From 7d097f89e7f14fe8d81d7634bc5f72910179869c Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Mon, 10 Sep 2018 14:19:20 +0200
Subject: [PATCH] update

---
 pkglist.txt | 7 ++++++
 prepare-root.sh | 65 +++++++++++++++++++++++++++++++++++--------------
 quirks/nss.sh | 23 +++++++++++------
 update.sh | 7 ++++--
 4 files changed, 74 insertions(+), 28 deletions(-)

diff --git a/pkglist.txt b/pkglist.txt
index 78a12e1..8afd386 100644
--- a/pkglist.txt
+++ b/pkglist.txt
@@ -70,3 +70,10 @@ nautilus
 rpcbind
 nfs-utils
 autofs
+dnf
+fedora-release
+libvirt-daemon-config-network
+libvirt-daemon-kvm
+squashfs-tools
+mc
+veritysetup
diff --git a/prepare-root.sh b/prepare-root.sh
index e772b35..6ac38b2 100755
--- a/prepare-root.sh
+++ b/prepare-root.sh
@@ -14,7 +14,9 @@ Creates a directory with a readonly root on squashfs, a dm_verity file and an EF
 --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
 --name NAME The NAME of the product (default: FedoraBook)
 --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
+ --quirks LIST Source the list of quirks from the quikrs directory
 --gpgkey FILE Use FILE as the signing gpg key
+ --reposd DIR Use DIR as the dnf repository directory
 --noupdate Do not install from Fedora Updates
 EOF
 }
@@ -33,6 +35,9 @@ TEMP=$(
 --long name: \
 --long releasever: \
 --long logo: \
+ --long quirks: \
+ --long gpgkey: \
+ --long reposd: \
 --long noupdates \
 -- "$@"
 )
@@ -46,6 +51,7 @@ eval set -- "$TEMP"
unset TEMP . /etc/os-release unset NAME +declare -a QUIRKS while true; do case "$1" in
@@ -81,10 +87,18 @@ while true; do
 LOGO="$2"
 shift 2; continue
 ;;
+ '--quirks')
+ QUIRKS+=( $2 )
+ shift 2; continue
+ ;;
 '--gpgkey')
 GPGKEY="$2"
 shift 2; continue
 ;;
+ '--reposd')
+ REPOSD="$2"
+ shift 2; continue
+ ;;
 '--noupdates')
 unset WITH_UPDATES
 shift 1; continue
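Review bot: The new `--quirks` usage line has a typo, `quikrs` for `quirks`, and does not say how LIST is delimited even though the parser arm further down splits it on whitespace: `--quirks LIST   Source the whitespace-separated LIST of quirks from the quirks directory`. In the same usage block the pre-existing `--noupdate` line does not match the `--long noupdates` that getopt accepts, which is worth fixing while the text is being edited. The usage heredoc starts before this hunk.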
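Review bot: `QUIRKS+=( $2 )` relies on unquoted expansion to split the list, which also subjects every word to pathname expansion, so a stray `*` or `?` in the argument is replaced by matching file names from the current directory. Splitting explicitly avoids that and documents the intent: `read -r -a quirk_words <<<"$2"` followed by `QUIRKS+=("${quirk_words[@]}")`. A comment on the arm, such as `# LIST is whitespace-separated; see --quirks in usage`, would also help the next reader. The `case` statement continues outside the hunk.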
@@ -106,6 +120,7 @@ RELEASEVER=${RELEASEVER:-$VERSION_ID} VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')" OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"} GPGKEY=${GPGKEY:-${NAME}.gpg} +REPOSD=${REPOSD:-/etc/yum.repos.d} [[ $TMPDIR ]] || TMPDIR=/var/tmp readonly TMPDIR="$(realpath -e "$TMPDIR")" @@ -140,6 +155,15 @@ fi readonly sysroot="${MY_TMPDIR}/sysroot" +# We need to preserve old uid/gid +mkdir -p "$sysroot"/etc +for i in passwd shadow group gshadow subuid subgid; do + [[ -e "${BASEDIR}/${NAME}/$i" ]] || continue + cp -a "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i" +done + +chown -R +0.+0 "$sysroot" + mkdir -p "$sysroot"/{dev,proc,sys,run} mount --bind /proc "$sysroot/proc" #mount --bind /run "$sysroot/run" @@ -149,18 +173,12 @@ mount -t devtmpfs devtmpfs "$sysroot/dev" mkdir -p "$sysroot"/var/cache/dnf mount --bind /var/cache/dnf "$sysroot"/var/cache/dnf -# We need to preserve old uid/gid -mkdir -p "$sysroot"/etc -for i in passwd shadow group gshadow subuid subgid; do - [[ -e "${BASEDIR}/${NAME}/$i" ]] || continue - cp "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i" -done - -dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disablerepo='*' \ - --enablerepo=fedora \ - ${WITH_UPDATES:+--enablerepo=updates} \ +dnf -v --nogpgcheck \ + --installroot "$sysroot"/ \ + --releasever "$RELEASEVER" \ --exclude="$EXCLUDELIST" \ --setopt=keepcache=True \ + --setopt=reposdir="$REPOSD" \ install -y \ dracut \ passwd \ @@ -222,6 +240,7 @@ done cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update + mkdir -p "$sysroot"/etc/pki/${NAME} cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY 
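Review bot: `chown -R +0.+0 "$sysroot"` uses the `.` owner/group separator, which GNU chown accepts only for compatibility and documents as `:`; `chown -R 0:0 "$sysroot"` is the unambiguous form. At this point the tree holds only the files the loop just copied, so a narrower `chown` on `"$sysroot"/etc` would state the intent more precisely. The comment above the loop could also say why the files under `${BASEDIR}/${NAME}` (presumably a previous build output) are reused: `# Reuse the earlier account files so uid/gid assignments stay stable across rebuilds`.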
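Review bot: The rewritten `dnf install` keeps `--nogpgcheck` while now reading its repository definitions from the operator-supplied `--setopt=reposdir="$REPOSD"`, so nothing verifies that the packages placed into the image match the repositories' signing keys; dropping `--nogpgcheck`, so dnf verifies against the keys named in the repo files' `gpgkey=` entries, or guarding it behind an explicit option would let the build rely on package signatures. Separately, `--disablerepo='*' --enablerepo=fedora ${WITH_UPDATES:+--enablerepo=updates}` was removed without a replacement, so as far as this hunk shows the `--noupdates` option, whose arm only does `unset WITH_UPDATES`, no longer changes what dnf installs; either reintroduce an `--enablerepo`/`--disablerepo` pair driven by `WITH_UPDATES`, or remove the option from usage and getopt. A comment such as `# repos come from $REPOSD (default /etc/yum.repos.d), not from dnf's host config` would record the new behaviour. The `dnf` command line continues past the end of the hunk.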
@@ -251,7 +270,6 @@ chroot "$sysroot" \ --install "cryptsetup tail sort pwmake mktemp swapon" \ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \ --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \ - --install "strace" \ --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \ --include /overlay / \ --install /usr/lib/systemd/system/clevis-luks-askpass.path \ @@ -271,6 +289,15 @@ mkdir -p "$sysroot"/usr/share/factory/data/{var/etc,home} ln -sfnr "$sysroot"/usr/share/factory/data/var "$sysroot"/usr/share/factory/var ln -sfnr "$sysroot"/usr/share/factory/data/home "$sysroot"/usr/share/factory/home + +chroot "$sysroot" update-ca-trust + +. "${BASEDIR}"/quirks/nss.sh + +for q in "${QUIRKS[@]}"; do + . "${BASEDIR}"/quirks/"$q".sh +done + #--------------- # timesync ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service @@ -321,8 +348,6 @@ C /var/etc/libvirt - - - - - EOF fi -. "${BASEDIR}"/quirks/nss.sh - #--------------- # resolv.conf ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf 
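Review bot: The new loop sources `"${BASEDIR}"/quirks/"$q".sh` for every name given on the command line without checking that the name is a plain identifier or that the file exists, so a value containing `/` or `..` reaches outside the quirks directory and a typo fails only inside the `.` builtin with a bash error. Validating the name and the file first gives a clear failure at the right place (see below). Since `quirks/nss.sh` is now sourced unconditionally just above the loop, passing `nss` in `--quirks` would run it a second time, which presumably fails at its `useradd admin` step; a comment like `# nss.sh is always applied; do not list it in --quirks`, or a skip in the loop, would make that explicit. Whether `set -u` is active is not visible here; on bash before 4.4 `"${QUIRKS[@]}"` over an empty array trips it, and `${QUIRKS[@]+"${QUIRKS[@]}"}` is the portable spelling.
```shell
for q in "${QUIRKS[@]}"; do
    [[ "$q" =~ ^[[:alnum:]_-]+$ ]] \
        || { printf 'invalid quirk name: %s\n' "$q" >&2; exit 1; }
    [[ -r "${BASEDIR}/quirks/${q}.sh" ]] \
        || { printf 'quirk not found: %s/quirks/%s.sh\n' "$BASEDIR" "$q" >&2; exit 1; }
    . "${BASEDIR}"/quirks/"$q".sh
done
```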
@@ -354,10 +379,12 @@ mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed -sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' "$sysroot"/usr/lib/systemd/systemd-timedated +sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' \ + "$sysroot"/usr/lib/systemd/systemd-timedated \ + "$sysroot"/usr/lib/systemd/libsystemd-shared*.so -sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service -sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-timedated.service +sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-localed.service +sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-timedated.service cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf < /usr/lib/tmpfiles.d/var-quirk.conf; :' +chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :' mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release @@ -435,7 +463,8 @@ mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/ mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux rm -fr "$sysroot"/{boot,root} ln -sfnr "$sysroot"/data/root "$sysroot"/root -rm -fr "$sysroot"/etc/yum.repos.d/* +mkdir -p "$sysroot"/usr/etc +mv "$sysroot"/etc/yum.repos.d "$sysroot"/usr/etc/yum.repos.d mkdir "$sysroot"/efi rm -fr "$sysroot"/var/* rm -fr "$sysroot"/home/* diff --git a/quirks/nss.sh b/quirks/nss.sh index 8d32242..3bac2aa 100644 --- a/quirks/nss.sh +++ b/quirks/nss.sh 
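Review bot: The added sed over `"$sysroot"/usr/lib/systemd/libsystemd-shared*.so` edits path strings inside an ELF object in place, which is only safe because `/var/adjtime` and `/var/localtime` have exactly the same byte length as `/etc/adjtime` and `/etc/localtime`; nothing in the hunk records that constraint. A comment above the command, `# binary edit of libsystemd-shared: replacement paths must be exactly as long as the originals`, would stop a later change to either path from silently corrupting the library. The glob is deliberately unquoted, but with no match sed receives the literal pattern and exits non-zero (unless nullglob/failglob is set earlier in the script, which is not visible here), so a `[[ -e ... ]]` check on the expanded glob before the call would give a clearer failure. The tmpfiles generator in the same hunk still word-splits `$(find -H /var -xdev -type d)`, so a directory name containing whitespace would yield a broken `C` line; `find -H /var -xdev -type d -printf 'C %p - - - - -\n' > /usr/lib/tmpfiles.d/var-quirk.conf` avoids the loop entirely. The middle of this hunk (the `00-basics.conf` heredoc) appears truncated in this rendering.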
@@ -7,6 +7,8 @@ chroot "$sysroot" bash -c 'useradd -G wheel admin' egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin +sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd + sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow @@ -40,13 +42,18 @@ mkdir -p "$sysroot"/usr/share/factory/home cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin +mkdir -p "$sysroot"/usr/share/factory/var/root +cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root +chown -R +0.+0 "$sysroot"/usr/share/factory/var/root + cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <
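Review bot: `sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd` rewrites the home-directory field of any account whose home is `/root`, not just root's, because nothing anchors the substitution to a particular user; `sed -i -e '/^root:/s#:/root:#:/var/root:#' "$sysroot"/etc/passwd` limits it to the root entry. A one-line comment stating why root's home moves, such as `# root's home lives on the writable /var; the factory copy under /usr/share/factory/var/root presumably seeds it`, would tie this to the skeleton set up further down in this file. The rest of this quirk script is outside the hunk.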