Yocto - mender-client postinstall failing - ca-certificates dependency problem?

Hi,

I’ve been building a simple RaspberryPi yocto image (dunfell) with mender client and recently it has stopped building.

At first my problem was initially Mender-shell missing from mender github as I was using meta-mender tagged dunfell-v2020.12 … but I’ve not tried upgrading to dunfell-v2021.03 and am now getting this error (“my-image” is my own image recipe):

ERROR: my-image-1.0-r0 do_rootfs: Postinstall scriptlets of ['mender-client'] have failed. If the intention is to defer them to first boot,
then please place them into pkg_postinst_ontarget_${PN} ().
Deferring to first boot via 'exit 1' is no longer supported.

The first signs of a problem in the log file are here:

Installing       : mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4       88/95 
Running scriptlet: mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4       88/95
%post(mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4): scriptlet start
%post(mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4): execv(/bin/sh) pid 308298
+ set -e
+ SYSROOT=<<MY--PATH>>/poky/build/tmp/work/raspberrypi4-poky-linux-gnueabi/my-image/1.0-r0/rootfs <<MY--PATH>>/poky/build/tmp/work/raspberrypi4-poky-linux-gnuea
  bi/my-image/1.0-r0/rootfs/usr/sbin/update-ca-certificates
  /var/tmp/rpm-tmp.vzIDJQ: 4: <<MY--PATH>>/poky/build/tmp/work/raspberrypi4-poky-linux-gnueabi/my-image/1.0-r0/rootfs/usr/sbin/update-ca-certificates: not found
%post(mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4): waitpid(308298) rc 308298 status 7f00
warning: %post(mender-client-2.5.0-r0.cortexa7t2hf_neon_vfpv4) scriptlet failed, exit status 127
  
Error in POSTIN scriptlet in rpm package mender-client

Looking further down the log, it looks like mender-client is being built before ca-certificates recipe. Is there a dependency issue?

My bblayers.conf contains:

 BBLAYERS ?= " \
  <<MY--PATH>>/poky/meta \
  <<MY--PATH>>/poky/meta-poky \
  <<MY--PATH>>/poky/meta-yocto-bsp \
  <<MY--PATH>>/poky/meta-raspberrypi \
  <<MY--PATH>>/poky/meta-mender/meta-mender-core \
  <<MY--PATH>>/poky/meta-mender/meta-mender-raspberrypi \
  <<MY--PATH>>/meta-my \
"

layer.conf contains:

FILESEXTRAPATHS_prepend_pn-mender := "${TOPDIR}/../build:"

SRC_URI_append_pn-mender = "file://server.crt"

MENDER_FEATURES_ENABLE_append = " mender-uboot mender-image mender-image-sd mender-systemd mender-growfs-data"
MENDER_FEATURES_DISABLE_append = " mender-grub mender-image-uefi"

MENDER_ARTIFACT_NAME = "my-rpi4-test"
MENDER_PARTITION_ALIGNMENT = "8388608"
MENDER_BOOT_PART_SIZE_MB = "80"

IMAGE_FSTYPES_remove = " rpi-sdimg"
SDIMG_ROOTFS_TYPE = "ext4"
MACHINE = "raspberrypi4"
KERNEL_DEVICETREE = "bcm2711-rpi-4-b.dtb"
SDKMACHINE = "i686"
ENABLE_UART = "1"

My “my-image” image recipe contains:

require recipes-core/images/core-image-minimal.bb

IMAGE_INSTALL += " \
    libstdc++ \
    openssh \
    sudo \
    ca-certificates \
    kernel-image \
    kernel-devicetree \
"

I’m using the following source versions:

• poky tag ‘dunfell-23.0.6’
• meta-raspberrypi branch ‘dunfell’
• meta-mender tag ’ dunfell-v2021.03’

Any help much appreciated. I’m afraid this is beyond my current limits of understanding of yocto recipes and the build process.

cheers

It looks like this commit is the one adding the call to update-ca-certificates which is failing. And it looks like this logic has changed significantly in master.

@lluiscampos do you have any thoughts on how to fix this for dunfell?

As a temporary workaround, I’ve added the following to mender-client recipe via a .bbappend:

RDEPENDS_${PN} += " ca-certificates "

@matt Thanks for reporting, @drewmoseley thanks for pointing to the right fix.

The dependency is indeed missing for dunfell, I’ll launch a fix for it ASAP.

The implementation is completely different for master (see commit) and the ca-certificates dependency is correctly set. The reason they deviate is that for master we have deprecated the variable MENDER_CERT_LOCATION. See the JIRA task for more details.

Mmm, on a second thought the dependency is already there, via PACKAGECONFIG, see this line.

On my setup, running bitbake -e mender-client | egrep ^RDEPENDS_mender-client= returns ca-certificates there. @matt Can you run this command without your .bbapend fix and post the output here?

I don’t really know what can be wrong with your setup. I assume you have not disabled mender-client-install feature, and I don’t see how can then disappear.

@kacf can you have a look on your end?

Hello @lluiscampos … correct, I have not done anything to disable mender-client-install as best as I know. My config is at the top of this thread.

The output you requested, with my .bbappend fix commented out:

$ bitbake -e mender-client | egrep ^RDEPENDS_mender-client=
RDEPENDS_mender-client=" liblzma openssl parted util-linux-fdisk libubootenv-bin"

And with my .bbappend fix included:

$ bitbake -e mender-client | egrep ^RDEPENDS_mender-client=
RDEPENDS_mender-client=" liblzma openssl  ca-certificates parted util-linux-fdisk libubootenv-bin"

Hi @matt,

I see it now: you are missing mender-client-install in your MENDER_FEATURES_ENABLE_append. Adding that feature should solve the issue.

The feature is to actually install mender client; your image is adding mender client through some other dependency (sorry, I cannot really tell) but then other parts, like the ca-certificates dependency, are missing. The recommended way to install the mender client is by enabling such feature

See documentation on the feature in the source code here or in Mender Docs here (*)

(*) obs! at the time of writing, Mender Docs feature has a typo: the feature is mender-client-install and not mender-install. I just caught it now and I am fixing here.

Many thanks @lluiscampos … that seems to have fixed it.