path: root/meta-google/recipes-extended
Age | Commit message | Author | Files | Lines

2023-12-14 | meta-google: rsyslog: Increase syslog burst size | Yuxiao Zhang | 1 | -2/+2
During bootup all journal from startup will be uploaded in one shot when network is available. We need to increase burst size to make sure it can hold all messages in a regular boot up. Also increased the time span so rate-limit per-second doesn't change too much.
Change-Id: I229ae176b24cb1c9b48710680309d286f10d82fa
Signed-off-by: Yuxiao Zhang <yuxiaozhang@google.com>

2023-08-18 | meta-google: rsyslog: Disable ForwardToSyslog | Willy Tu | 2 | -0/+14
In rsyslog, the logs are read via the journal files like with `journalctl`. The socket used by ForwardToSyslog is not used at all (`run/systemd/journal/syslog`), so we will disable the forwarding to avoid unnecessary work.
With the logs spamming the CPU usage of systemd-journald went down after this change.
Before: Always top 1 or two in CPU usage,
```
PID USER PRI NI VIRT RES SHR S CPU%-MEM% TIME+ Command
30892 root 20 0 23520 10108 9720 R 84.3 1.0 0:37.72 /usr/lib/systemd/systemd-journald
```
After: Less CPU usage overall.
```
PID USER PRI NI VIRT RES SHR S CPU%-MEM% TIME+ Command
30976 root 20 0 23520 7608 7216 R 40.8 0.8 2:32.36 /usr/lib/systemd/systemd-journald
```
Reference:
- https://www.freedesktop.org/software/systemd/man/journald.conf.html#Forwarding%20to%20traditional%20syslog%20daemons
Change-Id: I50cf868d63697fc9b72529863bb83d249f3275c7
Signed-off-by: Willy Tu <wltu@google.com>

2023-07-22 | mstpd: update to ${sbindir} because of usrmerge | Harvey Wu | 1 | -3/+3
Signed-off-by: Harvey Wu <Harvey.Wu@quantatw.com>
Change-Id: I2dffda1e08e8c536a7f9b27a936dcebb4674deb7

2023-07-15 | meta-google: Enable imjournal for gBMC | Willy Tu | 1 | -0/+2
The default rsyslog.conf uses `imjournal`, so we should enable it by default to make sure that the config is valid.
Change-Id: Idba361d3a374a88207e7825216f393522647d11d
Signed-off-by: Willy Tu <wltu@google.com>

2023-06-26 | meta-google: Add default rsyslog config for gBMC | Willy Tu | 2 | -0/+17
Enable common config for imjournal to use across all gBMC, so that we don't have to manage it separately.
Change-Id: I96057e3ee8246afdd0030fb2b90bcf01f9709137
Signed-off-by: Willy Tu <wltu@google.com>

2023-05-05 | meta-google: conf2struct: Package LICENSE is BSD-2-Clause | Andrew Jeffery | 1 | -1/+1
SPDX doesn't identify an unadorned "BSD" license like the recipe previously claimed. Define the license as BSD-2-Clause in accordance with the COPYING file:
https://github.com/yrutschle/conf2struct/blob/6bc9eed1eb50175e5fda791f27d85e72f5a6ac78/COPYING
Change-Id: I878d8dab97980aa1547f630bd55eb5f81f72b625
Signed-off-by: Andrew Jeffery <andrew@aj.id.au>

2023-05-04 | Update to libpam 1.5.2 | Joseph Reynolds | 1 | -12/+6
This updates to libpam 1.5.2. This version removes support for pam_cracklib and pam_tally2. They are replaced by pam_pwquality and pam_faillock respectively.

Since parameters of pam_cracklib and pam_tally2 are configurable through Redfish, it's possible that they will remain in the overlay of /etc/pam.d with the old module names preventing PAM from working correctly. To avoid this, this commit includes a script that will detect if the old modules are in the overlay and update the overlay with the new modules and configuration. The script will allow updates from libpam 1.3.1 to libpam 1.5.2, but if there are configured parameters during a downgrade from libpam 1.5.2 to libpam 1.3.1, it will require a factory reset before the downgrade.

pam_pwquality was selected over pam_passwdqc because of better security and compatibility with pam_cracklib.

Note pam_faillock is necessarily configured into the pam module stack differently than pam_tally2.

