diff --git a/docs/howto.md b/docs/howto.md
new file mode 100644
index 0000000..42cdb62
--- /dev/null
+++ b/docs/howto.md
@@ -0,0 +1,99 @@ + +# How to make rootfs writable + +1. Open Citadel terminal + +2. Su to root + + $ su + +3. Remount root as read-write + + # mount -o remount,rw / + +# How to change timezone + +1. Make rootfs writable + +2. Run Setting application in Gnome, change timezone in Details -> Date & Time + +# How to change Gnome lock screen passwd + +1. Open Citadel terminal + +2. Generate new password with openssl + + $ openssl passwd + Password: + Verifying - Password: + sGYyWXqDuh64g + +3. Su to root + + $ su + +4. Make rootfs writable + + # mount -o remount,rw / + +5. Copy new password hash into /etc/shadow + + # vim /etc/shadow + +# How to install image update + +1. Open Citadel terminal + +2. Su to root + +3. Determine if current boot is from rootfsA or rootfsB. Make sure you don't overwrite the currently mounted rootfs partition! + + # findmnt / + TARGET SOURCE FSTYPE OPTIONS + / /dev/mapper/citadel-rootfsA ext2 rw,relatime,errors=continue,user_xattr + +4. Locate the rootfs update image you want to install + + # file /storage/user-data/primary-home/citadel-image-intel-corei7-64.ext2 + /storage/user-data/primary-home/citadel-image-intel-corei7-64.ext2: Linux rev 1.0 ext2 filesystem data, UUID=d9dd20e9-9286-4c60-9dc3-37c68e36481c (large files) + +5. Write to the correct partition with dd command. + + # dd if=/storage/user-data/primary-home/citadel-image-intel-corei7-64.ext2 of=/dev/mapper/citadel-rootfsB bs=4M + 255+1 records in + 255+1 records out + 1071823872 bytes (1.1 GB, 1022 MiB) copied, 3.01726 s, 355 MB/s + +6. Sync just to be sure everything is flushed to disk, then reboot into new image. + + # sync + # reboot + +# How to have hardware graphics acceleration for applications + +1. Open Citadel terminal + +2. Su to root + +3. Make rootfs writable + + # mount -o remount,rw / + +4. Enable /dev/dri/renderD128 bind mount in primary.nspawn file + + # vim /etc/systemd/nspawn/primary.nspawn + +# How to use Qemu? + +1. Open Citadel terminal + +2. Su to root + +3. 
Make rootfs writable + + # mount -o remount,rw / + +4. Enable /dev/kvm bind mount in primary.nspawn file + + # vim /etc/systemd/nspawn/primary.nspawn + diff --git a/scripts/create_install_pack b/scripts/create_install_pack new file mode 100755 index 0000000..6084aa0 --- /dev/null +++ b/scripts/create_install_pack 
@@ -0,0 +1,59 @@ +#!/bin/bash + +SCRIPT=$(realpath ${BASH_SOURCE}) +IMAGES=$(realpath $(dirname ${SCRIPT})/../build/images/) + +image_file() { + local fname=$(readlink -f ${IMAGES}/${1}) + if [[ ! -f ${fname} ]]; then + >&2 printf "File ${fname} does not exist\n" + exit 1 + fi + printf $fname +} + + +EFIBOOT=$(image_file systemd-bootx64.efi) +KERNEL=$(image_file bzImage) +ROOTFS=$(image_file citadel-image-intel-corei7-64.ext2) +USER_ROOTFS=$(image_file ../debootstrap/user-rootfs.tar.xz) +HOWTO=$(image_file ../../docs/howto.md) +INSTALL_SH=$(image_file ../../scripts/install.sh) + +KERNEL_CMDLINE="add_efi_memmap intel_iommu=off cryptomgr.notests rcupdate.rcu_expedited=1 rcu_nocbs=0-64 tsc=reliable no_timer_check noreplace-smp i915.fastboot=1 quiet splash" + +INSTALLPACK=/tmp/installpack +BOOTPATH=${INSTALLPACK}/boot + +make_loader_conf() { + echo "default bootA" + echo "timeout 5" +} + +make_boot_conf() { + echo "title Subgraph OS (Citadel) [Root Partition ${1}]" + echo "linux /bzImage" + echo "options LABEL=Boot root=/dev/mapper/citadel-rootfs${1} ${KERNEL_CMDLINE}" +} + +setup_boot() { + mkdir -p ${BOOTPATH}/EFI/BOOT + mkdir -p ${BOOTPATH}/loader/entries + cp ${EFIBOOT} ${BOOTPATH}/EFI/BOOT/bootx64.efi + cp ${KERNEL} ${BOOTPATH}/bzImage + make_loader_conf > ${BOOTPATH}/loader/loader.conf + make_boot_conf 'A' > ${BOOTPATH}/loader/entries/bootA.conf + make_boot_conf 'B' > ${BOOTPATH}/loader/entries/bootB.conf +} + + +rm -rf /tmp/installpack +mkdir -p /tmp/installpack/components +setup_boot +cp ${ROOTFS} /tmp/installpack/components/citadel-image-rootfs.ext2 +cp ${USER_ROOTFS} /tmp/installpack/components/ +cp ${HOWTO} /tmp/installpack/components/ +cp ${INSTALL_SH} /tmp/installpack +chmod +x /tmp/installpack/install.sh + +tar -C /tmp -cvf installpack.tar installpack diff --git a/scripts/install.sh b/scripts/install.sh new file mode 100755 index 0000000..a291734 --- /dev/null +++ b/scripts/install.sh 
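Review bot: `INSTALLPACK=/tmp/installpack` is a fixed, predictable path in a shared directory that the script `rm -rf`s and then repopulates with the boot tree, rootfs and `install.sh`, so another local user who pre-creates or races that name can steer the copies or get their own files bundled into the pack; create it under `WORK=$(mktemp -d)`, set `INSTALLPACK=${WORK}/installpack` and `BOOTPATH=${INSTALLPACK}/boot`, and finish with `tar -C "${WORK}" -cvf installpack.tar installpack` instead of repeating the literal `/tmp/installpack` in the copy and tar lines. The `KERNEL_CMDLINE` written into both boot entries carries `intel_iommu=off` and `cryptomgr.notests`; on a system whose root lives on LUKS the first removes DMA isolation for peripherals and the second skips the kernel crypto self-tests, so each should carry a comment stating why it is needed, e.g. `# intel_iommu=off: <reason>; revisit once <issue> is fixed`. `image_file` also hands the resolved path to `printf` as the format string (`printf $fname`); `printf '%s' "${fname}"` avoids mis-rendering a path that contains `%`.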
@@ -0,0 +1,178 @@ +#!/bin/bash + +set -e +set -u + +blkdev_info() { + local model=$(< /sys/block/${1}/device/model) + local size=$(printf "%sG" $(( $(> 21 ))) + printf " Device: /dev/${1}\n" + printf " Size: ${size}\n" + printf " Model: ${model}\n" +} + +errormsg() { + printf "Failed: ${1}\n" + exit 1 +} + +info() { + printf "[+] ${1}\n" +} + +passphrase="" + +ask_passphrase() { + local p1 p2 + for i in {1..3} + do + read -s -p "Enter passphrase for disk encryption: " p1 + echo + read -s -p " Confirm passphrase: " p2 + echo + + if [[ ${p1} != ${p2} ]]; then + printf "THe passphrases did not match\n" + elif [[ -z ${p1} ]] ; then + printf "Passphrase cannot be empty\n" + else + passphrase=${p1} + return + fi + done + errormsg "Too many attempts, Unable to set disk encryption passphrase" +} + +confirm_device() { + if [[ ! -b ${1} ]]; then + errormsg "No block device '${1}' found" + fi + + local base=$(basename ${1}) + + if [[ ! -e /sys/block/${base}/device ]]; then + errormsg "Unable to find device path /sys/block/${base}/device" + fi + + printf "Are you sure you want to overwrite this device\n\n%s\n\n" "$(blkdev_info ${base})" + read -p "Type YES (uppercase) to continue: " confirm + if [[ ${confirm} != "YES" ]]; then + echo "Install not confirmed, exiting." 
+ exit 1 + fi +} + +LUKS_UUID="683a17fc-4457-42cc-a946-cde67195a101" + +partition_device() { + local PARTED="parted -a optimal ${1}" + ${PARTED} -s mklabel gpt + ${PARTED} mkpart boot fat32 0% 512MiB + ${PARTED} set 1 boot on + ${PARTED} mkpart data ext4 512MiB 100% + ${PARTED} set 2 lvm on +} + +setup_luks() { + # /dev/sdb2 + local TARGET_LVM=${1}2 + printf "${passphrase}" | cryptsetup -q --uuid=${LUKS_UUID} luksFormat ${TARGET_LVM} - + printf "${passphrase}" | cryptsetup open --type luks --key-file - ${TARGET_LVM} luks-install +} + +setup_lvm() { + pvcreate -ff --yes /dev/mapper/luks-install + vgcreate --yes citadel /dev/mapper/luks-install + lvcreate --yes --size 2g --name rootfsA citadel + lvcreate --yes --size 2g --name rootfsB citadel + lvcreate --yes --extents 100%VG --name storage citadel +} + +setup_disk() { + [[ $# -ne 1 ]] && usage + confirm_device ${1} + ask_passphrase + + info "Deactivating device ${1}" + blkdeactivate ${1} >> install.log 2>&1 + + info "Partitioning device ${1}" + partition_device ${1} >> install.log 2>&1 + + info "Setting up LUKS disk encryption on partition ${1}2" + setup_luks ${1} >> install.log 2>&1 + + info "Creating LVM volumes inside LUKS volume" + setup_lvm >> install.log 2>&1 + + info "Creating vfat filesystem on EFI system partition ${1}1" + mkfs.vfat -F 32 ${1}1 >> install.log 2>&1 + + info "Creating btrfs filesystem on storage volume" + mkfs.btrfs /dev/mapper/citadel-storage >> install.log 2>&1 + + lsblk -o NAME,SIZE,TYPE,FSTYPE ${1} >> install.log + +} + +unmount_disk() { + info "Closing LVM volumes" + vgchange -an citadel >> install.log 2>&1 + info "Closing LUKS volume" + cryptsetup luksClose luks-install +} + +install() { + local MNT="install-mnt" + mkdir -p install-mnt + info "Mounting EFI system partition ${1}1" + mount ${1}1 install-mnt + info "Installing boot tree to EFI system partition" + cp -R boot/* install-mnt + info "Unmounting EFI system partition" + umount ${1}1 + + local 
PRIMARY_HOME="${MNT}/user-data/primary-home" + local PRIMARY_ROOTFS="${MNT}/appimg/primary/rootfs" + + info "Mounting storage partition" + mount /dev/mapper/citadel-storage ${MNT} + + info "Installing base appimg tree" + mkdir -p ${PRIMARY_ROOTFS} + ln -s primary ${MNT}/appimg/default.appimg + tar -C ${PRIMARY_ROOTFS} -xf components/user-rootfs.tar.xz + + mkdir -p ${PRIMARY_HOME} + cp components/howto.md ${PRIMARY_HOME} + cp ${PRIMARY_ROOTFS}/home/user/{.bashrc,.profile} ${PRIMARY_HOME} + chown -R 1000:1000 ${PRIMARY_HOME} + + info "Unmounting storage partition" + umount /dev/mapper/citadel-storage + + info "Writing citadel image to rootfsA partition" + dd if=components/citadel-image-rootfs.ext2 of=/dev/mapper/citadel-rootfsA bs=4M >> install.log 2>&1 + + #info "Writing citadel image to rootfsB partition" + #dd if=components/citadel-image-rootfs.ext2 of=/dev/mapper/citadel-rootfsB bs=4M >> install.log 2>&1 +} + +usage() { + printf "Usage:\n" + printf "\t\t./install.sh []\n\n" + exit 1 +} + + +if [[ $# -eq 0 ]]; then + usage +fi + +setup_disk ${1} +install ${1} +unmount_disk +sync +info "Install completed successfully" + + diff --git a/scripts/install_image b/scripts/install_image deleted file mode 100755 index 5fe374f..0000000 --- a/scripts/install_image +++ /dev/null 
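Review bot: The passphrase reaches cryptsetup through `printf "${passphrase}"` in `setup_luks`, i.e. as the printf format string, so a passphrase containing `%` or `\` is rewritten before `luksFormat` sees it, and the user will later type the original at the boot prompt and be locked out of the disk that was just encrypted; `read -s` without `-r` in `ask_passphrase` likewise drops backslashes from what was typed. Use `printf '%s' "${passphrase}" | cryptsetup ...` on both cryptsetup lines and `read -rs -p ...` for the two prompts. The check `[[ ${p1} != ${p2} ]]` treats the unquoted right-hand side as a glob, so a confirmation entry of `*` matches any first entry and the mismatch guard passes; quote it as `[[ "${p1}" != "${p2}" ]]`. The hard-coded `LUKS_UUID` also gives every installed disk the same LUKS header UUID, which looks intentional (presumably matched by the initramfs or crypttab) but deserves a comment saying so.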
@@ -1,147 +0,0 @@ -#!/bin/bash - -# tips here https://github.com/systemd/systemd/issues/6381 - -set -u -set -e -#set -x - - -SCRIPT=$(realpath ${BASH_SOURCE}) -IMAGES=$(realpath $(dirname ${SCRIPT})/../build/images/) - -image_file() { - local fname=$(readlink -f ${IMAGES}/${1}) - if [[ ! -f ${fname} ]]; then - >&2 printf "File ${fname} does not exist\n" - exit 1 - fi - printf $fname -} - -EFIBOOT=$(image_file systemd-bootx64.efi) -KERNEL=$(image_file bzImage) -ROOTFS=$(image_file citadel-image-intel-corei7-64.ext2) - -UUID="683a17fc-4457-42cc-a946-cde67195a101" - - -KERNEL_CMDLINE="add_efi_memmap intel_iommu=off cryptomgr.notests rcupdate.rcu_expedited=1 rcu_nocbs=0-64 tsc=reliable no_timer_check noreplace-smp i915.fastboot=1 quiet splash" - -MOUNT_PATH=/tmp/citadel-boot-mount - -TARGET=/dev/sdb -TARGET_BOOT=${TARGET}1 -TARGET_LVM=${TARGET}2 -PARTED="parted -a optimal ${TARGET}" - -is_mounted() { - echo "is mounted $1" - for mnt in $(awk '{print $1}' < /proc/self/mounts); do - [[ $mnt == $1 ]] && return 0 - done - return 1 -} - -unmount_partition() { - echo "unmount partition $1" - if ! 
is_mounted $1 ; then - printf "$1 is not mounted\n" - return - fi -} - - -unmount_device() { - echo "unmount device" - for p in ${TARGET}*; do - is_mounted $p && unmount_partition $p - done - echo "done unmount device" -} - -remove_volume() { - local vg - # find volume group name - vg=$(pvs --noheadings -o vg_name ${1}) - # echo to strip whitespace - [[ -n $(echo -n ${vg}) ]] && vgremove ${vg} - pvremove ${1} -} - -remove_volumes() { - echo "remove volumes" - for p in ${TARGET}*; do - pvs ${p} && remove_volume ${p} - done - return 0 -} - -partition_device() { - ${PARTED} -s mklabel gpt - ${PARTED} mkpart boot fat32 0% 512MiB - ${PARTED} set 1 boot on - ${PARTED} mkpart data ext4 512MiB 100% - ${PARTED} set 2 lvm on - mkfs.vfat -F 32 ${TARGET_BOOT} -} - -setup_luks() { - printf "subgraph" | cryptsetup -q --uuid=${UUID} luksFormat ${TARGET_LVM} - - printf "subgraph" | cryptsetup open --type luks --key-file - ${TARGET_LVM} e1 -} - -setup_lvm() { - pvcreate -ff --yes /dev/mapper/e1 - vgcreate --yes citadel /dev/mapper/e1 - #pvcreate -ff ${TARGET_LVM} - #vgcreate --yes citadel ${TARGET_LVM} - lvcreate --yes --size 2g --name rootfsA citadel - lvcreate --yes --size 2g --name rootfsB citadel - lvcreate --yes --extents 100%VG --name storage citadel - mkfs.ext4 /dev/mapper/citadel-storage -} - -make_loader_conf() { - echo "default bootA" - echo "timeout 5" -} - -make_boot_conf() { - echo "title Subgraph OS (Airwolf Edition) [Root Partition ${1}]" - echo "linux /bzImage" - echo "options LABEL=Boot root=/dev/mapper/citadel-rootfs${1} ${KERNEL_CMDLINE}" -} - -setup_efi() { - mkdir -p ${MOUNT_PATH} - mount ${TARGET_BOOT} ${MOUNT_PATH} - mkdir -p ${MOUNT_PATH}/EFI/BOOT - mkdir -p ${MOUNT_PATH}/loader/entries - cp ${EFIBOOT} ${MOUNT_PATH}/EFI/BOOT/bootx64.efi - cp ${KERNEL} ${MOUNT_PATH}/bzImage - make_loader_conf > ${MOUNT_PATH}/loader/loader.conf - make_boot_conf 'A' > ${MOUNT_PATH}/loader/entries/bootA.conf - make_boot_conf 'B' > ${MOUNT_PATH}/loader/entries/bootB.conf - umount 
${MOUNT_PATH} - rmdir ${MOUNT_PATH} -} - -write_root() { - echo "writing rootfsA" - dd if=${ROOTFS} of=/dev/mapper/citadel-rootfsA bs=4M status=progress - sync -} - - -blkdeactivate -v ${TARGET} -unmount_device -remove_volumes -partition_device -setup_luks -setup_lvm -setup_efi -write_root - -vgchange -a n citadel -cryptsetup close e1