tange/config
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

r815 re-installed.

Browse source
This commit is contained in:
Ole Tange 2020-06-01 18:40:56 +02:00
parent 095166fe6d
commit c1d8c19d35
12 changed files with 817 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
r815/SETUP Normal file
View file

@ -0,0 +1,60 @@
UEFI boot does not work, so use legacy boot.
Installed with ubuntu-20.04-live-server-amd64.iso
ssh-copy-id
git clone 192.168.1.129:privat/configfiles
cp configfiles/ubuntu-20.04/home/.* .
sudo cp configfiles/ubuntu-20.04/home/.* /root
bash configfiles/ubuntu-20.04/packages
LVM_extend_to_full_disk() {
lvextend -L +10G /dev/ubuntu-vg/ubuntu-lv
resize2fs /dev/mapper/ubuntu--vg-ubuntu--lv
}
Change_LUKS_password_to_USB_cryptkey() {
echo oldpassword:; read oldpassword
echo secretpassword:; read secretpassword
echo newpassword:; read newpassword </mnt/cryptkey.txt
echo "$oldpassword $secretpassword $newpassword"
DISK=/dev/disk/by-path/pci-0000:05:00.0-scsi-0:2:1:0
# Add secretpassword to keyslot 2 (this will be slow to decrypt)
(echo "$oldpassword"; echo "$secretpassword") |
cryptsetup -y -v luksAddKey \
--pbkdf-parallel 1 \
--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \
${DISK}-part3
# Remove oldpassword from keyslot 1
(echo "$oldpassword") |
cryptsetup -y -v luksRemoveKey ${DISK}-part3
# Add newpassword to keyslot 1 (this will be fast to decrypt)
(echo "$secretpassword"; echo "$newpassword") |
cryptsetup -y -v luksAddKey \
--pbkdf-parallel 1 \
--pbkdf-memory 100000 --pbkdf argon2id --iter-time 1000 \
${DISK}-part3
# Check that slot 0 and 1 are in use
cryptsetup luksDump ${DISK}-part3
cryptsetup config --priority prefer --key-slot 0
# This should be fast
(echo "$newpassword"; echo "dummy") |
cryptsetup -y -v luksAddKey \
--pbkdf-parallel 1 \
--pbkdf-memory 100000 --pbkdf argon2id --iter-time 1000 \
${DISK}-part3
# This is still slow
(echo "dummy") |
cryptsetup -y -v luksRemoveKey ${DISK}-part3
}
autodecrypt() {
cd ~tange/configfiles/ubuntu-20.04/
cp usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
update-initramfs -u -k all
}

38
r815/etc/auto.master Normal file
View file

@ -0,0 +1,38 @@
#
# Sample auto.master file
# This is a 'master' automounter map and it has the following format:
# mount-point [map-type[,format]:]map [options]
# For details of the format look at auto.master(5).
#
#/misc /etc/auto.misc
#
# NOTE: mounts done from a hosts map will be mounted with the
# "nosuid" and "nodev" options unless the "suid" and "dev"
# options are explicitly given.
#
/nfs -hosts
#
# Include /etc/auto.master.d/*.autofs
# To add an extra map using this mechanism you will need to add
# two configuration items - one /etc/auto.master.d/extra.autofs file
# (using the same line format as the auto.master file)
# and a separate mount map (e.g. /etc/auto.extra or an auto.extra NIS map)
# that is referred to by the extra.autofs file.
#
+dir:/etc/auto.master.d
#
# If you have fedfs set up and the related binaries, either
# built as part of autofs or installed from another package,
# uncomment this line to use the fedfs program map to access
# your fedfs mounts.
#/nfs4 /usr/sbin/fedfs-map-nfs4 nobind
#
# Include central master map if it can be found using
# nsswitch sources.
#
# Note that if there are entries for /net or /misc (as
# above) in the included master map any keys that are the
# same will not be seen as the first read key seen takes
# precedence.
#
+auto.master

