Re: Best practices for tokens/passwords that can't be versioned

Alan

Yes! :)
That is what I ended up doing in the end, thanks.

Be Well,
Alan

On Thu, Dec 13, 2018 at 1:45 PM Erik Botö <erik.boto@...> wrote:

On Tue, Dec 11, 2018 at 1:44 PM Alan Martinovic <alan.martinovic@...> wrote:

Thanks Erik,
guess that could work too and seems cleaner than the env variables.

It still leaves the question how to move that content into a static file.
For example if in the end the recipe should install a file with "super
secret" as the content.

Example on the device at runtime:
cat /etc/config-passwords
super secret

The only idea that comes to mind is to do something like in the recipe:

set_secrets() {
    echo "${MYSECRETKEY}" > "${IMAGE_ROOTFS}/etc/config-passwords"
}
ROOTFS_POSTPROCESS_COMMAND += " set_secrets;"

But that seems like a bad practice because it "globalizes" the recipe logic.
It's no longer a matter of that recipe but something applied to the
whole rootfs.
But couldn't you just place the creation of this secrets file inside a
regular recipe?

When I have config files that I want to place e.g. secret credentials
into during build time I ship them with placeholders that I can then
use sed to modify during e.g. do_install().

E.g. point to file://myconfig in SRC_URI, and maybe myconfig looks
something like:
... tons of options here
username=###USERNAME###
password=###PASSWORD###
... more config options here

Then during do_install() I do something like:

install -Dm0644 ${WORKDIR}/myconfig ${D}/etc/myconfig
sed 's,###USERNAME###,${MYSECRETUSER},' -i ${D}/etc/myconfig
sed 's,###PASSWORD###,${MYSECRETKEY},' -i ${D}/etc/myconfig

That way it will be contained to a recipe and not be something you
have to do in each image that wants to ship the secrets file.

Cheers,
Erik


Be Well,
Alan
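The placeholder substitution Erik describes, as an added example that is not part of the thread and not code from the Yocto project. It is written as POSIX sh functions so the same logic could be called from a recipe's do_install() with ${D}/etc/myconfig as the destination, or run stand-alone as here. Two points the one-line sed in the thread leaves open: a secret containing the sed delimiter, '&' or '\' corrupts the s command (with ',' as delimiter a password containing ',' is silently truncated), and a file holding a password must not be installed 0644. The helper names, the ###USERNAME###/###PASSWORD### template and the sample password are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread or the Yocto project): render a config
# template with secrets filled in, safely for any secret value and with a
# private file mode. Assumes only POSIX sh, sed, ls, cut, grep and mktemp.

nl='
'

# Escape VALUE for use as the replacement part of a sed s|..|..| command.
# '\' and '&' are special in every replacement and '|' is the delimiter used
# below. A value with an embedded newline is refused rather than mangled.
sed_escape_repl() {
    case $1 in
        *"$nl"*) echo "sed_escape_repl: value contains a newline" >&2; return 1 ;;
    esac
    printf '%s' "$1" | sed -e 's/[\\|&]/\\&/g'
}

# render_config TEMPLATE DEST USER PASSWORD
# Copy TEMPLATE to DEST with ###USERNAME### and ###PASSWORD### filled in.
# DEST is created under umask 077 and left 0600, so the password is never
# world-readable, not even while sed is writing the file.
render_config() {
    template=$1 dest=$2
    user=$(sed_escape_repl "$3") || return 1
    pass=$(sed_escape_repl "$4") || return 1
    ( umask 077
      sed -e "s|###USERNAME###|$user|" -e "s|###PASSWORD###|$pass|" "$template" > "$dest" )
    chmod 0600 "$dest"
}

# render_check USER PASSWORD
# Render a constructed two-line template (not the thread's myconfig) into a
# temp dir and print "<mode> <password line>" so the result can be checked.
render_check() {
    tmp=$(mktemp -d) || return 1
    printf 'username=###USERNAME###\npassword=###PASSWORD###\n' > "$tmp/myconfig"
    render_config "$tmp/myconfig" "$tmp/rendered" "$1" "$2" || { rm -rf "$tmp"; return 1; }
    mode=$(ls -ld "$tmp/rendered" | cut -c1-10)
    line=$(grep '^password=' "$tmp/rendered")
    rm -rf "$tmp"
    printf '%s %s\n' "$mode" "$line"
}

# A constructed password using every character the naive sed gets wrong.
render_check 'svc-user' 'p,a&s|s\w0rd'
# -rw------- password=p,a&s|s\w0rd
```

Two caveats that hold however the substitution is done: the values of MYSECRETUSER and MYSECRETKEY still need to come from somewhere that is not versioned (an un-versioned site.conf or local.conf, or the environment via BB_ENV_EXTRAWHITE, renamed BB_ENV_PASSTHROUGH_ADDITIONS in newer BitBake), and BitBake expands them before the task runs, so the plaintext secret appears in the recipe's ${T}/run.do_install.* script, in log.do_install (shell tasks run with set -x), in `bitbake -e` output and of course in the built package. The build tree and its logs have to be treated as secret-bearing.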
