 1 sibling, 0 replies; 5+ messages in thread From: Alexander Kanavin @ 2025-12-01 11:05 UTC (permalink / raw) To: Qi.Chen; +Cc: openembedded-core, alex Thanks, I think this is fine. Alex On Mon, 1 Dec 2025 at 06:25, Chen Qi via lists.openembedded.org <Qi.Chen=windriver.com@lists.openembedded.org> wrote: > > From: Chen Qi <Qi.Chen@windriver.com> > > It's possible that users use EXTRA_USERS_PARAMS to set password > for root or explicitly expire root password. So we need to check > these two cases to ensure the 'no password' banner is not misleading. > > As an example, below are configurations to make an image requiring > setting a root password on first boot, but without having to first enter > a static initial password: > > In conf/toolcfg.cfg: > OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password > In local.conf: > INHERIT += "extrausers" > EXTRA_USERS_PARAMS += " passwd-expire root;" > > Checking and adding such a banner is ensured to run as last steps of > ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particualr, > we want to ensure that the function runs after set_user_group function > from extrausers.bbclass. So unlike other commands in this bbclass using > the '+=', this function uses ':append'. > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- > meta/classes-recipe/rootfs-postcommands.bbclass | 14 +++++++++++--- > 1 file changed, 11 insertions(+), 3 deletions(-) > > diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass > index f4fbc4c57e..f57782b87b 100644 > --- a/meta/classes-recipe/rootfs-postcommands.bbclass > +++ b/meta/classes-recipe/rootfs-postcommands.bbclass > @@ -5,7 +5,7 @@ > # > > # Zap the root password if empty-root-password feature is not enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "add_empty_root_password_note", "zap_empty_root_password ",d)}' > +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' > > # Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled > ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' > @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += '${SORT_PASSWD_POSTPROCESS_COMMAND}' > # > ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' > > +# Check and add 'no root password' banner. > +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using :append. > +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" > + > # Resolve the ID as described in the sysusers.d(5) manual: ID can be a numeric > # uid, a couple uid:gid or uid:groupname or it is '-' meaning leaving it > # automatic or it can be a path. In the latter, the uid/gid matches the > @@ -259,8 +263,12 @@ zap_empty_root_password () { > # This function adds a note to the login banner that the system is configured for root logins without password > # > add_empty_root_password_note () { > - echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > - echo "" >> ${IMAGE_ROOTFS}/etc/issue > + rootpw="`grep '^root:' ${IMAGE_ROOTFS}/etc/shadow | cut -d':' -f2`" > + rootpw_lastchanged="`grep "^root:" ${IMAGE_ROOTFS}/etc/shadow | cut -d: -f3`" > + if [ -z "$rootpw" -a "$rootpw_lastchanged" != "0" ]; then > + echo "Type 'root' to login with superuser privileges (no password will be asked)." >> ${IMAGE_ROOTFS}/etc/issue > + echo "" >> ${IMAGE_ROOTFS}/etc/issue > + fi > } > > # > -- > 2.43.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#227114): https://lists.openembedded.org/g/openembedded-core/message/227114 > Mute This Topic: https://lists.openembedded.org/mt/116551793/1686489 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alex.kanavin@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner 2025-12-01 5:25 ` [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding " Qi.Chen 2025-12-01 11:05 ` Alexander Kanavin @ 2025-12-03 19:37 ` Mathieu Dubois-Briand 2025-12-04 3:13 ` Chen, Qi 1 sibling, 1 reply; 5+ messages in thread From: Mathieu Dubois-Briand @ 2025-12-03 19:37 UTC (permalink / raw) To: Qi.Chen, openembedded-core; +Cc: alex On Mon Dec 1, 2025 at 6:25 AM CET, Chen Qi via lists.openembedded.org wrote: > From: Chen Qi <Qi.Chen@windriver.com> > > It's possible that users use EXTRA_USERS_PARAMS to set password > for root or explicitly expire root password. So we need to check > these two cases to ensure the 'no password' banner is not misleading. > > As an example, below are configurations to make an image requiring > setting a root password on first boot, but without having to first enter > a static initial password: > > In conf/toolcfg.cfg: > OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password > In local.conf: > INHERIT += "extrausers" > EXTRA_USERS_PARAMS += " passwd-expire root;" > > Checking and adding such a banner is ensured to run as last steps of > ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particualr, > we