meta-virtualization@lists.yoctoproject.org

Home Messages Hashtags Subgroups

Expanded

Topics Messages Polls

Export Group Data

Between

and

[kirkstone][PATCH] singularity: Skip recipe on musl builds

Andrei Gherzan

#7527

From: Andrei Gherzan <andrei.gherzan@...>

This recipe explicitely rdepends on glibc so trying to build this with
musl will break world builds.

Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
 recipes-containers/singularity/singularity_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-containers/singularity/singularity_git.bb b/recipes-containers/singularity/singularity_git.bb
index 321a9a6..8e7ab76 100644
--- a/recipes-containers/singularity/singularity_git.bb
+++ b/recipes-containers/singularity/singularity_git.bb
@@ -28,3 +28,5 @@ pkg_postinst:${PN}() {
     rm -r $D${libdir}/ssl/certs
     ln -sr $D${sysconfdir}/ssl/certs $D${libdir}/ssl
 }
+
+COMPATIBLE_HOST:libc-musl:class-target = "null"
-- 
2.25.1

[PATCH] singularity: Skip recipe on musl builds

Andrei Gherzan

#7526

From: Andrei Gherzan <andrei.gherzan@...>

This recipe explicitely rdepends on glibc so trying to build this with
musl will break world builds.

Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
---
 recipes-containers/singularity/singularity_git.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/recipes-containers/singularity/singularity_git.bb b/recipes-containers/singularity/singularity_git.bb
index 321a9a6..8e7ab76 100644
--- a/recipes-containers/singularity/singularity_git.bb
+++ b/recipes-containers/singularity/singularity_git.bb
@@ -28,3 +28,5 @@ pkg_postinst:${PN}() {
     rm -r $D${libdir}/ssl/certs
     ln -sr $D${sysconfdir}/ssl/certs $D${libdir}/ssl
 }
+
+COMPATIBLE_HOST:libc-musl:class-target = "null"
-- 
2.25.1

[PATCH] podman: update to v4.2.0

Pascal Bach

#7525

From: Pascal Bach <pascal.bach@...>

The libseccomp patch was a backport and is included in the current release.

The GOBUILDFLAGS patch is replaced by explicitly setting BUILDFLAGS="${GOBUILDFLAGS}"
in the recipe.

Signed-off-by: Pascal Bach <pascal.bach@...>
---
 ...01-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch | 123 ------------------
 ...efine-ActKillThread-equal-to-ActKill.patch |  90 -------------
 recipes-containers/podman/podman_git.bb       |  11 +-
 3 files changed, 6 insertions(+), 218 deletions(-)
 delete mode 100644 recipes-containers/podman/podman/0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch
 delete mode 100644 recipes-containers/podman/podman/0002-Define-ActKillThread-equal-to-ActKill.patch

diff --git a/recipes-containers/podman/podman/0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch b/recipes-containers/podman/podman/0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch
deleted file mode 100644
index e27e1fa..0000000
--- a/recipes-containers/podman/podman/0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From 3e18f3a4db638a3df48f49aa0a539f8bb048afc9 Mon Sep 17 00:00:00 2001
-From: Andrei Gherzan <andrei.gherzan@...>
-Date: Tue, 5 Jul 2022 11:51:56 +0200
-Subject: [PATCH] Rename BUILDFLAGS to GOBUILDFLAGS
-
-Yocto uses GOBUILDFLAGS to pass the right build flags while the Makefile
-uses BUILDFLAGS. Align them accordingly.
-
-See go.bbclass for more information.
-
-Upstream-Status: Inappropriate [OE specific]
-Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
----
- Makefile | 24 ++++++++++++------------
- 1 file changed, 12 insertions(+), 12 deletions(-)
-
-Index: import/Makefile
-===================================================================
---- import.orig/Makefile
-+++ import/Makefile
-@@ -69,7 +69,7 @@
- # triggered.
- SOURCES = $(shell find . -path './.*' -prune -o \( \( -name '*.go' -o -name '*.c' \) -a ! -name '*_test.go' \) -print)
- 
--BUILDFLAGS := -mod=vendor $(BUILDFLAGS)
-+GOBUILDFLAGS := -mod=vendor $(GOBUILDFLAGS)
- 
- BUILDTAGS_CROSS ?= containers_image_openpgp exclude_graphdriver_btrfs exclude_graphdriver_devicemapper exclude_graphdriver_overlay
- CONTAINER_RUNTIME := $(shell command -v podman 2> /dev/null || echo docker)
-@@ -264,11 +264,11 @@
- 
- .PHONY: test/checkseccomp/checkseccomp
- test/checkseccomp/checkseccomp: .gopathok $(wildcard test/checkseccomp/*.go)
--	$(GOCMD) build $(BUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS)" -o $@ ./test/checkseccomp
-+	$(GOCMD) build $(GOBUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -tags "$(BUILDTAGS)" -o $@ ./test/checkseccomp
- 
- .PHONY: test/testvol/testvol
- test/testvol/testvol: .gopathok $(wildcard test/testvol/*.go)
--	$(GOCMD) build $(BUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -o $@ ./test/testvol
-+	$(GOCMD) build $(GOBUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -o $@ ./test/testvol
- 
- .PHONY: volume-plugin-test-image
- volume-plugin-test-img:
-@@ -276,7 +276,7 @@
- 
- .PHONY: test/goecho/goecho
- test/goecho/goecho: .gopathok $(wildcard test/goecho/*.go)
--	$(GOCMD) build $(BUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -o $@ ./test/goecho
-+	$(GOCMD) build $(GOBUILDFLAGS) $(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' -o $@ ./test/goecho
- 
- test/version/version: .gopathok version/version.go
- 	$(GO) build -o $@ ./test/version/
-@@ -318,7 +318,7 @@
- 		distro for journald support."
- endif
- 	$(GOCMD) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		$(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' \
- 		-tags "$(BUILDTAGS)" \
- 		-o $@ ./cmd/podman
-@@ -329,7 +329,7 @@
- 
- $(SRCBINDIR)/podman$(BINSFX): $(SRCBINDIR) .gopathok $(SOURCES) go.mod go.sum
- 	$(GOCMD) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		$(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' \
- 		-tags "${REMOTETAGS}" \
- 		-o $@ ./cmd/podman
-@@ -339,7 +339,7 @@
- 	GOOS=$(GOOS) \
- 	GOARCH=$(GOARCH) \
- 	$(GO) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		$(GO_LDFLAGS) '$(LDFLAGS_PODMAN_STATIC)' \
- 		-tags "${REMOTETAGS}" \
- 		-o $@ ./cmd/podman
-@@ -374,7 +374,7 @@
- 	CGO_ENABLED=0 \
- 		GOOS=windows \
- 		$(GO) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		-ldflags -H=windowsgui \
- 		-o bin/windows/winpath.exe \
- 		./cmd/winpath
-@@ -393,14 +393,14 @@
- 		GOOS=darwin \
- 		GOARCH=$(GOARCH) \
- 		$(GO) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		-o bin/darwin/podman-mac-helper \
- 		./cmd/podman-mac-helper
- 
- bin/rootlessport: .gopathok $(SOURCES) go.mod go.sum
- 	CGO_ENABLED=$(CGO_ENABLED) \
- 		$(GO) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		-o $@ ./cmd/rootlessport
- 
- .PHONY: rootlessport
-@@ -423,7 +423,7 @@
- 	GOARCH="$${TARGET##*.}"; \
- 	CGO_ENABLED=0 \
- 		$(GO) build \
--		$(BUILDFLAGS) \
-+		$(GOBUILDFLAGS) \
- 		$(GO_LDFLAGS) '$(LDFLAGS_PODMAN)' \
- 		-tags '$(BUILDTAGS_CROSS)' \
- 		-o "$@" ./cmd/podman
-@@ -871,7 +871,7 @@
- .PHONY: .install.ginkgo
- .install.ginkgo: .gopathok
- 	if [ ! -x "$(GOBIN)/ginkgo" ]; then \
--		$(GO) install $(BUILDFLAGS) ./vendor/github.com/onsi/ginkgo/ginkgo ; \
-+		$(GO) install $(GOBUILDFLAGS) ./vendor/github.com/onsi/ginkgo/ginkgo ; \
- 	fi
- 
- .PHONY: .install.gitvalidation
diff --git a/recipes-containers/podman/podman/0002-Define-ActKillThread-equal-to-ActKill.patch b/recipes-containers/podman/podman/0002-Define-ActKillThread-equal-to-ActKill.patch
deleted file mode 100644
index ba51d4a..0000000
--- a/recipes-containers/podman/podman/0002-Define-ActKillThread-equal-to-ActKill.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From f2aa0359bcc776239bda8a4eb84957b97ef55c35 Mon Sep 17 00:00:00 2001
-From: Tonis Tiigi <tonistiigi@...>
-Date: Fri, 28 Jan 2022 14:44:56 -0800
-Subject: [PATCH] Define ActKillThread equal to ActKill
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-These constants are equal in libseccomp but Go definitions
-were defined separately. This resulted in dead code that
-never executed due to identical case statements in switch.
-Go can usually detect these error cases and refuses to build
-but for some reason this detection doesn’t work with cgo+gcc.
-Clang detects the equal constants correctly and therefore
-libseccomp-golang builds with clang broke after ActKillThread
-was added.
-
-In order to fix the clang build only removal of the
-switch case is needed. But I assumed that the setter/getter
-logic is supposed to work for ActKillThread as well
-and only way to ensure that is to set them equal like they
-are in C.
-
-Signed-off-by: Tonis Tiigi <tonistiigi@...>
-Signed-off-by: Sebastiaan van Stijn <github@...>
-Acked-by: Tom Hromatka <tom.hromatka@...>
-Signed-off-by: Paul Moore <paul@...>
-Signed-off-by: Andrei Gherzan <andrei.gherzan@...>
-Upstream-status: Backport [https://github.com/seccomp/libseccomp-golang/commit/c35397d0ea8f285a0be78693bb2fd37b06952453]
----
- seccomp.go          | 8 ++++----
- seccomp_internal.go | 4 ----
- 2 files changed, 4 insertions(+), 8 deletions(-)
-
-diff --git a/seccomp.go b/seccomp.go
-index e9b92e2..32f6ab2 100644
---- a/seccomp.go
-+++ b/seccomp.go
-@@ -214,14 +214,14 @@ const (
- 	// This action is only usable when libseccomp API level 3 or higher is
- 	// supported.
- 	ActLog ScmpAction = iota
--	// ActKillThread kills the thread that violated the rule. It is the same as ActKill.
--	// All other threads from the same thread group will continue to execute.
--	ActKillThread ScmpAction = iota
- 	// ActKillProcess kills the process that violated the rule.
- 	// All threads in the thread group are also terminated.
- 	// This action is only usable when libseccomp API level 3 or higher is
- 	// supported.
- 	ActKillProcess ScmpAction = iota
-+	// ActKillThread kills the thread that violated the rule. It is the same as ActKill.
-+	// All other threads from the same thread group will continue to execute.
-+	ActKillThread = ActKill
- )
- 
- const (
-@@ -394,7 +394,7 @@ func (a ScmpCompareOp) String() string {
- // String returns a string representation of a seccomp match action
- func (a ScmpAction) String() string {
- 	switch a & 0xFFFF {
--	case ActKill, ActKillThread:
-+	case ActKillThread:
- 		return "Action: Kill thread"
- 	case ActKillProcess:
- 		return "Action: Kill process"
-diff --git a/seccomp_internal.go b/seccomp_internal.go
-index 8dc7b29..8fc9914 100644
---- a/seccomp_internal.go
-+++ b/seccomp_internal.go
-@@ -612,8 +612,6 @@ func (a ScmpCompareOp) toNative() C.int {
- func actionFromNative(a C.uint32_t) (ScmpAction, error) {
- 	aTmp := a & 0xFFFF
- 	switch a & 0xFFFF0000 {
--	case C.C_ACT_KILL:
--		return ActKill, nil
- 	case C.C_ACT_KILL_PROCESS:
- 		return ActKillProcess, nil
- 	case C.C_ACT_KILL_THREAD:
-@@ -638,8 +636,6 @@ func actionFromNative(a C.uint32_t) (ScmpAction, error) {
- // Only use with sanitized actions, no error handling
- func (a ScmpAction) toNative() C.uint32_t {
- 	switch a & 0xFFFF {
--	case ActKill:
--		return C.C_ACT_KILL
- 	case ActKillProcess:
- 		return C.C_ACT_KILL_PROCESS
- 	case ActKillThread:
--- 
-2.25.1
-
diff --git a/recipes-containers/podman/podman_git.bb b/recipes-containers/podman/podman_git.bb
index 9b92094..ea10f66 100644
--- a/recipes-containers/podman/podman_git.bb
+++ b/recipes-containers/podman/podman_git.bb
@@ -17,11 +17,9 @@ DEPENDS = " \
     ${@bb.utils.filter('DISTRO_FEATURES', 'systemd', d)} \
 "
 
