Todo

  • In buildroot1 in git, create a minimal Makefile
  • We need a high-level make that builds three buildroot images: LinuxRT 2019 64-bit and 32-bit and LinuxRT 2016 64-bit
    • Fetch 2019 buildroot tarball and get it to actually build (did this for 64-bit, need to build 32-bit and try it)
    • Fetch 2016 buildroot tarball and get it to actually build (and try it)
  • We need to get Eric Gumtow's changes (i.e., encourage Eric to check the changes he made in)
    • Incorporate/use Eric's changes to confirm that it works in the same way the RC3s he did worked (bug-per-bug)
  • Figure out what broke between RC1 and RC3 (with respect to chrt )
  • Add unit tests for all of the new ("security patch") functionality:
    • root has a password and it's the common one
    • all of the images now have the following user accounts and IDs:
      • acctf/acctest -> 11846/2459
      • flaci/facet -> 11121/2376
      • laci/lcls -> 8412/2211
      • spear/qb -> 7753/1080
    • /etc/SLACproperties exists and its contents are HAVE_ROOT_PASSWORD=1 (note: there's a /etc/site directory where these kinds of files were originally put – perhaps SLACproperties should be moved there?)
    • telnet is refused
    • chrt can be run on processes owned by root from the $IOC_USER account

From Marcio's e-mail:

* Make chrt work passwordless for laci, flaci, acctf, and spear users in LinuxRT 2019.08, 2016.11.1 (14h)
* Add sudo to CentOS 7 Lite and make "sudo chrt" work passwordless for laci, flaci, acctf, and spear users (2h)
* "iocConsole -t" must work passwordless in: LinuxRT 2019.08, 2016.11.1, CentOs (11h)
* "systemctl reboot" must operate passwordless for laci, flaci, acctf, and spear users in CentOS 7 Lite (2h)
* Add the configuration files for Buildroot in a Git repo (9h)
* Study a way to operate chrt using the same command for both LinuxRT and CentOS so we could use the same bash script for both (8h)
* Automated testing script (9h)


Mike's notes/questions:

  • Following the instructions Eric outlined here under "Setting up", I did the following:
    • I created a directory on rhel-dev7 in /scratch with my username (jmpdude). In there, I created a buildroot directory, as Eric discusses.
    • Inside /scratch/buildroot I created two directories:
      • buildroot-2016.11
      • buildroot-2019.08
    • Because I just wanted to build the originals as is first without any changes, I didn't create the "-2" directories that Eric talks about.
    • Following Eric's instructions, I was able to build and boot buildroot-2016.11.1-x86_64 as well as buildroot-2019.08-x86_64 and buildroot-2019-08-i686.
      • The buildroot-2016.11.1-x86_64 build didn't work as-is. It failed while trying to contract the RFS. It was attempting to use git to create the contents of text file and git no longer operated in that way. So, it exited with an error, stopping the process.
      • Since Eric's changes are on aird-b50-srv01, I was able to look in his corresponding directory to see how he got around that problem (he commented out the offending lines).


  • Eric's instructions involve grabbing the buildroot-site repo on SLAC's GitHub area, slaclab, and checking out a particular branch; for buildroot-2019-08 it's br2019.08 and for buildroot-2016.11.1 it's br2016.11. I did that originally because I didn't want to change anything. These branches get checked out as "site-top" in their respective buildroot directories.
  • Once I wanted to go in to start making changes, I created two new branches in buildroot-site named br2019.08-dev and br2016.11-dev.
    • Question: At the moment, it appears that buildroot-site is essentially using specific branches as tags. So, I didn't want to alter those. Perhaps we should tag them?
  • In order to attempt to start where Eric left off, I went into his buildroot directories and found the diffs (using git) in the site-top directories and applied them to mine (but I checked out the "-dev" variants I created, not to disturb the originals while working on this).


  • Questions/Notes from 2016-11.1 (to 11.1-N where N is currently 3, as built by Eric, but we're working towards 4, collaboratively):
    • The root password didn't come out as the common one when I built it (even though the /etc/shadow and /etc/passwd files match the ones that Eric built).
    • The telnet service is still running when I build it (when Eric builds it, /usr/sbin/telnetd doesn't exist in the file system but /usr/bin/telnet does; when I build it, /usr/sbin/telnetd does exist in the file system and gets invoked on startup).
    • Since I had already built everything once, after applying Eric's changes, I just did 'make`; do we need to do make clean  first?
    • Are there changes not captured in the site-top directory? If so, how do we capture those?
    • Note to self: Since I'm editing on a Mac, mounting the FS directly on it, changes made to the fs_skeleton directory get touched by the Mac FS (create "*_" meta-data files). We can .gitignore these so that they don't get checked in. But creating there RFS should ignore them, as well.
    • Other notes:
      • I did a make clean  and a make  after that but telnet was still running when I booted it.
      • Also, the password for root wasn't the common one.
      • So, for these cases, the incremental build worked the same.
      • For what's worth chrt didn't ask for a password when changing the priority of a root thread; but it also didn't actually change the priority.
      • Finally, I diff'd Eric's 2016-11-2 directory with my 2016-11.1 directory. Here's what I found:
        • From what I understood, we should have been starting with 2016-11.1 to make 2016-11.1-2 but Eric started with 2016-11 (not 11.1 but just 11). This means ALOT of things differed slightly here and there (mostly with the versions of packages that were used), but, interestingly:
          • The top-level .config file changed (using what?) such that how a password (user and root alike) is hashed is different (using sha-256 instead of md5), and this, in turn gets into (how?) ../output/buildroot-config/auto.conf (and autoconf.h).
          • The .config file for busybox also changed (again, using what?) such that telnet was removed from it as well as telling it to use CRYPT_SHA (what does that mean?).


  • Questions/Notes from 2019-08:
    • Some of the same issues for what I built after applying Eric's buildroot-site changes that I found with 2016-11.1 apply to 2019-08, namely:
      • The telnet service was still running.
      • And, of course, chrt didn't work.
    • But, by exploring Eric's 2016-11-2 non-site directories, we found out why telnet wasn't working (that the root password came out correctly would indicate that maybe Eric used .config info from 2019-08 to fix it in his 2016-11 build?).
    • Since Eric did have chrt  working at one point, I'm exploring his other 2019-08 directories to see if I can glean anything from those:
      • Just using the images from Eric's directory named "buildroot-2019.08-2-bad-uids", I found that chrt worked!
      • After comparing my directory with Eric's where chrt worked, I found that the busybox config where it worked had the SUID features set and enabled (where it didn't work, they were neither enabled nor set).


Summary

  • In order to get all three LinuxRT variants to have ALL of the features functional the following needs to be done:
    • Ensure that BusyBox is configured such that telnet is disabled entirely (neither set nor enabled)
    • Ensure that BusyBox is configured such that SUID is enabled (set and enabled)
    • The starting point of the BusyBox config file comes from site/config/bb-1.25.x.config, which you need copy from the .config you construct from running make busybox-menuconfig . For 2019-08 it's site/config/bb-1.29.x.config. This file is set in the BR2_PACKAGE_BUSYBOX_CONFIG which is in the br-2016.11.1-common.config file (for 2019-08, it's in site/br2-external/configs/br-common.config).
    • Ensure that BuildRoot is configured such that the password method is sha-256 instead of md5:
      • The way you do this is via make menuconfig . It's part of the "System Configuration" changes – you switch from either MD5 or SHA-256 via the menu it provides.
      • Once that is complete, the top-level .config file is changed with that change. You can then diff this with .config.old.
      • Once you know the specific differences, you add those changes to the bottom of the common.config file – in 2016-11.1, this is in the site/config directory; in 2019-08, this in the site/br2-external/configs directory.
  • Although Eric didn't check them in yet, the rest of the changes in his site directory (which are essentially all of the changes that go into the RFS itself) work as expected (these are the changes for all of the user/groups and the /etc/SLACproperties file).
  • Note: I checked in changes to both the br-2019-08-dev and br-2016-11-dev buildroot-site branches that contain the base changes for an RC4 build.

To test the chrt changes, you can do something along the lines of this:

[ laci@cpu-b34-sp07]$ chrt -p 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 50
[ laci@cpu-b34-sp07]$ chrt -pf 85 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 50
pid 6971's new scheduling policy: SCHED_FIFO
pid 6971's new scheduling priority: 85
[ laci@cpu-b34-sp07]$ chrt -p 6971
pid 6971's current scheduling policy: SCHED_FIFO
pid 6971's current scheduling priority: 85
  • No labels