From cecbdd21c9b1e2ec2cc7e00074b3e6dcdfd3dc6a Mon Sep 17 00:00:00 2001 From: chainsx Date: Thu, 31 Oct 2024 17:25:07 +0800 Subject: [PATCH] =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E9=97=AE=E9=A2=98=E6=B1=87?= =?UTF-8?q?=E6=80=BB=E3=80=81=E4=BD=BF=E7=94=A8Docker=E6=9E=84=E5=BB=BA?= =?UTF-8?q?=E3=80=81=E8=AE=BE=E7=BD=AESELinux=E7=9A=84=E6=96=87=E6=A1=A3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.en.md | 31 ++++ README.md | 32 ++++ ...04\345\273\272\351\225\234\345\203\217.md" | 139 ++++++++++++++++++ .../\350\256\276\347\275\256SELinux.md" | 111 ++++++++++++++ 4 files changed, 313 insertions(+) create mode 100644 "documents/\344\275\277\347\224\250Docker\346\236\204\345\273\272\351\225\234\345\203\217.md" create mode 100644 "documents/\350\256\276\347\275\256SELinux.md" diff --git a/README.en.md b/README.en.md index 62128e2..0d30e65 100644 --- a/README.en.md +++ b/README.en.md @@ -14,6 +14,7 @@ This repository provides scripts for building openEuler image for Rockchip devel - [Install an Image on an SD Card](#install-an-image-on-an-sd-card) - [Install an Image on an EMMC](#install-an-image-on-an-emmc) - [Install an Image on an EMMC](#install-an-image-on-an-emmc) + - [Issue Summary](#issue-summary) ## File Description @@ -23,6 +24,8 @@ This repository provides scripts for building openEuler image for Rockchip devel - [Build images sequentially](documents/顺序构建.md) - [Compile the kernel of Firefly-RK3399 based on the Firefly SDK](documents/基于Firefly-SDK编译Firefly-RK3399的内核镜像.md) - [Packaging ITX-RK3588J Integrated Burn Write Image](documents/打包ITX-RK3588J一体化烧写镜像.md) + - [Set up SELinux](documents/设置SELinux.md) + - [Build an image using Docker](documents/使用Docker构建镜像.md) - [scripts](./scripts/): Used to build openEuler Rockchip images - [One-time build images](scripts/build.sh) - [Build a boot Image](scripts/build_boot.sh) 
@@ -339,3 +342,31 @@ After decompressing the RAW original image, please refer to [Install openEuler o ### Install an Image on an EMMC Refer to [Install openEuler to the EMMC](documents/刷写EMMC镜像.md) for details about how to write compressed RAW original image to an EMMC. + +## Issue Summary + +1. Login Incorrect Message with Custom Built openEuler Image: + + This issue typically has the following characteristics: + + - After entering root/openeuler, you see "Login incorrect": + + ``` + openEuler 22.03 LTS + Kernel 5.10.0 on an aarch64 + + openEuler login: root + Password: + + Login incorrect + ``` + + - Unable to change the password when chrooted to the root directory: + + `passwd: Authentication token manipulation error` + + Here are some solutions for this type of issue. If you have more methods, feel free to provide feedback: + + - [Build an Image Using Docker (Recommended)](documents/使用Docker构建镜像.md) + + - [Set Up SELinux](documents/设置SELinux.md) \ No newline at end of file diff --git a/README.md b/README.md index c6e34ec..6660c50 100644 --- a/README.md +++ b/README.md @@ -14,6 +14,7 @@ - [刷写镜像](#刷写镜像) - [刷写到 SD 卡](#刷写到-sd-卡) - [刷写到 EMMC](#刷写到-emmc) + - [问题汇总](#问题汇总) ## 文件说明 @@ -23,6 +24,8 @@ - [顺序构建](documents/顺序构建.md) - [基于Firefly-SDK编译Firefly-RK3399的内核镜像](documents/基于Firefly-SDK编译Firefly-RK3399的内核镜像.md) - [打包 ITX-RK3588J 一体化烧写镜像](documents/打包ITX-RK3588J一体化烧写镜像.md) + - [设置 SELinux](documents/设置SELinux.md) + - [使用 Docker 构建镜像](documents/使用Docker构建镜像.md) - [scripts](./scripts/): 构建 openEuler Rockchip镜像的脚本 - [一次构建脚本](scripts/build.sh) - [boot 镜像构建脚本](scripts/build_boot.sh) 
@@ -341,3 +344,32 @@ ### 刷写到 EMMC 将 openEuler 安装到 EMMC,详见[刷写EMMC镜像](documents/刷写EMMC镜像.md)。 + + +## 问题汇总 + +1. 自构建 openEuler 镜像登录时提示 Login incorrect: + + 该问题通常有以下几种特征: + + - 根据提示输入 root / openeuler 后提示 Login incorrect + + ``` + openEuler 22.03 LTS + Kernel 5.10.0 on an aarch64 + + openEuler login:root + Password: + + Login incorrect + ``` + + - chroot 到根目录无法修改密码 + + `passwd:Authentication token manipulation error` + + 遇到这一类问题有以下解决方法,如果有更多方法,欢迎反馈: + + - [使用 Docker 构建镜像(推荐)](documents/使用Docker构建镜像.md) + + - [设置 SELinux](documents/设置SELinux.md) diff --git "a/documents/\344\275\277\347\224\250Docker\346\236\204\345\273\272\351\225\234\345\203\217.md" "b/documents/\344\275\277\347\224\250Docker\346\236\204\345\273\272\351\225\234\345\203\217.md" new file mode 100644 index 0000000..65f5c19 --- /dev/null +++ "b/documents/\344\275\277\347\224\250Docker\346\236\204\345\273\272\351\225\234\345\203\217.md" 
@@ -0,0 +1,139 @@ +- [描述](#描述) +- [准备环境](#准备环境) +- [安装 Docker 及 qemu-user-static-aarch64](#安装-docker-及-qemu-user-static-aarch64) + - [openEuler/CentOS](#openeulercentos) + - [Debian/Ubuntu](#debianubuntu) +- [拉取 openEuler Docker 镜像](#拉取-openeuler-docker-镜像) +- [运行 openEuler Docker 容器](#运行-openeuler-docker-容器) +- [容器内安装 Git 来拉取构建框架](#容器内安装-git-来拉取构建框架) +- [容器内拉取并运行构建框架](#容器内拉取并运行构建框架) +- [将容器内构建好的镜像复制到主机](#将容器内构建好的镜像复制到主机) + +## 描述 + +本文介绍了如何使用 Docker 来运行 rockchip 的 openEuler 构建框架。 + +## 准备环境 + +- 操作系统:openEuler, CentOS, Ubuntu, Debian +- 架构:aarch64, x86_64 + +## 安装 Docker 及 qemu-user-static-aarch64 + +### openEuler/CentOS + +``` +dnf makecache +dnf install docker -y +``` + +如果是 `aarch64` 架构的构建主机,可以跳过以下步骤;如果是 `x86_64` 架构的构建主机,则还需要执行以下步骤来安装 `qemu-user-static-aarch64`。 + +``` +wget https://dl.fedoraproject.org/pub/fedora/linux/releases/40/Everything/x86_64/os/Packages/q/qemu-user-static-aarch64-8.2.2-1.fc40.x86_64.rpm + +rpm -ivh qemu-user-static-aarch64-8.2.2-1.fc40.x86_64.rpm +``` + +### Debian/Ubuntu + +``` +apt-get update +apt-get install docker.io -y +``` + +如果是 `aarch64` 架构的构建主机,可以跳过以下步骤;如果是 `x86_64` 架构的构建主机,则还需要执行以下步骤来安装 `qemu-user-static`。 + +``` +apt-get install qemu-user-static -y +``` + +## 拉取 openEuler Docker 镜像 + +``` +docker pull --platform=linux/arm64 openeuler/openeuler:22.03-lts +``` + +- `--platform=linux/arm64` 的意思是拉取 `arm64` 的镜像,如果在 `x86_64` 架构的构建主机上进行拉取的话,需要软件 QEMU 来模拟运行。 + +- `openeuler/openeuler` 对应的 tag `22.03-lts` 可以在以下页面查阅: + + https://hub.docker.com/r/openeuler/openeuler + +执行以上命令的输出如下: + +``` +[root@localhost ~]# docker pull --platform=linux/arm64 openeuler/openeuler:22.03-lts +22.03-lts: Pulling from openeuler/openeuler +69c9100b5f7b: Pull complete +249b19ca6efa: Pull complete +Digest: sha256:ce16fc3edbd44ca0dcbc3d5c01f8e09242c7e73471f18b948d0add0f180d1a17 +Status: Downloaded newer image for openeuler/openeuler:22.03-lts +docker.io/openeuler/openeuler:22.03-lts +``` + +## 运行 openEuler Docker 容器 + +``` +docker run --privileged --name 
openEuler-2203-aarch64 -it openeuler/openeuler:22.03-lts +``` + +- `--privileged` 表示以特权模式运行,因为构建过程包括镜像的分区和挂载,需要启用特权模式。 +- `--name openEuler-2403-aarch64` 将镜像的名字设置为 openEuler-2403-aarch64。 +- `openeuler/openeuler:22.03-lts` 表示运行之前拉取的版本。 + +执行以上命令的输出如下: + +``` +[root@localhost ~]# docker run --privileged --name openEuler-2403-aarch64 -it openeuler/openeuler:22.03-lts +WARNING: The requested image's platform (linux/arm64) does not match the detected host platform (linux/amd64/v4) and no specific platform was requested + + +Welcome to 6.6.0-28.0.0.34.oe2403.x86_64 + +System information as of time: Thu Oct 31 03:33:33 UTC 2024 + +System load: 0.07 +Processes: 5 +Memory used: 8.1% +Swap used: 0% +Usage On: 13% +Users online: 0 + + +[root@5999265a441f /]# +``` + +如果是 `aarch64` 架构的构建主机,则不会出现 `WARNING: The requested image's platform (linux/arm64) does not match the detected host platform (linux/amd64/v4) and no specific platform was requested` 的警告信息。 + +查看 Docker 是否成功使用 QEMU 模拟 `aarch64` 架构(`aarch64` 架构的构建主机则不需要这一步骤)。 + +``` +[root@5999265a441f /]# arch +aarch64 +``` + +## 容器内安装 Git 来拉取构建框架 + +``` +dnf makecache +dnf install git -y +``` + +## 容器内拉取并运行构建框架 + +过程参见[镜像构建](https://gitee.com/openeuler/rockchip#%E9%95%9C%E5%83%8F%E6%9E%84%E5%BB%BA)。 + +## 将容器内构建好的镜像复制到主机 + +脚本执行完成后,会在 Docker 容器中脚本所在目录的 build/YYYY-MM-DD 文件夹下生成 openEuler 镜像文件。 + +假设构建框架 rockchip 文件夹的在 Docker 容器里的绝对路径为:/root/rockchip,使用以下命令来拷贝 openEuler 镜像文件到构建主机: + +``` +docker cp openEuler-2203-aarch64:/root/rockchip/build/YYYY-MM-DD/openEuler-VERSION-BOARD-ARCH-RELEASE.img.xz /root +``` + +- `openEuler-2203-aarch64` 为 Docker 容器的名称。 +- `/root/rockchip/build/YYYY-MM-DD/openEuler-VERSION-BOARD-ARCH-RELEASE.img.xz` 为 Docker 容器内 openEuler 镜像的绝对路径。 +- `/root` 为拷贝 openEuler 镜像文件到构建主机的目标路径。 \ No newline at end of file diff --git "a/documents/\350\256\276\347\275\256SELinux.md" "b/documents/\350\256\276\347\275\256SELinux.md" new file mode 100644 index 0000000..6e67150 
--- /dev/null +++ "b/documents/\350\256\276\347\275\256SELinux.md" 
@@ -0,0 +1,111 @@ +- [描述](#描述) +- [什么是 SELinux](#什么是-selinux) +- [检查 SELinux 状态](#检查-selinux-状态) +- [设置 SELinux 为许可状态](#设置-selinux-为许可状态) +- [永久设置 SELinux 为许可状态 (不推荐)](#永久设置-selinux-为许可状态-不推荐) + +## 描述 + +本文介绍了如何在 openEuler 中设置 SELinux 状态。 + +## 什么是 SELinux + +SELinux 是一个提供强制访问控制的安全模块,限制进程对系统资源的访问。 +当 SELinux 开启且强制执行时,它会阻止 chroot 其他系统的根目录修改密码,因为安全策略限制这些操作。 + +设置 SELinux 为许可模式会增加安全风险,使系统更易受到攻击,在充分了解设置 SELinux 为许可模式将对你的系统造成影响之后再进行以下操作。 + +## 检查 SELinux 状态 + +1. 使用 `getenforce` 查看 SELinux 状态: + +``` +[root@localhost ~]# getenforce +Enforcing +``` + +如果为 `Enforcing` 则表示 SELinux 为开启状态且强制执行。 + +2. 使用 `sestatus` 查看 SELinux 状态 + +``` +[root@localhost ~]# sestatus +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: targeted +Current mode: enforcing +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 33 +``` + +如果为 `Current mode: enforcing` 则表示 SELinux 为开启状态且强制执行。 + +## 设置 SELinux 为许可状态 + +使用 `setenforce 0` 来将 SELinux 暂时设置为许可状态 + +``` +[root@localhost ~]# setenforce 0 +``` + +查看修改后的 SELinux 状态: + +``` +[root@localhost ~]# getenforce +Permissive +[root@localhost ~]# sestatus +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: targeted +Current mode: permissive +Mode from config file: enforcing +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 33 +``` + +## 永久设置 SELinux 为许可状态 (不推荐) + +编辑 /etc/selinux/config 文件 + +完整内容如下: + +``` +# This file controls the state of SELinux on the system. +# SELINUX= can take one of these three values: +# enforcing - SELinux security policy is enforced. +# permissive - SELinux prints warnings instead of enforcing. +# disabled - No SELinux policy is loaded. 
+SELINUX=enforcing +# SELINUXTYPE= can take one of these three values: +# targeted - Targeted processes are protected, +# minimum - Modification of targeted policy. Only selected processes are protected. +# mls - Multi Level Security protection. +SELINUXTYPE=targeted +``` + +将 `SELINUX=enforcing` 修改为 `SELINUX=permissive` 然后重启即可。 + +重启后再查看 SELinux 状态如下: + +``` +[root@localhost ~]# getenforce +Permissive +[root@localhost ~]# sestatus +SELinux status: enabled +SELinuxfs mount: /sys/fs/selinux +SELinux root directory: /etc/selinux +Loaded policy name: targeted +Current mode: permissive +Mode from config file: permissive +Policy MLS status: enabled +Policy deny_unknown status: allowed +Memory protection checking: actual (secure) +Max kernel policy version: 33 +``` \ No newline at end of file -- Gitee
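Review bot: In the README.en.md `@@ -14,6 +14,7 @@` hunk, the unchanged context lines directly above the new `- [Issue Summary](#issue-summary)` entry list `- [Install an Image on an EMMC](#install-an-image-on-an-emmc)` twice. Since this commit already edits the table of contents, drop the duplicate line here rather than leaving it for a separate fix.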
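Review bot: In the README.en.md `@@ -339,3 +342,31 @@` hunk, the "Issue Summary" never says where the two fixes apply. The `passwd: Authentication token manipulation error` occurs in the chroot on the build host, so the SELinux change in the linked document is a build-host setting for the duration of the build and has nothing to do with the SELinux state of the produced image; add one sentence saying so, and that `setenforce 1` should be run once the build has finished. Two smaller points: "After entering root/openeuler" reads like a path, so write it as the default credentials `root` / `openeuler` (and it is worth telling readers to change that default password at first login, since it is now printed in the README); and the file ends with `\ No newline at end of file` while README.md ends with a newline, so add the trailing newline.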
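Review bot: In the README.md `@@ -341,3 +344,32 @@` hunk, the same scoping sentence is missing as in the English version: state that the SELinux adjustment is made on the build host only while the build runs, not on the target image, and that it is reverted with `setenforce 1` afterwards. Also, the transcript lines `openEuler login:root` and `passwd:Authentication token manipulation error` drop the space after the colon that the real prompt and `passwd` print (the English hunk has `openEuler login: root` and `passwd: Authentication token manipulation error`); make the two transcripts match so that readers searching for the exact error string find it.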
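Review bot: In the `documents/使用Docker构建镜像.md` hunk the container name is inconsistent: the `docker run` command uses `--name openEuler-2203-aarch64`, the bullet below it and the sample output use `openEuler-2403-aarch64`, and the closing `docker cp openEuler-2203-aarch64:...` uses `2203` again. Anyone copying the commands as written will get a "no such container" error on the copy step; pick one name and use it throughout. The bullet also says `--name` sets "镜像的名字" (the image name), but it sets the container name. Two security points a build-host owner should be told in this document: `--privileged` gives the container unrestricted access to the host's devices, which is exactly why the partition and mount steps work, but it also means the host's own disks are reachable from inside the container, so only run the trusted build framework there and `docker rm` the container once the image has been copied out; and the openEuler/CentOS path downloads `qemu-user-static-aarch64-8.2.2-1.fc40.x86_64.rpm` from the Fedora mirror and installs it with `rpm -ivh` without any signature check, so add an `rpm -K` step against the Fedora signing key (or install the package from a repository that dnf verifies). Finally, since the sample output already shows the digest `sha256:ce16fc3edbd44ca0dcbc3d5c01f8e09242c7e73471f18b948d0add0f180d1a17`, suggest pulling by that digest (`openeuler/openeuler@sha256:...`) so the build base is pinned rather than following the mutable `22.03-lts` tag.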
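Review bot: In the `documents/设置SELinux.md` hunk, the document explains that enforcing mode blocks `passwd` inside the chroot and shows `setenforce 0`, but the reverse command `setenforce 1` appears nowhere, so a reader who follows it leaves the build host permissive until the next reboot. Add the `setenforce 1` step (with a `getenforce` check showing `Enforcing`) right after the build-framework step, and say explicitly in the 描述 section that every command in this document runs on the build host and does not change the SELinux state of the openEuler image being produced. The "永久设置 ... (不推荐)" section should likewise say that `/etc/selinux/config` here is the build host's file; as written, a reader could take it for the image's config and ship a permissive image, which is the outcome the warning paragraph in 什么是 SELinux is trying to prevent.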