25
travel/SETUP Normal file
View file

@ -0,0 +1,25 @@
install-zfs-luks.sh
adduser tange
apt install git rsync openssh-server
ssh-copy-id
git clone 192.168.1.129:privat/configfiles
cp configfiles/ubuntu-20.04/home/.* .
apt install command-not-found
!disable suspend?
!copy ssh keys from old
!copy gnupg from old
!change boot keyboard dpkg-reconfigure keyboard-configuration
!dpkg-reconfigure uswsusp
autodecrypt() {
cd ~tange/configfiles/ubuntu-20.04/
cp usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
update-initramfs -u -k all
}

6
ubuntu-20.04/etc/rc.local Normal file
View file

@ -0,0 +1,6 @@
#!/bin/bash
echo 1 > /sys/module/zswap/parameters/enabled
echo z3fold > /sys/module/zswap/parameters/zpool
echo 50 > /sys/module/zswap/parameters/max_pool_percent
echo lz4 > /sys/module/zswap/parameters/compressor

27
ubuntu-20.04/etc/systemd/system/rc-local.service Normal file
View file

@ -0,0 +1,27 @@
# /etc/systemd/system/rc-local.service
# Setup:
# sudo touch /etc/rc.local
# sudo chmod +x /etc/rc.local
# sudo systemctl enable rc-local
#
# Check with:
#
# sudo systemctl start rc-local.service
# sudo systemctl status rc-local.service
[Unit]
Description=/etc/rc.local Compatibility
ConditionPathExists=/etc/rc.local
[Service]
Type=forking
ExecStart=/etc/rc.local start
TimeoutSec=0
StandardOutput=tty
RemainAfterExit=yes
SysVStartPriority=99
[Install]
WantedBy=multi-user.target

4
ubuntu-20.04/etc/udev/rules.d/99-local.rules Normal file
View file

@ -0,0 +1,4 @@
KERNEL=="sd[a-z]*", SUBSYSTEMS=="usb", MODE="660", GROUP="plugdev"
# Virker
# SUBSYSTEMS=="block", MODE="661", GROUP="plugdev"
# SUBSYSTEMS=="usb", MODE="662", GROUP="plugdev"