This patchset causes a BMC operational change:
- The pam_tally2 command (invoked from the BMC's command line) is no longer present. If you used the "pam_tally2 -u USER -r" command to unlock a user after repeated authentication failures, change to use: faillock --user USER --reset

Compatibility note / migration issue. If your BMC cannot authenticate users after installing this change, the cause might be an overlayfs file hiding the new /etc/pam.d/common-auth file. To find out, use `grep deny= /etc/pam.d/common-auth` on your BMC. If it shows "tally2" then your BMC is affected. The recovery is to delete the overlay file, to factory reset the BMC, or manually-install the changed files. The convert-pam-configs service is intended to handle this problem.

Tested: as follows, for local users only (not tested with LDAP)

Note OpenBMC configuration defaults to an AccountLockoutThreshold value of 0 which does not lock account passwords no matter how many consecutive failed authentication attempts. To configure this on the BMC, for example, use:
    curl -X PATCH https://${bmc}/redfish/v1/AccountService -d '{"AccountLockoutThreshold": 3, "AccountLockoutDuration": 60}'

Tested update scenarios:
1. Install from scratch. Success.
2. Install over firmware which had old PAM configs. Success.

Tested update scenarios for the convert-pam-configs service.

Tested changing the password via various interfaces:
- the passwd command
- the PATCH Redfish AccountService {Password: NEW}
- SSH (accessible only when the password is expired)
- IPMI user set password (accessible for unexpired password)

Tested both good and bad (unacceptable) passwords.
Tested account lockout after N bad passwords
Tested unlock via Redfish.

Also, because its implementation changed, ensure reading and writing the D-Bus User AccountPolicy RememberOldPasswordTimes property continues to work. There is no Redfish API for this.

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Signed-off-by: Jason M. Bills <jason.m.bills@linux.intel.com>
Change-Id: I7b712cf7cfbf7b0bc79da42f822540baee66ca4f

2022-11-11 | meta-google: mstpd: Fix build | William A. Kennington III | 1 | -2/+2
Sometimes the build does not include directories we remove based on some system non-determinism.
Change-Id: Ia1c1d66349f1aa0a1bd3ae7860ec10d10fc31b5d
Signed-off-by: William A. Kennington III <wak@google.com>

2022-11-01 | meta-google: Set default timezone as PDT | William A. Kennington III | 1 | -0/+1
This is the prod configuration.
Change-Id: I04c33362cf874637caa528779c57bcacfca50201
Signed-off-by: William A. Kennington III <wak@google.com>

2022-10-29 | meta-google: sslh: Bump 63f9c4a..7e3f723 | William A. Kennington III | 1 | -1/+2
Change-Id: I284f85c2a114d079fdca74978bbae867bf120879
Signed-off-by: William A. Kennington III <wak@google.com>

2022-10-29 | meta-google: mstpd: Bump 973c403..181c453 | William A. Kennington III | 1 | -2/+3
Change-Id: I66f808499e228653cd964422275959be9e12b7d7
Signed-off-by: William A. Kennington III <wak@google.com>

2022-10-12 | meta-google: Fix common-password to allow password change | Oskar Senft | 1 | -0/+13
Commit 951f1aabea4c8683cda113e743b68ad2dfd57fa8 removed the entry for pam_cracklib.so from common-password. This resulted in the next entry in the file to become the first module. However, as it still contained the use_authtok flag, this forced the module to not prompt the user for a new password and instead attempt to use the one provided by the previously stacked password module. Since there is no previous stacked password module, the process just fails.
This change adds code to remove the use_authtok entry from the first password module to fix this issue.
Tested: Check that passwords can be changed again via "passwd".
Signed-off-by: Oskar Senft <osk@google.com>
Change-Id: Id88302732fe9d4c6e6c8cbb0004271d6ea2ac340

2022-09-10 | meta-google: Remove cracklib from image and libpam dependency | kasunath | 1 | -0/+15
The package "cracklib" is not needed. Ideally in the future we will start using Google GLOME.
The "libpam" library depends on cracklib, so override the libpam recipe also, so that it no longer depends on cracklib.
Tested: This has been tested locally on our local product, which uses OpenBMC, and it appeared to work just fine for us.
Signed-off-by: Kasun Athukorala <kasunath@google.com>
Change-Id: I0d7714766a2e14151f00f6582abee78dee43614d
Signed-off-by: Josh Lehan <krellan@google.com>

2022-04-30 | treewide: fix GPLv2/LGPLv2.1 obsolete-license warnings | Patrick Williams | 2 | -2/+2
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I746b04e1e36abaf2ff3852beb8a04535692442c1

2022-04-01 | meta-google: remove zstd bbappend | Andrew Geissler | 1 | -2/+0
This is no longer needed, the latest upstream version of the recipe has added both of these by default:
https://gerrit.openbmc-project.xyz/c/openbmc/openbmc/+/52492/4/poky/meta/recipes-extended/zstd/zstd_1.5.2.bb
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
Change-Id: I01e4404ba1694c1f8f7436e4ccf52fae4b5eb156

2022-03-31 | meta-google: libconfig-perl: fix LIC_FILES_CHKSUM | Patrick Williams | 1 | -1/+1
Change Ifb47c08571e6297f643db5daf135349bc0fbf888 adjusted the LICENSE but missed a corresponding update to the LIC_FILES_CHKSUM. Make them match.
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I0170a4b79cc593dd819c8eb5bc1bb3304ccb3e73

2022-03-30 | meta-google: libconfig-perl: update license | Patrick Williams | 1 | -1/+1
Per [1], upstream removed the generic "BSD" license. The libconfig-perl package doesn't have an explicit LICENSE or COPYING file but instead has a single line in the readme that states the license is "bsd". Considering the OE commit says that the license-formally-just-BSD is more formally BSD-3-Clause, update this recipe as such.
1. https://git.openembedded.org/openembedded-core/commit/?id=14d4c007c49652d836d325a12bdbcd3bfa42e6d5
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: Ifb47c08571e6297f643db5daf135349bc0fbf888

2022-01-25 | treewide: fix up github SRC_URIs | Patrick Williams | 3 | -3/+3
Per [1], Yocto is going to start requiring both branch names and `protocol=https` in GitHub SRC_URI variables. Ran the upstream tool to automatically fix our URIs.
1. https://git.yoctoproject.org/poky/tree/documentation/migration-guides/migration-3.5.rst#n10
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I5f9619f7ff707050b469ae74c8aa16846568c5e4

2021-10-26 | meta-google: mstpd: Lower log level | William A. Kennington III | 1 | -1/+1
The current log level is too noisy and polluting the journal with lots of unhelpful debugging messages. Drop the level down to 2 in order to only produce error messages.
Change-Id: I9d892b80e0d1ba7516614944c4ad74502c6c1aad
Signed-off-by: William A. Kennington III <wak@google.com>

2021-09-09 | meta-google: zstd: Split libraries from binaries | William A. Kennington III | 1 | -0/+2
This saves ~3MB of uncompressed size. Working on upstreaming this change, but keep it as part of meta-google for now.
Change-Id: I261610c1413b514f7090e3be84ca19e243653640
Signed-off-by: William A. Kennington III <wak@google.com>

2021-08-07 | meta-google: Cleanup for Yocto override syntax change | Willy Tu | 1 | -3/+3
```
convert-overrides.py meta-google
git grep "_[a-z0-9_/-]*[ :]" -- meta-google | grep ".bb"
git grep -l _gbmc -- meta-google | grep ".bb" \
  | xargs sed -i 's/_gbmc/:gbmc/'
git grep -l _prod -- meta-google | grep ".bb" \
  | xargs sed -i 's/_prod/:prod/'
git grep -l _dev -- meta-google | grep ".bb" \
  | xargs sed -i 's/_dev/:dev/'
git grep -l _hoth -- meta-google | grep ".bb" \
  | xargs sed -i 's/_hoth/:hoth/'
git grep -l _bandaid -- meta-google | grep ".bb" \
  | xargs sed -i 's/_bandaid/:bandaid/'
```
Some small fix includes
```
platforms_gbmc_bringup
platforms_gbmc_secure
```
Tested:
```
$ git grep "_[a-z0-9_/-]*[ :]" -- meta-google | grep ".bb"
meta-google/recipes-connectivity/avahi/avahi_%.bbappend:do_install:append:gbmc() {
meta-google/recipes-core/dropbear/dropbear_%.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-core/dropbear/dropbear_%.bbappend: echo ' chain gbmc_br_pub_input {' >>"$rules"
meta-google/recipes-extended/libconfig/conf2struct-native_git.bb: oe_runmake checker
meta-google/recipes-extended/libconfig/conf2struct-native_git.bb: oe_runmake install
meta-google/recipes-extended/networking/mstpd_git.bb:do_install:append() {
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake distclean
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake sslh-conf.h
meta-google/recipes-extended/networking/sslh_git.bb: oe_runmake install
meta-google/recipes-google/ipmi/ipmi-fru-sh.bb:do_install:append() {
meta-google/recipes-google/ncsi/gbmc-ncsi-config.bb:do_install:append() {
meta-google/recipes-google/networking/gbmc-bridge.bb:do_rm_work:prepend() {
meta-google/recipes-google/networking/gbmc-bridge.bb: # HACK: Work around broken do_rm_work not properly calling rm with `--`
meta-google/recipes-google/networking/gbmc-ip-monitor.bb:do_install:append() {
meta-google/recipes-google/networking/gbmc-iperf3.bb:do_install:append:dev() {
meta-google/recipes-google/networking/gbmc-iperf3.bb: echo ' chain gbmc_br_pub_input {' >>"$rules"
meta-google/recipes-google/networking/gbmc-mac-config.bb:do_install:append() {
meta-google/recipes-google/networking/network-sh.bb:do_install:append() {
meta-google/recipes-google/ssh/authorized-keys-comp.bb:SUMMARY = "Compiles a set of authorized_keys files into a single file"
meta-google/recipes-google/ssh/authorized-keys-comp.bb:do_install:append() {
meta-google/recipes-google/systemd/gbmc-systemd-config.bb:do_install:append:dev() {
meta-google/recipes-google/test/test-sh.bb:do_install:append() {
meta-google/recipes-phosphor/flash/inplace-gbmc-update.bb:do_install:prepend:dev() {
meta-google/recipes-phosphor/host/phosphor-host-postd_%.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-phosphor/initrdscripts/obmc-phosphor-initfs.bbappend:do_install:append:gbmc:dev() {
meta-google/recipes-phosphor/initrdscripts/obmc-phosphor-initfs.bbappend:do_install:append:gbmc:prod() {
meta-google/recipes-phosphor/ipmi/phosphor-ipmi-config.bbappend:do_install:append:gbmc() {
meta-google/recipes-phosphor/ipmi/phosphor-ipmi-config.bbappend: overlapping="$(jq '."${GBMCBR_IPMI_CHANNEL}" | .is_valid and .name != "gbmcbr"' $chjson)"
```
Change-Id: I9d610c664bd44e8bd81fb8f7e76249a0b43b9ffd
Signed-off-by: Willy Tu <wltu@google.com>

2021-08-07 | meta-google: sslh: Remove ecosrv from the build | William A. Kennington III | 1 | -0/+4
This is not used in the installed output and is breaking the build non-deterministically.
Change-Id: I3f7193e9f0aac5e5cdcd45d4c736c3d31bb2858b
Signed-off-by: William A. Kennington III <wak@google.com>

2021-08-06 | meta-google: sslh: Ensure that autogenerated files aren't stale | William A. Kennington III | 2 | -6/+9
These files sometimes get checked into the repo and we don't want non-determinism around their generation. Ensure they are cleaned up and regenerated for every build since that is very fast.
Change-Id: If20c79f8308c117a20983c8cb54c3420d872d64b
Signed-off-by: William A. Kennington III <wak@google.com>

2021-08-06 | sslh: Bump de0ec95..63f9c4a | William A. Kennington III | 1 | -2/+2
Upstream moved from PCRE to PCRE2
Change-Id: I62434762a7e0485f4fe49ad6f181290cf6d34844
Signed-off-by: William A. Kennington III <wak@google.com>

2021-08-06 | conf2struct: Bump 06ddd92..6bc9eed | William A. Kennington III | 1 | -1/+1
Change-Id: Ia4843efa02ed9f3f7587580e4cb83711054637cb
Signed-off-by: William A. Kennington III <wak@google.com>

2021-07-27 | meta-google: sslh: Bump 517e4ad..de0ec95 | William A. Kennington III | 1 | -1/+1
yrutschle (25): changelog the sslh-select refactoring justify use of select remove some debug messages made echosrv independant from common.o and with its own configuration add UDP support to echosrv when verbose, precise which listen sockets are udp remove caveat about UDP refactor upgraded argtable3 to current last version to fix a parsing issue with command line options do not drop CAP_NET_ADMIN if any of the protocols require transparent proxying typo refactor: purified set_capabilities, told to keep or drop CAP_NET_ADMIN instead of deciding for itself sslh-fork drops all capabilities after connecting to server side refactor t_load to use test.cfg as base changed CAP_NET_ADMIN to CAP_NET_RAW as it's enough clarify variable name clarify function name add recv and sendto addresses sslh-select sets O_NONBLOCK *before* calling connect, which prevents hanging on an unresposive server (fix #258) fail gracefully if libconfig fails to find root element fix for libconfig 1.7.3 (#292) moved UDP support from sslh-fork to sslh-select fix message for fd closure on timeout report errors as E instead of M, and consolidate restarts as simplified roman numerals removed static known_source arrays, UDP connections are now managed dynamically make udp timeout configurable per protocol
Change-Id: I49280061e0cdef7b416ecf2e59601519d7979246
Signed-off-by: William A. Kennington III <wak@google.com>

2021-07-27 | meta-google: conf2struct: Bump e846801..06ddd92 | William A. Kennington III | 1 | -1/+1
Yves Rutschle (2): fail gracefully if libconfig fails to find root config element fix test without libconfig; fix for libconfig 1.7.3
Change-Id: I3f0d77e6ac0247c2784ac59d47424cc7c20047f8
Signed-off-by: William A. Kennington III <wak@google.com>

2021-07-27 | meta-google: sslh: Ensure conf2struct files are not regenerated | William A. Kennington III | 1 | -5/+8
We sometimes have a race condition in the git checkout process that causes the source file timestamp to be newer than the generated ones. The generation process is currently broken, but the necessary files are bundled in the source tree.
Change-Id: I81fb707d5b16f88032d7022da97563bf6ccc78f5
Signed-off-by: William A. Kennington III <wak@google.com>

2021-05-08 | sslh: Bump b72baa0..517e4ad | William A. Kennington III | 1 | -1/+1
Mostly bugfixes, but importantly contains a parallel build fix that periodically affects builds.
Change-Id: Ib60fb1fbd1427f5e6542c12c1383bdc871af5905
Signed-off-by: William A. Kennington III <wak@google.com>

2021-04-16 | meta-google: sslh: Bump de8e572..b72baa0 | William A. Kennington III | 1 | -1/+1
Fixes a crash with the latest openbmc
Change-Id: Iacceb48d629cd3dd8e6f7f7a49053407438cfbbc
Signed-off-by: William A. Kennington III <wak@google.com>

2021-03-08 | meta-google: mstpd: Fix broken file | William A. Kennington III | 1 | -31/+18
/sbin/bridge-stp was incorrectly migrated this repo as a duplicate copy of the recipe.
Change-Id: I3efded2aaff614c1cdfd3f7d74b8dfcade378114
Signed-off-by: William A. Kennington III <wak@google.com>

2021-02-17 | meta-google: recipes-extended: networking: mstpd: Import from gBMC | Willy Tu | 3 | -0/+72
Initial recipes-extended/networking mstpd code from gBMC.
Google-Bug-Id: 179618485
Upstream: 8ac594bdf054082ca6dbe35c4345759fe4c31669
Change-Id: Ia8a39b1f502283c9b0e1273bc28d9b7046a34164
Signed-off-by: Willy Tu <wltu@google.com>

2021-02-16 | meta-google: recipes-extended: networking: sslh: Import from gBMC | Willy Tu | 1 | -0/+31
Initial recipes-extended/networking sslh code from gBMC.
Google-Bug-Id: 179618485
Upstream: 8ac594bdf054082ca6dbe35c4345759fe4c31669
Change-Id: Iaf34ac877ad922970290bf398a5e86ad22011336
Signed-off-by: Willy Tu <wltu@google.com>

2021-02-11 | meta-google: conf2struct-native: Add package | William A. Kennington III | 3 | -0/+89
Google-Bug-Id: 179618161
Upstream: 8ac594bdf054082ca6dbe35c4345759fe4c31669
Change-Id: I1f86406891528241295455c6498f2a488d5b1b78
Signed-off-by: William A. Kennington III <wak@google.com>

2021-02-11 | meta-google: libconfig-perl: Add 0.100 | William A. Kennington III | 1 | -0/+16
Google-Bug-Id: 179618161
Upstream: 8ac594bdf054082ca6dbe35c4345759fe4c31669
Change-Id: Ie0017d9febe92fd968ef7c71ef24ce2aaed526e1
Signed-off-by: William A. Kennington III <wak@google.com>

2021-02-11 | meta-google: libconfig: Add native bbclass | William A. Kennington III | 1 | -0/+1
Needed to build a native conf2struct, ultimately packaging sslh
Google-Bug-Id: 179618161
Upstream: 8ac594bdf054082ca6dbe35c4345759fe4c31669
Change-Id: I19f37ed554c9c37f90993fc4d972d9f18d622416
Signed-off-by: William A. Kennington III <wak@google.com>