Message ID | 20230728093950.12046-1-alex.kiernan@gmail.com |
---|---|
State | Accepted, archived |
Commit | a1c81ac4a869cc57394071ace2ca086eb8ac47a4 |
Series | [1/2] base-passwd: Add the sgx group |
On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote: > > To avoid errors from eudev/udev we need an sgx group, but if we add it > via groupadd that causes shadow login to be brought into an image, which > causes images which have CONFIG_MULTIUSER unset to fail with `setgid: > Function not implemented` as shadow's login doesn't implement the > heuristics which busybox has to handle this kernel configuration. Firstly, thank you very much for fixing this. I was having lots of trouble with it. I just wanted to point out that the underlying sgx issue is unique to Intel/x86. So, it might make sense to only apply this patch in this case. Thanks, Jon > Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> > --- > > .../0001-base-passwd-Add-the-sgx-group.patch | 30 +++++++++++++++++++ > .../base-passwd/base-passwd_3.6.1.bb | 1 + > 2 files changed, 31 insertions(+) > create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch > > diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch > new file mode 100644 > index 000000000000..e1340e1b70cf > --- /dev/null > +++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch 
> @@ -0,0 +1,30 @@ > +From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001 > +From: Alex Kiernan <alexk@zuma.ai> > +Date: Fri, 28 Jul 2023 10:28:57 +0100 > +Subject: [PATCH] base-passwd: Add the sgx group > + > +To avoid errors from eudev/udev we need an sgx group, but if we add it > +via groupadd that causes shadow login to be brought into an image, which > +causes images which have CONFIG_MULTIUSER unset to fail with `setgid: > +Function not implemented` as shadow's login doesn't implement the > +heuristics which busybox has to handle this kernel configuration. > + > +Upstream-Status: Inappropriate [oe-specific] > + > +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> > +--- > + group.master | 1 + > + 1 file changed, 1 insertion(+) > + > +diff --git a/group.master b/group.master > +index d34d2b832d43..e54fd1d2c6dc 100644 > +--- a/group.master > ++++ b/group.master > +@@ -34,6 +34,7 @@ video:*:44: > + sasl:*:45: > + plugdev:*:46: > + kvm:*:47: > ++sgx:*:48: > + staff:*:50: > + games:*:60: > + shutdown:*:70: > diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb > index 204016b3e72e..44bcfb019930 100644 > --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb > +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb 
> @@ -13,6 +13,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar > file://0005-Add-kvm-group.patch \ > file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \ > file://0007-Add-wheel-group.patch \ > + file://0001-base-passwd-Add-the-sgx-group.patch \ > " > > SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af" > -- > 2.39.0
On Fri, Jul 28, 2023 at 1:52 PM Jon Mason <jdmason@kudzu.us> wrote: > > On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote: > > > > To avoid errors from eudev/udev we need an sgx group, but if we add it > > via groupadd that causes shadow login to be brought into an image, which > > causes images which have CONFIG_MULTIUSER unset to fail with `setgid: > > Function not implemented` as shadow's login doesn't implement the > > heuristics which busybox has to handle this kernel configuration. > > Firstly, thank you very much for fixing this. I was having lots of > trouble with it. > > I just wanted to point out that the underlying sgx issue is unique to > Intel/x86. So, it might make sense to only apply this patch in this > case. > You get the noise from eudev on everything (I'm deploying onto aarch64), I guess because it fails at parse time and everyone gets the same rules. Obviously we could try for an sgx only rule on x86, but tbh that feels like way too much effort! I think we want something like this on poky-tiny so this doesn't regress: diff --git a/meta-poky/conf/distro/poky-tiny.conf b/meta-poky/conf/distro/poky-tiny.conf index f65d2dabf3af..728d161d59af 100644 --- a/meta-poky/conf/distro/poky-tiny.conf +++ b/meta-poky/conf/distro/poky-tiny.conf @@ -122,3 +122,7 @@ SKIP_RECIPE[core-image-weston] = "not buildable with poky-tiny" # Disable python usage in opkg-utils since it won't build with tiny config PACKAGECONFIG:remove:pn-opkg-utils = "python" + +# If shadow-base is brought into the image, logins will fail because it +# doesn't have the heuristics to work when CONFIG_MULTIUSER is unset. +PACKAGE_EXCLUDE:poky-tiny = "shadow-base" > Thanks, > Jon 
> > > Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> > > --- > > > > .../0001-base-passwd-Add-the-sgx-group.patch | 30 +++++++++++++++++++ > > .../base-passwd/base-passwd_3.6.1.bb | 1 + > > 2 files changed, 31 insertions(+) > > create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch > > > > diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch > > new file mode 100644 > > index 000000000000..e1340e1b70cf > > --- /dev/null > > +++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch > > @@ -0,0 +1,30 @@ > > +From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001 > > +From: Alex Kiernan <alexk@zuma.ai> > > +Date: Fri, 28 Jul 2023 10:28:57 +0100 > > +Subject: [PATCH] base-passwd: Add the sgx group > > + > > +To avoid errors from eudev/udev we need an sgx group, but if we add it > > +via groupadd that causes shadow login to be brought into an image, which > > +causes images which have CONFIG_MULTIUSER unset to fail with `setgid: > > +Function not implemented` as shadow's login doesn't implement the > > +heuristics which busybox has to handle this kernel configuration. > > + > > +Upstream-Status: Inappropriate [oe-specific] > > + > > +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> > > +--- > > + group.master | 1 + > > + 1 file changed, 1 insertion(+) > > + > > +diff --git a/group.master b/group.master > > +index d34d2b832d43..e54fd1d2c6dc 100644 > > +--- a/group.master > > ++++ b/group.master > > +@@ -34,6 +34,7 @@ video:*:44: > > + sasl:*:45: > > + plugdev:*:46: > > + kvm:*:47: > > ++sgx:*:48: > > + staff:*:50: > > + games:*:60: > > + shutdown:*:70: > > diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb > > index 204016b3e72e..44bcfb019930 100644 
> > --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb > > +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb > > @@ -13,6 +13,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar > > file://0005-Add-kvm-group.patch \ > > file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \ > > file://0007-Add-wheel-group.patch \ > > + file://0001-base-passwd-Add-the-sgx-group.patch \ > > " > > > > SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af" > > -- > > 2.39.0
On Fri, 2023-07-28 at 15:01 +0100, Alex Kiernan wrote: > On Fri, Jul 28, 2023 at 1:52 PM Jon Mason <jdmason@kudzu.us> wrote: > > > > On Fri, Jul 28, 2023 at 5:40 AM Alex Kiernan <alex.kiernan@gmail.com> wrote: > > > > > > To avoid errors from eudev/udev we need an sgx group, but if we add it > > > via groupadd that causes shadow login to be brought into an image, which > > > causes images which have CONFIG_MULTIUSER unset to fail with `setgid: > > > Function not implemented` as shadow's login doesn't implement the > > > heuristics which busybox has to handle this kernel configuration. > > > > Firstly, thank you very much for fixing this. I was having lots of > > trouble with it. > > > > I just wanted to point out that the underlying sgx issue is unique to > > Intel/x86. So, it might make sense to only apply this patch in this > > case. > > > > You get the noise from eudev on everything (I'm deploying onto > aarch64), I guess because it fails at parse time and everyone gets the > same rules. Obviously we could try for an sgx only rule on x86, but > tbh that feels like way too much effort! FWIW I agree and merged this as the best of the bad options. > > I think we want something like this on poky-tiny so this doesn't regress: > > diff --git a/meta-poky/conf/distro/poky-tiny.conf > b/meta-poky/conf/distro/poky-tiny.conf > index f65d2dabf3af..728d161d59af 100644 > --- a/meta-poky/conf/distro/poky-tiny.conf > +++ b/meta-poky/conf/distro/poky-tiny.conf > @@ -122,3 +122,7 @@ SKIP_RECIPE[core-image-weston] = "not buildable > with poky-tiny" > > # Disable python usage in opkg-utils since it won't build with tiny config > PACKAGECONFIG:remove:pn-opkg-utils = "python" > + > +# If shadow-base is brought into the image, logins will fail because it > +# doesn't have the heuristics to work when CONFIG_MULTIUSER is unset. > +PACKAGE_EXCLUDE:poky-tiny = "shadow-base" A patch would be welcome for that please! Cheers, Richard
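Review bot: In the proposed poky-tiny.conf hunk, `PACKAGE_EXCLUDE:poky-tiny = "shadow-base"` combines an override with a plain `=`, so whenever the override is active it replaces any PACKAGE_EXCLUDE value set without an override elsewhere instead of adding to it. The file is already the poky-tiny distro configuration, so `PACKAGE_EXCLUDE:append = " shadow-base"` would add the exclusion without discarding other entries. The added comment could also state that the exclusion is there as a regression guard, which is the reason given in the mail but not in the hunk.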
diff --git a/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch new file mode 100644 index 000000000000..e1340e1b70cf --- /dev/null +++ b/meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch @@ -0,0 +1,30 @@ +From 9e57771d138ac423d5139b984b8c869122ce4976 Mon Sep 17 00:00:00 2001 +From: Alex Kiernan <alexk@zuma.ai> +Date: Fri, 28 Jul 2023 10:28:57 +0100 +Subject: [PATCH] base-passwd: Add the sgx group + +To avoid errors from eudev/udev we need an sgx group, but if we add it +via groupadd that causes shadow login to be brought into an image, which +causes images which have CONFIG_MULTIUSER unset to fail with `setgid: +Function not implemented` as shadow's login doesn't implement the +heuristics which busybox has to handle this kernel configuration. + +Upstream-Status: Inappropriate [oe-specific] + +Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> +--- + group.master | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/group.master b/group.master +index d34d2b832d43..e54fd1d2c6dc 100644 +--- a/group.master ++++ b/group.master +@@ -34,6 +34,7 @@ video:*:44: + sasl:*:45: + plugdev:*:46: + kvm:*:47: ++sgx:*:48: + staff:*:50: + games:*:60: + shutdown:*:70: diff --git a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb index 204016b3e72e..44bcfb019930 100644 --- a/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb +++ b/meta/recipes-core/base-passwd/base-passwd_3.6.1.bb @@ -13,6 +13,7 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar file://0005-Add-kvm-group.patch \ file://0006-Make-it-possible-to-configure-whether-to-use-SELinux.patch \ file://0007-Add-wheel-group.patch \ + file://0001-base-passwd-Add-the-sgx-group.patch \ " SRC_URI[sha256sum] = "6ff369be59d586ba63c0c5fcb00f75f9953fe49db88bc6c6428f2c92866f79af"
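Review bot: In the embedded group.master hunk, `sgx:*:48:` takes a fixed GID in the gap between `kvm:*:47:` and `staff:*:50:`, but the patch description does not say why 48 was picked. The patch is marked `Upstream-Status: Inappropriate [oe-specific]`, so a later upstream base-passwd release that assigns 48 to another group would clash on rebase; one sentence in the description recording that 48 is an OE-local allocation would make that conflict easy to spot.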
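Review bot: In the base-passwd_3.6.1.bb hunk, the new SRC_URI entry is named `0001-base-passwd-Add-the-sgx-group.patch` but is listed after `0007-Add-wheel-group.patch`, so the numeric prefix no longer matches the order in which the patches are listed. Renaming it to continue the existing series (for example `0008-Add-sgx-group.patch`) would keep the list self-describing.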
To avoid errors from eudev/udev we need an sgx group, but if we add it via groupadd that causes shadow login to be brought into an image, which causes images which have CONFIG_MULTIUSER unset to fail with `setgid: Function not implemented` as shadow's login doesn't implement the heuristics which busybox has to handle this kernel configuration. Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com> --- .../0001-base-passwd-Add-the-sgx-group.patch | 30 +++++++++++++++++++ .../base-passwd/base-passwd_3.6.1.bb | 1 + 2 files changed, 31 insertions(+) create mode 100644 meta/recipes-core/base-passwd/base-passwd/0001-base-passwd-Add-the-sgx-group.patch
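An added example, not part of the patch or of OpenEmbedded: a build-time check for the condition the commit message describes, where udev rules assign a group that the image's group file does not define. The rule lines are constructed samples and the function names are hypothetical; the group entries are the ones visible in the group.master hunk.

```python
import re

# Matches the assignment forms GROUP="name" and GROUP:="name",
# but not the match forms GROUP=="name" or GROUP!="name".
_GROUP_ASSIGN = re.compile(r'\bGROUP\s*:?=(?!=)\s*"([^"]+)"')


def defined_groups(group_text):
    """Return the group names present in /etc/group style text."""
    names = set()
    for line in group_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def rule_groups(rules_text):
    """Map each group name assigned by a udev rule to its line numbers."""
    found = {}
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for name in _GROUP_ASSIGN.findall(line):
            if not name.isdigit():  # numeric GIDs need no group entry
                found.setdefault(name, []).append(lineno)
    return found


def missing_groups(rules_text, group_text):
    """Groups that the rules assign but the group file lacks."""
    have = defined_groups(group_text)
    return {g: n for g, n in rule_groups(rules_text).items() if g not in have}


# Constructed sample rules (not taken from the page).
RULES = """\
SUBSYSTEM=="misc", KERNEL=="sgx_enclave", GROUP="sgx", MODE="0660"
KERNEL=="kvm", GROUP="kvm", MODE="0660"
SUBSYSTEM=="video4linux", GROUP="video", MODE="0660"
"""

# Group entries as shown in the group.master hunk, before and after the patch.
GROUP_BEFORE = "video:*:44:\nsasl:*:45:\nplugdev:*:46:\nkvm:*:47:\nstaff:*:50:\n"
GROUP_AFTER = GROUP_BEFORE + "sgx:*:48:\n"

if __name__ == "__main__":
    print("before patch:", missing_groups(RULES, GROUP_BEFORE))
    print("after patch: ", missing_groups(RULES, GROUP_AFTER))
```

Run against a real rootfs by passing the concatenated contents of its udev rules directories and its `/etc/group`.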