-SRCREV = "cedbbfa543651a13055a1fe093a4d0a2a28ccdfd"
+SRCREV = "7fe5a419cfd2880df2028ad3d7fd9378a88a04f4"
 SRC_URI = " \
-    git://github.com/containers/libpod.git;branch=v4.1;protocol=https \
-    file://0001-Rename-BUILDFLAGS-to-GOBUILDFLAGS.patch;patchdir=src/import \
-    file://0002-Define-ActKillThread-equal-to-ActKill.patch;patchdir=src/import/vendor/github.com/seccomp/libseccomp-golang \
+    git://github.com/containers/libpod.git;branch=v4.2;protocol=https \
     ${@bb.utils.contains('PACKAGECONFIG', 'rootless', 'file://00-podman-rootless.conf', '', d)} \
 "
 
@@ -32,7 +30,7 @@ GO_IMPORT = "import"
 
 S = "${WORKDIR}/git"
 
-PV = "4.1.0+git${SRCPV}"
+PV = "4.2.0+git${SRCPV}"
 
 PACKAGES =+ "${PN}-contrib"
 
@@ -47,6 +45,9 @@ export LDFLAGS=""
 # https://github.com/llvm/llvm-project/issues/53999
 TOOLCHAIN = "gcc"
 
+# podmans Makefile expects BUILDFLAGS to be set but go.bbclass defines them in GOBUILDFLAGS
+export BUILDFLAGS="${GOBUILDFLAGS}"
+
 inherit go goarch
 inherit systemd pkgconfig
 
-- 
2.37.2

Re: Request for test! ... lxc

Bruce Ashfield

#7524

On Sun, Aug 14, 2022 at 11:12 PM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

If anyone is a lxc user, I just worked through a sizable update from 4.x to 5.x.

https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=67c13e9ec856ed3e9af0febad03d29581dd1f0ac

In particular, the build is now meson based .. and a lot of the old
options (and patches) don't really apply to the new structure.

I've tested the update through a basic smoke test, in a systemd based image.

So now is the heads up to test other workflows and send patches if
something is broken!after updating my oe-core and other layers today, I'm seeing a build
error in the new LXC, not sure if it is also in the old.

So if anyone tries this out, and sees a compilation problem, I'm aware
of it and looking into it.

Bruce


Cheers,

Bruce


--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

[kirkstone][meta-virtualization][PATCH] ceph: upgrade v15.2.15 -> v15.2.17

sakib.sajal@...

#7523

Upgrade ceph to latest v15.x.
Minor upgrade containing fix for CVE-2022-0670.

Signed-off-by: Sakib Sajal <sakib.sajal@...>
---
 recipes-extended/ceph/{ceph_15.2.15.bb => ceph_15.2.17.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename recipes-extended/ceph/{ceph_15.2.15.bb => ceph_15.2.17.bb} (98%)

diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.17.bb
similarity index 98%
rename from recipes-extended/ceph/ceph_15.2.15.bb
rename to recipes-extended/ceph/ceph_15.2.17.bb
index 17dbcf3..9fb2e72 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.17.bb
@@ -16,7 +16,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
 "
 
-SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
+SRC_URI[sha256sum] = "d8efe4996aeb01dd2f1cc939c5e434e5a7e2aeaf3f659c0510ffd550477a32e2"
 
 DEPENDS = "boost bzip2 curl expat gperf-native \
            keyutils libaio libibverbs lz4 \
-- 
2.33.0

Request for test! ... lxc

Bruce Ashfield

#7522

If anyone is a lxc user, I just worked through a sizable update from 4.x to 5.x.

https://git.yoctoproject.org/meta-virtualization/commit/?h=master-next&id=67c13e9ec856ed3e9af0febad03d29581dd1f0ac

In particular, the build is now meson based .. and a lot of the old
options (and patches) don't really apply to the new structure.

I've tested the update through a basic smoke test, in a systemd based image.

So now is the heads up to test other workflows and send patches if
something is broken!

Cheers,

Bruce


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [PATCH] dynamic-layers/raspberrypi: drop linux-yocto 5.10 bbappend

Bruce Ashfield

#7521

merged.

