update

clonedisk.sh

@@ -107,6 +107,7 @@ if [[ ${IN#/dev/loop} != $IN ]]; then
 fi
 
 if ! [[ $UPDATE ]]; then
+    swapoff -a || :
 
     udevadm settle
     wipefs --all "$OUT"
@@ -140,8 +141,6 @@ for i in 1 2 3; do
 done
 
 if ! [[ $UPDATE ]]; then
-    swapoff -a :
-
     if [[ $USE_CRYPT ]]; then
            # ------------------------------------------------------------------------------
         # swap

mkimage.sh

@@ -1,10 +1,4 @@
-#!/bin/bash
-
-#===================================
-FEDORA_VERSION=${FEDORA_VERSION:-28}
-#===================================
-
-set -ex
+#!/bin/bash -ex
 
 CURDIR=$(pwd)
 PROGNAME=${0##*/}
@@ -74,7 +68,7 @@ while true; do
 done
 
 SOURCE=$(readlink -e "$1")
-IMAGE=$(readlink -e "$2")
+IMAGE=$(readlink -f "$2")
 
 if ! [[ -d $SOURCE ]] || ! [[ $IMAGE ]]; then
     usage

pre-pivot.sh

@@ -56,29 +56,29 @@ if [[ $FOUND ]]; then
             export TPM2TOOLS_TCTI_NAME=device
             export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
 
-            if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}'; then
+            if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 | vwarn; then
                 clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
                 echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
-            elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
+            elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 | vwarn; then
                 clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
                 echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
             else
                 warn "Failed to bind swap disk to TPM2"
             fi
         else
-            clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+            clevis-luks-unlock -d "$swapdev" -n "$luksname"  2>&1 | vinfo || die "Failed to unlock $swapdev"
         fi
         swapdev="$luksdev"
     fi
 
     swaptype=$(blkid -o value -s TYPE "$swapdev")
     [[ $swaptype == "swsuspend" ]] && \
-        /usr/lib/systemd/systemd-hibernate-resume "$swapdev"
+        /usr/lib/systemd/systemd-hibernate-resume "$swapdev"  &>/dev/null
 
     [[ $swaptype != "swap" ]] && \
-        mkswap "$swapdev"
+        mkswap "$swapdev" 2>&1 | vinfo
 
-    swapon "$swapdev"
+    swapon "$swapdev" 2>&1 | vinfo
 fi
 
 

prepare-root.sh

@@ -373,6 +373,11 @@ echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf
 mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime
 ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime
 
+#---------------
+# machine-id
+rm -f "$sysroot"/etc/machine-id
+ln -fsnr "$sysroot"/var/machine-id "$sysroot"/etc/machine-id
+
 #---------------
 # adjtime
 mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
@@ -453,7 +458,7 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
 cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
 rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
 
-chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
+chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
 mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
 
 sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release

quirks/nss.sh

@@ -60,5 +60,4 @@ C /var/group - - - - -
 C /var/gshadow - - - - -
 C /var/subuid - - - - -
 C /var/subgid - - - - -
-C /var/etc - - - - -
 EOF

squashfs-size.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+getbyte () {
+    local IFS= LC_CTYPE=C res c
+    read -r -n 1 -d '' c
+    res=$?
+    # the single quote in the argument of the printf
+    # yields the numeric value of $c (ASCII since LC_CTYPE=C)
+    [[ -n $c ]] && c=$(printf '%u' "'$c") || c=0
+    printf "$c"
+    return $res
+}
+
+getword () {
+    local b1 b2 val
+    b1=$(getbyte) || return 1
+    b2=$(getbyte) || return 1
+    (( val = b2 * 256 + b1 ))
+    echo $val
+    return 0
+}
+
+getuint () {
+    local b1 b2 val
+    b1=$(getword) || return 1
+    b2=$(getword) || return 1
+    (( val = b2 * 256 * 256 + b1 ))
+    echo $val
+    return 0
+}
+
+squashfs_size() {
+    size=$(for i in {1..20}; do getword >/dev/null; done; getuint)
+    echo $(((size+4095)/4096*4096))
+}
+
+squashfs_size
+

update.sh

@@ -1,5 +1,64 @@
 #!/bin/bash -ex
 
+CURDIR=$(pwd)
+PROGNAME=${0##*/}
+
+usage() {
+    cat << EOF
+Usage: $PROGNAME [OPTION]
+
+  -h, --help             Display this help
+  --force                Update, even if the signature checks fail
+  --dir DIR              Update from DIR, instead of downloading
+EOF
+}
+
+TEMP=$(
+    getopt -o '' \
+        --long dir: \
+        --long force \
+        --long nocheck \
+	--long help \
+        -- "$@"
+    )
+
+if (( $? != 0 )); then
+    usage >&2
+    exit 1
+fi
+
+eval set -- "$TEMP"
+unset TEMP
+
+while true; do
+    case "$1" in
+        '--dir')
+	    USE_DIR="$(readlink -e $2)"
+            shift 2; continue
+            ;;
+        '--force')
+	    FORCE="y"
+            shift 1; continue
+            ;;
+        '--nocheck')
+	    NO_CHECK="y"
+            shift 1; continue
+            ;;
+        '--help')
+	    usage
+	    exit 0
+            ;;
+        '--')
+            shift
+            break
+            ;;
+        *)
+            echo 'Internal error!' >&2
+            exit 1
+            ;;
+    esac
+done
+
 BASEURL="$1"
 
 . /etc/os-release
@@ -45,25 +104,37 @@ fi
 mkdir -p /var/cache/${NAME}
 cd /var/cache/${NAME}
 
-curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
+if ! [[ $USE_DIR ]]; then
+    curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
 
-IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
-ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
+    IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
+    ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
 
-if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
-    echo "Already up2date"
-    exit 1
+    if ! [[ $FORCE ]] && [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
+        echo "Already up2date"
+        exit 1
+    fi
+
+    [[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
+else
+    IMAGE="$USE_DIR"
+    ROOT_HASH=$(<"$IMAGE"/root-hash.txt)
+
+    if ! [[ $FORCE ]] && [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
+        echo "Already up2date"
+        exit 1
+    fi
 fi
 
-[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
-
 [[ -d ${IMAGE} ]]
 
 cd ${IMAGE}
 
-# check integrity
-gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
-sha512sum -c sha512sum.txt
+if ! [[ $NO_CHECK ]]; then
+    # check integrity
+    gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
+    sha512sum -c sha512sum.txt
+fi
 
 dd status=progress if=root.verity.img   of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
 dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
@@ -79,5 +150,5 @@ sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
 mkdir -p /efi/EFI/${NAME}
 cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
 
-mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi
-rm /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
+mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi || :
+rm -f /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi