[OE-core] [PATCH 2/3] iptables: Allow overriding rules file location
In some cases a distribution may want to install rules file into a
location other than /etc/iptables/ so introduce custom recipe-level
IPTABLES_RULES_DIR parameter which allows conveniently overriding
the rules directory location.
Signed-off-by: Niko Mauno
---
.../iptables/iptables/iptables.service| 4 ++--
meta/recipes-extended/iptables/iptables_1.8.3.bb | 11 ---
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service
b/meta/recipes-extended/iptables/iptables/iptables.service
index 041316e457..5a8aa3f298 100644
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -5,8 +5,8 @@ Wants=network-pre.target
[Service]
Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
RemainAfterExit=yes
[Install]
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 563c8ae354..73680207b4 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -38,14 +38,19 @@ do_configure_prepend() {
rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
}
+IPTABLES_RULES_DIR ?= "${sysconfdir}/${BPN}"
+
do_install_append() {
-install -d ${D}${sysconfdir}/iptables
-install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+install -d ${D}${IPTABLES_RULES_DIR}
+install -m 0644 ${WORKDIR}/iptables.rules ${D}${IPTABLES_RULES_DIR}
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
-sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
+sed -i \
+-e 's,@SBINDIR@,${sbindir},g' \
+-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+${D}${systemd_system_unitdir}/iptables.service
}
PACKAGES += "${PN}-modules"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 3/3] iptables: Add systemd helper unit for IPv6 too
Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper
unit for automatic IPv4 rule loading. Complement the effort by adding
systemd helper unit also for automatic IPv6 rule loading.
Signed-off-by: Niko Mauno
---
.../iptables/iptables/ip6tables.rules | 0
.../iptables/iptables/ip6tables.service | 13
.../iptables/iptables/iptables.service| 6 +++---
.../iptables/iptables_1.8.3.bb| 21 ++-
4 files changed, 36 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.service
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules
b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 00..e69de29bb2
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.service
b/meta/recipes-extended/iptables/iptables/ip6tables.service
new file mode 100644
index 00..6c059fca49
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+ExecReload=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service
b/meta/recipes-extended/iptables/iptables/iptables.service
index 5a8aa3f298..0eb3c343de 100644
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Packet Filtering Framework
+Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
RemainAfterExit=yes
[Install]
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 73680207b4..96d195d9d0 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -13,11 +13,16 @@ SRC_URI =
"http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
file://iptables.service \
file://iptables.rules \
+ file://ip6tables.service \
+ file://ip6tables.rules \
"
SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
SRC_URI[sha256sum] =
"a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
-SYSTEMD_SERVICE_${PN} = "iptables.service"
+SYSTEMD_SERVICE_${PN} = "\
+iptables.service \
+${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'ip6tables.service', '', d)}
\
+"
inherit autotools pkgconfig systemd
@@ -51,6 +56,16 @@ do_install_append() {
-e 's,@SBINDIR@,${sbindir},g' \
-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
${D}${systemd_system_unitdir}/iptables.service
+
+if ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'true', 'false', d)} ;
then
+install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
+install -m 0644 ${WORKDIR}/ip6tables.service
${D}${systemd_system_unitdir}
+
+sed -i \
+-e 's,@SBINDIR@,${sbindir},g' \
+-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+${D}${systemd_system_unitdir}/ip6tables.service
+fi
}
PACKAGES += "${PN}-modules"
@@ -75,6 +90,10 @@ RRECOMMENDS_${PN} = " \
kernel-module-nf-conntrack-ipv4 \
kernel-module-nf-nat \
kernel-module-ipt-masquerade \
+${@bb.utils.contains('PACKAGECONFIG', 'ipv6', '\
+kernel-module-ip6table-filter \
+kernel-module-ip6-tables \
+', '', d)} \
"
FILES_${PN} += "${datadir}/xtables"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 1/3] iptables: Cosmetic fixes to recipe
Introduce cosmetic changes to recipe content, most notably
- Change indentation style to four spaces in task statements
- Reorder several entries according to oe-stylize.py suggestions
Signed-off-by: Niko Mauno
---
.../iptables/iptables_1.8.3.bb| 60 +--
1 file changed, 29 insertions(+), 31 deletions(-)
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index ff9fcb1b53..563c8ae354 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -4,8 +4,9 @@ filtering code in Linux."
HOMEPAGE = "http://www.netfilter.org/";
BUGTRACKER = "http://bugzilla.netfilter.org/";
LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
-
file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+
file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc
\
+"
SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2
\
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
@@ -13,16 +14,16 @@ SRC_URI =
"http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://iptables.service \
file://iptables.rules \
"
-
SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
SRC_URI[sha256sum] =
"a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
inherit autotools pkgconfig systemd
EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
-
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
# libnfnetlink recipe is in meta-networking layer
@@ -32,9 +33,19 @@ PACKAGECONFIG[libnfnetlink] =
"--enable-libnfnetlink,--disable-libnfnetlink,libn
PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
do_configure_prepend() {
- # Remove some libtool m4 files
- # Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
- rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+# Remove some libtool m4 files
+# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
+rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+}
+
+do_install_append() {
+install -d ${D}${sysconfdir}/iptables
+install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+install -d ${D}${systemd_system_unitdir}
+install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
}
PACKAGES += "${PN}-modules"
@@ -47,30 +58,6 @@ python populate_packages_prepend() {
d.appendVar('RDEPENDS_' + metapkg, ' ' + ' '.join(modules))
}
-FILES_${PN} += "${datadir}/xtables"
-
-# Include the symlinks as well in respective packages
-FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
-FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
-
-INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
-INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
-
-ALLOW_EMPTY_${PN}-modules = "1"
-
-do_install_append() {
-
-install -d ${D}${sysconfdir}/iptables
-install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
-
-install -d ${D}${systemd_system_unitdir}
-install -m 0644 ${WORKDIR}/iptables.service
${D}${systemd_system_unitdir}
-
- sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
-}
-
-SYSTEMD_SERVICE_${PN} = "iptables.service"
-
RDEPENDS_${PN} = "${PN}-module-xt-standard"
RRECOMMENDS_${PN} = " \
${PN}-modules \
@@ -84,3 +71,14 @@ RRECOMMENDS_${PN} = " \
kernel-module-nf-nat \
kernel-module-ipt-masquerade \
"
+
+FILES_${PN} += "${datadir}/xtables"
+
+# Include the symlinks as well in respective packages
+FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+
+ALLOW_EMPTY_${PN}-modules = "1"
+
+INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] Fix missing leading whitespace with ':append'
On 7/9/24 18:43, Richard Purdie wrote: On Tue, 2024-07-09 at 16:10 +0200, Alexandre Belloni via lists.openembedded.org wrote: Hello, Can you submit one patch per recipe? FWIW I tweaked the shortlog prefix in master-next to mesa/dnf: which resolves this case. Cheers, Richard Apologies, I failed to realize this before submitting a v2 of the commit as a series of two separate patches. Please ignore it. - Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201670): https://lists.openembedded.org/g/openembedded-core/message/201670 Mute This Topic: https://lists.openembedded.org/mt/107121031/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
On 8/2/24 17:25, Guðni Már Gilbert wrote: I wonder if it would be good to backport this to Scarthgap. I'm getting the following warning for unpatched CVE on latest scarthgap: WARNING: libyaml-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check /home/builder/yocto/build/tmp/work/cortexa9t2hf-neon-tdx-linux-gnueabi/libyaml/0.2.5/temp/cve.log Would this patch silence it? Thanks, I've submitted https://lists.openembedded.org/g/openembedded-core/message/202933 which should fix the issue if it gets incorporated. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202934): https://lists.openembedded.org/g/openembedded-core/message/202934 Mute This Topic: https://lists.openembedded.org/mt/107662504/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] icu: Fix 'buildpaths' QA error
On 9/1/24 13:55, Richard Purdie wrote: On Sat, 2024-08-31 at 16:01 +0300, Niko Mauno via lists.openembedded.org wrote: Add stripping of STAGING_DIR_NATIVE during target/nativesdk specific do_install, which mitigates following BitBake failure: ERROR: icu-75-1-r0 do_package_qa: QA Issue: File /usr/lib/icu/75.1/pkgdata.inc in package icu-dev contains reference to TMPDIR [buildpaths] ERROR: icu-75-1-r0 do_package_qa: Fatal QA errors were found, failing task. While doing so, we also drop HOSTTOOLS_DIR stripping, as it's value does not appear in the content of either file that are manipulated here. Signed-off-by: Niko Mauno --- meta/recipes-support/icu/icu_75-1.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Why aren't we seeing this issue in automated test? I should have known better, in a new workspace I was unable to reproduce to issue. Apologies for the noise. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#204051): https://lists.openembedded.org/g/openembedded-core/message/204051 Mute This Topic: https://lists.openembedded.org/mt/108194777/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [pyro][PATCH] package_manager.py: Explicit complementary fail
When running bitbake -c populate_sdk , it is expected that
packages matching SDKIMAGE_INSTALL_COMPLEMENTARY name mask (unless
declared in PACKAGE_EXCLUDE_COMPLEMENTARY) are installed to resulting
SDK. Underlying mechanism issues a package manager install call for set
of complementary packages. However the mechanism doesn't seem to inform
the user all too obviously in case the package manager command behind
install_complementary() method fails -- and since it is combined with
attempt_only=True option, user might end up wondering why several *-dev,
*-dbg packages are missing from resulting SDK.
Improve associated install() method behaviour in affected OpkgPM and
DpkgPM classes so that a problematic state of affairs becomes directly
obvious for bitbake user, resulting in shell output like:
WARNING: someimage-1.0-r0 do_populate_sdk: Unable to install packages.
Command '...' returned 1:
Collected errors:
* Solver encountered 1 problem(s):
* Problem 1/1:
* - package somepkg-dev-1.0-r0.x86 requires somepkg = 1.0-r0, but
none of the providers can be installed
*
* Solution 1:
* - allow deinstallation of someotherpkg-1.1-r1.x86
* - do not ask to install a package providing somepkg-dev
* Solution 2:
* - do not ask to install a package providing somepkg-dev
(From OE-Core rev: 2502bd591c37bf532d02dc6b37fc1e8b5224fb0a)
Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 0d4459e7086fced5e9e0b4ad10378c9eddec56a8)
---
meta/lib/oe/package_manager.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index a907d6c7b9..1a2914fedc 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -1078,7 +1078,7 @@ class OpkgPM(OpkgDpkgPM):
output = subprocess.check_output(cmd.split(),
stderr=subprocess.STDOUT).decode("utf-8")
bb.note(output)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
@@ -1377,7 +1377,7 @@ class DpkgPM(OpkgDpkgPM):
bb.note("Installing the following packages: %s" % ' '.join(pkgs))
subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
--
2.16.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [rocko][PATCH] package_manager.py: Explicit complementary fail
When running bitbake -c populate_sdk , it is expected that
packages matching SDKIMAGE_INSTALL_COMPLEMENTARY name mask (unless
declared in PACKAGE_EXCLUDE_COMPLEMENTARY) are installed to resulting
SDK. Underlying mechanism issues a package manager install call for set
of complementary packages. However the mechanism doesn't seem to inform
the user all too obviously in case the package manager command behind
install_complementary() method fails -- and since it is combined with
attempt_only=True option, user might end up wondering why several *-dev,
*-dbg packages are missing from resulting SDK.
Improve associated install() method behaviour in affected OpkgPM and
DpkgPM classes so that a problematic state of affairs becomes directly
obvious for bitbake user, resulting in shell output like:
WARNING: someimage-1.0-r0 do_populate_sdk: Unable to install packages.
Command '...' returned 1:
Collected errors:
* Solver encountered 1 problem(s):
* Problem 1/1:
* - package somepkg-dev-1.0-r0.x86 requires somepkg = 1.0-r0, but
none of the providers can be installed
*
* Solution 1:
* - allow deinstallation of someotherpkg-1.1-r1.x86
* - do not ask to install a package providing somepkg-dev
* Solution 2:
* - do not ask to install a package providing somepkg-dev
(From OE-Core rev: 2502bd591c37bf532d02dc6b37fc1e8b5224fb0a)
Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 0d4459e7086fced5e9e0b4ad10378c9eddec56a8)
---
meta/lib/oe/package_manager.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index db8bf2f39c..ed8fec8509 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -1089,7 +1089,7 @@ class OpkgPM(OpkgDpkgPM):
output = subprocess.check_output(cmd.split(),
stderr=subprocess.STDOUT).decode("utf-8")
bb.note(output)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
@@ -1388,7 +1388,7 @@ class DpkgPM(OpkgDpkgPM):
bb.note("Installing the following packages: %s" % ' '.join(pkgs))
subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
--
2.16.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] run-postinsts: Replace pi_dir variable test
Since commit 5159ddcb62682e1b7e63a20a9218ea96e3fe10a2 string length test
performed against pi_dir has effectively never been able to succeed.
Change this to rather test if pi_dir is not an existing directory. By
doing we remove the chance of seeing the following console error message
during first boot to a pristine rootfs:
'ls: /etc/ipk-postinsts: No such file or directory'
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts | 2 +-
meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb| 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
index 50c0a1afea..307feb7187 100755
--- a/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts/run-postinsts
@@ -43,7 +43,7 @@ remove_rcsd_link () {
fi
}
-if [ -z "$pi_dir" ]; then
+if ! [ -d $pi_dir ]; then
remove_rcsd_link
exit 0
fi
diff --git a/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
b/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
index 31c98ec99c..85b3fc867e 100644
--- a/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
+++ b/meta/recipes-devtools/run-postinsts/run-postinsts_1.0.bb
@@ -1,6 +1,6 @@
SUMMARY = "Runs postinstall scripts on first boot of the target device"
SECTION = "devel"
-PR = "r9"
+PR = "r10"
LICENSE = "MIT"
LIC_FILES_CHKSUM =
"file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
--
2.16.3
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 2/3] e2fsprogs: Complement update-alternatives scope
Avoid collision of e2fsprogs provided tune2fs, mke2fs and mkfs.ext2
commands with corresponding BusyBox provided applets in case both
packages are installed to same rootfs, by adding these commands to
update-alternatives scope
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
index 56abb3b5d3..cda432460f 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
@@ -100,6 +100,13 @@ ALTERNATIVE_TARGET[chattr] =
"${base_bindir}/chattr.e2fsprogs"
ALTERNATIVE_${PN}-doc = "fsck.8"
ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
+ALTERNATIVE_${PN}-tune2fs = "tune2fs"
+ALTERNATIVE_LINK_NAME[tune2fs] = "${base_sbindir}/tune2fs"
+
+ALTERNATIVE_${PN}-mke2fs = "mke2fs mkfs.ext2"
+ALTERNATIVE_LINK_NAME[mke2fs] = "${base_sbindir}/mke2fs"
+ALTERNATIVE_LINK_NAME[mkfs.ext2] = "${base_sbindir}/mkfs.ext2"
+
RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash"
do_compile_ptest() {
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 1/3] procps: Complement update-alternatives scope
Avoid collision of propcs provided w binary with BusyBox-provided
applet in case both are installed to same rootfs, by adding w to
update-alternatives scope via bindir_progs variable
Signed-off-by: Niko Mauno
---
meta/recipes-extended/procps/procps_3.3.12.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-extended/procps/procps_3.3.12.bb
b/meta/recipes-extended/procps/procps_3.3.12.bb
index 99e43c5349..ecf215fecf 100644
--- a/meta/recipes-extended/procps/procps_3.3.12.bb
+++ b/meta/recipes-extended/procps/procps_3.3.12.bb
@@ -42,7 +42,7 @@ do_install_append () {
CONFFILES_${PN} = "${sysconfdir}/sysctl.conf"
-bindir_progs = "free pkill pmap pgrep pwdx skill snice top uptime"
+bindir_progs = "free pkill pmap pgrep pwdx skill snice top uptime w"
base_bindir_progs += "kill pidof ps watch"
base_sbindir_progs += "sysctl"
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH 3/3] mtd-utils: Complement update-alternatives scope
Avoid collision of mtd-utils and mtd-utils-ubifs provided binaries
with identically named BusyBox provided applets in case packages
are installed to same rootfs, by adding relevant binaries to
update-alternatives scope
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/mtd/mtd-utils_git.bb | 23 ---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/meta/recipes-devtools/mtd/mtd-utils_git.bb
b/meta/recipes-devtools/mtd/mtd-utils_git.bb
index d09d633022..f50a42cf0e 100644
--- a/meta/recipes-devtools/mtd/mtd-utils_git.bb
+++ b/meta/recipes-devtools/mtd/mtd-utils_git.bb
@@ -28,10 +28,27 @@ CPPFLAGS_append_riscv64 = " -pthread -D_REENTRANT"
EXTRA_OEMAKE = "'CC=${CC}' 'RANLIB=${RANLIB}' 'AR=${AR}' 'CFLAGS=${CFLAGS}
${@bb.utils.contains('PACKAGECONFIG', 'xattr', '', '-DWITHOUT_XATTR', d)}
-I${S}/include' 'BUILDDIR=${S}'"
-ALTERNATIVE_${PN} = "flash_eraseall"
+# Use higher priority than corresponding BusyBox-provided applets
+ALTERNATIVE_PRIORITY = "100"
+
+ALTERNATIVE_${PN} = "flashcp flash_eraseall flash_lock flash_unlock nanddump
nandwrite"
+ALTERNATIVE_${PN}-ubifs = "ubiattach ubidetach ubimkvol ubirename ubirmvol
ubirsvol ubiupdatevol"
+
+ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall"
+ALTERNATIVE_LINK_NAME[nandwrite] = "${sbindir}/nandwrite"
+ALTERNATIVE_LINK_NAME[nanddump] = "${sbindir}/nanddump"
+ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
+ALTERNATIVE_LINK_NAME[ubiattach] = "${sbindir}/ubiattach"
+ALTERNATIVE_LINK_NAME[ubidetach] = "${sbindir}/ubidetach"
+ALTERNATIVE_LINK_NAME[ubimkvol] = "${sbindir}/ubimkvol"
+ALTERNATIVE_LINK_NAME[ubirename] = "${sbindir}/ubirename"
+ALTERNATIVE_LINK_NAME[ubirmvol] = "${sbindir}/ubirmvol"
+ALTERNATIVE_LINK_NAME[ubirsvol] = "${sbindir}/ubirsvol"
+ALTERNATIVE_LINK_NAME[ubiupdatevol] = "${sbindir}/ubiupdatevol"
ALTERNATIVE_LINK_NAME[flash_eraseall] = "${sbindir}/flash_eraseall"
-# Use higher priority than busybox's flash_eraseall (created when built with
CONFIG_FLASH_ERASEALL)
-ALTERNATIVE_PRIORITY[flash_eraseall] = "100"
+ALTERNATIVE_LINK_NAME[flash_lock] = "${sbindir}/flash_lock"
+ALTERNATIVE_LINK_NAME[flash_unlock] = "${sbindir}/flash_unlock"
+ALTERNATIVE_LINK_NAME[flashcp] = "${sbindir}/flashcp"
do_install () {
oe_runmake install DESTDIR=${D} SBINDIR=${sbindir} MANDIR=${mandir}
INCLUDEDIR=${includedir}
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2 2/3] e2fsprogs: Complement update-alternatives scope
Avoid collision of e2fsprogs provided tune2fs, mke2fs and mkfs.ext2
commands with corresponding BusyBox provided applets in case both
packages are installed to same rootfs, by adding these commands to
update-alternatives scope
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
index 56abb3b5d3..989d47394b 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
@@ -75,6 +75,12 @@ do_install_append_class-nativesdk() {
e2fsprogs_conf_fixup
}
+do_install_append_class-target() {
+ mv ${D}${base_sbindir}/mke2fs ${D}${base_sbindir}/mke2fs.e2fsprogs
+ mv ${D}${base_sbindir}/mkfs.ext2 ${D}${base_sbindir}/mkfs.ext2.e2fsprogs
+ mv ${D}${base_sbindir}/tune2fs ${D}${base_sbindir}/tune2fs.e2fsprogs