Bruce

In message: [meta-virtualization] [PATCH] dynamic-layers/raspberrypi: drop linux-yocto 5.10 bbappend
on 12/08/2022 Martin Jansa wrote:

Show quoted text

* the inc file was dropped in:
  58f5ac6 kernel: drop 5.10 .inc
  but this .bbappend still causes parsing error, because 5.10 recipes
  were removed from oe-core
---
 .../recipes-kernel/linux/linux-yocto_5.10.bbappend          | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend

diff --git a/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend b/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend
deleted file mode 100644
index f279ef7..0000000
--- a/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# Enable use of the linux-yocto 5.10 kernel for the Raspberry Pi 4
-KBRANCH:raspberrypi4-64 ?= "v5.10/standard/bcm-2xxx-rpi"
-KMACHINE:raspberrypi4-64 ?= "bcm-2xxx-rpi4"
-COMPATIBLE_MACHINE:raspberrypi4-64 = "(raspberrypi4-64)"
-
-require linux-yocto_xen-rpi.inc
-- 
2.35.1

[PATCH] dynamic-layers/raspberrypi: drop linux-yocto 5.10 bbappend

Martin Jansa

#7520

* the inc file was dropped in:
  58f5ac6 kernel: drop 5.10 .inc
  but this .bbappend still causes parsing error, because 5.10 recipes
  were removed from oe-core
---
 .../recipes-kernel/linux/linux-yocto_5.10.bbappend          | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100644 dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend

diff --git a/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend b/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend
deleted file mode 100644
index f279ef7..0000000
--- a/dynamic-layers/raspberrypi/recipes-kernel/linux/linux-yocto_5.10.bbappend
+++ /dev/null
@@ -1,6 +0,0 @@
-# Enable use of the linux-yocto 5.10 kernel for the Raspberry Pi 4
-KBRANCH:raspberrypi4-64 ?= "v5.10/standard/bcm-2xxx-rpi"
-KMACHINE:raspberrypi4-64 ?= "bcm-2xxx-rpi4"
-COMPATIBLE_MACHINE:raspberrypi4-64 = "(raspberrypi4-64)"
-
-require linux-yocto_xen-rpi.inc
-- 
2.35.1

[meta-virt][PATCH 1/1] ceph: Fix CVE-2021-3979

Joe Slater

#7519

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+ 
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+ 
+ class TestStatus(object):
+ 
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+ 
+ class TestDmcryptKey(object):
+ 
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+ 
+ logger = logging.getLogger(__name__)
+ 
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+ 
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests for device
+-- 
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 0fb32b26..f2ece8c7 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -16,6 +16,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
            file://0001-buffer.h-add-missing-header-file-due-to-gcc-upgrade.patch \
            file://0002-common-fix-FTBFS-due-to-dout-need_dynamic-on-GCC-12.patch \
+           file://CVE-2021-3979.patch \
 "
 
 SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
-- 
2.35.1

Re: [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979

Joe Slater

#7518

No, you didn't miss it.  I'll send it in an hour or so.   Joe

Show quoted text

-----Original Message-----
From: Bruce Ashfield <bruce.ashfield@...>
Sent: Wednesday, August 10, 2022 11:35 AM
To: Slater, Joseph <joe.slater@...>
Cc: meta-virtualization@...; MacLeod, Randy
<Randy.MacLeod@...>
Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
CVE-1021-3979

On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <joe.slater@...>
wrote:



-----Original Message-----
From: Bruce Ashfield <bruce.ashfield@...>
Sent: Wednesday, August 10, 2022 11:03 AM
To: Slater, Joseph <joe.slater@...>
Cc: meta-virtualization@...; MacLeod, Randy
<Randy.MacLeod@...>
Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1]
ceph: Fix
CVE-1021-3979

What about master ? Does it have the same issue ?Yes, and I have the patch for that.  You cannot cherry-pick between
the branches because recipe context is different.  The source patch is thesame.  I used kirkstone first for internal reasons.
In order to merge this to kirkstone, it needs to be on master first.

So there should be two sends of the patch, one for master and then another for
kirkstone (if it can't be cherry picked).

If you sent the one to master and I missed it, my apologies ... gmail threads
strangely at times.

Bruce

Joe


Bruce

On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@...>wrote:

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)  create mode 100644
recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 1700:00:00
+2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with
+> the -soption.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit
+47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git
+a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+
+ class TestDmcryptKey(object):
+
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
+b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
+get_part_entry_type
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conffallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt
++the VolumeKey.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM)
+requests for device
+--
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI =
"http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \

file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "

 SRC_URI[sha256sum] ="5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
--
2.35.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness
await thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979

Bruce Ashfield

#7517

On Wed, Aug 10, 2022 at 2:26 PM Slater, Joseph <joe.slater@...> wrote:



-----Original Message-----
From: Bruce Ashfield <bruce.ashfield@...>
Sent: Wednesday, August 10, 2022 11:03 AM
To: Slater, Joseph <joe.slater@...>
Cc: meta-virtualization@...; MacLeod, Randy
<Randy.MacLeod@...>
Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
CVE-1021-3979

What about master ? Does it have the same issue ?Yes, and I have the patch for that.  You cannot cherry-pick between the branches because
recipe context is different.  The source patch is the same.  I used kirkstone first for internal reasons.
In order to merge this to kirkstone, it needs to be on master first.

So there should be two sends of the patch, one for master and then
another for kirkstone (if it can't be cherry picked).

If you sent the one to master and I missed it, my apologies ... gmail
threads strangely at times.

Bruce

Joe


Bruce

On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@...> wrote:

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00
+2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -soption.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit
+47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git
+a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+
+ class TestDmcryptKey(object):
+
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
+b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
+get_part_entry_type
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the VolumeKey.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests
+for device
+--
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \

file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "

 SRC_URI[sha256sum] ="5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
--
2.35.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
its end
- "Use the force Harry" - Gandalf, Star Trek II

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979

Joe Slater

#7516

Show quoted text

-----Original Message-----
From: Bruce Ashfield <bruce.ashfield@...>
Sent: Wednesday, August 10, 2022 11:03 AM
To: Slater, Joseph <joe.slater@...>
Cc: meta-virtualization@...; MacLeod, Randy
<Randy.MacLeod@...>
Subject: Re: [meta-virtualization] [meta-virt][kirkstone][PATCH 1/1] ceph: Fix
CVE-1021-3979

What about master ? Does it have the same issue ?Yes, and I have the patch for that.  You cannot cherry-pick between the branches because
recipe context is different.  The source patch is the same.  I used kirkstone first for internal reasons.

Joe


Bruce

On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@...> wrote:

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch
b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00
+2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -soption.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit
+47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git
+a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+
+ class TestDmcryptKey(object):
+
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py
+b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family,
+get_part_entry_type
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the VolumeKey.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests
+for device
+--
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb
b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \

file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "

 SRC_URI[sha256sum] ="5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
--
2.35.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at
its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979

Bruce Ashfield

#7515

What about master ? Does it have the same issue ?

Bruce

Show quoted text

On Wed, Aug 10, 2022 at 1:39 PM Joe Slater <joe.slater@...> wrote:

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+
+ class TestStatus(object):
+
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+
+ class TestDmcryptKey(object):
+
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+
+ logger = logging.getLogger(__name__)
+
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests for device
+--
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "

 SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
--
2.35.1

-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

[meta-virt][kirkstone][PATCH 1/1] ceph: Fix CVE-1021-3979

Joe Slater

#7514

Ceph-volume does not properly control key sizes.

Cherry-pick from github.com/ceph/ceph.git.

Signed-off-by: Joe Slater <joe.slater@...>
---
 .../ceph/ceph/CVE-2021-3979.patch             | 158 ++++++++++++++++++
 recipes-extended/ceph/ceph_15.2.15.bb         |   1 +
 2 files changed, 159 insertions(+)
 create mode 100644 recipes-extended/ceph/ceph/CVE-2021-3979.patch

