* [Buildroot] [PATCH 1/2] package/skeleton-init-systemd: copy over etc-factory content
From: James Knight @ 2023-05-05 4:30 UTC
To: buildroot; +Cc: James Knight
The systemd package will prepare the folder `/usr/share/factory/etc/`,
which holds a series of default configuration files for a runtime
state [1]. For example, the etc-factory repository holds the default
template for `/etc/pam.d/system-auth` which is required in a default
environment configured to use systemd with SELinux. Without this file
prepared, login attempts will fail with the message:
... buildroot login[242]: PAM _pam_load_conf_file: unable to open config for system-auth
...
To avoid this, when preparing the initial skeleton structure for systemd
environments, copy over fallback configurations defined in etc-factory
into the target's `etc` folder. If a file is already prepared at this
state, these template files will be ignored.
[1]: https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
Signed-off-by: James Knight <james.d.knight@live.com>
---
package/skeleton-init-systemd/skeleton-init-systemd.mk | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/package/skeleton-init-systemd/skeleton-init-systemd.mk b/package/skeleton-init-systemd/skeleton-init-systemd.mk
index fb15552f99eafcc90bc5fa9dfcee3ad465492b81..4076821c0c0429cf90681f4b16be114c44bde282 100644
--- a/package/skeleton-init-systemd/skeleton-init-systemd.mk
+++ b/package/skeleton-init-systemd/skeleton-init-systemd.mk
@@ -68,6 +68,13 @@ SKELETON_INIT_SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SKELETON_INIT_SYSTEMD_CREATE_TMPFI
endif # BR2_INIT_SYSTEMD_POPULATE_TMPFILES
define SKELETON_INIT_SYSTEMD_INSTALL_TARGET_CMDS
+ if [ -d $(TARGET_DIR)/usr/share/factory/etc ]; then \
+ rsync -av --ignore-existing --remove-source-files \
+ $(TARGET_DIR)/usr/share/factory/etc/ $(TARGET_DIR)/etc/; \
+ rm -rf $(TARGET_DIR)/usr/share/factory/etc/; \
+ rmdir --ignore-fail-on-non-empty $(TARGET_DIR)/usr/share/factory; \
+ fi
+
mkdir -p $(TARGET_DIR)/home
mkdir -p $(TARGET_DIR)/srv
mkdir -p $(TARGET_DIR)/var
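Review bot: The `rm -rf $(TARGET_DIR)/usr/share/factory/etc/` that follows the rsync discards every factory file that `--ignore-existing` skipped and leaves the target with no factory copy of `/etc` at all, so nothing at runtime can restore a default from it. Consider copying without `--remove-source-files` and dropping the `rm -rf`/`rmdir` pair, so the templates stay in `/usr/share/factory/etc`. If removal is intended, `--remove-source-files` is redundant next to the `rm -rf`, and the commit message should say why the factory tree is deleted.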
--
2.40.1.windows.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH 1/2] package/skeleton-init-systemd: copy over etc-factory content
From: Yann E. MORIN @ 2023-10-01 10:38 UTC
To: James Knight; +Cc: buildroot
James, All,
On 2023-05-05 00:30 -0400, James Knight spake thusly:
> The systemd package will prepare the folder `/usr/share/factory/etc/`,
> which holds a series of default configuration files for a runtime
> state [1]. For example, the etc-factory repository holds the default
> template for `/etc/pam.d/system-auth` which is required in a default
> environment configured to use systemd with SELinux. Without this file
> prepared, login attempts will fail with the message:
>
> ... buildroot login[242]: PAM _pam_load_conf_file: unable to open config for system-auth
> ...
>
> To avoid this, when preparing the initial skeleton structure for systemd
> environments, copy over fallback configurations defined in etc-factory
> into the target's `etc` folder. If a file is already prepared at this
> state, these template files will be ignored.
Why is that not listed in the systemd tmpfiles, so that it is installed
when running systemd-tmpfiles, either at runtime by systemd on a r/w
filesystem, or at buildtime with BR2_INIT_SYSTEMD_POPULATE_TMPFILES ?
Also, none of our runtime tests for systemd exhibits this login issue:
support/testing/tests/init/test_systemd.py
support/testing/tests/init/test_systemd_selinux.py
Could you try to add a bit more explanation and context, please?
Regards,
Yann E. MORIN.
> [1]: https://www.freedesktop.org/software/systemd/man/file-hierarchy.html
>
> Signed-off-by: James Knight <james.d.knight@live.com>
> ---
> package/skeleton-init-systemd/skeleton-init-systemd.mk | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/package/skeleton-init-systemd/skeleton-init-systemd.mk b/package/skeleton-init-systemd/skeleton-init-systemd.mk
> index fb15552f99eafcc90bc5fa9dfcee3ad465492b81..4076821c0c0429cf90681f4b16be114c44bde282 100644
> --- a/package/skeleton-init-systemd/skeleton-init-systemd.mk
> +++ b/package/skeleton-init-systemd/skeleton-init-systemd.mk
> @@ -68,6 +68,13 @@ SKELETON_INIT_SYSTEMD_ROOTFS_PRE_CMD_HOOKS += SKELETON_INIT_SYSTEMD_CREATE_TMPFI
> endif # BR2_INIT_SYSTEMD_POPULATE_TMPFILES
>
> define SKELETON_INIT_SYSTEMD_INSTALL_TARGET_CMDS
> + if [ -d $(TARGET_DIR)/usr/share/factory/etc ]; then \
> + rsync -av --ignore-existing --remove-source-files \
> + $(TARGET_DIR)/usr/share/factory/etc/ $(TARGET_DIR)/etc/; \
> + rm -rf $(TARGET_DIR)/usr/share/factory/etc/; \
> + rmdir --ignore-fail-on-non-empty $(TARGET_DIR)/usr/share/factory; \
> + fi
> +
> mkdir -p $(TARGET_DIR)/home
> mkdir -p $(TARGET_DIR)/srv
> mkdir -p $(TARGET_DIR)/var
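Review bot: The `[ -d $(TARGET_DIR)/usr/share/factory/etc ]` guard makes the whole block a silent no-op when the directory is not there yet, and per the commit message it is the systemd package that creates it, so the result depends on systemd having been installed into the target before these skeleton install commands run. Either document that ordering in a comment above the `if`, or move the copy to a step that is known to run after systemd is installed. A comment should also state that the copied files (for example `pam.d/system-auth`) are stock templates that a board's own `/etc` files override.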
> --
> 2.40.1.windows.1
>
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
* Re: [Buildroot] [PATCH 1/2] package/skeleton-init-systemd: copy over etc-factory content
From: James Knight @ 2024-06-19 15:12 UTC
To: Yann E. MORIN; +Cc: James Knight, buildroot
Yann,
On Sun, Oct 1, 2023 at 6:38 AM Yann E. MORIN <yann.morin.1998@free.fr> wrote:
> Why is that not listed in the systemd tmpfiles, so that it is installed
> when running systemd-tmpfiles, either at runtime by systemd on a r/w
> filesystem, or at buildtime with BR2_INIT_SYSTEMD_POPULATE_TMPFILES ?
Sorry, I am not too knowledgeable on the concepts of systemd tmpfiles
and tmpfiles pre-seed concepts (just recently stumbled upon a commit
[1] which provides some help information to learn more).
The proposed change was just me observing that the image I built
needed `/etc/pam.d/system-auth` to login. Noticed the stock file was
stored in this factory file and assumed it should have been copied at
build time (somewhat following what the catalog-db logic was doing).
> Also, none of our runtime tests for systemd exhibits this login issue:
> ...
> Could you try to add a bit more explanation and context, please?
The login issue appears to happen in a board configuration that is
using systemd, linux-pam and shadow packages installed (not
SELinux-specific). Another user has reported this scenario [2].
From what I can tell, the shadow package adds a PAM configuration
which requires `system-auth` [3] and leaves the responsibility of the
system to define this. systemd provides a stock configuration and also
notes that it should be used as a template only and tailored for the
specific environment. For my board configuration, I will most likely
be adding a custom version in a board-specific skeleton when I plan to
focus on authentication-related features/issues. However, for the
initial development of a board, I do not mind using the stock
template. I assumed having this file by default would help
initial board configurations avoid login issues.
[1]: https://lore.kernel.org/buildroot/30918_1666122199_634F01D7_30918_364_1_3fe68afdbb79505161ac76e31e6054dc44dd340d.1666122184.git.yann.morin@orange.com/
[2]: https://lore.kernel.org/buildroot/20221224171920.11256-1-raphael.pavlidis@gmail.com/T/
[3]: https://github.com/shadow-maint/shadow/blob/cde08e422d8c179d4ba622da2290c31ec645c611/etc/pam.d/login#L3
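
The login failure discussed in this thread comes from a PAM service file that references `system-auth` when no such file is installed. As an added example (not part of the thread and not Buildroot code), this shell function scans a root filesystem tree for such dangling `include`/`substack` references; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Buildroot code. List PAM service files in a target
# rootfs whose include/substack lines name a file that is not installed.

# find_dangling_pam_includes ROOTFS
# Prints "service: missing-file" per unresolved reference; returns 1 if any.
find_dangling_pam_includes() {
    rootfs="$1"
    pam_dir="$rootfs/etc/pam.d"
    status=0
    [ -d "$pam_dir" ] || return 0
    for svc in "$pam_dir"/*; do
        [ -f "$svc" ] || continue
        # Line format: type control module [args]. With control "include"
        # or "substack" the third field names another PAM file.
        # Debian-style "@include name" lines are handled as well.
        refs=$(awk '
            /^[ \t]*#/ { next }
            $1 == "@include" { print $2; next }
            $2 == "include" || $2 == "substack" { print $3 }
        ' "$svc" | sort -u)
        for ref in $refs; do
            case "$ref" in
                /*) path="$rootfs$ref" ;;    # absolute, taken inside rootfs
                *)  path="$pam_dir/$ref" ;;
            esac
            # -L keeps symlinks that only resolve on the target from
            # being reported as missing.
            if [ ! -e "$path" ] && [ ! -L "$path" ]; then
                echo "$(basename "$svc"): $ref"
                status=1
            fi
        done
    done
    return "$status"
}

# Constructed sample tree: a login service that pulls in system-auth,
# with no system-auth file present (the situation described above).
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d"
    printf '%s\n' '# constructed sample' \
        'auth     include  system-auth' \
        'account  include  system-auth' \
        '-session optional pam_systemd.so' > "$d/etc/pam.d/login"
    printf '%s\n' 'auth required pam_deny.so' > "$d/etc/pam.d/other"
    echo "$d"
}
```

In a Buildroot setup this could be called from a post-build script with the target directory as its argument, failing the build when it returns non-zero.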