Skip to content
This repository has been archived by the owner on Jan 6, 2023. It is now read-only.

Commit

Permalink
Merge pull request #246 from pohly/static-ids
Browse files Browse the repository at this point in the history
ostro: enable static user and group IDs
  • Loading branch information
okartau authored Jul 28, 2016
2 parents 34d0681 + 2037f1f commit 0cd7136
Show file tree
Hide file tree
Showing 4 changed files with 135 additions and 0 deletions.
44 changes: 44 additions & 0 deletions meta-ostro/classes/systemd-sysusers.bbclass
Original file line number Diff line number Diff line change
@@ -1,5 +1,35 @@
inherit useradd_base

# Generates shell code for systemd_sysusers_create() which looks up
# $name in the gid or uid tables to determine a new value for $id.
# Very simplistic, better solution is expected to come from OE-core
# (see below).
# Example output:
# case $name in foo) id=10;; bar) id=20;; *) bbfatal "...";; esac
def systemd_sysusers_lookup_staticid(tables_variable, d):
if d.getVar('USERADDEXTENSION', True) != 'useradd-staticids':
return ''
result = [ 'case $name in' ]
bbpath = d.getVar('BBPATH', True)
tables = d.getVar(tables_variable, True)
for conf_file in tables.split():
path = bb.utils.which(bbpath, conf_file)
with open(path) as f:
for line in f:
if not line.startswith('#'):
columns = line.strip().split(':')
if len(columns) >= 3:
# Same format for passwd and groups. Only these two
# entries are supported for systemd sysusers, the
# rest is ignored.
name = columns[0]
id = columns[2]
result.append('%s) id=%s;;' % (name, id))
if d.getVar('USERADD_ERROR_DYNAMIC', True) in ('1', 'error'):
result.append('*) bbfatal "systemd sysuser $name of type $type in $conf has no static ID. Search for ' + tables_variable + ' in ostro.conf for further information.";;')
result.append('esac')
return ' '.join(result)

systemd_sysusers_create () {
set -x
opts="--system --root ${IMAGE_ROOTFS}"
Expand All @@ -10,6 +40,10 @@ systemd_sysusers_create () {
g)
if [ "$id" = "-" ]; then
gid=""
${@systemd_sysusers_lookup_staticid('USERADD_GID_TABLES', d)}
if [ "$id" != "-" ]; then
gid="--gid $id"
fi
else
gid="--gid $id"
fi
Expand All @@ -18,6 +52,10 @@ systemd_sysusers_create () {
u)
if [ "$id" = "-" ]; then
uid=""
${@systemd_sysusers_lookup_staticid('USERADD_UID_TABLES', d)}
if [ "$id" != "-" ]; then
uid="--uid $id"
fi
else
uid="--uid $id"
fi
Expand All @@ -37,3 +75,9 @@ systemd_sysusers_create () {
}

ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd_sysusers_create;', '', d)}"

