refkit: activate minimal "stateless" changes

This enables the "stateless" distro feature and the "stateless" image
for all refkit-image.bbclass images.

However, only the changes that do no require upstream source code
patching get enabled. For example, systemd configuration gets moved
from /etc entirely into /usr. This is a choice we make for the
"refkit" distro. "refkit-config.inc" merely activates the base
stateless support, without any of the .inc files which actually cause
changes.

Advanced changes like allowing local user management separately from
the system users are not enabled because they depend on
patches. Enabling those changes would increase the risk that building
IoT Refkit breaks when OE-core gets updated, and at this point it is
not certain whether that is a risk worth taking.

Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>

Author: pohly

meta-refkit-core/classes/refkit-image.bbclass

@@ -80,8 +80,9 @@ IMAGE_FEATURES[validitems] += " \
 # building without swupd), or by defining additional bundles via
 # SWUPD_BUNDLES.
 IMAGE_FEATURES += " \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'ima', 'ima', '', d)} \
-    ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'smack', '', d)} \
+    ${@ bb.utils.filter('DISTRO_FEATURES', 'ima', d) } \
+    ${@ bb.utils.filter('DISTRO_FEATURES', 'smack', d) } \
+    ${@ bb.utils.filter('DISTRO_FEATURES', 'stateless', d) } \
     ${@ 'muted' if (d.getVar('IMAGE_MODE') or 'production') == 'production' else 'autologin' } \
     ${REFKIT_IMAGE_EXTRA_FEATURES} \
 "

meta-refkit-core/conf/distro/include/refkit-config.inc

@@ -58,6 +58,15 @@ REFKIT_DEFAULT_DISTRO_FEATURES += "refkit-config"
 # Enable OSTree system update support.
 REFKIT_DEFAULT_DISTRO_FEATURES += "ostree"
 
+# Reconfigure and/or patch some recipes to support "stateless" images
+# better (stateless = configuration in /etc can be created locally or
+# isn't needed at all). Note that the actual changes are defined by
+# the stateless*.inc files included by a distro config like
+# refkit.conf, i.e. merely including refkit-config.inc does not
+# have much effect even when "stateless" is enabled as distro feature.
+REFKIT_DEFAULT_DISTRO_FEATURES += "stateless"
+require conf/distro/include/stateless.inc
+
 # Remove currently unsupported distro features from global defaults
 REFKIT_DEFAULT_DISTRO_FEATURES_REMOVE += "x11 3g"
 

meta-refkit/conf/distro/refkit.conf

@@ -74,7 +74,30 @@ DISTRO_EXTRA_RRECOMMENDS += " ${REFKIT_DEFAULT_EXTRA_RRECOMMENDS}"
 # Distro settings potentially shared with other distros.
 require conf/distro/include/no-static-libs.inc
 require conf/distro/include/refkit_security_flags.inc
-require conf/distro/include/stateless.inc
+
+# Turns build settings in /etc into image settings under /usr,
+# without non-upstream patches.
+require conf/distro/include/stateless-usr.inc
+
+# NOT used because it depends on non-upstream patches.
+# Without this, creating local users conflicts with updating system
+# users as part of a system update. Would be very nice to have.
+# require conf/distro/include/stateless-nss-altfiles.inc
+
+# NOT used because it depends on non-upstream patches.
+# Enables login without some files in /etc. Not so important.
+# require conf/distro/include/stateless-login.inc
+
+# NOT used because it depends on non-upstream patches.
+# Makes it possible to modify nsswitch.conf without
+# conflicting with system settings. Not particularly
+# important.
+# require conf/distro/include/stateless-nsswitch.inc
+
+# Not used because it renders the /etc handling in OSTree
+# and swupd useless: once /etc is populated, it remains
+# unchanged even when system defaults change.
+# require conf/distro/include/stateless-factory.inc
 
 # Include *and* enabled refkit configuration. Including
 # just refkit-config.inc would not enable the configuration