diff --git a/recipes-extended/ceph/ceph/CVE-2021-3979.patch b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
new file mode 100644
index 00000000..081b32ba
--- /dev/null
+++ b/recipes-extended/ceph/ceph/CVE-2021-3979.patch
@@ -0,0 +1,158 @@
+From 47c33179f9a15ae95cc1579a421be89378602656 Mon Sep 17 00:00:00 2001
+From: Guillaume Abrioux <gabrioux@...>
+Date: Tue, 25 Jan 2022 10:25:53 +0100
+Subject: [PATCH] ceph-volume: honour osd_dmcrypt_key_size option
+
+ceph-volume doesn't honour osd_dmcrypt_key_size.
+It means the default size is always applied.
+
+It also changes the default value in `get_key_size_from_conf()`
+
+From cryptsetup manpage:
+
+> For XTS mode you can optionally set a key size of 512 bits with the -s option.
+
+Using more than 512bits will end up with the following error message:
+
+```
+Key size in XTS mode must be 256 or 512 bits.
+```
+
+Fixes: https://tracker.ceph.com/issues/54006
+
+Signed-off-by: Guillaume Abrioux <gabrioux@...>
+
+Upstream-Status: Backport
+ github.com/ceph/ceph.git
+ equivalent to cherry-pick of commit 47c33179f9a15ae95cc1579a421be89378602656
+
+CVE: CVE-2021-3979
+
+Signed-off-by: Joe Slater <joe.slater@...>
+---
+ .../ceph_volume/tests/util/test_encryption.py | 41 +++++++++++++------
+ .../ceph_volume/util/encryption.py            | 34 ++++++++++-----
+ 2 files changed, 51 insertions(+), 24 deletions(-)
+
+diff --git a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+index e1420b440d3..c86dc50b7c7 100644
+--- a/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
++++ b/src/ceph-volume/ceph_volume/tests/util/test_encryption.py
+@@ -1,5 +1,31 @@
+ from ceph_volume.util import encryption
++import base64
+ 
++class TestGetKeySize(object):
++    def test_get_size_from_conf_default(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
++
++    def test_get_size_from_conf_custom(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=256
++        ''')
++        assert encryption.get_key_size_from_conf() == '256'
++
++    def test_get_size_from_conf_custom_invalid(self, conf_ceph_stub):
++        conf_ceph_stub('''
++        [global]
++        fsid=asdf
++        [osd]
++        osd_dmcrypt_key_size=1024
++        ''')
++        assert encryption.get_key_size_from_conf() == '512'
+ 
+ class TestStatus(object):
+ 
+@@ -37,17 +63,6 @@ class TestDmcryptClose(object):
+ 
+ class TestDmcryptKey(object):
+ 
+-    def test_dmcrypt_with_default_size(self, conf_ceph_stub):
+-        conf_ceph_stub('[global]\nfsid=asdf-lkjh')
+-        result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
+-
+-    def test_dmcrypt_with_custom_size(self, conf_ceph_stub):
+-        conf_ceph_stub('''
+-        [global]
+-        fsid=asdf
+-        [osd]
+-        osd_dmcrypt_size=8
+-        ''')
++    def test_dmcrypt(self):
+         result = encryption.create_dmcrypt_key()
+-        assert len(result) == 172
++        assert len(base64.b64decode(result)) == 128
+diff --git a/src/ceph-volume/ceph_volume/util/encryption.py b/src/ceph-volume/ceph_volume/util/encryption.py
+index 72a0ccf121e..2a2c03337b6 100644
+--- a/src/ceph-volume/ceph_volume/util/encryption.py
++++ b/src/ceph-volume/ceph_volume/util/encryption.py
+@@ -9,21 +9,29 @@ from .disk import lsblk, device_family, get_part_entry_type
+ 
+ logger = logging.getLogger(__name__)
+ 
+-
+-def create_dmcrypt_key():
++def get_key_size_from_conf():
+     """
+-    Create the secret dm-crypt key used to decrypt a device.
++    Return the osd dmcrypt key size from config file.
++    Default is 512.
+     """
+-    # get the customizable dmcrypt key size (in bits) from ceph.conf fallback
+-    # to the default of 1024
+-    dmcrypt_key_size = conf.ceph.get_safe(
++    default_key_size = '512'
++    key_size = conf.ceph.get_safe(
+         'osd',
+         'osd_dmcrypt_key_size',
+-        default=1024,
+-    )
+-    # The size of the key is defined in bits, so we must transform that
+-    # value to bytes (dividing by 8) because we read in bytes, not bits
+-    random_string = os.urandom(int(dmcrypt_key_size / 8))
++        default='512')
++
++    if key_size not in ['256', '512']:
++        logger.warning(("Invalid value set for osd_dmcrypt_key_size ({}). "
++                        "Falling back to {}bits".format(key_size, default_key_size)))
++        return default_key_size
++
++    return key_size
++
++def create_dmcrypt_key():
++    """
++    Create the secret dm-crypt key (KEK) used to encrypt/decrypt the Volume Key.
++    """
++    random_string = os.urandom(128)
+     key = base64.b64encode(random_string).decode('utf-8')
+     return key
+ 
+@@ -38,6 +46,8 @@ def luks_format(key, device):
+     command = [
+         'cryptsetup',
+         '--batch-mode', # do not prompt
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file', # misnomer, should be key
+         '-',          # because we indicate stdin for the key here
+         'luksFormat',
+@@ -83,6 +93,8 @@ def luks_open(key, device, mapping):
+     """
+     command = [
+         'cryptsetup',
++        '--key-size',
++        get_key_size_from_conf(),
+         '--key-file',
+         '-',
+         '--allow-discards',  # allow discards (aka TRIM) requests for device
+-- 
+2.35.1
+
diff --git a/recipes-extended/ceph/ceph_15.2.15.bb b/recipes-extended/ceph/ceph_15.2.15.bb
index 17dbcf35..b13ebb70 100644
--- a/recipes-extended/ceph/ceph_15.2.15.bb
+++ b/recipes-extended/ceph/ceph_15.2.15.bb
@@ -14,6 +14,7 @@ SRC_URI = "http://download.ceph.com/tarballs/ceph-${PV}.tar.gz \
            file://ceph.conf \
            file://0001-cmake-add-support-for-python3.10.patch \
            file://0001-SnappyCompressor.h-fix-snappy-compiler-error.patch \
+           file://CVE-2021-3979.patch \
 "
 
 SRC_URI[sha256sum] = "5dccdaff2ebe18d435b32bfc06f8b5f474bf6ac0432a6a07d144b7c56700d0bf"
-- 
2.35.1

Re: [kirkstone][master][PATCH 2/4] kubernetes: install the binaries in OE standard places

Bruce Ashfield

#7513

On Tue, Aug 9, 2022 at 1:36 PM Jose Quaresma <quaresma.jose@...> wrote:



Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 18:07:

On Tue, Aug 9, 2022 at 12:36 PM Jose Quaresma <quaresma.jose@...> wrote:



Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 16:05:

On Tue, Aug 9, 2022 at 10:21 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

On Tue, Aug 9, 2022 at 10:02 AM Jose Quaresma <quaresma.jose@...> wrote:



Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:43:

On Tue, Aug 9, 2022 at 9:34 AM Jose Quaresma <quaresma.jose@...> wrote:

Hi Bruce,

Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:19:

You must have something different in your environment, I'm not seeing
any of these same issues.
Maybe because you have the BIN_PREFIX defined somewhere in your distro or local.conf
BIN_PREFIX is defined only in k3s recipe BIN_PREFIX ?= "${exec_prefix}/local"
I'm building a plain OE + meta-virt. BIN_PREFIX isn't in the
environment anywhere (which is admittedly strange .. but that's
consistent with how it has been).

Also, there's no other reports of this ever on the mailing list,
including demos for conferences, etc. ... that fails the "how can this
be working for everyone else ?" test.

So there's definitely something different that I'm not seeing. I use
OE nodistro or poky, others are using some other distros .. so I need
to figure out what is the difference.

That being said, even if we tweaked the binaries install, we don't
want them changing where they've been installed previously, there
could be any number of scripts expecting those locations in layers
that I don't maintain.

i.e. there's no way we should be patching the .service file, since
that indicates the binaries have moved from where they were before.

Bruce
By default with BIN_PREFIX="" the binaries seem to be installed on /bin/k8s-init so they will work as this is in the PATH.
For OE nodistro maybe this QA is disabled (need to confirm that) but for distros that have this QA enabled it will fire up.
The installed but not shipped, isn't inhibited anywhere that I know
of. Certainly not on poky, which is where most of the nightly builds
happen for this.

About moving the binaries for another place is mainly because /bin is not the right place for them IMO.
https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/bin.htmlBut that's not where they are going for all the rest of the builds :)
I'm aware of the various filesystem standards.


But I forgot to update all the services involved in this patch set so please drop it all and I will update all services as well in V2.
I wouldn't bother with that for v2, since again, they are using
/usr/bin and /usr/local/bin from all the .service files I recall, and
that's where we want the binaries to continue to be.
aha. I see that k3s does set BIN_PREFIX, but it has been lost for
kubernetes and nerdctl.
right, maybe you don't see the QA because it will only shon for files installed in /bin when usrmerge is enabled.That could very well be it.


for nerdctl, the BIN_PREFIX is there from the beginning so the recipe allway install it in /bin.
for kubernetes, BIN_PREFIX is added in [1] and this only install k8s-init in /bin and all the other binaries
continue where they were installed (in /usr/bin in this case).

