update

2018-09-06 15:56:53 +02:00 · 2018-09-06 15:56:53 +02:00 · 5d5ec9682e
parent 6910172911
commit 5d5ec9682e
8 changed files with 270 additions and 30 deletions
--- a/clonedisk.sh
+++ b/clonedisk.sh
@ -1,6 +1,67 @@
-#!/bin/bash
+#!/bin/bash -ex
-set -ex
+usage() {
    cat << EOF
 Usage: $PROGNAME [OPTION]
  -h, --help             Display this help
  --crypt                Use Luks2 to encrypt the data partition (default PW: 1)
  --crypttpm2            as --crypt, but additionally auto-open with the use of a TPM2
  --simple               do not use dual-boot layout (e.g. for USB install media)
  --update               do not clear the data partition
 EOF
 }
 TEMP=$(
    getopt -o '' \
        --long crypt \
        --long crypttpm2 \
 	--long simple \
 	--long update \
 	--long help \
        -- "$@"
    )
 if (( $? != 0 )); then
    usage >&2
    exit 1
 fi
 eval set -- "$TEMP"
 unset TEMP
 while true; do
    case "$1" in
        '--crypt')
 	    USE_CRYPT="y"
            shift 1; continue
            ;;
        '--crypttpm2')
 	    USE_TPM="y"
            shift 1; continue
            ;;
        '--simple')
 	    SIMPLE="y"
            shift 1; continue
            ;;
        '--update')
 	    UPDATE="y"
            shift 1; continue
            ;;
        '--help')
 	    usage
 	    exit 0
            ;;
        '--')
            shift
            break
            ;;
        *)
            echo 'Internal error!' >&2
            exit 1
            ;;
    esac
 done
 [[ $TMPDIR ]] || TMPDIR=/var/tmp
 readonly TMPDIR="$(realpath -e "$TMPDIR")"
@ -44,9 +105,11 @@ if [[ ${IN#/dev/loop} != $IN ]]; then
    IN="${IN}p"
 fi
-wipefs --all "$OUT"
+if ! [[ $UPDATE ]]; then
-sfdisk -W always -w always "$OUT" << EOF
+    wipefs --all "$OUT"
    sfdisk -W always -w always "$OUT" << EOF
 label: gpt
 	    size=512MiB,  type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
            size=256M,    type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1",   uuid=$(blkid -o value -s PARTUUID ${IN}2)
@ -56,6 +119,9 @@ label: gpt
            size=${mem}GiB,  type=0657fd6d-a4ab-43c4-84e5-0933c84b4f4f, name="swap"
            type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
 EOF
 fi
 OUT_DEV=$OUT
 if [[ ${OUT#/dev/loop} != $OUT ]]; then
    OUT="${OUT}p"
@ -66,13 +132,16 @@ fi
 for i in 1 2 3; do 
    dd if=${IN}${i} of=${OUT}${i} status=progress
    sfdisk --part-uuid ${OUT_DEV} $i $(blkid -o value -s PARTUUID ${IN}${i})
 done
-# ------------------------------------------------------------------------------
+if ! [[ $UPDATE ]]; then
-# swap
+    # ------------------------------------------------------------------------------
-mkswap -L swap ${OUT}6
+    # swap
    mkswap -L swap ${OUT}6
-# ------------------------------------------------------------------------------
+    # ------------------------------------------------------------------------------
-# data
+    # data
-echo -n "zero key" \
+    echo -n "zero key" \
-    | cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin
+        | cryptsetup luksFormat --type luks2 ${OUT}7 /dev/stdin
 fi
--- a/excludelist.txt
+++ b/excludelist.txt
@ -4,7 +4,6 @@ grubby
 grub*
 plymouth
 device-mapper-multipath
 libvirt-daemon
 selinux-policy-targeted
 libselinux-utils
-
+httpd
--- a/mkimage.sh
+++ b/mkimage.sh
@ -17,6 +17,7 @@ Usage: $PROGNAME [OPTION]
  --crypt                Use Luks2 to encrypt the data partition (default PW: 1)
  --crypttpm2            as --crypt, but additionally auto-open with the use of a TPM2
  --simple               do not use dual-boot layout (e.g. for USB install media)
  --update               do not clear the data partition
 EOF
 }
@ -24,6 +25,8 @@ TEMP=$(
    getopt -o '' \
        --long crypt \
        --long crypttpm2 \
 	--long simple \