245
ubuntu-20.04/home/.bashrc Normal file
View file

@ -0,0 +1,245 @@
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, skip the rest
[ -z "$PS1" ] && return
# don't put duplicate lines in the history. See bash(1) for more options
export HISTCONTROL=ignoredups
# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize
# dir without cd does cd
shopt -s autocd
# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(lesspipe)"
# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "$debian_chroot" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi
set_color_prompt() {
_colorcombos() {
PERL_HASH_SEED=109 perl -MB -e '
use B;
# color combinations that are readable (e.g. no red on red)
@c =(map { "$_\n0\n" }
6..7,9..11,13..15,40..51,75..87,113..123,147..159,171..231,249..254),
(map { "$_\n231\n" }
1..9,12..13,16..45,52..81,88..116,124..151,153,160..180,
182..185,187..189,196..214,232..252,255..254);
for(@ARGV) {
print @c[hex(B::hash($_)) % $#c];
}
' "$@"
}
local col=($(_colorcombos `whoami` `hostname` "`id`"))
# (bg1,fg1)=user, (bg2,fg2)=host, (bg3,fg3)=path
PS1='${debian_chroot:+($debian_chroot)}\[\033[48;5;'${col[0]}';38;5;'${col[1]}'m\]\u\[\033[00m\]\[\033[48;5;'${col[2]}';38;5;'${col[3]}'m\]@\h\[\033[00m\]:\[\033[48;5;'${col[4]}';38;5;'${col[5]}'m\]\w\[\033[00m\]\$ '
}
# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color)
set_color_prompt
;;
xterm-256color)
set_color_prompt
;;
*)
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
;;
esac
# Comment in the above and uncomment this below for a color prompt
#PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME}: ${PWD/$HOME/~}\007"'
;;
*)
;;
esac
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
#if [ -f ~/.bash_aliases ]; then
# . ~/.bash_aliases
#fi
# enable color support of ls and also add handy aliases
if [ "$TERM" != "dumb" ]; then
eval "`dircolors -b`"
alias ls='ls --color=auto'
#alias dir='ls --color=auto --format=vertical'
#alias vdir='ls --color=auto --format=long'
fi
# some more ls aliases
#alias ll='ls -l'
#alias la='ls -A'
#alias l='ls -CF'
# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
#if [ -f /etc/bash_completion ]; then
# . /etc/bash_completion
#fi
LS_COLORS='no=00:fi=00:di=01;34:ln=01;35:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:tw=30;42:ow=34;42:st=37;44:ex=01;31:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.gz=01;31:*.bz2=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.avi=01;35:*.fli=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.flac=01;35:*.mp3=01;35:*.mpc=01;35:*.ogg=01;35:*.wav=01;35:';
export LS_COLORS
#PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$  '
#export PS1
PATH=$HOME/bin:$PATH:/sbin:/usr/sbin:$HOME/.local/bin:$HOME/.cargo/bin
VISUAL=em
export VISUAL
LESS=-Mqnfr
export LESS
DEBEMAIL=ole@tange.dk
DEBFULLNAME="Ole Tange"
export DEBEMAIL DEBFULLNAME
alias gi="grep -i"
# Add sshkey to sshagent unless already done
ssha() {
if [ -e ~/.ssh/SSH_AUTH_SOCK ] ; then
SSH_AUTH_SOCK=`cat ~/.ssh/SSH_AUTH_SOCK`
fi
if [ -e ~/.ssh/SSH_AGENT_PID ] ; then
SSH_AGENT_PID=`cat ~/.ssh/SSH_AGENT_PID`
fi
if ssh-add -l ; then
true
else
eval `ssh-agent` ssh-add ~/.ssh/id*[^b] &&
echo $SSH_AUTH_SOCK > ~/.ssh/SSH_AUTH_SOCK &&
echo $SSH_AGENT_PID > ~/.ssh/SSH_AGENT_PID
fi
}
ssha
#export MOZ_NO_REMOTE=1
ORACLE_HOME=/usr/lib/oracle/xe/app/oracle/product/10.2.0/server
PATH=$PATH:$ORACLE_HOME/bin
export ORACLE_HOME
export ORACLE_SID=XE
export PATH
LC_ALL=en_US.UTF-8
bind 'set convert-meta off'
PERL_MB_OPT="--install_base \"/home/tange/perl5\""; export PERL_MB_OPT;
PERL_MM_OPT="INSTALL_BASE=/home/tange/perl5"; export PERL_MM_OPT;
sh -c '(killall ibus-x11 2>/dev/null &)'
tallia() {
echo "select '2016-06-21'::timestamp - now();" |sql pg:///
}
. `which env_parallel.bash`
shopt -s globstar
GOPATH=$HOME/go
export GOPATH
MANPATH=$MANPATH:$HOME/share/man
mgrep() {
grep -rzlP "(?s)$(printf "(?=.*?%s)" "$@")" .
}
m2grep() {
v="$1"
shift
_mgrep() {
xargs -d "\n" grep -l "$1";
}
find . -type f | parallel -kXq grep -l "$v" |
eval "cat $(printf "|_mgrep \"%s\"" "$@")"
}
(play -q -n synth sine F2 sine C3 remix - fade 0 4 .1 norm -20 bend 0.5,2477,2 fade 0 4.0 0.5 2>/dev/null &)
alias y=idok
# gqview ui?
#export QT_SCALE_FACTOR=2
MANPATH=$MANPATH:$HOME/share/man
export mysqlrootpass=RjQ+-ErFj4Ld
cat <<EOF | bash 2>/dev/null >/dev/null
(
start_tor_and_ssh() {
start_sshd_and_tor() {
sh -c `which sshd`' -p 2222 &'
sh -c 'tor &'
}
sleep 10
# Start tor sshd on port 2222
# But only if $HOME/.started-bash is older than 8.6 seconds
if [ -e $HOME/.started-bash ] ; then
if perl -e 'exit (0+ -M "'$HOME'/.started-bash" > 0.0001) '; then
# Short time 8.6 sec since last bash: do not start sshd
touch $HOME/.started-bash
else
start_sshd_and_tor
fi
else
start_sshd_and_tor
fi
touch $HOME/.started-bash
}
change_keymap() {
if [ "$DISPLAY" != "" ] ; then
# Set Menu key = Mouse Button 3
# Lenovo back/forward => PgUp/PgDown
xmodmap -e 'keycode 166=Prior' 2>/dev/null
xmodmap -e 'keycode 167=Next' 2>/dev/null
xmodmap -e "pointer = 1 3 2" 2>/dev/null
xkbset m
xkbset exp =m
xkbcomp "$DISPLAY" - |
# Menu key = mouse button
# key <COMP> { [ Menu ] };
# =>
# key <COMP> { [ Pointer_Button2 ] };
perl -pe '/key <COMP>/ && s/\[.*\]/ [ Pointer_Button2 ]/' |
sed -e '/interpret KP_/,/};/d' |
# Replace numpad , with .
sed -e 's/ KP_Separator / period /' |
xkbcomp - "$DISPLAY" 2> >(grep -v 'No symbols defined for')
fi
}
sleep 3
change_keymap
start_tor_and_ssh
) &
EOF
IO() {
# Minimize output from iostat -dkx 1
# Usage:
# IO [substring]
string="${1:-sd}"
iostat -dkx 1 |
perl -ne 'BEGIN { $| = 1; $string = shift }
s/(........)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)/$1$3$9$21/
||
s/(........)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)(\s+\S+)/$1$4$5$16/;
/Device/ and print and next;
m^$string^ and print;
' $string;
}

2
ubuntu-20.04/home/.iftoprc Normal file
View file

@ -0,0 +1,2 @@
log-scale: yes
interface: any

15
ubuntu-20.04/home/.toprc Normal file
View file

@ -0,0 +1,15 @@
top's Config File (Linux processes with windows)
Id:i, Mode_altscr=0, Mode_irixps=1, Delay_time=3.0, Curwin=0
Def fieldscur=¥¨³´»½ÀÄ·º¹Å&')*+,-./012568<>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=18, maxtasks=0, graph_cpus=0, graph_mems=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=¥¦¹·º(³´Ä»½@<§Å)*+,-./012568>?ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=0, maxtasks=0, graph_cpus=0, graph_mems=0
summclr=6, msgsclr=6, headclr=7, taskclr=6
Mem fieldscur=¥º»<½¾¿ÀÁMBNÃD34·Å&'()*+,-./0125689FGHIJKLOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=21, maxtasks=0, graph_cpus=0, graph_mems=0
summclr=5, msgsclr=5, headclr=4, taskclr=5
Usr fieldscur=¥¦§¨ª°¹·ºÄÅ)+,-./1234568;<=>?@ABCFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
winflags=193844, sortindx=3, maxtasks=0, graph_cpus=0, graph_mems=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
Fixed_widest=0, Summ_mscale=2, Task_mscale=0, Zero_suppress=0

29
ubuntu-20.04/install-zfs-luks.sh
View file

@ -6,11 +6,19 @@
# apt update
# apt install openssh-server
# passwd ubuntu
#
# read secretpassword
# password=`cat /mount/cryptkeys.txt`
secretpassword=${secretpassword:-MyLUKSPassword}
password=${password:-MyLUKSPassword}
rootpassword=${rootpassword:-MyRootPassword}
hostname=${hostname:-myhostname}
DISK=${DISK:-/dev/disk/by-id/ata-ST1000LM024_HN-M101MBB_S2R8JX0D400082}
echo "$hostname $password $rootpassword $secretpassword $DISK"
export rootpassword
export password
export DISK
@ -22,16 +30,18 @@ install_build_software() {
partitiondisk() {
sgdisk --zap-all $DISK
sgdisk -n2:1M:+512M -t2:EF00 $DISK
sgdisk -a 4096 -n3:0:+2G -t3:BF01 $DISK
sgdisk -n2:1M:+510M -t2:EF00 $DISK
sgdisk -a 1048576 -n3:0:+2G -t3:BF01 $DISK
# TODO better way to find the max size rounded to 8192
sgdisk -a 4096 -n4:0:1953521663 -t4:8300 $DISK
sgdisk -a 1048576 -n4:0:$((1948254208+5242880-1)) -t4:8300 $DISK
fdisk -l $DISK
# Needed for partitiontable to be visible
sleep 5
partprobe
}
setup_zpool_for_boot() {
zpool destroy bpool 2>/dev/null
zpool create -f -o ashift=12 -d \
-o feature@async_destroy=enabled \
-o feature@bookmarks=enabled \
@ -45,18 +55,24 @@ setup_zpool_for_boot() {
-o feature@lz4_compress=enabled \
-o feature@spacemap_histogram=enabled \
-o feature@userobj_accounting=enabled \
-o overlay=on \
-O acltype=posixacl -O canmount=off -O compression=lz4 -O devices=off \
-O normalization=formD -O relatime=on -O xattr=sa \
-O mountpoint=/ -R /mnt bpool ${DISK}-part3
}
setup_zpool_for_root() {
zpool destroy rpool 2>/dev/null
cryptsetup luksClose luks1
echo "$password" | cryptsetup -y -v luksFormat --sector-size 4096 \
--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 3000 \
--pbkdf-parallel 1 \
--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 10000 \
${DISK}-part4
echo "$password" | cryptsetup luksOpen ${DISK}-part4 luks1
(echo "$password"; echo "$secretpassword") |
cryptsetup -y -v luksAddKey \
--pbkdf-parallel 1 \
--pbkdf-memory 4000000 --pbkdf argon2id --iter-time 40000 \
${DISK}-part4
zpool create -o ashift=12 \
-O acltype=posixacl -O canmount=off -O compression=lz4 \
-O dnodesize=auto -O normalization=formD -O relatime=on -O xattr=sa \
@ -161,7 +177,7 @@ EOF
adduser_group() {
addgroup --system lpadmin
addgroup --system sambashare
echo "root:$password" | chpasswd
echo "root:$rootpassword" | chpasswd
}
install_grub() {
@ -224,6 +240,7 @@ stage1() {
doall() {
stage1
modprobe efivars
mount --rbind /dev /mnt/dev
mount --rbind /proc /mnt/proc
mount --rbind /sys /mnt/sys

