update
This commit is contained in:
parent
55202efcba
commit
2e63e25d7d
|
@ -55,12 +55,14 @@ This is WIP. Please test and report issues, comments or missing components on ht
|
|||
- dm_verity + squashfs immutable, integrity checked root
|
||||
- passwd + shadow + group + gshadow decoupled from system in /var
|
||||
- bind LUKS2 with tpm2 to machine
|
||||
- swap on LUKS2 with tpm2 (no password for resume from disk??)
|
||||
- /home and /var on single data partition
|
||||
|
||||
## Known Failures
|
||||
- no kernel command line on DELL ( you need a newer systemd https://github.com/systemd/systemd/pull/10001 )
|
||||
cp linuxx64.efi.stub to this git repo dir from a compiled upstream systemd
|
||||
- gnome-software: can't update firmware repo
|
||||
- systemd: failed to umount /var
|
||||
|
||||
## Create
|
||||
|
||||
|
|
13
clonedisk.sh
13
clonedisk.sh
|
@ -107,18 +107,21 @@ fi
|
|||
|
||||
if ! [[ $UPDATE ]]; then
|
||||
|
||||
udevadm settle
|
||||
wipefs --all "$OUT"
|
||||
|
||||
udevadm settle
|
||||
sfdisk -W always -w always "$OUT" << EOF
|
||||
label: gpt
|
||||
size=512MiB, type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
|
||||
size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
|
||||
size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$(blkid -o value -s PARTUUID ${IN}2)
|
||||
size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root1", uuid=$(blkid -o value -s PARTUUID ${IN}3)
|
||||
size=256M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2"
|
||||
size=64M, type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver2"
|
||||
size=4GiB, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, name="root2"
|
||||
size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4f, name="swap"
|
||||
size=${mem}GiB, type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4e, name="swap"
|
||||
type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
|
||||
EOF
|
||||
udevadm settle
|
||||
fi
|
||||
|
||||
OUT_DEV=$OUT
|
||||
|
@ -136,9 +139,11 @@ for i in 1 2 3; do
|
|||
done
|
||||
|
||||
if ! [[ $UPDATE ]]; then
|
||||
swapoff ${OUT}6 || :
|
||||
# ------------------------------------------------------------------------------
|
||||
# swap
|
||||
mkswap -L swap ${OUT}6
|
||||
echo -n "zero key" \
|
||||
| cryptsetup luksFormat --type luks2 ${OUT}6 /dev/stdin
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# data
|
||||
|
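Review bot: The swap entry in the sfdisk heredoc changes its type from `0657fd6d-a4ab-43c4-84e5-0933c84b4f4f`, the well-known Linux swap GUID, to `0657fd6d-a4ab-43c4-84e5-0933c84b4f4e`, which is not a registered type; if that is deliberate (e.g. so the raw, now LUKS-wrapped partition is not auto-activated as plain swap by type-GUID discovery) it needs a comment such as `# not the standard swap GUID on purpose: the partition holds LUKS2, pre-pivot.sh finds it by PARTLABEL`, otherwise it reads as a one-nibble typo. pre-pivot.sh locates swap by `PARTLABEL=swap`, not by type, so the boot path works either way. In the second hunk, `mkswap -L swap ${OUT}6` is now immediately overwritten by `cryptsetup luksFormat` on the same device, so the mkswap (and its label) is dead work; the inner swap is created at first boot by pre-pivot.sh. The fixed passphrase `"zero key"` piped into luksFormat is duplicated verbatim in pre-pivot.sh, where it is meant to be removed after TPM2 binding; define it once or document that the two must match so they cannot drift.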
|
|
@ -3,7 +3,7 @@ systemd-bootchart
|
|||
grubby
|
||||
grub*
|
||||
plymouth
|
||||
device-mapper-multipath
|
||||
selinux-policy-targeted
|
||||
libselinux-utils
|
||||
httpd
|
||||
gnome-boxes
|
||||
|
|
|
@ -66,3 +66,7 @@ nss-mdns
|
|||
@development-libs
|
||||
@c-development
|
||||
man-db
|
||||
nautilus
|
||||
rpcbind
|
||||
nfs-utils
|
||||
autofs
|
||||
|
|
44
pre-pivot.sh
44
pre-pivot.sh
|
@ -39,12 +39,56 @@ done
|
|||
|
||||
disk=${d%-part*}
|
||||
|
||||
unset FOUND
|
||||
for swapdev in $disk*; do
|
||||
[[ $(blkid -o value -s PARTLABEL "$swapdev") == "swap" ]] || continue
|
||||
FOUND=1
|
||||
break
|
||||
done
|
||||
|
||||
if [[ $FOUND ]]; then
|
||||
if cryptsetup isLuks --type luks2 "$swapdev"; then
|
||||
luksname=swap
|
||||
luksdev=/dev/mapper/$luksname
|
||||
|
||||
if ! cryptsetup luksDump "$swapdev" | grep -F -q clevis ; then
|
||||
udevadm settle --exit-if-exists=/dev/tpmrm0
|
||||
export TPM2TOOLS_TCTI_NAME=device
|
||||
export TPM2TOOLS_DEVICE_FILE=/dev/tpmrm0
|
||||
|
||||
if echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7"}'; then
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
|
||||
elif echo -n "zero key" | clevis-luks-bind -f -k - -d "$swapdev" tpm2 '{"pcr_ids":"7","key":"rsa"}'; then
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
echo -n "zero key" | cryptsetup luksRemoveKey "$swapdev" /dev/stdin || die "Failed to remove key from LUKS"
|
||||
else
|
||||
warn "Failed to bind swap disk to TPM2"
|
||||
fi
|
||||
else
|
||||
clevis-luks-unlock -d "$swapdev" -n "$luksname" || die "Failed to unlock $swapdev"
|
||||
fi
|
||||
swapdev="$luksdev"
|
||||
fi
|
||||
|
||||
swaptype=$(blkid -o value -s TYPE "$swapdev")
|
||||
[[ $swaptype == "swsuspend" ]] && \
|
||||
/usr/lib/systemd/systemd-hibernate-resume "$swapdev"
|
||||
|
||||
[[ $swaptype != "swap" ]] && \
|
||||
mkswap "$swapdev"
|
||||
|
||||
swapon "$swapdev"
|
||||
fi
|
||||
|
||||
|
||||
unset FOUND
|
||||
for datadev in $disk*; do
|
||||
[[ $(blkid -o value -s PARTLABEL "$datadev") == "data" ]] || continue
|
||||
FOUND=1
|
||||
break
|
||||
done
|
||||
[[ $FOUND ]] || die "No data disk found"
|
||||
|
||||
if cryptsetup isLuks --type luks2 "$datadev"; then
|
||||
#luksname=luks-$(blkid -o value -s UUID "$datadev")
|
||||
|
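Review bot: After `warn "Failed to bind swap disk to TPM2"` control still reaches `swapdev="$luksdev"` and then runs `blkid`, `mkswap` and `swapon` against /dev/mapper/swap, which was never opened in that branch, so the fallback fails later with an unrelated error instead of at the bind. If the warn is meant to keep the boot going, swap activation must be skipped in that branch; if not, it should be `die`. A minimal guard is to replace `swapdev="$luksdev"` with `[[ -b "$luksdev" ]] || die "swap volume $swapdev is LUKS but was not opened"` followed by the original assignment. Also worth a comment at the top of this block: until `cryptsetup luksRemoveKey` succeeds the volume stays openable with the fixed passphrase `"zero key"` that clonedisk.sh used for luksFormat, so a failed bind leaves swap protected only by that public value. The hunk starts at `disk=${d%-part*}`; whatever loop or function encloses it is outside the hunk.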
|
134
prepare-root.sh
134
prepare-root.sh
|
@ -7,14 +7,15 @@ Usage: $PROGNAME [OPTION]
|
|||
|
||||
Creates a directory with a readonly root on squashfs, a dm_verity file and an EFI executable
|
||||
|
||||
-h, --help Display this help
|
||||
-p, --pkglist FILE The packages to install read from FILE (default: pkglist.txt)
|
||||
-e, --excludelist FILE The packages to install read from FILE (default: excludelist.txt)
|
||||
-r, --releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
|
||||
-o, --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
|
||||
-n, --name NAME The NAME of the product (default: FedoraBook)
|
||||
-l, --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
|
||||
--noupdate Do not install from Fedora Updates
|
||||
--help Display this help
|
||||
--pkglist FILE The packages to install read from FILE (default: pkglist.txt)
|
||||
--excludelist FILE The packages to install read from FILE (default: excludelist.txt)
|
||||
--releasever NUM Used Fedora release version NUM (default: $VERSION_ID)
|
||||
--outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
|
||||
--name NAME The NAME of the product (default: FedoraBook)
|
||||
--logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
|
||||
--gpgkey FILE Use FILE as the signing gpg key
|
||||
--noupdate Do not install from Fedora Updates
|
||||
EOF
|
||||
}
|
||||
|
||||
|
@ -25,7 +26,7 @@ BASEDIR=${0%/*}
|
|||
WITH_UPDATES=1
|
||||
|
||||
TEMP=$(
|
||||
getopt -o 'p:o:n:r:l:e:' \
|
||||
getopt -o '' \
|
||||
--long pkglist: \
|
||||
--long excludelist: \
|
||||
--long outdir: \
|
||||
|
@ -48,7 +49,7 @@ unset NAME
|
|||
|
||||
while true; do
|
||||
case "$1" in
|
||||
'-p'|'--pkglist')
|
||||
'--pkglist')
|
||||
if [[ -f $2 ]]; then
|
||||
PKGLIST=$(<$2)
|
||||
else
|
||||
|
@ -56,7 +57,7 @@ while true; do
|
|||
fi
|
||||
shift 2; continue
|
||||
;;
|
||||
'-e'|'--excludelist')
|
||||
'--excludelist')
|
||||
if [[ -f $2 ]]; then
|
||||
EXCLUDELIST=$(<$2)
|
||||
else
|
||||
|
@ -64,22 +65,26 @@ while true; do
|
|||
fi
|
||||
shift 2; continue
|
||||
;;
|
||||
'-o'|'--outdir')
|
||||
'--outdir')
|
||||
OUTDIR="$2"
|
||||
shift 2; continue
|
||||
;;
|
||||
'-n'|'--name')
|
||||
'--name')
|
||||
NAME="$2"
|
||||
shift 2; continue
|
||||
;;
|
||||
'-r'|'--releasever')
|
||||
'--releasever')
|
||||
RELEASEVER="$2"
|
||||
shift 2; continue
|
||||
;;
|
||||
'-l'|'--logo')
|
||||
'--logo')
|
||||
LOGO="$2"
|
||||
shift 2; continue
|
||||
;;
|
||||
'--gpgkey')
|
||||
GPGKEY="$2"
|
||||
shift 2; continue
|
||||
;;
|
||||
'--noupdates')
|
||||
unset WITH_UPDATES
|
||||
shift 1; continue
|
||||
|
@ -100,6 +105,7 @@ NAME=${NAME:-"FedoraBook"}
|
|||
RELEASEVER=${RELEASEVER:-$VERSION_ID}
|
||||
VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')"
|
||||
OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
|
||||
GPGKEY=${GPGKEY:-${NAME}.gpg}
|
||||
|
||||
[[ $TMPDIR ]] || TMPDIR=/var/tmp
|
||||
readonly TMPDIR="$(realpath -e "$TMPDIR")"
|
||||
|
@ -168,6 +174,7 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
|
|||
xfsprogs \
|
||||
pciutils \
|
||||
microcode_ctl \
|
||||
nss-altfiles \
|
||||
nss_db \
|
||||
keyutils \
|
||||
make \
|
||||
|
@ -189,8 +196,23 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
|
|||
dbus-broker \
|
||||
tar \
|
||||
gzip \
|
||||
p11-kit \
|
||||
efibootmgr \
|
||||
jq \
|
||||
gnupg2 \
|
||||
$PKGLIST
|
||||
|
||||
for i in passwd shadow group gshadow subuid subgid; do
|
||||
[[ -e "$sysroot"/etc/${i}.rpmnew ]] || continue
|
||||
while read line || [[ $line ]]; do
|
||||
IFS=: read user _ <<<$line
|
||||
grep -E -q "^$user:" "$sysroot"/etc/${i} && continue
|
||||
echo "$line" >> "$sysroot"/etc/${i}
|
||||
done <"$sysroot"/etc/${i}.rpmnew
|
||||
done
|
||||
|
||||
find "$sysroot" -name '*.rpmnew' -print0 | xargs -0 rm -fv
|
||||
|
||||
# We need to preserve old uid/gid
|
||||
mkdir -p ${BASEDIR}/${NAME}
|
||||
for i in passwd shadow group gshadow subuid subgid; do
|
||||
|
@ -199,6 +221,9 @@ done
|
|||
|
||||
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
|
||||
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
|
||||
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
|
||||
mkdir -p "$sysroot"/etc/pki/${NAME}
|
||||
cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY
|
||||
|
||||
rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
|
||||
mkdir -p "$sysroot"/overlay/efi
|
||||
|
@ -218,12 +243,12 @@ chroot "$sysroot" \
|
|||
dracut -N --kver $KVER --force \
|
||||
--filesystems "squashfs vfat xfs" \
|
||||
--add-drivers "=drivers/char/tpm" \
|
||||
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo" \
|
||||
-m "bash systemd systemd-initrd modsign crypt dm kernel-modules qemu rootfs-block udev-rules dracut-systemd base fs-lib shutdown terminfo resume" \
|
||||
--install /usr/lib/systemd/systemd-veritysetup \
|
||||
--install /usr/lib/systemd/system-generators/systemd-veritysetup-generator \
|
||||
--install "clonedisk wipefs sfdisk dd mkfs.xfs mkswap chroot mountpoint mkdir stat openssl" \
|
||||
--install "clevis clevis-luks-bind jose clevis-encrypt-tpm2 clevis-decrypt clevis-luks-unlock clevis-decrypt-tpm2" \
|
||||
--install "cryptsetup tail sort pwmake mktemp " \
|
||||
--install "cryptsetup tail sort pwmake mktemp swapon" \
|
||||
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
|
||||
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
|
||||
--install "strace" \
|
||||
|
@ -239,7 +264,6 @@ chroot "$sysroot" \
|
|||
--install /usr/lib/systemd/system/basic.target.wants/rngd.service
|
||||
|
||||
rm "$sysroot"/pre-pivot.sh
|
||||
#bash -i
|
||||
|
||||
umount "$sysroot"/var/cache/dnf
|
||||
|
||||
|
@ -297,24 +321,69 @@ C /var/etc/libvirt - - - - -
|
|||
EOF
|
||||
fi
|
||||
|
||||
. "${BASEDIR}"/quirks/nss_db.sh
|
||||
. "${BASEDIR}"/quirks/nss.sh
|
||||
|
||||
#---------------
|
||||
# resolv.conf
|
||||
ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf
|
||||
echo 'f /run/NetworkManager/resolv.conf 0755 root root - ' >> "$sysroot"/usr/lib/tmpfiles.d/resolv.conf
|
||||
ln -sfrn "$sysroot"/var/etc/hostname "$sysroot"/etc/hostname
|
||||
echo "FedoraBook" > "$sysroot"/usr/share/factory/var/etc/hostname
|
||||
|
||||
#---------------
|
||||
# hostname
|
||||
ln -sfrn "$sysroot"/var/hostname "$sysroot"/etc/hostname
|
||||
echo "FedoraBook" > "$sysroot"/usr/share/factory/var/hostname
|
||||
|
||||
#---------------
|
||||
# vconsole.conf
|
||||
ln -fsnr "$sysroot"/var/etc/vconsole.conf "$sysroot"/etc/vconsole.conf
|
||||
echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/etc/vconsole.conf
|
||||
ln -fsnr "$sysroot"/var/vconsole.conf "$sysroot"/etc/vconsole.conf
|
||||
echo -e 'FONT=latarcyrheb-sun16\nKEYMAP=us' > "$sysroot"/usr/share/factory/var/vconsole.conf
|
||||
|
||||
#---------------
|
||||
# locale.conf
|
||||
ln -fsnr "$sysroot"/var/etc/locale.conf "$sysroot"/etc/locale.conf
|
||||
echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/etc/locale.conf
|
||||
ln -fsnr "$sysroot"/var/locale.conf "$sysroot"/etc/locale.conf
|
||||
echo 'LANG=en_US.UTF-8' > "$sysroot"/usr/share/factory/var/locale.conf
|
||||
|
||||
#---------------
|
||||
# localtime
|
||||
mv "$sysroot"/etc/localtime "$sysroot"/usr/share/factory/var/localtime
|
||||
ln -fsnr "$sysroot"/var/localtime "$sysroot"/etc/localtime
|
||||
|
||||
#---------------
|
||||
# adjtime
|
||||
mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
|
||||
ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime
|
||||
|
||||
sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed
|
||||
sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' "$sysroot"/usr/lib/systemd/systemd-timedated
|
||||
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service
|
||||
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-timedated.service
|
||||
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
|
||||
C /var/hostname - - - - -
|
||||
C /var/vconsole.conf - - - - -
|
||||
C /var/locale.conf - - - - -
|
||||
C /var/localtime - - - - -
|
||||
C /var/adjtime - - - - -
|
||||
EOF
|
||||
|
||||
|
||||
#---------------
|
||||
# X11
|
||||
if [[ -d "$sysroot"/etc/X11/xorg.conf.d ]]; then
|
||||
mkdir -p "$sysroot"/usr/share/factory/var/etc
|
||||
mv "$sysroot"/etc/X11 "$sysroot"/usr/share/factory/var/etc/X11
|
||||
ln -fsnr "$sysroot"/var/etc/X11 "$sysroot"/etc/X11
|
||||
cat >> "$sysroot"/usr/lib/tmpfiles.d/X11.conf <<EOF
|
||||
C /var/etc/X11 - - - - -
|
||||
EOF
|
||||
fi
|
||||
|
||||
#---------------
|
||||
# autofs
|
||||
if [[ -f "$sysroot"/etc/autofs.conf ]]; then
|
||||
mkdir -p "$sysroot"/net
|
||||
fi
|
||||
|
||||
#---------------
|
||||
# udev dri/card0
|
||||
|
@ -394,7 +463,7 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
|
|||
|
||||
# ------------------------------------------------------------------------------
|
||||
# make bootx64.efi
|
||||
echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID resume=PARTLABEL=swap raid=noautodetect" > "$MY_TMPDIR"/options.txt
|
||||
echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID raid=noautodetect" > "$MY_TMPDIR"/options.txt
|
||||
echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
|
||||
objcopy \
|
||||
--add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
|
||||
|
@ -416,5 +485,14 @@ mv "$MY_TMPDIR"/root-hash.txt \
|
|||
"$MY_TMPDIR"/initrd \
|
||||
"$OUTDIR"
|
||||
|
||||
tar cf - -C "${OUTDIR%/*}" "${OUTDIR##*/}" | pigz -c > "$OUTDIR".tgz
|
||||
echo "$ROOT_HASH ${NAME}-${VERSION_ID}" > "${OUTDIR%/*}/${NAME}-latest.txt"
|
||||
chown -R "$USER" "$OUTDIR"
|
||||
|
||||
cat > "${OUTDIR%/*}/${NAME}-latest.json" <<EOF
|
||||
{
|
||||
"roothash": "$ROOT_HASH",
|
||||
"name" : "${NAME}",
|
||||
"version" : "${VERSION_ID}"
|
||||
}
|
||||
EOF
|
||||
|
||||
chown "$USER" "${OUTDIR%/*}/${NAME}-latest.json"
|
||||
|
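Review bot: The two lines `sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service` and the matching one for `systemd-timedated.service` in the `@ -297,24 +321,69 @@` hunk edit the build host's unit files, not the image: every neighbouring path is prefixed with `"$sysroot"` and these two are not. They should read `"$sysroot"/lib/systemd/system/systemd-localed.service` and `"$sysroot"/lib/systemd/system/systemd-timedated.service`; as written the image presumably keeps `ReadWritePaths=/etc` while the host is modified as a side effect of building. Separately, the new `--gpgkey FILE` option is described as "the signing gpg key", but the file is copied verbatim into `"$sysroot"/etc/pki/${NAME}/GPG-KEY`, which update.sh uses as the `gpg2 --verify` keyring; the help text should say this must be the exported public key, since a secret keyring passed here would be shipped inside every image.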
|
50
quirks/nss-altfiles.sh
Normal file
50
quirks/nss-altfiles.sh
Normal file
|
@ -0,0 +1,50 @@
|
|||
|
||||
sed -i -e 's#^\(passwd:.*\) files#\1 altfiles files#g;s#^\(shadow:.*\) files#\1 altfiles files#g;s#^\(group:.*\) files#\1 altfiles files#g' \
|
||||
"$sysroot"/etc/nsswitch.conf
|
||||
|
||||
chroot "$sysroot" bash -c 'useradd -G wheel admin'
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
|
||||
|
||||
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
|
||||
chroot "$sysroot" bash -c 'mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
||||
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
||||
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
||||
chroot "$sysroot" bash -c 'passwd -e admin'
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/var
|
||||
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
|
||||
|
||||
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
|
||||
|
||||
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
|
||||
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
|
||||
done
|
||||
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
|
||||
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
|
||||
"$sysroot"/lib*/libc.so.* \
|
||||
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
|
||||
|
||||
[[ -e "$sysroot"/usr/lib*/librpmostree-1.so.1 ]] && sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' "$sysroot"/usr/lib*/librpmostree-1.so.1
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/home
|
||||
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
|
||||
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
|
||||
|
||||
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
|
||||
C /data/home/admin - - - - -
|
||||
C /data/var/passwd - - - - -
|
||||
C /data/var/shadow - - - - -
|
||||
C /data/var/group - - - - -
|
||||
C /data/var/gshadow - - - - -
|
||||
C /data/var/subuid - - - - -
|
||||
C /data/var/subgid - - - - -
|
||||
C /data/var/etc - - - - -
|
||||
EOF
|
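Review bot: This new file has no header explaining its non-obvious invariants, and two of them deserve one: the `sed -i` rewrites of `pam_unix.so`, `libc.so.*`, `libsystemd-shared*.so` and the `user{add,mod,del}`/`group{add,mod,del}` binaries only work because `/etc` and `/var` are the same length (a replacement of a different length would corrupt the ELF files), and `echo -n admin | passwd --stdin admin` sets a fixed, well-known initial password for a wheel member, relying on `passwd -e admin` to force a change at first interactive login. Suggested opening comment: `# Moves the account databases from /etc to /var (and /data/var via tmpfiles.d). The sed edits below patch path strings inside binaries and rely on /etc and /var having equal length. The admin account gets a fixed initial password that is expired immediately; it is only meant to bootstrap first login.` `egrep` is deprecated and should be `grep -E`. Nearly all of this file is duplicated in quirks/nss.sh, and only nss.sh is sourced by prepare-root.sh in this commit; factoring the shared part out would keep the two from diverging.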
52
quirks/nss.sh
Normal file
52
quirks/nss.sh
Normal file
|
@ -0,0 +1,52 @@
|
|||
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
|
||||
"$sysroot"/etc/nsswitch.conf
|
||||
mkdir -p "$sysroot"/usr/db
|
||||
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
||||
|
||||
chroot "$sysroot" bash -c 'useradd -G wheel admin'
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
|
||||
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
|
||||
|
||||
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
|
||||
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||
|
||||
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
||||
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
||||
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
||||
chroot "$sysroot" bash -c 'passwd -e admin'
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/var
|
||||
mv "$sysroot"/etc/passwd "$sysroot"/etc/sub{u,g}id "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow "$sysroot"/usr/share/factory/var
|
||||
|
||||
sed -i -e 's!^# directory = /etc!directory = /var!g' "$sysroot"/etc/libuser.conf
|
||||
|
||||
for i in passwd shadow group gshadow .pwd.lock subuid subgid; do
|
||||
ln -sfnr "$sysroot"/var/"$i" "$sysroot"/etc/"$i"
|
||||
done
|
||||
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/npasswd#/var/npasswd#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/shadow#/var/shadow#g;s#/etc/nshadow#/var/nshadow#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/.pwdXXXXXX#/var/.pwdXXXXXX#g' "$sysroot"/usr/lib64/security/pam_unix.so
|
||||
sed -i -e 's#/etc/passwd#/var/passwd#g;s#/etc/shadow#/var/shadow#g;s#/etc/gshadow#/var/gshadow#g;s#/etc/group#/var/group#g;s#/etc/subuid#/var/subuid#g;s#/etc/subgid#/var/subgid#g' "$sysroot"/usr/sbin/user{add,mod,del} "$sysroot"/usr/sbin/group{add,mod,del}
|
||||
sed -i -e 's#/etc/.pwd.lock#/var/.pwd.lock#g' \
|
||||
"$sysroot"/lib*/libc.so.* \
|
||||
"$sysroot"/usr/lib*/librpmostree-1.so.1 \
|
||||
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
|
||||
|
||||
|
||||
mkdir -p "$sysroot"/usr/share/factory/home
|
||||
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
|
||||
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
|
||||
|
||||
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
|
||||
C /data/home/admin - - - - -
|
||||
C /data/var/passwd - - - - -
|
||||
C /data/var/shadow - - - - -
|
||||
C /data/var/group - - - - -
|
||||
C /data/var/gshadow - - - - -
|
||||
C /data/var/subuid - - - - -
|
||||
C /data/var/subgid - - - - -
|
||||
C /data/var/etc - - - - -
|
||||
EOF
|
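Review bot: The nsswitch rewrite on the first line writes `altfile` for the passwd entry (`s#^\(passwd:.*\) files#\1 files db altfile#g`) while shadow and group get `altfiles`; glibc will look for a `libnss_altfile` module that does not exist, so passwd lookups silently skip the altfiles source. It should be `s#^\(passwd:.*\) files#\1 files db altfiles#g`. The same line is repeated in the `@ -1,4 +1,5 @@` hunk that follows this file, which needs the identical fix. The passwd entry also orders the sources `files db altfiles` whereas shadow and group use `files altfiles db`; if that asymmetry is intended it deserves a comment, otherwise align them. `egrep` is deprecated and should be `grep -E`.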
|
@ -1,4 +1,5 @@
|
|||
sed -i -e 's#files#files db#g' "$sysroot"/etc/nsswitch.conf
|
||||
sed -i -e 's#^\(passwd:.*\) files#\1 files db altfile#g;s#^\(shadow:.*\) files#\1 files altfiles db#g;s#^\(group:.*\) files#\1 files altfiles db#g' \
|
||||
"$sysroot"/etc/nsswitch.conf
|
||||
mkdir -p "$sysroot"/usr/db
|
||||
sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
|
||||
|
||||
|
@ -9,7 +10,8 @@ egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
|
|||
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
|
||||
|
||||
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||
chroot "$sysroot" bash -c 'make -C /var/db /usr/db/passwd.db /usr/db/shadow.db /usr/db/gshadow.db /usr/db/group.db && mv /etc/{passwd,shadow,group,gshadow} /lib && >/etc/passwd && > /etc/shadow && >/etc/group && >/etc/gshadow'
|
||||
|
||||
mv "$sysroot"/etc/group.admin "$sysroot"/etc/group
|
||||
mv "$sysroot"/etc/gshadow.admin "$sysroot"/etc/gshadow
|
||||
chroot "$sysroot" bash -c 'useradd admin; usermod -a -G wheel admin; echo -n admin | passwd --stdin admin'
|
||||
|
|
26
update.sh
26
update.sh
|
@ -45,29 +45,33 @@ fi
|
|||
mkdir -p /var/cache/${NAME}
|
||||
cd /var/cache/${NAME}
|
||||
|
||||
curl ${BASEURL}/${NAME}-latest.txt --output ${NAME}-latest.txt
|
||||
curl ${BASEURL}/${NAME}-latest.json --output ${NAME}-latest.json
|
||||
|
||||
RELEASE=$(read a b <${NAME}-latest.txt ; echo -n $b)
|
||||
ROOT_HASH=$(read a b <${NAME}-latest.txt; echo -n $a)
|
||||
IMAGE="$(jq -r '.name' ${NAME}-latest.json)-$(jq -r '.version' ${NAME}-latest.json)"
|
||||
ROOT_HASH=$(jq -r '.roothash' ${NAME}-latest.json)
|
||||
|
||||
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
|
||||
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
|
||||
|
||||
if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]] || [[ ${NAME}-${VERSION_ID} == $RELEASE ]]; then
|
||||
if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]]; then
|
||||
echo "Already up2date"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
curl ${BASEURL}/${RELEASE}.tgz | tar xzf -
|
||||
[[ -d ${IMAGE} ]] || curl ${BASEURL}/${IMAGE}.tgz | tar xzf -
|
||||
|
||||
[[ -d ${RELEASE} ]]
|
||||
[[ -d ${IMAGE} ]]
|
||||
|
||||
cd ${RELEASE}
|
||||
cd ${IMAGE}
|
||||
|
||||
# check integrity
|
||||
gpg2 --no-default-keyring --keyring /etc/pki/${NAME}/GPG-KEY --verify sha512sum.txt.sig sha512sum.txt
|
||||
sha512sum -c sha512sum.txt
|
||||
|
||||
dd status=progress if=root.verity.img of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
|
||||
dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
|
||||
|
||||
# set the new partition uuids
|
||||
ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
|
||||
HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
|
||||
|
||||
sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID}
|
||||
sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
|
||||
|
||||
|
@ -77,4 +81,4 @@ cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
|
|||
|
||||
## unless proper boot entries set, just force copy to default boot loader
|
||||
cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
|
||||
mv --backup=numbered /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
|
||||
mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
|
||||
|
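Review bot: `IMAGE` and `ROOT_HASH` come from `${NAME}-latest.json`, which is downloaded with no signature check, and are used to build the tarball URL, to run `tar xzf -` and to `cd ${IMAGE}` before `gpg2 --verify` is reached, so a tampered metadata file steers the script with unvalidated strings. Constrain them before use, e.g. `[[ $IMAGE =~ ^${NAME}-[0-9.]+$ ]] || exit 1` and `[[ $ROOT_HASH =~ ^[0-9a-f]{64}$ ]] || exit 1`, and quote the comparison as `[[ $CURRENT_ROOT_HASH == "$ROOT_HASH" ]]` so an unexpected value cannot act as a glob pattern. Unless the script runs under `set -e` (not visible in this hunk), the results of `gpg2 --verify` and `sha512sum -c` are not checked before the `dd` lines write to the verity and root partitions; append `|| exit 1` to both. `curl` without `--fail` also leaves an HTTP error page in the output file, which is then handed to jq.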
|