want to ensure that the function runs after set_user_group function > from extrausers.bbclass. So unlike other commands in this bbclass using > the '+=', this function uses ':append'. > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- Hi Chen, Thanks for your patch. It looks like this is breaking the containerimage.ContainerImageTests.test_expected_files selftest: 2025-12-03 13:55:47,169 - oe-selftest - INFO - containerimage.ContainerImageTests.test_expected_files (subunit.RemotedTestCase) 2025-12-03 13:55:47,176 - oe-selftest - INFO - ... FAIL ... AssertionError: Lists differ: ['./'[14 chars]/etc/issue', './etc/ld.so.cache', './etc/times[112 chars]ib/'] != ['./'[14 chars]/etc/ld.so.cache', './etc/timestamp', './etc/v[97 chars]ib/'] First differing element 2: './etc/issue' './etc/ld.so.cache' First list contains 1 additional elements. First extra element 12: './var/lib/' ['./', './etc/', - './etc/issue', './etc/ld.so.cache', './etc/timestamp', './etc/version', './run/', './usr/', './usr/bin/', './usr/bin/theapp', './var/', './var/cache/', './var/lib/'] https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/2787 https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/2682 https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/2926 Can you have a look at this? Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 5+ messages in thread
* RE: [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner 2025-12-03 19:37 ` Mathieu Dubois-Briand @ 2025-12-04 3:13 ` Chen, Qi 0 siblings, 0 replies; 5+ messages in thread From: Chen, Qi @ 2025-12-04 3:13 UTC (permalink / raw) To: Mathieu Dubois-Briand, openembedded-core@lists.openembedded.org Cc: alex@linutronix.de Yes, of course. I'll look into it. Regards, Qi -----Original Message----- From: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Sent: Thursday, December 4, 2025 3:37 AM To: Chen, Qi <Qi.Chen@windriver.com>; openembedded-core@lists.openembedded.org Cc: alex@linutronix.de Subject: Re: [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner On Mon Dec 1, 2025 at 6:25 AM CET, Chen Qi via lists.openembedded.org wrote: > From: Chen Qi <Qi.Chen@windriver.com> > > It's possible that users use EXTRA_USERS_PARAMS to set password for > root or explicitly expire root password. So we need to check these two > cases to ensure the 'no password' banner is not misleading. > > As an example, below are configurations to make an image requiring > setting a root password on first boot, but without having to first > enter a static initial password: > > In conf/toolcfg.cfg: > OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password > In local.conf: > INHERIT += "extrausers" > EXTRA_USERS_PARAMS += " passwd-expire root;" > > Checking and adding such a banner is ensured to run as last steps of > ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In > particualr, we want to ensure that the function runs after > set_user_group function from extrausers.bbclass. So unlike other > commands in this bbclass using the '+=', this function uses ':append'. > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- Hi Chen, Thanks for your patch. It looks like this is breaking the containerimage.ContainerImageTests.test_expected_files selftest: 2025-12-03 13:55:47,169 - oe-selftest - INFO - containerimage.ContainerImageTests.test_expected_files (subunit.RemotedTestCase) 2025-12-03 13:55:47,176 - oe-selftest - INFO - ... FAIL ... AssertionError: Lists differ: ['./'[14 chars]/etc/issue', './etc/ld.so.cache', './etc/times[112 chars]ib/'] != ['./'[14 chars]/etc/ld.so.cache', './etc/timestamp', './etc/v[97 chars]ib/'] First differing element 2: './etc/issue' './etc/ld.so.cache' First list contains 1 additional elements. First extra element 12: './var/lib/' ['./', './etc/', - './etc/issue', './etc/ld.so.cache', './etc/timestamp', './etc/version', './run/', './usr/', './usr/bin/', './usr/bin/theapp', './var/', './var/cache/', './var/lib/'] https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/2787 https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/2682 https://autobuilder.yoctoproject.org/valkyrie/#/builders/23/builds/2926 Can you have a look at this? Thanks, Mathieu -- Mathieu Dubois-Briand, Bootlin Embedded Linux and Kernel engineering https://bootlin.com ^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-12-04 3:13 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-12-01 5:25 [OE-core][PATCH V4 1/2] rootfs-postcommands.bbclass: fix echo + '\n' in 'no password' banner Qi.Chen 2025-12-01 5:25 ` [OE-core][PATCH V4 2/2] rootfs-postcommands.bbclass: fix adding " Qi.Chen 2025-12-01 11:05 ` Alexander Kanavin 2025-12-03 19:37 ` Mathieu Dubois-Briand 2025-12-04 3:13 ` Chen, Qi
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.