* [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Vladimir Zapolskiy @ 2015-12-02 4:48 UTC (permalink / raw)
To: openembedded-core
If user specific parameters to opkg are set in local.conf, they are
rewritten in package_ipk.bbclass and ignored, instead append
package_ipk specific arguments to the user defined ones.
The change is needed, if a user has to pass an alternative path to a
temporary directory for opkg, e.g.
OPKG_ARGS = "--tmp-dir=${TOPDIR}/tmp-opkg"
The default /tmp directory may be unusable for do_rootfs task, for
example if there is not enough space or /tmp is mounted with noexec
mount option, then an alternative path allows to complete do_rootfs
and fix the problems like this:
ERROR: Unable to install packages.
...
sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad interpreter: Permission denied
sh: /tmp/opkg-5jPLag/base-files-4hFwQS/preinst: /bin/sh: bad interpreter: Permission denied
sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad interpreter: Permission denied
sh: /tmp/opkg-5jPLag/busybox-syslog-sJmfbw/preinst: /bin/sh: bad interpreter: Permission denied
...
Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
---
meta/classes/package_ipk.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 4dd7a7e..51bee28 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -10,7 +10,7 @@ PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
# Program to be used to build opkg packages
OPKGBUILDCMD ??= "opkg-build"
-OPKG_ARGS = "--force_postinstall --prefer-arch-to-version"
+OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
OPKG_ARGS += "${@['', '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS", True) == "1"]}"
OPKG_ARGS += "${@['', '--add-exclude ' + ' --add-exclude '.join((d.getVar('PACKAGE_EXCLUDE', True) or "").split())][(d.getVar("PACKAGE_EXCLUDE", True) or "") != ""]}"
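Review bot: On the changed `OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"` line, the class now builds on whatever value OPKG_ARGS already holds when it is parsed, and the hunk adds no comment saying that the variable is meant to be pre-set by the user or which options are safe there. A short comment above the line (for example, that local.conf may supply options such as --tmp-dir and the class appends its own after them) would document the new contract. It is also worth stating in the commit message that any OPKG_ARGS value set elsewhere in the configuration, which the old `=` silently discarded, will now reach every opkg invocation that uses this variable.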
--
2.1.4
* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Burton, Ross @ 2015-12-02 9:48 UTC (permalink / raw)
To: Vladimir Zapolskiy; +Cc: OE-core
On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com> wrote:
> sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
> interpreter: Permission denied
>
Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break
opkg. Maybe opkg should be changed to use something in /var for the
scripts?
Ross
* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Alejandro del Castillo @ 2015-12-02 23:16 UTC (permalink / raw)
To: Burton, Ross, Vladimir Zapolskiy; +Cc: OE-core
On 12/02/2015 03:48 AM, Burton, Ross wrote:
>
> On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com> wrote:
>
> sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
> interpreter: Permission denied
>
>
> Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg.
> Maybe opkg should be changed to use something in /var for the scripts?
Could you expand on why it's better to use /var instead of /tmp as the default
sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
understand why that's better (to change opkg, if it makes sense)
--
Cheers,
Alejandro
* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Burton, Ross @ 2015-12-02 23:19 UTC (permalink / raw)
To: Alejandro del Castillo; +Cc: OE-core, Vladimir Zapolskiy
On 2 December 2015 at 23:16, Alejandro del Castillo <alejandro.delcastillo@ni.com> wrote:
> > Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg.
> > Maybe opkg should be changed to use something in /var for the scripts?
>
> Could you expand on why it's better to use /var instead of /tmp as the default
> sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
> understand why that's better (to change opkg, if it makes sense)
Well in this case it's fairly common to mount /tmp as noexec on security
grounds, and to be limited in size (say a small tmpfs), whereas /var
generally has less restrictions.
Ross
* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Alejandro del Castillo @ 2015-12-03 1:03 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core, Vladimir Zapolskiy
On 12/02/2015 05:19 PM, Burton, Ross wrote:
>
> On 2 December 2015 at 23:16, Alejandro del Castillo <alejandro.delcastillo@ni.com> wrote:
>
> > Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg.
> > Maybe opkg should be changed to use something in /var for the scripts?
>
> Could you expand on why it's better to use /var instead of /tmp as the default
> sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
> understand why that's better (to change opkg, if it makes sense)
>
>
> Well in this case it's fairly common to mount /tmp as noexec on security
> grounds, and to be limited in size (say a small tmpfs), whereas /var generally
> has less restrictions.
I see, common attacks rely on being able to execute commands in /tmp. Do you
mind opening an issue for opkg on bugzilla?
--
Cheers,
Alejandro
* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
From: Vladimir Zapolskiy @ 2015-12-03 5:57 UTC (permalink / raw)
To: Burton, Ross; +Cc: OE-core
Hi Ross,
On 02.12.2015 11:48, Burton, Ross wrote:
>
> On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com> wrote:
>
> sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
> interpreter: Permission denied
>
>
> Whilst the patch is fine, this is worrying as noexec /tmp shouldn't
> break opkg. Maybe opkg should be changed to use something in /var for
> the scripts?
>
here IMHO two cases should be reviewed, build host side execution and
opkg on a target.
On a target /var/lib/opkg/$some_dir should be fine as a default
temporary directory, and it might be nice to have a config option in
/etc/opkg/opkg.conf
On a build host side /var/* may have permission restrictions also, so
* there should be a possibility to accept a user defined tmp dir,
* if /tmp is not good enough as a default opkg directory, probably some
subfolder of ${TOPDIR} should fit, either a fixed one or dynamic
somewhere in a working folder of bb recipe, which calls opkg.
Just my two cents.
With best wishes,
Vladimir
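
The thread's failure mode (maintainer scripts unpacked under a noexec /tmp) can be checked before pointing --tmp-dir at a directory. The following is an added example, not part of the original thread or of opkg/OE-core; the function names, the constructed mount table and the /home/build path standing in for ${TOPDIR} are assumptions.

```shell
#!/bin/sh
# Added example: does a candidate opkg --tmp-dir sit on a noexec mount?

# Constructed mount table in /proc/mounts format (not taken from the thread).
SAMPLE_MOUNTS='rootfs / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=65536k 0 0
/dev/sdb1 /home/build ext4 rw,relatime 0 0'

# mount_opts_for PATH < table
# Print the options of the mount that covers PATH: the longest mount point
# that is a whole-component prefix of PATH; a later entry for the same mount
# point wins because it shadows the earlier one. Symlinks are not resolved
# and escaped characters in mount points (\040) are not decoded.
mount_opts_for() {
    awk -v p="$1" '
        BEGIN { best = 0 }
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1) {
                if (length(mp) >= best) { best = length(mp); opts = $4 }
            }
        }
        END { print opts }'
}

# allows_exec PATH [TABLE]
# Return 0 if scripts under PATH can be executed, 1 if the covering mount is
# noexec. TABLE defaults to the live /proc/mounts.
allows_exec() {
    table=${2:-$(cat /proc/mounts)}
    opts=$(printf '%s\n' "$table" | mount_opts_for "$1")
    case ",$opts," in
        *,noexec,*) return 1 ;;
    esac
    return 0
}

# Demo on the constructed table: the failing /tmp path from the error log and
# a hypothetical ${TOPDIR}/tmp-opkg expanded to /home/build/poky/build/tmp-opkg.
for dir in /tmp/opkg-5jPLag /home/build/poky/build/tmp-opkg; do
    if allows_exec "$dir" "$SAMPLE_MOUNTS"; then
        echo "$dir: exec allowed, maintainer scripts can run"
    else
        echo "$dir: noexec mount, preinst/postinst would fail"
    fi
done
```

Whichever directory passes the check should also be writable only by the build user, since opkg executes the scripts it unpacks there.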