update
parent
c8a3101e7b
commit
0e17648dc5
|
@ -107,6 +107,7 @@ if [[ ${IN#/dev/loop} != $IN ]]; then
|
|||
fi
|
||||
|
||||
if ! [[ $UPDATE ]]; then
|
||||
swapoff -a || :
|
||||
|
||||
udevadm settle
|
||||
wipefs --all "$OUT"
|
||||
|
@ -140,8 +141,6 @@ for i in 1 2 3; do
|
|||
done
|
||||
|
||||
if ! [[ $UPDATE ]]; then
|
||||
swapoff -a :
|
||||
|
||||
if [[ $USE_CRYPT ]]; then
|
||||
# ------------------------------------------------------------------------------
|
||||
# swap
|
||||
|
|
10
mkimage.sh
10
mkimage.sh
|
@ -1,10 +1,4 @@
|
|||
#!/bin/bash
|
||||
|
||||
#===================================
|
||||
FEDORA_VERSION=${FEDORA_VERSION:-28}
|
||||
#===================================
|
||||
|
||||
set -ex
|
||||
#!/bin/bash -ex
|
||||
|
||||
CURDIR=$(pwd)
|
||||
PROGNAME=${0##*/}
|
||||
|
@ -74,7 +68,7 @@ while true; do
|
|||
done
|
||||
|
||||
SOURCE=$(readlink -e "$1")
|
||||
IMAGE=$(readlink -e "$2")
|
||||
IMAGE=$(readlink -f "$2")
|
||||
|
||||
if ! [[ -d $SOURCE ]] || ! [[ $IMAGE ]]; then
|
||||
usage
|
||||
|
|
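Review bot: The new first line `#!/bin/bash -ex` puts the shell options in the shebang, where they are silently dropped when the script is started as `bash mkimage.sh`; a separate `set -ex` line, as the removed lines had, keeps fail-fast behaviour independent of how the script is invoked. In the second hunk, `IMAGE=$(readlink -f "$2")` now also accepts a path whose last component does not exist, so the following `! [[ $IMAGE ]]` test only catches a missing parent directory. If a not-yet-existing image is intended, a comment such as `# IMAGE may not exist yet; readlink -f only requires the parent directory` would record that.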
12
pre-pivot.sh
12
pre-pivot.sh
|
@ -56,29 +56,29 @@ if [[ $FOUND ]]; then
|
|||
export TPM2TOOLS_TCTI_NAME=device
|
||||
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
|
||||
|
||||
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}'; then
|
||||
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' 2>&1 | vwarn; then
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
|
||||
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
|
||||
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}' 2>&1 | vwarn; then
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
|
||||
else
|
||||
warn "Failed to bind swap disk to TPM2"
|
||||
fi
|
||||
else
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" 2>&1 | vinfo || die "Failed to unlock $swapdev"
|
||||
fi
|
||||
swapdev="$luksdev"
|
||||
fi
|
||||
|
||||
swaptype=$(blkid -o value -s TYPE "$swapdev")
|
||||
[[ $swaptype == "swsuspend" ]] && \
|
||||
/usr/lib/systemd/systemd-hibernate-resume "$swapdev"
|
||||
/usr/lib/systemd/systemd-hibernate-resume "$swapdev" &>/dev/null
|
||||
|
||||
[[ $swaptype != "swap" ]] && \
|
||||
mkswap "$swapdev"
|
||||
mkswap "$swapdev" 2>&1 | vinfo
|
||||
|
||||
swapon "$swapdev"
|
||||
swapon "$swapdev" 2>&1 | vinfo
|
||||
fi
|
||||
|
||||
|
||||
|
|
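Review bot: Each `clevis-luks-bind … 2>&1 | vwarn` condition now takes the exit status of `vwarn`, the last pipeline stage, so unless `pipefail` is enabled elsewhere in the script (not visible here) a failed TPM2 bind can still enter the branch that goes on to `cryptsetup luksRemoveKey`. The same masking applies to `clevis-luks-unlock -d "$swapdev" -n "$luksname" 2>&1 | vinfo || die …`, where `die` no longer fires on an unlock failure and `swapdev="$luksdev"` is then set for a mapping that may not exist. Enabling `set -o pipefail` before these commands (restoring the previous setting afterwards if this hook is sourced) would make the logging pipes keep the original failure semantics. The enclosing `if [[ $FOUND ]]` block starts outside the hunk.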
|
@ -373,6 +373,11 @@ echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf
|
|||
mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime
|
||||
ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime
|
||||
|
||||
#---------------
|
||||
# machine-id
|
||||
rm -f "$sysroot"/etc/machine-id
|
||||
ln -fsnr "$sysroot"/var/machine-id "$sysroot"/etc/machine-id
|
||||
|
||||
#---------------
|
||||
# adjtime
|
||||
mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
|
||||
|
@ -453,7 +458,7 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
|
|||
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/var/
|
||||
rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
|
||||
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
|
||||
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -maxdepth 2 -mindepth 1 -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
|
||||
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
|
||||
|
||||
sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
|
||||
|
|
|
@ -60,5 +60,4 @@ C /var/group - - - - -
|
|||
C /var/gshadow - - - - -
|
||||
C /var/subuid - - - - -
|
||||
C /var/subgid - - - - -
|
||||
C /var/etc - - - - -
|
||||
EOF
|
||||
|
|
38
squashfs-size.sh
Executable file
38
squashfs-size.sh
Executable file
|
@ -0,0 +1,38 @@
|
|||
#!/bin/bash
|
||||
|
||||
getbyte () {
|
||||
local IFS= LC_CTYPE=C res c
|
||||
read -r -n 1 -d '' c
|
||||
res=$?
|
||||
# the single quote in the argument of the printf
|
||||
# yields the numeric value of $c (ASCII since LC_CTYPE=C)
|
||||
[[ -n $c ]] && c=$(printf '%u' "'$c") || c=0
|
||||
printf "$c"
|
||||
return $res
|
||||
}
|
||||
|
||||
getword () {
|
||||
local b1 b2 val
|
||||
b1=$(getbyte) || return 1
|
||||
b2=$(getbyte) || return 1
|
||||
(( val = b2 * 256 + b1 ))
|
||||
echo $val
|
||||
return 0
|
||||
}
|
||||
|
||||
getuint () {
|
||||
local b1 b2 val
|
||||
b1=$(getword) || return 1
|
||||
b2=$(getword) || return 1
|
||||
(( val = b2 * 256 * 256 + b1 ))
|
||||
echo $val
|
||||
return 0
|
||||
}
|
||||
|
||||
squashfs_size() {
|
||||
size=$(for i in {1..20}; do getword >/dev/null; done; getuint)
|
||||
echo $(((size+4095)/4096*4096))
|
||||
}
|
||||
|
||||
squashfs_size
|
||||
|
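Review bot: `squashfs_size` discards the failure status of `getuint`, so on a short or empty stdin `size` is empty and the function prints `0` and succeeds; a caller that sizes a partition or verity region from this output cannot tell that the superblock was not read. Declaring `local size` and changing the assignment to `size=$(for i in {1..20}; do getword >/dev/null; done; getuint) || return 1` would propagate the error. The value at byte offset 40 appears to be the superblock's 64-bit bytes-used field, of which only the low 32 bits are read here, so images of 4 GiB or more would presumably be reported too small; that limit is worth a comment. `printf "$c"` in `getbyte` uses the value as the format string and would be safer as `printf '%s' "$c"`.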
93
update.sh
93
update.sh
|
@ -1,5 +1,64 @@
|
|||
#!/bin/bash -ex
|
||||
|
||||
CURDIR=$(pwd)
|
||||
PROGNAME=${0##*/}
|
||||
|
||||
usage() {
|
||||
cat << EOF
|
||||
Usage: $PROGNAME [OPTION]
|
||||
|
||||
-h, --help Display this help
|
||||
--force Update, even if the signature checks fail
|
||||
--dir DIR Update from DIR, instead of downloading
|
||||
EOF
|
||||
}
|
||||
|
||||
TEMP=$(
|
||||
getopt -o '' \
|
||||
--long dir: \
|
||||
--long force \
|
||||
--long nocheck \
|
||||
--long help \
|
||||
-- "$@"
|
||||
)
|
||||
|
||||
if (( $? != 0 )); then
|
||||
usage >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
eval set -- "$TEMP"
|
||||
unset TEMP
|
||||
|
||||
while true; do
|
||||
case "$1" in
|
||||
'--dir')
|
||||
USE_DIR="$(readlink -e $2)"
|
||||
shift 2; continue
|
||||
;;
|
||||
'--force')
|
||||
FORCE="y"
|
||||
shift 1; continue
|
||||
;;
|
||||
'--nocheck')
|
||||
NO_CHECK="y"
|
||||
shift 1; continue
|
||||
;;
|
||||
'--help')
|
||||
usage
|
||||
exit 0
|
||||
;;
|
||||
'--')
|
||||
shift
|
||||
break
|
||||
;;
|
||||
*)
|
||||
echo 'Internal error!' >&2
|
||||
exit 1
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
BASEURL="$1"
|
||||
|
||||
. /etc/os-release
|
||||
|
@ -45,25 +104,37 @@ fi
|
|||
mkdir -p /var/cache/${NAME}
|
||||
cd /var/cache/${NAME}
|
||||
|
||||
curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
|
||||
if ! [[ $USE_DIR ]]; then
|
||||
curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
|
||||
|
||||
IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
|
||||
ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
|
||||
IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
|
||||
ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
|
||||
|
||||
if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
|
||||
if ! [[ $FORCE ]] && [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
|
||||
echo "Already up2date"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
|
||||
[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
|
||||
else
|
||||
IMAGE="$USE_DIR"
|
||||
ROOT_HASH=$(<"$IMAGE"/root-hash.txt)
|
||||
|
||||
if ! [[ $FORCE ]] && [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
|
||||
echo "Already up2date"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
||||
|
||||
[[ -d ${IMAGE} ]]
|
||||
|
||||
cd ${IMAGE}
|
||||
|
||||
# check integrity
|
||||
gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
|
||||
sha512sum -c sha512sum.txt
|
||||
if ! [[ $NO_CHECK ]]; then
|
||||
# check integrity
|
||||
gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
|
||||
sha512sum -c sha512sum.txt
|
||||
fi
|
||||
|
||||
dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
|
||||
dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
|
||||
|
@ -79,5 +150,5 @@ sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
|
|||
mkdir -p /efi/EFI/${NAME}
|
||||
cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
|
||||
|
||||
mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi
|
||||
rm /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
|
||||
mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi || :
|
||||
rm -f /efi/EFI/${NAME}/_${NEW_ROOT_NUM}.efi
|
||||
|
|
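Review bot: The `if ! [[ $NO_CHECK ]]` guard around `gpg2 --verify` and `sha512sum -c` lets `--nocheck` skip all integrity verification before the `dd` writes, yet `usage()` does not list `--nocheck` and instead describes `--force` as "Update, even if the signature checks fail", while `--force` in the code only bypasses the "Already up2date" comparison. The help text should match the code, e.g. `--force Update even if the root hash is unchanged` and `--nocheck Skip signature and checksum verification (unsafe)`. `USE_DIR`, `FORCE` and `NO_CHECK` are not initialised in the visible lines, so a value inherited from the environment would disable verification without any flag being passed; adding `USE_DIR= FORCE= NO_CHECK=` before the `getopt` call closes that. In the `--dir` branch, `readlink -e $2` should be quoted as `readlink -e "$2"`. Whether `root-hash.txt` is covered by `sha512sum.txt` is not visible here and is worth confirming.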