From patchwork Fri Nov 21 04:29:29 2025
X-Patchwork-Submitter: Cedric Hombourger
X-Patchwork-Id: 4620
From: Cedric Hombourger
To: isar-users@googlegroups.com
Cc: Cedric Hombourger
Subject: [PATCH] mmdebstrap: support for user credentials for apt sources
Date: Fri, 21 Nov 2025 05:29:29 +0100
Message-ID: <20251121042931.3520717-1-cedric.hombourger@siemens.com>

Some organizations may restrict access to their package feeds and require users to supply a user and password/token. With Isar having adopted mmdebstrap, we may now supply an apt auth configuration file in /etc/apt/auth.conf.d/. Credentials may be specified in local.conf (a kas configuration fragment with environment variables may be used).
Multiple remotes and their respective credentials may be listed: ISAR_APT_CREDS += "apt.server1.com" ISAR_APT_CREDS_apt.server1.com = "my-user-for-server1 pass-for-server1" ISAR_APT_CREDS += "apt.server2.com" ISAR_APT_CREDS_apt.server2.com = "another-user-for-server2 different-pass" Signed-off-by: Cedric Hombourger --- RECIPE-API-CHANGELOG.md | 18 ++++++++++ doc/user_manual.md | 10 ++++++ .../isar-mmdebstrap/isar-mmdebstrap.inc | 34 +++++++++++++++++++ 3 files changed, 62 insertions(+) diff --git a/RECIPE-API-CHANGELOG.md b/RECIPE-API-CHANGELOG.md index 20183a8d..ede375fa 100644 --- a/RECIPE-API-CHANGELOG.md +++ b/RECIPE-API-CHANGELOG.md @@ -866,3 +866,21 @@ INITRD_IMAGE is "only" deprecated; meaning that it may still be used (but build-time warnings will be raised). If both IMAGE_INITRD and INITRD_IMAGE are set then the latter will be ignored (a warning noting that both were set will be emitted). + +### User-authentification for apt sources + +Some organization may restrict access to their package feeds and require +users to supply a user and password/token. With Isar having adopted +mmdebstrap, we may now supply an apt auth configuration file in +/etc/apt/auth.conf.d/. Credentials may be specified in local.conf (a kas +configuration fragment with environment variables may be used). Multiple +remotes and their respective credentials may be listed: + + ISAR_APT_CREDS += "apt.server1.com" + ISAR_APT_CREDS_apt.server1.com = "my-user-for-server1 pass-for-server1" + + ISAR_APT_CREDS += "apt.server2.com" + ISAR_APT_CREDS_apt.server2.com = "another-user-for-server2 different-pass" + +NOTE: this is not supported for the (soon-to-be-removed?) legacy bootstrap +method (based on deboostrap) diff --git a/doc/user_manual.md b/doc/user_manual.md index efe65a51..30002bea 100644 --- a/doc/user_manual.md +++ b/doc/user_manual.md 
@@ -451,6 +451,7 @@ Some other variables include: - `ISAR_APT_SNAPSHOT_TIMESTAMP[security]` - Unix timestamp of the security distribution. Optional. - `ISAR_APT_SNAPSHOT_DATE` - Timestamp in upstream format (e.g. `20240702T082400Z`) of the apt snapshot. Overrides `ISAR_APT_SNAPSHOT_TIMESTAMP` if set. Otherwise, will be automatically derived from `ISAR_APT_SNAPSHOT_TIMESTAMP` - `ISAR_APT_SNAPSHOT_DATE[security]` - Timestamp in upstream format of the security distribution. Optional. + * `ISAR_APT_CREDS` - List of of remote apt servers requiring credentials (individually configured with `ISAR_APT_CREDS_server_fqdn = "user password")` - `THIRD_PARTY_APT_KEYS` - List of gpg key URIs used to verify apt repos for apt installation after bootstrapping. - `FILESEXTRAPATHS` - The default directories BitBake uses when it processes recipes are initially defined by the FILESPATH variable. You can extend FILESPATH variable by using FILESEXTRAPATHS. - `FILESOVERRIDES` - A subset of OVERRIDES used by the build system for creating FILESPATH. The FILESOVERRIDES variable uses overrides to automatically extend the FILESPATH variable. @@ -540,6 +541,15 @@ DISTRO_CONFIG_SCRIPT?= "raspbian-configscript.sh" DISTRO_KERNELS ?= "rpi rpi2 rpi-rpfv rpi2-rpfv" ``` +If the distribution has apt sources requiring authentication, users may add the following to e.g. `local.conf`: + + ``` + ISAR_APT_CREDS += "apt.restricted-server.com" + ISAR_APT_CREDS_apt.restricted-server.com = "my-user-name my-password-or-token" + ``` + +Consider passing these credentials via (CI-protected) environment variables and refrain from leaving your credentials in `local.conf`. + For RaspiOS a different DISTRO_KERNELS list is used: - `kernel` - for Raspberry Pi 1, Pi Zero, Pi Zero W, and Compute Module - `kernel7` - for Raspberry Pi 2, Pi 3, Pi 3+, and Compute Module 3 diff --git a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc index b2de61ad..d88628ac 100644 
--- a/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc +++ b/meta/recipes-core/isar-mmdebstrap/isar-mmdebstrap.inc @@ -74,6 +74,39 @@ do_generate_keyrings() { } addtask generate_keyrings before do_build after do_unpack +# Generate an apt configuration file holding credentials for the apt sources +# requiring user authentication +do_generate_auth_file[vardeps] += "ISAR_APT_CREDS" +python do_generate_auth_file() { + creds = d.getVar('ISAR_APT_CREDS') or '' + auth_file = os.path.join(d.getVar('WORKDIR'), 'apt-auth') + if not creds: + if os.path.exists(auth_file): + os.unlink(auth_file) + return + + with open(auth_file, "w") as f: + for machine in creds.split(): + user_password = d.getVar(f"ISAR_APT_CREDS_{machine}") + try: + user, passwd = user_password.split() + f.write(f"machine {machine}\n" + f" user {user}\n" + f" password {passwd}\n") + except ValueError: + bb.fatal(f"Too few/many tokens in ISAR_APT_CREDS['{machine}']: " + f"user and password expected (got '{user_password}')!") +} +addtask generate_auth_file before do_bootstrap after do_unpack + +def get_apt_auth_opts(d): + creds = d.getVar('ISAR_APT_CREDS') or '' + workdir = d.getVar('WORKDIR') + if creds: + return "--setup-hook='mkdir -p \"$1/etc/apt/auth.conf.d\"' " + \ + f"--setup-hook='upload \"{workdir}/apt-auth\" /etc/apt/auth.conf.d/isar.conf'" + return '' + do_bootstrap[vardeps] += " \ DISTRO_APT_PREMIRRORS \ ISAR_ENABLE_COMPAT_ARCH \ @@ -189,6 +222,7 @@ do_bootstrap() { $arch_param \ --mode=unshare \ ${MMHOOKS} \ + ${@get_apt_auth_opts(d)} \ --setup-hook='mkdir -p "$1/var/cache/apt/archives/"' \ --setup-hook="$extra_setup" \ --setup-hook='upload "${APTPREFS}" /etc/apt/preferences.d/bootstrap' \
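Review bot: the new RECIPE-API-CHANGELOG.md section has spelling slips worth fixing before merge: the heading "### User-authentification for apt sources" should read "### User authentication for apt sources", "Some organization may restrict" should be "Some organizations may restrict", and "deboostrap" in the closing NOTE should be "debootstrap". That NOTE is the most important line of the entry for anyone still on the legacy bootstrap path; consider stating what happens there when ISAR_APT_CREDS is set (is it ignored, or does the build fail?) so users do not assume their restricted feeds are being authenticated.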
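Review bot: the ISAR_APT_CREDS bullet added to the variable list in doc/user_manual.md (hunk @@ -451) uses "*" while every neighbouring entry uses "-", contains a doubled word ("List of of"), and has the closing parenthesis inside the inline code span (`ISAR_APT_CREDS_server_fqdn = "user password")`). Suggested replacement line:
- `ISAR_APT_CREDS` - List of remote apt servers requiring credentials (individually configured with `ISAR_APT_CREDS_server_fqdn = "user password"`)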
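Review bot: in the second doc/user_manual.md hunk (@@ -540), the fence lines of the new example are indented by one space (" ```") unlike the unindented fences surrounding it, and the two assignments inside are indented further; depending on the renderer this may not produce a code block, so drop the leading whitespace on the fence lines. The closing sentence recommending CI-protected environment variables over leaving credentials in local.conf is the right advice; it would be worth repeating it next to the ISAR_APT_CREDS entry in the variable list, which is where most readers will land.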
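Review bot: in do_generate_auth_file (isar-mmdebstrap.inc hunk @@ -74), the bb.fatal message interpolates the raw variable value ("got '{user_password}'"), which writes the password into the build log and console whenever an entry has the wrong token count; report only the machine name and the number of tokens found. Two robustness gaps sit next to it: if ISAR_APT_CREDS lists a machine but ISAR_APT_CREDS_<machine> is unset, d.getVar returns None and None.split() raises AttributeError, which the "except ValueError" does not catch, so the task dies with a traceback instead of a clear message; and open(auth_file, "w") creates the file under the default umask although it holds a secret in WORKDIR, so create it with os.open(..., 0o600) or chmod it afterwards. Finally, "[vardeps] += "ISAR_APT_CREDS"" only tracks the list; the per-server values are read through an f-string getVar that BitBake's dependency parser cannot see, so changing a password without changing the list will not re-run the task. Adding those variables to vardeps fixes the staleness but puts their values into the task's signature data, so a digest of the values via [vardepvalue] is a possible middle ground; either way the choice should be stated in a comment.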
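Review bot: in the do_bootstrap hunk (@@ -189), ${@get_apt_auth_opts(d)} uploads the credentials file to /etc/apt/auth.conf.d/isar.conf in a setup hook, and nothing in this hunk or the earlier one removes it again, so the credentials become part of the bootstrap result and of everything derived from it (images, sstate artefacts, published rootfs tarballs). If the file is only needed during bootstrap, add a matching cleanup hook that deletes it; if later apt runs in the rootfs need it, say so in the commit message and make sure the image finalisation strips it. Note also that get_apt_auth_opts embeds {workdir} inside single quotes handed to the shell, so a WORKDIR containing a single quote would break the hook; unlikely in practice, but worth a comment next to the function.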
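As an added example, not part of this patch and not Isar's own code, the following stand-alone Python shows how a generator for an apt auth.conf.d file can validate ISAR_APT_CREDS-style settings (the variable scheme the commit message describes) without echoing secrets into error messages, and write the result with mode 0600 from the moment it is created. A plain dict stands in for BitBake's datastore and the credentials are constructed sample values; the names CredentialError, parse_creds, render_auth_conf, write_auth_file, file_mode, rejection_message and demo are assumptions of this example, not names from the patch.

```python
import os
import stat
import tempfile

# Constructed sample values standing in for BitBake's datastore (d.getVar);
# a plain dict is used because this example runs outside bitbake.
SAMPLE_CONFIG = {
    "ISAR_APT_CREDS": "apt.server1.com apt.server2.com",
    "ISAR_APT_CREDS_apt.server1.com": "my-user-for-server1 pass-for-server1",
    "ISAR_APT_CREDS_apt.server2.com": "another-user-for-server2 different-pass",
}


class CredentialError(ValueError):
    """Malformed credential entry. The message names the variable and the
    token count only, never the value, so it is safe to print in build logs."""


def parse_creds(config):
    """Return [(machine, user, password), ...] from ISAR_APT_CREDS-style settings."""
    entries = []
    for machine in (config.get("ISAR_APT_CREDS") or "").split():
        raw = config.get(f"ISAR_APT_CREDS_{machine}")
        if raw is None:  # listed in ISAR_APT_CREDS but no per-server variable set
            raise CredentialError(
                f"ISAR_APT_CREDS lists {machine} but ISAR_APT_CREDS_{machine} is unset")
        parts = raw.split()
        if len(parts) != 2:  # apt's format needs exactly one user and one password token
            raise CredentialError(
                f"ISAR_APT_CREDS_{machine}: expected 2 tokens (user password), got {len(parts)}")
        entries.append((machine, parts[0], parts[1]))
    return entries


def render_auth_conf(entries):
    """Render the netrc-style text apt reads from /etc/apt/auth.conf.d/*.conf."""
    return "".join(f"machine {m}\n user {u}\n password {p}\n" for m, u, p in entries)


def write_auth_file(path, entries):
    """Write the file with mode 0600 from creation onwards; with no entries,
    remove any stale file so old credentials do not linger in WORKDIR.
    Returns the path written, or None when nothing was written."""
    if not entries:
        if os.path.exists(path):
            os.unlink(path)
        return None
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_auth_conf(entries))
    os.chmod(path, 0o600)  # a pre-existing file keeps its old mode; tighten it too
    return path


def file_mode(path):
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def rejection_message(config):
    """Return the CredentialError message for a bad config, or None if it parses."""
    try:
        parse_creds(config)
        return None
    except CredentialError as exc:
        return str(exc)


def demo(config=SAMPLE_CONFIG):
    """Run the pipeline in a temporary WORKDIR; returns (entries, mode, removed)."""
    entries = parse_creds(config)
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "apt-auth")
    try:
        write_auth_file(path, entries)
        mode = file_mode(path)
        write_auth_file(path, [])  # an emptied ISAR_APT_CREDS must drop the stale file
        removed = not os.path.exists(path)
    finally:
        if os.path.exists(path):
            os.unlink(path)
        os.rmdir(workdir)
    return entries, mode, removed


if __name__ == "__main__":
    entries, mode, removed = demo()
    print(render_auth_conf(entries), end="")
    print(f"mode={oct(mode)} removed_when_empty={removed}")
```

The two design choices that matter for a defender are visible in rejection_message: a malformed entry is reported by variable name and token count, so a password with an embedded space never reaches the build log, and a machine listed without its per-server variable fails with a plain message instead of a traceback.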