[kirkstone] Cherry-pick SNAC changes to NILRT 10 #742

Merged
merged 19 commits into from
Oct 8, 2024

Conversation

amstewart
Contributor

@amstewart amstewart commented Sep 26, 2024

Summary of Changes

This patchset cherry-picks the SNAC-related changes that have gone into the nilrt/master/next ref back into kirkstone.

Specifically, it picks the commits from the following PRs.

Justification

Since the NILRT 11.0 release has been delayed, SNAC v1.0 must rebase to NILRT 10 to effect a 25Q1 release.

Testing

Testing completed by @texasaggie97.

  • I have built the core package feed with this PR in place. (bitbake packagefeed-ni-core)

Procedure

Alex Stewart and others added 19 commits September 26, 2024 15:44
Add a packagegroup to track package dependencies of the NILRT Secured,
Network-Attached Controller (SNAC) configuration.

Since the SNAC configuration is officially supported, add it to the core
package feed.

This packagegroup SHOULD NOT be installed to the NILRT runmode or
safemode images.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit c683180)
Signed-off-by: Alex Stewart <[email protected]>
Add some initial packages that we know are going to be used in the SNAC
v1.0 design.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 2b025f3)
Signed-off-by: Alex Stewart <[email protected]>
The snac packagegroup is only expected to contain one logical subsection
of packages, so there is no need to split up the RDEPENDS assignments.
Use a single section.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit fe72374)
Signed-off-by: Alex Stewart <[email protected]>
Signed-off-by: Mark Silva <[email protected]>
(cherry picked from commit 2fb4222)
Signed-off-by: Alex Stewart <[email protected]>
* Add pwquality.conf that has the values that are required
  for SNAC mode
  * These values are more restrictive than the default
    values
* Add bbappend file to install the config file to the
  correct location

Signed-off-by: Mark Silva <[email protected]>
(cherry picked from commit 94ffc6e)
Signed-off-by: Alex Stewart <[email protected]>
* Create a directory for tmux configuration files in /usr/share/tmux/conf.d
* Add a /etc/tmux.conf file with default lock command
* Add a line to source all files in /usr/share/tmux/conf.d in /etc/tmux.conf
  * -q is to ignore errors if the directory is empty
* This allows snac mode to add a conf file to this location without modifying the main tmux.conf file

Signed-off-by: Mark Silva <[email protected]>

tmux-bbappend: Add conf.d directory
(cherry picked from commit b09f844)
Signed-off-by: Alex Stewart <[email protected]>
nftables is the modern packet filtering solution on Linux. The nftables
userspace can be installed alongside iptables, but in general, only one can be
enabled at once. This commit adds the userspace but does not do anything with
the present iptables-based firewall configuration.

At present, there are no plans to introduce nftables into safemode, so add it
to the runmode packagegroup, not base.

Signed-off-by: Rich Tollerton <[email protected]>
(cherry picked from commit 3718278)
Signed-off-by: Alex Stewart <[email protected]>
firewalld is the best-maintained high-level firewall administration tool on
Linux. We ultimately wish to replace our present direct use of iptables (via
initscript) with firewalld; but at present the existing configuration is
unchanged.

Signed-off-by: Rich Tollerton <[email protected]>
(cherry picked from commit b03a949)
Signed-off-by: Alex Stewart <[email protected]>
…settings

- update the pam-plugin-faillock package so that the plugin gets enabled when it's installed
- modify some faillock configuration settings
- prevent pam-plugin-faillock from being installed when ni-auth is installed

This change simplifies Secured, Network-Attached Controller (SNAC) configuration. faillock is required to be enabled on a SNAC. The faillock settings were chosen to comply with SNAC requirements. The conflict with ni-auth was added because from testing it appears that the faillock plugin is incompatible with the ni-auth plugin.

Signed-off-by: Alex Hearn <[email protected]>
(cherry picked from commit eeb7b91)
Signed-off-by: Alex Stewart <[email protected]>
Signed-off-by: Alex Hearn <[email protected]>
(cherry picked from commit 6633023)
Signed-off-by: Alex Stewart <[email protected]>
nilrt-snac is an NI configuration tool for NILRT that allows a system
administrator to semi-automate the process of configuring the system
into the Secured, Network-Attached Controller (SNAC) configuration.

Add a recipe for it.

This recipe is NILRT-specific.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 50e89ba)
Signed-off-by: Alex Stewart <[email protected]>
Add the nilrt-snac configuration tool to the SNAC packagegroup to ensure
that it is always built into the core packagefeed. It should not be
installed to the base system image by default.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit dcc67ef)
Signed-off-by: Alex Stewart <[email protected]>
The nilrt-snac project now has an integration test suite. Add a
run-ptest entrypoint and pytest subpackage to run it.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 889156f)
Signed-off-by: Alex Stewart <[email protected]>
Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 4713fbd)
Signed-off-by: Alex Stewart <[email protected]>
Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 80eff37)
Signed-off-by: Alex Stewart <[email protected]>
The ptest.bbclass already adds an RDEPENDS on `nilrt-snac`, but it is
overridden by the nilrt-snac-ptest RDEPENDS bb assignment.

Instead, append the ptest RDEPENDS.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 052582b)
Signed-off-by: Alex Stewart <[email protected]>
The NI ptest-parser (and ptests in general) use the AutoMake style of
test output. The nilrt-snac integration tests use pytest formatting,
which is generally non-compliant and obscures individual testcase output
from being parsed by the RTOS ptesting pipeline.

Use the python3-unittest-automake-output plugin for pytest, to output
the test results in a format ptest can parse.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 1c994ae)
Signed-off-by: Alex Stewart <[email protected]>
The nirtcfg utility is installed to a non-standard path, for no good
reason. When running the nilrt-snac ptests from an interactive shell,
this nonstandard path is already searched. But when the ptests are run
from a non-interactive shell, they fail to resolve the path.

Add the nonstandard location to the search PATH.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 4ffacf6)
Signed-off-by: Alex Stewart <[email protected]>
Python files use spaces for indentation.

Signed-off-by: Alex Stewart <[email protected]>
(cherry picked from commit 626231b)
Signed-off-by: Alex Stewart <[email protected]>
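
The commit above about Automake-style test output is easier to see with both formats side by side. The following is an added example, not code from this PR or from the NI ptest-parser: a minimal stand-in parser for the Automake `RESULT: name` convention, run over constructed sample output with hypothetical test names. It shows that a failing hardening check reported in default pytest format yields no parsed results at all.

```python
import re
from collections import Counter

# Automake test-driver result keywords, each emitted as "<RESULT>: <test name>".
AUTOMAKE_LINE = re.compile(r"^(PASS|FAIL|SKIP|XFAIL|XPASS|ERROR): (.+)$")

# Constructed sample: default verbose pytest output (test names are hypothetical).
PYTEST_STYLE = """\
tests/integration/test_firewall.py::test_default_zone PASSED   [ 50%]
tests/integration/test_faillock.py::test_lockout FAILED        [100%]
=================== 1 failed, 1 passed in 0.42s ===================
"""

# Constructed sample: the same run reported in Automake style.
AUTOMAKE_STYLE = """\
PASS: tests/integration/test_firewall.py:test_default_zone
FAIL: tests/integration/test_faillock.py:test_lockout
"""


def parse_results(output):
    """Return (per-test results, unparsed lines) for Automake-style output."""
    results, unparsed = {}, []
    for line in output.splitlines():
        match = AUTOMAKE_LINE.match(line.strip())
        if match:
            results[match.group(2)] = match.group(1)
        elif line.strip():
            # Non-empty line the parser could not attribute to any test case.
            unparsed.append(line)
    return results, unparsed


def summarize(output):
    """Count results by keyword; an empty Counter means nothing was recognised."""
    results, _ = parse_results(output)
    return Counter(results.values())


if __name__ == "__main__":
    for label, sample in (("pytest", PYTEST_STYLE), ("automake", AUTOMAKE_STYLE)):
        _, unparsed = parse_results(sample)
        print(label, dict(summarize(sample)), f"{len(unparsed)} unparsed line(s)")
```

A pipeline that treats "no FAIL lines" as success should also alert on a run with zero recognised results, since that is what a format mismatch looks like.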
@amstewart
Contributor Author

Patch V2

  • Fixed signoffs; wrong email.

Contributor

@chaitu236 chaitu236 left a comment

@amstewart I suppose you meant #726 and not #725 in the PR description.

@amstewart amstewart merged commit 22ab80f into ni:nilrt/master/kirkstone Oct 8, 2024
@amstewart amstewart deleted the dev/kirkstone/snac branch October 8, 2024 14:19