+}
+
RDEPENDS_e2fsprogs = "e2fsprogs-badblocks"
RRECOMMENDS_e2fsprogs = "e2fsprogs-mke2fs e2fsprogs-e2fsck"
@@ -83,8 +89,8 @@ PACKAGES =+ "libcomerr libss libe2p libext2fs"
FILES_e2fsprogs-resize2fs = "${base_sbindir}/resize2fs*"
FILES_e2fsprogs-e2fsck = "${base_sbindir}/e2fsck ${base_sbindir}/fsck.ext*"
-FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs ${base_sbindir}/mkfs.ext*
${sysconfdir}/mke2fs.conf"
-FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs ${base_sbindir}/e2label"
+FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs.e2fsprogs
${base_sbindir}/mkfs.ext* ${sysconfdir}/mke2fs.conf"
+FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs.e2fsprogs
${base_sbindir}/e2label"
FILES_e2fsprogs-badblocks = "${base_sbindir}/badblocks"
FILES_libcomerr = "${base_libdir}/libcom_err.so.*"
FILES_libss = "${base_libdir}/libss.so.*"
@@ -100,6 +106,13 @@ ALTERNATIVE_TARGET[chattr] =
"${base_bindir}/chattr.e2fsprogs"
ALTERNATIVE_${PN}-doc = "fsck.8"
ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
+ALTERNATIVE_${PN}-mke2fs = "mke2fs mkfs.ext2"
+ALTERNATIVE_LINK_NAME[mke2fs] = "${base_sbindir}/mke2fs"
+ALTERNATIVE_LINK_NAME[mkfs.ext2] = "${base_sbindir}/mkfs.ext2"
+
+ALTERNATIVE_${PN}-tune2fs = "tune2fs"
+ALTERNATIVE_LINK_NAME[tune2fs] = "${base_sbindir}/tune2fs"
+
RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash"
do_compile_ptest() {
--
2.16.3
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 2/3] e2fsprogs: Complement update-alternatives scope
On 05/03/2018 03:56 PM, Burton, Ross wrote: > Breaks packaging: > > packages/corei7-64-poky-linux/e2fsprogs/e2fsprogs-mke2fs: FILELIST: removed > "/sbin/mkfs.ext2 /sbin/mke2fs", added "/sbin/mkfs.ext2.e2fsprogs" > packages/corei7-64-poky-linux/e2fsprogs/e2fsprogs-tune2fs: FILELIST: > removed "/sbin/tune2fs" > packages/corei7-64-poky-linux/e2fsprogs/e2fsprogs: PKGSIZE changed from > 419692 to 645500 (+54%) > packages/corei7-64-poky-linux/e2fsprogs/e2fsprogs: FILELIST: added > "/sbin/mke2fs.e2fsprogs /sbin/tune2fs.e2fsprogs" Thanks, submitted v2: http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150468.html With v2 I got: $ buildhistory-diff packages/i586-poky-linux/e2fsprogs/e2fsprogs-mke2fs: FILELIST: removed "/sbin/mkfs.ext2 /sbin/mke2fs", added "/sbin/mkfs.ext2.e2fsprogs /sbin/mke2fs.e2fsprogs" * FILES: removed "/sbin/mke2fs", added "/sbin/mke2fs.e2fsprogs" packages/i586-poky-linux/e2fsprogs/e2fsprogs-mke2fs: RDEPENDS: added "update-alternatives-opkg" packages/i586-poky-linux/e2fsprogs/e2fsprogs-tune2fs: FILELIST: removed "/sbin/tune2fs", added "/sbin/tune2fs.e2fsprogs" * FILES: removed "/sbin/tune2fs", added "/sbin/tune2fs.e2fsprogs" packages/i586-poky-linux/e2fsprogs/e2fsprogs-tune2fs: RDEPENDS: added "update-alternatives-opkg" packages/i586-poky-linux/e2fsprogs/e2fsprogs-mke2fs: pkg_postinst added: @@ -0,0 +1 @@ +#!/bin/sh\nset -e\n\tupdate-alternatives --install /sbin/mke2fs mke2fs /sbin/mke2fs.e2fsprogs 100\n\tupdate-alternatives --install /sbin/mkfs.ext2 mkfs.ext2 /sbin/mkfs.ext2.e2fsprogs 100\n -- packages/i586-poky-linux/e2fsprogs/e2fsprogs-mke2fs: pkg_prerm added: @@ -0,0 +1 @@ +#!/bin/sh\nset -e\n\tupdate-alternatives --remove mke2fs /sbin/mke2fs.e2fsprogs\n\tupdate-alternatives --remove mkfs.ext2 /sbin/mkfs.ext2.e2fsprogs\n -- packages/i586-poky-linux/e2fsprogs/e2fsprogs-tune2fs: pkg_postinst added: @@ -0,0 +1 @@ +#!/bin/sh\nset -e\n\tupdate-alternatives --install /sbin/tune2fs tune2fs /sbin/tune2fs.e2fsprogs 100\n -- packages/i586-poky-linux/e2fsprogs/e2fsprogs-tune2fs: pkg_prerm added: @@ -0,0 +1 @@ +#!/bin/sh\nset -e\n\tupdate-alternatives --remove tune2fs /sbin/tune2fs.e2fsprogs\n -- -Niko -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v3 2/3] e2fsprogs: Complement update-alternatives scope
Avoid collision of e2fsprogs provided tune2fs, mke2fs and mkfs.ext2
commands with corresponding BusyBox provided applets in case both
packages are installed to same rootfs, by adding these commands to
update-alternatives scope
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
index 56abb3b5d3..c4739b98c8 100644
--- a/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
+++ b/meta/recipes-devtools/e2fsprogs/e2fsprogs_1.43.8.bb
@@ -75,6 +75,12 @@ do_install_append_class-nativesdk() {
e2fsprogs_conf_fixup
}
+do_install_append_class-target() {
+ mv ${D}${base_sbindir}/mke2fs ${D}${base_sbindir}/mke2fs.e2fsprogs
+ mv ${D}${base_sbindir}/mkfs.ext2 ${D}${base_sbindir}/mkfs.ext2.e2fsprogs
+ mv ${D}${base_sbindir}/tune2fs ${D}${base_sbindir}/tune2fs.e2fsprogs
+}
+
RDEPENDS_e2fsprogs = "e2fsprogs-badblocks"
RRECOMMENDS_e2fsprogs = "e2fsprogs-mke2fs e2fsprogs-e2fsck"
@@ -83,8 +89,8 @@ PACKAGES =+ "libcomerr libss libe2p libext2fs"
FILES_e2fsprogs-resize2fs = "${base_sbindir}/resize2fs*"
FILES_e2fsprogs-e2fsck = "${base_sbindir}/e2fsck ${base_sbindir}/fsck.ext*"
-FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs ${base_sbindir}/mkfs.ext*
${sysconfdir}/mke2fs.conf"
-FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs ${base_sbindir}/e2label"
+FILES_e2fsprogs-mke2fs = "${base_sbindir}/mke2fs.e2fsprogs
${base_sbindir}/mkfs.ext* ${sysconfdir}/mke2fs.conf"
+FILES_e2fsprogs-tune2fs = "${base_sbindir}/tune2fs.e2fsprogs
${base_sbindir}/e2label"
FILES_e2fsprogs-badblocks = "${base_sbindir}/badblocks"
FILES_libcomerr = "${base_libdir}/libcom_err.so.*"
FILES_libss = "${base_libdir}/libss.so.*"
@@ -100,6 +106,13 @@ ALTERNATIVE_TARGET[chattr] =
"${base_bindir}/chattr.e2fsprogs"
ALTERNATIVE_${PN}-doc = "fsck.8"
ALTERNATIVE_LINK_NAME[fsck.8] = "${mandir}/man8/fsck.8"
+ALTERNATIVE_e2fsprogs-mke2fs = "mke2fs mkfs.ext2"
+ALTERNATIVE_LINK_NAME[mke2fs] = "${base_sbindir}/mke2fs"
+ALTERNATIVE_LINK_NAME[mkfs.ext2] = "${base_sbindir}/mkfs.ext2"
+
+ALTERNATIVE_e2fsprogs-tune2fs = "tune2fs"
+ALTERNATIVE_LINK_NAME[tune2fs] = "${base_sbindir}/tune2fs"
+
RDEPENDS_${PN}-ptest += "${PN} ${PN}-tune2fs coreutils procps bash"
do_compile_ptest() {
--
2.16.3
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH 2/3] e2fsprogs: Complement update-alternatives scope
On 05/03/2018 03:56 PM, Burton, Ross wrote:
> Breaks packaging:
Submitted v3 still in which I changed the added 'ALTERNATIVE_${PN}-...' lines
to 'ALTERNATIVE_e2fsprogs-...':
http://lists.openembedded.org/pipermail/openembedded-core/2018-May/150471.html
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] cmake: Export SSH_AUTH_SOCK for cmake at configure
Update cmake_do_configure() to export a set SSH_AUTH_SOCK variable
before calling cmake.
Otherwise, if cmake call during cmake_do_configure() resorts to
ExternalProject directive containing a GIT_REPOSITORY entry, and git
authentication scheme is based on SSH agent forwarding, it fails
followingly
| Cloning into 'foo'...
| Permission denied (publickey).
| fatal: Could not read from remote repository.
|
| Please make sure you have the correct access rights
| and the repository exists.
|
| ...
|
| CMake Error at .../tmp/foo-gitclone.cmake:66 (message):
| Failed to clone repository: 'ssh://...
Signed-off-by: Niko Mauno
---
meta/classes/cmake.bbclass | 5 +
1 file changed, 5 insertions(+)
diff --git a/meta/classes/cmake.bbclass b/meta/classes/cmake.bbclass
index fcfd5dda4f..82d36be8ff 100644
--- a/meta/classes/cmake.bbclass
+++ b/meta/classes/cmake.bbclass
@@ -137,6 +137,11 @@ cmake_do_configure() {
oecmake_sitefile=
fi
+ # Allow cmake to perform eg. git clone in context where authentication
relies on SSH agent forwarding
+ if [ "${SSH_AUTH_SOCK}" ] ; then
+ export SSH_AUTH_SOCK=${SSH_AUTH_SOCK}
+ fi
+
cmake \
${OECMAKE_GENERATOR_ARGS} \
$oecmake_sitefile \
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] recipes-kernel/linux-libc-headers/linux-libc-headers.inc question
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=eb24d4aeacaad9d41ddcbefd8d2ac96e95548183
apparently is needed for 4.15, but it breaks with 4.14 as we get
ERROR: linux-libc-headers-4.14-r0 do_install: oe_multilib_header:
Unable to find header asm/bpf_perf_event.h.
I used following to work this around in our own linux-libc-headers_4.14.bb:
do_install_armmultilib_prepend() {
touch ${D}${includedir}/asm/bpf_perf_event.h
}
but curious if somebody could suggest a better mitigation
-Niko
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] recipes-kernel/linux-libc-headers/linux-libc-headers.inc question
https://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=eb24d4aeacaad9d41ddcbefd8d2ac96e95548183
apparently is needed for 4.15, but it breaks with 4.14 as we get
ERROR: linux-libc-headers-4.14-r0 do_install: oe_multilib_header:
Unable to find header asm/bpf_perf_event.h.
I used following to work this around in our own linux-libc-headers_4.14.bb:
do_install_armmultilib_prepend() {
touch ${D}${includedir}/asm/bpf_perf_event.h
}
but curious if somebody could suggest a better mitigation
-Niko
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] util-linux: make alternatives for rev and ionice work with busybox
On 11/9/18 2:24 AM, Burton, Ross wrote:
On Thu, 8 Nov 2018 at 10:58, Pascal Bach wrote:
Busybox can provide ionice and rev. They are both installed to /bin
The corresponding util-linux variant is installed to /usr/bin
This causes the following error during the do_rootfs task:
update-alternatives: renaming ionice link from /bin/ionice to /usr/bin/ionice
mv: cannot stat '/bin/ionice': No such file or directory
Moving the util-linux binaries to /bin avoids this error.
Isn't it simpler to just set ALTERNATIVE_LINK_NAME[ionice] =
"${base_bindir}/ionice" (so the system knows to use the same symlink
for this and busybox) instead of actually moving the binary too?
Ross
Case being that busybox has ionice and rev under /bin/ whereas
util-linux under /usr/bin/, I wonder would the prudent course of action
at this point rather be to revert the 'ionice' and 'rev' specific bits
that were introduced (along 'cal') in
http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-core/util-linux/util-linux.inc?id=78db831a7b0c2361a266eb37c7cbf2e368d2280a
-Niko
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] opkg-utils: Fix update-alternatives link relocation
Recently Debian-style support for link relocation was added to
'update-alternatives' script, but it fails under circumstances where
host rootfs root directory differs from target rootfs root directory
and two alternative packages provide a symbolic link with source
located in different directories.
An example of the case is busybox provided /bin/rev (symlinking to
/bin/busybox.nosuid) and util-linux provided /usr/bin/rev (symlinking
to /usr/bin/rev.util-linux) in which case following failure occurs
during image recipe's do_rootfs() task:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Postinstall scriptlets of
['util-linux'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in
.../tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/temp/log.do_rootfs.
ERROR: core-image-minimal-1.0-r0 do_rootfs: Function failed: do_rootfs
Looking in log.do_rootfs file, following relevant lines can be observed:
update-alternatives: renaming rev link from /bin/rev to /usr/bin/rev
mv: cannot stat '/bin/rev': No such file or directory
Mitigate issue by applying patch which adds target root filesystem root
directory path prefix to failing 'mv' calls relevant variable references
Signed-off-by: Niko Mauno
---
...rnatives-Fix-link-relocation-support.patch | 40 +++
.../opkg-utils/opkg-utils_0.3.6.bb| 1 +
2 files changed, 41 insertions(+)
create mode 100644
meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
diff --git
a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
new file mode 100644
index 00..e1836dbb34
--- /dev/null
+++
b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
@@ -0,0 +1,40 @@
+From 18562ccae6996431d37767653b061d4e9e1b9424 Mon Sep 17 00:00:00 2001
+From: Niko Mauno
+Date: Sun, 11 Nov 2018 15:50:22 +0200
+Subject: [opkg-utils PATCH] update-alternatives: Fix link relocation support
+
+Commit fcb2633921eb9bb711aa264247aebcfdd4ae which added Debian-style
+support for link relocation tries to relocate symbolic link on host OS,
+resulting in following-like error when two alternative packages have
+symbolic link source located in different directories (/bin/rev ->
+/bin/busybox.nosuid and /usr/bin/rev -> /usr/bin/rev.util-linux):
+
+ update-alternatives: renaming rev link from /bin/rev to /usr/bin/rev
+ mv: cannot stat '/bin/rev': No such file or directory
+
+Fix the issue by prefixing 'olink' and 'link' variable references with
+path to targeted root filesystem's root directory.
+
+Upstream-Status: Pending
+
+Signed-off-by: Niko Mauno
+---
+ update-alternatives | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/update-alternatives b/update-alternatives
+index 89a440b..d4fa7eb 100644
+--- a/update-alternatives
b/update-alternatives
+@@ -58,7 +58,7 @@ register_alt() {
+ local link_str=`echo $link | protect_slashes`
+ sed -e "1s/.*/$link_str/" $ad/$name > $ad/$name.new
+ mv $ad/$name.new $ad/$name
+- mv $olink $link
++ mv $OPKG_OFFLINE_ROOT$olink $OPKG_OFFLINE_ROOT$link
+ fi
+ else
+ echo "$link" > "$ad/$name"
+--
+2.19.1
+
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
b/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
index cb3775d9c9..4c41774c39 100644
--- a/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
+++ b/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
@@ -13,6 +13,7 @@ SRC_URI =
"http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV
file://0002-opkg-build-Use-local-time-for-build_date-since-opkg-.patch \
file://threaded-xz.patch \
file://pigz.patch \
+ file://0001-update-alternatives-Fix-link-relocation-support.patch \
"
SRC_URI_append_class-native = " file://tar_ignore_error.patch"
UPSTREAM_CHECK_URI =
"http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/refs/";
--
2.19.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] util-linux: make alternatives for rev and ionice work with busybox
On 11/9/18 7:36 PM, Niko Mauno wrote:
> On 11/9/18 2:24 AM, Burton, Ross wrote:
>> On Thu, 8 Nov 2018 at 10:58, Pascal Bach wrote:
>>> Busybox can provide ionice and rev. They are both installed to /bin
>>> The corresponding util-linux variant is installed to /usr/bin
>>>
>>> This causes the following error during the do_rootfs task:
>>>
>>>> update-alternatives: renaming ionice link from /bin/ionice to
>>>> /usr/bin/ionice
>>>> mv: cannot stat '/bin/ionice': No such file or directory
>>>
>>> Moving the util-linux binaries to /bin avoids this error.
>>
>> Isn't it simpler to just set ALTERNATIVE_LINK_NAME[ionice] =
>> "${base_bindir}/ionice" (so the system knows to use the same symlink
>> for this and busybox) instead of actually moving the binary too?
>>
>> Ross
>>
>
> Case being that busybox has ionice and rev under /bin/ whereas
> util-linux under /usr/bin/, I wonder would the prudent course of action
> at this point rather be to revert the 'ionice' and 'rev' specific bits
> that were introduced (along 'cal') in
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/meta/recipes-core/util-linux/util-linux.inc?id=78db831a7b0c2361a266eb37c7cbf2e368d2280a
>
>
>
> -Niko
I believe I've pinpointed this issue to
https://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/commit/?id=fcb2633921eb9bb711aa264247aebcfdd4ae
which added link relocation support to update-alternatives script (it used to
error outright in case the new symlink source differed from old one, which
deviated from Debian's update-alternatives behaviour). However in the added
implementation, handling of case where target rootfs root directory did not
match host rootfs root directory (such as in Yocto do_rootfs context) the 'mv'
call tried to relocate the symlink on host rootfs rather than target rootfs
resulting in 'cannot stat' error.
I submitted a patch a moment ago to opkg-utils upstream, as well as oe-core
patch to opkg-utils recipe (just in case the former takes time to propagate to
Yocto):
https://lists.yoctoproject.org/pipermail/yocto/2018-November/043249.html
http://lists.openembedded.org/pipermail/openembedded-core/2018-November/275959.html
-Niko
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH v2] opkg-utils: Fix update-alternatives link relocation
Recently Debian-style support for link relocation was added to
'update-alternatives' script, but it fails under circumstances where
host rootfs root directory differs from target rootfs root directory
and two alternative packages provide a symbolic link with source
located in different directories.
An example of the case is busybox provided /bin/rev (symlinking to
/bin/busybox.nosuid) and util-linux provided /usr/bin/rev (symlinking
to /usr/bin/rev.util-linux) in which case following failure occurs
during image recipe's do_rootfs() task:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Postinstall scriptlets of
['util-linux'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.
Details of the failure are in
.../tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/temp/log.do_rootfs.
ERROR: core-image-minimal-1.0-r0 do_rootfs: Function failed: do_rootfs
Looking in log.do_rootfs file, following relevant lines can be observed:
update-alternatives: renaming rev link from /bin/rev to /usr/bin/rev
mv: cannot stat '/bin/rev': No such file or directory
Mitigate issue by applying patch which adds target root filesystem root
directory path prefix to failing 'mv' calls relevant variable references
Signed-off-by: Niko Mauno
---
...rnatives-Fix-link-relocation-support.patch | 40 +++
.../opkg-utils/opkg-utils_0.3.6.bb| 1 +
2 files changed, 41 insertions(+)
create mode 100644
meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
diff --git
a/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
new file mode 100644
index 00..9dc488b7aa
--- /dev/null
+++
b/meta/recipes-devtools/opkg-utils/opkg-utils/0001-update-alternatives-Fix-link-relocation-support.patch
@@ -0,0 +1,40 @@
+From 18562ccae6996431d37767653b061d4e9e1b9424 Mon Sep 17 00:00:00 2001
+From: Niko Mauno
+Date: Sun, 11 Nov 2018 15:50:22 +0200
+Subject: [opkg-utils PATCH] update-alternatives: Fix link relocation support
+
+Commit fcb2633921eb9bb711aa264247aebcfdd4ae which added Debian-style
+support for link relocation tries to relocate symbolic link on host OS,
+resulting in following-like error when two alternative packages have
+symbolic link source located in different directories (/bin/rev ->
+/bin/busybox.nosuid and /usr/bin/rev -> /usr/bin/rev.util-linux):
+
+ update-alternatives: renaming rev link from /bin/rev to /usr/bin/rev
+ mv: cannot stat '/bin/rev': No such file or directory
+
+Fix the issue by prefixing 'olink' and 'link' variable references with
+path to targeted root filesystem's root directory.
+
+Upstream-Status: Submitted [opkg-utils]
+
+Signed-off-by: Niko Mauno
+---
+ update-alternatives | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/update-alternatives b/update-alternatives
+index 89a440b..d4fa7eb 100644
+--- a/update-alternatives
b/update-alternatives
+@@ -58,7 +58,7 @@ register_alt() {
+ local link_str=`echo $link | protect_slashes`
+ sed -e "1s/.*/$link_str/" $ad/$name > $ad/$name.new
+ mv $ad/$name.new $ad/$name
+- mv $olink $link
++ mv $OPKG_OFFLINE_ROOT$olink $OPKG_OFFLINE_ROOT$link
+ fi
+ else
+ echo "$link" > "$ad/$name"
+--
+2.19.1
+
diff --git a/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
b/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
index cb3775d9c9..4c41774c39 100644
--- a/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
+++ b/meta/recipes-devtools/opkg-utils/opkg-utils_0.3.6.bb
@@ -13,6 +13,7 @@ SRC_URI =
"http://git.yoctoproject.org/cgit/cgit.cgi/${BPN}/snapshot/${BPN}-${PV
file://0002-opkg-build-Use-local-time-for-build_date-since-opkg-.patch \
file://threaded-xz.patch \
file://pigz.patch \
+ file://0001-update-alternatives-Fix-link-relocation-support.patch \
"
SRC_URI_append_class-native = " file://tar_ignore_error.patch"
UPSTREAM_CHECK_URI =
"http://git.yoctoproject.org/cgit/cgit.cgi/opkg-utils/refs/";
--
2.19.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [PATCH] opkg-utils: Fix update-alternatives link relocation
On 11/12/18 12:55 PM, Burton, Ross wrote: > On Sun, 11 Nov 2018 at 15:44, Niko Mauno wrote: >> +Upstream-Status: Pending > > I saw you post this to yocto@, so this is definitely Submitted. Thanks, submitted v2 in which I corrected this to Upstream-Status: Submitted [opkg-utils] -Niko -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [zeus][PATCH 1/3] iptables: Cosmetic fixes to recipe
Introduce cosmetic changes to recipe content, most notably
- Change indentation style to four spaces in task statements
- Reorder several entries according to oe-stylize.py suggestions
(From OE-Core rev: c1d162b6165f11b7b5ae5c6066e7683d5e1379fc)
Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
.../iptables/iptables_1.8.3.bb| 60 +--
1 file changed, 29 insertions(+), 31 deletions(-)
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index ff9fcb1b53..563c8ae354 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -4,8 +4,9 @@ filtering code in Linux."
