Re: Best practices for tokens/passwords that can't be versioned


Alan
 

Thanks Erik,
guess that could work too and seems cleaner than the env variables.

It still leaves the question how to move that content into a static file.
For example if in the end the recipe should install a file with "super
secret" as the content.

Example on the device at runtime:
cat /etc/config-passwords
super secret

The only idea that comes to mind is to do something like in the recipe:

set_secrets() {
    # Write the secret into the assembled root filesystem
    echo "${MYSECRETKEY}" > ${IMAGE_ROOTFS}/etc/config-passwords
}
ROOTFS_POSTPROCESS_COMMAND += " set_secrets;"

But that seems like a bad practice because it "globalizes" the recipe logic.
It's no longer a matter of that recipe but something applied to the
whole rootfs.

Be Well,
Alan

On Tue, Dec 11, 2018 at 1:09 PM Erik Botö <erik.boto@...> wrote:

On Tue, Dec 11, 2018 at 12:55 PM Alan Martinovic
<alan.martinovic@...> wrote:
Seems like conf/local.conf could also offer a solution given that it's a temporary
thing (per build setup), but didn't yet figure out a good mechanism.

You could have a variable in the recipe and override that value in local.conf.

Let's say your recipe is called myexample_git.bb in which you add
something like this:
MYSECRETKEY ?= ""

Then this could be assigned from local.conf using something like:
MYSECRETKEY_pn-myexample = "super secret"

Cheers,
Erik
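
A recipe-local alternative to the ROOTFS_POSTPROCESS_COMMAND approach discussed in this thread, as an added example that is not from either poster or from the Yocto Project. It reuses MYSECRETKEY, the myexample recipe name and /etc/config-passwords from the thread; the do_install_append body is an assumed sketch written in the same underscore override syntax the thread uses.

```bitbake
# myexample_git.bb (added sketch, not code from the thread)

# Default is empty; the real value comes from conf/local.conf:
#   MYSECRETKEY_pn-myexample = "super secret"
MYSECRETKEY ?= ""

do_install_append() {
    # Stop the build rather than ship an empty credentials file.
    if [ -z "${MYSECRETKEY}" ]; then
        bbfatal "MYSECRETKEY is empty; set MYSECRETKEY_pn-myexample in conf/local.conf"
    fi

    install -d ${D}${sysconfdir}

    # Create the file with owner-only permissions first, then fill it,
    # so it never exists in ${D} with a wider mode.
    install -m 0600 /dev/null ${D}${sysconfdir}/config-passwords

    # BitBake expands ${MYSECRETKEY} when it generates the task script, so the
    # value is also written to temp/run.do_install* in this recipe's WORKDIR.
    # Values containing ", $ or backticks would need extra escaping here.
    printf '%s\n' "${MYSECRETKEY}" > ${D}${sysconfdir}/config-passwords
}
```

The file is installed into ${D}, so it is packaged with this recipe and stays recipe logic instead of a whole-rootfs hook. The secret still ends up in the build directory and in the resulting package, so those artifacts need the same handling as local.conf.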
