Patchwork [V2,10/10] openssh: make /etc/ssh directory writable in read-only rootfs

Submitter Qi.Chen@windriver.com
Date July 29, 2013, 2:33 a.m.
Message ID <6e09df864b4a870ac23c7e443dfee302962b811b.1375065009.git.Qi.Chen@windriver.com>
Permalink /patch/54651/
State New

Comments

Qi.Chen@windriver.com - July 29, 2013, 2:33 a.m.
From: Chen Qi <Qi.Chen@windriver.com>

If the rootfs is read-only and the ssh keys are not available at system
start-up, the init script will generate ssh keys into /etc/ssh, thus
causing a 'read-only file system' error.

Make this directory writable in case of a read-only rootfs.
Note that if the ssh keys are pregenerated, they will not be lost,
as there's a copying process before bind mounting.

[YOCTO #4887]

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/recipes-connectivity/openssh/openssh_6.2p2.bb |    3 +++
 1 file changed, 3 insertions(+)
Ross Burton - July 29, 2013, 3:59 p.m.
On 29 July 2013 03:33,  <Qi.Chen@windriver.com> wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> If the rootfs is read-only and the ssh keys are not available at system
> start-up, the init script will generate ssh keys into /etc/ssh, thus
> causing a 'read-only file system' error.
>
> Make this directory writable in case of a read-only rootfs.
> Note that if the ssh keys are pregenerated, they will not be lost,
> as there's a copying process before bind mounting.

I'm not very keen on the idea of every oe-core system having a tmpfs
on /etc/openssh just for read-only-root configurations where there
isn't a pre-generated key.

At least one better option would be to handle the read-only / with no
pre-generated keys situation in the init script, and write keys to
/run.

Ross
Qi.Chen@windriver.com - July 30, 2013, 5:24 a.m.
On 07/29/2013 11:59 PM, Burton, Ross wrote:
> On 29 July 2013 03:33,  <Qi.Chen@windriver.com> wrote:
>> From: Chen Qi <Qi.Chen@windriver.com>
>>
>> If the rootfs is read-only and the ssh keys are not available at system
>> start-up, the init script will generate ssh keys into /etc/ssh, thus
>> causing a 'read-only file system' error.
>>
>> Make this directory writable in case of a read-only rootfs.
>> Note that if the ssh keys are pregenerated, they will not be lost,
>> as there's a copying process before bind mounting.
> I'm not very keen on the idea of every oe-core system having a tmpfs
> on /etc/openssh just for read-only-root configurations

I agree, especially when the configuration is not likely to change at 
runtime.

>   where there
> isn't a pre-generated key.
>
> At least one better option would be to handle the read-only / with no
> pre-generated keys situation in the init script, and write keys to
> /run.
For now, I want to use the following logic.

If the rootfs is not read-only, everything remains the same as before.

If the rootfs is read-only and there are pre-generated keys under
/etc/ssh, we use the pre-generated keys. The pre-generated keys are
mainly for debugging or development purposes.

If the rootfs is read-only and there are no pre-generated keys under 
/etc/ssh, we use /var/run/ssh as the location for ssh keys. That is, at 
system boot-up, the generated ssh keys will be put into /var/run/ssh.

What do you think about it? If it's OK, I'll send out a V3.

Best Regards,
Chen Qi
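The three-way placement logic proposed in the reply above, written out as init-script helpers. This is an added example, not code from the oe-core openssh recipe or its init script; it assumes read-only-ness is detected by probing a write in the configuration directory, that the directories are passed as parameters so it can run against a scratch directory, and that the key types are the openssh 6.2 defaults (rsa, dsa, ecdsa).

```shell
#!/bin/sh
# Added example (not the oe-core openssh recipe or its init script): the
# host-key placement logic from the thread, as init-script helpers.
# Assumed: read-only-ness is probed by creating a file in ETC_DIR;
# key types are the openssh 6.2 defaults (rsa, dsa, ecdsa).

# Exit 0 if the filesystem holding "$1" accepts writes.
is_writable() {
    probe="$1/.rw-probe.$$"
    ( : > "$probe" ) 2>/dev/null && { rm -f "$probe"; return 0; }
    return 1
}

# Exit 0 if "$1" holds a full set of pre-generated host keys.
have_pregen_keys() {
    for t in rsa dsa ecdsa; do
        [ -f "$1/ssh_host_${t}_key" ] || return 1
    done
}

# decide_keydir ROOTFS_RO(0|1) HAVE_KEYS(0|1) ETC_DIR RUN_DIR
# Pure decision, so it can be exercised without a real read-only mount.
decide_keydir() {
    if [ "$1" = 0 ]; then
        echo "$3"   # writable rootfs: behaviour unchanged
    elif [ "$2" = 1 ]; then
        echo "$3"   # read-only, keys shipped in the image
    else
        echo "$4"   # read-only, no keys: volatile dir, fresh keys each boot
    fi
}

# choose_keydir ETC_DIR RUN_DIR: probe the system, then decide.
choose_keydir() {
    ro=1; is_writable "$1" && ro=0
    keys=0; have_pregen_keys "$1" && keys=1
    decide_keydir "$ro" "$keys" "$1" "$2"
}

# Generate any missing host key in "$1". When "$1" is not /etc/ssh, sshd
# must be started with matching -h options (or HostKey lines), because
# its default key location is /etc/ssh.
generate_missing_keys() {
    mkdir -p "$1"
    for t in rsa dsa ecdsa; do
        [ -f "$1/ssh_host_${t}_key" ] ||
            ssh-keygen -q -t "$t" -N '' -f "$1/ssh_host_${t}_key"
    done
}
```

Keys that land in the volatile branch do not survive a reboot, so clients that recorded the previous host key will see a mismatch on the next connection.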

Patch

diff --git a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
index ab2eefb..a1b5e51 100644
--- a/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
+++ b/meta/recipes-connectivity/openssh/openssh_6.2p2.bb
@@ -86,6 +86,9 @@  do_install_append () {
 	install -m 0755 ${WORKDIR}/init ${D}${sysconfdir}/init.d/sshd
 	rm -f ${D}${bindir}/slogin ${D}${datadir}/Ssh.bin
 	rmdir ${D}${localstatedir}/run/sshd ${D}${localstatedir}/run ${D}${localstatedir}
+        # Create config files for read-only rootfs
+        install -d ${D}${sysconfdir}/default/readonly
+        echo "/etc/ssh /var/volatile/etc/ssh" > ${D}${sysconfdir}/default/readonly/openssh
 }
 
 ALLOW_EMPTY_${PN} = "1"
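Review bot: the added `echo "/etc/ssh /var/volatile/etc/ssh"` line makes /etc/ssh volatile on every read-only-rootfs image, so when no keys were pre-generated the host keys created at boot are lost at the next reboot and regenerated, and clients that recorded the previous key will see a host-key mismatch; the commit message covers the pre-generated case but should state this consequence for images without shipped keys, or the init script should take the /run approach raised in the thread so the recipe does not need this entry for every image. Also, the three added lines are indented with spaces while the surrounding do_install_append body uses tabs; match the existing indentation.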