 	--long update \
 	--long help \
        -- "$@"
    )
@ -47,6 +50,14 @@ while true; do
 	    USE_TPM="y"
            shift 1; continue
            ;;
        '--simple')
 	    SIMPLE="y"
            shift 1; continue
            ;;
        '--update')
 	    UPDATE="y"
            shift 1; continue
            ;;
        '--help')
 	    usage
 	    exit 0
@ -109,8 +120,10 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
 # create GPT table with EFI System Partition
 if ! [[ -b "${IMAGE}" ]]; then
-    rm -f "${IMAGE}"
+    if ! [[ $UPDATE ]]; then
-    dd if=/dev/null of="${IMAGE}" bs=1MiB seek=$((15*1024)) count=1
+        rm -f "${IMAGE}"
        dd if=/dev/null of="${IMAGE}" bs=1MiB seek=$((15*1024)) count=1
    fi
    readonly DEV=$(losetup --show -f -P "${IMAGE}")
    readonly DEV_PART=${DEV}p
 else
@ -118,13 +131,16 @@ else
 	umount "$i" || :
    done
-    wipefs --force --all "${IMAGE}"
+    if ! [[ $UPDATE ]]; then
        wipefs --force --all "${IMAGE}"
    fi
    readonly DEV="${IMAGE}"
    readonly DEV_PART="${IMAGE}"
 fi
 udevadm settle
-sfdisk "${DEV}" << EOF
+if ! [[ $UPDATE ]]; then
    sfdisk "${DEV}" << EOF
 label: gpt
 	    size=512MiB,  type=c12a7328-f81f-11d2-ba4b-00a0c93ec93b, name="ESP System Partition"
            size=64MiB,   type=2c7357ed-ebd2-46d9-aec1-23d437ec2bf5, name="ver1", uuid=$HASH_UUID
@ -132,15 +148,21 @@ label: gpt
                          type=3b8f8425-20e0-4f3b-907f-1a25a76f98e9, name="data"
 EOF
-udevadm settle
+    udevadm settle
-for i in 1 2 3 4; do
+    for i in 1 2 3 4; do
-    wipefs --force --all ${DEV_PART}${i}
+        wipefs --force --all ${DEV_PART}${i}
-done
+    done
-udevadm settle
+    udevadm settle
 else
    sfdisk --part-uuid ${DEV} 2 ${HASH_UUID}
    sfdisk --part-uuid ${DEV} 3 ${ROOT_UUID}
 fi
 # ------------------------------------------------------------------------------
 # ESP
-mkfs.fat -nEFI -F32 ${DEV_PART}1
+if ! [[ $UPDATE ]]; then
    mkfs.fat -nEFI -F32 ${DEV_PART}1
 fi
 mkdir "$MY_TMPDIR"/boot
 mount ${DEV_PART}1 "$MY_TMPDIR"/boot
@ -158,8 +180,9 @@ dd if="$SOURCE"/root.squashfs.img of=${DEV_PART}3 status=progress
 # ------------------------------------------------------------------------------
 # data
-mkfs.xfs -L data ${DEV_PART}4
+if ! [[ $UPDATE ]]; then
-
+    mkfs.xfs -L data ${DEV_PART}4
 fi
 # ------------------------------------------------------------------------------
 # DONE
--- a/pkglist.txt
+++ b/pkglist.txt
@ -10,7 +10,6 @@ NetworkManager-vpnc
 NetworkManager-vpnc-gnome
 NetworkManager-wifi
 firefox
 emacs
 vim-enhanced
 pigz
 flatpak
@ -63,3 +62,7 @@ fedora-gpg-keys
 bind-utils
 bash-completion
 nss-mdns
@development-tools
@development-libs
@c-development
--- a/prepare-root.sh
+++ b/prepare-root.sh
@ -44,6 +44,7 @@ fi
 eval set -- "$TEMP"
 unset TEMP
 . /etc/os-release
 unset NAME
 while true; do
    case "$1" in
@ -97,8 +98,8 @@ done
 [[ $EXCLUDELIST ]] || [[ -f excludelist.txt ]] && EXCLUDELIST=$(<excludelist.txt)
 NAME=${NAME:-"FedoraBook"}
 RELEASEVER=${RELEASEVER:-$VERSION_ID}
 OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
 VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')"
 OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
 [[ $TMPDIR ]] || TMPDIR=/var/tmp
 readonly TMPDIR="$(realpath -e "$TMPDIR")"
@ -142,6 +143,13 @@ mount -t devtmpfs devtmpfs "$sysroot/dev"
 mkdir -p "$sysroot"/var/cache/dnf
 mount --bind /var/cache/dnf "$sysroot"/var/cache/dnf
 # We need to preserve old uid/gid
 mkdir -p "$sysroot"/etc
 for i in passwd shadow group gshadow subuid subgid; do
    [[ -e "${BASEDIR}/${NAME}/$i" ]] || continue
    cp "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i"
 done
 dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disablerepo='*' \
    --enablerepo=fedora \
