Openembedded Core Discussions
From: ChenQi <Qi.Chen@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 9/9] Generate ssh keys at rootfs creation time in case of a read-only rootfs
Date: Mon, 29 Jul 2013 09:55:05 +0800	[thread overview]
Message-ID: <51F5CB79.6080101@windriver.com> (raw)
In-Reply-To: <5dc3be245a9757c51dadd7ce446c5116ce79496d.1374642547.git.Qi.Chen@windriver.com>

Thanks for all the reviews and comments.
I'll drop this patch and send out a version 2 of this patchset.

Best Regards,
Chen Qi

On 07/26/2013 03:39 PM, Qi.Chen@windriver.com wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> To avoid generating ssh keys every time a system with read-only rootfs
> starts, we generate ssh keys at rootfs creation time.
>
> This change only has effect for systems with read-only rootfs.
>
> [YOCTO #4103]
> [YOCTO #4887]
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> ---
>   meta/classes/image.bbclass                         |   15 +++++++++++++++
>   meta/recipes-connectivity/openssh/openssh_6.2p2.bb |   10 +++++++---
>   meta/recipes-core/dropbear/dropbear.inc            |    6 +++++-
>   meta/recipes-core/dropbear/dropbear/init           |   19 ++-----------------
>   4 files changed, 29 insertions(+), 21 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index 3bc57d3..9a0692a 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -263,6 +263,21 @@ read_only_rootfs_hook () {
>   		if [ -x ${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh ]; then
>   			${IMAGE_ROOTFS}/etc/init.d/populate-volatile.sh
>   		fi
> +	        # Generate ssh keys at rootfs time
> +		if [ -d ${IMAGE_ROOTFS}/etc/dropbear ]; then
> +			[ -r ${IMAGE_ROOTFS}/etc/default/dropbear ] && . ${IMAGE_ROOTFS}/etc/default/dropbear
> +			DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +			DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> +			test -n "$DROPBEAR_RSAKEY" || DROPBEAR_RSAKEY=$DROPBEAR_RSAKEY_DEFAULT
> +			test -n "$DROPBEAR_DSSKEY" || DROPBEAR_DSSKEY=$DROPBEAR_DSSKEY_DEFAULT
> +			dropbearkey -t rsa -f ${IMAGE_ROOTFS}$DROPBEAR_RSAKEY
> +			dropbearkey -t dss -f ${IMAGE_ROOTFS}$DROPBEAR_DSSKEY
> +		fi
> +		if [ -d ${IMAGE_ROOTFS}/etc/ssh ]; then
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_rsa_key -N '' -t rsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
> +			ssh-keygen -q -f ${IMAGE_ROOTFS}/etc/ssh/ssh_host_dsa_key -N '' -t dsa
> +		fi
>   	fi
>   }
>   
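Review bot: generating the host keys inside read_only_rootfs_hook bakes one dropbear/openssh key pair into the image under ${IMAGE_ROOTFS}/etc, so every device flashed from that image shares identical host keys; client-side host-key pinning can no longer tell devices apart, and the private keys ship inside every copy of the image rather than staying on the device that uses them. Per-device generation on first boot into a writable location (the /var/lib/dropbear path this series removes from the dropbear init script) keeps the keys unique; if build-time generation is kept at all it should be opt-in and documented as such. Two smaller points in the same hunk: the `# Generate ssh keys at rootfs time` comment is indented with spaces followed by a tab while the surrounding lines use tabs only, and the `dropbearkey`/`ssh-keygen` calls run unconditionally, so a rebuild overwrites any keys already present in ${IMAGE_ROOTFS}; guarding each call with `test -f` on the key file would make the step idempotent.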
> diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> index ab2eefb..40dc4ca 100644
> --- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> +++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
> @@ -9,7 +9,8 @@ LIC_FILES_CHKSUM = "file://LICENCE;md5=e326045657e842541d3f35aada442507"
>   
>   PR = "r0"
>   
> -DEPENDS = "zlib openssl"
> +DEPENDS = "zlib openssl openssh-native"
> +DEPENDS_class-native = "zlib-native openssl-native"
>   DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>   
>   RPROVIDES_${PN}-ssh = "ssh"
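Review bot: `DEPENDS = "zlib openssl openssh-native"` makes the target openssh build depend on its own native variant, but the only consumer of the native `ssh-keygen` is the rootfs hook in image.bbclass, not the openssh target recipe. The dependency belongs on the image's rootfs task, so that the tool is guaranteed to be in the native sysroot whenever the hook runs and so that images not installing openssh do not pull in an extra native build; as written, availability of the tool only follows indirectly from the target package being installed.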
> @@ -41,7 +42,7 @@ INITSCRIPT_PACKAGES = "${PN}-sshd"
>   INITSCRIPT_NAME_${PN}-sshd = "sshd"
>   INITSCRIPT_PARAMS_${PN}-sshd = "defaults 9"
>   
> -PACKAGECONFIG ??= "tcp-wrappers"
> +PACKAGECONFIG_class-target ??= "tcp-wrappers"
>   PACKAGECONFIG[tcp-wrappers] = "--with-tcp-wrappers,,tcp-wrappers"
>   
>   inherit autotools
> @@ -49,6 +50,7 @@ inherit autotools
>   # LFS support:
>   CFLAGS += "-D__FILE_OFFSET_BITS=64"
>   export LD = "${CC}"
> +export LD_class-native = "${CC}"
>   
>   EXTRA_OECONF = "--with-rand-helper=no \
>                   ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
> @@ -74,7 +76,7 @@ do_compile_append () {
>   	install -m 0644 ${WORKDIR}/ssh_config ${S}/
>   }
>   
> -do_install_append () {
> +do_install_append_class-target () {
>   	for i in ${DISTRO_FEATURES};
>   	do
>   		if [ ${i} = "pam" ];  then
> @@ -102,6 +104,7 @@ FILES_${PN}-keygen = "${bindir}/ssh-keygen"
>   
>   RDEPENDS_${PN} += "${PN}-scp ${PN}-ssh ${PN}-sshd ${PN}-keygen"
>   RDEPENDS_${PN}-sshd += "${PN}-keygen"
> +RDEPENDS_${PN}_class-native = ""
>   
>   CONFFILES_${PN}-sshd = "${sysconfdir}/ssh/sshd_config"
>   CONFFILES_${PN}-ssh = "${sysconfdir}/ssh/ssh_config"
> @@ -110,3 +113,4 @@ ALTERNATIVE_PRIORITY = "90"
>   ALTERNATIVE_${PN}-scp = "scp"
>   ALTERNATIVE_${PN}-ssh = "ssh"
>   
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear.inc b/meta/recipes-core/dropbear/dropbear.inc
> index be93d60..381b8aa 100644
> --- a/meta/recipes-core/dropbear/dropbear.inc
> +++ b/meta/recipes-core/dropbear/dropbear.inc
> @@ -9,11 +9,13 @@ INC_PR = "r1"
>   LICENSE = "MIT"
>   LIC_FILES_CHKSUM = "file://LICENSE;md5=3a5b0c2f0d0c49dfde9558ae2036683c"
>   
> -DEPENDS = "zlib"
> +DEPENDS = "zlib dropbear-native"
>   RPROVIDES_${PN} = "ssh sshd"
>   
>   DEPENDS += "${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
>   
> +DEPENDS_class-native = "zlib-native"
> +
>   SRC_URI = "http://matt.ucc.asn.au/dropbear/releases/dropbear-${PV}.tar.bz2 \
>              file://0001-urandom-xauth-changes-to-options.h.patch \
>              file://0002-static_build_fix.patch \
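Review bot: same concern as the openssh change: `DEPENDS = "zlib dropbear-native"` couples the target dropbear build to its native variant although the only user of the native `dropbearkey` is the rootfs hook in image.bbclass, so the native dependency should be declared by the image's rootfs task instead. Note also that `DEPENDS_class-native = "zlib-native"` replaces the whole variable for the native build, so the pam `DEPENDS +=` above it applies to the target only; that is the intended result, but a one-line comment would save the next reader from checking.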
> @@ -88,3 +90,5 @@ pkg_postrm_append_${PN} () {
>           rm ${sysconfdir}/dropbear/dropbear_dss_host_key
>     fi
>   }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-core/dropbear/dropbear/init b/meta/recipes-core/dropbear/dropbear/init
> index e8fed3f..5140b0b 100755
> --- a/meta/recipes-core/dropbear/dropbear/init
> +++ b/meta/recipes-core/dropbear/dropbear/init
> @@ -28,23 +28,8 @@ test "$NO_START" = "0" || exit 0
>   test -x "$DAEMON" || exit 0
>   test ! -h /var/service/dropbear || exit 0
>   
> -readonly_rootfs=0
> -for flag in `awk '{ if ($2 == "/") { split($4,FLAGS,",") } }; END { for (f in FLAGS) print FLAGS[f] }' </proc/mounts`; do
> -  case $flag in
> -   ro)
> -     readonly_rootfs=1
> -     ;;
> -  esac
> -done
> -
> -if [ $readonly_rootfs = "1" ]; then
> -  mkdir -p /var/lib/dropbear
> -  DROPBEAR_RSAKEY_DEFAULT="/var/lib/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/var/lib/dropbear/dropbear_dss_host_key"
> -else
> -  DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> -  DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
> -fi
> +DROPBEAR_RSAKEY_DEFAULT="/etc/dropbear/dropbear_rsa_host_key"
> +DROPBEAR_DSSKEY_DEFAULT="/etc/dropbear/dropbear_dss_host_key"
>   
>   test -z "$DROPBEAR_BANNER" || \
>     DROPBEAR_EXTRA_ARGS="$DROPBEAR_EXTRA_ARGS -b $DROPBEAR_BANNER"
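Review bot: removing the read-only-rootfs detection leaves the init script with no fallback when the key files are absent on a read-only image: the defaults are now fixed to /etc/dropbear, which on such an image is not writable, whereas the removed branch redirected key generation to /var/lib/dropbear. Images built without the new image.bbclass hook, or where the hook skipped because ${IMAGE_ROOTFS}/etc/dropbear did not exist at rootfs time, will therefore point dropbear at keys it can neither find nor create. Keep a fallback for the missing-key case (or at least fail with an explicit message) rather than relying on build-time generation having happened.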