[1] - https://git.yoctoproject.org/meta-virtualization/commit/?id=4d0f0a5ca2338e5f6ed3fe3a18c602447cf60eb4


The easiest / lowest footprint route is to just add the variable back
in for kubernetes and nerdctl, to the current default location. That
allows folks to override it and/or keep their scripts/service files
unmodified.
This is what I did but using ${bindir} instead of ${BIN_PREFIX}.
Adding the BIN_PREFIX ?= "${exec_prefix}/local" will change install location so
since we have to change, we can use the ${bindir} and put the files in the right place.I'm really only interested in the BIN_PREFIX being set in those
recipes. The smallest
footprint change.
kubernetes is installing all binaries files to ${D}/${bindir}:
install -m 755 -D ${S}/src/import/_output/local/bin/${TARGET_GOOS}/${TARGET_GOARCH}/* ${D}/${bindir}I realize that.


and you are suggesting to install only k8s-init with BIN_PREFIX:
install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"No, I'm suggesting the smallest footprint change, but that is more for
the other recipes, versus the single use of it in this kubernetes
recipe.


this will end up with BIN_PREFIX = "/usr" to be consistent with the other binaries in the recipe
or BIN_PREFIX = "${exec_prefix}/local" to use something not defined in bitbake.conf.
I don't really know what you prefer BIN_PREFIX = "/usr" or BIN_PREFIX = "${exec_prefix}/local"
as the two will change the installation path and you said that:
"even if we tweaked the binaries install, we don't want them changing where they've been installed previously"That comment was more for the k3s recipe, this helper is being
installed to the wrong place, and likely I'm the only one that uses
it.

For this specific recipe, I'd make it consistent with the other
binaries and set it to ${prefix} which is "/usr", which of course is
the same as ${exec_prefix}


sorry but changing this patch and using BIN_PREFIX doesn't make much sense in my opinion.
That's the style of the recipes as they stand, keeping them consistent
to that has value .. in particular, since I end up spending the
majority of time debugging system level runtime issues. There were
many issues found during the creation of the recipes and stack with
binaries being assumed in one location and then someone changing their
bitbake configuration and them not being present. So the control was
pulled into the recipes under BIN_PREFIX to make it explicit and to
save many hours debugging. That's the same reason why many of the go
build settings are in the recipes when for the most part they could be
used from the bbclasses.

That being said, we could change k8s and nerdctl to just use
${bindir}, but k3s should be left as-is.

Bruce

Jose



So as the series currently stands, it isn't something I'll merge.

Cheers,

Bruce



The last patch for k3s is more invasive as it touches many places and the systemd services as well.
I will send it separate because this one don't fix anything and only change the installation of binaries
from /usr/local/bin to /usr/bin

Jose


Bruce

Bruce

Jose



Jose



Cheers,

Bruce

On Tue, Aug 9, 2022 at 8:16 AM Jose Quaresma <quaresma.jose@...> wrote:

- The env BIN_PREFIX is there from the beginning but there are no references to it,
also fix a fatal QA errors installed-vs-shipped.

ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: QA Issue: kubernetes: Files/directories were installed but not shipped in any package:
  /bin
  /bin/k8s-init
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
kubernetes: 2 installed and not shipped files. [installed-vs-shipped]
ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: Fatal QA errors were found, failing task.

Signed-off-by: Jose Quaresma <jose.quaresma@...>
---
 recipes-containers/kubernetes/kubernetes_git.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index e9460d4..82b75b1 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -103,8 +103,8 @@ do_install() {
     install -m 0644 ${WORKDIR}/git/release/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf  ${D}${systemd_unitdir}/system/kubelet.service.d/

     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-       install -d "${D}${BIN_PREFIX}/bin"
-       install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"
+       install -d ${D}${bindir}
+       install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}

        install -d ${D}${sysconfdir}/sysctl.d
        install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
@@ -141,7 +141,7 @@ FILES:kube-proxy = "${bindir}/kube-proxy"
 FILES:${PN}-misc = "${bindir} ${sysconfdir}/sysctl.d"

 ALLOW_EMPTY:${PN}-host = "1"
-FILE:${PN}-host = "${BIN_PREFIX}/bin/k8s-init"
+FILE:${PN}-host = "${bindir}/k8s-init"
 RDEPENDS:${PN}-host = "${PN}"

 RRECOMMENDS:${PN} = "\
--
2.37.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II


--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [kirkstone][master][PATCH 2/4] kubernetes: install the binaries in OE standard places

Jose Quaresma

#7512

Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 18:07:

On Tue, Aug 9, 2022 at 12:36 PM Jose Quaresma <quaresma.jose@...> wrote:
>
>
>
> Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 16:05:
>>
>> On Tue, Aug 9, 2022 at 10:21 AM Bruce Ashfield via
>> lists.yoctoproject.org
>> <bruce.ashfield=gmail.com@...> wrote:
>> >
>> > On Tue, Aug 9, 2022 at 10:02 AM Jose Quaresma <quaresma.jose@...> wrote:
>> > >
>> > >
>> > >
>> > > Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:43:
>> > >>
>> > >> On Tue, Aug 9, 2022 at 9:34 AM Jose Quaresma <quaresma.jose@...> wrote:
>> > >> >
>> > >> > Hi Bruce,
>> > >> >
>> > >> > Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:19:
>> > >> >>
>> > >> >> You must have something different in your environment, I'm not seeing
>> > >> >> any of these same issues.
>> > >> >
>> > >> >
>> > >> > Maybe because you have the BIN_PREFIX defined somewhere in your distro or local.conf
>> > >> > BIN_PREFIX is defined only in k3s recipe BIN_PREFIX ?= "${exec_prefix}/local"
>> > >> >
>> > >>
>> > >> I'm building a plain OE + meta-virt. BIN_PREFIX isn't in the
>> > >> environment anywhere (which is admittedly strange .. but that's
>> > >> consistent with how it has been).
>> > >>
>> > >> Also, there's no other reports of this ever on the mailing list,
>> > >> including demos for conferences, etc. ... that fails the "how can this
>> > >> be working for everyone else ?" test.
>> > >>
>> > >> So there's definitely something different that I'm not seeing. I use
>> > >> OE nodistro or poky, others are using some other distros .. so I need
>> > >> to figure out what is the difference.
>> > >>
>> > >> That being said, even if we tweaked the binaries install, we don't
>> > >> want them changing where they've been installed previously, there
>> > >> could be any number of scripts expecting those locations in layers
>> > >> that I don't maintain.
>> > >>
>> > >> i.e. there's no way we should be patching the .service file, since
>> > >> that indicates the binaries have moved from where they were before.
>> > >>
>> > >> Bruce
>> > >>
>> > >
>> > > By default with BIN_PREFIX="" the binaries seem to be installed on /bin/k8s-init so they will work as this is in the PATH.
>> > > For OE nodistro maybe this QA is disabled (need to confirm that) but for distros that have this QA enabled it will fire up.
>> > >
>> >
>> > The installed but not shipped, isn't inhibited anywhere that I know
>> > of. Certainly not on poky, which is where most of the nightly builds
>> > happen for this.
>> >
>> > > About moving the binaries for another place is mainly because /bin is not the right place for them IMO.
>> > > https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/bin.html
>> >
>> > But that's not where they are going for all the rest of the builds :)
>> > I'm aware of the various filesystem standards.
>> >
>> > >
>> > > But I forgot to update all the services involved in this patch set so please drop it all and I will update all services as well in V2.
>> > >
>> >
>> > I wouldn't bother with that for v2, since again, they are using
>> > /usr/bin and /usr/local/bin from all the .service files I recall, and
>> > that's where we want the binaries to continue to be.
>> >
>>
>> aha. I see that k3s does set BIN_PREFIX, but it has been lost for
>> kubernetes and nerdctl.
>
>
> right, maybe you don't see the QA because it will only shon for files installed in /bin when usrmerge is enabled.

That could very well be it.

>
> for nerdctl, the BIN_PREFIX is there from the beginning so the recipe allway install it in /bin.
> for kubernetes, BIN_PREFIX is added in [1] and this only install k8s-init in /bin and all the other binaries
> continue where they were installed (in /usr/bin in this case).
>
> [1] - https://git.yoctoproject.org/meta-virtualization/commit/?id=4d0f0a5ca2338e5f6ed3fe3a18c602447cf60eb4
>
>>
>> The easiest / lowest footprint route is to just add the variable back
>> in for kubernetes and nerdctl, to the current default location. That
>> allows folks to override it and/or keep their scripts/service files
>> unmodified.
>
>
> This is what I did but using ${bindir} instead of ${BIN_PREFIX}.
> Adding the BIN_PREFIX ?= "${exec_prefix}/local" will change install location so
> since we have to change, we can use the ${bindir} and put the files in the right place.

I'm really only interested in the BIN_PREFIX being set in those
recipes. The smallest
footprint change.

kubernetes is installing all binaries files to ${D}/${bindir}:
install -m 755 -D ${S}/src/import/_output/local/bin/${TARGET_GOOS}/${TARGET_GOARCH}/* ${D}/${bindir}

and you are suggesting to install only k8s-init with BIN_PREFIX:
install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"

this will end up with BIN_PREFIX = "/usr" to be consistent with the other binaries in the recipe

or BIN_PREFIX = "${exec_prefix}/local" to use something not defined in bitbake.conf.