    ${WITH_UPDATES:+--enablerepo=updates} \
@ -179,9 +187,18 @@ dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disab
    tpm2-tss \
    ncurses-base \
    dbus-broker \
    tar \
    gzip \
    $PKGLIST
 # We need to preserve old uid/gid
 mkdir -p ${BASEDIR}/${NAME}
 for i in passwd shadow group gshadow subuid subgid; do 
    cp "$sysroot"/etc/"$i" ${BASEDIR}/${NAME}
 done
 cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
 cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
 rpm --root "$sysroot" -qa | sort > "$sysroot"/usr/rpm-list.txt
 mkdir -p "$sysroot"/overlay/efi
@ -243,6 +260,9 @@ ln -fsnr "$sysroot"/usr/lib/systemd/system/dbus-broker.service "$sysroot"/etc/sy
 if [[ -d "$sysroot"/etc/ssh ]]; then
    mv "$sysroot"/etc/ssh "$sysroot"/usr/share/factory/var/etc/ssh
    ln -sfnr "$sysroot"/var/etc/ssh "$sysroot"/etc/ssh
    cat >> "$sysroot"/usr/lib/tmpfiles.d/ssh.conf <<EOF
 C /var/etc/ssh - - - - -
 EOF
 fi
 #---------------
@ -267,6 +287,16 @@ EOF
    rm -fr "$sysroot"/usr/lib64/NetworkManager/*/libnm-settings-plugin-ifcfg-rh.so
 fi
 #---------------
 # libvirt
 if [[ -d "$sysroot"/etc/libvirt ]]; then
    mv "$sysroot"/etc/libvirt "$sysroot"/usr/share/factory/var/etc/
    ln -fsnr "$sysroot"/var/etc/libvirt "$sysroot"/etc/libvirt
    cat >> "$sysroot"/usr/lib/tmpfiles.d/libvirt.conf <<EOF
 C /var/etc/libvirt - - - - -
 EOF
 fi
 . "${BASEDIR}"/quirks/nss_db.sh
 #---------------
@ -300,6 +330,13 @@ if [[ -d "$sysroot"/usr/share/flatpak ]]; then
    chroot "$sysroot" bash -c '/usr/bin/flatpak remote-add --if-not-exists flathub /usr/share/flatpak/flathub.flatpakrepo'
 fi
 #---------------
 # inotify
 mkdir -p "$sysroot"/etc/sysctl.d
 cat > "$sysroot"/etc/sysctl.d/inotify.conf <<EOF
 fs.inotify.max_user_watches = $((8192*10))
 EOF
 cat >"$sysroot"/etc/fstab <<EOF
 LABEL=data /data xfs defaults,discard 0 0
 /data/var  /var  - bind 0 0
@ -323,6 +360,7 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C /d
 mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
 sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
 sed -i -e "s#NAME=.*#NAME=$NAME#" "$sysroot"/etc/os-release
 mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
 mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
@ -357,7 +395,7 @@ HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-
 # ------------------------------------------------------------------------------
 # make bootx64.efi
 echo -n "rd.shell=0 quiet video=efifb:nobgrt audit=0 selinux=0 roothash=$ROOT_HASH systemd.verity_root_data=PARTUUID=$ROOT_UUID systemd.verity_root_hash=PARTUUID=$HASH_UUID resume=PARTLABEL=swap raid=noautodetect" > "$MY_TMPDIR"/options.txt
-echo -n "$NAME $VERSION_ID" > "$MY_TMPDIR"/release.txt
+echo -n "${NAME}-${VERSION_ID}" > "$MY_TMPDIR"/release.txt
 objcopy \
    --add-section .release="$MY_TMPDIR"/release.txt --change-section-vma .release=0x20000 \
    --add-section .cmdline="$MY_TMPDIR"/options.txt --change-section-vma .cmdline=0x30000 \
@ -377,3 +415,6 @@ mv "$MY_TMPDIR"/root-hash.txt \
   "$MY_TMPDIR"/linux \
   "$MY_TMPDIR"/initrd \
   "$OUTDIR"
 tar cf - -C "${OUTDIR%/*}" "${OUTDIR##*/}" | pigz -c > "$OUTDIR".tgz
 echo "$ROOT_HASH ${NAME}-${VERSION_ID}" > "${OUTDIR%/*}/${NAME}-latest.txt"
--- a/quirks/nss_db.sh
+++ b/quirks/nss_db.sh
@ -1,4 +1,3 @@
 sed -i -e 's#files#files db#g' "$sysroot"/etc/nsswitch.conf
 mkdir -p "$sysroot"/usr/db
 sed -i -e 's#/var/db#/usr/db#g' "$sysroot"/lib64/libnss_db-2*.so "$sysroot"/var/db/Makefile
--- a/systemd-udev-settle-dri.service
+++ b/systemd-udev-settle-dri.service
@ -0,0 +1,26 @@
 #  SPDX-License-Identifier: LGPL-2.1+
 #
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it
 #  under the terms of the GNU Lesser General Public License as published by
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.
