authorPatrick Ohly <patrick.ohly@intel.com>2016-10-28 14:11:22 +0200
committerPatrick Ohly <patrick.ohly@intel.com>2016-12-08 14:12:55 +0100
commit9e3968d23d060144254bb915a21820e7110847c5 (patch)
tree5f82b64886412da151c82d2f3fe74318484b0fcb
parente5f6bdd4838d1de88d45819efc941730361b6f2d (diff)
meta-swupd: per-image swupd client configuration
The settings affecting the swupd client belong to the image, not the swupd client recipe. That way, different images can use different settings while sharing the same swupd client. Creating the bundles directory was broken in the swupd-client recipe and also not needed because swupd-image.bbclass does it, too. This will also allow implementing better update repo generation (incremental, supporting format changes, etc.) because now swupd-image.bbclass has access to the settings. The installed swupd client must match the format of the update repo for that OS_VERSION. To ensure that, swupd-image.bbclass now adds a dependency on a virtual "swupd-client-format<format number>" and suitable swupd client recipe(s) provide that. Distros then have two ways of choosing a swupd client version, should that ever be necessary: - first they need to override the per-image format default value - then set the preferred swupd client version, if there is more than one for that format TODO: installing the SSL pubkey into the image after a file change does not work. Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-rw-r--r--classes/swupd-image.bbclass75
-rw-r--r--recipes-core/swupd-client/swupd-client_git.bb27
2 files changed, 82 insertions, 20 deletions
diff --git a/classes/swupd-image.bbclass b/classes/swupd-image.bbclass
index bc23cce..94daafb 100644
--- a/classes/swupd-image.bbclass
+++ b/classes/swupd-image.bbclass
@@ -32,6 +32,28 @@ SWUPD_IMAGE_PN = "${@ d.getVar('PN_BASE', True) or d.getVar('PN', True)}"
# to be published will be in the "www" sub-directory.
DEPLOY_DIR_SWUPD = "${DEPLOY_DIR}/swupd/${MACHINE}/${SWUPD_IMAGE_PN}"
+# The current format has to match the the source code of the
+# swupd-client that is in the image. This recipe picks a suitable
+# swupd-client via the client's RPROVIDES.
+SWUPD_FORMAT ??= "3"
+IMAGE_INSTALL_append = " swupd-client-format${SWUPD_FORMAT}"
+
+# The information about where to find version information and actual
+# content is needed in several places:
+# - the swupd client in the image gets configured such that it uses that as default
+# - swupd server needs information about the previous build
+#
+# The version URL determines what the client picks as the version that it updates to.
+# The content URL must have all builds ever produced and is expected to also
+# have the corresponding version information.
+SWUPD_VERSION_URL ??= "http://download.example.com/updates/my-distro/milestone/${MACHINE}/${SWUPD_IMAGE_PN}"
+SWUPD_CONTENT_URL ??= "http://download.example.com/updates/my-distro/builds/${MACHINE}/${SWUPD_IMAGE_PN}"
+
+# An absolute path for a file containing the SSL certificate that is
+# is to be used for verifying https connections to the version and content
+# derver.
+SWUPD_PINNED_PUBKEY ??= ""
+
# User configurable variables to disable all swupd processing or deltapack
# generation.
SWUPD_GENERATE ??= "1"
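Review bot: The new defaults for SWUPD_VERSION_URL and SWUPD_CONTENT_URL are plain `http://`, while the comment on SWUPD_PINNED_PUBKEY says the pinned key is used for verifying https connections and its default is empty. An image built with these defaults therefore gets no transport-level authentication of the update server; whether the client verifies content signatures independently is not visible in this hunk. Consider `https://` in the example defaults, plus a parse-time `bb.warn` when SWUPD_PINNED_PUBKEY is set but either URL does not start with `https://`, since the pin would then presumably have no effect. The comment also calls the file an "SSL certificate" although the variable is named PUBKEY, and it contains the typos `the the`, `is is` and `derver`; suggested wording: `# Absolute path of the file holding the pinned public key used to verify https connections to the version and content server.`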
@@ -43,8 +65,6 @@ SWUPD_LOG_FN ??= "bbdebug 1"
# a non-negative integer that fits in an int.
OS_VERSION ??= "${DISTRO_VERSION}"
-IMAGE_INSTALL_append = " swupd-client os-release"
-
# We need to preserve xattrs which is only supported by GNU tar >= 1.27
# to be sure this functionality works as expected use the tar-replacement-native
DEPENDS += "tar-replacement-native"
@@ -240,7 +260,6 @@ addtask stage_swupd_inputs after do_image before do_swupd_update
do_stage_swupd_inputs[dirs] = "${SWUPDIMAGEDIR} ${SWUPDMANIFESTDIR} ${DEPLOY_DIR_SWUPD}/maps/"
do_stage_swupd_inputs[depends] += "virtual/fakeroot-native:do_populate_sysroot"
-SWUPD_FORMAT ??= "3"
# do_swupd_update uses its own pseudo database, for several reasons:
# - Performance is better when the pseudo instance is not shared
# with the do_image tasks of other virtual swupd image recipes (those
@@ -449,7 +468,7 @@ ROOTFS_POSTPROCESS_COMMAND += "swupd_replace_hardlinks; "
# then this can be achieved by influencing the os-release package
# by setting in local.conf:
# VERSION_ID = "${OS_VERSION}"
-
+IMAGE_INSTALL_append = " os-release"
swupd_patch_os_release () {
sed -i -e 's/^VERSION_ID *=.*/VERSION_ID="${OS_VERSION}"/' ${IMAGE_ROOTFS}/usr/lib/os-release
}
@@ -515,3 +534,51 @@ i.e. the link is to a file which only exists at runtime, such as files in /proc,
SWUPD_IMAGE_SYMLINK_WHITELIST to resolve this error.'
raise ImageQAFailed(message, swupd_check_dangling_symlinks)
}
+
+def hash_swupd_pinned_pubkey(d):
+ pubkey = d.getVar('SWUPD_PINNED_PUBKEY', True)
+ if pubkey:
+ import hashlib
+ bb.parse.mark_dependency(d, pubkey)
+ with open(pubkey, 'rb') as f:
+ hash = hashlib.sha256()
+ hash.update(f.read())
+ return hash.hexdigest()
+ else:
+ return ''
+
+SWUPD_PINNED_PUBKEY_HASH := "${@ hash_swupd_pinned_pubkey(d)}"
+
+# The swupd client must be configured on a per-image basis.
+# Different images might need different settings.
+configure_swupd_client () {
+ # Write default values to the configuration hierarchy (since 3.4.0)
+ install -d ${IMAGE_ROOTFS}/usr/share/defaults/swupd
+ echo "${SWUPD_VERSION_URL}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/versionurl
+ echo "${SWUPD_CONTENT_URL}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/contenturl
+ echo "${SWUPD_FORMAT}" >> ${IMAGE_ROOTFS}/usr/share/defaults/swupd/format
+ # Changing content of the pubkey also changes the hash and thus ensures
+ # that this method and thus do_rootfs run again.
+ #
+ # TODO: does not actually work. Recipe gets reparsed when the file
+ # changes ("bitbake -e ostro-image-swupd | SWUPD_PINNED_PUBKEY_HASH" changes)
+ # but the task does not get re-executed. Forcing that leads to:
+ #
+ # ERROR: ostro-image-swupd-1.0-r0 do_rootfs: Taskhash mismatch 8762bf20b997ac29dd6793fd11e609c3 versus cb40afac8ca291e31022d5ffd9a9bbac for /work/ostro-os/meta-ostro/recipes-image/images/ostro-image-swupd.bb.do_rootfs
+ # ERROR: Taskhash mismatch 8762bf20b997ac29dd6793fd11e609c3 versus cb40afac8ca291e31022d5ffd9a9bbac for /work/ostro-os/meta-ostro/recipes-image/images/ostro-image-swupd.bb.do_rootfs
+ #
+ # $ bitbake-diffsigs tmp-glibc/stamps/qemux86-ostro-linux/ostro-image-swupd/1.0-r0.do_rootfs.sigdata.c8a9371831f58ce4f8b49a73211f66aa tmp-glibc/stamps/qemux86-ostro-linux/ostro-image-swupd/1.0-r0.do_rootfs.sigdata.cb40afac8ca291e31022d5ffd9a9bbac
+ # basehash changed from 02de100ee7baa348e224f21844fdaa06 to e3bb23a069673a09afee4994522991d3
+ # Variable SWUPD_PINNED_PUBKEY_HASH value changed from 'b9ffbe0963f3f7ab3f3c1af5cd8471c121cb601eb4294ad4b211f1e206746a0a' to '8d172423eb0162feb8c7fb2f2d7da28a6effdf3e95184114c62e6b0efdeae89a'
+ # Taint (by forced/invalidated task) changed from None to 2c8e3b43-5e70-4c96-bf6e-741f0b344731
+ #
+ # There's no sigdata for 8762b. c8a93 is from before changing the file.
+ if [ "${SWUPD_PINNED_PUBKEY_HASH}" ]; then
+ install -d ${IMAGE_ROOTFS}${datadir}/clear/update-ca
+ install -m 0644 '${SWUPD_PINNED_PUBKEY}' ${IMAGE_ROOTFS}${datadir}/clear/update-ca/
+ echo "${datadir}/clear/update-ca/$(basename '${SWUPD_PINNED_PUBKEY}')" > ${IMAGE_ROOTFS}/usr/share/defaults/swupd/pinnedpubkey
+ fi
+ chown -R root:root ${IMAGE_ROOTFS}/usr/share/defaults/swupd
+ chmod 0644 ${IMAGE_ROOTFS}/usr/share/defaults/swupd/*
+}
+ROOTFS_POSTPROCESS_COMMAND_append = " configure_swupd_client;"
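Review bot: In `configure_swupd_client`, `versionurl`, `contenturl` and `format` are written with `>>`, so a file already present in the rootfs gains a second line and the client's effective update source becomes ambiguous. That can happen with a swupd-client package built before this change, whose `do_install_append` wrote the same paths. Use `>` as the `pinnedpubkey` line already does, e.g. `echo "${SWUPD_VERSION_URL}" > ${IMAGE_ROOTFS}/usr/share/defaults/swupd/versionurl`. The key file is also hashed at parse time but copied at task time, so checking it against SWUPD_PINNED_PUBKEY_HASH with `sha256sum -c` before the `install` would ensure the trust anchor placed in the image is the one that was hashed. `hash_swupd_pinned_pubkey` opens the path without checking that it exists or is absolute, so a wrong setting presumably surfaces as a bare Python exception during parsing; a `bb.fatal` naming SWUPD_PINNED_PUBKEY would be clearer.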
diff --git a/recipes-core/swupd-client/swupd-client_git.bb b/recipes-core/swupd-client/swupd-client_git.bb
index 8df89a1..5709357 100644
--- a/recipes-core/swupd-client/swupd-client_git.bb
+++ b/recipes-core/swupd-client/swupd-client_git.bb
@@ -20,6 +20,17 @@ RDEPENDS_${PN}_append_class-target = " oe-swupd-helpers bsdtar"
# We check /etc/os-release for the current OS version number
RRECOMMENDS_${PN}_class-target = "os-release"
+# The current format is determined by the source code of the
+# swupd-client that is in the image.
+#
+# Watch the release notes and/or source code of the client carefully
+# and bump the number by one for each update of the recipe where we
+# switch to a source that has a format change.
+#
+# To switch to a client with a new format also update SWUPD_FORMAT in
+# swupd-image.bbclass.
+RPROVIDES_${PN} = "swupd-client-format3"
+
# TODO: we inherit autotools-brokensep because the Makefile calls a perl script
# in ${S} during one of its steps.
inherit pkgconfig autotools-brokensep systemd
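Review bot: `RPROVIDES_${PN} = "swupd-client-format3"` uses plain assignment, which would discard any RPROVIDES value set earlier for the package (none is visible in this hunk); `RPROVIDES_${PN} += "swupd-client-format3"` is the safer form. The format number is now hard-coded here and again as the SWUPD_FORMAT default in swupd-image.bbclass, kept in sync only by the comment. A mismatch should fail the build with an unsatisfied image dependency rather than ship a client with the wrong format, which is the intended safety net, so it is worth stating that in the comment.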
@@ -33,22 +44,6 @@ EXTRA_OECONF = "\
PACKAGECONFIG ??= "stateless"
PACKAGECONFIG[stateless] = ",--disable-stateless"
-SWUPD_VERSION_URL ??= "example.com"
-SWUPD_CONTENT_URL ??= "example.com"
-SWUPD_FORMAT ??= "3"
-SWUPD_PINNED_PUBKEY ??= ""
-do_install_append () {
- # TODO: This should be a less os-specific directory and not hard-code datadir
- install -d ${D}$/usr/share/clear/bundles
-
- # Write default values to the configuration hierarchy (since 3.4.0)
- install -d ${D}/usr/share/defaults/swupd
- echo "${SWUPD_VERSION_URL}" >> ${D}/usr/share/defaults/swupd/versionurl
- echo "${SWUPD_CONTENT_URL}" >> ${D}/usr/share/defaults/swupd/contenturl
- echo "${SWUPD_FORMAT}" >> ${D}/usr/share/defaults/swupd/format
- test -n "${SWUPD_PINNED_PUBKEY}" && echo "${SWUPD_PINNED_PUBKEY}" > ${D}/usr/share/defaults/swupd/pinnedpubkey || true
-}
-
FILES_${PN} += "\
/usr/share \
${systemd_system_unitdir}/multi-user.target.wants* \