[yocto] Best practices for tokens/passwords that can't be versioned
Alan Martinovic
alan.martinovic at senic.com
Tue Dec 11 04:44:03 PST 2018
Thanks Erik,

guess that could work too and seems cleaner than the env variables.
It still leaves the question how to move that content into a static file.
For example if in the end the recipe should install a file with "super
secret" as the content.

Example on the device at runtime:

    cat /etc/config-passwords
    super secret

The only idea that comes to mind is to do something like in the recipe:

    set_secrets() {
        echo ${MYSECRETKEY} > ${IMAGE_ROOTFS}/etc/config-passwords
    }
    ROOTFS_POSTPROCESS_COMMAND += " set_secrets;"

But that seems like a bad practice because it "globalizes" the recipe logic.
It's no longer a matter of that recipe but something applied to the
whole rootfs.

Be Well,
Alan

On Tue, Dec 11, 2018 at 1:09 PM Erik Botö <erik.boto at gmail.com> wrote:
>
> On Tue, Dec 11, 2018 at 12:55 PM Alan Martinovic
> <alan.martinovic at senic.com> wrote:
> > Seems like conf/local.conf could also offer a solution given that it's
> > a temporary
> > thing (per build setup), but didn't yet figure out a good mechanism.
>
> You could have a variable in the recipe and override that value in local.conf.
>
> Let's say your recipe is called myexample_git.bb in which you add
> something like this:
> MYSECRETKEY ?= ""
>
> Then this could be assigned from local.conf using something like:
> MYSECRETKEY_pn-myexample = "super secret"
>
> Cheers,
> Erik
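
Added example, not part of the thread: one way to keep the file inside the recipe is to write it into ${D} from do_install, with MYSECRETKEY supplied from local.conf as Erik describes. The 0600 mode and the empty-value check are assumptions of this sketch, and it uses the 2018 override syntax from the thread.

```bitbake
# myexample_git.bb (recipe name from the thread; everything below is an added sketch)

# Default is empty so the recipe parses without the secret; the real value
# comes from conf/local.conf, which is not versioned:
#   MYSECRETKEY_pn-myexample = "super secret"
# (releases from Honister 3.4 on spell overrides with ':' instead of '_',
#  i.e. MYSECRETKEY:pn-myexample and do_install:append)
MYSECRETKEY ?= ""

do_install_append() {
    # Fail the build instead of shipping an image with an empty secret file.
    if [ -z "${MYSECRETKEY}" ]; then
        bbfatal "MYSECRETKEY is empty; set MYSECRETKEY_pn-myexample in conf/local.conf"
    fi

    install -d ${D}${sysconfdir}

    # Create the file with mode 0600 before writing the content, so it is
    # never readable by other users, in the staging area or on the device.
    install -m 0600 /dev/null ${D}${sysconfdir}/config-passwords

    # BitBake expands the variable before the shell runs, so the value must
    # not contain double quotes, backticks or '$'. printf avoids echo's
    # handling of leading '-' and backslashes.
    printf '%s\n' "${MYSECRETKEY}" > ${D}${sysconfdir}/config-passwords
}
```

The file is packaged by this recipe alone (${sysconfdir} is in the default FILES of the main package), so no ROOTFS_POSTPROCESS_COMMAND is needed. The expanded value still ends up in the task's run.do_install script under ${WORKDIR}/temp and in the recipe's sstate and package output, so those locations need the same handling as local.conf.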