On Thu, 2018-08-16 at 22:33 -0700, Andre McCurdy wrote:
> On Wed, Aug 15, 2018 at 11:26 PM, Martin Hundebøll <mar...@geanix.com> wrote:
> > Hi Andre,
> >
> > On 15/08/2018 21.47, Andre McCurdy wrote:
> > > On Wed, Aug 15, 2018 at 4:59 AM, Martin Hundebøll <martin@geanix.com> wrote:
> > > > When the read-only-rootfs image feature is enabled, and openssh is
> > > > installed into an image, the ssh daemon is reconfigured to use
> > > > /var/run/ssh when generating host keys.
> > > >
> > > > Fix up the creation of the volatile dir to actually match what sshd is
> > > > configured to.
> > > >
> > > > Signed-off-by: Martin Hundebøll <mar...@geanix.com>
> > > > ---
> > > >  meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > >
> > > > diff --git a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
> > > > index a0d2af3c65..fcbc5ae9d5 100644
> > > > --- a/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
> > > > +++ b/meta/recipes-connectivity/openssh/openssh/volatiles.99_sshd
> > > > @@ -1,2 +1,2 @@
> > > > -d root root 0755 /var/run/sshd none
> > > > +d root root 0755 /var/run/ssh none
> > >
> > > This doesn't look right.
> > >
> > > /var/run/sshd is the directory used for privilege separation (grep for
> > > --with-privsep-path), so it's not correct to remove it.
> >
> > I see - didn't know about openssh chrooting to do privilege separation.
> >
> > > Note that sshd_check_keys script runs "mkdir -p $SYSCONFDIR" (ie
> > > /var/run/ssh in the read-only rootfs case) at run time before creating
> > > any keys.
> >
> > Yes, it works without the volatile folder; for openssh at least.
> >
> > > What exactly was the problem that this patch tries to fix?
> >
> > I am running a custom image with the read-only-rootfs feature enabled, and
> > wanted to make the ssh host keys persistent across reboots.
>
> That should be possible by following the steps described in:
>
> http://git.openembedded.org/openembedded-core/commit/?id=106b59d9f96f70d133fa1421091ad280d27a5b6a
>
> ie add something like the following to a .bbappend:
>
> export SYSCONFDIR = "/data/ssh"
>
> do_install_append () {
>     sed 's|HostKey /var/run/ssh|HostKey /data/ssh|g' -i ${D}${sysconfdir}/ssh/sshd_config_readonly
> }
>
> The openssh init script has changed a little since then, but I think
> the same basic approach should still work (and if it doesn't we should
> fix things so it does).
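Review bot: the hunk replaces the only existing entry rather than adding a new one, so /var/run/sshd, which sshd uses as its privilege-separation directory (built with --with-privsep-path), is no longer created; that is a regression, not a rename. If a /var/run/ssh entry is wanted at all, keep the existing line and add `d root root 0755 /var/run/ssh none` as a second line. Note though that sshd_check_keys already runs `mkdir -p $SYSCONFDIR` before generating keys, so the extra entry is not needed for key generation, and a directory under the volatile /var/run does not give the persistence across reboots the commit message is actually after.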
FWIW, we use volatiles to accomplish something similar:

# cat /etc/default/volatiles/99_sshd
d root root 0755 /data/var/run/ssh none
l root root 0755 /var/run/ssh /data/var/run/ssh

>
> > At first, I tried adding a bind-mount entry to fstab from /data/ssh to
> > /var/run/ssh, but the latter doesn't exist when mountall.sh is executed by RC
> > (/data is the mountpoint of a persistent partition).
> >
> > I then looked at the volatile entries and noticed that it created the
> > (empty) /var/run/sshd, so changed it to (wrongly) create /var/run/ssh
> > instead.
> >
> > That wasn't enough though, since populate-volatiles.sh comes after
> > mountall.sh.
> >
> > In the end I simply added a new entry to volatiles to create a symlink from
> > /var/run/ssh to /data/ssh, which works for me :)
> >
> > Maybe I should change the patch to add a comment about the /var/run/sshd
> > entry, so we don't end up making mistakes like the debian-predictable-keys
> > story.
> >
> > // Martin

-- 
Joshua Watt <jpewhac...@gmail.com>

_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
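As an added example (not code from this thread and not OE-core's own populate-volatiles.sh), the script below re-implements the d, f and l entry types of a volatiles file under a throwaway prefix so it can run unprivileged, applies Joshua's two 99_sshd lines together with the recipe's original /var/run/sshd entry, and checks the result against the two points raised in the thread: the privilege-separation directory must still exist, and /var/run/ssh must resolve onto the persistent /data partition. It also runs the entry from the patch under review and shows why that layout is rejected. The /data path, the skipped chown, and the check function itself are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OE-core code: a minimal stand-in for populate-volatiles.sh
# entry handling, run under a scratch prefix instead of /.
# Entry format, one per line:  <type> <owner> <group> <mode> <path> <target|none>
# Ownership is deliberately not applied (it needs root); only paths, modes, links.

# Constructed entries: Joshua's two 99_sshd lines plus the /var/run/sshd entry
# from the unpatched recipe. /data is assumed to be the persistent partition.
VOLATILES_OK='d root root 0755 /var/run/sshd none
d root root 0755 /data/var/run/ssh none
l root root 0755 /var/run/ssh /data/var/run/ssh'

# Constructed entry: the patch under review, which drops the privsep directory
# and creates /var/run/ssh as a plain directory on the volatile /var/run.
VOLATILES_BAD='d root root 0755 /var/run/ssh none'

# apply_volatiles PREFIX   (entries on stdin)
apply_volatiles() {
    prefix=$1
    while read -r type owner group mode path target; do
        case $type in
            ''|\#*) ;;   # blank line or comment
            d) mkdir -p "$prefix$path" && chmod "$mode" "$prefix$path" ;;
            f) mkdir -p "$(dirname "$prefix$path")" \
               && : > "$prefix$path" && chmod "$mode" "$prefix$path" ;;
            # The link target is kept literal, as it would be on a real system.
            l) mkdir -p "$(dirname "$prefix$path")" \
               && rm -f "$prefix$path" && ln -s "$target" "$prefix$path" ;;
            *) echo "apply_volatiles: unknown entry type '$type'" >&2; return 1 ;;
        esac
    done
}

# check_sshd_layout PREFIX -> 0 if the layout is sound, 1 otherwise (assumed checks)
check_sshd_layout() {
    prefix=$1
    # sshd uses /var/run/sshd for privilege separation; it has to exist.
    if [ ! -d "$prefix/var/run/sshd" ]; then
        echo "missing privilege separation dir /var/run/sshd" >&2
        return 1
    fi
    # On a read-only rootfs the host keys live in /var/run/ssh; for them to
    # survive a reboot that path must be a link into the persistent partition.
    if [ ! -L "$prefix/var/run/ssh" ]; then
        echo "/var/run/ssh is not a symlink into persistent storage" >&2
        return 1
    fi
    case $(readlink "$prefix/var/run/ssh") in
        /data/*) return 0 ;;
        *) echo "/var/run/ssh does not point under /data" >&2; return 1 ;;
    esac
}

demo() {
    for entries in "$VOLATILES_OK" "$VOLATILES_BAD"; do
        root=$(mktemp -d)
        printf '%s\n' "$entries" | apply_volatiles "$root"
        if check_sshd_layout "$root"; then
            echo "accepted: $root"
        else
            echo "rejected: $root"
        fi
        rm -rf "$root"
    done
}

demo
```

The first entry set is accepted and the second rejected because /var/run/sshd is gone. The symlink approach also sidesteps the ordering problem Martin hit with a bind mount: populate-volatiles.sh runs after mountall.sh, so by the time the link is created /data is already mounted.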