diff mbox series

[v2,1/1] fix: rebuild rootfs on change of USERS

Message ID 20250411112618.3992560-1-felix.moessbauer@siemens.com
State Accepted, archived
Headers show
Series [v2,1/1] fix: rebuild rootfs on change of USERS | expand

Commit Message

MOESSBAUER, Felix April 11, 2025, 11:26 a.m. UTC 
In case a change to the Isar created users is done, this currently
only re-triggers the do_rootfs_postprocess task. This task changes the
rootfs (e.g. home dirs are moved) and by that needs to operate on a
clean one. Otherwise old homedirs might still remain in the final rootfs
or move operations are not possible.

We fix this by ensuring that the do_rootfs_install task is executed
whenever a change to USERS is done. By that, we enter the
do_rootfs_postinstall with a clean rootfs.

Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
---
Changes since v1:

- Also add dependency to USER_<x> for all x in USERS

 meta/classes/image-account-extension.bbclass | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Clara Kowalsky April 11, 2025, 3:56 p.m. UTC | #1 
On 11.04.25 13:26, Felix Moessbauer wrote:
> In case a change to the Isar created users is done, this currently
> only re-triggers the do_rootfs_postprocess task. This task changes the
> rootfs (e.g. home dirs are moved) and by that needs to operate on a
> clean one. Otherwise old homedirs might still remain in the final rootfs
> or move operations are not possible.
> 
> We fix this by ensuring that the do_rootfs_install task is executed
> whenever a change to USERS is done. By that, we enter the
> do_rootfs_postinstall with a clean rootfs.
> 
> Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
> Changes since v1:
> 
> - Also add dependency to USER_<x> for all x in USERS
> 
>   meta/classes/image-account-extension.bbclass | 6 ++++++
>   1 file changed, 6 insertions(+)
> 
> diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
> index ea956cd5..3c461b1a 100644
> --- a/meta/classes/image-account-extension.bbclass
> +++ b/meta/classes/image-account-extension.bbclass
> @@ -8,6 +8,10 @@
>   USERS ??= ""
>   GROUPS ??= ""
>   
> +# rebuild rootfs on change of USERS as homes might be moved / created
> +# no need to depend on GROUPS as they don't create directories
> +# groups need to be created before users, hence do not move the user creation into
> +# the do_rootfs_install task but only add a dependency
>   python() {
>       for entry in (d.getVar("GROUPS") or "").split():
>           group_entry = "GROUP_{}".format(entry)
> @@ -16,7 +20,9 @@ python() {
>       for entry in (d.getVar("USERS") or "").split():
>           user_entry = "USER_{}".format(entry)
>           d.appendVarFlag("image_postprocess_accounts", "vardeps", " {}".format(user_entry))
> +        d.appendVarFlag("do_rootfs_install", "vardeps", " {}".format(user_entry))
>   }
> +do_rootfs_install[vardeps] += "USERS"
>   
>   def image_create_groups(d: "DataSmart") -> None:
>       """Creates the groups defined in the ``GROUPS`` bitbake variable.

This works, at least for the case of adding / moving the home directory 
of an existing user. Only removing an existing home dir when removing 
all home flags of a user is not covered, but we can ignore this for now.
BR,
Clara
MOESSBAUER, Felix April 29, 2025, 8:31 a.m. UTC | #2 
On Fri, 2025-04-11 at 17:56 +0200, Clara Kowalsky wrote:
> 
> 
> On 11.04.25 13:26, Felix Moessbauer wrote:
> > In case a change to the Isar created users is done, this currently
> > only re-triggers the do_rootfs_postprocess task. This task changes
> > the
> > rootfs (e.g. home dirs are moved) and by that needs to operate on a
> > clean one. Otherwise old homedirs might still remain in the final
> > rootfs
> > or move operations are not possible.
> > 
> > We fix this by ensuring that the do_rootfs_install task is executed
> > whenever a change to USERS is done. By that, we enter the
> > do_rootfs_postinstall with a clean rootfs.
> > 
> > Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
> > Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> > ---
> > Changes since v1:
> > 
> > - Also add dependency to USER_<x> for all x in USERS
> > 
> >   meta/classes/image-account-extension.bbclass | 6 ++++++
> >   1 file changed, 6 insertions(+)
> > 
> > diff --git a/meta/classes/image-account-extension.bbclass
> > b/meta/classes/image-account-extension.bbclass
> > index ea956cd5..3c461b1a 100644
> > --- a/meta/classes/image-account-extension.bbclass
> > +++ b/meta/classes/image-account-extension.bbclass
> > @@ -8,6 +8,10 @@
> >   USERS ??= ""
> >   GROUPS ??= ""
> >   
> > +# rebuild rootfs on change of USERS as homes might be moved /
> > created
> > +# no need to depend on GROUPS as they don't create directories
> > +# groups need to be created before users, hence do not move the
> > user creation into
> > +# the do_rootfs_install task but only add a dependency
> >   python() {
> >       for entry in (d.getVar("GROUPS") or "").split():
> >           group_entry = "GROUP_{}".format(entry)
> > @@ -16,7 +20,9 @@ python() {
> >       for entry in (d.getVar("USERS") or "").split():
> >           user_entry = "USER_{}".format(entry)
> >           d.appendVarFlag("image_postprocess_accounts", "vardeps",
> > " {}".format(user_entry))
> > +        d.appendVarFlag("do_rootfs_install", "vardeps", "
> > {}".format(user_entry))
> >   }
> > +do_rootfs_install[vardeps] += "USERS"
> >   
> >   def image_create_groups(d: "DataSmart") -> None:
> >       """Creates the groups defined in the ``GROUPS`` bitbake
> > variable.
> 
> This works, at least for the case of adding / moving the home
> directory 
> of an existing user. Only removing an existing home dir when removing
> all home flags of a user is not covered, but we can ignore this for
> now.

Hi, this can only happen if a user is created by a package and then
transformed using ISAR, right?. IMHO this is simply not in scope, as we
have no way to express "remove-this-homedir".

Anyways, IMHO this patch is good to be merged.

Best regards,
Felix

> BR,
> Clara
Clara Kowalsky May 7, 2025, 12:28 p.m. UTC | #3 
On 29.04.25 10:31, Moessbauer, Felix (FT RPD CED OES-DE) wrote:
> On Fri, 2025-04-11 at 17:56 +0200, Clara Kowalsky wrote:
>>
>>
>> On 11.04.25 13:26, Felix Moessbauer wrote:
>>> In case a change to the Isar created users is done, this currently
>>> only re-triggers the do_rootfs_postprocess task. This task changes
>>> the
>>> rootfs (e.g. home dirs are moved) and by that needs to operate on a
>>> clean one. Otherwise old homedirs might still remain in the final
>>> rootfs
>>> or move operations are not possible.
>>>
>>> We fix this by ensuring that the do_rootfs_install task is executed
>>> whenever a change to USERS is done. By that, we enter the
>>> do_rootfs_postinstall with a clean rootfs.
>>>
>>> Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
>>> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
>>> ---
>>> Changes since v1:
>>>
>>> - Also add dependency to USER_<x> for all x in USERS
>>>
>>>    meta/classes/image-account-extension.bbclass | 6 ++++++
>>>    1 file changed, 6 insertions(+)
>>>
>>> diff --git a/meta/classes/image-account-extension.bbclass
>>> b/meta/classes/image-account-extension.bbclass
>>> index ea956cd5..3c461b1a 100644
>>> --- a/meta/classes/image-account-extension.bbclass
>>> +++ b/meta/classes/image-account-extension.bbclass
>>> @@ -8,6 +8,10 @@
>>>    USERS ??= ""
>>>    GROUPS ??= ""
>>>    
>>> +# rebuild rootfs on change of USERS as homes might be moved /
>>> created
>>> +# no need to depend on GROUPS as they don't create directories
>>> +# groups need to be created before users, hence do not move the
>>> user creation into
>>> +# the do_rootfs_install task but only add a dependency
>>>    python() {
>>>        for entry in (d.getVar("GROUPS") or "").split():
>>>            group_entry = "GROUP_{}".format(entry)
>>> @@ -16,7 +20,9 @@ python() {
>>>        for entry in (d.getVar("USERS") or "").split():
>>>            user_entry = "USER_{}".format(entry)
>>>            d.appendVarFlag("image_postprocess_accounts", "vardeps",
>>> " {}".format(user_entry))
>>> +        d.appendVarFlag("do_rootfs_install", "vardeps", "
>>> {}".format(user_entry))
>>>    }
>>> +do_rootfs_install[vardeps] += "USERS"
>>>    
>>>    def image_create_groups(d: "DataSmart") -> None:
>>>        """Creates the groups defined in the ``GROUPS`` bitbake
>>> variable.
>>
>> This works, at least for the case of adding / moving the home
>> directory
>> of an existing user. Only removing an existing home dir when removing
>> all home flags of a user is not covered, but we can ignore this for
>> now.
> 
> Hi, this can only happen if a user is created by a package and then
> transformed using ISAR, right?. IMHO this is simply not in scope, as we
> have no way to express "remove-this-homedir".
> 
> Anyways, IMHO this patch is good to be merged.