HOMEPAGE = "http://www.netfilter.org/";
BUGTRACKER = "http://bugzilla.netfilter.org/";
LICENSE = "GPLv2+"
-LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
-
file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc"
+LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
+
file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc
\
+"
SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2
\
file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
@@ -13,16 +14,16 @@ SRC_URI =
"http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://iptables.service \
file://iptables.rules \
"
-
SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
SRC_URI[sha256sum] =
"a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
+SYSTEMD_SERVICE_${PN} = "iptables.service"
+
inherit autotools pkgconfig systemd
EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
-
PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
# libnfnetlink recipe is in meta-networking layer
@@ -32,9 +33,19 @@ PACKAGECONFIG[libnfnetlink] =
"--enable-libnfnetlink,--disable-libnfnetlink,libn
PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
do_configure_prepend() {
- # Remove some libtool m4 files
- # Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
- rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+# Remove some libtool m4 files
+# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
+rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
+}
+
+do_install_append() {
+install -d ${D}${sysconfdir}/iptables
+install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+
+install -d ${D}${systemd_system_unitdir}
+install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
+
+sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
}
PACKAGES += "${PN}-modules"
@@ -47,30 +58,6 @@ python populate_packages_prepend() {
d.appendVar('RDEPENDS_' + metapkg, ' ' + ' '.join(modules))
}
-FILES_${PN} += "${datadir}/xtables"
-
-# Include the symlinks as well in respective packages
-FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
-FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
-
-INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
-INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
-
-ALLOW_EMPTY_${PN}-modules = "1"
-
-do_install_append() {
-
-install -d ${D}${sysconfdir}/iptables
-install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
-
-install -d ${D}${systemd_system_unitdir}
-install -m 0644 ${WORKDIR}/iptables.service
${D}${systemd_system_unitdir}
-
- sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
-}
-
-SYSTEMD_SERVICE_${PN} = "iptables.service"
-
RDEPENDS_${PN} = "${PN}-module-xt-standard"
RRECOMMENDS_${PN} = " \
${PN}-modules \
@@ -84,3 +71,14 @@ RRECOMMENDS_${PN} = " \
kernel-module-nf-nat \
kernel-module-ipt-masquerade \
"
+
+FILES_${PN} += "${datadir}/xtables"
+
+# Include the symlinks as well in respective packages
+FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
+FILES_${PN}-module-xt-ct += "${libdir}/xtables/libxt_NOTRACK.so"
+
+ALLOW_EMPTY_${PN}-modules = "1"
+
+INSANE_SKIP_${PN}-module-xt-conntrack = "dev-so"
+INSANE_SKIP_${PN}-module-xt-ct = "dev-so"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [zeus][PATCH 2/3] iptables: Allow overriding rules file location
In some cases a distribution may want to install rules file into a
location other than /etc/iptables/ so introduce custom recipe-level
IPTABLES_RULES_DIR parameter which allows conveniently overriding
the rules directory location.
(From OE-Core rev: 64eeedcdc586c221e3684861ba85e8e4bc9c5dd1)
Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
.../iptables/iptables/iptables.service| 4 ++--
meta/recipes-extended/iptables/iptables_1.8.3.bb | 11 ---
2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service
b/meta/recipes-extended/iptables/iptables/iptables.service
index 041316e457..5a8aa3f298 100644
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -5,8 +5,8 @@ Wants=network-pre.target
[Service]
Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore /etc/iptables/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
RemainAfterExit=yes
[Install]
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 563c8ae354..73680207b4 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -38,14 +38,19 @@ do_configure_prepend() {
rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
}
+IPTABLES_RULES_DIR ?= "${sysconfdir}/${BPN}"
+
do_install_append() {
-install -d ${D}${sysconfdir}/iptables
-install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
+install -d ${D}${IPTABLES_RULES_DIR}
+install -m 0644 ${WORKDIR}/iptables.rules ${D}${IPTABLES_RULES_DIR}
install -d ${D}${systemd_system_unitdir}
install -m 0644 ${WORKDIR}/iptables.service ${D}${systemd_system_unitdir}
-sed -i -e 's,@SBINDIR@,${sbindir},g'
${D}${systemd_system_unitdir}/iptables.service
+sed -i \
+-e 's,@SBINDIR@,${sbindir},g' \
+-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+${D}${systemd_system_unitdir}/iptables.service
}
PACKAGES += "${PN}-modules"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [zeus][PATCH 3/3] iptables: Add systemd helper unit for IPv6 too
Commit bc66b2f45ade2c63cfd14d5388f6ca0905a23bb0 added systemd helper
unit for automatic IPv4 rule loading. Complement the effort by adding
systemd helper unit also for automatic IPv6 rule loading.
(From OE-Core rev: 3b8df6b6aba3632de7c3c01c8468fbcedb032493)
Signed-off-by: Niko Mauno
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
.../iptables/iptables/ip6tables.rules | 0
.../iptables/iptables/ip6tables.service | 13
.../iptables/iptables/iptables.service| 6 +++---
.../iptables/iptables_1.8.3.bb| 21 ++-
4 files changed, 36 insertions(+), 4 deletions(-)
create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.rules
create mode 100644 meta/recipes-extended/iptables/iptables/ip6tables.service
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.rules
b/meta/recipes-extended/iptables/iptables/ip6tables.rules
new file mode 100644
index 00..e69de29bb2
diff --git a/meta/recipes-extended/iptables/iptables/ip6tables.service
b/meta/recipes-extended/iptables/iptables/ip6tables.service
new file mode 100644
index 00..6c059fca49
--- /dev/null
+++ b/meta/recipes-extended/iptables/iptables/ip6tables.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=IPv6 Packet Filtering Framework
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+ExecReload=@SBINDIR@/ip6tables-restore -w -- @RULESDIR@/ip6tables.rules
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/meta/recipes-extended/iptables/iptables/iptables.service
b/meta/recipes-extended/iptables/iptables/iptables.service
index 5a8aa3f298..0eb3c343de 100644
--- a/meta/recipes-extended/iptables/iptables/iptables.service
+++ b/meta/recipes-extended/iptables/iptables/iptables.service
@@ -1,12 +1,12 @@
[Unit]
-Description=Packet Filtering Framework
+Description=IPv4 Packet Filtering Framework
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
-ExecStart=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
-ExecReload=@SBINDIR@/iptables-restore @RULESDIR@/iptables.rules
+ExecStart=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
+ExecReload=@SBINDIR@/iptables-restore -w -- @RULESDIR@/iptables.rules
RemainAfterExit=yes
[Install]
diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
b/meta/recipes-extended/iptables/iptables_1.8.3.bb
index 73680207b4..96d195d9d0 100644
--- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
+++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
@@ -13,11 +13,16 @@ SRC_URI =
"http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
file://0002-configure.ac-only-check-conntrack-when-libnfnetlink-enabled.patch \
file://iptables.service \
file://iptables.rules \
+ file://ip6tables.service \
+ file://ip6tables.rules \
"
SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
SRC_URI[sha256sum] =
"a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
-SYSTEMD_SERVICE_${PN} = "iptables.service"
+SYSTEMD_SERVICE_${PN} = "\
+iptables.service \
+${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'ip6tables.service', '', d)}
\
+"
inherit autotools pkgconfig systemd
@@ -51,6 +56,16 @@ do_install_append() {
-e 's,@SBINDIR@,${sbindir},g' \
-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
${D}${systemd_system_unitdir}/iptables.service
+
+if ${@bb.utils.contains('PACKAGECONFIG', 'ipv6', 'true', 'false', d)} ;
then
+install -m 0644 ${WORKDIR}/ip6tables.rules ${D}${IPTABLES_RULES_DIR}
+install -m 0644 ${WORKDIR}/ip6tables.service
${D}${systemd_system_unitdir}
+
+sed -i \
+-e 's,@SBINDIR@,${sbindir},g' \
+-e 's,@RULESDIR@,${IPTABLES_RULES_DIR},g' \
+${D}${systemd_system_unitdir}/ip6tables.service
+fi
}
PACKAGES += "${PN}-modules"
@@ -75,6 +90,10 @@ RRECOMMENDS_${PN} = " \
kernel-module-nf-conntrack-ipv4 \
kernel-module-nf-nat \
kernel-module-ipt-masquerade \
+${@bb.utils.contains('PACKAGECONFIG', 'ipv6', '\
+kernel-module-ip6table-filter \
+kernel-module-ip6-tables \
+', '', d)} \
"
FILES_${PN} += "${datadir}/xtables"
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] cve-check: Switch to NVD CVE JSON feed version 1.1
Switch to recently released version 1.1 of NVD CVE JSON feed, as in
https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
it is mentioned that
Due to changes required to support CVSS v3.1 scoring, the JSON
vulnerability feeds must be modified. This will require the consumers
of this data to update their internal processes. We will be providing
the JSON 1.1 schema on the data feeds page and the information below
to prepare for this transition.
...
The JSON 1.1 data feeds will be available on September 9th, 2019. At
that time the current JSON 1.0 data feeds will no longer available.
This change was tested briefly by issuing 'bitbake core-image-minimal'
with 'cve-check.bbclass' inherited via local.conf, and then comparing
the content between the resulting two
'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not
seem to contain any other change, except total of 167 entries like
CVSS v3 BASE SCORE: 0.0
were replaced with similar 'CVSS v3 BASE SCORE:' entries which had
scores that were greater than '0.0' (up to '9.8').
Signed-off-by: Niko Mauno
---
meta/classes/cve-check.bbclass | 2 +-
meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed5548b3..01b3637469 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a28e..575254af40 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
bb.utils.export_proxies(d)
-BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-";
+BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-";
YEAR_START = 2002
db_file = d.getVar("CVE_CHECK_DB_FILE")
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 01/11] cve-check: backport rewrite from master
From: Ross Burton
As detailed at [1] the XML feeds provided by NIST are being discontinued on
October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be
inoperable after this date.
To ensure that cve-check continues working, backport the following commits from
master to move away from the unmaintained cve-check-tool to our own Python code
that fetches the JSON:
546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than
operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not
loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning
[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement
(From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb)
Signed-off-by: Ross Burton
Signed-off-by: Armin Kuster
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass| 142 +++-
meta/conf/distro/include/maintainers.inc | 1 +
meta/recipes-core/glibc/glibc-locale.inc | 3 +
meta/recipes-core/glibc/glibc-mtrace.inc | 3 +
meta/recipes-core/glibc/glibc-scripts.inc | 3 +
.../recipes-core/meta/cve-update-db-native.bb | 195
.../cve-check-tool/cve-check-tool_5.6.4.bb| 62 -
...x-freeing-memory-allocated-by-sqlite.patch | 50
...erriding-default-CA-certificate-file.patch | 215 --
...s-in-percent-when-downloading-CVE-db.patch | 135 ---
...omputed-vs-expected-sha256-digit-str.patch | 52 -
...heck-for-malloc_trim-before-using-it.patch | 51 -
12 files changed, 292 insertions(+), 620 deletions(-)
create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb
delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
delete mode 100644
meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
delete mode 100644
meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
delete mode 100644
meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch
delete mode 100644
meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
delete mode 100644
meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..c00d2910be 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -37,32 +37,33 @@ CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
-glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
-'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
-if os.path.exists(d.getVar("
[OE-core] [thud-next][PATCH 02/11] cve-check: ensure all known CVEs are in the report
From: Ross Burton
CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.
(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 9 +++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c00d2910be..f87bcc9dc6 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv,
cve))
+# TODO: this should be in the report as 'whitelisted'
+patched_cves.add(cve)
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
else:
to_append = False
if (operator_start == '=' and pv == version_start):
-cves_unpatched.append(cve)
+to_append = True
else:
if operator_start:
try:
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
to_append = to_append_start or to_append_end
if to_append:
+bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
-bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+else:
+bb.note("%s-%s is not vulnerable to %s" % (product, pv,
cve))
+patched_cves.add(cve)
conn.close()
return (list(patched_cves), cves_unpatched)
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 03/11] cve-check: failure to parse versions should be more visible
From: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f87bcc9dc6..1c8b2223a2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -222,7 +222,7 @@ def check_cves(d, patched_cves):
to_append_start = (operator_start == '>=' and
LooseVersion(pv) >= LooseVersion(version_start))
to_append_start |= (operator_start == '>' and
LooseVersion(pv) > LooseVersion(version_start))
except:
-bb.note("%s: Failed to compare %s %s %s for %s" %
+bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start,
version_start, cve))
to_append_start = False
else:
@@ -233,7 +233,7 @@ def check_cves(d, patched_cves):
to_append_end = (operator_end == '<=' and
LooseVersion(pv) <= LooseVersion(version_end))
to_append_end |= (operator_end == '<' and
LooseVersion(pv) < LooseVersion(version_end))
except:
-bb.note("%s: Failed to compare %s %s %s for %s" %
+bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end,
cve))
to_append_end = False
else:
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 05/11] cve-update-db-native: don't refresh more than once an hour
From: Ross Burton
We already fetch the yearly CVE metadata and check that for updates before
downloading the full data, but we can speed up CVE checking further by only
checking the CVE metadata once an hour.
(From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/recipes-core/meta/cve-update-db-native.bb | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index 2c427a5884..19875a49b1 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -31,8 +31,16 @@ python do_populate_cve_db() {
db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
-proxy = d.getVar("https_proxy")
+# Don't refresh the database more than once an hour
+try:
+import time
+if time.time() - os.path.getmtime(db_file) < (60*60):
+return
+except OSError:
+pass
+
+proxy = d.getVar("https_proxy")
if proxy:
# instantiate an opener but do not install it as the global
# opener unless if we're really sure it's applicable for all
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 04/11] cve-check: we don't actually need to unpack to check
From: Ross Burton
The patch scanner works with patch files in the layer, not in the workdir, so it
doesn't need to unpack.
(From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1c8b2223a2..3326944d79 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -62,7 +62,7 @@ python do_cve_check () {
}
-addtask cve_check after do_unpack before do_build
+addtask cve_check before do_build
do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
do_cve_check[nostamp] = "1"
@@ -70,7 +70,6 @@ python cve_check_cleanup () {
"""
Delete the file used to gather all the CVE information.
"""
-
bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE"))
}
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 06/11] cve-update-db-native: don't hardcode the database name
From: Ross Burton
Don't hardcode the database filename, there's a variable for this in
cve-check.bbclass.
(From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/recipes-core/meta/cve-update-db-native.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index 19875a49b1..c15534de08 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -28,8 +28,8 @@ python do_populate_cve_db() {
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-";
YEAR_START = 2002
-db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK')
-db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
+db_file = d.getVar("CVE_CHECK_DB_FILE")
+db_dir = os.path.dirname(db_file)
json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
# Don't refresh the database more than once an hour
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 09/11] cve-check: rewrite look to fix false negatives
From: Ross Burton
A previous optimisation was premature and resulted in false-negatives in the
report.
Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not. By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.
(From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 63 ++
1 file changed, 34 insertions(+), 29 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3326944d79..c1cbdbde7b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -165,7 +165,6 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
-import ast, csv, tempfile, subprocess, io
from distutils.version import LooseVersion
cves_unpatched = []
@@ -187,68 +186,74 @@ def check_cves(d, patched_cves):
cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
-db_file = d.getVar("CVE_CHECK_DB_FILE")
-conn = sqlite3.connect(db_file)
+db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
+conn = sqlite3.connect(db_file, uri=True)
+# For each of the known product names (e.g. curl has CPEs using curl and
libcurl)...
for product in products:
-c = conn.cursor()
if ":" in product:
vendor, product = product.split(":", 1)
-c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS
?", (product, vendor))
else:
-c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+vendor = "%"
-for row in c:
-cve = row[0]
-version_start = row[3]
-operator_start = row[4]
-version_end = row[5]
-operator_end = row[6]
+# Find all relevant CVE IDs.
+for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE
PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+cve = cverow[0]
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv,
cve))
# TODO: this should be in the report as 'whitelisted'
patched_cves.add(cve)
+continue
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
-else:
-to_append = False
+continue
+
+vulnerable = False
+for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND
PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+(_, _, _, version_start, operator_start, version_end,
operator_end) = row
+#bb.debug(2, "Evaluating row " + str(row))
+
if (operator_start == '=' and pv == version_start):
-to_append = True
+vulnerable = True
else:
if operator_start:
try:
-to_append_start = (operator_start == '>=' and
LooseVersion(pv) >= LooseVersion(version_start))
-to_append_start |= (operator_start == '>' and
LooseVersion(pv) > LooseVersion(version_start))
+vulnerable_start = (operator_start == '>=' and
LooseVersion(pv) >= LooseVersion(version_start))
+vulnerable_start |= (operator_start == '>' and
LooseVersion(pv) > LooseVersion(version_start))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_start,
version_start, cve))
-to_append_start = False
+vulnerable_start = False
else:
-to_append_start = False
+vulnerable_start = False
if operator_end:
try:
-to_append_end = (operator_end == '<=' and
LooseVersion(pv) <= LooseVersion(version_end))
-to_append_end |= (operator_end == '<' and
LooseVersion(pv) < LooseVersion(version_end))
+vulnerable_end = (operator_end == '<=' and
LooseVersion(pv) <= LooseVersion(version_end))
+vulnerable_end |= (operator_end == '<' and
LooseVersion(pv) < LooseVersion(version_end))
except:
bb.warn("%s: Failed to compare %s %s %s for %s" %
(product, pv, operator_end, version_end,
cve))
-to_appe
[OE-core] [thud-next][PATCH 07/11] cve-update-db-native: add an index on the CVE ID column
From: Ross Burton
Create an index on the PRODUCTS table which contains a row for each CPE,
drastically increasing the performance of lookups for a specific CVE.
(From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/recipes-core/meta/cve-update-db-native.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index c15534de08..08b18f064f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -120,11 +120,14 @@ python do_populate_cve_db() {
def initialize_db(c):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE
TEXT)")
+
c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
VERSION_END TEXT, OPERATOR_END TEXT)")
+c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
def parse_node_and_insert(c, node, cveId):
# Parse children node if needed
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 08/11] cve-update-db-native: clean up proxy handling
From: Ross Burton
urllib handles adding proxy handlers if the proxies are set in the environment,
so call bb.utils.export_proxies() to do that and remove the manual setup.
(From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
.../recipes-core/meta/cve-update-db-native.bb | 31 +++
1 file changed, 5 insertions(+), 26 deletions(-)
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index 08b18f064f..db1d69a28e 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -21,10 +21,12 @@ python do_populate_cve_db() {
"""
Update NVD database with json data feed
"""
-
+import bb.utils
import sqlite3, urllib, urllib.parse, shutil, gzip
from datetime import date
+bb.utils.export_proxies(d)
+
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-";
YEAR_START = 2002
@@ -40,16 +42,6 @@ python do_populate_cve_db() {
except OSError:
pass
-proxy = d.getVar("https_proxy")
-if proxy:
-# instantiate an opener but do not install it as the global
-# opener unless if we're really sure it's applicable for all
-# urllib requests
-proxy_handler = urllib.request.ProxyHandler({'https': proxy})
-proxy_opener = urllib.request.build_opener(proxy_handler)
-else:
-proxy_opener = None
-
cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
if not os.path.isdir(db_dir):
@@ -67,15 +59,7 @@ python do_populate_cve_db() {
json_url = year_url + ".json.gz"
# Retrieve meta last modified date
-
-response = None
-
-if proxy_opener:
-response = proxy_opener.open(meta_url)
-else:
-req = urllib.request.Request(meta_url)
-response = urllib.request.urlopen(req)
-
+response = urllib.request.urlopen(meta_url)
if response:
for l in response.read().decode("utf-8").splitlines():
key, value = l.split(":", 1)
@@ -95,12 +79,7 @@ python do_populate_cve_db() {
# Update db with current year json file
try:
-if proxy_opener:
-response = proxy_opener.open(json_url)
-else:
-req = urllib.request.Request(json_url)
-response = urllib.request.urlopen(req)
-
+response = urllib.request.urlopen(json_url)
if response:
update_db(c,
gzip.decompress(response.read()).decode('utf-8'))
c.execute("insert or replace into META values (?, ?)", [year,
last_modified])
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 10/11] cve-check: neaten get_cve_info
From: Ross Burton
Remove obsolete Python 2 code, and use convenience methods for neatness.
(From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 18 +-
1 file changed, 5 insertions(+), 13 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c1cbdbde7b..e95716d9de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -261,23 +261,15 @@ def check_cves(d, patched_cves):
def get_cve_info(d, cves):
"""
Get CVE information from the database.
-
-Unfortunately the only way to get CVE info is set the output to
-html (hard to parse) or query directly the database.
"""
-try:
-import sqlite3
-except ImportError:
-from pysqlite2 import dbapi2 as sqlite3
+import sqlite3
cve_data = {}
-db_file = d.getVar("CVE_CHECK_DB_FILE")
-placeholder = ",".join("?" * len(cves))
-query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder
-conn = sqlite3.connect(db_file)
-cur = conn.cursor()
-for row in cur.execute(query, tuple(cves)):
+conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
+placeholders = ",".join("?" * len(cves))
+query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
+for row in conn.execute(query, tuple(cves)):
cve_data[row[0]] = {}
cve_data[row[0]]["summary"] = row[1]
cve_data[row[0]]["scorev2"] = row[2]
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud-next][PATCH 11/11] cve-check: fetch CVE data once at a time instead of in a single call
From: Ross Burton
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested. For recipes such as the kernel where there are over 2000
CVEs to report this can hit the variable count limit and the query fails with
"sqlite3.OperationalError: too many SQL variables". The default limit is 999
variables, but some distributions such as Debian set the default to 25.
As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time
different is insignificant: 0.05s verses 0.01s on my machine.
(From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 20 ++--
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d9de..19ed5548b3 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves):
cve_data = {}
conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
-placeholders = ",".join("?" * len(cves))
-query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
-for row in conn.execute(query, tuple(cves)):
-cve_data[row[0]] = {}
-cve_data[row[0]]["summary"] = row[1]
-cve_data[row[0]]["scorev2"] = row[2]
-cve_data[row[0]]["scorev3"] = row[3]
-cve_data[row[0]]["modified"] = row[4]
-cve_data[row[0]]["vector"] = row[5]
-conn.close()
+for cve in cves:
+for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+cve_data[row[0]] = {}
+cve_data[row[0]]["summary"] = row[1]
+cve_data[row[0]]["scorev2"] = row[2]
+cve_data[row[0]]["scorev3"] = row[3]
+cve_data[row[0]]["modified"] = row[4]
+cve_data[row[0]]["vector"] = row[5]
+
+conn.close()
return cve_data
def cve_write_data(d, patched, unpatched, cve_data):
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [zeus][PATCH 1/3] iptables: Cosmetic fixes to recipe
On 12/6/19 12:45 AM, Peter Kjellerstedt wrote:
>> -Original Message-
>> From: openembedded-core-boun...@lists.openembedded.org > boun...@lists.openembedded.org> On Behalf Of Niko Mauno
>> Sent: den 5 december 2019 21:05
>> To: openembedded-core@lists.openembedded.org
>> Subject: [OE-core] [zeus][PATCH 1/3] iptables: Cosmetic fixes to recipe
>>
>> Introduce cosmetic changes to recipe content, most notably
>> - Change indentation style to four spaces in task statements
>
> Unless I'm wrong, the standard for shell code in recipes in
> OE-Core is still to indent using tabs. (OpenEmbedded on the
> other hand uses four spaces for indentation also for shell
> code.)
>
> //Peter
>
Thanks Peter,
indeed looking at
https://www.openembedded.org/wiki/Styleguide#Format_Guidelines mentions that
"Shell functions in OE-Core usually use tabs for indentation, but other layers
usually use consistent indentation with 4 spaces (in shell functions, python
functions and for indentation of multi-line variables)", thus this commits
indentation changes in particular could be questioned. I'll try to keep this in
mind.
Out of curiousity, I now also looked at current master branch's .bb/.inc files
(under poky/meta/recipes-*), and it would seem there's about 150 files which
resort to 4-space indentation in shell funcs (excluding here cases of 8-space
and even 2-space indentation used in some files). Considering the excerpt, are
you aware if there has been any discussion wrt. OE-Core also switching to
4-space indentation prevalent in other layers? Just feels it would make sense
as currently e.g. a discontinuity in indentation style is implied when
bbappending OE-core shell functions from other layers.
-Niko
>> - Reorder several entries according to oe-stylize.py suggestions
>>
>> (From OE-Core rev: c1d162b6165f11b7b5ae5c6066e7683d5e1379fc)
>>
>> Signed-off-by: Niko Mauno
>> Signed-off-by: Ross Burton
>> Signed-off-by: Richard Purdie
>> ---
>> .../iptables/iptables_1.8.3.bb| 60 +--
>> 1 file changed, 29 insertions(+), 31 deletions(-)
>>
>> diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> b/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> index ff9fcb1b53..563c8ae354 100644
>> --- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> @@ -4,8 +4,9 @@ filtering code in Linux."
>> HOMEPAGE = "http://www.netfilter.org/";
>> BUGTRACKER = "http://bugzilla.netfilter.org/";
>> LICENSE = "GPLv2+"
>> -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
>> -
>> file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d
>> 0f763df2a12dc"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>> +
>> file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d
>> 0f763df2a12dc \
>> +"
>>
>> SRC_URI = "http://netfilter.org/projects/iptables/files/iptables-
>> ${PV}.tar.bz2 \
>> file://0001-configure-Add-option-to-enable-disable-
>> libnfnetlink.patch \
>> @@ -13,16 +14,16 @@ SRC_URI =
>> "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>> file://iptables.service \
>> file://iptables.rules \
>> "
>> -
>> SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
>> SRC_URI[sha256sum] =
>> "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
>>
>> +SYSTEMD_SERVICE_${PN} = "iptables.service"
>> +
>> inherit autotools pkgconfig systemd
>>
>> EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
>>
>> PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
>> -
>> PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
>>
>> # libnfnetlink recipe is in meta-networking layer
>> @@ -32,9 +33,19 @@ PACKAGECONFIG[libnfnetlink] = "--enable-libnfnetlink,--
>> disable-libnfnetlink,libn
>> PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
>>
>> do_configure_prepend() {
>> -# Remove some libtool m4 files
>> -# Keep ax_check_linker_flags.m4 which belongs to autoconf-
>> archive.
>> -rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4
>> ltversion.m4
>> +# Remove some libtool m4 files
>> +# Keep ax_check_linker_flags.m4 which be
Re: [OE-core] [zeus][PATCH 1/3] iptables: Cosmetic fixes to recipe
On 12/6/19 1:32 AM, akuster808 wrote:
>
>
> On 12/5/19 12:05 PM, Niko Mauno wrote:
>> Introduce cosmetic changes to recipe content, most notably
>> - Change indentation style to four spaces in task statements
>> - Reorder several entries according to oe-stylize.py suggestions
>>
>> (From OE-Core rev: c1d162b6165f11b7b5ae5c6066e7683d5e1379fc)
>>
>> Signed-off-by: Niko Mauno
>> Signed-off-by: Ross Burton
>> Signed-off-by: Richard Purdie
>
> These changes do not pass the 'stable' bar for backporting. Unless a
> more compelling reason is give, this series is being "NACKed" at this time.
>
> - armin
Thanks for checking Armin. For the record, proposed mainly for complementing
the existing systemd-specific automatic ipv4 rules loading functionality with
ipv6, particularly since both 'ipv4' and 'ipv6' are enabled in DISTRO_FEATURES
by default.
-Niko
>> ---
>> .../iptables/iptables_1.8.3.bb| 60 +--
>> 1 file changed, 29 insertions(+), 31 deletions(-)
>>
>> diff --git a/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> b/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> index ff9fcb1b53..563c8ae354 100644
>> --- a/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> +++ b/meta/recipes-extended/iptables/iptables_1.8.3.bb
>> @@ -4,8 +4,9 @@ filtering code in Linux."
>> HOMEPAGE = "http://www.netfilter.org/";
>> BUGTRACKER = "http://bugzilla.netfilter.org/";
>> LICENSE = "GPLv2+"
>> -LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263\
>> -
>> file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc"
>> +LIC_FILES_CHKSUM = "file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
>> +
>> file://iptables/iptables.c;beginline=13;endline=25;md5=c5cffd09974558cf27d0f763df2a12dc
>> \
>> +"
>>
>> SRC_URI =
>> "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>>
>> file://0001-configure-Add-option-to-enable-disable-libnfnetlink.patch \
>> @@ -13,16 +14,16 @@ SRC_URI =
>> "http://netfilter.org/projects/iptables/files/iptables-${PV}.tar.bz2 \
>> file://iptables.service \
>> file://iptables.rules \
>> "
>> -
>> SRC_URI[md5sum] = "29de711d15c040c402cf3038c69ff513"
>> SRC_URI[sha256sum] =
>> "a23cac034181206b4545f4e7e730e76e08b5f3dd78771ba9645a6756de9cdd80"
>>
>> +SYSTEMD_SERVICE_${PN} = "iptables.service"
>> +
>> inherit autotools pkgconfig systemd
>>
>> EXTRA_OECONF = "--with-kernel=${STAGING_INCDIR}"
>>
>> PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)}"
>> -
>> PACKAGECONFIG[ipv6] = "--enable-ipv6,--disable-ipv6,"
>>
>> # libnfnetlink recipe is in meta-networking layer
>> @@ -32,9 +33,19 @@ PACKAGECONFIG[libnfnetlink] =
>> "--enable-libnfnetlink,--disable-libnfnetlink,libn
>> PACKAGECONFIG[libnftnl] = "--enable-nftables,--disable-nftables,libnftnl"
>>
>> do_configure_prepend() {
>> -# Remove some libtool m4 files
>> -# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
>> -rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
>> +# Remove some libtool m4 files
>> +# Keep ax_check_linker_flags.m4 which belongs to autoconf-archive.
>> +rm -f libtool.m4 lt~obsolete.m4 ltoptions.m4 ltsugar.m4 ltversion.m4
>> +}
>> +
>> +do_install_append() {
>> +install -d ${D}${sysconfdir}/iptables
>> +install -m 0644 ${WORKDIR}/iptables.rules ${D}${sysconfdir}/iptables
>> +
>> +install -d ${D}${systemd_system_unitdir}
>> +install -m 0644 ${WORKDIR}/iptables.service
>> ${D}${systemd_system_unitdir}
>> +
>> +sed -i -e 's,@SBINDIR@,${sbindir},g'
>> ${D}${systemd_system_unitdir}/iptables.service
>> }
>>
>> PACKAGES += "${PN}-modules"
>> @@ -47,30 +58,6 @@ python populate_packages_prepend() {
>> d.appendVar('RDEPENDS_' + metapkg, ' ' + ' '.join(modules))
>> }
>>
>> -FILES_${PN} += "${datadir}/xtables"
>> -
>> -# Include the symlinks as well in respective packages
>> -FILES_${PN}-module-xt-conntrack += "${libdir}/xtables/libxt_state.so"
>> -FILES_${
[OE-core] [zeus][PATCH] cve-check: Switch to NVD CVE JSON feed version 1.1
Switch to recently released version 1.1 of NVD CVE JSON feed, as in
https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
it is mentioned that
Due to changes required to support CVSS v3.1 scoring, the JSON
vulnerability feeds must be modified. This will require the consumers
of this data to update their internal processes. We will be providing
the JSON 1.1 schema on the data feeds page and the information below
to prepare for this transition.
...
The JSON 1.1 data feeds will be available on September 9th, 2019. At
that time the current JSON 1.0 data feeds will no longer available.
This change was tested briefly by issuing 'bitbake core-image-minimal'
with 'cve-check.bbclass' inherited via local.conf, and then comparing
the content between the resulting two
'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not
seem to contain any other change, except total of 167 entries like
CVSS v3 BASE SCORE: 0.0
were replaced with similar 'CVSS v3 BASE SCORE:' entries which had
scores that were greater than '0.0' (up to '9.8').
(From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 2 +-
meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed5548b3..01b3637469 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a28e..575254af40 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
bb.utils.export_proxies(d)
-BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-";
+BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-";
YEAR_START = 2002
db_file = d.getVar("CVE_CHECK_DB_FILE")
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [thud][PATCH] cve-check: Switch to NVD CVE JSON feed version 1.1
Switch to recently released version 1.1 of NVD CVE JSON feed, as in
https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release
it is mentioned that
Due to changes required to support CVSS v3.1 scoring, the JSON
vulnerability feeds must be modified. This will require the consumers
of this data to update their internal processes. We will be providing
the JSON 1.1 schema on the data feeds page and the information below
to prepare for this transition.
...
The JSON 1.1 data feeds will be available on September 9th, 2019. At
that time the current JSON 1.0 data feeds will no longer available.
This change was tested briefly by issuing 'bitbake core-image-minimal'
with 'cve-check.bbclass' inherited via local.conf, and then comparing
the content between the resulting two
'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not
seem to contain any other change, except total of 167 entries like
CVSS v3 BASE SCORE: 0.0
were replaced with similar 'CVSS v3 BASE SCORE:' entries which had
scores that were greater than '0.0' (up to '9.8').
(From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/classes/cve-check.bbclass | 2 +-
meta/recipes-core/meta/cve-update-db-native.bb | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 19ed5548b3..01b3637469 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb
b/meta/recipes-core/meta/cve-update-db-native.bb
index db1d69a28e..575254af40 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -27,7 +27,7 @@ python do_populate_cve_db() {
bb.utils.export_proxies(d)
-BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-";
+BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-";
YEAR_START = 2002
db_file = d.getVar("CVE_CHECK_DB_FILE")
--
2.20.1
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [meta-oe][PATCH] u-boot: Add coreutils-native to DEPENDS
Coreutils provides 'comm' command which is called during do_compile()
from scripts/check-config.sh. This fixes following issues which are
otherwise quietly ignored:
.../scripts/check-config.sh: line 33: comm: command not found
.../scripts/check-config.sh: line 38: comm: command not found
Signed-off-by: Niko Mauno
---
meta/recipes-bsp/u-boot/u-boot_2017.01.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-bsp/u-boot/u-boot_2017.01.bb
b/meta/recipes-bsp/u-boot/u-boot_2017.01.bb
index 37c21dcaa3..8b00a8d294 100644
--- a/meta/recipes-bsp/u-boot/u-boot_2017.01.bb
+++ b/meta/recipes-bsp/u-boot/u-boot_2017.01.bb
@@ -1,4 +1,4 @@
require u-boot-common_${PV}.inc
require u-boot.inc
-DEPENDS += "bc-native dtc-native"
+DEPENDS += "bc-native coreutils-native dtc-native"
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] bitbake.conf: Add comm to HOSTTOOLS
This mitigates following issues during u-boot do_compile() step --
otherwise, if comm is not available, they are quietly ignored:
.../scripts/check-config.sh: line 33: comm: command not found
.../scripts/check-config.sh: line 39: comm: command not found
Since 'comm' is provided by coreutils package, adding it to HOSTTOOLS
was considered a lower impact fix compared to adding coreutils-native
buildtime dependency to u-boot recipe.
Signed-off-by: Niko Mauno
---
meta/conf/bitbake.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 93afb13166..e1d2f3c3e2 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -473,7 +473,7 @@ HOSTTOOLS_DIR = "${TMPDIR}/hosttools"
# Tools needed to run builds with OE-Core
HOSTTOOLS += " \
-[ ar as awk basename bash bzip2 cat chgrp chmod chown chrpath cmp cp cpio \
+[ ar as awk basename bash bzip2 cat chgrp chmod chown chrpath cmp comm cp
cpio \
cpp cut date dd diff diffstat dirname du echo egrep env expand expr false \
fgrep file find flock g++ gawk gcc getconf getopt git grep gunzip gzip \
head hostname id install ld ldd ln ls make makeinfo md5sum mkdir mknod \
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] bitbake.conf: Add xattr to DISTRO_FEATURES_NATIVE
Commit db1f1adace58763c35774e3fdfeaac5c3ca646fd disabled 'xattr' from
DISTRO_FEATURES when native packages are built, whereas for target
packages it was retained. This changed eg. mtd-utils-native to build
without extended attributes (capabilities) support from there on.
Thus even setcap was called succesfully for a binary during pkg_postinst
on build host, the capabilities did not exist on target rootfs due to
now xattr-less host-side mkfs utility.
Adding xattr to DISTRO_FEATURES_NATIVE restores previous behaviour,
fixing the discontinuity in capability propagation to target
device rootfs.
Signed-off-by: Niko Mauno
---
meta/conf/bitbake.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 93afb13166..411d7cf6f5 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -808,7 +808,7 @@ IMAGE_FEATURES += "${EXTRA_IMAGE_FEATURES}"
# Native distro features (will always be used for -native, even if they
# are not enabled for target)
-DISTRO_FEATURES_NATIVE ?= "x11 ipv6"
+DISTRO_FEATURES_NATIVE ?= "x11 ipv6 xattr"
DISTRO_FEATURES_NATIVESDK ?= "x11 libc-charsets libc-locales libc-locale-code"
# Normally target distro features will not be applied to native builds:
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] package_manager.py: Explicit complementary fail
When running bitbake -c populate_sdk , it is expected that
packages matching SDKIMAGE_INSTALL_COMPLEMENTARY name mask (unless
declared in PACKAGE_EXCLUDE_COMPLEMENTARY) are installed to resulting
SDK. Underlying mechanism issues a package manager install call for set
of complementary packages. However the mechanism doesn't seem to inform
the user all too obviously in case the package manager command behind
install_complementary() method fails -- and since it is combined with
attempt_only=True option, user might end up wondering why several *-dev,
*-dbg packages are missing from resulting SDK.
Improve associated install() method behaviour in affected OpkgPM and
DpkgPM classes so that a problematic state of affairs becomes directly
obvious for bitbake user, resulting in shell output like:
WARNING: someimage-1.0-r0 do_populate_sdk: Unable to install packages.
Command '...' returned 1:
Collected errors:
* Solver encountered 1 problem(s):
* Problem 1/1:
* - package somepkg-dev-1.0-r0.x86 requires somepkg = 1.0-r0, but
none of the providers can be installed
*
* Solution 1:
* - allow deinstallation of someotherpkg-1.1-r1.x86
* - do not ask to install a package providing somepkg-dev
* Solution 2:
* - do not ask to install a package providing somepkg-dev
Signed-off-by: Niko Mauno
---
meta/lib/oe/package_manager.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/lib/oe/package_manager.py b/meta/lib/oe/package_manager.py
index f7e013437c..4d15d71736 100644
--- a/meta/lib/oe/package_manager.py
+++ b/meta/lib/oe/package_manager.py
@@ -1069,7 +1069,7 @@ class OpkgPM(OpkgDpkgPM):
output = subprocess.check_output(cmd.split(),
stderr=subprocess.STDOUT).decode("utf-8")
bb.note(output)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
@@ -1368,7 +1368,7 @@ class DpkgPM(OpkgDpkgPM):
bb.note("Installing the following packages: %s" % ' '.join(pkgs))
subprocess.check_output(cmd.split(), stderr=subprocess.STDOUT)
except subprocess.CalledProcessError as e:
-(bb.fatal, bb.note)[attempt_only]("Unable to install packages. "
+(bb.fatal, bb.warn)[attempt_only]("Unable to install packages. "
"Command '%s' returned %d:\n%s" %
(cmd, e.returncode,
e.output.decode("utf-8")))
--
2.11.0
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
Re: [OE-core] [RFC PATCH 1/3] Try to ensure 64 bit time on 32 bit glibcful hosts
On related note, in this RFC series I was basing on reference set in
https://github.com/lmajewski/meta-y2038/blob/master/conf/distro/y2038.inc#L8
where the author has opted to use TARGET_CPPFLAGS.
-Niko
On 11/8/22 12:51, Ola x Nilsson wrote:
I'm working on the same thing, but I put GLIBC_64BIT_TIME_CPPFLAGS in
TARGET_CC_ARCH instead to make sure they applied everywhere.
I'd be interested to hear what others think is the best place to put
these flags.
I'm also looking at QA tests to make sure that no application or shared
object is still using 32bit time or file functions from glibc.
/Ola
On Tue, Nov 08 2022, Niko Mauno via lists.openembedded.org wrote:
Add default C Preprocessor flags that ensure Y2038 compatible 64 bit
time on 32 bit host applications when glibc is used. Prerequisites
are glibc version 2.34 or newer and Linux kernel version 5.1 or newer.
Example of impact on 32 bit 'qemuarm' machine running
core-image-minimal. Before this change:
root@qemuarm:~# /bin/busybox date
Sun Nov 6 06:09:39 UTC 2022
root@qemuarm:~# /sbin/hwclock.util-linux -w
root@qemuarm:~# /sbin/hwclock.util-linux
2022-11-06 06:09:49.994249+00:00
root@qemuarm:~# /bin/busybox date -s 2040-01-01
date: invalid date '2040-01-01'
root@qemuarm:~# /bin/date.coreutils -s 2040-01-01
Sun Jan 1 00:00:00 UTC 2040
root@qemuarm:~# /sbin/hwclock.util-linux -w
root@qemuarm:~# /sbin/hwclock.util-linux
1931-03-04 06:26:23.00+00:00
root@qemuarm:~#
After this change:
root@qemuarm:~# /bin/busybox date
Sun Nov 6 06:02:20 UTC 2022
root@qemuarm:~# /sbin/hwclock.util-linux -w
root@qemuarm:~# /sbin/hwclock.util-linux
2022-11-06 06:02:27.989730+00:00
root@qemuarm:~# /bin/busybox date -s 2040-01-01
Sun Jan 1 00:00:00 UTC 2040
root@qemuarm:~# /sbin/hwclock.util-linux -w
root@qemuarm:~# /sbin/hwclock.util-linux
2040-01-01 00:00:20.992954+00:00
root@qemuarm:~#
From here on, the adding of new flags can be disabled on recipe or
global level by resetting the value of associated variable containing
the CPPFLAGS specific for 64 bit time
GLIBC_64BIT_TIME_CPPFLAGS = ""
which can be useful e.g. when working around failure to compile a
component due to lack of 64 bit time support on 32 bit build in the
component's source code.
