Message ID | 20241107134752.2071720-1-ross.burton@arm.com |
---|---|
State | New |
Headers | show |
Series | classes-recipe/core-image: drop debug-tweaks IMAGE_FEATURE | expand |
Hi Ross, On 11/7/24 2:47 PM, Ross Burton via lists.openembedded.org wrote: > Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to > developers, but it results primarily in an image which root can login > remotely without a password. This is incredibly useful for local > development and testing purposes, but we really want to be explicit that > this is what is happening instead of hiding it behind a vague "debug > tweaks" statement. > > To preserve the eixsting behaviour, debug-tweaks should be replaced with s/eixsting/existing/ > these features: > > allow-empty-password empty-root-password allow-root-login post-install-logging > Sounds like a good idea! More explicit, more betterererer! Can I request you at least notify the docs people when this gets merged so the community/maintainer can update the docs for that? Or even better, sending a patch for it :) ? Cheers, Quentin
On 7 Nov 2024, at 14:14, Quentin Schulz <quentin.schulz@cherry.de> wrote: > > Hi Ross, > > On 11/7/24 2:47 PM, Ross Burton via lists.openembedded.org wrote: >> Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to >> developers, but it results primarily in an image which root can login >> remotely without a password. This is incredibly useful for local >> development and testing purposes, but we really want to be explicit that >> this is what is happening instead of hiding it behind a vague "debug >> tweaks" statement. >> To preserve the eixsting behaviour, debug-tweaks should be replaced with > > s/eixsting/existing/ > >> these features: >> allow-empty-password empty-root-password allow-root-login post-install-logging > > Sounds like a good idea! More explicit, more betterererer! > > Can I request you at least notify the docs people when this gets merged so the community/maintainer can update the docs for that? > > Or even better, sending a patch for it :) ? Yes, I’ll definitely be following up to ensure the docs are fixed. Ross
On 07/11/2024 13:47, Ross Burton wrote: > Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to > developers, but it results primarily in an image which root can login > remotely without a password. This is incredibly useful for local > development and testing purposes, but we really want to be explicit that > this is what is happening instead of hiding it behind a vague "debug > tweaks" statement. > > To preserve the eixsting behaviour, debug-tweaks should be replaced with > these features: > > allow-empty-password empty-root-password allow-root-login post-install-logging > > Signed-off-by: Ross Burton <ross.burton@arm.com> > --- > meta/classes-recipe/core-image.bbclass | 11 ++++++----- > meta/classes-recipe/image.bbclass | 2 +- > meta/classes-recipe/rootfs-postcommands.bbclass | 16 ++++++++-------- > 3 files changed, 15 insertions(+), 14 deletions(-) > > diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass > index 40fc15cb04f..4072e420c58 100644 > --- a/meta/classes-recipe/core-image.bbclass > +++ b/meta/classes-recipe/core-image.bbclass > @@ -26,11 +26,6 @@ > # - ssh-server-openssh - SSH server (openssh) > # - hwcodecs - Install hardware acceleration codecs > # - package-management - installs package management tools and preserves the package manager database > -# - debug-tweaks - makes an image suitable for development, e.g. allowing passwordless root logins > -# - empty-root-password > -# - allow-empty-password > -# - allow-root-login > -# - post-install-logging > # - serial-autologin-root - with 'empty-root-password': autologin 'root' on the serial console > # - dev-pkgs - development packages (headers, etc.) for all installed packages in the rootfs > # - dbg-pkgs - debug symbol packages for all installed packages in the rootfs > @@ -43,6 +38,12 @@ > # - stateless-rootfs - systemctl-native not run, image populated by systemd at runtime > # - splash - bootup splash screen > # > +# Features for development purposes (previously part of debug-tweaks): > +# - empty-root-password - the root user has no password set > +# - allow-empty-password - users can have an empty password > +# - allow-root-login - the root user can login We should clarify that this means allow root to login via SSH, login via the console doesn't depend on this feature. Other than that, this is a definite improvement. Ship it! Thanks,
Hello, Ross I hope this e-mail finds you well On 11/7/24 14:47, Ross Burton wrote: > Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to > developers, but it results primarily in an image which root can login > remotely without a password. This is incredibly useful for local > development and testing purposes, but we really want to be explicit that > this is what is happening instead of hiding it behind a vague "debug > tweaks" statement. > > To preserve the eixsting behaviour, debug-tweaks should be replaced with > these features: > > allow-empty-password empty-root-password allow-root-login post-install-logging > > Signed-off-by: Ross Burton<ross.burton@arm.com> > --- (...) What do you think about simply replacing 'debug-tweaks' with a more explicit term, like 'root-debug-no-password' or something similar? Using a clearer label would make the feature's purpose more transparent without being vague. Plus, it would avoid the need to list all four individual features each time.
