Hi Qi,

This seems to solve the issue, though I'm not sure this behaviour was intended 
in the original commit by Richard. Anyways, thanks a lot!

--Adrian
________________________________
From: Chen, Qi <qi.c...@windriver.com>
Sent: Wednesday, April 5, 2023 6:17 PM
To: Chen, Qi <qi.c...@windriver.com>; Adrian Dudau 
<adrian.du...@keyfactor.com>; Bruce Ashfield <bruce.ashfi...@gmail.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org 
<yocto@lists.yoctoproject.org>
Subject: RE: [yocto] error when try to use sudo command in recipe



This problem just bumped into my head so I did a little more investigation.

The root cause is that bitbake-worker uses a new user namespace if possible.

The commit in bitbake/poky repo is the following one.

“””

bitbake: utils: Add disable_network function

“””

The key codes are: libc.unshare(CLONE_NEWNET | CLONE_NEWUSER)



To make things work in your case, the simplest way is to set: 
do_install[network] = "1", so that the above codes are not run for this task.



Regards,

Qi
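
[Added example, not part of the original message and not BitBake's own code.] The ownership change behind the sudo errors can be reproduced outside BitBake by making the same unshare(CLONE_NEWNET | CLONE_NEWUSER) call in a forked child and comparing the owner uid of a file before and after. The helper names, the use of ctypes and the read of /proc/sys/kernel/overflowuid are choices made for this example.

```python
import ctypes
import os

# Flag values from <sched.h>
CLONE_NEWUSER = 0x10000000
CLONE_NEWNET = 0x40000000


def overflow_uid():
    """UID the kernel reports for an owner that has no mapping in the namespace."""
    try:
        with open("/proc/sys/kernel/overflowuid") as f:
            return int(f.read())
    except OSError:
        return 65534  # kernel default


def owner_seen_after_unshare(path="/usr/bin/sudo"):
    """Return (uid_before, uid_after) for the owner of path.

    uid_after is None when the kernel refuses to create the namespaces.
    """
    uid_before = os.stat(path).st_uid
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child process: single-threaded, which CLONE_NEWUSER requires.
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            if libc.unshare(CLONE_NEWNET | CLONE_NEWUSER) == 0:
                # No uid_map is written here, so uid 0 has no mapping.
                os.write(w, str(os.stat(path).st_uid).encode())
        finally:
            os._exit(0)
    os.close(w)
    with os.fdopen(r) as f:
        reply = f.read()
    os.waitpid(pid, 0)
    return uid_before, (int(reply) if reply.isdigit() else None)


if __name__ == "__main__":
    before, after = owner_seen_after_unshare()
    print("owner uid before unshare:", before)
    if after is None:
        print("unshare refused; user namespaces are not available here")
    else:
        print("owner uid after unshare:", after, "overflowuid:", overflow_uid())
```

Where unprivileged user namespaces are permitted, the root-owned file is reported with the overflow uid after the call, the same 65534 that sudo rejects in the build log quoted further down the thread.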



From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf Of 
Chen Qi via lists.yoctoproject.org
Sent: Tuesday, April 4, 2023 6:02 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>; Bruce Ashfield 
<bruce.ashfi...@gmail.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] error when try to use sudo command in recipe



I haven’t done any further investigation, but I don’t think this problem is 
related to pseudo.

On one hand, /usr directory is ignored as it’s in PSEUDO_IGNORE_PATHS; on the 
other hand, LD_PRELOAD does not have effect on setuid programs such as sudo.



Unfortunately I don’t have any clue. Another trick Yocto does is uninative. Not 
sure if it’s related.



Regards,

Qi





From: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org> On Behalf 
Of Adrian Dudau
Sent: Tuesday, April 4, 2023 4:00 PM
To: Bruce Ashfield <bruce.ashfi...@gmail.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org
Subject: Re: [yocto] error when try to use sudo command in recipe



I sent an email to the meta-virtualization list describing what I'm trying to 
achieve and see if others have further ideas.



However, I would still like to continue investigating this sudo bug as it is 
quite annoying.

Even when running under pseudo, I don't see why the binary would show as not 
owned by the root user.

Dropping down to the devshell, the binary seems to have the right owner:



 ls -l /usr/bin/sudo
-rwsr-xr-x 1 root root 232416 Mar  1 13:59 /usr/bin/sudo



So any other input to put me on the right tracks would be appreciated.



--Adrian





________________________________

From: Bruce Ashfield <bruce.ashfi...@gmail.com>
Sent: Monday, April 3, 2023 5:59 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>
Cc: Khem Raj <raj.k...@gmail.com>; yocto@lists.yoctoproject.org 
<yocto@lists.yoctoproject.org>
Subject: Re: [yocto] error when try to use sudo command in recipe










On Mon, Apr 3, 2023 at 11:42 AM Adrian Dudau 
<adrian.du...@keyfactor.com> wrote:

Hi Khem,



Thanks for the reply, though I am not sure I fully understand the first part of 
your answer. I'm trying to do something similar to the thread creator, i.e 
running "podman pull" at build time to populate an image store that I can later 
install into the target rootfs.





FWIW. The above is something that I have almost working, but had to drop the 
completion of the support for the upcoming release (it was too late, and I had 
to get some kernel changes done). I'm hoping to have something usable in the 
next few months.



If you are trying to generate containers (I don't recommend pulling them) and 
installing them into a container store that is part of the rootfs, then 
collaborating on the meta-virtualization mailing list is a good starting point.



Bruce





Still, I am failing to understand why /usr/bin/sudo doesn't show up as owned by 
the root user, even when running under pseudo. Also, why has this changed 
between Dunfell and master and where exactly has the change happened.



Best regards,

--Adrian

________________________________

From: Khem Raj <raj.k...@gmail.com>
Sent: Monday, April 3, 2023 4:57 PM
To: Adrian Dudau <adrian.du...@keyfactor.com>
Cc: yocto@lists.yoctoproject.org <yocto@lists.yoctoproject.org>
Subject: Re: [yocto] error when try to use sudo command in recipe










On Mon, Apr 3, 2023 at 12:25 AM <adrian.du...@keyfactor.com> wrote:

On Mon, Feb 6, 2023 at 01:13 AM, Richard Purdie wrote:
Hi Richard,

Jumping on this thread to provide some clarifications as I hit the same bug.
I can confirm that this is not an environment issue. I could reproduce it by 
adding a sudo call in an empty recipe like this:

SUMMARY = ""
HOMEPAGE = ""
LICENSE = ""
SECTION = ""
DEPENDS = ""

SRC_URI = ""

do_install() {
    ls -l /usr/bin/sudo
    sudo ls -l /usr/bin/sudo
}



Builds already use a fake root environment using pseudo to intercept the calls 
so this might not be out of line here. What is the original issue you are 
running into?




Running bitbake barebone on my x86 machine produces this error:

| -rwxr-xr-x 1 nobody 65534 232416 Mar  1 13:59 /usr/bin/sudo
| sudo: /etc/sudo.conf is owned by uid 65534, should be 0
| sudo: /etc/sudo.conf is owned by uid 65534, should be 0
| sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
| sudo: /usr/libexec/sudo/sudoers.so must be owned by uid 0
| sudo: fatal error, unable to load plugins

Indeed it seems that ownership is broken somehow in the bb environment. The 
issue was introduced somewhere between dunfell and kirkstone. I know it's a 
large timespan but it's a bit time consuming to narrow it down.

Hoping to get some help on this. I would try to investigate further myself but 
I have no idea where to start to be honest.

Best regards,
--Adrian







--

- Thou shalt not follow the NULL pointer, for chaos and madness await thee at 
its end
- "Use the force Harry" - Gandalf, Star Trek II
View/Reply Online (#59701): https://lists.yoctoproject.org/g/yocto/message/59701