[yocto] Best practices for tokens/passwords that can't be versioned
Erik Botö
erik.boto at gmail.com
Thu Dec 13 04:45:04 PST 2018
On Tue, Dec 11, 2018 at 1:44 PM Alan Martinovic
<alan.martinovic at senic.com> wrote:
>
> Thanks Erik,
> guess that could work too and seems cleaner than the env variables.
>
> It still leaves the question of how to move that content into a static file.
> For example if in the end the recipe should install a file with "super
> secret" as the content.
>
> Example on the device at runtime:
> cat /etc/config-passwords
> super secret
>
> The only idea that comes to mind is to do something like in the recipe:
>
> set_secrets() {
>     # quoted, so a key containing spaces or shell metacharacters survives
>     echo "${MYSECRETKEY}" > "${IMAGE_ROOTFS}/etc/config-passwords"
> }
> ROOTFS_POSTPROCESS_COMMAND += " set_secrets;"
>
> But that seems like a bad practice because it "globalizes" the recipe logic.
> It's no longer a matter of that recipe but something applied to the
> whole rootfs.
But couldn't you just place the creation of this secrets file inside a
regular recipe?
When I have config files that I want to place e.g. secret credentials
into during build time I ship them with placeholders that I can then
use sed to modify during e.g. do_install().
E.g. point to file://myconfig in SRC_URI, and maybe myconfig looks
something like:
... tons of options here
username=###USERNAME###
password=###PASSWORD###
... more config options here
Then during do_install() I do something like:
do_install() {
    install -Dm0644 ${WORKDIR}/myconfig ${D}/etc/myconfig
    # BitBake expands ${MYSECRETUSER} and ${MYSECRETKEY} before the shell runs
    sed -i 's,###USERNAME###,${MYSECRETUSER},' ${D}/etc/myconfig
    sed -i 's,###PASSWORD###,${MYSECRETKEY},' ${D}/etc/myconfig
}
That way it will be contained to a recipe and not be something you
have to do in each image that wants to ship the secrets file.
Cheers,
Erik
>
> Be Well,
> Alan
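The placeholder-substitution approach from Erik's reply, written out as an added example (POSIX sh that can be pasted into a recipe's do_install(); this is not code from the thread or from the Yocto Project). Compared with a bare sed, it treats the secret as a literal string (a value containing '&', '\', ',' or '/' would otherwise corrupt the sed replacement), installs the file mode 0600 instead of 0644, and fails if a variable is empty or any ###NAME### marker survives, so a forgotten MYSECRETKEY breaks the build rather than shipping the placeholder. The function names, the template contents and the sample values are assumptions made for the example.

```shell
#!/bin/sh
# Placeholder substitution for a recipe-shipped config file, written as
# POSIX sh so it can be used from a BitBake do_install() body.
# Added example for this thread; not code from the Yocto Project.
set -e

# subst_literal FILE NAME VALUE
# Replace every ###NAME### in FILE with VALUE, treating VALUE as a literal
# string. awk's index()/substr() are used instead of sed so that '&', '\',
# ',' or '/' in a secret cannot alter the substitution. VALUE reaches awk
# via ENVIRON rather than -v, because awk -v processes backslash escapes.
subst_literal() {
    ( umask 077   # the temp copy holds the secret, keep it owner-only
      PH="$2" VAL="$3" awk '
        BEGIN { ph = "###" ENVIRON["PH"] "###"; val = ENVIRON["VAL"]; n = length(ph) }
        {
            line = $0; out = ""
            while ((i = index(line, ph)) > 0) {
                out = out substr(line, 1, i - 1) val
                line = substr(line, i + n)
            }
            print out line
        }' "$1" > "$1.tmp" )
    mv "$1.tmp" "$1"
}

# render_secrets TEMPLATE OUTFILE NAME=VALUE...
# Install TEMPLATE as OUTFILE with mode 0600 (a credentials file should not
# be world-readable), fill in each placeholder, then refuse to continue if a
# value was empty or a ###...### marker is left over.
render_secrets() {
    tmpl=$1; out=$2; shift 2
    install -Dm0600 "$tmpl" "$out"
    for kv in "$@"; do
        name=${kv%%=*}
        value=${kv#*=}
        if [ -z "$value" ]; then
            echo "render_secrets: $name is empty" >&2
            return 1
        fi
        subst_literal "$out" "$name" "$value"
    done
    if grep -q '###[A-Za-z0-9_]*###' "$out"; then
        echo "render_secrets: unreplaced placeholder in $out" >&2
        return 1
    fi
}

# In a recipe this would be called from do_install() roughly as
#   render_secrets ${WORKDIR}/myconfig ${D}/etc/myconfig \
#       "USERNAME=${MYSECRETUSER}" "PASSWORD=${MYSECRETKEY}"
# (quoted, since BitBake expands the variables before the shell sees them).
```

Two caveats a practitioner should keep in mind: this only keeps the secret out of the layer metadata, not out of the build output, since the rendered file is packaged and shipped in the image like any other file; and if BitBake's shell tracing is enabled (bitbake -v), the expanded command line, secret included, is written to the task log under temp/.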