[isar-cip-core PATCH 4/6] Use an image recipe to define installed packages instead of kas option


Venkata Pyla
 

From: Kazuhiro Hayashi kazuhiro3.hayashi@...

 

Signed-off-by: Kazuhiro Hayashi <kazuhiro3.hayashi@...>

---

SECURITY.md                                   | 23 ++++--------

opt-security.yml                              | 34 -----------------

.../images/cip-core-image-security.bb         | 37 +++++++++++++++++++

3 files changed, 45 insertions(+), 49 deletions(-)

delete mode 100644 opt-security.yml

create mode 100644 recipes-core/images/cip-core-image-security.bb

 

diff --git a/SECURITY.md b/SECURITY.md

index a8bccc7..ddceee5 100644

--- a/SECURITY.md

+++ b/SECURITY.md

@@ -18,31 +18,24 @@ Assumed environment

     * Installed packages: `docker-ce`, `qemu-system`

     * Users who does the following actions must be in the groups `docker` and `kvm`

-Create kas file

----------------

-

-Create a kas file named `opt-security.yml` to add security settings.

-

-Add security packages to rootfs

--------------------------------

+Create image recipe

+-------------------

-Set `IMAGE_PREINSTALL` to the list of packages required to enable

-the security features. This variable can be set through the kas file.

+Create the recipe `recipes-core/images/cip-core-image-security.bb`

+to generate a image including required packages.

+We can install existing Debian packages by setting

+`IMAGE_PREINSTALL` in the image recipe.

 Example:

-```

-local_conf_header:

-  security: |

     IMAGE_PREINSTALL = "openssl"

-```

 Build images

------------

-Build images for QEMU x86 64bit machine:

+Build images for QEMU x86 64bit machine.

-    $ ./kas-docker --isar build kas.yml:board-qemu-amd64.yml:opt-security.yml

+    $ ./kas-docker --isar build --target cip-core-image-security kas.yml:board-qemu-amd64.yml

 Run on QEMU

-----------
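Review bot: the new "Create image recipe" text still reads as an instruction for the user to create `recipes-core/images/cip-core-image-security.bb`, but this same patch adds that recipe with the complete package list, so the step is already done for them; worse, the remaining `IMAGE_PREINSTALL = "openssl"` example, if copied into that recipe, replaces the full list with a single package. Suggest rewording to describe the shipped recipe (e.g. "The recipe `recipes-core/images/cip-core-image-security.bb` installs the packages listed in `IMAGE_PREINSTALL`; add further Debian packages there") and either dropping the one-package example or showing it as an addition rather than an assignment. Minor: "to generate a image" should read "to generate an image", and with the fenced block gone the example now relies on the 4-space indent alone to render as code, which works but is inconsistent with the `$ ./kas-docker` block style below it.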

diff --git a/opt-security.yml b/opt-security.yml

deleted file mode 100644

index 7c6b39c..0000000

--- a/opt-security.yml

+++ /dev/null

@@ -1,34 +0,0 @@

-#

-# KAS configuration for CIP Core generic profile to enable security features

-#

-# Copyright (c) Toshiba Corporation, 2020

-#

-# Authors:

-#  Kazuhiro Hayashi <kazuhiro3.hayashi@...>

-#

-# SPDX-License-Identifier: MIT

-#

-

-header:

-  version: 8

-

-local_conf_header:

-  security: |

-    # TODO: Add sudo or sudo-ldap

-    IMAGE_PREINSTALL = "\

-      openssl libssl1.1 \

-      fail2ban \

-      openssh-server openssh-sftp-server openssh-client \

-      syslog-ng-core syslog-ng-mod-journal \

-      aide aide-common \

-      libnftables0 nftables \

-      libpam-pkcs11 \

-      chrony \

-      tpm2-tools \

-      tpm2-abrmd \

-      libtss2-esys0 libtss2-udev \

-      libpam-cracklib \

-      acl \

-      libauparse0 audispd-plugins auditd \

-      uuid-runtime \

-    "

\ No newline at end of file
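Review bot: deleting opt-security.yml removes the kas entry point that the old build command in SECURITY.md relied on, and the patch only updates that one document; please check that no other kas fragment, CI job or documentation in the tree still references `opt-security.yml`, otherwise those builds break after this series. The `# TODO: Add sudo or sudo-ldap` note and the package list are carried over unchanged into the new recipe, so nothing is lost in the move itself.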

diff --git a/recipes-core/images/cip-core-image-security.bb b/recipes-core/images/cip-core-image-security.bb

new file mode 100644

index 0000000..70571f8

--- /dev/null

+++ b/recipes-core/images/cip-core-image-security.bb

@@ -0,0 +1,37 @@

+#

+# A reference image which includes security packages

+#

+# Copyright (c) Toshiba Corporation, 2020

+#

+# Authors:

+#  Kazuhiro Hayashi <kazuhiro3.hayashi@...>

+#

+# SPDX-License-Identifier: MIT

+#

+

+inherit image

+

+DESCRIPTION = "CIP Core image including security packages"

+

+# Use the same customizations as cip-core-image

+IMAGE_INSTALL += "customizations"

+

+# Debian packages that provide security features

+# TODO: Add sudo or sudo-ldap which conflict each other

+IMAGE_PREINSTALL = " \

+             openssl libssl1.1 \

+             fail2ban \

+             openssh-server openssh-sftp-server openssh-client \

+             syslog-ng-core syslog-ng-mod-journal \

+             aide aide-common \

+             libnftables0 nftables \

+             libpam-pkcs11 \

+             chrony \

+             tpm2-tools \

+             tpm2-abrmd \

+             libtss2-esys0 libtss2-udev \

+             libpam-cracklib \

+             acl \

+             libauparse0 audispd-plugins auditd \

+             uuid-runtime \

+"
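Review bot: the IMAGE_PREINSTALL list hard-codes library packages whose names embed a soname (`libssl1.1`, `libtss2-esys0`, `libnftables0`, `libauparse0`); apt already pulls these in as dependencies of `openssl`, `tpm2-tools`/`tpm2-abrmd`, `nftables` and `auditd`, and the explicit names stop resolving on a Debian release where the soname changes. Suggest dropping the `lib*` entries (keeping `libpam-pkcs11`, `libpam-cracklib` and `libtss2-udev`, which provide features rather than a shared object) and letting dependency resolution do the rest. Second, the plain `IMAGE_PREINSTALL = " \` assignment in the recipe overrides any IMAGE_PREINSTALL a user sets in local.conf or a kas `local_conf_header` (the mechanism the deleted opt-security.yml used), so such additions are silently dropped; `IMAGE_PREINSTALL += "..."` would keep them. Finally, installing these packages does not turn the features on by itself (auditd ships with no rules, nftables with no ruleset, aide with no initialised database, and neither PAM module is referenced from the PAM stack), so either DESCRIPTION and SECURITY.md should state that the image only installs the packages, or the cover letter should point to where in the series the configuration lands.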

--

2.20.1
