Harald Hoyer 2018-09-10 14:19:20 +02:00
parent 2e63e25d7d
commit 7d097f89e7
4 changed files with 74 additions and 28 deletions


@ -70,3 +70,10 @@ nautilus
rpcbind rpcbind
nfs-utils nfs-utils
autofs autofs
dnf
fedora-release
libvirt-daemon-config-network
libvirt-daemon-kvm
squashfs-tools
mc
veritysetup


@ -14,7 +14,9 @@ Creates a directory with a readonly root on squashfs, a dm_verity file and an EF
--outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE) --outdir DIR Creates DIR and puts all files in there (default: NAME-NUM-DATE)
--name NAME The NAME of the product (default: FedoraBook) --name NAME The NAME of the product (default: FedoraBook)
--logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp) --logo FILE Uses the .bmp FILE to display as a splash screen (default: logo.bmp)
--quirks LIST Source the list of quirks from the quikrs directory
--gpgkey FILE Use FILE as the signing gpg key --gpgkey FILE Use FILE as the signing gpg key
--reposd DIR Use DIR as the dnf repository directory
--noupdate Do not install from Fedora Updates --noupdate Do not install from Fedora Updates
EOF EOF
} }
@ -33,6 +35,9 @@ TEMP=$(
--long name: \ --long name: \
--long releasever: \ --long releasever: \
--long logo: \ --long logo: \
--long quirks: \
--long gpgkey: \
--long reposd: \
--long noupdates \ --long noupdates \
-- "$@" -- "$@"
) )
@ -46,6 +51,7 @@ eval set -- "$TEMP"
unset TEMP unset TEMP
. /etc/os-release . /etc/os-release
unset NAME unset NAME
declare -a QUIRKS
while true; do while true; do
case "$1" in case "$1" in
@ -81,10 +87,18 @@ while true; do
LOGO="$2" LOGO="$2"
shift 2; continue shift 2; continue
;; ;;
'--quirks')
QUIRKS+=( $2 )
shift 2; continue
;;
'--gpgkey') '--gpgkey')
GPGKEY="$2" GPGKEY="$2"
shift 2; continue shift 2; continue
;; ;;
'--reposd')
REPOSD="$2"
shift 2; continue
;;
'--noupdates') '--noupdates')
unset WITH_UPDATES unset WITH_UPDATES
shift 1; continue shift 1; continue
@ -106,6 +120,7 @@ RELEASEVER=${RELEASEVER:-$VERSION_ID}
VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')" VERSION_ID="${RELEASEVER}.$(date -u +'%Y%m%d%H%M%S')"
OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"} OUTDIR=${OUTDIR:-"${CURDIR}/${NAME}-${VERSION_ID}"}
GPGKEY=${GPGKEY:-${NAME}.gpg} GPGKEY=${GPGKEY:-${NAME}.gpg}
REPOSD=${REPOSD:-/etc/yum.repos.d}
[[ $TMPDIR ]] || TMPDIR=/var/tmp [[ $TMPDIR ]] || TMPDIR=/var/tmp
readonly TMPDIR="$(realpath -e "$TMPDIR")" readonly TMPDIR="$(realpath -e "$TMPDIR")"
@ -140,6 +155,15 @@ fi
readonly sysroot="${MY_TMPDIR}/sysroot" readonly sysroot="${MY_TMPDIR}/sysroot"
# We need to preserve old uid/gid
mkdir -p "$sysroot"/etc
for i in passwd shadow group gshadow subuid subgid; do
[[ -e "${BASEDIR}/${NAME}/$i" ]] || continue
cp -a "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i"
done
chown -R +0.+0 "$sysroot"
mkdir -p "$sysroot"/{dev,proc,sys,run} mkdir -p "$sysroot"/{dev,proc,sys,run}
mount --bind /proc "$sysroot/proc" mount --bind /proc "$sysroot/proc"
#mount --bind /run "$sysroot/run" #mount --bind /run "$sysroot/run"
@ -149,18 +173,12 @@ mount -t devtmpfs devtmpfs "$sysroot/dev"
mkdir -p "$sysroot"/var/cache/dnf mkdir -p "$sysroot"/var/cache/dnf
mount --bind /var/cache/dnf "$sysroot"/var/cache/dnf mount --bind /var/cache/dnf "$sysroot"/var/cache/dnf
# We need to preserve old uid/gid dnf -v --nogpgcheck \
mkdir -p "$sysroot"/etc --installroot "$sysroot"/ \
for i in passwd shadow group gshadow subuid subgid; do --releasever "$RELEASEVER" \
[[ -e "${BASEDIR}/${NAME}/$i" ]] || continue
cp "${BASEDIR}/${NAME}/$i" "$sysroot"/etc/"$i"
done
dnf -v --nogpgcheck --installroot "$sysroot"/ --releasever "$RELEASEVER" --disablerepo='*' \
--enablerepo=fedora \
${WITH_UPDATES:+--enablerepo=updates} \
--exclude="$EXCLUDELIST" \ --exclude="$EXCLUDELIST" \
--setopt=keepcache=True \ --setopt=keepcache=True \
--setopt=reposdir="$REPOSD" \
install -y \ install -y \
dracut \ dracut \
passwd \ passwd \
@ -222,6 +240,7 @@ done
cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk cp "$CURDIR/clonedisk.sh" "$sysroot"/usr/bin/clonedisk
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update cp "$CURDIR/update.sh" "$sysroot"/usr/bin/update
mkdir -p "$sysroot"/etc/pki/${NAME} mkdir -p "$sysroot"/etc/pki/${NAME}
cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY cp "${CURDIR}/${GPGKEY}" "$sysroot"/etc/pki/${NAME}/GPG-KEY
@ -251,7 +270,6 @@ chroot "$sysroot" \
--install "cryptsetup tail sort pwmake mktemp swapon" \ --install "cryptsetup tail sort pwmake mktemp swapon" \
--install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \ --install "tpm2_pcrextend tpm2_createprimary tpm2_pcrlist tpm2_createpolicy" \
--install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \ --install "tpm2_create tpm2_load tpm2_unseal tpm2_takeownership" \
--install "strace" \
--include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \ --include /pre-pivot.sh /lib/dracut/hooks/pre-pivot/pre-pivot.sh \
--include /overlay / \ --include /overlay / \
--install /usr/lib/systemd/system/clevis-luks-askpass.path \ --install /usr/lib/systemd/system/clevis-luks-askpass.path \
@ -271,6 +289,15 @@ mkdir -p "$sysroot"/usr/share/factory/data/{var/etc,home}
ln -sfnr "$sysroot"/usr/share/factory/data/var "$sysroot"/usr/share/factory/var ln -sfnr "$sysroot"/usr/share/factory/data/var "$sysroot"/usr/share/factory/var
ln -sfnr "$sysroot"/usr/share/factory/data/home "$sysroot"/usr/share/factory/home ln -sfnr "$sysroot"/usr/share/factory/data/home "$sysroot"/usr/share/factory/home
chroot "$sysroot" update-ca-trust
. "${BASEDIR}"/quirks/nss.sh
for q in "${QUIRKS[@]}"; do
. "${BASEDIR}"/quirks/"$q".sh
done
#--------------- #---------------
# timesync # timesync
ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service ln -fsnr "$sysroot"/usr/lib/systemd/system/systemd-timesyncd.service "$sysroot"/usr/lib/systemd/system/sysinit.target.wants/systemd-timesyncd.service
@ -321,8 +348,6 @@ C /var/etc/libvirt - - - - -
EOF EOF
fi fi
. "${BASEDIR}"/quirks/nss.sh
#--------------- #---------------
# resolv.conf # resolv.conf
ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf ln -fsrn "$sysroot"/run/NetworkManager/resolv.conf "$sysroot"/etc/resolv.conf
@ -354,10 +379,12 @@ mv "$sysroot"/etc/adjtime "$sysroot"/usr/share/factory/var/adjtime
ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime ln -fsnr "$sysroot"/var/adjtime "$sysroot"/etc/adjtime
sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed sed -i -e 's#/etc/locale.conf#/var/locale.conf#g;s#/etc/vconsole.conf#/var/vconsole.conf#g' "$sysroot"/usr/lib/systemd/systemd-localed
sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' "$sysroot"/usr/lib/systemd/systemd-timedated sed -i -e 's#/etc/adjtime#/var/adjtime#g;s#/etc/localtime#/var/localtime#g' \
"$sysroot"/usr/lib/systemd/systemd-timedated \
"$sysroot"/usr/lib/systemd/libsystemd-shared*.so
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-localed.service sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-localed.service
sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' /lib/systemd/system/systemd-timedated.service sed -i -e 's#ReadWritePaths=/etc#ReadWritePaths=/var#g' "$sysroot"/lib/systemd/system/systemd-timedated.service
cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF cat >> "$sysroot"/usr/lib/tmpfiles.d/00-basics.conf <<EOF
C /var/hostname - - - - - C /var/hostname - - - - -
@ -383,6 +410,7 @@ fi
# autofs # autofs
if [[ -f "$sysroot"/etc/autofs.conf ]]; then if [[ -f "$sysroot"/etc/autofs.conf ]]; then
mkdir -p "$sysroot"/net mkdir -p "$sysroot"/net
systemctl --root "$sysroot" enable autofs
fi fi
#--------------- #---------------
@ -425,7 +453,7 @@ chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do grep " $i
cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/data/var/ cp -avxr "$sysroot"/var/* "$sysroot"/usr/share/factory/data/var/
rm -fr "$sysroot"/usr/share/factory/var/{run,lock} rm -fr "$sysroot"/usr/share/factory/var/{run,lock}
chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C /data$i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :' chroot "$sysroot" bash -c 'for i in $(find -H /var -xdev -type d); do echo "C $i - - - - -"; done > /usr/lib/tmpfiles.d/var-quirk.conf; :'
mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf mv "$sysroot"/lib/tmpfiles.d-var.conf "$sysroot"/lib/tmpfiles.d/var.conf
sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release sed -i -e "s#VERSION_ID=.*#VERSION_ID=$VERSION_ID#" "$sysroot"/etc/os-release
@ -435,7 +463,8 @@ mv -v "$sysroot"/boot/*/*/initrd "$MY_TMPDIR"/
mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux mv -v "$sysroot"/lib/modules/*/vmlinuz "$MY_TMPDIR"/linux
rm -fr "$sysroot"/{boot,root} rm -fr "$sysroot"/{boot,root}
ln -sfnr "$sysroot"/data/root "$sysroot"/root ln -sfnr "$sysroot"/data/root "$sysroot"/root
rm -fr "$sysroot"/etc/yum.repos.d/* mkdir -p "$sysroot"/usr/etc
mv "$sysroot"/etc/yum.repos.d "$sysroot"/usr/etc/yum.repos.d
mkdir "$sysroot"/efi mkdir "$sysroot"/efi
rm -fr "$sysroot"/var/* rm -fr "$sysroot"/var/*
rm -fr "$sysroot"/home/* rm -fr "$sysroot"/home/*
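Review bot: In the rewritten dnf invocation (hunk `@ -149,18 +173,12`) the `--disablerepo='*' --enablerepo=fedora ${WITH_UPDATES:+--enablerepo=updates}` arguments are dropped in favour of `--setopt=reposdir="$REPOSD"`, so the `--noupdates` option, which only does `unset WITH_UPDATES`, no longer changes what is installed unless the variable is consumed somewhere outside this diff. If the repo under `$REPOSD` keeps the name `updates`, one line restores the toggle because dnf applies enable/disable in argument order: `--disablerepo=updates ${WITH_UPDATES:+--enablerepo=updates} \`. Separately, `--nogpgcheck` is kept while the repository directory is now operator-supplied, so every repo file found under `$REPOSD` feeds packages into the image with signature verification switched off; since the script already ships a signing key into the image (`/etc/pki/${NAME}/GPG-KEY`), consider dropping `--nogpgcheck` and relying on `gpgcheck=1` in the repo files, or at least gating it behind an explicit option so the default build verifies what it installs. The dnf command continues past the end of this hunk (the `install -y` package list).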


@ -7,6 +7,8 @@ chroot "$sysroot" bash -c 'useradd -G wheel admin'
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/group > "$sysroot"/etc/group.admin
egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin egrep -e '^(adm|wheel):.*' "$sysroot"/etc/gshadow > "$sysroot"/etc/gshadow.admin
sed -i -e 's#:/root:#:/var/root:#g' "$sysroot"/etc/passwd
sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow sed -i -e '/^wheel:.*/d;/^adm:.*/d' "$sysroot"/etc/group "$sysroot"/etc/gshadow
sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow sed -i -e '/^admin:.*/d' "$sysroot"/etc/passwd "$sysroot"/etc/shadow "$sysroot"/etc/group "$sysroot"/etc/gshadow
@ -40,13 +42,18 @@ mkdir -p "$sysroot"/usr/share/factory/home
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/home/admin
chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin chown -R +1000.+1000 "$sysroot"/usr/share/factory/home/admin
mkdir -p "$sysroot"/usr/share/factory/var/root
cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root
chown -R +0.+0 "$sysroot"/usr/share/factory/var/root
cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF cat > "$sysroot"/usr/lib/tmpfiles.d/home.conf <<EOF
C /data/home/admin - - - - - C /home/admin - - - - -
C /data/var/passwd - - - - - C /var/root - - - - -
C /data/var/shadow - - - - - C /var/passwd - - - - -
C /data/var/group - - - - - C /var/shadow - - - - -
C /data/var/gshadow - - - - - C /var/group - - - - -
C /data/var/subuid - - - - - C /var/gshadow - - - - -
C /data/var/subgid - - - - - C /var/subuid - - - - -
C /data/var/etc - - - - - C /var/subgid - - - - -
C /var/etc - - - - -
EOF EOF
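Review bot: `mkdir -p "$sysroot"/usr/share/factory/var/root` followed by `cp -avxr "$sysroot"/etc/skel "$sysroot"/usr/share/factory/var/root` copies skel into the already-existing target, so the factory root home ends up as `/usr/share/factory/var/root/skel/…` rather than holding skel's contents, unlike the admin case a few lines above where `home/admin` does not exist before the cp. Either create only the parent, `mkdir -p "$sysroot"/usr/share/factory/var`, or copy the contents with `cp -avxr "$sysroot"/etc/skel/. "$sysroot"/usr/share/factory/var/root`. The directory also keeps whatever mode skel carries after the `chown -R +0.+0`; root's home is conventionally not world-readable, so a `chmod 0700 "$sysroot"/usr/share/factory/var/root` is probably wanted — confirm what mode `/etc/skel` has in the built sysroot before relying on it.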


@ -13,11 +13,11 @@ CURRENT_HASH_UUID=${CURRENT_ROOT_HASH:0:8}-${CURRENT_ROOT_HASH:8:4}-${CURRENT_RO
[[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \ [[ /dev/disk/by-partlabel/root1 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver1 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \ && [[ /dev/disk/by-partlabel/ver1 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
&& NEW_ROOT_NUM=2 && NEW_ROOT_NUM=2 && OLD_ROOT_NUM=1
[[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \ [[ /dev/disk/by-partlabel/root2 -ef /dev/disk/by-partuuid/${CURRENT_ROOT_UUID} ]] \
&& [[ /dev/disk/by-partlabel/ver2 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \ && [[ /dev/disk/by-partlabel/ver2 -ef /dev/disk/by-partuuid/${CURRENT_HASH_UUID} ]] \
&& NEW_ROOT_NUM=1 && NEW_ROOT_NUM=1 && OLD_ROOT_NUM=2
if ! [[ $NEW_ROOT_NUM ]]; then if ! [[ $NEW_ROOT_NUM ]]; then
echo "Current partitions booted from not found!" echo "Current partitions booted from not found!"
@ -79,6 +79,9 @@ sfdisk --part-uuid ${ROOT_DEV} ${ROOT_PARTNO} ${ROOT_UUID}
mkdir -p /efi/EFI/${NAME} mkdir -p /efi/EFI/${NAME}
cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi cp bootx64.efi /efi/EFI/${NAME}/${NEW_ROOT_NUM}.efi
# better swap prio with efibootmgr
mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi
## unless proper boot entries set, just force copy to default boot loader ## unless proper boot entries set, just force copy to default boot loader
cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi cp bootx64.efi /efi/EFI/Boot/new_bootx64.efi
mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi mv --backup=simple /efi/EFI/Boot/new_bootx64.efi /efi/EFI/Boot/bootx64.efi
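Review bot: The new `mv /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi` is unconditional, so on an ESP where the other slot's loader has never been written the mv fails; if the script runs under `set -e` (its header is outside this diff) the update then stops after the new slot loader was copied but before the default `bootx64.efi` below is replaced, leaving the two steps out of sync. Guard it: `if [[ -e /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi ]]; then mv -- /efi/EFI/${NAME}/${OLD_ROOT_NUM}.efi /efi/EFI/${NAME}/_${OLD_ROOT_NUM}.efi; fi`. If the rename is meant as an interim stand-in for reordering boot entries, the comment would say so more clearly as `# TODO: swap boot priority with efibootmgr instead of renaming the previous slot's loader`.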