Fix E2E SSH and post-boot sudo: pi shell + NOPASSWD sudoers in prepare-image #273
Open
guysoft wants to merge 4 commits into
Raspberry Pi OS Trixie ships the pi user with /usr/sbin/nologin as the default shell. Since we remove userconfig.service (which normally handles first-boot user setup), the shell stays nologin and SSH sessions fail with "This account is currently not available." Download /etc/passwd alongside /etc/shadow and replace nologin with /bin/bash for the pi user.
- Add feature/e2e to docker-build.yml branch triggers so CI produces a custompios:feature-e2e container tag for development
- Create shared ssh-helpers.sh with canonical ssh_cmd/scp_cmd functions to replace duplicated SSH boilerplate across distro test scripts
- Create reusable e2e-test.yml workflow that distros can call with uses: guysoft/CustomPiOS/.github/workflows/e2e-test.yml@ref
- Update test_boot.sh to source ssh-helpers.sh
userconfig.service is what normally creates this file on first boot; since we remove that service for headless QEMU testing, pi sudo requires a password and breaks post-boot hooks that try to install packages or start services over non-TTY SSH. Write the canonical 'pi ALL=(ALL) NOPASSWD: ALL' rule directly via guestfish so 'sudo apt-get install ...' and similar work from ssh_cmd "sudo ..." calls.
Summary
Fixes the shared E2E test framework SSH stage and post-boot sudo, which were both broken by the combination of Raspberry Pi OS Trixie defaults and the headless userconfig.service removal we do in prepare-image.sh.

Root causes
- SSH login failed for pi. RPi OS Trixie ships the pi user with /usr/sbin/nologin as the default shell. The first-boot userconfig.service would normally rewrite it, but src/distro_testing/scripts/prepare-image.sh removes that service. Result: SSH authenticates but every session prints "This account is currently not available." and exits 1, timing out the wait-for-ssh stage. Reproduced in FullPageOS run 24418025784.
- sudo from the pi user required a password. userconfig.service is also what normally drops /etc/sudoers.d/010_pi-nopasswd. With that service removed, sudo apt-get install ... and similar calls from post-boot hooks fail over non-TTY SSH (sudo: a terminal is required to read the password). This was previously masked by the SSH timeout above.

Fix
In src/distro_testing/scripts/prepare-image.sh:
- /etc/passwd alongside /etc/shadow, sed-replace :/usr/sbin/nologin -> :/bin/bash for the pi user, re-upload.
- write /etc/sudoers.d/010_pi-nopasswd "pi ALL=(ALL) NOPASSWD: ALL\n" with chmod 0440.

Verification
Built ghcr.io/guysoft/custompios:bugfix-e2e from this branch, pointed FullPageOS test/e2e-bugfix at it. FullPageOS run 26096890001 is fully green:
- SSH is ready (took 98s) (previously: 600s timeout)
- test_boot.sh -> PASSED
- test_chromium.sh -> PASSED (matchbox window detected, chromium kiosk running)
- test_lighttpd.sh -> PASSED
- ALL TESTS PASSED

Commits in this PR
- 2a87cfb Fix E2E SSH: set pi user shell to /bin/bash in prepare-image (cherry-picked from feature/e2e).
- 4f055f3 Seed /etc/sudoers.d/010_pi-nopasswd in prepare-image.
- 3b7827d Add reusable E2E workflow, SSH helpers, and CI trigger for feature/e2e (cherry-picked from feature/e2e; needed because distros source ssh-helpers.sh from the docker image).
- 82c0ebf ci: build docker image for bugfix/e2e branch (can be reverted on merge if desired, or left as a no-op once this branch is gone).
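
The passwd and sudoers steps from the description above, as an added example that is not code from this PR or from CustomPiOS: it changes the shell for the pi entry only, on a local copy of /etc/passwd, and checks the sudoers drop-in's content and mode before anything is re-uploaded. The function names and the sample passwd contents are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed, not project code.

# Set <shell> for exactly one account in a passwd-format file (7 fields, shell
# last), and only if that account currently has /usr/sbin/nologin.
set_login_shell() {  # usage: set_login_shell <passwd-file> <user> <shell>
    awk -F: -v OFS=: -v u="$2" -v s="$3" \
        'NF == 7 && $1 == u && $7 == "/usr/sbin/nologin" { $7 = s } { print }' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Print, sorted on one line, every account that can get an interactive shell.
login_shell_users() {  # usage: login_shell_users <passwd-file>
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1" | sort | paste -sd' ' -
}

# Succeed only if the drop-in holds exactly the one pi rule and has mode 0440.
check_sudoers_dropin() {  # usage: check_sudoers_dropin <file>
    [ "$(cat "$1")" = 'pi ALL=(ALL) NOPASSWD: ALL' ] || return 1
    [ -n "$(find "$1" -prune -perm 0440)" ] || return 1
}

# Constructed sample resembling the passwd layout described above.
make_sample_passwd() {  # usage: make_sample_passwd <output-file>
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/usr/sbin/nologin
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample_passwd "$d/passwd"
    set_login_shell "$d/passwd" pi /bin/bash
    echo "accounts with a login shell: $(login_shell_users "$d/passwd")"
    printf 'pi ALL=(ALL) NOPASSWD: ALL\n' > "$d/010_pi-nopasswd"
    chmod 0440 "$d/010_pi-nopasswd"
    check_sudoers_dropin "$d/010_pi-nopasswd" && echo "sudoers drop-in ok"
    rm -rf "$d"
}
demo
```

A replacement that is not anchored to the pi entry would also give daemon and www-data a login shell; listing the accounts with login_shell_users before re-upload makes that visible.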