 # This service can dynamically be pulled-in by legacy services which
 # cannot reliably cope with dynamic device configurations, and wrongfully
 # expect a populated /dev during bootup.
 [Unit]
 Description=udev Wait for /dev/dri/card0 Device Initialization
 Documentation=man:udev(7) man:systemd-udevd.service(8)
 Wants=systemd-udevd.service
 After=systemd-udev-trigger.service
 Before=display-manager.service
 ConditionPathIsReadWrite=/sys
 [Service]
 Type=oneshot
 TimeoutSec=180
 RemainAfterExit=yes
 ExecStart=/usr/bin/udevadm settle --exit-if-exists=/dev/dri/card0
--- a/update.sh
+++ b/update.sh
@ -0,0 +1,80 @@
 #!/bin/bash -ex
 BASEURL="$1"
 . /etc/os-release
 CURRENT_ROOT_HASH=$(</proc/cmdline)
 CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH#*roothash=}
 CURRENT_ROOT_HASH=${CURRENT_ROOT_HASH%% *}
 CURRENT_ROOT_UUID=${CURRENT_ROOT_HASH:32:8}-${CURRENT_ROOT_HASH:40:4}-${CURRENT_ROOT_HASH:44:4}-${CURRENT_ROOT_HASH:48:4}-${CURRENT_ROOT_HASH:52:12}
 CURRENT_HASH_UUID=${CURRENT_ROOT_HASH:0:8}-${CURRENT_ROOT_HASH:8:4}-${CURRENT_ROOT_HASH:12:4}-${CURRENT_ROOT_HASH:16:4}-${CURRENT_ROOT_HASH:20:12}
 [[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
    && [[ /dev/disk/by-partlabel/ver1 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
    && NEW_ROOT_NUM=2
 [[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
    && [[ /dev/disk/by-partlabel/ver2 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
    && NEW_ROOT_NUM=1
 if ! [[ $NEW_ROOT_NUM ]]; then
    echo "Current partitions booted from not found!"
    exit 1
 fi
 ## find base device and partition number
 for dev in /dev/disk/by-path/*; do
    if ! [[ $VER_PARTNO ]] && [[ /dev/disk/by-partlabel/ver${NEW_ROOT_NUM} -ef $dev ]]; then
        VER_PARTNO=${dev##*-part}
        ROOT_DEV=${dev%-part*}
    fi
    if ! [[ $ROOT_PARTNO ]] && [[ /dev/disk/by-partlabel/root${NEW_ROOT_NUM} -ef $dev ]]; then
        ROOT_PARTNO=${dev##*-part}
        ROOT_DEV=${dev%-part*}
    fi
    [[ $ROOT_PARTNO ]] && [[ $VER_PARTNO ]] && break
 done
 if ! [[ $ROOT_PARTNO ]] || ! [[ $VER_PARTNO ]] || ! [[ $ROOT_DEV ]]; then
    echo "Couldn't find partition numbers"
    exit 1
 fi
 mkdir -p /var/cache/${NAME}
 cd /var/cache/${NAME}
 curl ${BASEURL}/${NAME}-latest.txt --output ${NAME}-latest.txt
 RELEASE=$(read a b <${NAME}-latest.txt ; echo -n $b)
 ROOT_HASH=$(read a b <${NAME}-latest.txt; echo -n $a)
 ROOT_UUID=${ROOT_HASH:32:8}-${ROOT_HASH:40:4}-${ROOT_HASH:44:4}-${ROOT_HASH:48:4}-${ROOT_HASH:52:12}
 HASH_UUID=${ROOT_HASH:0:8}-${ROOT_HASH:8:4}-${ROOT_HASH:12:4}-${ROOT_HASH:16:4}-${ROOT_HASH:20:12}
 if [[ $CURRENT_ROOT_HASH == $ROOT_HASH ]] || [[ ${NAME}-${VERSION_ID} == $RELEASE ]]; then
    echo "Already up2date"
    exit 1
 fi
 curl ${BASEURL}/${RELEASE}.tgz | tar xzf -
 [[ -d ${RELEASE} ]]
 cd ${RELEASE}
 dd status=progress if=root.verity.img   of=/dev/disk/by-partlabel/ver${NEW_ROOT_NUM}
 dd status=progress if=root.squashfs.img of=/dev/disk/by-partlabel/root${NEW_ROOT_NUM}
 # set the new partition uuids
 sfdisk --part-uuid ${ROOT_DEV} ${VER_PARTNO} ${HASH_UUID}
 sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
 # install to /efi
 mkdir -p /efi/EFI/${NAME}
 cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
 ## unless proper boot entries set, just force copy to default boot loader
 cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
 mv --backup=numbered /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi