From 79cd04733bf570db299ef09195c498a63f3f3fd5 Mon Sep 17 00:00:00 2001 From: Ian Kelling Date: Fri, 23 Sep 2022 20:44:36 -0400 Subject: [PATCH] fix lid close, other improvements --- README | 2 +- fai-revm | 11 +- fai/config/class/50-host-classes | 5 + fai/config/distro-install-common/end | 16 +- .../jammy-firmware/JAMMY_FIRMWARE | 3 + .../logind.conf.d/iank.conf/IANK} | 4 +- .../root/fai-check/VOL_BULLSEYE_BOOTSTRAP | 3 +- fai/config/hooks/instsoft.DEFAULT | 5 + fai/config/scripts/IANK/11-iank | 2 + fsf/close-crypt-luks-keys-loopback | 30 ---- fsf/create-vm-disk | 160 ------------------ fsf/crypt-disks-start | 30 ---- fsf/open-crypt-luks-keys-loopback | 40 ----- 13 files changed, 39 insertions(+), 272 deletions(-) create mode 100644 fai/config/files/etc/apt/preferences.d/jammy-firmware/JAMMY_FIRMWARE rename fai/config/files/etc/{logind.conf.d/iank.conf => systemd/logind.conf.d/iank.conf/IANK} (75%) delete mode 100755 fsf/close-crypt-luks-keys-loopback delete mode 100755 fsf/create-vm-disk delete mode 100755 fsf/crypt-disks-start delete mode 100755 fsf/open-crypt-luks-keys-loopback diff --git a/README b/README index fbfa4ae..304227a 100644 --- a/README +++ b/README @@ -327,7 +327,7 @@ m s iptables -t nat -A POSTROUTING -o $(ip -4 route get 8.8.8.8 | sed -nr 's,^.* change /p/c/machine_specific/vps/bind-initial/db.b8.nz faiserver 10.0.44.1 -TARGET 10.0.44.2 +TARGET_HOSTNAME 10.0.44.2 apt install isc-dhcp-server diff --git a/fai-revm b/fai-revm index a016a76..8bfb970 100755 --- a/fai-revm +++ b/fai-revm 
@@ -35,10 +35,19 @@ usage() { Setup fai or arch pxe (depending on $0 name) then start a virtual machine to test the config +todo: make it so this can run this on a network we dont control, the 2 +ways I know which could work are either running in libvirt's the nated +network, and altering the dnsmasq options for the dnsmasq that runs in +that, or giving the vm a static ip and for resolving faiserver, and then +for resolving "faiserver", either setup some static resolution in the +vm, or give it the host machine's ip as a dns server, or in general +change references of faiserver to faiserver.b8.nz (I like this idea +because it helps in other cases too). + Note, sometimes shutting down the existing demohost vm fails. Just run again if that happens. --d When doing pxe, don't do dhcp setup. Good for when we +-d When doing pxe with -p, don't do dhcp setup. Good for when we aren't on Ian's home network. -n Create new qcow2(s) for vm. Good for testing partitioning script, to ensure a blank disk. diff --git a/fai/config/class/50-host-classes b/fai/config/class/50-host-classes index 80b86b5..a59ff3b 100755 --- a/fai/config/class/50-host-classes +++ b/fai/config/class/50-host-classes @@ -74,6 +74,11 @@ echo FAIBASE STANDARD DEBIAN # # D16: for kgpe-d16 specific settings. # +# JAMMY_FIRMWARE: for trisquel install to get nonfree firmware from +# ubuntu jammy. The linux-firmware-free package in trisquel conflicts +# with the linux-firmware package in ubuntu, but you only find out after +# installing due to an error. +# # For filesystem/partitioning related classes, see comments at the top of # fai/config/hooks/partition.DEFAULT diff --git a/fai/config/distro-install-common/end b/fai/config/distro-install-common/end index f8c9d5f..22fa4f0 100755 --- a/fai/config/distro-install-common/end +++ b/fai/config/distro-install-common/end 
@@ -30,12 +30,6 @@ au() { # add user. i don't use adduser for portability
 fi
 }
-# generating a hashed password:
-# under debian, you can do
-# mkpasswd -m sha-512 -s >/q/root/shadow/standard
-# On arch, best seems to be copy your shadow file to a temp location,
-# then passwd, get out the new pass, then copy the shadow file back.
-sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
 # only setup root pass for bootstrap vol
 if ifclass VOL_BULLSEYE_BOOTSTRAP; then
@@ -45,7 +39,15 @@ fi
 # return of 9 = user already exists. so we are idempotent.
 au iank
-sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e
+# generating a hashed password:
+# under debian, you can do
+# mkpasswd -m sha-512 -s >/q/root/shadow/standard
+# On arch, best seems to be copy your shadow file to a temp location,
+# then passwd, get out the new pass, then copy the shadow file back.
+if [[ -e $root_pw_f ]]; then
+ sed 's/^/root:/' $root_pw_f | $ROOTCMD chpasswd -e
+ sed 's/^/iank:/' $root_pw_f | $ROOTCMD chpasswd -e
+fi
 au user2
 if ifclass frodo; then
diff --git a/fai/config/files/etc/apt/preferences.d/jammy-firmware/JAMMY_FIRMWARE b/fai/config/files/etc/apt/preferences.d/jammy-firmware/JAMMY_FIRMWARE
new file mode 100644
index 0000000..78205ea
--- /dev/null
+++ b/fai/config/files/etc/apt/preferences.d/jammy-firmware/JAMMY_FIRMWARE
@@ -0,0 +1,3 @@
+Package: linux-image-generic linux-firmware intel-microcode amd64-microcode
+Pin: release n=jammy,o=Ubuntu
+Pin-Priority: 1001
diff --git a/fai/config/files/etc/logind.conf.d/iank.conf b/fai/config/files/etc/systemd/logind.conf.d/iank.conf/IANK
similarity index 75%
rename from fai/config/files/etc/logind.conf.d/iank.conf
rename to fai/config/files/etc/systemd/logind.conf.d/iank.conf/IANK
index 0ddbf9f..9e7b111 100644
--- a/fai/config/files/etc/logind.conf.d/iank.conf
+++ b/fai/config/files/etc/systemd/logind.conf.d/iank.conf/IANK
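Review bot: With the new `if [[ -e $root_pw_f ]]` guard in the second hunk of distro-install-common/end, a missing hash file now silently leaves both root and iank without the password this script used to set, and nothing in the install log records that it was skipped. Add an `else` branch that warns on stderr, e.g. `else printf '%s: warning: %s not found, root/iank passwords not set\n' "$0" "$root_pw_f" >&2`, and consider `-s` instead of `-e` so an empty file is treated the same as an absent one rather than feeding chpasswd no input. Quote the expansion in both sed calls too, `sed 's/^/root:/' "$root_pw_f"`; `$root_pw_f` is assigned outside the hunk, so its value cannot be checked here.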
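Review bot: `Pin-Priority: 1001` in the new JAMMY_FIRMWARE file is above 1000, which lets apt downgrade the four listed packages to the jammy version even when a newer one is already installed, and it ties kernel and microcode updates on these hosts to whatever jammy source is configured. The commit copies /etc/apt/preferences.d via the instsoft hook but shows no matching sources.list.d entry for jammy, so confirm one is delivered by another path; without it the pin matches nothing. If downgrades are not intended, `Pin-Priority: 990` still prefers jammy over the distro's own packages. A one-line comment at the top of the file stating why these packages come from jammy (the conflict described in the 50-host-classes comment) would save the next reader a lookup.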
@@ -1,6 +1,6 @@
 # See logind.conf(5) for details.
 [Login]
 HandleLidSwitch=ignore
-# seems like a good idea.
+# seemed like a good idea when i was using psd
 # https://wiki.archlinux.org/index.php/profile-sync-daemon#I_need_more_memory_to_accommodate_my_profile/profiles_in_/run/user/xxxx._How_can_I_allocate_more?
-RuntimeDirectorySize=50%
+#RuntimeDirectorySize=50%
diff --git a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
index 1d7b5c7..6f01194 100755
--- a/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
+++ b/fai/config/files/root/fai-check/VOL_BULLSEYE_BOOTSTRAP
@@ -51,7 +51,7 @@ case $1 in
 ;;
 esac
-faiserver=${1:-faiserver}
+faiserver=${1:-faiserver.b8.nz}
 if $force; then
@@ -69,6 +69,7 @@ for dev in $(btrfs fi show / | sed -rn 's#^\s*devid\s.*\s([^0-9 ]+)\S+$#\1#p' \
 for (( i=4; i<=7; i++ )); do
 if [[ $(blockdev --getsize64 ${dev}$i) == 8388608 ]]; then
 grub_extn=${dev}$i
+ found=true
 break
 fi
 done
diff --git a/fai/config/hooks/instsoft.DEFAULT b/fai/config/hooks/instsoft.DEFAULT
index 5c7be4e..3bf0f62 100755
--- a/fai/config/hooks/instsoft.DEFAULT
+++ b/fai/config/hooks/instsoft.DEFAULT
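Review bot: `found=true` in the second VOL_BULLSEYE_BOOTSTRAP hunk is assigned inside the inner loop, but neither its initialisation nor the code that reads it is in the hunk, so confirm `found=false` is set before the outer `for dev` loop; otherwise the variable is unset on the no-match path and an `if $found` test would fail (or abort under `set -u`), and confirm the script reports when no 8 MiB grub partition is found instead of continuing with an empty `grub_extn`. The enclosing `for dev` loop starts and ends outside the hunk. While touching this loop, `"${dev}$i"` in the blockdev call and the `grub_extn` assignment should be quoted.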
@@ -11,6 +11,11 @@ if ifclass FSF; then exit 0 fi +fcopy -riB /etc/apt/preferences.d +# ian: i'm guessing fai does this already +#fcopy -riB /etc/apt/sources.list.d + + keyfile=/var/lib/fai/config/distro-install-common/luks/host-$HOSTNAME f=$target/root/keyscript cat > $f <&2; exit 1; fi -shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR - -m() { printf "%s\n" "$*"; "$@"; } - - -fs_file=/root/crypt-luks-keys-loopback -mapper_name=crypt-luks-keys-loopback - -if mountpoint /mnt2 &>/dev/null; then - m umount /mnt2 -fi -if cryptsetup status /dev/mapper/$mapper_name &>/dev/null; then - m cryptsetup luksClose /dev/mapper/$mapper_name; then -fi -l=$(losetup -l --noheadings | awk '$6 ~ /\/'$mapper_name'$/ {print $1}') -if [[ $l ]]; then - m losetup -d $l -else - echo "$0: warning: no loopback device found" >&2 -fi diff --git a/fsf/create-vm-disk b/fsf/create-vm-disk deleted file mode 100755 index 37cc45f..0000000 --- a/fsf/create-vm-disk +++ /dev/null 
@@ -1,160 +0,0 @@ -#!/bin/bash -# Copyright (C) 2022 Ian Kelling -# SPDX-License-Identifier: AGPL-3.0-or-later - -# todo: put this script and this library into ansible -source /usr/local/lib/err - -#### begin arg processing ### -usage() { - cat <&2 - usage 1 -fi - -read -r disk_type gb hostname <<<"$@" -#### end arg processing ### - -if ! type -p apg &>/dev/null; then - apt install -y apg -fi - -if ! mountpoint -q /mnt2; then - echo "$0: error: expected /mnt2 to be a mountpoint, run /root/open-crypt-luks-keys-loopback" >&2 -fi - -case $disk_type in - hdd) - volgroups=( - vgata-WDC_WD4004FZWX-00GBGB0_NHG3PK4M - vgata-ST4000DM000-1F2168_Z3028BKA - vgata-WDC_WD40EZRX-00SPEB0_WD-WCC4E0304017 - ) - ;; - sdd) - volgroups=( - vgata-Samsung_SSD_850_EVO_1TB_S3PJNB0J902536K - vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909382V - vgata-Samsung_SSD_850_EVO_1TB_S3PJNF0J909379K - ) - ;; -esac - -for vg in ${volgroups[@]}; do - lvdev=/dev/$vg/$hostname - if [[ -e $lvdev ]]; then - echo "$0: skipping creation of existing lv: $lvdev" - else - m lvcreate -L ${gb}g -n $hostname $vg - fi -done - -keyfile=/mnt2/$hostname -if [[ ! 
-s $keyfile ]]; then - apg -m 25 -x 25 -n1 | tr -d '\n' >$keyfile - # directory is already 700, just being thorough - m chmod 600 $keyfile -fi - -crypttab_err=false - -mountdir=/mnt/$hostname -mkdir -p $mountdir -integrity_devs=() -if $mdraid; then - for vg in ${volgroups[@]}; do - lvdev=/dev/$vg/$hostname - integrity_name=integrity-$vg-$hostname - integrity_dev=/dev/mapper/$integrity_name - integrity_devs+=($integrity_dev) - if [[ -e $integrity_dev ]]; then - echo "$0: skipping creation of existing integrity dev: $integrity_dev" - else - m time integritysetup --batch-mode format $lvdev - m integritysetup open --allow-discards $lvdev $integrity_name - fi - done - mddev=/dev/md/md$hostname - if [[ -e $mddev ]]; then - echo "$0: skipping creation of existing mddev: $mddev" - else - # get stable auto-assembled names - # https://serverfault.com/questions/763870/raid-device-on-rename-appended-with-0 - if ! grep -Fxq "HOMEHOST " /etc/mdadm/mdadm.conf; then - sed -i '/^ *HOMEHOST/d' /etc/mdadm/mdadm.conf - echo "HOMEHOST " >>/etc/mdadm/mdadm.conf - m update-initramfs -u -k all - fi - yes yes | m mdadm --create /dev/md/md$hostname --level 1 --raid-devices=3 ${integrity_devs[@]} || [[ $? == 141 ]] - fi - luks_name=crypt-$hostname - luks_dev=/dev/mapper/$luks_name - if [[ -e $luks_dev ]]; then - echo "$0: skipping creation of existing luks dev: $luks_dev" - else - yes YES | m cryptsetup luksFormat $mddev $keyfile || [[ $? == 141 ]] - echo appending to /etc/crypttab - echo "$luks_name $mddev $keyfile discard,luks" | tee -a /etc/crypttab - m cryptdisks_start $luks_name - fi - m mkfs.ext4 $luks_dev -else - - luks_devs=() - for vg in ${volgroups[@]}; do - lvdev=/dev/$vg/$hostname - # todo add apg to automatically installed packages - yes YES | m cryptsetup luksFormat $lvdev $keyfile || [[ $? 
== 141 ]] - luks_name=crypt-$vg-$hostname - echo appending to /etc/crypttab - line="$luks_name $lvdev $keyfile discard,luks,noauto" - if grep -Fq "$lvdev" /etc/crypttab; then - if grep -Fx "$line" /etc/crypttab; then - echo "$0: crypttab line already found ^. not adding" - else - echo "$0: error: found existing lvdev: $lvdev in /etc/crypttab that is different than expected:" - echo "$line" - echo "saving exit 1 until script completes. manual intervention required" - crypttab_err=true - fi - else - echo "appending to /etc/crypttab:" - echo "$line" | tee -a /etc/crypttab - fi - m cryptdisks_start $luks_name - luks_devs+=(/dev/mapper/$luks_name) - done - - m mkfs.btrfs -f -m raid1c3 -d raid1c3 ${luks_devs[@]} - m mount ${luks_devs[0]} $mountdir - m btrfs sub create $mountdir/root - m umount $mountdir -fi - -if $crypttab_err; then - echo "$0: crypttab error, exiting 1, see above." - exit 1 -fi diff --git a/fsf/crypt-disks-start b/fsf/crypt-disks-start deleted file mode 100755 index 7e310da..0000000 --- a/fsf/crypt-disks-start +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/bash - -# usage: $0 -# this script is idempotent - -if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi -shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR - -m() { printf "%s\n" "$*"; "$@"; } - - -lvs --noheadings -o vg_name,lv_name | while read -r vg lv; do - if [[ ! $vg || ! $lv ]]; then - continue - fi - if ! integritysetup dump /dev/$vg/$lv &>/dev/null; then - continue - fi - int_name=integrity-$vg-$lv - if integritysetup status $int_name &>/dev/null; then - continue - fi - m integritysetup open --allow-discards /dev/$vg/$lv $int_name -done - -awk '$1 !~ /^ *#/ {print $1}' /etc/crypttab | while read -r c; do - m cryptdisks_start $c -done 
diff --git a/fsf/open-crypt-luks-keys-loopback b/fsf/open-crypt-luks-keys-loopback deleted file mode 100755 index 09c85fd..0000000 --- a/fsf/open-crypt-luks-keys-loopback +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/bash - -# usage: $0 -# this script is idempotent - -# warning: changes here may affect the close version of this script - - -if ! test "$BASH_VERSION"; then echo "error: shell is not bash" >&2; exit 1; fi -shopt -s inherit_errexit 2>/dev/null ||: # ignore fail in bash < 4.4 -set -eE -o pipefail -trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" exit status: $?, PIPESTATUS: ${PIPESTATUS[*]}" >&2' ERR - -m() { printf "%s\n" "$*"; "$@"; } - - -fs_file=/root/crypt-luks-keys-loopback -mapper_name=crypt-luks-keys-loopback - -l=$(losetup -j $fs_file | sed -rn 's/^([^ ]+): .*/\1/p' | head -n1 ||:) -if [[ $l ]]; then - echo "$0: skipping losetup due to existing loopback: $l" -else - l=$(losetup -f) - m losetup $l $fs_file -fi -if cryptsetup status /dev/mapper/$mapper_name &>/dev/null; then - echo "$0: skipping cryptsetup due to existing /dev/mapper/$mapper_name" -else - if ! cryptsetup luksOpen $l $mapper_name; then - echo "$0: error luksOpen failed. detaching loopback" >&2 - m losetup -d $l - exit 1 - fi -fi -if mountpoint -q /dev/mapper/$mapper_name; then - echo "$0: skipping mount /dev/mapper/$mapper_name /mnt2 due to existing mount" -else - m mount /dev/mapper/$mapper_name /mnt2 -fi -- 2.30.2