# The code above was written before some similar code was made
# available in OE-core. However, that code is still not suitable
# (https://bugzilla.yoctoproject.org/show_bug.cgi?id=9789) and thus we
# have to use our own version.
ROOTFS_POSTPROCESS_COMMAND_remove = "systemd_create_users"
34 changes: 34 additions & 0 deletions meta-ostro/conf/distro/include/ostro-group
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
adm:x:990:
appfwtest-commonapp:x:1004:
audio:x:986:
cdrom:x:985:
dbus:1501
dbus-x11:1500
dialout:x:984:
disk:x:983:
evil-bad-groups:x:1003:
foodine-pythontest:x:1002:
input:x:982:
iodine-nodetest:x:1001:
kmem:x:988:
lock:x:997:
lp:x:981:
messagebus:x:998:
netdev:x:999:
nobody:x:65534:
nogroup:x:65533:
restful:x:991:
rfkill:x:50:
root:x:0:
sshd:x:992:
systemd-bus-proxy:x:993:
systemd-journal:x:996:
systemd-network:x:994:
systemd-timesync:x:995:
tape:x:980:
tty:x:5:
users:x:978:
utmp:x:987:
video:x:979:
wheel:x:989:
yoyodine-nativetest:x:1000:
13 changes: 13 additions & 0 deletions meta-ostro/conf/distro/include/ostro-passwd
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
appfwtest-commonapp:x:1004:1004::/home/appfwtest-commonapp:/sbin/nologin
evil-bad-groups:x:1003:1003::/home/evil-bad-groups:/sbin/nologin
foodine-pythontest:x:1002:1002::/home/foodine-pythontest:/sbin/nologin
iodine-nodetest:x:1001:1001::/home/iodine-nodetest:/sbin/nologin
messagebus:x:998:998::/var/lib/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
restful:x:991:991::/var/lib/empty:/bin/false
root:x:0:0:root:/home/root:/bin/sh
sshd:x:992:992::/var/run/sshd:/bin/false
systemd-bus-proxy:x:993:993::/:/bin/nologin
systemd-network:x:994:994::/:/bin/nologin
systemd-timesync:x:995:995::/:/bin/nologin
yoyodine-nativetest:x:1000:1000::/home/yoyodine-nativetest:/sbin/nologin
44 changes: 44 additions & 0 deletions meta-ostro/conf/distro/ostro.conf
Original file line number Diff line number Diff line change
Expand Up @@ -164,6 +164,50 @@ ERROR_QA_append = " ${WARN_TO_ERROR_QA}"
# Add some Ostro OS specific checks in addition to those provided by sanity.bbclass.
INHERIT += "ostro-sanity"

# The swupd update mechanism currently does not cope with user or
# group IDs that change between builds
# (https://github.com/clearlinux/swupd-client/issues/101). Even if it
# did, changing IDs would make the update more complicated (larger
# delta, daemons need to be restarted, etc.), so it is better to
# ensure that IDs are static.
#
# Ostro OS uses the static uid and gid mechanism from OE-core for that
# (http://www.yoctoproject.org/docs/latest/mega-manual/mega-manual.html#ref-classes-useradd),
# with custom support for adding systemd sysusers in Ostro's
# systemd-sysusers.bbclass. The OE-core mechanism for that currently
# lacks support for static IDs and thus cannot be used yet
# (https://bugzilla.yoctoproject.org/show_bug.cgi?id=9789).
#
# Dynamically assigned IDs are detected and lead to an error during
# the build. For example, the dbus recipe creates a "messagebus"
# group. Not defining that group causes an error when parsing the
# recipe and makes it unusable, leading to the following errors
# during "bitbake dbus":
# ERROR: Nothing PROVIDES 'dbus'
# ERROR: dbus was skipped: Function failed: dbus - dbus: username messagebus does not have a static ID defined.
#
# When building images, the errors shows up as missing components
# which are required for the build, as in "bitbake ostro-image-noswupd":
# ERROR: Nothing RPROVIDES 'udev' (but /work/ostro-os/meta/recipes-core/packagegroups/packagegroup-core-boot.bb, /work/ostro-os/meta/recipes-core/initrdscripts/initramfs-framework_1.0.bb RDEPENDS on or otherwise requires it)
# ERROR: Required build target 'ostro-image-noswupd' has no buildable providers.
#
# The advantage of this mechanism is the decentralized assignment of
# IDs without modifying the OS or recipes.
#
# Developers who need to add new entries should add their own mapping
# file to USERADD_UID_TABLES and/or USERADD_GID_TABLES, either in a
# derived distro config or in their local.conf. Ostro OS reserves
# the value range < 2000.
#
# For experiments and builds not involving swupd it is also possible to
# disable the mechanism by modifying USERADD_ERROR_DYNAMIC:
# "warn" merely prints a warning, empty value silently allows dynamic
# ID allocation.
USERADDEXTENSION = "useradd-staticids"
USERADD_ERROR_DYNAMIC ??= "error"
USERADD_UID_TABLES += "conf/distro/include/ostro-passwd"
USERADD_GID_TABLES += "conf/distro/include/ostro-group"

# Only specific recipes are supported by the Ostro Project. Those
# recipes are listed in the following file.
#
Expand Down

0 comments on commit 0cd7136

Please sign in to comment.