I don't really know what you prefer BIN_PREFIX = "/usr" or BIN_PREFIX = "${exec_prefix}/local"

as the two will change the installation path and you said that:

"even if we tweaked the binaries install, we don't want them changing where they've been installed previously"

sorry but changing this patch and using BIN_PREFIX doesn't make much sense in my opinion.

Jose

So as the series currently stands, it isn't something I'll merge.

Cheers,

Bruce

>
> The last patch for k3s is more invasive as it touches many places and the systemd services as well.
> I will send it separate because this one don't fix anything and only change the installation of binaries
> from /usr/local/bin to /usr/bin
>
> Jose
>
>>
>> Bruce
>>
>> > Bruce
>> >
>> > > Jose
>> > >
>> > >>
>> > >>
>> > >> > Jose
>> > >> >
>> > >> >>
>> > >> >>
>> > >> >> Cheers,
>> > >> >>
>> > >> >> Bruce
>> > >> >>
>> > >> >> On Tue, Aug 9, 2022 at 8:16 AM Jose Quaresma <quaresma.jose@...> wrote:
>> > >> >> >
>> > >> >> > - The env BIN_PREFIX is there from the beginning but there are no references to it,
>> > >> >> > also fix a fatal QA errors installed-vs-shipped.
>> > >> >> >
>> > >> >> > ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: QA Issue: kubernetes: Files/directories were installed but not shipped in any package:
>> > >> >> > /bin
>> > >> >> > /bin/k8s-init
>> > >> >> > Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
>> > >> >> > kubernetes: 2 installed and not shipped files. [installed-vs-shipped]
>> > >> >> > ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: Fatal QA errors were found, failing task.
>> > >> >> >
>> > >> >> > Signed-off-by: Jose Quaresma <jose.quaresma@...>
>> > >> >> > ---
>> > >> >> > recipes-containers/kubernetes/kubernetes_git.bb | 6 +++---
>> > >> >> > 1 file changed, 3 insertions(+), 3 deletions(-)
>> > >> >> >
>> > >> >> > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
>> > >> >> > index e9460d4..82b75b1 100644
>> > >> >> > --- a/recipes-containers/kubernetes/kubernetes_git.bb
>> > >> >> > +++ b/recipes-containers/kubernetes/kubernetes_git.bb
>> > >> >> > @@ -103,8 +103,8 @@ do_install() {
>> > >> >> > install -m 0644 ${WORKDIR}/git/release/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf ${D}${systemd_unitdir}/system/kubelet.service.d/
>> > >> >> >
>> > >> >> > if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
>> > >> >> > - install -d "${D}${BIN_PREFIX}/bin"
>> > >> >> > - install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"
>> > >> >> > + install -d ${D}${bindir}
>> > >> >> > + install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}
>> > >> >> >
>> > >> >> > install -d ${D}${sysconfdir}/sysctl.d
>> > >> >> > install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
>> > >> >> > @@ -141,7 +141,7 @@ FILES:kube-proxy = "${bindir}/kube-proxy"
>> > >> >> > FILES:${PN}-misc = "${bindir} ${sysconfdir}/sysctl.d"
>> > >> >> >
>> > >> >> > ALLOW_EMPTY:${PN}-host = "1"
>> > >> >> > -FILE:${PN}-host = "${BIN_PREFIX}/bin/k8s-init"
>> > >> >> > +FILE:${PN}-host = "${bindir}/k8s-init"
>> > >> >> > RDEPENDS:${PN}-host = "${PN}"
>> > >> >> >
>> > >> >> > RRECOMMENDS:${PN} = "\
>> > >> >> > --
>> > >> >> > 2.37.1
>> > >> >> >
>> > >> >> >
>> > >> >> >
>> > >> >> >
>> > >> >>
>> > >> >>
>> > >> >> --
>> > >> >> - Thou shalt not follow the NULL pointer, for chaos and madness await
>> > >> >> thee at its end
>> > >> >> - "Use the force Harry" - Gandalf, Star Trek II
>> > >> >
>> > >> >
>> > >> >
>> > >> > --
>> > >> > Best regards,
>> > >> >
>> > >> > José Quaresma
>> > >>
>> > >>
>> > >>
>> > >> --
>> > >> - Thou shalt not follow the NULL pointer, for chaos and madness await
>> > >> thee at its end
>> > >> - "Use the force Harry" - Gandalf, Star Trek II
>> > >
>> > >
>> > >
>> > > --
>> > > Best regards,
>> > >
>> > > José Quaresma
>> >
>> >
>> >
>> > --
>> > - Thou shalt not follow the NULL pointer, for chaos and madness await
>> > thee at its end
>> > - "Use the force Harry" - Gandalf, Star Trek II
>> >
>> >
>> >
>>
>>
>> --
>> - Thou shalt not follow the NULL pointer, for chaos and madness await
>> thee at its end
>> - "Use the force Harry" - Gandalf, Star Trek II
>
>
>
> --
> Best regards,
>
> José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Best regards,

José Quaresma

Re: [kirkstone][master][PATCH 2/4] kubernetes: install the binaries in OE standard places

Bruce Ashfield

#7511

On Tue, Aug 9, 2022 at 12:36 PM Jose Quaresma <quaresma.jose@...> wrote:



Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 16:05:

On Tue, Aug 9, 2022 at 10:21 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:

On Tue, Aug 9, 2022 at 10:02 AM Jose Quaresma <quaresma.jose@...> wrote:



Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:43:

On Tue, Aug 9, 2022 at 9:34 AM Jose Quaresma <quaresma.jose@...> wrote:

Hi Bruce,

Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:19:

You must have something different in your environment, I'm not seeing
any of these same issues.
Maybe because you have the BIN_PREFIX defined somewhere in your distro or local.conf
BIN_PREFIX is defined only in k3s recipe BIN_PREFIX ?= "${exec_prefix}/local"
I'm building a plain OE + meta-virt. BIN_PREFIX isn't in the
environment anywhere (which is admittedly strange .. but that's
consistent with how it has been).

Also, there's no other reports of this ever on the mailing list,
including demos for conferences, etc. ... that fails the "how can this
be working for everyone else ?" test.

So there's definitely something different that I'm not seeing. I use
OE nodistro or poky, others are using some other distros .. so I need
to figure out what is the difference.

That being said, even if we tweaked the binaries install, we don't
want them changing where they've been installed previously, there
could be any number of scripts expecting those locations in layers
that I don't maintain.

i.e. there's no way we should be patching the .service file, since
that indicates the binaries have moved from where they were before.

Bruce
By default with BIN_PREFIX="" the binaries seem to be installed on /bin/k8s-init so they will work as this is in the PATH.
For OE nodistro maybe this QA is disabled (need to confirm that) but for distros that have this QA enabled it will fire up.
The installed but not shipped, isn't inhibited anywhere that I know
of. Certainly not on poky, which is where most of the nightly builds
happen for this.

About moving the binaries for another place is mainly because /bin is not the right place for them IMO.
https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/bin.htmlBut that's not where they are going for all the rest of the builds :)
I'm aware of the various filesystem standards.


But I forgot to update all the services involved in this patch set so please drop it all and I will update all services as well in V2.
I wouldn't bother with that for v2, since again, they are using
/usr/bin and /usr/local/bin from all the .service files I recall, and
that's where we want the binaries to continue to be.
aha. I see that k3s does set BIN_PREFIX, but it has been lost for
kubernetes and nerdctl.
right, maybe you don't see the QA because it will only shon for files installed in /bin when usrmerge is enabled.That could very well be it.


for nerdctl, the BIN_PREFIX is there from the beginning so the recipe allway install it in /bin.
for kubernetes, BIN_PREFIX is added in [1] and this only install k8s-init in /bin and all the other binaries
continue where they were installed (in /usr/bin in this case).

[1] - https://git.yoctoproject.org/meta-virtualization/commit/?id=4d0f0a5ca2338e5f6ed3fe3a18c602447cf60eb4


The easiest / lowest footprint route is to just add the variable back
in for kubernetes and nerdctl, to the current default location. That
allows folks to override it and/or keep their scripts/service files
unmodified.
This is what I did but using ${bindir} instead of ${BIN_PREFIX}.
Adding the BIN_PREFIX ?= "${exec_prefix}/local" will change install location so
since we have to change, we can use the ${bindir} and put the files in the right place.I'm really only interested in the BIN_PREFIX being set in those
recipes. The smallest
footprint change.

So as the series currently stands, it isn't something I'll merge.

