On Wed, Aug 15, 2018 at 11:26 PM, Martin Hundebøll <mar...@geanix.com> wrote:
> Hi Andre,
>
> On 15/08/2018 21.47, Andre McCurdy wrote:
>>
>> On Wed, Aug 15, 2018 at 4:59 AM, Martin Hundebøll <mar...@geanix.com>
>> wrote:
>>>
>>> When the read-only-rootfs image feature is enabled, and openssh is
>>> installed into an image, the ssh daemon is reconfigured to use
>>> /var/run/ssh when generating host keys.
>>>
>>> Fix up the creation of the volatile dir to actually match what sshd is
>>> configured to.
>>>
>>> Signed-off-by: Martin Hundebøll <mar...@geanix.com>
>>> ---
>>> meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> index a0d2af3c65..fcbc5ae9d5 100644
>>> --- a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
>>> @@ -1,2 +1,2 @@
>>> -d root root 0755 /var/run/sshd none
>>> +d root root 0755 /var/run/ssh none
>>
>> This doesn't look right.
>>
>> /var/run/sshd is the directory used for privilege separation (grep for
>> --with-privsep-path ), so it's not correct to remove it.
>
> I see - didn't know about openssh chrooting to do privilege separation.
>
>> Note that the sshd_check_keys script runs "mkdir -p $SYSCONFDIR" (i.e.
>> /var/run/ssh in the read-only rootfs case) at run time before creating
>> any keys.
>
> Yes, it works without the volatile folder; for openssh at least.
>
>> What exactly was the problem that this patch tries to fix?
>
> I am running a custom image with the read-only-rootfs feature enabled, and
> wanted to make the ssh host keys persistent across reboots.
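Review bot: The `-d root root 0755 /var/run/sshd none` line must not be removed: /var/run/sshd is the privilege-separation directory sshd is built with (--with-privsep-path) and sshd needs it at start-up regardless of where the host keys live, so on a read-only rootfs nothing else will create it once this entry is gone. If an entry for /var/run/ssh is really wanted, add it as a second `d` line instead of replacing the first; and since sshd_check_keys already runs `mkdir -p $SYSCONFDIR` before generating keys, the commit message should say why the extra volatiles entry is needed at all.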
That should be possible by following the steps described in:

  http://git.openembedded.org/openembedded-core/commit/?id=106b59d9f96f70d133fa1421091ad280d27a5b6a

i.e. add something like the following to a .bbappend:

  # directory sshd_check_keys creates the host keys in
  # (defaults to /var/run/ssh on a read-only rootfs)
  export SYSCONFDIR = "/data/ssh"

  do_install_append () {
      # point the read-only config's HostKey lines at the same directory
      sed 's|HostKey /var/run/ssh|HostKey /data/ssh|g' -i ${D}${sysconfdir}/ssh/sshd_config_readonly
  }

The openssh init script has changed a little since then, but I think the
same basic approach should still work (and if it doesn't we should fix
things so it does).

> At first, I tried adding a bind-mount entry to fstab from /data/ssh to
> /var/run/ssh, but the latter doesn't exist when mountall.sh is executed by RC
> (/data is the mountpoint of a persistent partition).
>
> I then looked at the volatile entries and noticed that it created the
> (empty) /var/run/sshd, so changed it to (wrongly) create /var/run/ssh
> instead.
>
> That wasn't enough though, since populate-volatiles.sh comes after
> mountall.sh.
>
> In the end I simply added a new entry to volatiles to create a symlink from
> /var/run/ssh to /data/ssh, which works for me :)
>
> Maybe I should change the patch to add a comment about the /var/run/sshd
> entry, so we don't end up making mistakes like the debian-predictable-keys
> story.
>
> // Martin

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
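The two pieces the thread turns on, as an added example that is not code from the thread or from OE-core: rewriting the HostKey lines of sshd_config_readonly to a persistent directory (what the sed in the .bbappend above does), and the run-time directories sshd needs at boot, namely the /var/run/sshd privilege-separation directory that the patch removed and the key directory, reached here through a /var/run/ssh -> /data/ssh symlink as in Martin's volatiles entry. Everything runs against a scratch root so it works offline; /data/ssh, the sample config contents and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread or OE-core. Exercises, in a scratch root,
# the config rewrite and the run-time directory layout discussed above.
# Assumptions: /data/ssh as the persistent key dir, a constructed config file.

# write_sample_config FILE: a constructed sshd_config_readonly, not a real one;
# it carries the HostKey lines pointing at the read-only-rootfs default dir.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample config (not shipped by OE-core)
HostKey /var/run/ssh/ssh_host_rsa_key
HostKey /var/run/ssh/ssh_host_ecdsa_key
HostKey /var/run/ssh/ssh_host_ed25519_key
PermitRootLogin no
EOF
}

# rewrite_hostkey_paths FILE OLD_DIR NEW_DIR: point every HostKey line at
# NEW_DIR. Anchored at line start and on the trailing slash so the pattern for
# /var/run/ssh cannot accidentally touch a path under /var/run/sshd.
rewrite_hostkey_paths() {
    sed "s|^HostKey $2/|HostKey $3/|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# count_hostkeys_in FILE DIR: number of HostKey lines that point into DIR.
count_hostkeys_in() {
    n=$(grep -c "^HostKey $2/" "$1") || n=0   # grep -c exits 1 on zero matches
    echo "$n"
}

# make_privsep_dir ROOT: the volatiles entry the patch dropped, kept here;
# sshd needs this directory at start-up whatever the key location is.
make_privsep_dir() {
    mkdir -p "$1/var/run/sshd" && chmod 0755 "$1/var/run/sshd"
}

# link_keydir ROOT PERSIST: create ROOT/var/run/ssh -> PERSIST, the symlink
# form of the volatiles entry. Unlike an fstab bind mount, the link can be
# created before PERSIST is mounted; it simply dangles until then.
link_keydir() {
    mkdir -p "$1/var/run"
    [ -L "$1/var/run/ssh" ] || ln -s "$2" "$1/var/run/ssh"
}

# sshd_runtime_dirs_ok ROOT: succeeds only when both the privsep dir and the
# key dir (followed through the symlink) exist, i.e. once the persistent
# partition is actually mounted. Use it as a pre-start check for sshd.
sshd_runtime_dirs_ok() {
    [ -d "$1/var/run/sshd" ] && [ -d "$1/var/run/ssh" ]
}
```

Running the functions in order against a temporary root shows the ordering problem from the thread: after link_keydir the symlink exists, but sshd_runtime_dirs_ok still fails until the directory behind it (the mounted /data/ssh) appears, which is exactly why a symlink entry works where a bind mount at mountall.sh time did not.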