Openembedded Core Discussions
* [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
@ 2015-12-02  4:48 Vladimir Zapolskiy
  2015-12-02  9:48 ` Burton, Ross
  0 siblings, 1 reply; 6+ messages in thread
From: Vladimir Zapolskiy @ 2015-12-02  4:48 UTC (permalink / raw)
  To: openembedded-core

If user-specific parameters to opkg are set in local.conf, they are
rewritten in package_ipk.bbclass and ignored; instead, append
package_ipk-specific arguments to the user-defined ones.

The change is needed if a user has to pass an alternative path to a
temporary directory for opkg, e.g.

  OPKG_ARGS = "--tmp-dir=${TOPDIR}/tmp-opkg"

The default /tmp directory may be unusable for the do_rootfs task, for
example if there is not enough space or /tmp is mounted with the noexec
mount option; an alternative path then allows do_rootfs to complete
and fixes problems like this:

  ERROR: Unable to install packages.
  ...
  sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad interpreter: Permission denied
  sh: /tmp/opkg-5jPLag/base-files-4hFwQS/preinst: /bin/sh: bad interpreter: Permission denied
  sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad interpreter: Permission denied
  sh: /tmp/opkg-5jPLag/busybox-syslog-sJmfbw/preinst: /bin/sh: bad interpreter: Permission denied
  ...

Signed-off-by: Vladimir Zapolskiy <vz@mleia.com>
---
 meta/classes/package_ipk.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/package_ipk.bbclass b/meta/classes/package_ipk.bbclass
index 4dd7a7e..51bee28 100644
--- a/meta/classes/package_ipk.bbclass
+++ b/meta/classes/package_ipk.bbclass
@@ -10,7 +10,7 @@ PKGWRITEDIRIPK = "${WORKDIR}/deploy-ipks"
 # Program to be used to build opkg packages
 OPKGBUILDCMD ??= "opkg-build"
 
-OPKG_ARGS = "--force_postinstall --prefer-arch-to-version"
+OPKG_ARGS += "--force_postinstall --prefer-arch-to-version"
 OPKG_ARGS += "${@['', '--no-install-recommends'][d.getVar("NO_RECOMMENDATIONS", True) == "1"]}"
 OPKG_ARGS += "${@['', '--add-exclude ' + ' --add-exclude '.join((d.getVar('PACKAGE_EXCLUDE', True) or "").split())][(d.getVar("PACKAGE_EXCLUDE", True) or "") != ""]}"
 
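Review bot: the `+=` on the `--force_postinstall` line keeps a user value only when it was assigned before this class is parsed (as local.conf is), and nothing in the file says OPKG_ARGS is now a user-facing variable. Add a short comment above the line naming local.conf as the intended place to preset it, and note there that a plain `OPKG_ARGS = ...` evaluated after the class still discards these defaults. Since the use case in the commit message redirects the directory from which opkg runs the preinst scripts, the comment could also say that the `--tmp-dir` target should be a build-private directory.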
-- 
2.1.4




* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
  2015-12-02  4:48 [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf Vladimir Zapolskiy
@ 2015-12-02  9:48 ` Burton, Ross
  2015-12-02 23:16   ` Alejandro del Castillo
  2015-12-03  5:57   ` Vladimir Zapolskiy
  0 siblings, 2 replies; 6+ messages in thread
From: Burton, Ross @ 2015-12-02  9:48 UTC (permalink / raw)
  To: Vladimir Zapolskiy; +Cc: OE-core


On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com> wrote:

>   sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
> interpreter: Permission denied
>

Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break
opkg.  Maybe opkg should be changed to use something in /var for the
scripts?

Ross


* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
  2015-12-02  9:48 ` Burton, Ross
@ 2015-12-02 23:16   ` Alejandro del Castillo
  2015-12-02 23:19     ` Burton, Ross
  2015-12-03  5:57   ` Vladimir Zapolskiy
  1 sibling, 1 reply; 6+ messages in thread
From: Alejandro del Castillo @ 2015-12-02 23:16 UTC (permalink / raw)
  To: Burton, Ross, Vladimir Zapolskiy; +Cc: OE-core



On 12/02/2015 03:48 AM, Burton, Ross wrote:
> 
> On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com
> <mailto:vz@mleia.com>> wrote:
> 
>       sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
>     interpreter: Permission denied
> 
> 
> Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg. 
> Maybe opkg should be changed to use something in /var for the scripts?

Could you expand on why it's better to use /var instead of /tmp as the default
sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
understand why that's better (to change opkg, if it makes sense)

-- 
Cheers,

Alejandro



* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
  2015-12-02 23:16   ` Alejandro del Castillo
@ 2015-12-02 23:19     ` Burton, Ross
  2015-12-03  1:03       ` Alejandro del Castillo
  0 siblings, 1 reply; 6+ messages in thread
From: Burton, Ross @ 2015-12-02 23:19 UTC (permalink / raw)
  To: Alejandro del Castillo; +Cc: OE-core, Vladimir Zapolskiy


On 2 December 2015 at 23:16, Alejandro del Castillo <
alejandro.delcastillo@ni.com> wrote:

> > Whilst the patch is fine, this is worrying as noexec /tmp shouldn't
> break opkg.
> > Maybe opkg should be changed to use something in /var for the scripts?
>
> Could you expand on why it's better to use /var instead of /tmp as the
> default
> sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
> understand why that's better (to change opkg, if it makes sense)


Well in this case it's fairly common to mount /tmp as noexec on security
grounds, and to be limited in size (say a small tmpfs), whereas /var
generally has less restrictions.

Ross


* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
  2015-12-02 23:19     ` Burton, Ross
@ 2015-12-03  1:03       ` Alejandro del Castillo
  0 siblings, 0 replies; 6+ messages in thread
From: Alejandro del Castillo @ 2015-12-03  1:03 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core, Vladimir Zapolskiy



On 12/02/2015 05:19 PM, Burton, Ross wrote:
> 
> On 2 December 2015 at 23:16, Alejandro del Castillo
> <alejandro.delcastillo@ni.com <mailto:alejandro.delcastillo@ni.com>> wrote:
> 
>     > Whilst the patch is fine, this is worrying as noexec /tmp shouldn't break opkg.
>     > Maybe opkg should be changed to use something in /var for the scripts?
> 
>     Could you expand on why it's better to use /var instead of /tmp as the default
>     sandbox location for opkg? I believe dpkg uses /var/lib/ and would like to
>     understand why that's better (to change opkg, if it makes sense)
> 
> 
> Well in this case it's fairly common to mount /tmp as noexec on security
> grounds, and to be limited in size (say a small tmpfs), whereas /var generally
> has less restrictions.

I see, common attacks rely on being able to execute commands in /tmp. Do you
mind opening an issue for opkg on bugzilla?

-- 
Cheers,

Alejandro



* Re: [PATCH] package_ipk: allow to specify OPKG_ARGS in local.conf
  2015-12-02  9:48 ` Burton, Ross
  2015-12-02 23:16   ` Alejandro del Castillo
@ 2015-12-03  5:57   ` Vladimir Zapolskiy
  1 sibling, 0 replies; 6+ messages in thread
From: Vladimir Zapolskiy @ 2015-12-03  5:57 UTC (permalink / raw)
  To: Burton, Ross; +Cc: OE-core

Hi Ross,

On 02.12.2015 11:48, Burton, Ross wrote:
> 
> On 2 December 2015 at 04:48, Vladimir Zapolskiy <vz@mleia.com
> <mailto:vz@mleia.com>> wrote:
> 
>       sh: /tmp/opkg-5jPLag/run-postinsts-UsUtaI/preinst: /bin/sh: bad
>     interpreter: Permission denied
> 
> 
> Whilst the patch is fine, this is worrying as noexec /tmp shouldn't
> break opkg.  Maybe opkg should be changed to use something in /var for
> the scripts?
> 

Here, IMHO, two cases should be reviewed: build host side execution and
opkg on a target.

On a target, /var/lib/opkg/$some_dir should be fine as a default
temporary directory, and it might be nice to have a config option in
/etc/opkg/opkg.conf.

On the build host side, /var/* may also have permission restrictions, so
* there should be a possibility to accept a user-defined tmp dir,
* if /tmp is not good enough as a default opkg directory, probably some
subfolder of ${TOPDIR} should fit, either a fixed one or a dynamic one
somewhere in the working folder of the bb recipe which calls opkg.

Just my two cents.

With best wishes,
Vladimir
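
The failure discussed in this thread, a noexec /tmp stopping opkg's maintainer scripts, can be caught before do_rootfs runs by checking the mount options of each candidate temporary directory. The sketch below is an added example, not code from the thread or from OE-core; the function names, the sample mount table and the candidate paths are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mounts format (not taken from the thread).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,size=65536k 0 0
/dev/sda2 /home ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,relatime 0 0'

# mount_opts PATH [MOUNTS]: print the options of the mount that holds PATH,
# i.e. the longest mount point that is a path prefix of PATH. Without
# MOUNTS the live table is read. Mount points containing escaped
# characters (\040 for a space) are not handled in this sketch.
mount_opts() {
    path=$1
    printf '%s\n' "${2:-$(cat /proc/self/mounts)}" |
    awk -v p="$path" '
        { mp = $2
          if (mp == "/" || p == mp || index(p, mp "/") == 1) {
              # ">=" so that a later mount stacked on the same point wins
              if (length(mp) >= best) { best = length(mp); opts = $4 }
          } }
        END { print opts }'
}

# is_noexec PATH [MOUNTS]: succeed if PATH lives on a noexec mount.
is_noexec() {
    case ",$(mount_opts "$@")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# pick_opkg_tmpdir MOUNTS DIR...: print the first candidate directory that
# is not on a noexec mount; fail if every candidate is unusable.
pick_opkg_tmpdir() {
    mounts=$1; shift
    for dir in "$@"; do
        if ! is_noexec "$dir" "$mounts"; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# /tmp is rejected (noexec); the build-private directory is chosen instead.
tmpdir=$(pick_opkg_tmpdir "$SAMPLE_MOUNTS" /tmp /home/build/poky/build/tmp-opkg) &&
    echo "OPKG_ARGS = \"--tmp-dir=$tmpdir\""
```

The mount table is only a pre-check: it leaves the noexec hardening on /tmp in place and steers opkg to a directory under the build tree, as suggested in the message above.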

