[isar-cip-core,RFC,0/9] cleanup of customizations

Message ID 20231023150243.3990309-1-Quirin.Gylstorff@siemens.com (mailing list archive)

Message

Gylstorff Quirin Oct. 23, 2023, 2:59 p.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

cleanup the customizations scripts by:
  - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
  - Move systemd service overrides to files instead of setting it in
    postinst
  - fix formatting
  - fix scripting error in security customizations

Quirin Gylstorff (9):
  scripts/deploy-kernelci: Format python code and remove unused import
  customizations: Add variable to set the HOSTNAME
  customizations: Move ssh configuration from postinst to sshd_config.d
  security-customizations: Add dependency to customizations
  security-customizations: Fix shell error
  security-customizations: Extract sshd config from postinst to files
  cip-core-image-security: Move packages to security-customization
  customization-kernelci: Add dependency to customizations
  kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf

 conf/layer.conf                               |  2 ++
 kas/opt/reproducible.yml                      |  1 -
 kas/opt/security.yml                          |  2 ++
 recipes-core/customizations/common.inc        |  6 +++-
 recipes-core/customizations/customizations.bb | 10 ++++++
 .../files/{postinst => postinst.tmpl}         |  8 ++---
 .../customizations/files/ssh-permit-root.conf |  1 +
 .../images/cip-core-image-security.bb         | 12 +------
 .../kernelci-customizations/files/postinst    | 11 -------
 .../files/serial-getty-kernelci-override.conf |  3 ++
 .../files/ssh-permit-empty-passwords.conf     |  2 ++
 .../kernelci-customizations.bb                | 18 ++++++++---
 .../security-customizations/files/postinst    | 24 ++------------
 .../files/ssh-pam-remote.conf                 |  4 +++
 .../files/ssh-remote-session-term.conf        |  5 +++
 .../security-customizations.bb                | 25 ++++++++++++---
 scripts/deploy-kernelci.py                    | 31 ++++++++++---------
 17 files changed, 89 insertions(+), 76 deletions(-)
 rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
 create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
 create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
 create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
 create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf

Comments

Jan Kiszka Oct. 25, 2023, 4:33 p.m. UTC | #1
On 23.10.23 16:59, Quirin Gylstorff wrote:
> From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> 
> cleanup the customizations scripts by:
>   - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
>   - Move systemd service overrides to files instead of setting it in
>     postinst
>   - fix formatting
>   - fix scripting error in security customizations
> 
> Quirin Gylstorff (9):
>   scripts/deploy-kernelci: Format python code and remove unused import
>   customizations: Add variable to set the HOSTNAME
>   customizations: Move ssh configuration from postinst to sshd_config.d
>   security-customizations: Add dependency to customizations
>   security-customizations: Fix shell error
>   security-customizations: Extract sshd config from postinst to files
>   cip-core-image-security: Move packages to security-customization
>   customization-kernelci: Add dependency to customizations
>   kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
> 
>  conf/layer.conf                               |  2 ++
>  kas/opt/reproducible.yml                      |  1 -
>  kas/opt/security.yml                          |  2 ++
>  recipes-core/customizations/common.inc        |  6 +++-
>  recipes-core/customizations/customizations.bb | 10 ++++++
>  .../files/{postinst => postinst.tmpl}         |  8 ++---
>  .../customizations/files/ssh-permit-root.conf |  1 +
>  .../images/cip-core-image-security.bb         | 12 +------
>  .../kernelci-customizations/files/postinst    | 11 -------
>  .../files/serial-getty-kernelci-override.conf |  3 ++
>  .../files/ssh-permit-empty-passwords.conf     |  2 ++
>  .../kernelci-customizations.bb                | 18 ++++++++---
>  .../security-customizations/files/postinst    | 24 ++------------
>  .../files/ssh-pam-remote.conf                 |  4 +++
>  .../files/ssh-remote-session-term.conf        |  5 +++
>  .../security-customizations.bb                | 25 ++++++++++++---
>  scripts/deploy-kernelci.py                    | 31 ++++++++++---------
>  17 files changed, 89 insertions(+), 76 deletions(-)
>  rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
>  create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
>  create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
>  create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
> 

Things look good to me, but I'd like to get another check/opinion.