Yes, removing a home dir is out of scope. The patch can be merged.
BR,
Clara

> 
> Best regards,
> Felix
> 
>> BR,
>> Clara
>
Baurzhan Ismagulov May 7, 2025, 1:07 p.m. UTC | #4 
On 2025-04-11 13:26, 'Felix Moessbauer' via isar-users wrote:
> In case a change to the Isar created users is done, this currently
> only re-triggers the do_rootfs_postprocess task. This task changes the
> rootfs (e.g. home dirs are moved) and by that needs to operate on a
> clean one. Otherwise old homedirs might still remain in the final rootfs
> or move operations are not possible.
> 
> We fix this by ensuring that the do_rootfs_install task is executed
> whenever a change to USERS is done. By that, we enter the
> do_rootfs_postinstall with a clean rootfs.
> 
> Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>

Applied to next, thanks.

With kind regards,
Baurzhan
Jan Kiszka June 17, 2025, 3:13 p.m. UTC | #5 
On 11.04.25 13:26, 'Felix Moessbauer' via isar-users wrote:
> In case a change to the Isar created users is done, this currently
> only re-triggers the do_rootfs_postprocess task. This task changes the
> rootfs (e.g. home dirs are moved) and by that needs to operate on a
> clean one. Otherwise old homedirs might still remain in the final rootfs
> or move operations are not possible.
> 
> We fix this by ensuring that the do_rootfs_install task is executed
> whenever a change to USERS is done. By that, we enter the
> do_rootfs_postinstall with a clean rootfs.
> 
> Reported-by: Clara Kowalsky <clara.kowalsky@siemens.com>
> Signed-off-by: Felix Moessbauer <felix.moessbauer@siemens.com>
> ---
> Changes since v1:
> 
> - Also add dependency to USER_<x> for all x in USERS
> 
>  meta/classes/image-account-extension.bbclass | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
> index ea956cd5..3c461b1a 100644
> --- a/meta/classes/image-account-extension.bbclass
> +++ b/meta/classes/image-account-extension.bbclass
> @@ -8,6 +8,10 @@
>  USERS ??= ""
>  GROUPS ??= ""
>  
> +# rebuild rootfs on change of USERS as homes might be moved / created
> +# no need to depend on GROUPS as they don't create directories
> +# groups need to be created before users, hence do not move the user creation into
> +# the do_rootfs_install task but only add a dependency

Quirin and I do not yet buy why GROUPS should be excluded. They may also
need a clean baseline if the developer changed a recipe with impact on
groups.

We just had a case where someone changed the gid, and that failed to
rebuild. So, even if groups do not create directories, they influence
that. And some experiments I just did seem to confirm that.

Jan

>  python() {
>      for entry in (d.getVar("GROUPS") or "").split():
>          group_entry = "GROUP_{}".format(entry)
> @@ -16,7 +20,9 @@ python() {
>      for entry in (d.getVar("USERS") or "").split():
>          user_entry = "USER_{}".format(entry)
>          d.appendVarFlag("image_postprocess_accounts", "vardeps", " {}".format(user_entry))
> +        d.appendVarFlag("do_rootfs_install", "vardeps", " {}".format(user_entry))
>  }
> +do_rootfs_install[vardeps] += "USERS"
>  
>  def image_create_groups(d: "DataSmart") -> None:
>      """Creates the groups defined in the ``GROUPS`` bitbake variable.
diff mbox series

Patch

diff --git a/meta/classes/image-account-extension.bbclass b/meta/classes/image-account-extension.bbclass
index ea956cd5..3c461b1a 100644
--- a/meta/classes/image-account-extension.bbclass
+++ b/meta/classes/image-account-extension.bbclass
@@ -8,6 +8,10 @@ 
 USERS ??= ""
 GROUPS ??= ""
 
+# rebuild rootfs on change of USERS as homes might be moved / created
+# no need to depend on GROUPS as they don't create directories
+# groups need to be created before users, hence do not move the user creation into
+# the do_rootfs_install task but only add a dependency
 python() {
     for entry in (d.getVar("GROUPS") or "").split():
         group_entry = "GROUP_{}".format(entry)
@@ -16,7 +20,9 @@  python() {
     for entry in (d.getVar("USERS") or "").split():
         user_entry = "USER_{}".format(entry)
         d.appendVarFlag("image_postprocess_accounts", "vardeps", " {}".format(user_entry))
+        d.appendVarFlag("do_rootfs_install", "vardeps", " {}".format(user_entry))
 }
+do_rootfs_install[vardeps] += "USERS"
 
 def image_create_groups(d: "DataSmart") -> None:
     """Creates the groups defined in the ``GROUPS`` bitbake variable.