update
parent
55202efcba
commit
2e63e25d7d
|
@ -55,12 +55,14 @@ This is WIP. Please test and report issues, comments or missing components on ht
|
||||||
- dm_verity + squashfs immutable, integrity checked root
|
- dm_verity + squashfs immutable, integrity checked root
|
||||||
- passwd + shadow + group + gshadow decoupled from system in /var
|
- passwd + shadow + group + gshadow decoupled from system in /var
|
||||||
- bind LUKS2 with tpm2 to machine
|
- bind LUKS2 with tpm2 to machine
|
||||||
|
- swap on LUKS2 with tpm2 (no password for resume from disk??)
|
||||||
- /home and /var on single data partition
|
- /home and /var on single data partition
|
||||||
|
|
||||||
## Known Failures
|
## Known Failures
|
||||||
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
|
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
|
||||||
cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
|
cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
|
||||||
- gnome-software: can't update firmware repo
|
- gnome-software: can't update firmware repo
|
||||||
|
- systemd: failed to umount /var
|
||||||
|
|
||||||
## Create
|
## Create
|
||||||
|
|
||||||
|
|
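--- a/clonedisk.sh
+++ b/clonedisk.sh
@@ -107,18 +107,21 @@ fi
 
 if ! [[ $UPDATE ]]; then
 
+udevadm settle
 wipefs --all "$OUT"
 
+udevadm settle
 sfdisk -W always -w always "$OUT" << EOF
 label: gpt
 size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
-size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
+size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
 size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$(blkid -o value -s PARTUUID ${IN}3)
-size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2"
+size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2"
 size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root2"
-size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4f, name="swap"
+size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4e, name="swap"
 type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
 EOF
+udevadm settle
 fi
 
 OUT_DEV=$OUT
@@ -136,9 +139,11 @@ for i in 1 2 3; do
 done
 
 if ! [[ $UPDATE ]]; then
+swapoff ${OUT}6 || :
 # ------------------------------------------------------------------------------
 # swap
-mkswap -L swap ${OUT}6
+echo -n "zero key" \
+| cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin
 
 # ------------------------------------------------------------------------------
 # data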
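Review bot: The swap partition's type GUID on the new side, `0657fd6d-a4ab-43c4-84e5-0933c84b4f4e`, differs in its last nibble from the well-known Linux swap type `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f` that the old line used, so anything that keys on the type (systemd's gpt-auto generator, partitioning tools) will no longer treat it as swap; if that is deliberate, because the partition is now a LUKS container that pre-pivot.sh unlocks itself, the sfdisk line needs a comment such as `# deliberately not the real swap type GUID: gpt-auto must not swapon the LUKS container`, otherwise restore `...4f4f`. The `echo -n "zero key" | cryptsetup luksFormat ...` line seals the partition with a fixed, public bootstrap passphrase, which is only acceptable because pre-pivot.sh is expected to replace it with a TPM2 binding on first boot; that contract deserves a comment at the luksFormat call, e.g. `# bootstrap passphrase, removed by pre-pivot.sh once clevis has bound the volume to the TPM2`. Unless luksFormat is given `-q`/`--batch-mode` it asks for confirmation on the controlling tty, which a non-interactive run cannot answer. The enclosing `if ! [[ $UPDATE ]]` block continues outside the hunk.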
@ -3,7 +3,7 @@ systemd-bootchart
|
||||||
grubby
|
grubby
|
||||||
grub*
|
grub*
|
||||||
plymouth
|
plymouth
|
||||||
device-mapper-multipath
|
|
||||||
selinux-policy-targeted
|
selinux-policy-targeted
|
||||||
libselinux-utils
|
libselinux-utils
|
||||||
httpd
|
httpd
|
||||||
|
gnome-boxes
|
||||||
|
|
|
@ -66,3 +66,7 @@ nss-mdns
|
||||||
@development-libs
|
@development-libs
|
||||||
@c-development
|
@c-development
|
||||||
man-db
|
man-db
|
||||||
|
nautilus
|
||||||
|
rpcbind
|
||||||
|
nfs-utils
|
||||||
|
autofs
|
||||||
|
|
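--- a/pre-pivot.sh
+++ b/pre-pivot.sh
@@ -39,12 +39,56 @@ done
 
 disk=${d%-part*}
 
+unset FOUND
+for swapdev in $disk*; do
+[[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
+FOUND=1
+break
+done
+
+if [[ $FOUND ]]; then
+if cryptsetup isLuks --type luks2 "$swapdev"; then
+luksname=swap
+luksdev=/dev/mapper/$luksname
+
+if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
+udevadm settle --exit-if-exists=/dev/tpmrm0
+export TPM2TOOLS_TCTI_NAME=device
+export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
+
+if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}'; then
+clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
+elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
+clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
+else
+warn "Failed to bind swap disk to TPM2"
+fi
+else
+clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
+fi
+swapdev="$luksdev"
+fi
+
+swaptype=$(blkid -o value -s TYPE "$swapdev")
+[[ $swaptype == "swsuspend" ]] && \
+/usr/lib/systemd/systemd-hibernate-resume "$swapdev"
+
+[[ $swaptype != "swap" ]] && \
+mkswap "$swapdev"
+
+swapon "$swapdev"
+fi
+
+
 unset FOUND
 for datadev in $disk*; do
 [[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
 FOUND=1
 break
 done
+[[ $FOUND ]] || die "No data disk found"
 
 if cryptsetup isLuks --type luks2 "$datadev"; then
 #luksname=luks-$(blkid -o value -s UUID "$datadev")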
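Review bot: In the `else` branch after `warn "Failed to bind swap disk to TPM2"` the script still falls through to `swapdev="$luksdev"`, so `blkid`, `mkswap` and `swapon` then run against `/dev/mapper/swap`, which was never opened, and the partition keeps the bootstrap passphrase `zero key` that the two success paths remove with `luksRemoveKey` — a device whose TPM2 binding failed is left protected only by a passphrase that is checked into this repository. Suggest clearing `FOUND` on bind failure and gating the resume/mkswap/swapon block on it, so swap simply stays off until the binding works, and folding the two bind attempts into one `||` condition so the unlock/remove pair is written once. `die` and `warn` are defined outside the hunk, and the rendered diff has lost the original indentation.

```shell
if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
    # … unchanged: udevadm settle / TPM2TOOLS_* exports …
    if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}' \
       || echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
        clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
        # drop the public bootstrap passphrase only once the TPM2 slot is in place
        echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
    else
        warn "Failed to bind swap disk to TPM2, leaving swap disabled"
        unset FOUND
    fi
else
    clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
fi
swapdev="$luksdev"
fi   # cryptsetup isLuks
fi   # FOUND (swap partition present)

if [[ $FOUND ]]; then
    # … unchanged: swaptype / systemd-hibernate-resume / mkswap / swapon …
fi
```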
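--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -7,14 +7,15 @@ Usage: $PROGNAME [OPTION]
 
 Creates a directory with a readonly root on squashfs, a dm_verity file and an EFI executable
 
--h, --help Display this help
+--help Display this help
--p, --pkglist FILE The packages to install read from FILE (default: pkglist.txt)
+--pkglist FILE The packages to install read from FILE (default: pkglist.txt)
--e, --excludelist FILE The packages to install read from FILE (default: excludelist.txt)
+--excludelist FILE The packages to install read from FILE (default: excludelist.txt)
--r, --releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
+--releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
--o, --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
+--outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
--n, --name NAME The NAME of the product (default: FedoraBook)
+--name NAME The NAME of the product (default: FedoraBook)
--l, --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
+--logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
---noupdate Do not install from Fedora Updates
+--gpgkey FILE Use FILE as the signing gpg key
+--noupdate Do not install from Fedora Updates
 EOF
 }
 
@@ -25,7 +26,7 @@ BASEDIR=${0%/*}
 WITH_UPDATES=1
 
 TEMP=$(
-getopt -o 'p:o:n:r:l:e:' \
+getopt -o '' \
 --long pkglist: \
 --long excludelist: \
 --long outdir: \
@@ -48,7 +49,7 @@ unset NAME
 
 while true; do
 case "$1" in
-'-p'|'--pkglist')
+'--pkglist')
 if [[ -f $2 ]]; then
 PKGLIST=$(<$2)
 else
@@ -56,7 +57,7 @@ while true; do
 fi
 shift 2; continue
 ;;
-'-e'|'--excludelist')
+'--excludelist')
 if [[ -f $2 ]]; then
 EXCLUDELIST=$(<$2)
 else
@@ -64,22 +65,26 @@ while true; do
 fi
 shift 2; continue
 ;;
-'-o'|'--outdir')
+'--outdir')
 OUTDIR="$2"
 shift 2; continue
 ;;
-'-n'|'--name')
+'--name')
 NAME="$2"
 shift 2; continue
 ;;
-'-r'|'--releasever')
+'--releasever')
 RELEASEVER="$2"
 shift 2; continue
 ;;
-'-l'|'--logo')
+'--logo')
 LOGO="$2"
 shift 2; continue
 ;;
+'--gpgkey')
+GPGKEY="$2"
+shift 2; continue
+;;
 '--noupdates')
 unset WITH_UPDATES
 shift 1; continue
@@ -100,6 +105,7 @@ NAME=${NAME:-"FedoraBook"}
 RELEASEVER=${RELEASEVER:-$VERSION_ID}
 VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')"
 OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
+GPGKEY=${GPGKEY:-${NAME}.gpg}
 
 [[ $TMPDIR ]] || TMPDIR=/var/tmp
 readonly TMPDIR="$(realpath -e "$TMPDIR")"
@@ -168,6 +174,7 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
 xfsprogs \
 pciutils \
 microcode_ctl \
+nss-altfiles \
 nss_db \
 keyutils \
 make \
@@ -189,8 +196,23 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
 dbus-broker \
 tar \
 gzip \
+p11-kit \
+efibootmgr \
+jq \
+gnupg2 \
 $PKGLIST
 
+for i in passwd shadow group gshadow subuid subgid; do
+[[ -e "$sysroot"/etc/${i}.rpmnew ]] || continue
+while read line || [[ $line ]]; do
+IFS=: read user _ <<<$line
+grep -E -q "^$user:" "$sysroot"/etc/${i} && continue
+echo "$line" >> "$sysroot"/etc/${i}
+done <"$sysroot"/etc/${i}.rpmnew
+done
+
+find "$sysroot" -name '*.rpmnew' -print0 | xargs -0 rm -fv
+
 # We need to preserve old uid/gid
 mkdir -p ${BASEDIR}/${NAME}
 for i in passwd shadow group gshadow subuid subgid; do
@@ -199,6 +221,9 @@ done
 
 cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
 cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
+cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
+mkdir -p "$sysroot"/etc/pki/${NAME}
+cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY
 
 rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
 mkdir -p "$sysroot"/overlay/efi
@@ -218,12 +243,12 @@ chroot "$sysroot" \
 dracut -N --kver $KVER --force \
 --filesystems "squashfs vfat xfs" \
 --add-drivers "=drivers/char/tpm" \
--m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo" \
+-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume" \
 --install /usr/lib/systemd/systemd-veritysetup \
 --install /usr/lib/systemd/system-generators/systemd-veritysetup-generator \
 --install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
 --install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
---install "cryptsetup tail sort pwmake mktemp " \
+--install "cryptsetup tail sort pwmake mktemp swapon" \
 --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
 --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
 --install "strace" \
@@ -239,7 +264,6 @@ chroot "$sysroot" \
 --install /usr/lib/systemd/system/basic.target.wants/rngd.service
 
 rm "$sysroot"/pre-pivot.sh
-#bash -i
 
 umount "$sysroot"/var/cache/dnf
 
@@ -297,24 +321,69 @@ C /var/etc/libvirt - - - - -
 EOF
 fi
 
-. "${BASEDIR}"/quirks/nss_db.sh
+. "${BASEDIR}"/quirks/nss.sh
 
 #---------------
 # resolv.conf
 ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf
 echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf
-ln -sfrn "$sysroot"/var/etc/hostname "$sysroot"/etc/hostname
+
-echo "FedoraBook" > "$sysroot"/usr/share/factory/var/etc/hostname
+#---------------
+# hostname
+ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname
+echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname
 
 #---------------
 # vconsole.conf
-ln -fsnr "$sysroot"/var/etc/vconsole.conf "$sysroot"/etc/vconsole.conf
+ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf
-echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/etc/vconsole.conf
+echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf
 
 #---------------
 # locale.conf
-ln -fsnr "$sysroot"/var/etc/locale.conf "$sysroot"/etc/locale.conf
+ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf
-echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/etc/locale.conf
+echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf
 
+#---------------
+# localtime
+mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime
+ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime
+
+#---------------
+# adjtime
+mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
+ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime
+
+sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed
+sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' "$sysroot"/usr/lib/systemd/systemd-timedated
+
+sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service
+sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-timedated.service
+
+cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
+C /var/hostname - - - - -
+C /var/vconsole.conf - - - - -
+C /var/locale.conf - - - - -
+C /var/localtime - - - - -
+C /var/adjtime - - - - -
+EOF
+
+
+#---------------
+# X11
+if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then
+mkdir -p "$sysroot"/usr/share/factory/var/etc
+mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/var/etc/X11
+ln -fsnr "$sysroot"/var/etc/X11 "$sysroot"/etc/X11
+cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF
+C /var/etc/X11 - - - - -
+EOF
+fi
+
+#---------------
+# autofs
+if [[ -f "$sysroot"/etc/autofs.conf ]]; then
+mkdir -p "$sysroot"/net
+fi
+
 #---------------
 # udev dri/card0
@@ -394,7 +463,7 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
 
 # ------------------------------------------------------------------------------
 # make bootx64.efi
-echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID resume=PARTLABEL=swap raid=noautodetect" > "$MY_TMPDIR"/options.txt
+echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID raid=noautodetect" > "$MY_TMPDIR"/options.txt
 echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
 objcopy \
 --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
@@ -416,5 +485,14 @@ mv "$MY_TMPDIR"/root-hash.txt \
 "$MY_TMPDIR"/initrd \
 "$OUTDIR"
 
-tar cf - -C "${OUTDIR%/*}" "${OUTDIR##*/}" | pigz -c > "$OUTDIR".tgz
+chown -R "$USER" "$OUTDIR"
-echo "$ROOT_HASH ${NAME}-${VERSION_ID}" > "${OUTDIR%/*}/${NAME}-latest.txt"
+
+cat > "${OUTDIR%/*}/${NAME}-latest.json" <<EOF
+{
+"roothash": "$ROOT_HASH",
+"name" : "${NAME}",
+"version" : "${VERSION_ID}"
+}
+EOF
+
+chown "$USER" "${OUTDIR%/*}/${NAME}-latest.json"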
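Review bot: The two `sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service` / `...systemd-timedated.service` lines in the hostname/locale hunk (@ -297) are missing the `"$sysroot"` prefix, so they rewrite the build host's own unit files and leave the image's units untouched; every neighbouring sed in that hunk targets `"$sysroot"/usr/lib/...`, so these should be `"$sysroot"/usr/lib/systemd/system/systemd-localed.service` and `"$sysroot"/usr/lib/systemd/system/systemd-timedated.service`. In the @ -199 hunk the added `cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update` duplicates the context line directly above it. The `--gpgkey` help text calls FILE "the signing gpg key", but the file is copied verbatim into the image as `/etc/pki/${NAME}/GPG-KEY`, where update.sh uses it as the keyring for `gpg2 --verify`, so it should read `--gpgkey FILE Public keyring used by update.sh to verify images (default: NAME.gpg)` to make clear that a private key must never be passed here. The `tar ... | pigz` line that produced `"$OUTDIR".tgz` is removed, yet update.sh still fetches `${IMAGE}.tgz` and expects `sha512sum.txt` and `sha512sum.txt.sig` inside it; if packaging and signing moved to a separate step, a comment at the `${NAME}-latest.json` block saying so would save the next reader the search.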
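--- /dev/null
+++ b/quirks/nss-altfiles.sh
@@ -0,0 +1,50 @@
+
+sed -i -e 's#^\(passwd:.*\) files#\1 altfiles files#g;s#^\(shadow:.*\) files#\1 altfiles files#g;s#^\(group:.*\) files#\1 altfiles files#g' \
+"$sysroot"/etc/nsswitch.conf
+
+chroot "$sysroot" bash -c 'useradd -G wheel admin'
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
+
+sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
+sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
+
+chroot "$sysroot" bash -c 'mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
+mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
+mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
+chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
+chroot "$sysroot" bash -c 'passwd -e admin'
+
+mkdir -p "$sysroot"/usr/share/factory/var
+mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
+
+sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
+
+for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
+ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
+done
+
+sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
+sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
+"$sysroot"/lib*/libc.so.* \
+"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
+
+[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$sysroot"/usr/lib*/librpmostree-1.so.1
+
+mkdir -p "$sysroot"/usr/share/factory/home
+cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
+chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
+
+cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
+C /data/home/admin - - - - -
+C /data/var/passwd - - - - -
+C /data/var/shadow - - - - -
+C /data/var/group - - - - -
+C /data/var/gshadow - - - - -
+C /data/var/subuid - - - - -
+C /data/var/subgid - - - - -
+C /data/var/etc - - - - -
+EOF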
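Review bot: `chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin` hard-codes the uid/gid of `admin`, which is whatever the second `useradd admin` was handed once `/etc/passwd` had been emptied (presumably the image's UID_MIN, but nothing here pins it); capture it while the passwd file is still in place, e.g. `admin_uid=$(chroot "$sysroot" id -u admin)` right after the `useradd admin; usermod ...` line, and use `chown -R "+${admin_uid}.+${admin_uid}" ...` later. This file is not sourced anywhere in the commit — prepare-root.sh switches to `quirks/nss.sh`, which repeats nearly the same sequence with a different nsswitch ordering — so it looks like a leftover; if both variants are meant to stay, a header comment stating which one is active and why would help. The `sed -i` lines over `libc.so.*`, `libsystemd-shared*.so` and `pam_unix.so` patch path strings inside binaries; a comment such as `# binary patch: replacement must stay the same length as the original path` would stop a future edit from corrupting them. `egrep` is the deprecated spelling of `grep -E`.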
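--- /dev/null
+++ b/quirks/nss.sh
@@ -0,0 +1,52 @@
+sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
+"$sysroot"/etc/nsswitch.conf
+mkdir -p "$sysroot"/usr/db
+sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
+
+chroot "$sysroot" bash -c 'useradd -G wheel admin'
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
+egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
+
+sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
+sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
+
+chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
+
+mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
+mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
+chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
+chroot "$sysroot" bash -c 'passwd -e admin'
+
+mkdir -p "$sysroot"/usr/share/factory/var
+mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
+
+sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
+
+for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
+ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
+done
+
+sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
+sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
+sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
+"$sysroot"/lib*/libc.so.* \
+"$sysroot"/usr/lib*/librpmostree-1.so.1 \
+"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
+
+
+mkdir -p "$sysroot"/usr/share/factory/home
+cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
+chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
+
+cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
+C /data/home/admin - - - - -
+C /data/var/passwd - - - - -
+C /data/var/shadow - - - - -
+C /data/var/group - - - - -
+C /data/var/gshadow - - - - -
+C /data/var/subuid - - - - -
+C /data/var/subgid - - - - -
+C /data/var/etc - - - - -
+EOF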
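Review bot: The passwd entry in the first `sed -i` writes `files db altfile` while the shadow and group entries write `files altfiles db`; the NSS module is `altfiles` (libnss_altfiles), so glibc will not find a service called `altfile` and passwd lookups silently skip the accounts that were moved to `/lib` — the substitution should be `s#^\(passwd:.*\) files#\1 files altfiles db#g`, and the same typo is in the headerless `@ -1,4 +1,5` hunk of quirks/nss_db.sh further down this page. The three entries also differ in where `altfiles` sits relative to `db`, which changes lookup precedence between passwd and shadow/group; a one-line comment stating the intended order would stop the next edit from "fixing" it the wrong way. The `.pwd.lock` sed names `"$sysroot"/usr/lib*/librpmostree-1.so.1` unconditionally, whereas quirks/nss-altfiles.sh guards the same file with `[[ -e ... ]] &&`; if rpm-ostree is not in the package set the unmatched glob makes sed fail on that operand. `chown -R +1000.+1000` hard-codes the admin uid/gid, see the note on the same line in quirks/nss-altfiles.sh.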
@ -1,4 +1,5 @@
|
||||||
sed -i -e 's#files#files db#g' "$sysroot"/etc/nsswitch.conf
|
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
|
||||||
|
"$sysroot"/etc/nsswitch.conf
|
||||||
mkdir -p "$sysroot"/usr/db
|
mkdir -p "$sysroot"/usr/db
|
||||||
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
||||||
|
|
||||||
|
@ -9,7 +10,8 @@ egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
|
||||||
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||||
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||||
|
|
||||||
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||||
|
|
||||||
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
||||||
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
||||||
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
||||||
|
|
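--- a/update.sh
+++ b/update.sh
@@ -45,29 +45,33 @@ fi
 mkdir -p /var/cache/${NAME}
 cd /var/cache/${NAME}
 
-curl ${BASEURL}/${NAME}-latest.txt --output ${NAME}-latest.txt
+curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
 
-RELEASE=$(read a b <${NAME}-latest.txt ; echo -n $b)
+IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
-ROOT_HASH=$(read a b <${NAME}-latest.txt; echo -n $a)
+ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
 
-ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
+if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
-HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
-
-if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]] || [[ ${NAME}-${VERSION_ID} == $RELEASE ]]; then
 echo "Already up2date"
 exit 1
 fi
 
-curl ${BASEURL}/${RELEASE}.tgz | tar xzf -
+[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
 
-[[ -d ${RELEASE} ]]
+[[ -d ${IMAGE} ]]
 
-cd ${RELEASE}
+cd ${IMAGE}
 
+# check integrity
+gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
+sha512sum -c sha512sum.txt
+
 dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
 dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
 
 # set the new partition uuids
+ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
+HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
+
 sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID}
 sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
 
@@ -77,4 +81,4 @@ cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
 
 ## unless proper boot entries set, just force copy to default boot loader
 cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
-mv --backup=numbered /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
+mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi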
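Review bot: The results of `gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt` and `sha512sum -c sha512sum.txt` are not checked; unless the script runs under `set -e` (its header is outside the hunk, and the bare `[[ -d ${IMAGE} ]]` line suggests it may), a bad signature or checksum still reaches the two `dd` lines that overwrite the spare verity and root partitions, so write them as `gpg2 ... || exit 1` and `sha512sum -c sha512sum.txt || exit 1` (or whatever error helper the script uses) so the integrity gate does not depend on shell options. `${NAME}-latest.json` itself is fetched with `curl` without `--fail` and is not covered by the signature, so whoever controls `${BASEURL}` or the path to it can point the client at any older, still validly signed image (a rollback) or serve an empty file that makes `jq` yield `null`; carrying `name`/`version` inside the signed `sha512sum.txt` and refusing an `IMAGE` that is not newer than `${NAME}-${VERSION_ID}` would close that gap. `--backup=simple` on the final `mv` keeps only one previous `bootx64.efi`, so two consecutive updates discard the last known-good loader; if that is the intent, the comment above the `cp` should say so.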