diff --git a/meta/classes-recipe/core-image.bbclass b/meta/classes-recipe/core-image.bbclass index 40fc15cb04f..4072e420c58 100644 --- a/meta/classes-recipe/core-image.bbclass +++ b/meta/classes-recipe/core-image.bbclass @@ -26,11 +26,6 @@ # - ssh-server-openssh - SSH server (openssh) # - hwcodecs - Install hardware acceleration codecs # - package-management - installs package management tools and preserves the package manager database -# - debug-tweaks - makes an image suitable for development, e.g. allowing passwordless root logins -# - empty-root-password -# - allow-empty-password -# - allow-root-login -# - post-install-logging # - serial-autologin-root - with 'empty-root-password': autologin 'root' on the serial console # - dev-pkgs - development packages (headers, etc.) for all installed packages in the rootfs # - dbg-pkgs - debug symbol packages for all installed packages in the rootfs @@ -43,6 +38,12 @@ # - stateless-rootfs - systemctl-native not run, image populated by systemd at runtime # - splash - bootup splash screen # +# Features for development purposes (previously part of debug-tweaks): +# - empty-root-password - the root user has no password set +# - allow-empty-password - users can have an empty password +# - allow-root-login - the root user can login +# - post-install-logging - log the output of postinstall scriptlets +# FEATURE_PACKAGES_weston = "packagegroup-core-weston" FEATURE_PACKAGES_x11 = "packagegroup-core-x11" FEATURE_PACKAGES_x11-base = "packagegroup-core-x11-base" diff --git a/meta/classes-recipe/image.bbclass b/meta/classes-recipe/image.bbclass index 00f1d58f237..eda3c6d0f38 100644 --- a/meta/classes-recipe/image.bbclass +++ b/meta/classes-recipe/image.bbclass @@ -40,7 +40,7 @@ INHIBIT_DEFAULT_DEPS = "1" # IMAGE_FEATURES may contain any available package group IMAGE_FEATURES ?= "" IMAGE_FEATURES[type] = "list" -IMAGE_FEATURES[validitems] += "debug-tweaks read-only-rootfs read-only-rootfs-delayed-postinsts stateless-rootfs empty-root-password allow-empty-password allow-root-login serial-autologin-root post-install-logging overlayfs-etc" +IMAGE_FEATURES[validitems] += "read-only-rootfs read-only-rootfs-delayed-postinsts stateless-rootfs empty-root-password allow-empty-password allow-root-login serial-autologin-root post-install-logging overlayfs-etc" # Generate companion debugfs? IMAGE_GEN_DEBUGFS ?= "0" diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass b/meta/classes-recipe/rootfs-postcommands.bbclass index 5f4d67f93ca..50e77dca763 100644 --- a/meta/classes-recipe/rootfs-postcommands.bbclass +++ b/meta/classes-recipe/rootfs-postcommands.bbclass @@ -4,20 +4,20 @@ # SPDX-License-Identifier: MIT # -# Zap the root password if debug-tweaks and empty-root-password features are not enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'empty-root-password' ], "", "zap_empty_root_password ",d)}' +# Zap the root password if empty-root-password feature is not enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "empty-root-password", "", "zap_empty_root_password ",d)}' -# Allow dropbear/openssh to accept logins from accounts with an empty password string if debug-tweaks or allow-empty-password is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-empty-password' ], "ssh_allow_empty_password ", "",d)}' +# Allow dropbear/openssh to accept logins from accounts with an empty password string if allow-empty-password is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-empty-password", "ssh_allow_empty_password ", "",d)}' -# Allow dropbear/openssh to accept root logins if debug-tweaks or allow-root-login is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'allow-root-login' ], "ssh_allow_root_login ", "",d)}' +# Allow dropbear/openssh to accept root logins if allow-root-login is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "allow-root-login", "ssh_allow_root_login ", "",d)}' # Autologin the root user on the serial console, if empty-root-password and serial-autologin-root are active ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", [ 'empty-root-password', 'serial-autologin-root' ], "serial_autologin_root ", "",d)}' -# Enable postinst logging if debug-tweaks or post-install-logging is enabled -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains_any("IMAGE_FEATURES", [ 'debug-tweaks', 'post-install-logging' ], "postinst_enable_logging ", "",d)}' +# Enable postinst logging if post-install-logging is enabled +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", "post-install-logging", "postinst_enable_logging ", "",d)}' # Create /etc/timestamp during image construction to give a reasonably sane default time setting ROOTFS_POSTPROCESS_COMMAND += "rootfs_update_timestamp "
Remove the 'debug-tweaks' IMAGE_FEATURE. It sounds friendly and kind to developers, but it results primarily in an image which root can login remotely without a password. This is incredibly useful for local development and testing purposes, but we really want to be explicit that this is what is happening instead of hiding it behind a vague "debug tweaks" statement. To preserve the eixsting behaviour, debug-tweaks should be replaced with these features: allow-empty-password empty-root-password allow-root-login post-install-logging Signed-off-by: Ross Burton <ross.burton@arm.com> --- meta/classes-recipe/core-image.bbclass | 11 ++++++----- meta/classes-recipe/image.bbclass | 2 +- meta/classes-recipe/rootfs-postcommands.bbclass | 16 ++++++++-------- 3 files changed, 15 insertions(+), 14 deletions(-)