Ping Randy told me that this one was hold because the :append concern. I think I've stated the reason clearly. The function is not changing /etc/passwd and /etc/shadow. It's just checking them and changing /etc/issues.
Anyway, if anyone has some other approach. Please let me know. Regards, Qi -----Original Message----- From: Chen, Qi Sent: Friday, December 12, 2025 9:13 AM To: 'Paul Barker' <[email protected]>; [email protected] Cc: [email protected] Subject: RE: [OE-core][PATCH V5 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner Hi Paul, The :append is necessary. See the commit message. The function must run *after* the set_user_group function invoked by extrausers.bbclass. This is not related to zap_empty_root_password function. This functions checks the final status of root password and does modification on /etc/issues. Regards, Qi -----Original Message----- From: Paul Barker <[email protected]> Sent: Thursday, December 11, 2025 9:51 PM To: Chen, Qi <[email protected]>; [email protected] Cc: [email protected] Subject: Re: [OE-core][PATCH V5 2/2] rootfs-postcommands.bbclass: fix adding 'no password' banner On Thu, 2025-12-04 at 08:32 +0000, [email protected] wrote: > From: Chen Qi <[email protected]> > > It's possible that users use EXTRA_USERS_PARAMS to set password for > root or explicitly expire root password. So we need to check these two > cases to ensure the 'no password' banner is not misleading. > > As an example, below are configurations to make an image requiring > setting a root password on first boot, but without having to first > enter a static initial password: > > In conf/toolcfg.cfg: > OE_FRAGMENTS += "distro/poky core/yocto/root-login-with-empty-password > In local.conf: > INHERIT += "extrausers" > EXTRA_USERS_PARAMS += " passwd-expire root;" > > Checking and adding such a banner is ensured to run as last steps of > ROOTFS_POSTPROCESS_COMMAND, regardless of IMAGE_FEATURES. In > particualr, we want to ensure that the function runs after > set_user_group function from extrausers.bbclass. So unlike other > commands in this bbclass using the '+=', this function uses ':append'. > > Besides, adding such banner is only meaningful when base-passwd and > baes-files are installed. In case of container image, they might not > be installed (e.g., container-test-image). So add extra checking for it. > With the above logic, we avoid breaking the following oe-selftest test case: > containerimage.ContainerImageTests.test_expected_files > > Signed-off-by: Chen Qi <[email protected]> > --- > meta/classes-recipe/rootfs-postcommands.bbclass | 16 +++++++++++++--- > 1 file changed, 13 insertions(+), 3 deletions(-) > > diff --git a/meta/classes-recipe/rootfs-postcommands.bbclass > b/meta/classes-recipe/rootfs-postcommands.bbclass > index f4fbc4c57e..8d7e5e7652 100644 > --- a/meta/classes-recipe/rootfs-postcommands.bbclass > +++ b/meta/classes-recipe/rootfs-postcommands.bbclass > @@ -5,7 +5,7 @@ > # > > # Zap the root password if empty-root-password feature is not enabled > -ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "add_empty_root_password_note", > "zap_empty_root_password ",d)}' > +ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "empty-root-password", "", "zap_empty_root_password ",d)}' > > # Allow dropbear/openssh to accept logins from accounts with an empty > password string if allow-empty-password is enabled > ROOTFS_POSTPROCESS_COMMAND += '${@bb.utils.contains("IMAGE_FEATURES", > "allow-empty-password", "ssh_allow_empty_password ", "",d)}' > @@ -64,6 +64,10 @@ ROOTFS_POSTPROCESS_COMMAND += > '${SORT_PASSWD_POSTPROCESS_COMMAND}' > # > ROOTFS_POSTPROCESS_COMMAND += 'rootfs_reproducible' > > +# Check and add 'no root password' banner. > +# This needs to done at the end of ROOTFS_POSTPROCESS_COMMAND, thus using > :append. > +ROOTFS_POSTPROCESS_COMMAND:append = " add_empty_root_password_note" We should use += instead of :append in all cases unless the semantics of append are actually needed. My understanding is that we just need to ensure that add_empty_root_password_note appears after zap_empty_root_password in ROOTFS_POSTPROCESS_COMMAND, and we don't need to use append to do that. It would also be better to keep the root password related modifications of ROOTFS_POSTPROCESS_COMMAND together, so please move these lines up so they are immediately after the zap_empty_root_password change above. Thanks, -- Paul Barker
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#227756): https://lists.openembedded.org/g/openembedded-core/message/227756 Mute This Topic: https://lists.openembedded.org/mt/116609301/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