Cheers,

Bruce



The last patch for k3s is more invasive as it touches many places and the systemd services as well.
I will send it separate because this one don't fix anything and only change the installation of binaries
from /usr/local/bin to /usr/bin

Jose


Bruce

Bruce

Jose



Jose



Cheers,

Bruce

On Tue, Aug 9, 2022 at 8:16 AM Jose Quaresma <quaresma.jose@...> wrote:

- The env BIN_PREFIX is there from the beginning but there are no references to it,
also fix a fatal QA errors installed-vs-shipped.

ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: QA Issue: kubernetes: Files/directories were installed but not shipped in any package:
  /bin
  /bin/k8s-init
Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
kubernetes: 2 installed and not shipped files. [installed-vs-shipped]
ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: Fatal QA errors were found, failing task.

Signed-off-by: Jose Quaresma <jose.quaresma@...>
---
 recipes-containers/kubernetes/kubernetes_git.bb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index e9460d4..82b75b1 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -103,8 +103,8 @@ do_install() {
     install -m 0644 ${WORKDIR}/git/release/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf  ${D}${systemd_unitdir}/system/kubelet.service.d/

     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-       install -d "${D}${BIN_PREFIX}/bin"
-       install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"
+       install -d ${D}${bindir}
+       install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}

        install -d ${D}${sysconfdir}/sysctl.d
        install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
@@ -141,7 +141,7 @@ FILES:kube-proxy = "${bindir}/kube-proxy"
 FILES:${PN}-misc = "${bindir} ${sysconfdir}/sysctl.d"

 ALLOW_EMPTY:${PN}-host = "1"
-FILE:${PN}-host = "${BIN_PREFIX}/bin/k8s-init"
+FILE:${PN}-host = "${bindir}/k8s-init"
 RDEPENDS:${PN}-host = "${PN}"

 RRECOMMENDS:${PN} = "\
--
2.37.1




--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II



--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

--
Best regards,

José Quaresma

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Re: [kirkstone][master][PATCH 2/4] kubernetes: install the binaries in OE standard places

Jose Quaresma

#7510

Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 16:05:

On Tue, Aug 9, 2022 at 10:21 AM Bruce Ashfield via
lists.yoctoproject.org
<bruce.ashfield=gmail.com@...> wrote:
>
> On Tue, Aug 9, 2022 at 10:02 AM Jose Quaresma <quaresma.jose@...> wrote:
> >
> >
> >
> > Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:43:
> >>
> >> On Tue, Aug 9, 2022 at 9:34 AM Jose Quaresma <quaresma.jose@...> wrote:
> >> >
> >> > Hi Bruce,
> >> >
> >> > Bruce Ashfield <bruce.ashfield@...> escreveu no dia terça, 9/08/2022 à(s) 14:19:
> >> >>
> >> >> You must have something different in your environment, I'm not seeing
> >> >> any of these same issues.
> >> >
> >> >
> >> > Maybe because you have the BIN_PREFIX defined somewhere in your distro or local.conf
> >> > BIN_PREFIX is defined only in k3s recipe BIN_PREFIX ?= "${exec_prefix}/local"
> >> >
> >>
> >> I'm building a plain OE + meta-virt. BIN_PREFIX isn't in the
> >> environment anywhere (which is admittedly strange .. but that's
> >> consistent with how it has been).
> >>
> >> Also, there's no other reports of this ever on the mailing list,
> >> including demos for conferences, etc. ... that fails the "how can this
> >> be working for everyone else ?" test.
> >>
> >> So there's definitely something different that I'm not seeing. I use
> >> OE nodistro or poky, others are using some other distros .. so I need
> >> to figure out what is the difference.
> >>
> >> That being said, even if we tweaked the binaries install, we don't
> >> want them changing where they've been installed previously, there
> >> could be any number of scripts expecting those locations in layers
> >> that I don't maintain.
> >>
> >> i.e. there's no way we should be patching the .service file, since
> >> that indicates the binaries have moved from where they were before.
> >>
> >> Bruce
> >>
> >
> > By default with BIN_PREFIX="" the binaries seem to be installed on /bin/k8s-init so they will work as this is in the PATH.
> > For OE nodistro maybe this QA is disabled (need to confirm that) but for distros that have this QA enabled it will fire up.
> >
>
> The installed but not shipped, isn't inhibited anywhere that I know
> of. Certainly not on poky, which is where most of the nightly builds
> happen for this.
>
> > About moving the binaries for another place is mainly because /bin is not the right place for them IMO.
> > https://tldp.org/LDP/Linux-Filesystem-Hierarchy/html/bin.html
>
> But that's not where they are going for all the rest of the builds :)
> I'm aware of the various filesystem standards.
>
> >
> > But I forgot to update all the services involved in this patch set so please drop it all and I will update all services as well in V2.
> >
>
> I wouldn't bother with that for v2, since again, they are using
> /usr/bin and /usr/local/bin from all the .service files I recall, and
> that's where we want the binaries to continue to be.
>

aha. I see that k3s does set BIN_PREFIX, but it has been lost for
kubernetes and nerdctl.

right, maybe you don't see the QA because it will only shon for files installed in /bin when usrmerge is enabled.

for nerdctl, the BIN_PREFIX is there from the beginning so the recipe allway install it in /bin.

for kubernetes, BIN_PREFIX is added in [1] and this only install k8s-init in /bin and all the other binaries

continue where they were installed (in /usr/bin in this case).

[1] - https://git.yoctoproject.org/meta-virtualization/commit/?id=4d0f0a5ca2338e5f6ed3fe3a18c602447cf60eb4

The easiest / lowest footprint route is to just add the variable back
in for kubernetes and nerdctl, to the current default location. That
allows folks to override it and/or keep their scripts/service files
unmodified.

This is what I did but using ${bindir} instead of ${BIN_PREFIX}.

Adding the BIN_PREFIX ?= "${exec_prefix}/local" will change install location so

since we have to change, we can use the ${bindir} and put the files in the right place.

The last patch for k3s is more invasive as it touches many places and the systemd services as well.

I will send it separate because this one don't fix anything and only change the installation of binaries

from /usr/local/bin to /usr/bin

Jose

Bruce

> Bruce
>
> > Jose
> >
> >>
> >>
> >> > Jose
> >> >
> >> >>
> >> >>
> >> >> Cheers,
> >> >>
> >> >> Bruce
> >> >>
> >> >> On Tue, Aug 9, 2022 at 8:16 AM Jose Quaresma <quaresma.jose@...> wrote:
> >> >> >
> >> >> > - The env BIN_PREFIX is there from the beginning but there are no references to it,
> >> >> > also fix a fatal QA errors installed-vs-shipped.
> >> >> >
> >> >> > ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: QA Issue: kubernetes: Files/directories were installed but not shipped in any package:
> >> >> > /bin
> >> >> > /bin/k8s-init
> >> >> > Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
> >> >> > kubernetes: 2 installed and not shipped files. [installed-vs-shipped]
> >> >> > ERROR: kubernetes-1_v1.23.6+gitfbcfa33018159c033aee77b0d5456df6771aa9b5-r0 do_package: Fatal QA errors were found, failing task.
> >> >> >
> >> >> > Signed-off-by: Jose Quaresma <jose.quaresma@...>
> >> >> > ---
> >> >> > recipes-containers/kubernetes/kubernetes_git.bb | 6 +++---
> >> >> > 1 file changed, 3 insertions(+), 3 deletions(-)
> >> >> >
> >> >> > diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
> >> >> > index e9460d4..82b75b1 100644
> >> >> > --- a/recipes-containers/kubernetes/kubernetes_git.bb
> >> >> > +++ b/recipes-containers/kubernetes/kubernetes_git.bb
> >> >> > @@ -103,8 +103,8 @@ do_install() {
> >> >> > install -m 0644 ${WORKDIR}/git/release/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf ${D}${systemd_unitdir}/system/kubelet.service.d/
> >> >> >
> >> >> > if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
> >> >> > - install -d "${D}${BIN_PREFIX}/bin"
> >> >> > - install -m 755 "${WORKDIR}/k8s-init" "${D}${BIN_PREFIX}/bin"
> >> >> > + install -d ${D}${bindir}
> >> >> > + install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}
> >> >> >
> >> >> > install -d ${D}${sysconfdir}/sysctl.d
> >> >> > install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
> >> >> > @@ -141,7 +141,7 @@ FILES:kube-proxy = "${bindir}/kube-proxy"
> >> >> > FILES:${PN}-misc = "${bindir} ${sysconfdir}/sysctl.d"
> >> >> >
> >> >> > ALLOW_EMPTY:${PN}-host = "1"
> >> >> > -FILE:${PN}-host = "${BIN_PREFIX}/bin/k8s-init"
> >> >> > +FILE:${PN}-host = "${bindir}/k8s-init"
> >> >> > RDEPENDS:${PN}-host = "${PN}"
> >> >> >
> >> >> > RRECOMMENDS:${PN} = "\
> >> >> > --
> >> >> > 2.37.1
> >> >> >
> >> >> >
> >> >> >
> >> >> >
> >> >>
> >> >>
> >> >> --
> >> >> - Thou shalt not follow the NULL pointer, for chaos and madness await
> >> >> thee at its end
> >> >> - "Use the force Harry" - Gandalf, Star Trek II
> >> >
> >> >
> >> >
> >> > --
> >> > Best regards,
> >> >
> >> > José Quaresma
> >>
> >>
> >>
> >> --
> >> - Thou shalt not follow the NULL pointer, for chaos and madness await
> >> thee at its end
> >> - "Use the force Harry" - Gandalf, Star Trek II
> >
> >
> >
> > --
> > Best regards,
> >
> > José Quaresma
>
>
>
> --
> - Thou shalt not follow the NULL pointer, for chaos and madness await
> thee at its end
> - "Use the force Harry" - Gandalf, Star Trek II
>
>
>