Signed-off-by: Niko Mauno
---
meta/conf/distro/include/tclibc-glibc.inc| 3 +++
meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb | 2 ++
meta/recipes-devtools/pseudo/pseudo_git.bb | 2 ++
3 files changed, 7 insertions(+)
diff --git a/meta/conf/distro/include/tclibc-glibc.inc
b/meta/conf/distro/include/tclibc-glibc.inc
index f48d16939e..95770298e9 100644
--- a/meta/conf/distro/include/tclibc-glibc.inc
+++ b/meta/conf/distro/include/tclibc-glibc.inc
@@ -17,6 +17,9 @@ PREFERRED_PROVIDER_virtual/crypt ?= "libxcrypt"
CXXFLAGS += "-fvisibility-inlines-hidden"
+GLIBC_64BIT_TIME_CPPFLAGS = "-D_TIME_BITS=64 -D_FILE_OFFSET_BITS=64"
+TARGET_CPPFLAGS += "${GLIBC_64BIT_TIME_CPPFLAGS}"
+
LIBC_DEPENDENCIES = "\
glibc \
glibc-dbg \
diff --git a/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb
b/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb
index 8bda2ccad6..b3fafa0ea4 100644
--- a/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb
+++ b/meta/recipes-devtools/gcc/gcc-sanitizers_12.2.bb
@@ -5,3 +5,5 @@ require gcc-sanitizers.inc
# sanitizer_linux.s:5749: Error: lo register required -- `ldr ip,[sp],#8'
ARM_INSTRUCTION_SET:armv4 = "arm"
ARM_INSTRUCTION_SET:armv5 = "arm"
+
+GLIBC_64BIT_TIME_CPPFLAGS = ""
diff --git a/meta/recipes-devtools/pseudo/pseudo_git.bb
b/meta/recipes-devtools/pseudo/pseudo_git.bb
index c34580b4ff..7734d0fbb0 100644
--- a/meta/recipes-devtools/pseudo/pseudo_git.bb
+++ b/meta/recipes-devtools/pseudo/pseudo_git.bb
@@ -19,3 +19,5 @@ PV = "1.9.0+git${SRCPV}"
# error: use of undeclared identifier '_STAT_VER'
COMPATIBLE_HOST:libc-musl = 'null'
+
+GLIBC_64BIT_TIME_CPPFLAGS = ""
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#173011):
https://lists.openembedded.org/g/openembedded-core/message/173011
Mute This Topic: https://lists.openembedded.org/mt/94880624/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 1/2] systemd: Mitigate /var/tmp type mismatch issue
From: Niko Mauno The base-files recipe provides /var/tmp -> /var/volatile/tmp symlink which is in conflict with systemd upstream tmpfiles.d/tmp.conf which defines it as a directory (or subvolume on btrfs). This generates following error in journal: Jul 03 15:37:21 qemux86-64 systemd-tmpfiles[158]: "/var/tmp" already exists and is not a directory. Mitigate the issue by defining /var/tmp as symlink corresponding to the one created by base-files. Signed-off-by: Niko Mauno --- meta/recipes-core/systemd/systemd/00-create-volatile.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf index c4277221a2..043b2ef1d8 100644 --- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf +++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf @@ -6,3 +6,4 @@ d /run/lock 1777- - - d /var/volatile/log - - - - d /var/volatile/tmp 1777- - +L /var/tmp- - - - /var/volatile/tmp -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201520): https://lists.openembedded.org/g/openembedded-core/message/201520 Mute This Topic: https://lists.openembedded.org/mt/107033957/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 2/2] systemd: Mitigate /var/log type mismatch issue
From: Niko Mauno
When VOLATILE_LOG_DIR evaluates as True, the base-files recipe provides
/var/log -> /var/volatile/log symlink which is in conflict with systemd
upstream tmpfiles.d/var.conf.in which defines it as a directory.
This generates following error in journal:
Jul 03 14:28:00 qemux86-64 systemd-tmpfiles[165]: "/var/log" already exists
and is not a directory.
Mitigate the issue by defining /var/log as symlink corresponding to
the one created by base-files, when appropriate.
Signed-off-by: Niko Mauno
---
meta/recipes-core/systemd/systemd_255.6.bb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/systemd/systemd_255.6.bb
b/meta/recipes-core/systemd/systemd_255.6.bb
index 0376412f61..db37776fd6 100644
--- a/meta/recipes-core/systemd/systemd_255.6.bb
+++ b/meta/recipes-core/systemd/systemd_255.6.bb
@@ -313,9 +313,10 @@ do_install() {
fi
if "${@'true' if oe.types.boolean(d.getVar('VOLATILE_LOG_DIR')) else
'false'}"; then
- # /var/log is typically a symbolic link to inside /var/volatile,
- # which is expected to be empty.
+ # base-files recipe provides /var/log which is a symlink to
/var/volatile/log
rm -rf ${D}${localstatedir}/log
+ printf 'L\t\t%s/log\t\t-\t-\t-\t-\t%s/volatile/log\n'
"${localstatedir}" \
+ "${localstatedir}"
>>${D}${nonarch_libdir}/tmpfiles.d/00-create-volatile.conf
elif [ -e ${D}${localstatedir}/log/journal ]; then
chown root:systemd-journal ${D}${localstatedir}/log/journal
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201521):
https://lists.openembedded.org/g/openembedded-core/message/201521
Mute This Topic: https://lists.openembedded.org/mt/107033958/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] Fix missing leading whitespace with ':append'
From: Niko Mauno
Mitigate occurrences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/dnf/dnf_4.20.0.bb | 2 +-
meta/recipes-graphics/mesa/mesa.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/dnf/dnf_4.20.0.bb
b/meta/recipes-devtools/dnf/dnf_4.20.0.bb
index 4757346cbf..98edab0614 100644
--- a/meta/recipes-devtools/dnf/dnf_4.20.0.bb
+++ b/meta/recipes-devtools/dnf/dnf_4.20.0.bb
@@ -18,7 +18,7 @@ SRC_URI =
"git://github.com/rpm-software-management/dnf.git;branch=master;protoc
file://0001-lock.py-fix-Exception-handling.patch \
"
-SRC_URI:append:class-native =
"file://0001-dnf-write-the-log-lock-to-root.patch"
+SRC_URI:append:class-native = "
file://0001-dnf-write-the-log-lock-to-root.patch"
SRCREV = "e3cb438c0fd08c79676c0f3276aa7d75cd8557c6"
UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)"
diff --git a/meta/recipes-graphics/mesa/mesa.inc
b/meta/recipes-graphics/mesa/mesa.inc
index 272d57c749..d56def2916 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -91,7 +91,7 @@ PACKAGECONFIG = " \
${@bb.utils.contains('DISTRO_FEATURES', 'vulkan', 'zink', '', d)} \
"
-PACKAGECONFIG:append:class-native = "gallium-llvm r600"
+PACKAGECONFIG:append:class-native = " gallium-llvm r600"
# "gbm" requires "opengl"
PACKAGECONFIG[gbm] = "-Dgbm=enabled,-Dgbm=disabled"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201655):
https://lists.openembedded.org/g/openembedded-core/message/201655
Mute This Topic: https://lists.openembedded.org/mt/107121031/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v2] systemd: Mitigate /var/log type mismatch issue
From: Niko Mauno
When VOLATILE_LOG_DIR evaluates as True, the base-files recipe provides
/var/log -> /var/volatile/log symlink which is in conflict with systemd
upstream tmpfiles.d/var.conf.in which defines it as a directory.
This generates following error in journal:
Jul 03 14:28:00 qemux86-64 systemd-tmpfiles[165]: "/var/log" already exists
and is not a directory.
Mitigate the issue by defining /var/log as symlink corresponding to
the one created by base-files, when appropriate.
Signed-off-by: Niko Mauno
---
meta/recipes-core/systemd/systemd_255.6.bb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/systemd/systemd_255.6.bb
b/meta/recipes-core/systemd/systemd_255.6.bb
index 0376412f61..db37776fd6 100644
--- a/meta/recipes-core/systemd/systemd_255.6.bb
+++ b/meta/recipes-core/systemd/systemd_255.6.bb
@@ -313,9 +313,10 @@ do_install() {
fi
if "${@'true' if oe.types.boolean(d.getVar('VOLATILE_LOG_DIR')) else
'false'}"; then
- # /var/log is typically a symbolic link to inside /var/volatile,
- # which is expected to be empty.
+ # base-files recipe provides /var/log which is a symlink to
/var/volatile/log
rm -rf ${D}${localstatedir}/log
+ printf 'L\t\t%s/log\t\t-\t-\t-\t-\t%s/volatile/log\n'
"${localstatedir}" \
+ "${localstatedir}"
>>${D}${nonarch_libdir}/tmpfiles.d/00-create-volatile.conf
elif [ -e ${D}${localstatedir}/log/journal ]; then
chown root:systemd-journal ${D}${localstatedir}/log/journal
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201656):
https://lists.openembedded.org/g/openembedded-core/message/201656
Mute This Topic: https://lists.openembedded.org/mt/107121266/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 1/2] systemd: Mitigate /var/tmp type mismatch issue
On 7/4/24 10:49, ChenQi wrote: There's a pending patch from Changqing, which also handles /var/tmp. The title is: [OE-core] [PATCH] VOLATILE_TMP_DIR: Extend to specify the persistence of /var/tmp I think we'd better handle that patch first because you may need to change to the way you used in your second patch to handle this /var/tmp link. Regards, Qi Thanks for pointing this out. While waiting to see what will be the outcome of the aforementioned /var/tmp change, I have resubmitted my /var/log specific patch as v2, as these two patches are independent of each other. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201657): https://lists.openembedded.org/g/openembedded-core/message/201657 Mute This Topic: https://lists.openembedded.org/mt/107033957/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v2 1/2] mesa: Fix missing leading whitespace with ':append'
From: Niko Mauno
By adding a leading space character in the value field of appended
BitBake variable, we avoid the risk of inadvertent string
concatenation.
Signed-off-by: Niko Mauno
---
meta/recipes-graphics/mesa/mesa.inc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-graphics/mesa/mesa.inc
b/meta/recipes-graphics/mesa/mesa.inc
index 272d57c749..d56def2916 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -91,7 +91,7 @@ PACKAGECONFIG = " \
${@bb.utils.contains('DISTRO_FEATURES', 'vulkan', 'zink', '', d)} \
"
-PACKAGECONFIG:append:class-native = "gallium-llvm r600"
+PACKAGECONFIG:append:class-native = " gallium-llvm r600"
# "gbm" requires "opengl"
PACKAGECONFIG[gbm] = "-Dgbm=enabled,-Dgbm=disabled"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201668):
https://lists.openembedded.org/g/openembedded-core/message/201668
Mute This Topic: https://lists.openembedded.org/mt/107126512/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v2 2/2] dnf: Fix missing leading whitespace with ':append'
From: Niko Mauno By adding a leading space character in the value field of appended BitBake variable, we avoid the risk of inadvertent string concatenation. Signed-off-by: Niko Mauno --- meta/recipes-devtools/dnf/dnf_4.20.0.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-devtools/dnf/dnf_4.20.0.bb b/meta/recipes-devtools/dnf/dnf_4.20.0.bb index 4757346cbf..98edab0614 100644 --- a/meta/recipes-devtools/dnf/dnf_4.20.0.bb +++ b/meta/recipes-devtools/dnf/dnf_4.20.0.bb @@ -18,7 +18,7 @@ SRC_URI = "git://github.com/rpm-software-management/dnf.git;branch=master;protoc file://0001-lock.py-fix-Exception-handling.patch \ " -SRC_URI:append:class-native = "file://0001-dnf-write-the-log-lock-to-root.patch" +SRC_URI:append:class-native = " file://0001-dnf-write-the-log-lock-to-root.patch" SRCREV = "e3cb438c0fd08c79676c0f3276aa7d75cd8557c6" UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)" -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#201669): https://lists.openembedded.org/g/openembedded-core/message/201669 Mute This Topic: https://lists.openembedded.org/mt/107126515/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH] dnf/mesa: Fix missing leading whitespace with ':append'
From: Niko Mauno
Mitigate occurrences where ':append' operator is used and leading
whitespace character is obviously missing, risking inadvertent
string concatenation.
(From OE-Core rev: 314041fd126a4800a5a5d9fcd84c525319479256)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
(cherry picked from commit 0b6ca9beeff927bbb6158c71596ac475550559d8)
---
meta/recipes-devtools/dnf/dnf_4.19.0.bb | 2 +-
meta/recipes-graphics/mesa/mesa.inc | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-devtools/dnf/dnf_4.19.0.bb
b/meta/recipes-devtools/dnf/dnf_4.19.0.bb
index 184dbea963..37a2cc7de2 100644
--- a/meta/recipes-devtools/dnf/dnf_4.19.0.bb
+++ b/meta/recipes-devtools/dnf/dnf_4.19.0.bb
@@ -18,7 +18,7 @@ SRC_URI =
"git://github.com/rpm-software-management/dnf.git;branch=master;protoc
file://0001-lock.py-fix-Exception-handling.patch \
"
-SRC_URI:append:class-native =
"file://0001-dnf-write-the-log-lock-to-root.patch"
+SRC_URI:append:class-native = "
file://0001-dnf-write-the-log-lock-to-root.patch"
SRCREV = "566a61f9d8a2830ac6dcc3a94c59224cef1c3d03"
UPSTREAM_CHECK_GITTAGREGEX = "(?P\d+(\.\d+)+)"
diff --git a/meta/recipes-graphics/mesa/mesa.inc
b/meta/recipes-graphics/mesa/mesa.inc
index 77e9c80fcb..a43fd2c701 100644
--- a/meta/recipes-graphics/mesa/mesa.inc
+++ b/meta/recipes-graphics/mesa/mesa.inc
@@ -91,7 +91,7 @@ PACKAGECONFIG = " \
${@bb.utils.contains('DISTRO_FEATURES', 'vulkan', 'zink', '', d)} \
"
-PACKAGECONFIG:append:class-native = "gallium-llvm r600"
+PACKAGECONFIG:append:class-native = " gallium-llvm r600"
# "gbm" requires "opengl"
PACKAGECONFIG[gbm] = "-Dgbm=enabled,-Dgbm=disabled"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#201747):
https://lists.openembedded.org/g/openembedded-core/message/201747
Mute This Topic: https://lists.openembedded.org/mt/107151006/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] libyaml: Amend CVE status as 'upstream-wontfix'
From: Niko Mauno Use an existing defined CVE_CHECK_STATUSMAP key in meta/lib/oe/cve_check.py in order to avoid following complaint from BitBake: WARNING: libyaml-native-0.2.5-r0 do_create_spdx: Invalid detail "wontfix" for CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302";, fallback to Unpatched Signed-off-by: Niko Mauno --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb index 2154910d0c..1c6a5fcb45 100644 --- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb +++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb @@ -18,6 +18,6 @@ inherit autotools DISABLE_STATIC:class-nativesdk = "" DISABLE_STATIC:class-native = "" -CVE_STATUS[CVE-2024-35328] = "wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"; +CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"; BBCLASSEXTEND = "native nativesdk" -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202729): https://lists.openembedded.org/g/openembedded-core/message/202729 Mute This Topic: https://lists.openembedded.org/mt/107662504/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH] libyaml: Fix warning regarding unpatched CVE
This commit incorporates changes in following master branch commits: f3479f74c9 libyaml: Amend CVE status as 'upstream-wontfix' 3ebb2ca832 libyaml: Change CVE status to wontfix 56b6b35626 libyaml: Update status of CVE-2024-35328 which mitigate the following warning with cve-check.bbclass: WARNING: libyaml-native-0.2.5-r0 do_cve_check: Found unpatched CVE (CVE-2024-35328), for more information check .../tmp/work/x86_64-linux/libyaml-native/0.2.5/temp/cve.log Signed-off-by: Niko Mauno --- meta/recipes-support/libyaml/libyaml_0.2.5.bb | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta/recipes-support/libyaml/libyaml_0.2.5.bb b/meta/recipes-support/libyaml/libyaml_0.2.5.bb index 4cb5717ece..1c6a5fcb45 100644 --- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb +++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb @@ -18,4 +18,6 @@ inherit autotools DISABLE_STATIC:class-nativesdk = "" DISABLE_STATIC:class-native = "" +CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"; + BBCLASSEXTEND = "native nativesdk" -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#202933): https://lists.openembedded.org/g/openembedded-core/message/202933 Mute This Topic: https://lists.openembedded.org/mt/107699684/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH 1/2] systemd: Mitigate /var/log type mismatch issue
When VOLATILE_LOG_DIR evaluates as True, the base-files recipe provides
/var/log -> /var/volatile/log symlink which is in conflict with systemd
upstream tmpfiles.d/var.conf.in which defines it as a directory.
This generates following error in journal:
Jul 03 14:28:00 qemux86-64 systemd-tmpfiles[165]: "/var/log" already exists
and is not a directory.
Mitigate the issue by defining /var/log as symlink corresponding to
the one created by base-files, when appropriate.
(From OE-Core rev: 711ee36e88c8968e3c45ea787b3adcf64352adf9)
Signed-off-by: Niko Mauno
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
meta/recipes-core/systemd/systemd_255.4.bb | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/systemd/systemd_255.4.bb
b/meta/recipes-core/systemd/systemd_255.4.bb
index f58a1bc2b6..0ccca8a567 100644
--- a/meta/recipes-core/systemd/systemd_255.4.bb
+++ b/meta/recipes-core/systemd/systemd_255.4.bb
@@ -307,9 +307,10 @@ do_install() {
fi
if "${@'true' if oe.types.boolean(d.getVar('VOLATILE_LOG_DIR')) else
'false'}"; then
- # /var/log is typically a symbolic link to inside /var/volatile,
- # which is expected to be empty.
+ # base-files recipe provides /var/log which is a symlink to
/var/volatile/log
rm -rf ${D}${localstatedir}/log
+ printf 'L\t\t%s/log\t\t-\t-\t-\t-\t%s/volatile/log\n'
"${localstatedir}" \
+ "${localstatedir}"
>>${D}${nonarch_libdir}/tmpfiles.d/00-create-volatile.conf
elif [ -e ${D}${localstatedir}/log/journal ]; then
chown root:systemd-journal ${D}${localstatedir}/log/journal
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203176):
https://lists.openembedded.org/g/openembedded-core/message/203176
Mute This Topic: https://lists.openembedded.org/mt/107809461/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH 2/2] systemd: Mitigate /var/tmp type mismatch issue
The base-files recipe provides /var/tmp -> /var/volatile/tmp symlink which is in conflict with systemd upstream tmpfiles.d/tmp.conf which defines it as a directory (or subvolume on btrfs). This generates following error in journal: Jul 03 15:37:21 qemux86-64 systemd-tmpfiles[158]: "/var/tmp" already exists and is not a directory. Mitigate the issue by defining /var/tmp as symlink corresponding to the one created by base-files. (From OE-Core rev: 1f1f6f45e3cfe24dfee8a09d01a5d32f3080e381) Signed-off-by: Niko Mauno Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- meta/recipes-core/systemd/systemd/00-create-volatile.conf | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-core/systemd/systemd/00-create-volatile.conf b/meta/recipes-core/systemd/systemd/00-create-volatile.conf index c4277221a2..043b2ef1d8 100644 --- a/meta/recipes-core/systemd/systemd/00-create-volatile.conf +++ b/meta/recipes-core/systemd/systemd/00-create-volatile.conf @@ -6,3 +6,4 @@ d /run/lock 1777- - - d /var/volatile/log - - - - d /var/volatile/tmp 1777- - +L /var/tmp- - - - /var/volatile/tmp -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203177): https://lists.openembedded.org/g/openembedded-core/message/203177 Mute This Topic: https://lists.openembedded.org/mt/107809464/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] image_types.bbclass: Use --force also with lz4,lzop
Several conversion commands already make use of 'force' option in the
compression, which enables overwriting existing files without
prompting.
Since occasionally an existing residual destination file from a
previously aborted or failed task can prevent the re-execution of the
conversion command task, by enabling the 'force' option also for lz4
and lzop compression commands we can avoid following kind of BitBake
failures with these compressors:
| DEBUG: Executing shell function do_image_cpio
| 117685 blocks
| 2 blocks
| example-image.cpio.lz4 already exists; do you want to overwrite (y/N) ?
not overwritten
| Error 20 : example-image.cpio : open file error
| WARNING: exit code 20 from a shell command.
ERROR: Task (.../recipes-core/images/example-image.bb:do_image_cpio) failed
with exit code '1'
Signed-off-by: Niko Mauno
---
meta/classes-recipe/image_types.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/image_types.bbclass
b/meta/classes-recipe/image_types.bbclass
index 506b9934cb..b230add314 100644
--- a/meta/classes-recipe/image_types.bbclass
+++ b/meta/classes-recipe/image_types.bbclass
@@ -337,8 +337,8 @@ CONVERSION_CMD:lzma = "lzma -k -f -7 ${IMAGE_NAME}.${type}"
CONVERSION_CMD:gz = "gzip -f -9 -n -c --rsyncable ${IMAGE_NAME}.${type} >
${IMAGE_NAME}.${type}.gz"
CONVERSION_CMD:bz2 = "pbzip2 -f -k ${IMAGE_NAME}.${type}"
CONVERSION_CMD:xz = "xz -f -k -c ${XZ_COMPRESSION_LEVEL} ${XZ_DEFAULTS}
--check=${XZ_INTEGRITY_CHECK} ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.xz"
-CONVERSION_CMD:lz4 = "lz4 -9 -z -l ${IMAGE_NAME}.${type}
${IMAGE_NAME}.${type}.lz4"
-CONVERSION_CMD:lzo = "lzop -9 ${IMAGE_NAME}.${type}"
+CONVERSION_CMD:lz4 = "lz4 -f -9 -z -l ${IMAGE_NAME}.${type}
${IMAGE_NAME}.${type}.lz4"
+CONVERSION_CMD:lzo = "lzop -f -9 ${IMAGE_NAME}.${type}"
CONVERSION_CMD:zip = "zip ${ZIP_COMPRESSION_LEVEL} ${IMAGE_NAME}.${type}.zip
${IMAGE_NAME}.${type}"
CONVERSION_CMD:7zip = "7za a -mx=${7ZIP_COMPRESSION_LEVEL}
-mm=${7ZIP_COMPRESSION_METHOD} ${IMAGE_NAME}.${type}.${7ZIP_EXTENSION}
${IMAGE_NAME}.${type}"
CONVERSION_CMD:zst = "zstd -f -k -c ${ZSTD_DEFAULTS} ${IMAGE_NAME}.${type} >
${IMAGE_NAME}.${type}.zst"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203226):
https://lists.openembedded.org/g/openembedded-core/message/203226
Mute This Topic: https://lists.openembedded.org/mt/107857522/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH] image_types.bbclass: Use --force also with lz4,lzop
Several conversion commands already make use of 'force' option in the
compression, which enables overwriting existing files without
prompting.
Since occasionally an existing residual destination file from a
previously aborted or failed task can prevent the re-execution of the
conversion command task, by enabling the 'force' option also for lz4
and lzop compression commands we can avoid following kind of BitBake
failures with these compressors:
| DEBUG: Executing shell function do_image_cpio
| 117685 blocks
| 2 blocks
| example-image.cpio.lz4 already exists; do you want to overwrite (y/N) ?
not overwritten
| Error 20 : example-image.cpio : open file error
| WARNING: exit code 20 from a shell command.
ERROR: Task (.../recipes-core/images/example-image.bb:do_image_cpio) failed
with exit code '1'
(From OE-Core rev: 623ab22434909f10aaf613cd3032cc2a2c6e3ff9)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/classes-recipe/image_types.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes-recipe/image_types.bbclass
b/meta/classes-recipe/image_types.bbclass
index 2f948ecbf8..28afff4571 100644
--- a/meta/classes-recipe/image_types.bbclass
+++ b/meta/classes-recipe/image_types.bbclass
@@ -335,8 +335,8 @@ CONVERSION_CMD:lzma = "lzma -k -f -7 ${IMAGE_NAME}.${type}"
CONVERSION_CMD:gz = "gzip -f -9 -n -c --rsyncable ${IMAGE_NAME}.${type} >
${IMAGE_NAME}.${type}.gz"
CONVERSION_CMD:bz2 = "pbzip2 -f -k ${IMAGE_NAME}.${type}"
CONVERSION_CMD:xz = "xz -f -k -c ${XZ_COMPRESSION_LEVEL} ${XZ_DEFAULTS}
--check=${XZ_INTEGRITY_CHECK} ${IMAGE_NAME}.${type} > ${IMAGE_NAME}.${type}.xz"
-CONVERSION_CMD:lz4 = "lz4 -9 -z -l ${IMAGE_NAME}.${type}
${IMAGE_NAME}.${type}.lz4"
-CONVERSION_CMD:lzo = "lzop -9 ${IMAGE_NAME}.${type}"
+CONVERSION_CMD:lz4 = "lz4 -f -9 -z -l ${IMAGE_NAME}.${type}
${IMAGE_NAME}.${type}.lz4"
+CONVERSION_CMD:lzo = "lzop -f -9 ${IMAGE_NAME}.${type}"
CONVERSION_CMD:zip = "zip ${ZIP_COMPRESSION_LEVEL} ${IMAGE_NAME}.${type}.zip
${IMAGE_NAME}.${type}"
CONVERSION_CMD:7zip = "7za a -mx=${7ZIP_COMPRESSION_LEVEL}
-mm=${7ZIP_COMPRESSION_METHOD} ${IMAGE_NAME}.${type}.${7ZIP_EXTENSION}
${IMAGE_NAME}.${type}"
CONVERSION_CMD:zst = "zstd -f -k -c ${ZSTD_DEFAULTS} ${IMAGE_NAME}.${type} >
${IMAGE_NAME}.${type}.zst"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203260):
https://lists.openembedded.org/g/openembedded-core/message/203260
Mute This Topic: https://lists.openembedded.org/mt/107873199/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] util-linux: Add 'no-libmount-mountfd' PACKAGECONFIG option
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
While testing with a board using a 6.1 version kernel, an initramfs
rootfs based boot flow contains the error
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
on closer inspection:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurs at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
however the failure didn't occur when using qemuarm64 with 6.6 version
kernel to boot a corresponding initramfs image, in that case the exact
same call under strace returned 0.
Taking the above findings into consideration, add a new PACKAGECONFIG
option which allows to conveniently opt-out from prematurely using a
feature which can cause issues with a bit older kernels.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..3ecc55f61e 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -107,6 +107,7 @@ PACKAGECONFIG[cryptsetup] =
"--with-cryptsetup,--without-cryptsetup,cryptsetup"
PACKAGECONFIG[chfn-chsh] = "--enable-chfn-chsh,--disable-chfn-chsh,"
PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
PACKAGECONFIG[lastlog2] = "--enable-liblastlog2,--disable-liblastlog2,sqlite3"
+PACKAGECONFIG[no-libmount-mountfd] = "--disable-libmount-mountfd-support"
EXTRA_OEMAKE = "ARCH=${TARGET_ARCH} CPU= CPUOPT= 'OPT=${CFLAGS}'"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203466):
https://lists.openembedded.org/g/openembedded-core/message/203466
Mute This Topic: https://lists.openembedded.org/mt/107932364/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] image_types.bbclass: Use --force also with lz4,lzop
Several conversion commands already make use of 'force' option in the
compression, which enables overwriting existing files without
prompting.
Since occasionally an existing residual destination file from a
previously aborted or failed task can prevent the re-execution of the
conversion command task, by enabling the 'force' option also for lz4
and lzop compression commands we can avoid following kind of BitBake
failures with these compressors:
| DEBUG: Executing shell function do_image_cpio
| 117685 blocks
| 2 blocks
| example-image.cpio.lz4 already exists; do you want to overwrite (y/N) ?
not overwritten
| Error 20 : example-image.cpio : open file error
| WARNING: exit code 20 from a shell command.
ERROR: Task (.../recipes-core/images/example-image.bb:do_image_cpio) failed
with exit code '1'
(From OE-Core rev: 623ab22434909f10aaf613cd3032cc2a2c6e3ff9)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/classes/image_types.bbclass | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/classes/image_types.bbclass b/meta/classes/image_types.bbclass
index 9d5f8c68a4..72245019f4 100644
--- a/meta/classes/image_types.bbclass
+++ b/meta/classes/image_types.bbclass
@@ -292,8 +292,8 @@ CONVERSION_CMD:lzma = "lzma -k -f -7
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
CONVERSION_CMD:gz = "gzip -f -9 -n -c --rsyncable
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} >
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.gz"
CONVERSION_CMD:bz2 = "pbzip2 -f -k ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
CONVERSION_CMD:xz = "xz -f -k -c ${XZ_COMPRESSION_LEVEL} ${XZ_DEFAULTS}
--check=${XZ_INTEGRITY_CHECK} ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} >
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.xz"
-CONVERSION_CMD:lz4 = "lz4 -9 -z -l ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.lz4"
-CONVERSION_CMD:lzo = "lzop -9 ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
+CONVERSION_CMD:lz4 = "lz4 -f -9 -z -l
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.lz4"
+CONVERSION_CMD:lzo = "lzop -f -9 ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
CONVERSION_CMD:zip = "zip ${ZIP_COMPRESSION_LEVEL}
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.zip
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}"
CONVERSION_CMD:zst = "zstd -f -k -T0 -c ${ZSTD_COMPRESSION_LEVEL}
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} >
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.zst"
CONVERSION_CMD:sum = "sumtool -i ${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type} -o
${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.${type}.sum ${JFFS2_SUM_EXTRA_ARGS}"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203468):
https://lists.openembedded.org/g/openembedded-core/message/203468
Mute This Topic: https://lists.openembedded.org/mt/107932951/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v2] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option which by default opts users out from using the feature which
can cause issues with some older kernels.
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested but the issue
was not reproduced with those versions - using strace showed that the
mount_setattr call associated with the new mount API problem was not
issued with these LTS kernel versions, which seemed to be confirmed
also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was
tested also briefly using the current latest kernel versions 6.1.104,
6.6.45 and 6.10.3 that using the old mount API with newest kernels
did not introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..2d89eb6745 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -107,6 +107,13 @@ PACKAGECONFIG[cryptsetup] =
"--with-cryptsetup,--without-cryptsetup,cryptsetup"
PACKAGECONFIG[chfn-chsh] = "--enable-chfn-chsh,--disable-chfn-chsh,"
PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
PACKAGECONFIG[lastlog2] = "--enable-liblastlog2,--disable-liblastlog2,sqlite3"
+# Using the new file descriptors based mount kernel API can cause root
Re: [OE-core] [PATCH] util-linux: Add 'no-libmount-mountfd' PACKAGECONFIG option
On 16.8.2024 17.24, Alexander Kanavin wrote: On Fri, 16 Aug 2024 at 16:04, Niko Mauno via lists.openembedded.org wrote: Taking the above findings into consideration, add a new PACKAGECONFIG option which allows to conveniently opt-out from prematurely using a feature which can cause issues with a bit older kernels. +PACKAGECONFIG[no-libmount-mountfd] = "--disable-libmount-mountfd-support" The option's definition should include both enabling and disabling options so that the resulting component configuration is deterministic (e.g. not left to autodetection by upstream) both when it's enabled and when it is not. It also helps to add a comment just above explaining that only the newer kernels have the required API, and ideally also mention which is the minimum required kernel version. Thanks, submitted v2 which addresses aforementioned aspects, and also now defaults to disabling the new mount API by default. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203487): https://lists.openembedded.org/g/openembedded-core/message/203487 Mute This Topic: https://lists.openembedded.org/mt/107932364/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v3] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option which allows to conveniently opt-out from prematurely using a
feature which can cause issues with a bit older kernels.
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested but the issue
was not reproduced with those versions - using strace showed that the
mount_setattr call associated with the new mount API problem was not
issued with these LTS kernel versions, which seemed to be confirmed
also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was
tested also briefly using the current latest kernel versions 6.1.104,
6.6.45 and 6.10.3 that using the old mount API with newest kernels
did not introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..e87657cc70 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -107,6 +107,13 @@ PACKAGECONFIG[cryptsetup] =
"--with-cryptsetup,--without-cryptsetup,cryptsetup"
PACKAGECONFIG[chfn-chsh] = "--enable-chfn-chsh,--disable-chfn-chsh,"
PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
PACKAGECONFIG[lastlog2] = "--enable-liblastlog2,--disable-liblastlog2,sqlite3"
+# Using the new file descriptors based mount kernel API
Re: [OE-core] [PATCH v2] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
On 19.8.2024 11.27, Alexander Kanavin wrote: I don’t think this should be disabled by default actually. If the default upstream behavior is to enable, and all current linux-yocto kernels have the needed support, then we should follow that. Thanks, addressed in v3 which I just submitted. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203496): https://lists.openembedded.org/g/openembedded-core/message/203496 Mute This Topic: https://lists.openembedded.org/mt/107977031/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH v3] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
Sorry, the comments added in this v3 still adhere to v2 content. I will
still submit v4 soon which amends to added comment lines.
-Niko
On 19.8.2024 12.29, Alexander Kanavin wrote:
Thanks, this version lgtm.
Alex
On Mon, 19 Aug 2024 at 11:27, Niko Mauno via lists.openembedded.org
wrote:
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for /
exited with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed
with result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and
Kernel File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option which allows to conveniently opt-out from prematurely using a
feature which can cause issues with a bit older kernels.
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested but the issue
was not reproduced with those versions - using strace showed that the
mount_setattr call associated with the new mount API problem was not
issued with these LTS kernel versions, which seemed to be confirmed
also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was
tested also briefly using the current latest kernel versions 6.1.104,
6.6.45 and 6.10.3 that using the old mount API with newest kernels
did not introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..e87657cc70 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -107,6 +107,13 @@ PACKAGECONFIG[cryptsetup] =
"--with-cryptsetup,--without-cryptsetup,crypt
[OE-core] [PATCH v4] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option which allows to conveniently opt-out from prematurely using a
feature which can cause issues with a bit older kernels.
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested but the issue
was not reproduced with those versions - using strace showed that the
mount_setattr call associated with the new mount API problem was not
issued with these LTS kernel versions, which seemed to be confirmed
also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was
tested also briefly using the current latest kernel versions 6.1.104,
6.6.45 and 6.10.3 that using the old mount API with newest kernels
did not introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 7 +++
1 file changed, 7 insertions(+)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..0b36df8e1b 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -107,6 +107,13 @@ PACKAGECONFIG[cryptsetup] =
"--with-cryptsetup,--without-cryptsetup,cryptsetup"
PACKAGECONFIG[chfn-chsh] = "--enable-chfn-chsh,--disable-chfn-chsh,"
PACKAGECONFIG[selinux] = "--with-selinux,--without-selinux,libselinux"
PACKAGECONFIG[lastlog2] = "--enable-liblastlog2,--disable-liblastlog2,sqlite3"
+# Using the new file descriptors based mount kernel API c
[OE-core] [PATCH v5] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option removing which enables users to opt-out from using the feature
which can cause issues with a bit older kernels.
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested but the issue
was not reproduced with those versions - using strace showed that the
mount_setattr call associated with the new mount API problem was not
issued with these LTS kernel versions, which seemed to be confirmed
also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was
tested also briefly using the current latest kernel versions 6.1.104,
6.6.45 and 6.10.3 that using the old mount API with newest kernels
did not introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
.../util-linux/util-linux_2.40.1.bb | 17 +++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..ef2384fe52 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -89,8 +89,14 @@ EXTRA_OECONF:append = " --disable-hwclock-gplv3"
# this helps to keep same expectations when using the SDK or
# build host versions during development
#
-PACKAGECONFIG ?= "pcre2"
-PACKAGECONFIG:class-target ?= "${@bb.utils.contains('DISTRO_FEATURES', 'pam',
'chfn-chsh pam lastlog2', '', d)}"
+P
Re: [OE-core] [PATCH v4] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
On 8/19/24 18:23, Peter Kjellerstedt wrote: Please avoid negative PACKAGECONFIGs. Instead use: PACKAGECONFIG[new-mount-api] = "--enable-libmount-mountfd-support,--disable-libmount-mountfd-support" and add "new-mount-api" to the default for PACKAGECONFIG. Also, how long will the "new" in "new-mount-api" be valid, i.e., what happens when the next mount API comes along? It might be better to match the feature name to the configuration option, e.g.: PACKAGECONFIG[libmount-mountfd-support] = "--enable-libmount-mountfd-support,--disable-libmount-mountfd-support" Thanks, updated accordingly to latter in v5.-Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203519): https://lists.openembedded.org/g/openembedded-core/message/203519 Mute This Topic: https://lists.openembedded.org/mt/107977721/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH v5] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
On 20.8.2024 22.19, Alexandre Belloni wrote: Hello, arm64 fails to build with this patch: https://autobuilder.yoctoproject.org/typhoon/#/builders/42/builds/9356/steps/13/logs/stdio https://autobuilder.yoctoproject.org/typhoon/#/builders/131/builds/4727/steps/13/logs/stdio Thanks, indeed it seems that on the older Debian build host, the mountfd_api requirement fails for util-linux-native recipe: | configure: error: libmount_mountfd_support selected, but required mount FDs based API not available Ref. https://github.com/util-linux/util-linux/blob/v2.40.1/configure.ac#L1315 I.e. failure stems from the added explicit --enable-libmount-mountfd-support option that extends also to -native scope I wonder if there are any proposals? -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203585): https://lists.openembedded.org/g/openembedded-core/message/203585 Mute This Topic: https://lists.openembedded.org/mt/107986659/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH v6] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option removing which enables users to opt-out from using the feature
which can cause issues with a bit older kernels. The option is enabled
only for class-target here, since it otherwise causes following error
during util-linux-native's do_configure task on Debian 11 build host
(mountfd_api requirement fails):
| configure: error: libmount_mountfd_support selected, but required mount
FDs based API not available
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested with qemuarm64
but the issue was not reproduced with those versions - using strace
showed that the mount_setattr call associated with the new mount API
problem was not issued with these LTS kernel versions, which seemed to
be confirmed also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was tested also
briefly using the current latest kernel versions 6.1.104, 6.6.45 and
6.10.3 that using the old mount API with newest kernels did not
introduce any observable regression to the boot flow.
Signed-off-by: Niko Mauno
---
meta/recipes-core/util-linux/util-linux_2.40.1.bb | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
index a1aab94055..a8e346539a 100644
--- a/meta/recipes-core/util-linux/util-linux_2.40.1.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.40.1.bb
@@ -90,7 +90,10 @@ EXTRA_OECONF:append = " --disable-hwclock-gplv3&
Re: [OE-core] [PATCH v5] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
Thanks, submitted v6 which adds the new PACKAGECONFIG option for class-target only. -Niko On 21.8.2024 15.17, Alexander Kanavin wrote: I guess this new API should not be enabled for -native variants? Alex On Wed, 21 Aug 2024 at 14:01, Niko Mauno via lists.openembedded.org wrote: On 20.8.2024 22.19, Alexandre Belloni wrote: Hello, arm64 fails to build with this patch: https://autobuilder.yoctoproject.org/typhoon/#/builders/42/builds/9356/steps/13/logs/stdio https://autobuilder.yoctoproject.org/typhoon/#/builders/131/builds/4727/steps/13/logs/stdio Thanks, indeed it seems that on the older Debian build host, the mountfd_api requirement fails for util-linux-native recipe: | configure: error: libmount_mountfd_support selected, but required mount FDs based API not available Ref. https://github.com/util-linux/util-linux/blob/v2.40.1/configure.ac#L1315 I.e. failure stems from the added explicit --enable-libmount-mountfd-support option that extends also to -native scope I wonder if there are any proposals? -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#203608): https://lists.openembedded.org/g/openembedded-core/message/203608 Mute This Topic: https://lists.openembedded.org/mt/107986659/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [scarthgap][PATCH] util-linux: Add PACKAGECONFIG option to mitigate rootfs remount error
The 2.39 version of util-linux took new file descriptors based mount
kernel API into use. In relation to this change, the upstream release
notes in
https://github.com/util-linux/util-linux/blob/v2.39/Documentation/releases/v2.39-ReleaseNotes#L14-L21
mention that
This change is very aggressive to libmount code, but hopefully, it does not
introduce regressions in traditional mount(8) behavior.
After observing following failure when booting a board using a bit
older 6.1 series kernel together with initramfs rootfs based boot flow
[FAILED] Failed to start Remount Root and Kernel File Systems.
See 'systemctl status systemd-remount-fs.service' for details.
closer inspection revealed:
demoboard ~ # systemctl status -l systemd-remount-fs.service
x systemd-remount-fs.service - Remount Root and Kernel File Systems
Loaded: loaded (/usr/lib/systemd/system/systemd-remount-fs.service;
enabled-runtime; preset: disabled)
Active: failed (Result: exit-code) since Wed 2024-08-14 14:53:48 UTC;
1min 22s ago
Docs: man:systemd-remount-fs.service(8)
https://www.freedesktop.org/wiki/Software/systemd/APIFileSystems
Process: 76 ExecStart=/usr/lib/systemd/systemd-remount-fs (code=exited,
status=1/FAILURE)
Main PID: 76 (code=exited, status=1/FAILURE)
Aug 14 14:53:48 demoboard systemd-remount-fs[76]: /usr/bin/mount for / exited
with exit status 32.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]: mount: /: mount point not
mounted or bad option.
Aug 14 14:53:48 demoboard systemd-remount-fs[81]:dmesg(1) may have
more information after failed mount system call.
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Main
process exited, code=exited, status=1/FAILURE
Aug 14 14:53:48 demoboard systemd[1]: systemd-remount-fs.service: Failed with
result 'exit-code'.
Aug 14 14:53:48 demoboard systemd[1]: Failed to start Remount Root and Kernel
File Systems.
also consequentially, 'systemctl status' reported:
State: degraded
When issuing 'strace -ff mount -o remount /' the failure occurred at
mount_setattr(3, "", AT_EMPTY_PATH,
{attr_set=MOUNT_ATTR_RDONLY|MOUNT_ATTR_NOATIME|MOUNT_ATTR_NODIRATIME,
attr_clr=MOUNT_ATTR_NOSUID|MOUNT_ATTR_NODEV|MOUNT_ATTR_NOEXEC|MOUNT_ATTR_NOATIME|MOUNT_ATTR_STRICTATIME|MOUNT_ATTR_NOSYMFOLLOW|0x40,
propagation=0 /* MS_??? */, userns_fd=0}, 32) = -1 EINVAL (Invalid argument)
After further investigation, The issue was pinpointed to lack of Linux
kernel commit
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=95de4ad173ca0e61034f3145d66917970961c210
("fs: relax mount_setattr() permission checks") in the kernel version
that was being used. Above mitigation was discussed in email related to
then-rejected CVE-2024-26821:
https://lore.kernel.org/linux-cve-announce/2024051606-imaging-entrench-b327@gregkh/T/
After testing with qemuarm64 machine different linux-yocto versions,
it was observed that the issue impacts following versions of currently
supported LTS kernels:
- 6.6.17 (fixed since 6.6.18 i.e. mount_setattr() returns 0)
- 6.1.78 (fixed since 6.1.79 i.e. mount_setattr() returns 0)
- 5.15.164 which is currently the newest of 5.15.y series (i.e. no
known working version)
Taking the above findings into consideration, add a new PACKAGECONFIG
option removing which enables users to opt-out from using the feature
which can cause issues with a bit older kernels. The option is enabled
only for class-target here, since it otherwise causes following error
during util-linux-native's do_configure task on Debian 11 build host
(mountfd_api requirement fails):
| configure: error: libmount_mountfd_support selected, but required mount
FDs based API not available
Versions 5.10.223, 5.4.279 and 4.10.317 were also tested with qemuarm64
but the issue was not reproduced with those versions - using strace
showed that the mount_setattr call associated with the new mount API
problem was not issued with these LTS kernel versions, which seemed to
be confirmed also by following libmount debug message in these cases:
415: libmount: HOOK: [0x7fa115e818]: failed to init new API
Note: In addition to the aforementioned, this change was tested also
briefly using the current latest kernel versions 6.1.104, 6.6.45 and
6.10.3 that using the old mount API with newest kernels did not
introduce any observable regression to the boot flow.
(From OE-Core rev: dc086d9a8613143607af3583c72ed892e20b4d66)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/recipes-core/util-linux/util-linux_2.39.3.bb | 12 +++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-core/util-linux/util-linux_2.39.3.bb
b/meta/recipes-core/util-linux/util-linux_2.39.3.bb
index 83b3f4e05b..79ddf2d115 100644
--- a/meta/recipes-core/util-linux/util-linux_2.39.3.bb
+++ b/meta/recipes-core/util-linux/util-linux_2.39.
[OE-core] [PATCH] icu: Fix 'buildpaths' QA error
Add stripping of STAGING_DIR_NATIVE during target/nativesdk specific
do_install, which mitigates following BitBake failure:
ERROR: icu-75-1-r0 do_package_qa: QA Issue: File
/usr/lib/icu/75.1/pkgdata.inc in package icu-dev contains reference to TMPDIR
[buildpaths]
ERROR: icu-75-1-r0 do_package_qa: Fatal QA errors were found, failing task.
While doing so, we also drop HOSTTOOLS_DIR stripping, as it's value
does not appear in the content of either file that are manipulated
here.
Signed-off-by: Niko Mauno
---
meta/recipes-support/icu/icu_75-1.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-support/icu/icu_75-1.bb
b/meta/recipes-support/icu/icu_75-1.bb
index 8f7f5e6cc7..9922469672 100644
--- a/meta/recipes-support/icu/icu_75-1.bb
+++ b/meta/recipes-support/icu/icu_75-1.bb
@@ -60,7 +60,7 @@ remove_build_host_references() {
sed -i \
-e 's,--sysroot=${STAGING_DIR_TARGET},,g' \
-e 's|${DEBUG_PREFIX_MAP}||g' \
- -e 's:${HOSTTOOLS_DIR}/::g' \
+ -e 's:${STAGING_DIR_NATIVE}::g' \
${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/Makefile.inc \
${D}/${libdir}/${BPN}/${@icu_install_folder(d)}/pkgdata.inc
}
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203976):
https://lists.openembedded.org/g/openembedded-core/message/203976
Mute This Topic: https://lists.openembedded.org/mt/108194777/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] iw: Fix LICENSE
The contents of the COPYING file included in the source code match
those of ISC license:
https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git/tree/COPYING?h=v6.9
which seems to have been in effect since 2008 commit
https://git.kernel.org/pub/scm/linux/kernel/git/jberg/iw.git/commit?id=622c36ae94a880fb53f7f051f1b26616f5b553c1
("license under ISC").
Signed-off-by: Niko Mauno
---
meta/recipes-connectivity/iw/iw_6.9.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-connectivity/iw/iw_6.9.bb
b/meta/recipes-connectivity/iw/iw_6.9.bb
index dc570d1124..e34400e18b 100644
--- a/meta/recipes-connectivity/iw/iw_6.9.bb
+++ b/meta/recipes-connectivity/iw/iw_6.9.bb
@@ -4,7 +4,7 @@ wireless devices. It supports almost all new drivers that have
been added \
to the kernel recently. "
HOMEPAGE = "https://wireless.wiki.kernel.org/en/users/documentation/iw";
SECTION = "base"
-LICENSE = "BSD-2-Clause"
+LICENSE = "ISC"
LIC_FILES_CHKSUM = "file://COPYING;md5=878618a5c4af25e9b93ef0be1a93f774"
DEPENDS = "libnl"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203981):
https://lists.openembedded.org/g/openembedded-core/message/203981
Mute This Topic: https://lists.openembedded.org/mt/108206266/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] dejagnu: Fix LICENSE
The contents of the COPYING file included in the current source code
package match those of GPL-3.0-only license, which seems to have been
the case since 2008 commit
http://git.savannah.gnu.org/gitweb/?p=dejagnu.git;a=commitdiff;h=9bebe7b9bfb9b02e5e4d86ad74e8ce3eb32a36b9;hp=50fbdd118dba066e201c73a8b0155381cd65a32d
("* COPYING: Update to GPL version 3.")
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb
b/meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb
index 895f6d3b36..c6002d5e45 100644
--- a/meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb
+++ b/meta/recipes-devtools/dejagnu/dejagnu_1.6.3.bb
@@ -2,7 +2,7 @@ SUMMARY = "GNU unit testing framework, written in Expect and
Tcl"
DESCRIPTION = "DejaGnu is a framework for testing other programs. Its purpose \
is to provide a single front end for all tests."
HOMEPAGE = "https://www.gnu.org/software/dejagnu/";
-LICENSE = "GPL-2.0-only"
+LICENSE = "GPL-3.0-only"
LIC_FILES_CHKSUM = "file://COPYING;md5=d32239bcb673463ab874e80d47fae504"
SECTION = "devel"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#204094):
https://lists.openembedded.org/g/openembedded-core/message/204094
Mute This Topic: https://lists.openembedded.org/mt/108224636/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] rust-llvm: Allow overriding LLVM target archs
From: Niko Mauno
Move the default value into a variable which can be overridden to
match more accurately the use case specific scenario.
Signed-off-by: Niko Mauno
---
meta/recipes-devtools/rust/rust-llvm_1.70.0.bb | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/rust/rust-llvm_1.70.0.bb
b/meta/recipes-devtools/rust/rust-llvm_1.70.0.bb
index 57bbe79cdf..5bfc1faea8 100644
--- a/meta/recipes-devtools/rust/rust-llvm_1.70.0.bb
+++ b/meta/recipes-devtools/rust/rust-llvm_1.70.0.bb
@@ -30,9 +30,11 @@ CXXFLAGS:remove = "-g"
LLVM_DIR = "llvm${LLVM_RELEASE}"
+RUST_LLVM_TARGETS ?= "ARM;AArch64;Mips;PowerPC;RISCV;X86"
+
EXTRA_OECMAKE = " \
-DCMAKE_BUILD_TYPE=Release \
--DLLVM_TARGETS_TO_BUILD='ARM;AArch64;Mips;PowerPC;RISCV;X86' \
+-DLLVM_TARGETS_TO_BUILD='${RUST_LLVM_TARGETS}' \
-DLLVM_BUILD_DOCS=OFF \
-DLLVM_ENABLE_TERMINFO=OFF \
-DLLVM_ENABLE_ZLIB=OFF \
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191455):
https://lists.openembedded.org/g/openembedded-core/message/191455
Mute This Topic: https://lists.openembedded.org/mt/102873673/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] rust-llvm: Allow overriding LLVM target archs
From: Niko Mauno
Move the default value into a variable which can be overridden to
match more accurately the use case specific scenario.
(From OE-Core rev: 645370e85d8742d0614cd52ca7507b5df2d38ad8)
Signed-off-by: Niko Mauno
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
---
meta/recipes-devtools/rust/rust-llvm.inc | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/rust/rust-llvm.inc
b/meta/recipes-devtools/rust/rust-llvm.inc
index e645e7a7ac..416a07cd40 100644
--- a/meta/recipes-devtools/rust/rust-llvm.inc
+++ b/meta/recipes-devtools/rust/rust-llvm.inc
@@ -25,9 +25,11 @@ CXXFLAGS:remove = "-g"
LLVM_DIR = "llvm${LLVM_RELEASE}"
+RUST_LLVM_TARGETS ?= "ARM;AArch64;Mips;PowerPC;RISCV;X86"
+
EXTRA_OECMAKE = " \
-DCMAKE_BUILD_TYPE=Release \
--DLLVM_TARGETS_TO_BUILD='ARM;AArch64;Mips;PowerPC;RISCV;X86' \
+-DLLVM_TARGETS_TO_BUILD='${RUST_LLVM_TARGETS}' \
-DLLVM_BUILD_DOCS=OFF \
-DLLVM_ENABLE_TERMINFO=OFF \
-DLLVM_ENABLE_ZLIB=OFF \
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#191738):
https://lists.openembedded.org/g/openembedded-core/message/191738
Mute This Topic: https://lists.openembedded.org/mt/102970153/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] openssl: Move microblaze to linux-latomic config
From: Mark Hatle
When building with the previous a number of atomic functions come back as
undefined. Switching to linux-latomic fixes this.
(From OE-Core rev: 88d5bf78ffb1d120df48139b1ed3c2e3fa8310d0)
Signed-off-by: Mark Hatle
Signed-off-by: Mark Hatle
Signed-off-by: Luca Ceresoli
Signed-off-by: Richard Purdie
---
meta/recipes-connectivity/openssl/openssl_3.0.8.bb | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
index e1f30d7a47..82f3e18dd7 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.8.bb
@@ -80,7 +80,7 @@ do_configure () {
esac
target="$os-${HOST_ARCH}"
case $target in
- linux-arc)
+ linux-arc | linux-microblaze*)
target=linux-latomic
;;
linux-arm*)
@@ -108,7 +108,7 @@ do_configure () {
linux-*-mips64 | linux-mips64 | linux-*-mips64el | linux-mips64el)
target=linux64-mips64
;;
- linux-microblaze* | linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
+ linux-nios2* | linux-sh3 | linux-sh4 | linux-arc*)
target=linux-generic32
;;
linux-powerpc)
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#179943):
https://lists.openembedded.org/g/openembedded-core/message/179943
Mute This Topic: https://lists.openembedded.org/mt/98215250/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] gcc-runtime: Use static dummy libstdc++
From: Khem Raj
some standalone targets e.g. riscv64-elf disable shared linking for
baremetal ELF ABI in ld, therefore lets make it a static library
(From OE-Core rev: 3c6219dfcbcbde314648ba8cc54a90b32ea1c952)
Signed-off-by: Khem Raj
Signed-off-by: Richard Purdie
---
meta/recipes-devtools/gcc/gcc-runtime.inc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc
b/meta/recipes-devtools/gcc/gcc-runtime.inc
index 8074bf1025..d019b0790b 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -68,7 +68,8 @@ do_configure () {
# libstdc++ isn't built yet so CXX would error not able to find it
which breaks stdc++'s configure
# tests. Create a dummy empty lib for the purposes of configure.
mkdir -p ${WORKDIR}/dummylib
- ${CC} -x c /dev/null -nostartfiles -shared -o
${WORKDIR}/dummylib/libstdc++.so
+ ${CC} -x c /dev/null -c -o ${WORKDIR}/dummylib/dummylib.o
+ ${AR} rcs ${WORKDIR}/dummylib/libstdc++.a ${WORKDIR}/dummylib/dummylib.o
for d in libgcc ${RUNTIMETARGET}; do
echo "Configuring $d"
rm -rf ${B}/${TARGET_SYS}/$d/
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181484):
https://lists.openembedded.org/g/openembedded-core/message/181484
Mute This Topic: https://lists.openembedded.org/mt/98944818/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [kirkstone][PATCH] gcc-runtime: Use static dummy libstdc++
Hi Steve, I must admit this is surprising to me as I am unable to
reproduce the failure You describe by issuing
$ git checkout poky/kirkstone
Note: switching to 'poky/kirkstone'.
HEAD is now at f53ab3a2ff build-appliance-image: Update to kirkstone
head revision
$ git cherry-pick 591f14c698f43ca4ae6431c8cd96225d1ed5dbf5
Auto-merging meta/recipes-devtools/gcc/gcc-runtime.inc
[detached HEAD 935862b25f] gcc-runtime: Use static dummy libstdc++
Author: Khem Raj
Date: Sun Jul 24 08:10:21 2022 -0700
1 file changed, 2 insertions(+), 1 deletion(-)
Could you provide any further pointers/hints regarding what could be
wrong..?
-Niko
On 5/17/23 18:21, Steve Sakoman wrote:
This patch does not apply to current kirkstone HEAD:
Applying: gcc-runtime: Use static dummy libstdc++
Using index info to reconstruct a base tree...
M meta/recipes-devtools/gcc/gcc-runtime.inc
Falling back to patching base and 3-way merge...
Auto-merging meta/recipes-devtools/gcc/gcc-runtime.inc
CONFLICT (content): Merge conflict in meta/recipes-devtools/gcc/gcc-runtime.inc
error: Failed to merge in the changes.
Patch failed at 0001 gcc-runtime: Use static dummy libstdc++
Steve
On Wed, May 17, 2023 at 12:06 AM Niko Mauno via lists.openembedded.org
wrote:
From: Khem Raj
some standalone targets e.g. riscv64-elf disable shared linking for
baremetal ELF ABI in ld, therefore lets make it a static library
(From OE-Core rev: 3c6219dfcbcbde314648ba8cc54a90b32ea1c952)
Signed-off-by: Khem Raj
Signed-off-by: Richard Purdie
---
meta/recipes-devtools/gcc/gcc-runtime.inc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/meta/recipes-devtools/gcc/gcc-runtime.inc
b/meta/recipes-devtools/gcc/gcc-runtime.inc
index 8074bf1025..d019b0790b 100644
--- a/meta/recipes-devtools/gcc/gcc-runtime.inc
+++ b/meta/recipes-devtools/gcc/gcc-runtime.inc
@@ -68,7 +68,8 @@ do_configure () {
# libstdc++ isn't built yet so CXX would error not able to find it
which breaks stdc++'s configure
# tests. Create a dummy empty lib for the purposes of configure.
mkdir -p ${WORKDIR}/dummylib
- ${CC} -x c /dev/null -nostartfiles -shared -o
${WORKDIR}/dummylib/libstdc++.so
+ ${CC} -x c /dev/null -c -o ${WORKDIR}/dummylib/dummylib.o
+ ${AR} rcs ${WORKDIR}/dummylib/libstdc++.a ${WORKDIR}/dummylib/dummylib.o
for d in libgcc ${RUNTIMETARGET}; do
echo "Configuring $d"
rm -rf ${B}/${TARGET_SYS}/$d/
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181498):
https://lists.openembedded.org/g/openembedded-core/message/181498
Mute This Topic: https://lists.openembedded.org/mt/98944818/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] ref-manual: Fix invalid feature name
Replace the invalid feature name with correct one which helps to avoid following bitbake error ERROR: Nothing PROVIDES 'core-image-minimal' core-image-minimal was skipped: 'empty-root-passwd' in IMAGE_FEATURES (added via EXTRA_IMAGE_FEATURES) is not a valid image feature. Signed-off-by: Niko Mauno --- documentation/ref-manual/features.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/documentation/ref-manual/features.rst b/documentation/ref-manual/features.rst index 794a6fd15b..051bf9320a 100644 --- a/documentation/ref-manual/features.rst +++ b/documentation/ref-manual/features.rst @@ -294,11 +294,11 @@ Here are the image features available for all images: forced in ``/etc/passwd`` and ``/etc/shadow`` if such files exist. .. note:: - ``empty-root-passwd`` doesn't set an empty root password by itself. + ``empty-root-password`` doesn't set an empty root password by itself. You get an initial empty root password thanks to the :oe_git:`base-passwd ` and :oe_git:`shadow ` - recipes, and the presence of ``empty-root-passwd`` or ``debug-tweaks`` + recipes, and the presence of ``empty-root-password`` or ``debug-tweaks`` just disables the mechanism which forces an non-empty password for the root user. -- 2.39.0 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#177332): https://lists.openembedded.org/g/openembedded-core/message/177332 Mute This Topic: https://lists.openembedded.org/mt/97066768/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH] ref-manual: Fix invalid feature name
On 20.2.2023 19.45, Michael Opdenacker wrote: Thanks for the patch! You also have an issue with the way your e-mails are received here. Here is a workaround: https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity I fixed the commit manually, but doing this will help for next time. Thanks for pointing the issue Michael, I've now applied the mitigation. BR, Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#177491): https://lists.openembedded.org/g/openembedded-core/message/177491 Mute This Topic: https://lists.openembedded.org/mt/97066768/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 1/4] package_rpm.bbclass: Fix some pycodestyle issues
From: Niko Mauno
Fix following subset of observations reported by version 2.10.0 of
pycodestyle utility:
meta/classes-global/package_rpm.bbclass:65:46: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:66:46: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:107:19: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:109:69: E202 whitespace before ')'
meta/classes-global/package_rpm.bbclass:122:103: W291 trailing whitespace
meta/classes-global/package_rpm.bbclass:194:74: W291 trailing whitespace
meta/classes-global/package_rpm.bbclass:448:16: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:450:16: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:520:1: W293 blank line contains
whitespace
meta/classes-global/package_rpm.bbclass:521:15: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:542:12: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:544:12: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:647:67: W291 trailing whitespace
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 26 -
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 85d0bd7fce..992446a033 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -62,8 +62,8 @@ def write_rpm_perfiledata(srcname, d):
for dep in depends_dict:
ver = depends_dict[dep]
if dep and ver:
-ver = ver.replace("(","")
-ver = ver.replace(")","")
+ver = ver.replace("(", "")
+ver = ver.replace(")", "")
outfile.write(dep + " " + ver + " ")
else:
outfile.write(dep + " ")
@@ -104,9 +104,9 @@ python write_specfile () {
import oe.packagedata
# append information for logs and patches to %prep
-def add_prep(d,spec_files_bottom):
+def add_prep(d, spec_files_bottom):
if d.getVarFlag('ARCHIVER_MODE', 'srpm') == '1' and
bb.data.inherits_class('archiver', d):
-spec_files_bottom.append('%%prep -n %s' % d.getVar('PN') )
+spec_files_bottom.append('%%prep -n %s' % d.getVar('PN'))
spec_files_bottom.append('%s' % "echo \"include logs and patches,
Please check them in SOURCES\"")
spec_files_bottom.append('')
@@ -119,7 +119,7 @@ python write_specfile () {
source_list = os.listdir(ar_outdir)
source_number = 0
for source in source_list:
-# do_deploy_archives may have already run (from sstate)
meaning a .src.rpm may already
+# do_deploy_archives may have already run (from sstate)
meaning a .src.rpm may already
# exist in ARCHIVER_OUTDIR so skip if present.
if source.endswith(".src.rpm"):
continue
@@ -191,7 +191,7 @@ python write_specfile () {
def walk_files(walkpath, target, conffiles, dirfiles):
# We can race against the ipk/deb backends which create CONTROL or
DEBIAN directories
-# when packaging. We just ignore these files which are created in
+# when packaging. We just ignore these files which are created in
# packages-split/ and not package/
# We have the odd situation where the CONTROL/DEBIAN directory can be
removed in the middle of
# of the walk, the isdir() test would then fail and the walk code
would assume its a file
@@ -445,9 +445,9 @@ python write_specfile () {
rprovides = bb.utils.explode_dep_versions2(splitrprovides)
rreplaces = bb.utils.explode_dep_versions2(splitrreplaces)
for dep in rreplaces:
-if not dep in robsoletes:
+if dep not in robsoletes:
robsoletes[dep] = rreplaces[dep]
-if not dep in rprovides:
+if dep not in rprovides:
rprovides[dep] = rreplaces[dep]
splitrobsoletes = bb.utils.join_deps(robsoletes, commasep=False)
splitrprovides = bb.utils.join_deps(rprovides, commasep=False)
@@ -517,8 +517,8 @@ python write_specfile () {
spec_files_bottom.append('')
del localdata
-
-add_prep(d,spec_files_bottom)
+
+add_prep(d, spe
[OE-core] [PATCH 2/4] package_rpm.bbclass: Minor cosmetic and style fixes
From: Niko Mauno
Add the missing conventional space characters around bitbake variable
assignment operators. Also fix a typo on a comment line.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 992446a033..402fa5c4e8 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -8,12 +8,12 @@ inherit package
IMAGE_PKGTYPE ?= "rpm"
-RPM="rpm"
-RPMBUILD="rpmbuild"
+RPM = "rpm"
+RPMBUILD = "rpmbuild"
PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
-# Maintaining the perfile dependencies has singificant overhead when writing
the
+# Maintaining the perfile dependencies has significant overhead when writing
the
# packages. When set, this value merges them for efficiency.
MERGEPERFILEDEPS = "1"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189521):
https://lists.openembedded.org/g/openembedded-core/message/189521
Mute This Topic: https://lists.openembedded.org/mt/102080104/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 3/4] package_rpm.bbclass: Remove unused definitions
From: Niko Mauno
Some local variables defined in do_package_rpm() are not referenced, so
remove such dead code lines.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 4
1 file changed, 4 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 402fa5c4e8..246106ea4f 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -633,7 +633,6 @@ python do_package_rpm () {
workdir = d.getVar('WORKDIR')
tmpdir = d.getVar('TMPDIR')
pkgd = d.getVar('PKGD')
-pkgdest = d.getVar('PKGDEST')
if not workdir or not pkgd or not tmpdir:
bb.error("Variables incorrectly set, unable to package")
return
@@ -660,8 +659,6 @@ python do_package_rpm () {
# Setup the rpmbuild arguments...
rpmbuild = d.getVar('RPMBUILD')
-targetsys = d.getVar('TARGET_SYS')
-targetvendor = d.getVar('HOST_VENDOR')
# Too many places in dnf stack assume that arch-independent packages are
"noarch".
