From: Martin Jansa <martin.jansa@gmail.com>
To: Qi.Chen@windriver.com
Cc: Zhangle.Yang@windriver.com, openembedded-core@lists.openembedded.org
Subject: Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
Date: Fri, 26 Jul 2013 11:28:12 +0200
Message-ID: <20130726092812.GD3280@jama>
In-Reply-To: <5dc3be245a9757c51dadd7ce446c5116ce79496d.1374642547.git.Qi.Chen@windriver.com>
On Fri, Jul 26, 2013 at 03:39:36PM +0800, Qi.Chen@windriver.com wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.
>
> This change only has effect for systems with read-only rootfs.
I'm not sure if having the same keys on all devices installed from the
same image is always desired behavior; IMHO it should be controlled by
another variable, because some people want a read-only rootfs and keys
generated in some other writable partition.
> [YOCTO #4103]
> [YOCTO #4887]
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
> meta/classes/image.bbclass | 15 +++++++++++++++
> meta/recipes-connectivity/openssh/openssh_6.2p2.bb | 10 +++++++---
> meta/recipes-core/dropbear/dropbear.inc | 6 +++++-
> meta/recipes-core/dropbear/dropbear/init | 19 ++-----------------
> 4 files changed, 29 insertions(+), 21 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 3bc57d3..9a0692a 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -263,6 +263,21 @@ read_only_rootfs_hook () {
> if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
> ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
> fi
> + # Generate ssh keys at rootfs time
> + if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> + [ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
> + DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> + DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> + test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> + test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
> + dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
> + dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
> + fi
> + if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> + ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
> + fi
> fi
> }
>
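Review bot: the keys generated in this hunk are baked into the image, so every device flashed from it shares the same host private keys, and those private keys also live in the image artifact on the build host and wherever the image is distributed; make the image-time generation opt-in through a variable and keep first-boot generation into a writable location as the default. Two smaller points in the same hunk: `ssh-keygen -f` on a path that already exists asks whether to overwrite instead of reusing the key, so in a non-interactive image build the call fails or stalls, and each call should be guarded with a `test -e`; and `. ${IMAGE_ROOTFS}/etc/default/dropbear` sources a target file into the build shell, so any variable it sets leaks into the rest of the hook.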
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..40dc4ca 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>
> PR = "r0"
>
> -DEPENDS = "zlib openssl"
> +DEPENDS = "zlib openssl openssh-native"
> +DEPENDS_class-native = "zlib-native openssl-native"
> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> RPROVIDES_${PN}-ssh = "ssh"
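Review bot: `DEPENDS = "zlib openssl openssh-native"` makes every target build of openssh also build a full native openssh just to obtain ssh-keygen, even for images that are not read-only, although the description says the change only affects read-only rootfs; consider attaching the native dependency to the image-time hook or to the read-only image feature instead of the target recipe. The `DEPENDS +=` pam line below does not apply when the `_class-native` override is in effect, which is the intended result for the native build.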
> @@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
> INITSCRIPT_NAME_${PN}-sshd = "sshd"
> INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
>
> -PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG_class-target ??= "tcp-wrappers"
> PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>
> inherit autotools
> @@ -49,6 +50,7 @@ inherit autotools
> # LFS support:
> CFLAGS += "-D__FILE_OFFSET_BITS=64"
> export LD = "${CC}"
> +export LD_class-native = "${CC}"
>
> EXTRA_OECONF = "--with-rand-helper=no \
> ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> @@ -74,7 +76,7 @@ do_compile_append () {
> install -m 0644 ${WORKDIR}/ssh_config ${S}/
> }
>
> -do_install_append () {
> +do_install_append_class-target () {
> for i in ${DISTRO_FEATURES};
> do
> if [ ${i} = "pam" ]; then
> @@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>
> RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
> RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +RDEPENDS_${PN}_class-native = ""
>
> CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
> CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> @@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
> ALTERNATIVE_${PN}-scp = "scp"
> ALTERNATIVE_${PN}-ssh = "ssh"
>
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index be93d60..381b8aa 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -9,11 +9,13 @@ INC_PR = "r1"
> LICENSE = "MIT"
> LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
>
> -DEPENDS = "zlib"
> +DEPENDS = "zlib dropbear-native"
> RPROVIDES_${PN} = "ssh sshd"
>
> DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>
> +DEPENDS_class-native = "zlib-native"
> +
> SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
> file://0001-urandom-xauth-changes-to-options.h.patch \
> file://0002-static_build_fix.patch \
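Review bot: same concern as in the openssh recipe: `DEPENDS = "zlib dropbear-native"` turns dropbear-native into a hard dependency of the target dropbear for every build, not only for read-only images; if the native dropbearkey is only consumed by the image-time hook, put the dependency on that hook or on the image feature rather than on the target recipe.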
> @@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
> rm ${sysconfdir}/dropbear/dropbear_dss_host_key
> fi
> }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
> index e8fed3f..5140b0b 100755
> --- a/meta/recipes-core/dropbear/dropbear/init
> +++ b/meta/recipes-core/dropbear/dropbear/init
> @@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
> test -x "$DAEMON" || exit 0
> test ! -h /var/service/dropbear || exit 0
>
> -readonly_rootfs=0
> -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
> - case $flag in
> - ro)
> - readonly_rootfs=1
> - ;;
> - esac
> -done
> -
> -if [ $readonly_rootfs = "1" ]; then
> - mkdir -p /var/lib/dropbear
> - DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
> - DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
> -else
> - DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> - DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> -fi
> +DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
>
> test -z "$DROPBEAR_BANNER" || \
> DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
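Review bot: removing the read-only check drops the runtime fallback to /var/lib/dropbear, so DROPBEAR_RSAKEY_DEFAULT and DROPBEAR_DSSKEY_DEFAULT now always point into /etc/dropbear, which on a read-only rootfs cannot receive keys at boot; a device that boots such an image without keys pre-generated at image time, or that needs per-device keys, has no working fallback. Keep the writable-partition path as the default and make the image-time keys the optional case.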
> --
> 1.7.9.5
>
--
Martin 'JaMa' Jansa jabber: Martin.Jansa@gmail.com
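An added example, not code from the patch or the thread, sketching the first-boot behaviour the reply asks to keep: an override variable plus read-only detection decide where host keys live, and generation is skipped when a key already exists. DROPBEAR_KEYDIR (the override) and DROPBEARKEY (path to the dropbearkey binary) are assumed names that do not appear in the patch.

```sh
#!/bin/sh
# Added example, not code from the patch: choose a host key directory at boot
# and generate keys only when missing. DROPBEAR_KEYDIR (override) and
# DROPBEARKEY (path to dropbearkey, default "dropbearkey") are assumed names.

# rootfs_is_readonly MOUNTS_TEXT: succeeds when the last entry for "/" in the
# given /proc/mounts content carries the "ro" flag (later mounts shadow earlier).
rootfs_is_readonly() {
    printf '%s\n' "$1" | awk '
        $2 == "/" { found = 0; n = split($4, f, ",")
                    for (i = 1; i <= n; i++) if (f[i] == "ro") found = 1 }
        END { exit !found }'
}

# hostkey_dir MOUNTS_TEXT [OVERRIDE]: an explicit override (e.g. DROPBEAR_KEYDIR
# from /etc/default/dropbear) wins; otherwise a read-only / sends keys to a
# writable partition so each device keeps its own, and rw systems use /etc.
hostkey_dir() {
    if [ -n "$2" ]; then
        printf '%s\n' "$2"
    elif rootfs_is_readonly "$1"; then
        printf '%s\n' /var/lib/dropbear
    else
        printf '%s\n' /etc/dropbear
    fi
}

# ensure_hostkey FILE TYPE: leave an existing (possibly image-seeded) key alone,
# otherwise create its directory and generate it with dropbearkey.
ensure_hostkey() {
    [ -s "$1" ] && return 0
    mkdir -p "$(dirname "$1")" || return 1
    ${DROPBEARKEY:-dropbearkey} -t "$2" -f "$1"
}

# Typical use from an init script (only runs when this file is executed directly).
if [ "${0##*/}" = "dropbear-keys.sh" ]; then
    dir=$(hostkey_dir "$(cat /proc/mounts)" "$DROPBEAR_KEYDIR")
    ensure_hostkey "$dir/dropbear_rsa_host_key" rsa
    ensure_hostkey "$dir/dropbear_dss_host_key" dss
fi
```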