[yocto] Best practices for tokens/passwords that can't be versioned

Alan Martinovic alan.martinovic at senic.com
Thu Dec 13 05:26:11 PST 2018


Yes! :)
That is what I ended up doing in the end, thanks.

Be Well,
Alan


On Thu, Dec 13, 2018 at 1:45 PM Erik Botö <erik.boto at gmail.com> wrote:
>
> On Tue, Dec 11, 2018 at 1:44 PM Alan Martinovic
> <alan.martinovic at senic.com> wrote:
> >
> > Thanks Erik,
> > guess that could work too and seems cleaner than the env variables.
> >
> > It still leaves the question how to move that content into a static file.
> > For example if in the end the recipe should install a file with "super
> > secret" as the content.
> >
> > Example on the device at runtime:
> > cat /etc/config-passwords
> > super secret
> >
> > The only idea that comes to mind is to do something like in the recipe:
> >
> >     set_secrets() {
> >         echo ${MYSECRETKEY} > ${IMAGE_ROOTFS}/etc/config-passwords
> >     }
> >     ROOTFS_POSTPROCESS_COMMAND += " set_secrets;"
> >
> > But that seems like a bad practice because it "globalizes" the recipe logic.
> > It's no longer a matter of that recipe but something applied to the
> > whole rootfs.
>
> But couldn't you just place the creation of this secrets file inside a
> regular recipe?
>
> When I have config files that I want to place e.g. secret credentials
> into during build time I ship them with placeholders that I can then
> use sed to modify during e.g. do_install().
>
> E.g. point to file://myconfig in SRC_URI, and maybe myconfig looks
> something like:
> ... tons of options here
> username=###USERNAME###
> password=###PASSWORD###
> ... more config options here
>
> Then during do_install() I do something like:
>
> install -Dm0644 ${WORKDIR}/myconfig ${D}/etc/myconfig
> sed 's,###USERNAME###,${MYSECRETUSER},' -i ${D}/etc/myconfig
> sed 's,###PASSWORD###,${MYSECRETKEY},' -i ${D}/etc/myconfig
>
> That way it will be contained to a recipe and not be something you
> have to do in each image that wants to ship the secrets file.
>
> Cheers,
> Erik
>
> >
> > Be Well,
> > Alan
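The placeholder-and-sed approach from the quoted reply, written out as an added example that is not code from the thread or from the Yocto project. It wraps the do_install() steps in a shell function (in a recipe the destination would be ${D}/etc/myconfig and the values would come from bitbake variables such as MYSECRETUSER and MYSECRETKEY, as in the quoted snippet) and adds two things a practitioner would want: the secret is escaped before it goes into the sed replacement, because `\`, `&` and the delimiter are special there and a password containing them would corrupt the file or the sed expression, and the file is installed 0600 rather than 0644, since a world-readable /etc/myconfig on the device hands the credential to every local process. The template content, the ###USERNAME###/###PASSWORD### markers and the credential values are constructed for the example.

```shell
#!/bin/sh
# Added example: fill credential placeholders in a shipped config template.
# Mirrors the do_install() pattern from the mailing-list reply, with sed
# escaping and a restrictive file mode added. Not Yocto project code.

# Escape a value for the right-hand side of a sed "s|...|...|" expression.
# Backslash, ampersand and the delimiter "|" have special meaning there.
sed_escape() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# fill_placeholders TEMPLATE DEST USERNAME PASSWORD
# Installs TEMPLATE at DEST (mode 0600) with ###USERNAME### and
# ###PASSWORD### replaced. Returns non-zero instead of producing a
# broken or half-filled file.
fill_placeholders() {
    template=$1 dest=$2 user=$3 pass=$4
    nl='
'
    # A newline inside a credential would end the sed "s" command early and
    # leave the rest of the secret to be parsed as sed script: refuse it.
    case "$user$pass" in
        *"$nl"*) echo "refusing multi-line credential" >&2; return 1 ;;
    esac

    # -D creates leading directories; 0600 keeps the secret owner-only.
    install -Dm0600 "$template" "$dest" || return 1

    sed -i \
        -e "s|###USERNAME###|$(sed_escape "$user")|g" \
        -e "s|###PASSWORD###|$(sed_escape "$pass")|g" \
        "$dest" || return 1

    # Fail the build rather than ship a file with a marker still in it
    # (for instance when a bitbake variable was never set).
    if grep -q '###[A-Z_][A-Z_]*###' "$dest"; then
        echo "unfilled placeholder left in $dest" >&2
        return 1
    fi
}

# Stand-alone demonstration with a constructed template (not part of the
# thread). Comment out or remove when pasting the functions into a recipe.
demo_dir=$(mktemp -d)
printf '%s\n' 'retries=3' 'username=###USERNAME###' 'password=###PASSWORD###' \
    > "$demo_dir/myconfig.in"
fill_placeholders "$demo_dir/myconfig.in" "$demo_dir/etc/myconfig" \
    'alice' 'p|a&s\s' && cat "$demo_dir/etc/myconfig"
```

The file still lands in the rootfs image, so anyone who can read the image (or any build output that contains it) can read the credential; the function only keeps the value out of version control and out of the reach of unprivileged users on the running device.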

