On Thu, 2025-12-04 at 08:32 +0000, [email protected] wrote:
> From: Chen Qi <[email protected]>
>
> It's possible that users use EXTRA_USERS_PARAMS to set password
> for root or explicitly expire root password. So we need to check
> these two cases to ensure the 'no password' banner is not misleading.
>
> As an example, below are configurations to make an image requiring
> setting a root password on first boot, but without having to first enter
> a static initial password:
>
> In conf/toolcfg.cfg:
> OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password
> In local.conf:
> INHERIT += "extrausers"
> EXTRA_USERS_PARAMS += " passwd-expire root;"
>
> Checking and adding such a banner is ensured to run as last steps of
> ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In particular,
> we want to ensure that the function runs after set_user_group function
> from extrausers.bbclass. So unlike other commands in this bbclass using
> the '+=', this function uses ':append'.
>
> Besides, adding such banner is only meaningful when base-passwd and
> base-files are installed. In case of container image, they might not
> be installed (e.g., container-test-image). So add extra checking for it.
> With the above logic, we avoid breaking the following oe-selftest test case:
> containerimage.ContainerImageTests.test_expected_files
>
> Signed-off-by: Chen Qi <[email protected]>
> ---
> meta/classes-recipe/rootfs-postcommands.bbclass | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
>
> diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass > b/meta/classes-recipe/rootfs-postcommands.bbclass > index f4fbc4c57e..8d7e5e7652 100644 > --- a/meta/classes-recipe/rootfs-postcommands.bbclass > +++ b/meta/classes-recipe/rootfs-postcommands.bbclass 
> @@ -5,7 +5,7 @@ > # > > # Zap the root password if empty-root-password feature is not enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "add_empty_root_password_note", > "zap_empty_root_password ",d)}' > +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "", "zap_empty_root_password ",d)}' > > # Allow dropbear/openssh to accept logins from accounts with an empty > password string if allow-empty-password is enabled > ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "allow-empty-password", "ssh_allow_empty_password ", "",d)}' > @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += > '${SORT_PASSWD_POSTPROCESS_COMMAND}' > # > ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' > > +# Check and add 'no root password' banner. > +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using > :append. > +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note"
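Review bot: In the first hunk (@@ -5,7 +5,7 @@), replacing "add_empty_root_password_note" with "" means the note is no longer selected by the empty-root-password feature, and together with the second hunk it now runs for every image, but the only comment left on this line still reads "# Zap the root password if empty-root-password feature is not enabled". Suggest adding one comment line here stating that the banner decision has moved into add_empty_root_password_note, which must inspect the rootfs itself, so a reader does not assume the banner is still gated by IMAGE_FEATURES.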
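Review bot: In the second hunk (@@ -64,6 +64,10 @@), the added comment "This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND" should read "needs to be done", and it overstates what :append provides: :append places the function after the += entries in this class, but gives no ordering against other :append additions. The commit message states the actual requirement (run after set_user_group from extrausers.bbclass); suggest naming that dependency in the comment so the ordering assumption is documented where it is relied on.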
We should use += instead of :append in all cases unless the semantics of append are actually needed. My understanding is that we just need to ensure that add_empty_root_password_note appears after zap_empty_root_password in ROOTFS_POSTPROCESS_COMMAND, and we don't need to use append to do that.

It would also be better to keep the root password related modifications of ROOTFS_POSTPROCESS_COMMAND together, so please move these lines up so they are immediately after the zap_empty_root_password change above.

Thanks,

-- 
Paul Barker
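
The commit message quoted above names two cases in which a 'no password' banner would mislead: root has a password set through EXTRA_USERS_PARAMS, or root's password is explicitly expired. A sketch of that check over a rootfs shadow file, added here as an example and not the patch's add_empty_root_password_note; the function names, the state labels and reading expiry as a last-change field of 0 (per shadow(5)) are assumptions.

```shell
# Added example (hypothetical helper names), not code from the patch.
# root_password_state <shadow-file> prints one of:
#   missing | locked | empty | empty-expired | set | set-expired
root_password_state() {
    shadow_file=$1
    # Container images may ship without base-passwd/base-files: no shadow file.
    [ -r "$shadow_file" ] || { echo missing; return 0; }

    entry=$(grep '^root:' "$shadow_file" | head -n 1)
    [ -n "$entry" ] || { echo missing; return 0; }

    # shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)
    lastchg=$(printf '%s\n' "$entry" | cut -d: -f3)

    case $hash in
        '')        state=empty ;;    # login with no password at all
        '!'*|'*'*) state=locked ;;   # password login disabled
        *)         state=set ;;      # a hash is present
    esac

    # A last-change value of 0 forces a password change at next login
    # (assumption: this is how an expired root password is recorded).
    if [ "$lastchg" = 0 ] && [ "$state" != locked ]; then
        state="$state-expired"
    fi
    echo "$state"
}

# The banner is accurate only when root can log in with no password and is
# not forced to choose one first; every other state makes it misleading.
banner_is_accurate() {
    [ "$(root_password_state "$1")" = empty ]
}
```

In a build this would be pointed at the image's own shadow file, for example `banner_is_accurate "${IMAGE_ROOTFS}/etc/shadow"`.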
