@@ -236,7 +236,7 @@ Here is an example of ``image-info.txt``:
DISTRO_VERSION = 3.4+snapshot-a0245d7be08f3d24ea1875e9f8872aa6bbff93be
USER_CLASSES = buildstats
IMAGE_CLASSES = qemuboot qemuboot license_image
- IMAGE_FEATURES = debug-tweaks
+ IMAGE_FEATURES = allow-empty-password empty-root-password allow-root-login post-install-logging
IMAGE_LINGUAS =
IMAGE_INSTALL = packagegroup-core-boot speex speexdsp
BAD_RECOMMENDATIONS =
@@ -62,8 +62,7 @@ To understand how these features work, the best reference is
:ref:`meta/classes-recipe/image.bbclass <ref-classes-image>`.
This class lists out the available
:term:`IMAGE_FEATURES` of which most map to package groups while some, such
-as ``debug-tweaks`` and ``read-only-rootfs``, resolve as general
-configuration settings.
+as ``read-only-rootfs``, resolve as general configuration settings.
In summary, the file looks at the contents of the :term:`IMAGE_FEATURES`
variable and then maps or configures the feature accordingly. Based on
@@ -107,18 +107,18 @@ Considerations Specific to the OpenEmbedded Build System
You can take some steps that are specific to the OpenEmbedded build
system to make your images more secure:
-- Ensure "debug-tweaks" is not one of your selected
- :term:`IMAGE_FEATURES`.
+- Ensure that "allow-empty-password", "allow-root-login", or
+ "empty-root-password" are not one of your selected :term:`IMAGE_FEATURES`.
When creating a new project, the default is to provide you with an
- initial ``local.conf`` file that enables this feature using the
+ initial ``local.conf`` file that enables these features using the
:term:`EXTRA_IMAGE_FEATURES`
variable with the line::
- EXTRA_IMAGE_FEATURES = "debug-tweaks"
+ EXTRA_IMAGE_FEATURES = "allow-empty-password empty-root-password allow-root-login"
- To disable that feature, simply comment out that line in your
+ To disable these features, simply comment out that line in your
``local.conf`` file, or make sure :term:`IMAGE_FEATURES` does not contain
- "debug-tweaks" before producing your final image. Among other things,
+ any of these features before producing your final image. Among other things,
leaving this in place sets the root password as blank, which makes
logging in for debugging or inspection easy during development but
also means anyone can easily log in during production.
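Review bot: the new bullet text "Ensure that "allow-empty-password", "allow-root-login", or "empty-root-password" are not one of your selected IMAGE_FEATURES" is ungrammatical with three items; "Ensure that none of ... is among your selected IMAGE_FEATURES" reads correctly. The unchanged context "leaving this in place sets the root password as blank" still refers to a single feature. It also disagrees with the features.rst note in this same patch, which says ``empty-root-password`` does not set an empty password by itself and only disables the mechanism that forces a non-empty one. Reword that sentence to the plural and to what the three features actually allow.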
@@ -43,7 +43,7 @@ an ``sdk`` image, perhaps one of::
Alternatively, you can add ``tools-profile`` to the :term:`EXTRA_IMAGE_FEATURES` line in
your ``local.conf`` file::
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile"
+ EXTRA_IMAGE_FEATURES:append = " tools-profile"
If you use the ``tools-profile`` method, you don't need to build an sdk image ---
the tracing and profiling tools will be included in non-sdk images as well e.g.::
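Review bot: the replacement line EXTRA_IMAGE_FEATURES:append = " tools-profile" only works because of the leading space inside the quotes, and the surrounding text does not say so. The :append operator concatenates without adding a separator, so a reader who retypes the value without the space gets it glued to the previous feature name. One sentence after the literal block pointing out the space would prevent that.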
@@ -69,7 +69,7 @@ packages (xxx-dbg) which you can manually install as needed.
To generate debug info for packages, you can add ``dbg-pkgs`` to
:term:`EXTRA_IMAGE_FEATURES` in ``local.conf``. For example::
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
+ EXTRA_IMAGE_FEATURES:append = " dbg-pkgs"
Additionally, in order to generate the right type of debug info, we also need to
set :term:`PACKAGE_DEBUG_SPLIT_STYLE` in the ``local.conf`` file::
@@ -308,7 +308,7 @@ install the debugging information for the BusyBox package.
To generate the debug info for the packages in the image, we can add
``dbg-pkgs`` to :term:`EXTRA_IMAGE_FEATURES` in ``local.conf``. For example::
- EXTRA_IMAGE_FEATURES = "debug-tweaks tools-profile dbg-pkgs"
+ EXTRA_IMAGE_FEATURES:append = " dbg-pkgs"
Additionally, in order to generate the type of debugging information that perf
understands, we also need to set :term:`PACKAGE_DEBUG_SPLIT_STYLE`
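Review bot: the example here went from "debug-tweaks tools-profile dbg-pkgs" to an append of " dbg-pkgs" alone, so ``tools-profile`` is dropped together with ``debug-tweaks``. The ``tools-profile`` append introduced by this patch is in intro.rst, while this hunk is in usage.rst, so a reader following this section on its own no longer sees it. Either keep it in the example, as EXTRA_IMAGE_FEATURES:append = " tools-profile dbg-pkgs", or point back to where ``tools-profile`` is enabled.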
@@ -285,31 +285,24 @@ The image features available for all images are:
- *dbg-pkgs:* Installs debug symbol packages for all packages installed
in a given image.
-- *debug-tweaks:* Makes an image suitable for development (e.g. allows
- root logins, logins without passwords ---including root ones, and enables
- post-installation logging). See the ``allow-empty-password``,
- ``allow-root-login``, ``empty-root-password``, and ``post-install-logging``
- features in this list for additional information.
-
- *dev-pkgs:* Installs development packages (headers and extra library
links) for all packages installed in a given image.
- *doc-pkgs:* Installs documentation packages for all packages
installed in a given image.
-- *empty-root-password:* This feature or ``debug-tweaks`` is required if
- you want to allow root login with an empty password. If these features
- are not present in :term:`IMAGE_FEATURES`, a non-empty password is
- forced in ``/etc/passwd`` and ``/etc/shadow`` if such files exist.
+- *empty-root-password:* This feature can be used if you want to allow root
+ login with an empty password. If this feature is not present in
+ :term:`IMAGE_FEATURES`, a non-empty password is forced in ``/etc/passwd`` and
+ ``/etc/shadow`` if such files exist.
.. note::
``empty-root-password`` doesn't set an empty root password by itself.
You get an initial empty root password thanks to the
:oe_git:`base-passwd </openembedded-core/tree/meta/recipes-core/base-passwd/>`
and :oe_git:`shadow </openembedded-core/tree/meta/recipes-extended/shadow/>`
- recipes, and the presence of ``empty-root-password`` or ``debug-tweaks``
- just disables the mechanism which forces an non-empty password for the
- root user.
+ recipes, and the presence of ``empty-root-password`` just disables the
+ mechanism which forces an non-empty password for the root user.
- *lic-pkgs:* Installs license packages for all packages installed in a
given image.
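Review bot: the rewrapped note still says "forces an non-empty password"; since these lines are being touched anyway, change it to "a non-empty password". Separately, the ``debug-tweaks`` entry is deleted from the list outright, so someone who still has it in a ``local.conf`` and searches this page finds nothing. A short pointer naming the four features that replace it (the list given in the commit message) would help, unless that is covered in a migration guide that is not part of this patch.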
@@ -2605,10 +2605,14 @@ system and gives an overview of their function and contents.
- "dbg-pkgs" --- adds -dbg packages for all installed packages including
symbol information for debugging and profiling.
- - "debug-tweaks" --- makes an image suitable for debugging. For example, allows root logins without passwords and
- enables post-installation logging. See the 'allow-empty-password' and
- 'post-install-logging' features in the ":ref:`ref-features-image`"
- section for more information.
+ - "empty-root-password" --- This feature can be used if you want to
+ allow root login with an empty password.
+ - "allow-empty-password" --- Allows Dropbear and OpenSSH to accept
+ logins from accounts having an empty password string.
+ - "allow-root-login" --- Allows Dropbear and OpenSSH to accept root logins.
+ - "post-install-logging" --- Enables logging postinstall script runs to
+ the ``/var/log/postinstall.log`` file on first boot of the image on
+ the target system.
- "dev-pkgs" --- adds -dev packages for all installed packages. This is
useful if you want to develop against the libraries in the image.
- "read-only-rootfs" --- creates an image whose root filesystem is
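Review bot: the four new entries are inserted between "dbg-pkgs" and "dev-pkgs" in the order empty-root-password, allow-empty-password, allow-root-login, post-install-logging, which fits neither the surrounding list order nor any order among themselves. They also start with capitalised sentences ("This feature can be used...", "Allows...") where the neighbouring entries use lowercase fragments ("adds -dbg packages..."). The removed entry linked to the ":ref:`ref-features-image`" section and the new ones do not; keeping that cross-reference on at least one of them would preserve the path to the fuller descriptions.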
@@ -655,7 +655,10 @@ The extensible SDK supports two different development modes.
# SSH is mandatory, no password simplifies the usage
EXTRA_IMAGE_FEATURES += "\
ssh-server-openssh \
- debug-tweaks \
+ allow-empty-password \
+ allow-root-login \
+ empty-root-password \
+ post-install-logging \
"
# Remote debugging needs gdbserver on the target device
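Review bot: the comment above the assignment, "SSH is mandatory, no password simplifies the usage", now sits over four explicit features, one of which (post-install-logging) has nothing to do with SSH or passwords. Spelling the features out also makes it plain that this configuration allows root SSH logins with an empty password. The securing-images hunk in this same patch tells readers to keep these three features out of a final image, so the comment should say that the block is meant for development images only.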
We no longer provide this feature, so remove documentation for it.

In most cases, we can replace occurrences of "debug-tweaks" by
"allow-empty-password empty-root-password allow-root-login
post-install-logging" to achieve what this feature previously enabled.

Subtle, but the default local.conf does not include
post-install-logging, so in parts where there is mention of the default
local.conf file, adjust the documentation to only mention the first
three above.

In the intro manual, instead of providing instructions that replace
EXTRA_IMAGE_FEATURES entirely, provide ones that append
EXTRA_IMAGE_FEATURES.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/dev-manual/build-quality.rst      |  2 +-
 documentation/dev-manual/customizing-images.rst |  3 +--
 documentation/dev-manual/securing-images.rst    | 12 ++++++------
 documentation/profile-manual/intro.rst          |  4 ++--
 documentation/profile-manual/usage.rst          |  2 +-
 documentation/ref-manual/features.rst           | 19 ++++++-------------
 documentation/ref-manual/variables.rst          | 12 ++++++++----
 documentation/sdk-manual/extensible.rst         |  5 ++++-
 8 files changed, 29 insertions(+), 30 deletions(-)