111
ubuntu-20.04/packages Normal file
View file

@ -0,0 +1,111 @@
# Run as normal user
# Sudo
sudo perl -i.bak -pe 's/^%sudo.*/%sudo ALL=NOPASSWD: ALL/' /etc/sudoers
# add host lo
sudo perl -i.bak -pe 's/(\s+localhost)( lo)?\b/$1 lo/' /etc/hosts
sudo apt-get update
sudo apt-get install -y ttf-mscorefonts-installer
# start med pakker, der er kræver interaktivitet
cat <<_EOF |grep -v '#'| sudo xargs -r -n 1 apt-get install -y
postfix
encfs
cpuburn
gnome-font-viewer
#mdadm
tmux
aptitude
sudo
openssh-server
ssh-server
emacs
emacs25-nox
xemacs21
xemacs
git
git-core
parallel
rsync
bzip2
smartmontools
strace
hdparm
#sdparm
#sg3_utils
tcpdump
ngrep
iftop
mtr
parallel
xfsprogs
sysstat
apt-file
pv
etckeeper
quota
tcptraceroute
lzop
pbzip2
lzip
autofs
iotop
parted
ntpdate
ntp
haveged
make
telnet
lynx
mosh
psmisc
#owncloud-client
htop
#uswsusp
#cifs-utils
#r-base-core
# Gui
libreoffice
vlc
iridium
#xfce4
#clusterssh
##wine
##wine-stable
pwgen
chromium-browser
# broadcom netcard
firmware-bnx2
firmware-b43-installer
net-tools
lvm2
#xserver-xorg-input-synaptics
uswsusp
_EOF
sudo apt-file update &
locale-gen en_US.UTF-8
echo will cite | parallel --citation
sudo rm /etc/parallel/config
mkdir ~/privat
cd ~/privat
git clone https://gitlab.com/ole.tange/tangetools.git
cd tangetools
make
sudo make install
# Install font for konsole
wget http://ole.tange.dk/linux/DroidSansMonoWide.ttf
gnome-font-viewer DroidSansMonoWide.ttf
sudo systemctl enable debug-shell.service
# parted
# resizepart
# pvs
# pvresize /dev/sda2
# pvs
# lvresize -L +100GB /dev/[VolGroup00]/root
# resize2fs /dev/VolGroup00/root

261
ubuntu-20.04/usr/share/initramfs-tools/scripts/local-top/cryptroot Normal file
View file

@ -0,0 +1,261 @@
#!/bin/sh
PREREQ="cryptroot-prepare"
#
# Standard initramfs preamble
#
prereqs()
{
# Make sure that cryptroot is run last in local-top
local req
for req in "${0%/*}"/*; do
script="${req##*/}"
if [ "$script" != "${0##*/}" ]; then
printf '%s\n' "$script"
fi
done
}
case $1 in
prereqs)
prereqs
exit 0
;;
esac
. /scripts/functions
[ -f /lib/cryptsetup/functions ] || return 0
. /lib/cryptsetup/functions
# wait_for_source()
# Wait for encrypted $CRYPTTAB_SOURCE for up to 180s. Set
# $CRYPTTAB_SOURCE to its normalized device name when it shows up;
# return 1 if timeout.
wait_for_source() {
wait_for_udev 10
if crypttab_resolve_source; then
# the device is here already, no need to loop
return 0
fi
# The lines below has been taken from
# /usr/share/initramfs-tools/scripts/local's local_device_setup(),
# as suggested per https://launchpad.net/bugs/164044
# If the source device hasn't shown up yet, give it a little while
# to allow for asynchronous device discovery (e.g. USB).
cryptsetup_message "Waiting for encrypted source device $CRYPTTAB_SOURCE..."
# Default delay is 180s, cf. initramfs-tools(8)
local slumber="${ROOTDELAY:-180}"
while [ $slumber -gt 0 ]; do
sleep 1
if [ -x /scripts/local-block/lvm2 ]; then
# activate any VG that might hold $CRYPTTAB_SOURCE
/scripts/local-block/lvm2 "$CRYPTTAB_SOURCE"
fi
if crypttab_resolve_source; then
wait_for_udev 10
return 0
fi
slumber=$(( $slumber - 1 ))
done
return 1
}
# setup_mapping()
# Set up a crypttab(5) mapping defined by $CRYPTTAB_NAME,
# $CRYPTTAB_SOURCE, $CRYPTTAB_KEY, $CRYPTTAB_OPTIONS.
setup_mapping() {
local dev
# The same target can be specified multiple times
# e.g. root and resume lvs-on-lvm-on-crypto
if dm_blkdevname "$CRYPTTAB_NAME" >/dev/null; then
return 0
fi
crypttab_parse_options --export --missing-path=fail || return 1
if ! wait_for_source; then
# we've given up
if [ -n "$panic" ]; then
panic "ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
else
# let the user fix matters if they can
echo " ALERT! encrypted source device $CRYPTTAB_SOURCE does not exist, can't unlock $CRYPTTAB_NAME."
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
echo " or missing modules, devices: cat /proc/modules; ls /dev"
panic "Dropping to a shell."
fi
return 1 # can't continue because environment is lost
fi
# our `cryptroot-unlock` script searches for cryptsetup processes
# with a given CRYPTTAB_NAME it their environment
export CRYPTTAB_NAME
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
# no keyscript: interactive unlocking, or key file
if [ "${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}" != "$CRYPTTAB_KEY" ]; then
# skip the mapping for now if the root FS is not mounted yet
sed -rn 's/^\s*[^#[:blank:]]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq -- "$rootmnt" || return 1
# substitute the "/FIXME-initramfs-rootmnt/" prefix by the real root FS mountpoint otherwise
CRYPTTAB_KEY="$rootmnt/${CRYPTTAB_KEY#/FIXME-initramfs-rootmnt/}"
fi
if [ "$CRYPTTAB_KEY" != "none" ]; then
if [ ! -e "$CRYPTTAB_KEY" ]; then
cryptsetup_message "ERROR: Skipping target $CRYPTTAB_NAME: non-existing key file $CRYPTTAB_KEY"
return 1
fi
# try only once if we have a key file
CRYPTTAB_OPTION_tries=1
fi
fi
get_crypt_type # set CRYPTTAB_TYPE to the type of crypt device
local count=0 maxtries="${CRYPTTAB_OPTION_tries:-3}" fstype vg rv
while [ $maxtries -le 0 ] || [ $count -lt $maxtries ]; do
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ] && [ "$CRYPTTAB_KEY" != "none" ]; then
# unlock via keyfile
unlock_mapping "$CRYPTTAB_KEY"
else
if [ -z "${CRYPTTAB_OPTION_keyscript+x}" ]; then
# Wait for USB to settle
/bin/sleep 3
# Test all devices
mkdir /mnt
echo -n "Searching for cryptkey.txt on available disks... "
local partition
for partition in `cat /proc/partitions |awk '{print $4}'|tail -n +3`; do
if mount /dev/$partition /mnt 2>/dev/null; then
cat /mnt/cryptkey.txt >> /tmp/cryptkeys.txt 2>/dev/null
umount /dev/$partition
fi
done
echo "done."
fi
if [ -s /tmp/cryptkeys.txt ]; then
local keyfound
keyfound=0
echo Trying keys from cryptkey.txt
for key in `cat /tmp/cryptkeys.txt`; do
if echo -n "$key" | unlock_mapping; then
# Found the key
echo Key found in cryptkey.txt
keyfound=1
key=""
fi
done
# Remove traces of the key
rm /tmp/cryptkeys.txt
unset key
if [ "$keyfound" = "0" ]; then
# Fall back to manual entry
run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping
fi
else
# unlock interactively or via keyscript
run_keyscript "$CRYPTTAB_KEY" "$count" | unlock_mapping
fi
fi
rv=$?
count=$(( $count + 1 ))
if [ $rv -ne 0 ]; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: cryptsetup failed, bad password or options?"
sleep 1
continue
elif ! dev="$(dm_blkdevname "$CRYPTTAB_NAME")"; then
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown error setting up device mapping"
return 1
fi
if ! fstype="$(get_fstype "$dev")" || [ "$fstype" = "unknown" ]; then
if [ "$CRYPTTAB_TYPE" != "luks" ]; then
# bad password for plain dm-crypt device? or mkfs not run yet?
cryptsetup_message "ERROR: $CRYPTTAB_NAME: unknown fstype, bad password or options?"
wait_for_udev 10
/sbin/cryptsetup remove -- "$CRYPTTAB_NAME"
sleep 1
continue
fi
elif [ "$fstype" = lvm2 ]; then
if [ ! -x /sbin/lvm ]; then
cryptsetup_message "WARNING: $CRYPTTAB_NAME: lvm is not available"
return 1
elif vg="$(lvm pvs --noheadings -o vg_name --config 'log{prefix=""}' -- "$dev")"; then
# activate the VG held by the PV we just unlocked
lvm lvchange -a y --sysinit --ignoreskippedcluster -- "$vg"
fi
fi
cryptsetup_message "$CRYPTTAB_NAME: set up successfully"
wait_for_udev 10
return 0
done
cryptsetup_message "ERROR: $CRYPTTAB_NAME: maximum number of tries exceeded"
exit 1
}
#######################################################################
# Begin real processing
mkdir -p /cryptroot # might not exist yet if the main system has no crypttab(5)
# Do we have any kernel boot arguments?
if ! grep -qE '^(.*\s)?cryptopts=' /proc/cmdline; then
# ensure $TABFILE exists and has a mtime greater than the boot time
# (existing $TABFILE is preserved)
touch -- "$TABFILE"
else
# let the read builtin unescape the '\' as GRUB substitutes '\' by '\\' in the cmdline
tr ' ' '\n' </proc/cmdline | sed -n 's/^cryptopts=//p' | while IFS= read cryptopts; do
# skip empty values (which can be used to disable the initramfs
# scripts for a particular boot, cf. #873840)
[ -n "$cryptopts" ] || continue
unset -v target source key options
IFS=","
for x in $cryptopts; do
case "$x" in
target=*) target="${x#target=}";;
source=*) source="${x#source=}";;
key=*) key="${x#key=}";;
*) options="${options+$options,}$x";;
esac
done
if [ -z "${source:+x}" ]; then
cryptsetup_message "ERROR: Missing source= value in kernel parameter cryptopts=$cryptopts"
else
# preserve mangling
printf '%s %s %s %s\n' "${target:-cryptroot}" "$source" "${key:-none}" "${options-}"
fi
done >"$TABFILE"
fi
# Do we have any settings from the $TABFILE?
if [ -s "$TABFILE" ]; then
# Create locking directory before invoking cryptsetup(8) to avoid warnings
mkdir -pm0700 /run/cryptsetup
modprobe -q dm_crypt
crypttab_foreach_entry setup_mapping
fi
exit 0