--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II

Best regards,

José Quaresma

[kirkstone][master][PATCH] k3s: install the binaries in OE standard places

Jose Quaresma

#7509

This will change the instalation path from "${exec_prefix}/local/bin"
to "${bindir}", that in OE-core moves the binaries from the
"/usr/local/bin" to the default "/usr/bin" path.
Update the systemd services as well with the new "${bindir}" path.

Signed-off-by: Jose Quaresma <jose.quaresma@...>
---
 recipes-containers/k3s/k3s/k3s-agent.service |  4 ++--
 recipes-containers/k3s/k3s/k3s.service       |  4 ++--
 recipes-containers/k3s/k3s_git.bb            | 21 +++++++++-----------
 3 files changed, 13 insertions(+), 16 deletions(-)

diff --git a/recipes-containers/k3s/k3s/k3s-agent.service b/recipes-containers/k3s/k3s/k3s-agent.service
index 9f9016d..0792970 100644
--- a/recipes-containers/k3s/k3s/k3s-agent.service
+++ b/recipes-containers/k3s/k3s/k3s-agent.service
@@ -21,6 +21,6 @@ Restart=always
 RestartSec=5s
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s agent
-ExecStopPost=/usr/local/bin/k3s-clean
+ExecStart=/usr/bin/k3s agent
+ExecStopPost=/usr/bin/k3s-clean
 
diff --git a/recipes-containers/k3s/k3s/k3s.service b/recipes-containers/k3s/k3s/k3s.service
index 33d3ee7..647fc66 100644
--- a/recipes-containers/k3s/k3s/k3s.service
+++ b/recipes-containers/k3s/k3s/k3s.service
@@ -29,9 +29,9 @@ RestartSec=5s
 ExecStartPre=/bin/sh -xc '! systemctl is-enabled --quiet nm-cloud-setup.service'
 ExecStartPre=-/sbin/modprobe br_netfilter
 ExecStartPre=-/sbin/modprobe overlay
-ExecStart=/usr/local/bin/k3s server
+ExecStart=/usr/bin/k3s server
 # Avoid any delay due to this service when the system is rebooting or shutting
 # down by using the k3s-killall.sh script to kill all of the running k3s
 # services and containers
 ExecStopPost=/bin/sh -c "if systemctl is-system-running | grep -i \
-                           'stopping'; then /usr/local/bin/k3s-killall.sh; fi"
+                           'stopping'; then /usr/bin/k3s-killall.sh; fi"
diff --git a/recipes-containers/k3s/k3s_git.bb b/recipes-containers/k3s/k3s_git.bb
index 7f9f549..a4973fe 100644
--- a/recipes-containers/k3s/k3s_git.bb
+++ b/recipes-containers/k3s/k3s_git.bb
@@ -37,7 +37,6 @@ GO_BUILD_LDFLAGS = "-X github.com/rancher/k3s/pkg/version.Version=${PV} \
                     -X github.com/rancher/k3s/pkg/version.GitCommit=${@d.getVar('SRCREV_k3s', d, 1)[:8]} \
                     -w -s \
                    "
-BIN_PREFIX ?= "${exec_prefix}/local"
 
 inherit features_check
 REQUIRED_DISTRO_FEATURES ?= "seccomp"
@@ -634,20 +633,19 @@ do_compile() {
 }
 
 do_install() {
-        install -d "${D}${BIN_PREFIX}/bin"
-        install -m 755 "${S}/src/import/dist/artifacts/k3s" "${D}${BIN_PREFIX}/bin"
-        ln -sr "${D}/${BIN_PREFIX}/bin/k3s" "${D}${BIN_PREFIX}/bin/crictl"
+        install -d "${D}${bindir}"
+        install -m 755 "${S}/src/import/dist/artifacts/k3s" "${D}${bindir}"
+        ln -sr "${D}${bindir}/k3s" "${D}${bindir}/crictl"
         # We want to use the containerd provided ctr
-        # ln -sr "${D}/${BIN_PREFIX}/bin/k3s" "${D}${BIN_PREFIX}/bin/ctr"
-        ln -sr "${D}/${BIN_PREFIX}/bin/k3s" "${D}${BIN_PREFIX}/bin/kubectl"
-        install -m 755 "${WORKDIR}/k3s-clean" "${D}${BIN_PREFIX}/bin"
-        install -m 755 "${WORKDIR}/k3s-killall.sh" "${D}${BIN_PREFIX}/bin"
+        # ln -sr "${D}${bindir}/k3s" "${D}${bindir}/ctr"
+        ln -sr "${D}${bindir}/k3s" "${D}${bindir}/kubectl"
+        install -m 755 "${WORKDIR}/k3s-clean" "${D}${bindir}"
+        install -m 755 "${WORKDIR}/k3s-killall.sh" "${D}${bindir}"
 
         if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
                 install -D -m 0644 "${WORKDIR}/k3s.service" "${D}${systemd_system_unitdir}/k3s.service"
                 install -D -m 0644 "${WORKDIR}/k3s-agent.service" "${D}${systemd_system_unitdir}/k3s-agent.service"
-                sed -i "s#\(Exec\)\(.*\)=\(.*\)\(k3s\)#\1\2=${BIN_PREFIX}/bin/\4#g" "${D}${systemd_system_unitdir}/k3s.service" "${D}${systemd_system_unitdir}/k3s-agent.service"
-                install -m 755 "${WORKDIR}/k3s-agent" "${D}${BIN_PREFIX}/bin"
+                install -m 755 "${WORKDIR}/k3s-agent" "${D}${bindir}"
         fi
 }
 
@@ -658,8 +656,7 @@ SYSTEMD_SERVICE:${PN}-server = "${@bb.utils.contains('DISTRO_FEATURES','systemd'
 SYSTEMD_SERVICE:${PN}-agent = "${@bb.utils.contains('DISTRO_FEATURES','systemd','k3s-agent.service','',d)}"
 SYSTEMD_AUTO_ENABLE:${PN}-agent = "disable"
 
-FILES:${PN}-agent = "${BIN_PREFIX}/bin/k3s-agent"
-FILES:${PN} += "${BIN_PREFIX}/bin/*"
+FILES:${PN}-agent = "${bindir}/k3s-agent"
 
 RDEPENDS:${PN} = "k3s-cni conntrack-tools coreutils findutils iptables iproute2 ipset virtual-containerd"
 RDEPENDS:${PN}-server = "${PN}"
-- 
2.37.1

[kirkstone][master][PATCH v2 3/3] kubernetes: replace tabs with spaces for identation

Jose Quaresma

#7508

Signed-off-by: Jose Quaresma <jose.quaresma@...>
---
 recipes-containers/kubernetes/kubernetes_git.bb | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/recipes-containers/kubernetes/kubernetes_git.bb b/recipes-containers/kubernetes/kubernetes_git.bb
index 82b75b1..4d65b27 100644
--- a/recipes-containers/kubernetes/kubernetes_git.bb
+++ b/recipes-containers/kubernetes/kubernetes_git.bb
@@ -103,11 +103,11 @@ do_install() {
     install -m 0644 ${WORKDIR}/git/release/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf  ${D}${systemd_unitdir}/system/kubelet.service.d/
 
     if ${@bb.utils.contains('DISTRO_FEATURES','systemd','true','false',d)}; then
-	install -d ${D}${bindir}
-	install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}
+        install -d ${D}${bindir}
+        install -m 755 ${WORKDIR}/k8s-init ${D}${bindir}
 
-	install -d ${D}${sysconfdir}/sysctl.d
-	install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
+        install -d ${D}${sysconfdir}/sysctl.d
+        install -m 0644 "${WORKDIR}/99-kubernetes.conf" "${D}${sysconfdir}/sysctl.d"
     fi
 }
 
-- 
2.37.1

561 - 580 of 8081

Home Hashtags Subgroups Terms