From c1d8c19d35e3df5bf3ebf1cddf65e3657dcce3d0 Mon Sep 17 00:00:00 2001
From: Ole Tange
Date: Mon, 1 Jun 2020 18:40:56 +0200
Subject: [PATCH] r815 re-installed.
---
 r815/SETUP | 60 ++++
 r815/etc/auto.master | 38 +++
 travel/SETUP | 25 ++
 ubuntu-20.04/etc/rc.local | 6 +
 .../etc/systemd/system/rc-local.service | 27 ++
 ubuntu-20.04/etc/udev/rules.d/99-local.rules | 4 +
 ubuntu-20.04/home/.bashrc | 245 ++++++++++++++++
 ubuntu-20.04/home/.iftoprc | 2 +
 ubuntu-20.04/home/.toprc | 15 +
 ubuntu-20.04/ | 29 +-
 ubuntu-20.04/packages | 111 ++++++++
 .../scripts/local-top/cryptroot | 261 ++++++++++++++++++
 12 files changed, 817 insertions(+), 6 deletions(-)
 create mode 100644 r815/SETUP
 create mode 100644 r815/etc/auto.master
 create mode 100644 travel/SETUP
 create mode 100644 ubuntu-20.04/etc/rc.local
 create mode 100644 ubuntu-20.04/etc/systemd/system/rc-local.service
 create mode 100644 ubuntu-20.04/etc/udev/rules.d/99-local.rules
 create mode 100644 ubuntu-20.04/home/.bashrc
 create mode 100644 ubuntu-20.04/home/.iftoprc
 create mode 100644 ubuntu-20.04/home/.toprc
 create mode 100644 ubuntu-20.04/packages
 create mode 100644 ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot
diff --git a/r815/SETUP b/r815/SETUP
new file mode 100644
index 0000000..37de812
--- /dev/null
+++ b/r815/SETUP
@@ -0,0 +1,60 @@ +UEFI boot does not work, so use legacy boot. +Installed with ubuntu-20.04-live-server-amd64.iso + +ssh-copy-id +git clone +cp configfiles/ubuntu-20.04/home/.* . +sudo cp configfiles/ubuntu-20.04/home/.* /root +bash configfiles/ubuntu-20.04/packages + +LVM_extend_to_full_disk() { + lvextend -L +10G /dev/ubuntu-vg/ubuntu-lv + resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv +} + +Change_LUKS_password_to_USB_cryptkey() { + echo oldpassword:; read oldpassword + echo secretpassword:; read secretpassword + echo newpassword:; read newpassword /sys/module/zswap/parameters/enabled +echo z3fold > /sys/module/zswap/parameters/zpool +echo 50 > /sys/module/zswap/parameters/max_pool_percent +echo lz4 > /sys/module/zswap/parameters/compressor diff --git a/ubuntu-20.04/etc/systemd/system/rc-local.service b/ubuntu-20.04/etc/systemd/system/rc-local.service new file mode 100644 index 0000000..08edf66 --- /dev/null +++ b/ubuntu-20.04/etc/systemd/system/rc-local.service @@ -0,0 +1,27 @@ +# /etc/systemd/system/rc-local.service + +# Setup: +# sudo touch /etc/rc.local +# sudo chmod +x /etc/rc.local +# sudo systemctl enable rc-local +# +# Check with: +# +# sudo systemctl start rc-local.service +# sudo systemctl status rc-local.service + + +[Unit] + Description=/etc/rc.local Compatibility + ConditionPathExists=/etc/rc.local + +[Service] + Type=forking + ExecStart=/etc/rc.local start + TimeoutSec=0 + StandardOutput=tty + RemainAfterExit=yes + SysVStartPriority=99 + +[Install] + diff --git a/ubuntu-20.04/etc/udev/rules.d/99-local.rules b/ubuntu-20.04/etc/udev/rules.d/99-local.rules new file mode 100644 index 0000000..55685c3 --- /dev/null +++ b/ubuntu-20.04/etc/udev/rules.d/99-local.rules @@ -0,0 +1,4 @@ +KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", MODE="660", GROUP="plugdev" +# Virker +# SUBSYSTEMS=="block", MODE="661", GROUP="plugdev" +# SUBSYSTEMS=="usb", MODE="662", GROUP="plugdev" 
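Review bot: The [Install] section at the end of rc-local.service is empty as shown, so the `sudo systemctl enable rc-local` step in the unit's own header comment would have nothing to hook; if that is not an artifact of this copy of the patch, add `WantedBy=multi-user.target` under `[Install]`. `SysVStartPriority=99` is a directive that recent systemd releases ignore and can be dropped. `Type=forking` expects /etc/rc.local to daemonize; for an rc.local that only echoes values into /sys, as the one in this commit appears to, `Type=oneshot` together with the existing `RemainAfterExit=yes` describes the unit more accurately.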
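Review bot: The rule `KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", MODE="660", GROUP="plugdev"` gives every plugdev member raw read and write access to any USB block device and all of its partitions, which bypasses the filesystem permissions on whatever is plugged in, including the stick that carries cryptkey.txt for the initramfs script in this commit. If that is intended, record the reason in a comment rather than the lone `# Virker` ("works"), and consider whether read-only access (`MODE="640"`) covers the use case. The two commented-out variants with MODE 661/662 look like leftover experiments and can be removed.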
diff --git a/ubuntu-20.04/home/.bashrc b/ubuntu-20.04/home/.bashrc
new file mode 100644
index 0000000..22fe150
--- /dev/null
+++ b/ubuntu-20.04/home/.bashrc
@@ -0,0 +1,245 @@ +# ~/.bashrc: executed by bash(1) for non-login shells. +# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc) +# for examples + +# If not running interactively, skip the rest +[ -z "$PS1" ] && return + +# don't put duplicate lines in the history. See bash(1) for more options +export HISTCONTROL=ignoredups + +# check the window size after each command and, if necessary, +# update the values of LINES and COLUMNS. +shopt -s checkwinsize + +# dir without cd does cd +shopt -s autocd + +# make less more friendly for non-text input files, see lesspipe(1) +[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)" + +# set variable identifying the chroot you work in (used in the prompt below) +if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then + debian_chroot=$(cat /etc/debian_chroot) +fi + +set_color_prompt() { + _colorcombos() { + PERL_HASH_SEED=109 perl -MB -e ' + use B; + # color combinations that are readable (e.g. no red on red) + @c =(map { "$_\n0\n" } + 6..7,9..11,13..15,40..51,75..87,113..123,147..159,171..231,249..254), + (map { "$_\n231\n" } + 1..9,12..13,16..45,52..81,88..116,124..151,153,160..180, + 182..185,187..189,196..214,232..252,255..254); + for(@ARGV) { + print @c[hex(B::hash($_)) % $#c]; + } + ' "$@" + } + local col=($(_colorcombos `whoami` `hostname` "`id`")) + # (bg1,fg1)=user, (bg2,fg2)=host, (bg3,fg3)=path + PS1='${debian_chroot:+($debian_chroot)}\[\033[48;5;'${col[0]}';38;5;'${col[1]}'m\]\u\[\033[00m\]\[\033[48;5;'${col[2]}';38;5;'${col[3]}'m\]@\h\[\033[00m\]:\[\033[48;5;'${col[4]}';38;5;'${col[5]}'m\]\w\[\033[00m\]\$ ' +} + +# set a fancy prompt (non-color, unless we know we "want" color) +case "$TERM" in +xterm-color) + set_color_prompt + ;; +xterm-256color) + set_color_prompt + ;; +*) + PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ' + ;; +esac + +# Comment in the above and uncomment this below for a color prompt 
+#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ ' + +# If this is an xterm set the title to user@host:dir +case "$TERM" in +xterm*|rxvt*) + PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"' + ;; +*) + ;; +esac + +# Alias definitions. +# You may want to put all your additions into a separate file like +# ~/.bash_aliases, instead of adding them here directly. +# See /usr/share/doc/bash-doc/examples in the bash-doc package. + +#if [ -f ~/.bash_aliases ]; then +# . ~/.bash_aliases +#fi + +# enable color support of ls and also add handy aliases +if [ "$TERM" != "dumb" ]; then + eval "`dircolors -b`" + alias ls='ls --color=auto' + #alias dir='ls --color=auto --format=vertical' + #alias vdir='ls --color=auto --format=long' +fi + +# some more ls aliases +#alias ll='ls -l' +#alias la='ls -A' +#alias l='ls -CF' + +# enable programmable completion features (you don't need to enable +# this, if it's already enabled in /etc/bash.bashrc and /etc/profile +# sources /etc/bash.bashrc). +#if [ -f /etc/bash_completion ]; then +# . 
/etc/bash_completion +#fi + +LS_COLORS='no=00:fi=00:di=01;34:ln=01;35:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;31:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:'; +export LS_COLORS + +#PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$  ' +#export PS1 + +PATH=$HOME/bin:$PATH:/sbin:/usr/sbin:$HOME/.local/bin:$HOME/.cargo/bin +VISUAL=em +export VISUAL +LESS=-Mqnfr +export LESS + +DEBFULLNAME="Ole Tange" +export DEBEMAIL DEBFULLNAME + +alias gi="grep -i" + +# Add sshkey to sshagent unless already done +ssha() { + if [ -e ~/.ssh/SSH_AUTH_SOCK ] ; then + SSH_AUTH_SOCK=`cat ~/.ssh/SSH_AUTH_SOCK` + fi + if [ -e ~/.ssh/SSH_AGENT_PID ] ; then + SSH_AGENT_PID=`cat ~/.ssh/SSH_AGENT_PID` + fi + if ssh-add -l ; then + true + else + eval `ssh-agent` ssh-add ~/.ssh/id*[^b] && + echo $SSH_AUTH_SOCK > ~/.ssh/SSH_AUTH_SOCK && + echo $SSH_AGENT_PID > ~/.ssh/SSH_AGENT_PID + fi +} +ssha +#export MOZ_NO_REMOTE=1 + +ORACLE_HOME=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server +PATH=$PATH:$ORACLE_HOME/bin +export ORACLE_HOME +export ORACLE_SID=XE +export PATH +LC_ALL=en_US.UTF-8 +bind 'set convert-meta off' + +PERL_MB_OPT="--install_base \"/home/tange/perl5\""; export PERL_MB_OPT; +PERL_MM_OPT="INSTALL_BASE=/home/tange/perl5"; export PERL_MM_OPT; +sh -c '(killall ibus-x11 2>/dev/null &)' + +tallia() { + echo "select '2016-06-21'::timestamp - now();" |sql pg:/// +} +. 
`which env_parallel.bash` +shopt -s globstar +GOPATH=$HOME/go +export GOPATH +MANPATH=$MANPATH:$HOME/share/man + +mgrep() { + grep -rzlP "(?s)$(printf "(?=.*?%s)" "$@")" . +} + +m2grep() { + v="$1" + shift + _mgrep() { + xargs -d "\n" grep -l "$1"; + } + find . -type f | parallel -kXq grep -l "$v" | + eval "cat $(printf "|_mgrep \"%s\"" "$@")" +} + +(play -q -n synth sine F2 sine C3 remix - fade 0 4 .1 norm -20 bend 0.5,2477,2 fade 0 4.0 0.5 2>/dev/null &) + +alias y=idok + +# gqview ui? +#export QT_SCALE_FACTOR=2 +MANPATH=$MANPATH:$HOME/share/man +export mysqlrootpass=RjQ+-ErFj4Ld + +cat </dev/null >/dev/null +( + start_tor_and_ssh() { + start_sshd_and_tor() { + sh -c `which sshd`' -p 2222 &' + sh -c 'tor &' + } + sleep 10 + # Start tor sshd on port 2222 + # But only if $HOME/.started-bash is older than 8.6 seconds + if [ -e $HOME/.started-bash ] ; then + if perl -e 'exit (0+ -M "'$HOME'/.started-bash" > 0.0001) '; then + # Short time 8.6 sec since last bash: do not start sshd + touch $HOME/.started-bash + else + start_sshd_and_tor + fi + else + start_sshd_and_tor + fi + touch $HOME/.started-bash + } + + change_keymap() { + if [ "$DISPLAY" != "" ] ; then + # Set Menu key = Mouse Button 3 + # Lenovo back/forward => PgUp/PgDown + xmodmap -e 'keycode 166=Prior' 2>/dev/null + xmodmap -e 'keycode 167=Next' 2>/dev/null + xmodmap -e "pointer = 1 3 2" 2>/dev/null + + xkbset m + xkbset exp =m + xkbcomp "$DISPLAY" - | + # Menu key = mouse button + # key { [ Menu ] }; + # => + # key { [ Pointer_Button2 ] }; + perl -pe '/key / && s/\[.*\]/ [ Pointer_Button2 ]/' | + sed -e '/interpret KP_/,/};/d' | + # Replace numpad , with . 
+ sed -e 's/ KP_Separator / period /' | + xkbcomp - "$DISPLAY" 2> >(grep -v 'No symbols defined for') + fi + } + sleep 3 + change_keymap + start_tor_and_ssh +) & +EOF + +IO() { + # Minimize output from iostat -dkx 1 + # Usage: + # IO [substring] + string="${1:-sd}" + iostat -dkx 1 | + perl -ne 'BEGIN { $| = 1; $string = shift } + s/(........)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)/$1$3$9$21/ + || +s/(........)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)/$1$4$5$16/; + /Device/ and print and next; + m^$string^ and print; +' $string; +} diff --git a/ubuntu-20.04/home/.iftoprc b/ubuntu-20.04/home/.iftoprc new file mode 100644 index 0000000..6e3cc64 --- /dev/null +++ b/ubuntu-20.04/home/.iftoprc @@ -0,0 +1,2 @@ +log-scale: yes +interface: any diff --git a/ubuntu-20.04/home/.toprc b/ubuntu-20.04/home/.toprc new file mode 100644 index 0000000..838477b --- /dev/null +++ b/ubuntu-20.04/home/.toprc 
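Review bot: `export mysqlrootpass=RjQ+-ErFj4Ld` commits a live-looking credential into a dotfile that r815/SETUP copies into the user's home and into /root, and exports it into the environment of every interactive shell, where any child process can read it. Move the value to a mode-0600 file that is read at the point of use (`mysqlrootpass=$(cat ~/.config/mysqlrootpass)` without `export`), and rotate it now that it is in git history. The `( start_tor_and_ssh ... ) &` block that launches `sshd -p 2222` and `tor` from a login shell appears to be neutralised by a `cat ... >/dev/null` heredoc ending at `EOF`, but the heredoc opener is garbled in this copy; confirm it is really dead or delete it, since a shell rc file is the wrong place to start network listeners.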
@@ -0,0 +1,15 @@ +top's Config File (Linux processes with windows) +Id:i, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0 +Def fieldscur=¥¨³´»½ÀÄ·º¹Å&')*+,-./012568<>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij + winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0 + summclr=1, msgsclr=1, headclr=3, taskclr=1 +Job fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij + winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0 + summclr=6, msgsclr=6, headclr=7, taskclr=6 +Mem fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghij + winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0 + summclr=5, msgsclr=5, headclr=4, taskclr=5 +Usr fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij + winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0 + summclr=3, msgsclr=3, headclr=2, taskclr=3 +Fixed_widest=0, Summ_mscale=2, Task_mscale=0, Zero_suppress=0 diff --git a/ubuntu-20.04/ b/ubuntu-20.04/ index a1685af..35b7370 100644 --- a/ubuntu-20.04/ +++ b/ubuntu-20.04/ @@ -6,11 +6,19 @@ # apt update # apt install openssh-server # passwd ubuntu +# +# read secretpassword +# password=`cat /mount/cryptkeys.txt` +secretpassword=${secretpassword:-MyLUKSPassword} password=${password:-MyLUKSPassword} +rootpassword=${rootpassword:-MyRootPassword} hostname=${hostname:-myhostname} DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082} +echo "$hostname $password $rootpassword $secretpassword $DISK" + +export rootpassword export password export DISK 
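Review bot: `echo "$hostname $password $rootpassword $secretpassword $DISK"` prints both LUKS passphrases and the root password to stdout, where they end up in terminal scrollback and in any log of the install run; drop the three password variables from that line or print only whether each one is set. The `${secretpassword:-MyLUKSPassword}` and `${rootpassword:-MyRootPassword}` fallbacks mean a run that forgets to set them silently produces a disk encrypted with a publicly known passphrase; `: "${secretpassword:?must be set}"` fails early instead. Note also that `password` and `secretpassword` share the same default, so both LUKS key slots set up later in setup_zpool_for_root would receive the same passphrase.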
@@ -22,16 +30,18 @@ install_build_software() {
 partitiondisk() {
 sgdisk --zap-all $DISK
- sgdisk -n2:1M:+512M -t2:EF00 $DISK
- sgdisk -a 4096 -n3:0:+2G -t3:BF01 $DISK
+ sgdisk -n2:1M:+510M -t2:EF00 $DISK
+ sgdisk -a 1048576 -n3:0:+2G -t3:BF01 $DISK
 # TODO better way to find the max size rounded to 8192
- sgdisk -a 4096 -n4:0:1953521663 -t4:8300 $DISK
+ sgdisk -a 1048576 -n4:0:$((1948254208+5242880-1)) -t4:8300 $DISK
 fdisk -l $DISK
 # Needed for partitiontable to be visible
 sleep 5
+ partprobe
 }
 setup_zpool_for_boot() {
+ zpool destroy bpool 2>/dev/null
 zpool create -f -o ashift=12 -d \
 -o feature@async_destroy=enabled \
 -o feature@bookmarks=enabled \
@@ -45,18 +55,24 @@ setup_zpool_for_boot() {
 -o feature@lz4_compress=enabled \
 -o feature@spacemap_histogram=enabled \
 -o feature@userobj_accounting=enabled \
- -o overlay=on \
 -O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \
 -O normalization=formD -O relatime=on -O xattr=sa \
 -O mountpoint=/ -R /mnt bpool ${DISK}-part3
 }
 setup_zpool_for_root() {
+ zpool destroy rpool 2>/dev/null
 cryptsetup luksClose luks1
 echo "$password" | cryptsetup -y -v luksFormat --sector-size 4096 \
- --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 3000 \
+ --pbkdf-parallel 1 \
+ --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 10000 \
 ${DISK}-part4
 echo "$password" | cryptsetup luksOpen ${DISK}-part4 luks1
+ (echo "$password"; echo "$secretpassword") |
+ cryptsetup -y -v luksAddKey \
+ --pbkdf-parallel 1 \
+ --pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \
+ ${DISK}-part4
 zpool create -o ashift=12 \
 -O acltype=posixacl -O canmount=off -O compression=lz4 \
 -O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
@@ -161,7 +177,7 @@ EOF
 adduser_group() {
 addgroup --system lpadmin
 addgroup --system sambashare
- echo "root:$password" | chpasswd
+ echo "root:$rootpassword" | chpasswd
 }
 install_grub() {
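Review bot: `sgdisk -a 1048576` sets the alignment in sectors, not bytes, so on a 512-byte-sector disk partitions 3 and 4 are aligned to 512 MiB boundaries; if 1 MiB alignment was meant, the value is `-a 2048` (sgdisk's default). The end sector `$((1948254208+5242880-1))` is still a constant for one particular disk, as the TODO above it admits; deriving it from `sgdisk -E $DISK` (last usable sector) and rounding down would make partitiondisk work on any disk. The surrounding install script continues outside this hunk.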
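Review bot: `-y` on the `luksFormat` and `luksAddKey` lines does nothing here because the passphrases arrive on a pipe — cryptsetup(8) documents --verify-passphrase as ignored for input from a file or stdin — so nothing checks `$secretpassword` before it is written to the second key slot; add `: "${secretpassword:?}"` before the `luksAddKey` and test its exit status, as the script shows no `set -e`. The `(echo "$password"; echo "$secretpassword") |` form relies on cryptsetup taking the existing and the new passphrase as two newline-terminated lines from stdin, which is worth a comment since a passphrase containing a newline would not do what the line reads as doing. `--iter-time 40000` buys roughly forty seconds of argon2id per attempt on the installing machine, and the initramfs script in this commit tries every line of cryptkeys.txt in turn, so each non-matching line pays that price; confirm the trade-off is intended. setup_zpool_for_root continues past the hunk.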
@@ -224,6 +240,7 @@ stage1() {
 doall() {
 stage1
+ modprobe efivars
 mount --rbind /dev /mnt/dev
 mount --rbind /proc /mnt/proc
 mount --rbind /sys /mnt/sys
diff --git a/ubuntu-20.04/packages b/ubuntu-20.04/packages
new file mode 100644
index 0000000..7602192
--- /dev/null
+++ b/ubuntu-20.04/packages
@@ -0,0 +1,111 @@
+# Run as normal user
+
+# Sudo
+sudo perl -i.bak -pe 's/^%sudo.*/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
+
+# add host lo
+sudo perl -i.bak -pe 's/(\s+localhost)( lo)?\b/$1 lo/' /etc/hosts
+
+sudo apt-get update
+sudo apt-get install -y ttf-mscorefonts-installer
+# start med pakker, der er kræver interaktivitet
+cat <<_EOF |grep -v '#'| sudo xargs -r -n 1 apt-get install -y
+postfix
+encfs
+cpuburn
+gnome-font-viewer
+#mdadm
+tmux
+aptitude
+sudo
+openssh-server
+ssh-server
+emacs
+emacs25-nox
+xemacs21
+xemacs
+git
+git-core
+parallel
+rsync
+bzip2
+smartmontools
+strace
+hdparm
+#sdparm
+#sg3_utils
+tcpdump
+ngrep
+iftop
+mtr
+parallel
+xfsprogs
+sysstat
+apt-file
+pv
+etckeeper
+quota
+tcptraceroute
+lzop
+pbzip2
+lzip
+autofs
+iotop
+parted
+ntpdate
+ntp
+haveged
+make
+telnet
+lynx
+mosh
+psmisc
+#owncloud-client
+htop
+#uswsusp
+#cifs-utils
+#r-base-core
+
+# Gui
+libreoffice
+vlc
+iridium
+#xfce4
+#clusterssh
+##wine
+##wine-stable
+pwgen
+chromium-browser
+# broadcom netcard
+firmware-bnx2
+firmware-b43-installer
+net-tools
+lvm2
+#xserver-xorg-input-synaptics
+uswsusp
+_EOF
+sudo apt-file update &
+locale-gen en_US.UTF-8
+
+echo will cite | parallel --citation
+sudo rm /etc/parallel/config
+mkdir ~/privat
+cd ~/privat
+git clone
+cd tangetools
+make
+sudo make install
+
+# Install font for konsole
+wget
+gnome-font-viewer DroidSansMonoWide.ttf
+sudo systemctl enable debug-shell.service
+
+
+# parted
+# resizepart
+# pvs
+# pvresize /dev/sda2
+# pvs
+# lvresize -L +100GB /dev/[VolGroup00]/root
+# resize2fs /dev/VolGroup00/root
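Review bot: `sudo systemctl enable debug-shell.service` permanently enables systemd's unauthenticated root shell on a virtual console at every boot, on a machine whose root disk this same commit goes to some length to keep under LUKS; leave it disabled and start it by hand only while diagnosing a boot problem. The `perl -i.bak -pe 's/^%sudo.*/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers` line rewrites sudoers without the syntax check visudo performs and removes the password prompt for everyone in the sudo group; a drop-in under /etc/sudoers.d validated with `visudo -cf` is the safer form, and the NOPASSWD decision deserves a comment. `git clone` and `wget` have lost their URL in this copy of the patch, so those two lines cannot be checked here.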
diff --git a/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot b/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot
new file mode 100644
index 0000000..288aa1a
--- /dev/null
+++ b/ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot
@@ -0,0 +1,261 @@ +#!/bin/sh + +PREREQ="cryptroot-prepare" + +# +# Standard initramfs preamble +# +prereqs() +{ + # Make sure that cryptroot is run last in local-top + local req + for req in "${0%/*}"/*; do + script="${req##*/}" + if [ "$script" != "${0##*/}" ]; then + printf '%s\n' "$script" + fi + done +} + +case $1 in +prereqs) + prereqs + exit 0 + ;; +esac + +. /scripts/functions + +[ -f /lib/cryptsetup/functions ] || return 0 +. /lib/cryptsetup/functions + + +# wait_for_source() +# Wait for encrypted $CRYPTTAB_SOURCE for up to 180s. Set +# $CRYPTTAB_SOURCE to its normalized device name when it shows up; +# return 1 if timeout. +wait_for_source() { + wait_for_udev 10 + + if crypttab_resolve_source; then + # the device is here already, no need to loop + return 0 + fi + + # The lines below has been taken from + # /usr/share/initramfs-tools/scripts/local's local_device_setup(), + # as suggested per + + # If the source device hasn't shown up yet, give it a little while + # to allow for asynchronous device discovery (e.g. USB). + + cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..." + + # Default delay is 180s, cf. initramfs-tools(8) + local slumber="${ROOTDELAY:-180}" + while [ $slumber -gt 0 ]; do + sleep 1 + + if [ -x /scripts/local-block/lvm2 ]; then + # activate any VG that might hold $CRYPTTAB_SOURCE + /scripts/local-block/lvm2 "$CRYPTTAB_SOURCE" + fi + + if crypttab_resolve_source; then + wait_for_udev 10 + return 0 + fi + + slumber=$(( $slumber - 1 )) + done + return 1 +} + +# setup_mapping() +# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME, +# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS. +setup_mapping() { + local dev + + # The same target can be specified multiple times + # e.g. root and resume lvs-on-lvm-on-crypto + if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then + return 0 + fi + + crypttab_parse_options --export --missing-path=fail || return 1 + + if ! 
wait_for_source; then + # we've given up + if [ -n "$panic" ]; then + panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + else + # let the user fix matters if they can + echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME." + echo " Check cryptopts=source= bootarg: cat /proc/cmdline" + echo " or missing modules, devices: cat /proc/modules; ls /dev" + panic "Dropping to a shell." + fi + return 1 # can't continue because environment is lost + fi + + # our `cryptroot-unlock` script searches for cryptsetup processes + # with a given CRYPTTAB_NAME it their environment + export CRYPTTAB_NAME + + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # no keyscript: interactive unlocking, or key file + + if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then + # skip the mapping for now if the root FS is not mounted yet + sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1 + # substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise + CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" + fi + + if [ "$CRYPTTAB_KEY" != "none" ]; then + if [ ! 
-e "$CRYPTTAB_KEY" ]; then + cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY" + return 1 + fi + # try only once if we have a key file + CRYPTTAB_OPTION_tries=1 + fi + fi + + get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device + local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv + while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then + # unlock via keyfile + unlock_mapping "$CRYPTTAB_KEY" + else + if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then + # Wait for USB to settle + /bin/sleep 3 + + # Test all devices + mkdir /mnt + echo -n "Searching for cryptkey.txt on available disks... " + local partition + for partition in `cat /proc/partitions |awk '{print $4}'|tail -n +3`; do + if mount /dev/$partition /mnt 2>/dev/null; then + cat /mnt/cryptkey.txt >> /tmp/cryptkeys.txt 2>/dev/null + umount /dev/$partition + fi + done + echo "done." + fi + + if [ -s /tmp/cryptkeys.txt ]; then + local keyfound + keyfound=0 + echo Trying keys from cryptkey.txt + for key in `cat /tmp/cryptkeys.txt`; do + if echo -n "$key" | unlock_mapping; then + # Found the key + echo Key found in cryptkey.txt + keyfound=1 + key="" + fi + done + # Remove traces of the key + rm /tmp/cryptkeys.txt + unset key + if [ "$keyfound" = "0" ]; then + # Fall back to manual entry + run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping + fi + else + # unlock interactively or via keyscript + run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping + fi + fi + rv=$? + count=$(( $count + 1 )) + + if [ $rv -ne 0 ]; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?" + sleep 1 + continue + elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping" + return 1 + fi + + if ! 
fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then + if [ "$CRYPTTAB_TYPE" != "luks" ]; then + # bad password for plain dm-crypt device? or mkfs not run yet? + cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?" + wait_for_udev 10 + /sbin/cryptsetup remove -- "$CRYPTTAB_NAME" + sleep 1 + continue + fi + elif [ "$fstype" = lvm2 ]; then + if [ ! -x /sbin/lvm ]; then + cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available" + return 1 + elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then + # activate the VG held by the PV we just unlocked + lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg" + fi + fi + + cryptsetup_message "$CRYPTTAB_NAME: set up successfully" + wait_for_udev 10 + return 0 + done + + cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded" + exit 1 +} + + +####################################################################### +# Begin real processing + +mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5) + +# Do we have any kernel boot arguments? +if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then + # ensure $TABFILE exists and has a mtime greater than the boot time + # (existing $TABFILE is preserved) + touch -- "$TABFILE" +else + # let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline + tr ' ' '\n' "$TABFILE" +fi + +# Do we have any settings from the $TABFILE? +if [ -s "$TABFILE" ]; then + # Create locking directory before invoking cryptsetup(8) to avoid warnings + mkdir -pm0700 /run/cryptsetup + modprobe -q dm_crypt + + crypttab_foreach_entry setup_mapping +fi + +exit 0
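Review bot: The key search in setup_mapping mounts every entry of /proc/partitions read-write with an autodetected filesystem type, inside the initramfs and before any passphrase has been checked, which exposes the kernel's filesystem parsers to whatever device happens to be attached at boot and lets a stray write reach the disks being protected. Restrict the mount to the key stick's expected type and to read-only, e.g. `mount -o ro,nosuid,nodev,noexec -t vfat /dev/$partition /mnt 2>/dev/null` (substituting the type the stick really carries), and run `mkdir /mnt` once rather than on every retry. The `for key in \`cat /tmp/cryptkeys.txt\`` loop word-splits and glob-expands the key lines and keeps going after a hit, so each remaining line still costs a full argon2id attempt; `while IFS= read -r key; do ...; done < /tmp/cryptkeys.txt` with a `break` after `keyfound=1` fixes both. The concatenated key file sits on the initramfs root until `rm` runs, so create it under a `umask 077` directory rather than world-readable /tmp. setup_mapping starts and ends inside this hunk.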