partition=false # change to true to force a full wipe
fi
+## ignore disks that are mounted, eg when running from fai-cd
+declare -A disk_excludes
+while read -r l; do
+ eval "$l"
+ if [[ ! $PKNAME ]]; then
+ PKNAME="$KNAME"
+ fi
+ if [[ $MOUNTPOINT ]]; then
+ disk_excludes[$PKNAME]=true
+ fi
+done < <(lsblk -nP -o KNAME,MOUNTPOINT,PKNAME)
hdds=()
ssds=()
cd /sys/block
for disk in [sv]d[a-z]; do
+ if [[ ${disk_excludes[$disk]} ]]; then
+ continue
+ fi
case $(cat $disk/queue/rotational) in
0) ssds+=(/dev/$disk) ;;
1) hdds+=(/dev/$disk) ;;
if $partition; then break; fi
y=$(readlink -f $dev)
arr=($y[0-9])
- [[ ${#arr[@]} == "${lastn}" ]] || partition=true
+ [[ ${#arr[@]} == "$lastn" ]] || partition=true
for (( i=1; i <= lastn; i++ )); do
[[ -e ${dev}$i ]] || partition=true
done
for short_dev in ${short_devs[@]}; do
devs+=($(devbyid $short_dev))
done
-if [[ ! ${devs[@]} ]]; then
+if [[ ! ${devs[0]} ]]; then
echo "$0: error: failed to detect devs" >&2
exit 1
fi
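Review bot: The rewritten test `[[ ! ${devs[0]} ]]` only catches the case where every devbyid lookup came back empty; if one of several short_devs has no by-id path, `devs[0]` is still set and the script continues with fewer devs than short_devs. Comparing counts catches the partial failure as well: `(( ${#devs[@]} == ${#short_devs[@]} )) || { echo "$0: error: failed to detect devs" >&2; exit 1; }`. This assumes devbyid prints nothing on a miss; if it instead exits non-zero, the status of `devs+=($(devbyid $short_dev))` should be checked directly, since an assignment from a command substitution hides it. The loop that encloses these lines closes outside the hunk.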
break
fi
done
- $bad_disk || boot_devs+=(`bootdev`)
+ $bad_disk || boot_devs+=($(bootdev))
else
- boot_devs+=(`bootdev`)
+ boot_devs+=($(bootdev))
fi
if [[ $boot_devs && $first ]]; then
- first_grub_extdev=`grub_extdev`
+ first_grub_extdev=$(grub_extdev)
first=false
fi
done
}
-# keyfiles generated like:
-# head -c 2048 /dev/urandom | od | s dd of=/q/root/luks/host-demohost
+# see README for docs about how to create these
luks_dir=${LUKS_DIR:-/var/lib/fai/config/distro-install-common/luks}
-if [[ ! -e $luks_dir/host-$HOSTNAME ]]; then
- echo "$0: error: no key for hostname at $luks_dir/host-$HOSTNAME" >&2
- exit 1
+
+luks_file=$luks_dir/host-$HOSTNAME
+if [[ ! -e $luks_file ]]; then
+ hostkeys=($luks_dir/host-*)
+ # if there is only one key, we might be deploying somewhere
+ # where dhcp doesnt give us a proper hostname, so use that.
+ if [[ ${#hostkeys[@]} == 1 && -e ${hostkeys[0]} ]]; then
+ luks_file=${hostkeys[0]}
+ else
+ echo "$0: error: no key for hostname at $luks_file" >&2
+ exit 1
+ fi
fi
-lukspw=$(cat $luks_dir/iank)
-# # ian: disabled by chaning to tpnew while I use the tp host.
# # note, corresponding changes in /b/ds/keyscript-{on,off}
if ifclass tpnew; then
lukspw=$(cat $luks_dir/traci)
-fi
-if ifclass ziva; then
+elif ifclass ziva; then
lukspw=$(cat $luks_dir/ziva)
-fi
-if ifclass demohost; then
+elif ifclass demohost; then
lukspw=x
+elif [[ -e $luks_dir/$HOSTNAME ]]; then
+ lukspw=$(cat $luks_dir/$HOSTNAME)
+else
+ lukspw=$(cat $luks_dir/iank)
fi
mkdir -p /tmp/fai
root_devs=()
for dev in ${devs[@]}; do
- root_devs+=(`rootdev`)
+ root_devs+=($(rootdev))
done
shopt -s nullglob
if $partition; then
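Review bot: The single-key fallback at L66-L70 silently substitutes a key file named for a different host when `$HOSTNAME` is unexpected, and the passphrase chain at L79-L92 still selects on `$HOSTNAME`, so a fallen-back `luks_file` is paired with a passphrase chosen for a host it does not belong to. Log the fallback to stderr so a misdeploy is visible, and derive the per-host passphrase lookup from the key file that was actually chosen (`luks_host=${luks_file##*/host-}`) rather than from `$HOSTNAME`. Testing with `-s` instead of `-e` additionally rejects a zero-length key file, which would otherwise be handed to luksFormat. The function closed by `}` at L55 starts outside the hunk.
```shell
luks_file=$luks_dir/host-$HOSTNAME
if [[ ! -s $luks_file ]]; then
  hostkeys=($luks_dir/host-*)
  # if there is only one key, we might be deploying somewhere
  # where dhcp doesn't give us a proper hostname, so use that.
  if [[ ${#hostkeys[@]} == 1 && -s ${hostkeys[0]} ]]; then
    luks_file=${hostkeys[0]}
    echo "$0: warning: no key for $HOSTNAME, using $luks_file" >&2
  else
    echo "$0: error: no key for hostname at $luks_file" >&2
    exit 1
  fi
fi
# host the chosen key belongs to; differs from $HOSTNAME after the fallback
luks_host=${luks_file##*/host-}
# … unchanged: tpnew / ziva / demohost branches …
elif [[ -e $luks_dir/$luks_host ]]; then
  lukspw=$(cat $luks_dir/$luks_host)
else
  lukspw=$(cat $luks_dir/iank)
fi
```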
# wait at all. So I've added a 3 second minimum wait.
sleep 3
secs=0
- while [[ ! -e `rootdev` ]] && (( secs < 10 )); do
+ while [[ ! -e $(rootdev) ]] && (( secs < 10 )); do
sleep 1
secs=$((secs +1))
done
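Review bot: When the wait loop at L106-L109 hits its 10-second limit nothing checks whether `$(rootdev)` ever appeared, so the luksFormat further down runs against a path that does not exist and the failure surfaces as a cryptsetup error rather than the real cause. Add after `done`: `[[ -e $(rootdev) ]] || { echo "$0: error: $(rootdev) did not appear after ${secs}s" >&2; exit 1; }`. The `if $partition` block enclosing this loop continues past the hunk.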
# to grubenv after booting, but that relies on the boot always succeeding.
# This is just a bit more robust, and it could work for booting
# into ipxe which can't persist data, if we ever got that working.
- mkfs.ext2 `grub_extdev`
+ mkfs.ext2 $(grub_extdev)
# when we move to newer than trisquel 8, we can remove
# --type luks1. We can also check on cryptsetup --help | less /compil
# to see about the other settings. Default in debian 9 is luks2.
# cryptsetup luksAddKey --pbkdf pbkdf2
# then remove the new format keys with cryptsetup luksRemoveKey
# then cryptsetup convert DEV --type luks1, then readd old keys and remove temp.
- yes YES | cryptsetup luksFormat `rootdev` $luks_dir/host-$HOSTNAME \
+ yes YES | cryptsetup luksFormat $(rootdev) $luks_file \
--type luks1 -c aes-cbc-essiv:sha256 -s 256 || [[ $? == 141 ]]
yes "$lukspw" | \
- cryptsetup luksAddKey --key-file $luks_dir/host-$HOSTNAME \
- `rootdev` || [[ $? == 141 ]]
+ cryptsetup luksAddKey --key-file $luks_file \
+ $(rootdev) || [[ $? == 141 ]]
# background: Keyfile and password are treated just
# like 2 ways to input a passphrase, so we don't actually need to have
# different contents of keyfile and passphrase, but it makes some
# yes 'test' | cryptsetup luksRemoveKey /dev/... \
# /key/file || [[ $? == 141 ]]
- cryptsetup luksOpen `rootdev` `root-cryptname` \
- --key-file $luks_dir/host-$HOSTNAME
+ cryptsetup luksOpen $(rootdev) $(root-cryptname) \
+ --key-file $luks_file
if [[ $SPECIAL_DISK ]]; then
exit 0
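Review bot: `yes "$lukspw"` on the luksAddKey line at L124 places the LUKS passphrase in the argv of a running process, where it is readable from the process table for as long as the pipe runs; the builtin `printf '%s\n' "$lukspw" |` keeps it out of argv and, since cryptsetup reads a new passphrase from a non-tty stdin once without a verify prompt, should also make the `|| [[ $? == 141 ]]` SIGPIPE guard unnecessary (confirm in the install image). The `yes YES | cryptsetup luksFormat` pairing can likewise be replaced by `cryptsetup --batch-mode luksFormat`, which suppresses the confirmation question. Separately, root is formatted with `-c aes-cbc-essiv:sha256 -s 256` while the swap crypttab entry in this same diff uses aes-xts-plain64; if there is no grub or initramfs compatibility reason for cbc-essiv, the comment block above that documents the luks1 constraint should say so, or the cipher should be brought in line. The `if $partition` block that encloses these lines starts in an earlier hunk.
```shell
  cryptsetup --batch-mode luksFormat $(rootdev) $luks_file \
    --type luks1 -c aes-cbc-essiv:sha256 -s 256
  printf '%s\n' "$lukspw" | \
    cryptsetup luksAddKey --key-file $luks_file \
    $(rootdev)
  # … unchanged: luksOpen and the SPECIAL_DISK check …
```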
bpart ${boot_devs[@]}
else
for dev in ${devs[@]}; do
- mkfs.ext2 `grub_extdev`
- cryptsetup luksOpen `rootdev` `root-cryptname` \
- --key-file $luks_dir/host-$HOSTNAME
+ mkfs.ext2 $(grub_extdev)
+ cryptsetup luksOpen $(rootdev) $(root-cryptname) \
+ --key-file $luks_file
done
sleep 1
fi
EOF
swaps=()
for dev in ${devs[@]}; do
- swaps+=(`swap-cryptname`)
+ swaps+=($(swap-cryptname))
cat >>/tmp/fai/crypttab <<EOF
-`root-cryptname` `rootdev` none keyscript=/root/keyscript,discard,luks
-`swap-cryptname` `swapdev` /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
+$(root-cryptname) $(rootdev) none keyscript=decrypt_keyctl,discard,luks,initramfs
+$(swap-cryptname) $(swapdev) /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=ripemd160
EOF
cat >> /tmp/fai/fstab <<EOF
-`swap-cryptdev` none swap sw 0 0
+$(swap-cryptdev) none swap sw 0 0
EOF
done