[meta-virtualization] [PATCH] meta-virtualization: add layer depends on selinux

Mark Hatle mark.hatle at windriver.com
Fri Jul 26 09:46:16 PDT 2019


On 7/25/19 9:38 PM, Bruce Ashfield wrote:
> 
> 
> On Thu, Jul 25, 2019 at 10:31 PM Bruce Ashfield <bruce.ashfield at gmail.com
> <mailto:bruce.ashfield at gmail.com>> wrote:
> 
> 
> 
>     On Thu, Jul 25, 2019 at 9:57 PM Yu, Mingli <mingli.yu at windriver.com
>     <mailto:mingli.yu at windriver.com>> wrote:
> 
> 
> 
>         On 2019年07月26日 02:28, Bruce Ashfield wrote:
>         > On Wed, Jul 24, 2019 at 11:43 PM <mingli.yu at windriver.com
>         <mailto:mingli.yu at windriver.com>> wrote:
>         >>
>         >> From: Mingli Yu <Mingli.Yu at windriver.com
>         <mailto:Mingli.Yu at windriver.com>>
>         >>
>         >> Since cri-o of meta-virtualization depends on
>         >> libselinux which comes from selinux, add missing
>         >> layer depends back.
>         >
>         > This is already covered in the README. Since cri-o is optional, I
>         > didn't want it to be a hard depends.
> 
>         Not matter cri-o is optional or not, but first the cri-o recipe indeed
>         exists in meta-virtualization layer until now as
>         ./meta-virtualization/recipes-containers/cri-o/cri-o_git.bb
>         <http://cri-o_git.bb> and second
>         there is below logic in
> 
> 
>     considering that I wrote the recipe .. I know this.
> 
>      
> 
>         ./meta-virtualization/recipes-containers/cri-o/cri-o_git.bb
>         <http://cri-o_git.bb> and clearly
>         it depends on libselinux.
>         DEPENDS = " \
>              glib-2.0 \
>              btrfs-tools \
>              gpgme \
>              ostree \
>              libdevmapper \
>              libseccomp \
>              libselinux \
>              "

Why does cri-o (any version) require libselinux?  (libseccomp I can see).

Is this something that changed upstream to make it mandatory?  If so, any way to
reverse it?  selinux is horribly heavy weight for a lot of things.

>         So we should add the layer depends selinux(libselinux in selinux layer)
>         for meta-virtualization layer, otherwise there comes below error when do
>         yocto compliance check:
>         ERROR: Nothing PROVIDES 'libselinux' (but
>         /buildarea/layers/meta-virtualization/recipes-containers/cri-o/cri-o_git.bb
>         <http://cri-o_git.bb>
>         DEPENDS on or otherwise requires it)
> 
> 
>     My point is that I disagree with that compliance check. Unless I'm building
>     the recipe, I don't have that dependency, I want a way to express that.
> 
> 
> That being said, I did merge the patch so the layer will be in compliance while
> I look into options for not always requiring that dependency.

The way to do this is make the recipe based on a dynamic dependency.

IMHO the -best- way to do this, if possible, is to split the libselinux
dependency out.  Make it buildable with it.  But either way the setup is similar.

conf/layer.conf:

BBFILES_DYNAMIC += "selinux:${LAYERDIR}/dynamic-layers/selinux/recipes*/*/*.bb \

selinux:${LAYERDIR}/dynamic-layers/selinux/recipes*/*/*.bbappend"


LAYERRECOMMENDS_<collection> = " \
          selinux \
          "


The above says that selinux is recommended for use with this (layerindex can
read this and process it.)  The BBFILES_DYNAMIC says to only bring in that path
if 'selinux' collection is available.


Then move the recipe (or break out the selinux part in a bbappend) into:

dynamic-layers/selinux/recipes-containers/cri-o/...

--Mark


> Bruce
> 
>  
> 
> 
>     Bruce
> 
>      
> 
>         ERROR: Required build target 'meta-world-pkgdata' has no buildable
>         providers.
> 
>         Missing or unbuildable dependency chain was: ['meta-world-pkgdata',
>         'cri-o', 'libselinux'
>         ]
> 
>         Thanks,
> 
>         >
>         > Required for cri-o:
>         > URI: git://github.com/advancedtelematic/meta-updater
>         <http://github.com/advancedtelematic/meta-updater>
>         > URI: git://git.yoctoproject.org/meta-selinux
>         <http://git.yoctoproject.org/meta-selinux>
>         > URI: git://git.yoctoproject.org/meta-security
>         <http://git.yoctoproject.org/meta-security>
>         > branch: master
>         > revision: HEAD
>         > prio: default
>         >
>         >
>         > I haven't seen a way to do a conditional depends .. has anyone else ?
>         >
>         > Bruce
>         >
>         >>
>         >> Signed-off-by: Mingli Yu <Mingli.Yu at windriver.com
>         <mailto:Mingli.Yu at windriver.com>>
>         >> ---
>         >>   conf/layer.conf | 1 +
>         >>   1 file changed, 1 insertion(+)
>         >>
>         >> diff --git a/conf/layer.conf b/conf/layer.conf
>         >> index be1f222..23efcb8 100644
>         >> --- a/conf/layer.conf
>         >> +++ b/conf/layer.conf
>         >> @@ -21,6 +21,7 @@ LAYERDEPENDS_virtualization-layer = " \
>         >>       networking-layer \
>         >>       filesystems-layer \
>         >>       meta-python \
>         >> +    selinux \
>         >>   "
>         >>
>         >>   # webserver: naigos requires apache2
>         >> --
>         >> 2.7.4
>         >>
>         >
>         >
> 
> 
> 
>     -- 
>     - Thou shalt not follow the NULL pointer, for chaos and madness await thee
>     at its end
>     - "Use the force Harry" - Gandalf, Star Trek II
> 
> 
> 
> -- 
> - Thou shalt not follow the NULL pointer, for chaos and madness await thee at
> its end
> - "Use the force Harry" - Gandalf, Star Trek II
> 



More information about the meta-virtualization mailing list