Jan

Venkata Pyla Oct. 26, 2023, 4:42 a.m. UTC | #2
> -----Original Message-----
> From: Jan Kiszka <jan.kiszka@siemens.com>
> Sent: Wednesday, October 25, 2023 10:04 PM
> To: Quirin Gylstorff <Quirin.Gylstorff@siemens.com>; cip-dev@lists.cip-
> project.org; pyla venkata(TSIP TMIEC ODG Porting)
> <Venkata.Pyla@toshiba-tsip.com>; dinesh kumar(TSIP TMIEC ODG
> Porting) <dinesh.kumar@toshiba-tsip.com>; hayashi kazuhiro(林 和宏
> DME ○DIG□MPS○MP4) <kazuhiro3.hayashi@toshiba.co.jp>
> Subject: Re: [cip-dev][isar-cip-core][RFC 0/9] cleanup of customizations
> 
> On 23.10.23 16:59, Quirin Gylstorff wrote:
> > From: Quirin Gylstorff <quirin.gylstorff@siemens.com>
> >
> > cleanup the customizations scripts by:
> >   - Move the ssh configuration from postinst to /etc/ssh/sshd_config.d
> >   - Move systemd service overrides to files instead of setting it in
> >     postinst
> >   - fix formatting
> >   - fix scripting error in security customizations
> >
> > Quirin Gylstorff (9):
> >   scripts/deploy-kernelci: Format python code and remove unused import
> >   customizations: Add variable to set the HOSTNAME
> >   customizations: Move ssh configuration from postinst to sshd_config.d
> >   security-customizations: Add dependency to customizations
> >   security-customizations: Fix shell error
> >   security-customizations: Extract sshd config from postinst to files
> >   cip-core-image-security: Move packages to security-customization
> >   customization-kernelci: Add dependency to customizations
> >   kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
> >
> >  conf/layer.conf                               |  2 ++
> >  kas/opt/reproducible.yml                      |  1 -
> >  kas/opt/security.yml                          |  2 ++
> >  recipes-core/customizations/common.inc        |  6 +++-
> >  recipes-core/customizations/customizations.bb | 10 ++++++
> >  .../files/{postinst => postinst.tmpl}         |  8 ++---
> >  .../customizations/files/ssh-permit-root.conf |  1 +
> >  .../images/cip-core-image-security.bb         | 12 +------
> >  .../kernelci-customizations/files/postinst    | 11 -------
> >  .../files/serial-getty-kernelci-override.conf |  3 ++
> >  .../files/ssh-permit-empty-passwords.conf     |  2 ++
> >  .../kernelci-customizations.bb                | 18 ++++++++---
> >  .../security-customizations/files/postinst    | 24 ++------------
> >  .../files/ssh-pam-remote.conf                 |  4 +++
> >  .../files/ssh-remote-session-term.conf        |  5 +++
> >  .../security-customizations.bb                | 25 ++++++++++++---
> >  scripts/deploy-kernelci.py                    | 31 ++++++++++---------
> >  17 files changed, 89 insertions(+), 76 deletions(-)
> >  rename recipes-core/customizations/files/{postinst => postinst.tmpl} (62%)
> >  create mode 100644 recipes-core/customizations/files/ssh-permit-root.conf
> >  create mode 100644 recipes-core/kernelci-customizations/files/serial-getty-kernelci-override.conf
> >  create mode 100644 recipes-core/kernelci-customizations/files/ssh-permit-empty-passwords.conf
> >  create mode 100644 recipes-core/security-customizations/files/ssh-pam-remote.conf
> >  create mode 100644 recipes-core/security-customizations/files/ssh-remote-session-term.conf
> >
> 
> Things look good to me, but I'd like to get another check/opinion.

Hi Jan and Quirin,

Thanks for improving the changes. I have reviewed the changes of the security customizations and reproducible builds patches, and most of them look good to me, except for one patch for which I have asked Quirin for clarification.

security-customizations: Add dependency to customizations
security-customizations: Fix shell error
security-customizations: Extract sshd config from postinst to files
kas/opt/reproducible.yml: Move SOURCE_DATE_EPOCH to layer.conf
- LGTM

cip-core-image-security: Move packages to security-customization
- Have asked Quirin for clarification.

> 
> Jan
> 
> --
> Siemens AG, Technology
> Linux Expert Center