[Buildroot] [PATCH 3/4] package/openssh: seperate sd service for host key generation

Jérémy ROSEN jeremy.rosen at smile.fr
Sun Jun 7 19:09:20 UTC 2020


Le dim. 7 juin 2020 à 20:56, Norbert Lange <nolange79 at gmail.com> a écrit :

> Am So., 7. Juni 2020 um 12:44 Uhr schrieb Jérémy ROSEN <
> jeremy.rosen at smile.fr>:
> >
> > Why the RemainAfterExit ?
> > This is a "real oneshot", it doesn't need a state to stay behind.
> > Moreover it would only stay behind when actually generating the key. in
> all followup boot the unit would not be started at all
>
> Yeah... there is some truth to that, but those one-shots have tricky
> sideeffects systemd 245 changed something that completely undermines
> my understanding of how they should work,
> and make that flag practically a necessity. See:
> https://github.com/systemd/systemd/issues/15091
>
> I dont think I am able to correctly describe all pro's and cons but I
> added this flag after:
>
> -   later services did not care for failures
> -   starting/stopping *any* service will recheck the condition and
> fill the syslog (* depends on other stuff aswell, but that's what
> happens for me)
>
> In short: add RemainAfterExit for every one-shot, or there will be
> dragons. Doesn't seem upstream is bothered by this.
>
> ok, I see your point... you are protected by your various Condition= from
this bug, but that would fill the logs with condition checks messages.

Could you please add a comment pointing to that bug report ?

Appart from that
Reviewd-by: Jérémy Rosen <jeremy.rosen at smile.fr>


> >
> > Appart from that, Looks good to me...
> >
> > Le sam. 6 juin 2020 à 00:59, Norbert Lange <nolange79 at gmail.com> a
> écrit :
> >>
> >> split out generationg of host keys into an optional service
> >> that can easily be removed or deactivated.
> >>
> >> Signed-off-by: Norbert Lange <nolange79 at gmail.com>
> >> ---
> >>  package/openssh/openssh.mk               |  5 +++--
> >>  package/openssh/sshd-host-keygen.service | 20 ++++++++++++++++++++
> >>  package/openssh/sshd.service             |  1 -
> >>  3 files changed, 23 insertions(+), 3 deletions(-)
> >>  create mode 100644 package/openssh/sshd-host-keygen.service
> >>
> >> diff --git a/package/openssh/openssh.mk b/package/openssh/openssh.mk
> >> index d425db1428..6b3ee1f5f4 100644
> >> --- a/package/openssh/openssh.mk
> >> +++ b/package/openssh/openssh.mk
> >> @@ -114,8 +114,9 @@ endef
> >>  OPENSSH_POST_INSTALL_TARGET_HOOKS += OPENSSH_INSTALL_SERVER_PROGRAMS
> >>
> >>  define OPENSSH_INSTALL_INIT_SYSTEMD
> >> -       $(INSTALL) -D -m 644 package/openssh/sshd.service \
> >> -               $(TARGET_DIR)/usr/lib/systemd/system/sshd.service
> >> +       mkdir $(TARGET_DIR)/usr/lib/systemd/system
> >> +       $(INSTALL) -m 644 package/openssh/sshd*.service \
> >> +               $(TARGET_DIR)/usr/lib/systemd/system/
> >>         $(OPENSSH_INSTALL_SYSTEMD_SYSUSERS)
> >>  endef
> >>
> >> diff --git a/package/openssh/sshd-host-keygen.service
> b/package/openssh/sshd-host-keygen.service
> >> new file mode 100644
> >> index 0000000000..058e671c44
> >> --- /dev/null
> >> +++ b/package/openssh/sshd-host-keygen.service
> >> @@ -0,0 +1,20 @@
> >> +[Unit]
> >> +Description=SSH Key Generation
> >> +Before=sshd.service
> >> +
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
> >> +ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub
> >> +
> >> +[Service]
> >> +ExecStart=/usr/bin/ssh-keygen -A
> >> +Type=oneshot
> >> +RemainAfterExit=yes
> >> +
> >> +[Install]
> >> +WantedBy=sshd.service
> >> diff --git a/package/openssh/sshd.service b/package/openssh/sshd.service
> >> index 715bd3f7eb..797e249d8d 100644
> >> --- a/package/openssh/sshd.service
> >> +++ b/package/openssh/sshd.service
> >> @@ -4,7 +4,6 @@ Documentation=man:sshd(8) man:sshd_config(5)
> >>  After=network.target auditd.service
> >>
> >>  [Service]
> >> -ExecStartPre=/usr/bin/ssh-keygen -A
> >>  ExecStartPre=/usr/sbin/sshd -t
> >>  ExecStart=/usr/sbin/sshd -D
> >>  ExecReload=/usr/sbin/sshd -t
> >> --
> >> 2.26.2
> >>
> >> _______________________________________________
> >> buildroot mailing list
> >> buildroot at busybox.net
> >> http://lists.busybox.net/mailman/listinfo/buildroot
> >
> >
> >
> > --
> >
> >
> > 20 rue des Jardins
> > 92600 Asnières-sur-Seine
> >
> > Jérémy ROSEN
> > Architecte technique
> >
> >  jeremy.rosen at smile.fr
> >   +33 6 88 25 87 42
> >  http://www.smile.eu
> >
> >
> >
>


-- 
[image: SMILE]  <http://www.smile.eu/>

20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Architecte technique

[image: email] jeremy.rosen at smile.fr
[image: phone]  +33 6 88 25 87 42
[image: url] http://www.smile.eu

[image: Twitter] <https://twitter.com/GroupeSmile> [image: Facebook]
<https://www.facebook.com/smileopensource> [image: LinkedIn]
<https://www.linkedin.com/company/smile> [image: Github]
<https://github.com/Smile-SA>

[image: Découvrez l’univers Smile, rendez-vous sur smile.eu]
<https://www.smile.eu/fr/publications/livres-blancs/yocto?utm_source=signature&utm_medium=email&utm_campaign=signature>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20200607/68875fbe/attachment-0002.html>


More information about the buildroot mailing list