# Let's not fight against this.
@@ -669,7 +666,6 @@ python do_package_rpm () {
if package_arch == "all":
package_arch = "noarch"
-sdkpkgsuffix = (d.getVar('SDKPKGSUFFIX') or "nativesdk").replace("-", "_")
d.setVar('PACKAGE_ARCH_EXTEND', package_arch)
pkgwritedir = d.expand('${PKGWRITEDIRRPM}/${PACKAGE_ARCH_EXTEND}')
d.setVar('RPM_PKGWRITEDIR', pkgwritedir)
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189522):
https://lists.openembedded.org/g/openembedded-core/message/189522
Mute This Topic: https://lists.openembedded.org/mt/102080112/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH 4/4] package_rpm.bbclass: Support compression override
From: Niko Mauno
Commit 4a4d5f78a6962dda5f63e9891825c80a8a87bf66 ("package_rpm: use zstd
instead of xz") changed the rpm package compressor from 'xz' to 'zstd'
which results in decompression failure with BusyBox-provided 'rpm2cpio'
applet and 'rpm' applet when given the '-i' (Install package) option:
rpm2cpio: no gzip/bzip2/xz magic
In order to maintain compatibility with BusyBox introduce new variable
which can be overridden like:
RPM_COMPRESSION = "xz"
to enable rpm decompression without including the full rpm package in
the resulting root filesystem.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 16 ++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 246106ea4f..da25b7682c 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -13,6 +13,9 @@ RPMBUILD = "rpmbuild"
PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
+# Override variable to use alternative 'xz' or 'none' compression
+RPM_COMPRESSION ?= "zstd"
+
# Maintaining the perfile dependencies has significant overhead when writing
the
# packages. When set, this value merges them for efficiency.
MERGEPERFILEDEPS = "1"
@@ -659,6 +662,7 @@ python do_package_rpm () {
# Setup the rpmbuild arguments...
rpmbuild = d.getVar('RPMBUILD')
+rpmcomp = d.getVar('RPM_COMPRESSION')
# Too many places in dnf stack assume that arch-independent packages are
"noarch".
# Let's not fight against this.
@@ -682,8 +686,16 @@ python do_package_rpm () {
cmd = cmd + " --define '_use_internal_dependency_generator 0'"
cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
cmd = cmd + " --define '_build_id_links none'"
-cmd = cmd + " --define '_binary_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
-cmd = cmd + " --define '_source_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
+if rpmcomp == "zstd":
+cmd = cmd + " --define '_binary_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
+cmd = cmd + " --define '_source_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
+elif rpmcomp == 'xz':
+cmd = cmd + " --define '_binary_payload w6T%d.xzdio'" %
int(d.getVar("XZ_THREADS"))
+cmd = cmd + " --define '_source_payload w6T%d.xzdio'" %
int(d.getVar("XZ_THREADS"))
+elif rpmcomp == 'none':
+pass
+else:
+bb.fatal('unsupported rpm compression method: "%s"' % rpmcomp)
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189523):
https://lists.openembedded.org/g/openembedded-core/message/189523
Mute This Topic: https://lists.openembedded.org/mt/102080114/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 4/4] package_rpm.bbclass: Support compression override
On 20.10.2023 16.00, Richard Purdie wrote: Is it common for people to need to manipulate rpms on target without rpm being present using busybox? Do you know if busybox plans to add zstd support? As far as I could tell when we looked at this, the rpm world was moving over to zstd so adding in conditional xz support for a limited use case probably just creates a maintenance headache going forward as it isn't something we test or plan to test? Are you using this on an LTS release or master? Hi Richard, After moving to Yocto Kirkstone (LTS) which we currently use, we started getting developer reports of 'no gzip/bzip2/xz magic' error from BusyBox applet. For example developer uploads an rpm file to target device and then unpacks it in runtime using 'rpm2cpio | cpio -idmv' command. We don't include rpm package on target filesystems as that would increase rootfs footprint approximately 5 MB. Including only rpm2cpio from rpm package needs still accompanying libraries, increasing the size by 2.5 MB approximately which also feels too big. I checked the discussions from BusyBox mailing list and found that in 2021 the maintainer seemed reluctant to accept the proposed zstd support because it was not optimized for embedded systems. http://lists.busybox.net/pipermail/busybox/2021-September/089179.html BR, Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189532): https://lists.openembedded.org/g/openembedded-core/message/189532 Mute This Topic: https://lists.openembedded.org/mt/102080114/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCHv2 1/4] package_rpm.bbclass: Fix some pycodestyle issues
From: Niko Mauno
Fix following subset of observations reported by version 2.10.0 of
pycodestyle utility:
meta/classes-global/package_rpm.bbclass:65:46: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:66:46: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:107:19: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:109:69: E202 whitespace before ')'
meta/classes-global/package_rpm.bbclass:122:103: W291 trailing whitespace
meta/classes-global/package_rpm.bbclass:194:74: W291 trailing whitespace
meta/classes-global/package_rpm.bbclass:448:16: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:450:16: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:520:1: W293 blank line contains
whitespace
meta/classes-global/package_rpm.bbclass:521:15: E231 missing whitespace after
','
meta/classes-global/package_rpm.bbclass:542:12: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:544:12: E713 test for membership
should be 'not in'
meta/classes-global/package_rpm.bbclass:647:67: W291 trailing whitespace
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 26 -
1 file changed, 13 insertions(+), 13 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 85d0bd7fce..992446a033 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -62,8 +62,8 @@ def write_rpm_perfiledata(srcname, d):
for dep in depends_dict:
ver = depends_dict[dep]
if dep and ver:
-ver = ver.replace("(","")
-ver = ver.replace(")","")
+ver = ver.replace("(", "")
+ver = ver.replace(")", "")
outfile.write(dep + " " + ver + " ")
else:
outfile.write(dep + " ")
@@ -104,9 +104,9 @@ python write_specfile () {
import oe.packagedata
# append information for logs and patches to %prep
-def add_prep(d,spec_files_bottom):
+def add_prep(d, spec_files_bottom):
if d.getVarFlag('ARCHIVER_MODE', 'srpm') == '1' and
bb.data.inherits_class('archiver', d):
-spec_files_bottom.append('%%prep -n %s' % d.getVar('PN') )
+spec_files_bottom.append('%%prep -n %s' % d.getVar('PN'))
spec_files_bottom.append('%s' % "echo \"include logs and patches,
Please check them in SOURCES\"")
spec_files_bottom.append('')
@@ -119,7 +119,7 @@ python write_specfile () {
source_list = os.listdir(ar_outdir)
source_number = 0
for source in source_list:
-# do_deploy_archives may have already run (from sstate)
meaning a .src.rpm may already
+# do_deploy_archives may have already run (from sstate)
meaning a .src.rpm may already
# exist in ARCHIVER_OUTDIR so skip if present.
if source.endswith(".src.rpm"):
continue
@@ -191,7 +191,7 @@ python write_specfile () {
def walk_files(walkpath, target, conffiles, dirfiles):
# We can race against the ipk/deb backends which create CONTROL or
DEBIAN directories
-# when packaging. We just ignore these files which are created in
+# when packaging. We just ignore these files which are created in
# packages-split/ and not package/
# We have the odd situation where the CONTROL/DEBIAN directory can be
removed in the middle of
# of the walk, the isdir() test would then fail and the walk code
would assume its a file
@@ -445,9 +445,9 @@ python write_specfile () {
rprovides = bb.utils.explode_dep_versions2(splitrprovides)
rreplaces = bb.utils.explode_dep_versions2(splitrreplaces)
for dep in rreplaces:
-if not dep in robsoletes:
+if dep not in robsoletes:
robsoletes[dep] = rreplaces[dep]
-if not dep in rprovides:
+if dep not in rprovides:
rprovides[dep] = rreplaces[dep]
splitrobsoletes = bb.utils.join_deps(robsoletes, commasep=False)
splitrprovides = bb.utils.join_deps(rprovides, commasep=False)
@@ -517,8 +517,8 @@ python write_specfile () {
spec_files_bottom.append('')
del localdata
-
-add_prep(d,spec_files_bottom)
+
+add_prep(d, spe
[OE-core] [PATCHv2 2/4] package_rpm.bbclass: Minor cosmetic and style fixes
From: Niko Mauno
Add the missing conventional space characters around bitbake variable
assignment operators. Also fix a typo on a comment line.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 992446a033..402fa5c4e8 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -8,12 +8,12 @@ inherit package
IMAGE_PKGTYPE ?= "rpm"
-RPM="rpm"
-RPMBUILD="rpmbuild"
+RPM = "rpm"
+RPMBUILD = "rpmbuild"
PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
-# Maintaining the perfile dependencies has singificant overhead when writing
the
+# Maintaining the perfile dependencies has significant overhead when writing
the
# packages. When set, this value merges them for efficiency.
MERGEPERFILEDEPS = "1"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189595):
https://lists.openembedded.org/g/openembedded-core/message/189595
Mute This Topic: https://lists.openembedded.org/mt/102102138/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCHv2 3/4] package_rpm.bbclass: Remove unused definitions
From: Niko Mauno
Some local variables defined in do_package_rpm() are not referenced, so
remove such dead code lines.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 4
1 file changed, 4 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 402fa5c4e8..246106ea4f 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -633,7 +633,6 @@ python do_package_rpm () {
workdir = d.getVar('WORKDIR')
tmpdir = d.getVar('TMPDIR')
pkgd = d.getVar('PKGD')
-pkgdest = d.getVar('PKGDEST')
if not workdir or not pkgd or not tmpdir:
bb.error("Variables incorrectly set, unable to package")
return
@@ -660,8 +659,6 @@ python do_package_rpm () {
# Setup the rpmbuild arguments...
rpmbuild = d.getVar('RPMBUILD')
-targetsys = d.getVar('TARGET_SYS')
-targetvendor = d.getVar('HOST_VENDOR')
# Too many places in dnf stack assume that arch-independent packages are
"noarch".
# Let's not fight against this.
@@ -669,7 +666,6 @@ python do_package_rpm () {
if package_arch == "all":
package_arch = "noarch"
-sdkpkgsuffix = (d.getVar('SDKPKGSUFFIX') or "nativesdk").replace("-", "_")
d.setVar('PACKAGE_ARCH_EXTEND', package_arch)
pkgwritedir = d.expand('${PKGWRITEDIRRPM}/${PACKAGE_ARCH_EXTEND}')
d.setVar('RPM_PKGWRITEDIR', pkgwritedir)
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189596):
https://lists.openembedded.org/g/openembedded-core/message/189596
Mute This Topic: https://lists.openembedded.org/mt/102102139/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCHv2 4/4] package_rpm.bbclass: Allow compression mode override
From: Niko Mauno
Commit 4a4d5f78a6962dda5f63e9891825c80a8a87bf66 ("package_rpm: use zstd
instead of xz") changed the rpm package compressor from 'xz' to 'zstd'
which results in decompression failure with BusyBox-provided 'rpm2cpio'
applet and 'rpm' applet when given the '-i' (Install package) option:
rpm2cpio: no gzip/bzip2/xz magic
Introduce a variable which makes it possible to use a different
compression mode, making it possible to override the default value for
example like
RPMBUILD_COMPMODE = "${@'w6T%d.xzdio' % int(d.getVar('XZ_THREADS'))}"
to enable rpm decompression without including the full rpm package in
the resulting root filesystem.
Signed-off-by: Niko Mauno
---
meta/classes-global/package_rpm.bbclass | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta/classes-global/package_rpm.bbclass
b/meta/classes-global/package_rpm.bbclass
index 246106ea4f..5d35962aff 100644
--- a/meta/classes-global/package_rpm.bbclass
+++ b/meta/classes-global/package_rpm.bbclass
@@ -10,6 +10,7 @@ IMAGE_PKGTYPE ?= "rpm"
RPM = "rpm"
RPMBUILD = "rpmbuild"
+RPMBUILD_COMPMODE ?= "${@'w19T%d.zstdio' % int(d.getVar('ZSTD_THREADS'))}"
PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
@@ -659,6 +660,7 @@ python do_package_rpm () {
# Setup the rpmbuild arguments...
rpmbuild = d.getVar('RPMBUILD')
+rpmbuild_compmode = d.getVar('RPMBUILD_COMPMODE')
# Too many places in dnf stack assume that arch-independent packages are
"noarch".
# Let's not fight against this.
@@ -682,8 +684,8 @@ python do_package_rpm () {
cmd = cmd + " --define '_use_internal_dependency_generator 0'"
cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
cmd = cmd + " --define '_build_id_links none'"
-cmd = cmd + " --define '_binary_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
-cmd = cmd + " --define '_source_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
+cmd = cmd + " --define '_source_payload %s'" % rpmbuild_compmode
+cmd = cmd + " --define '_binary_payload %s'" % rpmbuild_compmode
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189597):
https://lists.openembedded.org/g/openembedded-core/message/189597
Mute This Topic: https://lists.openembedded.org/mt/102102142/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 4/4] package_rpm.bbclass: Support compression override
On 10/20/23 16:00, Richard Purdie wrote: As far as I could tell when we looked at this, the rpm world was moving over to zstd so adding in conditional xz support for a limited use case probably just creates a maintenance headache going forward as it isn't something we test or plan to test? I now submitted a v2 for your consideration, but assuming it still introduces a maintenance challenge for YP, we will look into other means to work around the issue. -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189598): https://lists.openembedded.org/g/openembedded-core/message/189598 Mute This Topic: https://lists.openembedded.org/mt/102080114/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core] [PATCH 4/4] package_rpm.bbclass: Support compression override
On 20.10.2023 19.34, Khem Raj wrote: > it seems you are quite sensitive to size, I wonder if opkg backend is > better suited for your usecase than rpm. Hi Khem, thanks for the idea. We used opkg a few years ago, however certain technical reasons were in favor of rpm which we have used since. Perhaps we have a bit different view, smaller image means for us spending less time building, booting and flashing firmware (i.e. not just disk space consumption alone). -Niko -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189644): https://lists.openembedded.org/g/openembedded-core/message/189644 Mute This Topic: https://lists.openembedded.org/mt/102080114/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [kirkstone][PATCH] package_rpm: Allow compression mode override
From: Niko Mauno
Commit 4a4d5f78a6962dda5f63e9891825c80a8a87bf66 ("package_rpm: use zstd
instead of xz") changed the rpm package compressor from 'xz' to 'zstd'
which results in decompression failure with BusyBox-provided 'rpm2cpio'
applet and 'rpm' applet when given the '-i' (Install package) option:
rpm2cpio: no gzip/bzip2/xz magic
Introduce a variable which makes it possible to use a different
compression mode, making it possible to override the default value for
example like
RPMBUILD_COMPMODE = "${@'w6T%d.xzdio' % int(d.getVar('XZ_THREADS'))}"
to enable rpm decompression without including the full rpm package in
the resulting root filesystem.
(From OE-Core rev: a40d9258148e28cbee2168c93179cd4c1232fb62)
Signed-off-by: Niko Mauno
Signed-off-by: Richard Purdie
---
meta/classes/package_rpm.bbclass | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/meta/classes/package_rpm.bbclass b/meta/classes/package_rpm.bbclass
index bbbef3793f..f403af5343 100644
--- a/meta/classes/package_rpm.bbclass
+++ b/meta/classes/package_rpm.bbclass
@@ -4,6 +4,7 @@ IMAGE_PKGTYPE ?= "rpm"
RPM="rpm"
RPMBUILD="rpmbuild"
+RPMBUILD_COMPMODE ?= "${@'w19T%d.zstdio' % int(d.getVar('ZSTD_THREADS'))}"
PKGWRITEDIRRPM = "${WORKDIR}/deploy-rpms"
@@ -652,6 +653,7 @@ python do_package_rpm () {
# Setup the rpmbuild arguments...
rpmbuild = d.getVar('RPMBUILD')
+rpmbuild_compmode = d.getVar('RPMBUILD_COMPMODE')
targetsys = d.getVar('TARGET_SYS')
targetvendor = d.getVar('HOST_VENDOR')
@@ -678,8 +680,8 @@ python do_package_rpm () {
cmd = cmd + " --define '_use_internal_dependency_generator 0'"
cmd = cmd + " --define '_binaries_in_noarch_packages_terminate_build 0'"
cmd = cmd + " --define '_build_id_links none'"
-cmd = cmd + " --define '_binary_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
-cmd = cmd + " --define '_source_payload w19T%d.zstdio'" %
int(d.getVar("ZSTD_THREADS"))
+cmd = cmd + " --define '_source_payload %s'" % rpmbuild_compmode
+cmd = cmd + " --define '_binary_payload %s'" % rpmbuild_compmode
cmd = cmd + " --define 'clamp_mtime_to_source_date_epoch 1'"
cmd = cmd + " --define 'use_source_date_epoch_as_buildtime 1'"
cmd = cmd + " --define '_buildhost reproducible'"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189734):
https://lists.openembedded.org/g/openembedded-core/message/189734
Mute This Topic: https://lists.openembedded.org/mt/102203010/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] image_types.bbclass: Use xz default compression preset level
From: Niko Mauno
Commit ef0654f1453ff0afe98d7e921626b2a96cf2f6f6
("Set XZ_COMPRESSION_LEVEL to -9") changed the xz compression preset
level from previous value of -3 to -9. The commit message explains that
the change was made in order to be consistent with other compressors
that also use their best compression. However looking at xz man page,
under the compression preset level selection chapter there is mentioned
that
The differences between the presets are more significant than with
gzip(1) and
bzip2(1). The selected compression settings determine the memory
requirements of
the decompressor, thus using a too high preset level might make it
painful to
decompress the file on an old system with little RAM. Specifically, it's
not a
good idea to blindly use -9 for everything like it often is with
gzip(1) and
bzip2(1).
which is then followed by a table, which mentions that the decompressor
memory requirement for preset -9 is 65 MiB, whereas for xz default
preset -6 it is just 9 MiB. Given that the use case where a device
running a Yocto generated Linux OS decompresses an ext4 root filesystem
image to non-volatile memory as part of firmware upgrade process is not
far-fetched, and considering that a range of these devices can run low
on available RAM when there are other applications running at the same
time, the lower decompressor memory requirement of the default preset
level makes sense in order to prevent an OOM situation from occurring.
This change was tested on a 32 CPU core build host with 128 GB RAM by
issuing
$ bitbake -c cleansstate core-image-minimal core-image-sato
$ time bitbake core-image-minimal
$ time bitbake core-image-sato
With MACHINE="qemux86-64" and IMAGE_FSTYPES="ext4 ext4.xz" using
XZ_COMPRESSION_LEVEL values "-6" and "-9". In both cases the resulting
'ext4' image size remained same, 38141952 bytes for core-image-minimal,
and 565043200 bytes for core-image-sato.
The observation was that with this change there is a small increase in
the resulting 'ext4.xz' file size, and a build speed improvement that
was significant for larger rootfs image.
core-image XZ real timetime deltaext4.xz size size delta
---
minimal -9 0m44.992s 15932508
minimal -6 0m42.445s-5.66%16243484 +1.95%
sato-9 2m40.828s 85080416
sato-6 1m38.891s -38.51%87447456 +2.78%
Regarding decompression speed, issuing following command in qemux86-64
target OS
$ time xz -dkc --memlimit=MEMLIMIT core-image-sato-qemux86-64.rootfs.ext4.xz
> /dev/null
using the lowest accepted value for MEMLIMIT for each case (providing a
lower value caused xz to exit with 'Memory usage limit reached' error)
showed that decompression time saw a minuscule improvement with the -6
compression preset level:
XZ MEMLIMIT real time
-
-965M0m43.83s
-6 9M0m43.28s
(In the above tables, XZ refers to XZ_COMPRESSION_LEVEL value used when
images were generated with Yocto).
Signed-off-by: Niko Mauno
---
meta/classes-recipe/image_types.bbclass | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/meta/classes-recipe/image_types.bbclass
b/meta/classes-recipe/image_types.bbclass
index 4aed64e27f..d615b41ed1 100644
--- a/meta/classes-recipe/image_types.bbclass
+++ b/meta/classes-recipe/image_types.bbclass
@@ -54,7 +54,7 @@ def imagetypes_getdepends(d):
# Sort the set so that ordering is consistant
return " ".join(sorted(deps))
-XZ_COMPRESSION_LEVEL ?= "-9"
+XZ_COMPRESSION_LEVEL ?= "-6"
XZ_INTEGRITY_CHECK ?= "crc32"
ZIP_COMPRESSION_LEVEL ?= "-9"
--
2.39.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#189794):
https://lists.openembedded.org/g/openembedded-core/message/189794
Mute This Topic: https://lists.openembedded.org/mt/102274378/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
[OE-core] [PATCH] ccache.conf: Remove obsolete configuration option
From: Niko Mauno Since ccache version 4.0, according to https://github.com/ccache/ccache/blob/master/doc/NEWS.adoc#ccache-40 * An appropriate cache directory level structure is now chosen automatically. The cache_dir_levels (CCACHE_NLEVELS) configuration option has therefore been removed. Therefore remove the option which has not been supported by ccache recipe version since Yocto Hardknott. Signed-off-by: Niko Mauno --- meta/conf/ccache.conf | 1 - 1 file changed, 1 deletion(-) diff --git a/meta/conf/ccache.conf b/meta/conf/ccache.conf index 931012dec9..4406ae561b 100644 --- a/meta/conf/ccache.conf +++ b/meta/conf/ccache.conf @@ -1,2 +1 @@ max_size = 0 -cache_dir_levels = 1 -- 2.39.2 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#189844): https://lists.openembedded.org/g/openembedded-core/message/189844 Mute This Topic: https://lists.openembedded.org/mt/102297730/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
