Revamp basic OS installation and settings for Alpine
This commit is contained in:
parent
f0afd6e596
commit
aa100397f1
154
01-basic.sh
154
01-basic.sh
@ -1,153 +1,51 @@
|
||||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
|
||||
SOURCE_DIR=$(realpath $(dirname "${0}"))/basic
|
||||
export DEBIAN_FRONTEND="noninteractive"
|
||||
|
||||
# Uninstall unnecessary packages
|
||||
apt-get -y purge bsdmainutils dictionaries-common emacsen-common iamerican ibritish ienglish-common installation-report ispell laptop-detect nano os-prober task-english tasksel tasksel-data wamerican
|
||||
|
||||
# Install useful packages
|
||||
apt-get -y update
|
||||
apt-get -y --no-install-recommends install apt-transport-https bash-completion ca-certificates curl file git htop ntp openssl sudo tree unzip vim
|
||||
|
||||
|
||||
######
|
||||
# OpenSSH and user settings
|
||||
#####
|
||||
|
||||
# Install OpenSSH server
|
||||
apt-get -y --no-install-recommends install openssh-server
|
||||
mkdir ~/.ssh
|
||||
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
|
||||
# Install packages
|
||||
apk --no-cache add docker gettext git htop kbd-misc libressl openssh-server openssh-sftp-server postfix nginx
|
||||
|
||||
# Copy profile files and settings
|
||||
mkdir /root/.ssh
|
||||
mkdir -p /root/.config/htop
|
||||
cp ${SOURCE_DIR}/root/.bashrc /root/.bashrc
|
||||
cp ${SOURCE_DIR}/root/.ssh/authorized_keys /root/.ssh/authorized_keys
|
||||
cp ${SOURCE_DIR}/root/.config/htop/htoprc /root/.config/htop/htoprc
|
||||
cp ${SOURCE_DIR}/root/.vimrc /root/.vimrc
|
||||
|
||||
# Remove default user
|
||||
deluser --remove-all-files user 2>/dev/null
|
||||
|
||||
|
||||
#####
|
||||
# System boot
|
||||
#####
|
||||
|
||||
# Rename encrypted partition
|
||||
sed -i 's/sda2_crypt/system/' /etc/crypttab
|
||||
dmsetup rename sda2_crypt system
|
||||
|
||||
# Suppress warnings during boot
|
||||
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/lvm2 /usr/share/initramfs-tools/scripts/local-top/lvm2
|
||||
cp ${SOURCE_DIR}/usr/share/initramfs-tools/scripts/local-top/cryptroot /usr/share/initramfs-tools/scripts/local-top/cryptroot
|
||||
|
||||
# Set GRUB options
|
||||
cp ${SOURCE_DIR}/etc/default/grub /etc/default/grub
|
||||
|
||||
# Set legal banner with URL + latin2 character set
|
||||
cp ${SOURCE_DIR}/etc/default/console-setup /etc/default/console-setup
|
||||
cp ${SOURCE_DIR}/etc/issue /etc/issue
|
||||
dpkg-reconfigure console-setup
|
||||
# Copy boot configuration
|
||||
cp ${SOURCE_DIR}/boot/extlinux.conf /boot/extlinux.conf
|
||||
|
||||
# Forbid login on tty1, disable tty2-6
|
||||
cp ${SOURCE_DIR}/lib/systemd/system/getty@.service /lib/systemd/system/getty@.service
|
||||
systemctl mask getty-static
|
||||
cp ${SOURCE_DIR}/etc/inittab /etc/inittab
|
||||
|
||||
# Update initramfs and GRUB
|
||||
update-initramfs -u
|
||||
update-grub
|
||||
# Enable support for Czech characters
|
||||
cp ${SOURCE_DIR}/etc/rc.conf /etc/rc.conf
|
||||
cp ${SOURCE_DIR}/etc/conf.d/consolefont /etc/conf.d/consolefont
|
||||
rc-update add consolefont boot
|
||||
|
||||
|
||||
#####
|
||||
# Postfix
|
||||
#####
|
||||
|
||||
# Preconfigure
|
||||
echo postfix postfix/main_mailer_type string "Satellite system" | debconf-set-selections
|
||||
echo postfix postfix/mailname string "$(hostname -f)" | debconf-set-selections
|
||||
echo postfix postfix/relayhost string "" | debconf-set-selections
|
||||
|
||||
# Install packages
|
||||
apt-get -y --no-install-recommends install postfix
|
||||
# Set legal banner with URL
|
||||
cp ${SOURCE_DIR}/etc/issue.template /etc/issue.template
|
||||
cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # TODO: Make executable
|
||||
|
||||
# Configure Postfix
|
||||
cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
|
||||
|
||||
# Restart services
|
||||
systemctl restart postfix
|
||||
|
||||
|
||||
#####
|
||||
# Docker
|
||||
#####
|
||||
|
||||
# Add Docker repository
|
||||
echo 'deb https://download.docker.com/linux/debian stretch stable' > /etc/apt/sources.list.d/docker.list
|
||||
wget https://download.docker.com/linux/debian/gpg -O - | apt-key add -
|
||||
apt-get -y update
|
||||
|
||||
# Install packages
|
||||
apt-get -y --no-install-recommends install docker-ce
|
||||
|
||||
# Install docker-compose
|
||||
# wget https://github.com/docker/compose/releases/download/1.17.1/docker-compose-Linux-x86_64 -O /usr/local/bin/docker-compose
|
||||
# chmod +x /usr/local/bin/docker-compose
|
||||
|
||||
|
||||
#####
|
||||
# Nginx + uWSGI
|
||||
#####
|
||||
|
||||
# Install packages
|
||||
apt-get -y --no-install-recommends install nginx-light uwsgi uwsgi-plugin-python
|
||||
# cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf
|
||||
|
||||
# Create a self-signed certificate
|
||||
mkdir /etc/ssl/private
|
||||
openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private/services.key -nodes -days 3654 -subj "/C=CZ/CN=$(hostname -f)"
|
||||
chgrp ssl-cert /etc/ssl/private/services.key
|
||||
chmod 640 /etc/ssl/private/services.key
|
||||
|
||||
# Configure nginx
|
||||
mkdir /etc/nginx/apps-available /etc/nginx/apps-enabled
|
||||
cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
|
||||
|
||||
# Workaround for web2py shutdown problem, see https://github.com/web2py/web2py/issues/1769
|
||||
sed -i 's|QUIT/30|QUIT/5|' /usr/share/uwsgi/init/specific_daemon
|
||||
# cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf
|
||||
# cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default
|
||||
|
||||
# Copy Portal resources
|
||||
cp -r ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
|
||||
cp ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager
|
||||
cp -r ${SOURCE_DIR}/srv/portal /srv/portal
|
||||
chown -R www-data:www-data /srv/portal
|
||||
|
||||
# Restart
|
||||
systemctl restart nginx
|
||||
# Configure services
|
||||
for SERVICE in docker nginx postfix sshd; do
|
||||
rc-update add ${SERVICE} boot
|
||||
service ${SERVICE} start
|
||||
done
|
||||
|
||||
#####
|
||||
# MariaDB
|
||||
#####
|
||||
|
||||
# Install packages
|
||||
apt-get -y --no-install-recommends install mariadb-server
|
||||
|
||||
# Enable query logging. Only if the DEBUG environment variable is set
|
||||
if [ ${DEBUG:-0} -eq 1 ]; then
|
||||
sed -i 's/#general_log/general_log/g' /etc/mysql/mariadb.conf.d/50-server.cnf
|
||||
fi
|
||||
|
||||
# Restart
|
||||
systemctl restart mysqld
|
||||
|
||||
|
||||
#####
|
||||
# Tomcat
|
||||
#####
|
||||
|
||||
# Install packages
|
||||
apt-get -y --no-install-recommends install libservlet3.1-java openjdk-8-jre-headless tomcat8
|
||||
|
||||
# Configure
|
||||
cp ${SOURCE_DIR}/etc/tomcat8/server.xml /etc/tomcat8/server.xml
|
||||
|
||||
# Restart
|
||||
systemctl restart tomcat8
|
||||
# TODO: Hide OpenRC output
|
||||
|
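Review bot: The rewritten script has no `set -e`/`set -u`, so a failed `apk --no-cache add ...` (the line after `# Install packages`) or a missing file under `${SOURCE_DIR}` does not stop the run, and the later `rc-update add`/`service start` loop enables services on a half-configured host; add `set -eu` directly after `#!/bin/sh` (busybox ash supports both). The `# TODO: Make executable` on the `issue-gen` copy is load-bearing: the new `basic/etc/inittab` in this same commit runs `::wait:/sbin/issue-gen`, so a non-executable file makes that entry fail at every boot — follow the `cp` with `chmod 755 /sbin/issue-gen`. `mkdir /root/.ssh` leaves the directory mode to the umask; `mkdir -m 700 /root/.ssh` and `chmod 600 /root/.ssh/authorized_keys` after the copy pin the permissions expected for root's key material. The services are added to the `boot` runlevel rather than `default`; if that is intentional it deserves a comment, since Alpine's own setup scripts put daemons such as sshd in `default` after `networking` is up.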
6
basic/boot/extlinux.conf
Normal file
6
basic/boot/extlinux.conf
Normal file
@ -0,0 +1,6 @@
|
||||
DEFAULT vm
|
||||
SAY Startuji SpotterVM...
|
||||
LABEL vm
|
||||
LINUX vmlinuz-virthardened
|
||||
INITRD initramfs-virthardened
|
||||
APPEND root=/dev/vg0/root modules=sd-mod,usb-storage,ext4 pax_nouderef quiet rootfstype=ext4 cryptroot=/dev/sda2 cryptdm=system
|
11
basic/etc/conf.d/consolefont
Normal file
11
basic/etc/conf.d/consolefont
Normal file
@ -0,0 +1,11 @@
|
||||
# The consolefont service is not activated by default. If you need to
|
||||
# use it, you should run "rc-update add consolefont boot" as root.
|
||||
#
|
||||
# consolefont specifies the default font that you'd like Linux to use on the
|
||||
# console. You can find a good selection of fonts in /usr/share/consolefonts;
|
||||
consolefont="lat2-sun16.psfu.gz"
|
||||
|
||||
# consoletranslation is the charset map file to use. Leave commented to use
|
||||
# the default one. Have a look in /usr/share/consoletrans for a selection of
|
||||
# map files you can use.
|
||||
consoletranslation="8859-2_to_uni.trans"
|
@ -1,16 +0,0 @@
|
||||
# CONFIGURATION FILE FOR SETUPCON
|
||||
|
||||
# Consult the console-setup(5) manual page.
|
||||
|
||||
ACTIVE_CONSOLES="/dev/tty[1-6]"
|
||||
|
||||
CHARMAP="UTF-8"
|
||||
|
||||
CODESET="Lat2"
|
||||
FONTFACE="Fixed"
|
||||
FONTSIZE="8x16"
|
||||
|
||||
VIDEOMODE=
|
||||
|
||||
# The following is an example how to use a braille font
|
||||
# FONT='lat9w-08.psf.gz brl-8x8.psf'
|
@ -1,34 +0,0 @@
|
||||
# If you change this file, run 'update-grub' afterwards to update
|
||||
# /boot/grub/grub.cfg.
|
||||
# For full documentation of the options in this file, see:
|
||||
# info -f grub -n 'Simple configuration'
|
||||
|
||||
GRUB_DEFAULT=0
|
||||
GRUB_TIMEOUT=0
|
||||
GRUB_RECORDFAIL_TIMEOUT=0
|
||||
GRUB_FORCE_HIDDEN_MENU="true"
|
||||
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
|
||||
GRUB_CMDLINE_LINUX_DEFAULT="quiet loglevel=0"
|
||||
GRUB_CMDLINE_LINUX=""
|
||||
|
||||
# Uncomment to enable BadRAM filtering, modify to suit your needs
|
||||
# This works with Linux (no patch required) and with any kernel that obtains
|
||||
# the memory map information from GRUB (GNU Mach, kernel of FreeBSD ...)
|
||||
#GRUB_BADRAM="0x01234567,0xfefefefe,0x89abcdef,0xefefefef"
|
||||
|
||||
# Uncomment to disable graphical terminal (grub-pc only)
|
||||
#GRUB_TERMINAL=console
|
||||
|
||||
# The resolution used on graphical terminal
|
||||
# note that you can use only modes which your graphic card supports via VBE
|
||||
# you can see them in real GRUB with the command `vbeinfo'
|
||||
#GRUB_GFXMODE=640x480
|
||||
|
||||
# Uncomment if you don't want GRUB to pass "root=UUID=xxx" parameter to Linux
|
||||
#GRUB_DISABLE_LINUX_UUID=true
|
||||
|
||||
# Uncomment to disable generation of recovery mode menu entries
|
||||
GRUB_DISABLE_RECOVERY="true"
|
||||
|
||||
# Uncomment to get a beep at grub start
|
||||
#GRUB_INIT_TUNE="480 440 1"
|
26
basic/etc/inittab
Normal file
26
basic/etc/inittab
Normal file
@ -0,0 +1,26 @@
|
||||
# /etc/inittab
|
||||
|
||||
::sysinit:/sbin/openrc sysinit
|
||||
::sysinit:/sbin/openrc boot
|
||||
::wait:/sbin/openrc default
|
||||
|
||||
# Set up a couple of getty's
|
||||
::wait:/sbin/issue-gen
|
||||
tty1::respawn:/sbin/getty -l /sbin/nologin 38400 tty1
|
||||
#tty2::respawn:/sbin/getty 38400 tty2
|
||||
#tty3::respawn:/sbin/getty 38400 tty3
|
||||
#tty4::respawn:/sbin/getty 38400 tty4
|
||||
#tty5::respawn:/sbin/getty 38400 tty5
|
||||
#tty6::respawn:/sbin/getty 38400 tty6
|
||||
|
||||
# Put a getty on the serial port
|
||||
#ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
|
||||
|
||||
# Stuff to do for the 3-finger salute
|
||||
::ctrlaltdel:/sbin/reboot
|
||||
|
||||
# Stuff to do before rebooting
|
||||
::shutdown:/sbin/openrc shutdown
|
||||
|
||||
# enable login on alternative console
|
||||
#ttyS0::respawn:/sbin/getty -L 115200 ttyS0 vt100
|
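Review bot: `::ctrlaltdel:/sbin/reboot` is kept even though this file removes interactive logins from tty1 (`-l /sbin/nologin`) and comments out tty2–6; for a console that is meant to be non-interactive, consider dropping that line so a keystroke at the console cannot reboot the host. Given the `cryptroot=` parameters in the new `basic/boot/extlinux.conf`, such a reboot presumably stalls at the passphrase prompt until someone is physically present — worth confirming. The inherited comment `# Set up a couple of getty's` no longer matches what follows; `# tty1: issue banner only, no login; tty2-6 disabled` would describe the intent.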
@ -1,11 +1,11 @@
|
||||
|
||||
[1;32m _____ _ _ _____ _ _
|
||||
/ ____| | | | | / ____| | | |
|
||||
| (___ _ __ ___ | |_| |_ ___ _ __ | | | |_ _ ___| |_ ___ _ __
|
||||
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__| | | | | | | / __| __/ _ \\ '__|
|
||||
____) | |_) | (_) | |_| || __/ | | |____| | |_| \\__ \\ || __/ |
|
||||
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\_____|_|\\__,_|___/\\__\\___|_|
|
||||
| |
|
||||
[1;32m _____ _ _ __ ____ __
|
||||
/ ____| | | | | \\ \\ / / \\/ |
|
||||
| (___ _ __ ___ | |_| |_ ___ _ _\\ \\ / /| \\ / |
|
||||
\\___ \\| '_ \\ / _ \\| __| __/ _ \\ '__\\ \\/ / | |\\/| |
|
||||
____) | |_) | (_) | |_| || __/ | \\ / | | | |
|
||||
|_____/| .__/ \\___/ \\__|\\__\\___|_| \\/ |_| |_|
|
||||
| |
|
||||
|_|[0m
|
||||
|
||||
|
||||
@ -25,7 +25,7 @@
|
||||
|
||||
|
||||
|
||||
Pro přístup k aplikacím otevřete URL [1mhttps://\4/[0m ve Vašem
|
||||
Pro přístup k aplikacím otevřete URL [1mhttps://${URL}/[0m ve Vašem
|
||||
internetovém prohlížeči.
|
||||
|
||||
|
251
basic/etc/rc.conf
Normal file
251
basic/etc/rc.conf
Normal file
@ -0,0 +1,251 @@
|
||||
# Global OpenRC configuration settings
|
||||
|
||||
# Set to "YES" if you want the rc system to try and start services
|
||||
# in parallel for a slight speed improvement. When running in parallel we
|
||||
# prefix the service output with its name as the output will get
|
||||
# jumbled up.
|
||||
# WARNING: whilst we have improved parallel, it can still potentially lock
|
||||
# the boot process. Don't file bugs about this unless you can supply
|
||||
# patches that fix it without breaking other things!
|
||||
#rc_parallel="NO"
|
||||
|
||||
# Set rc_interactive to "YES" and you'll be able to press the I key during
|
||||
# boot so you can choose to start specific services. Set to "NO" to disable
|
||||
# this feature. This feature is automatically disabled if rc_parallel is
|
||||
# set to YES.
|
||||
#rc_interactive="YES"
|
||||
|
||||
# If we need to drop to a shell, you can specify it here.
|
||||
# If not specified we use $SHELL, otherwise the one specified in /etc/passwd,
|
||||
# otherwise /bin/sh
|
||||
# Linux users could specify /sbin/sulogin
|
||||
#rc_shell=/bin/sh
|
||||
|
||||
# Do we allow any started service in the runlevel to satisfy the dependency
|
||||
# or do we want all of them regardless of state? For example, if net.eth0
|
||||
# and net.eth1 are in the default runlevel then with rc_depend_strict="NO"
|
||||
# both will be started, but services that depend on 'net' will work if either
|
||||
# one comes up. With rc_depend_strict="YES" we would require them both to
|
||||
# come up.
|
||||
#rc_depend_strict="YES"
|
||||
|
||||
# rc_hotplug controls which services we allow to be hotplugged.
|
||||
# A hotplugged service is one started by a dynamic dev manager when a matching
|
||||
# hardware device is found.
|
||||
# Hotplugged services appear in the "hotplugged" runlevel.
|
||||
# If rc_hotplug is set to any value, we compare the name of this service
|
||||
# to every pattern in the value, from left to right, and we allow the
|
||||
# service to be hotplugged if it matches a pattern, or if it matches no
|
||||
# patterns. Patterns can include shell wildcards.
|
||||
# To disable services from being hotplugged, prefix patterns with "!".
|
||||
#If rc_hotplug is not set or is empty, all hotplugging is disabled.
|
||||
# Example - rc_hotplug="net.wlan !net.*"
|
||||
# This allows net.wlan and any service not matching net.* to be hotplugged.
|
||||
# Example - rc_hotplug="!net.*"
|
||||
# This allows services that do not match "net.*" to be hotplugged.
|
||||
|
||||
# rc_logger launches a logging daemon to log the entire rc process to
|
||||
# /var/log/rc.log
|
||||
# NOTE: Linux systems require the devfs service to be started before
|
||||
# logging can take place and as such cannot log the sysinit runlevel.
|
||||
#rc_logger="NO"
|
||||
|
||||
# Through rc_log_path you can specify a custom log file.
|
||||
# The default value is: /var/log/rc.log
|
||||
#rc_log_path="/var/log/rc.log"
|
||||
|
||||
# If you want verbose output for OpenRC, set this to yes. If you want
|
||||
# verbose output for service foo only, set it to yes in /etc/conf.d/foo.
|
||||
#rc_verbose=no
|
||||
|
||||
# By default we filter the environment for our running scripts. To allow other
|
||||
# variables through, add them here. Use a * to allow all variables through.
|
||||
#rc_env_allow="VAR1 VAR2"
|
||||
|
||||
# By default we assume that all daemons will start correctly.
|
||||
# However, some do not - a classic example is that they fork and return 0 AND
|
||||
# then child barfs on a configuration error. Or the daemon has a bug and the
|
||||
# child crashes. You can set the number of milliseconds start-stop-daemon
|
||||
# waits to check that the daemon is still running after starting here.
|
||||
# The default is 0 - no checking.
|
||||
#rc_start_wait=100
|
||||
|
||||
# rc_nostop is a list of services which will not stop when changing runlevels.
|
||||
# This still allows the service itself to be stopped when called directly.
|
||||
#rc_nostop=""
|
||||
|
||||
# rc will attempt to start crashed services by default.
|
||||
# However, it will not stop them by default as that could bring down other
|
||||
# critical services.
|
||||
#rc_crashed_stop=NO
|
||||
#rc_crashed_start=YES
|
||||
|
||||
# Set rc_nocolor to yes if you do not want colors displayed in OpenRC
|
||||
# output.
|
||||
#rc_nocolor=NO
|
||||
|
||||
##############################################################################
|
||||
# MISC CONFIGURATION VARIABLES
|
||||
# There variables are shared between many init scripts
|
||||
|
||||
# Set unicode to YES to turn on unicode support for keyboards and screens.
|
||||
#unicode="NO"
|
||||
unicode="YES"
|
||||
|
||||
# This is how long fuser should wait for a remote server to respond. The
|
||||
# default is 60 seconds, but it can be adjusted here.
|
||||
#rc_fuser_timeout=60
|
||||
|
||||
# Below is the default list of network fstypes.
|
||||
#
|
||||
# afs ceph cifs coda davfs fuse fuse.sshfs gfs glusterfs lustre ncpfs
|
||||
# nfs nfs4 ocfs2 shfs smbfs
|
||||
#
|
||||
# If you would like to add to this list, you can do so by adding your
|
||||
# own fstypes to the following variable.
|
||||
#extra_net_fs_list=""
|
||||
|
||||
##############################################################################
|
||||
# SERVICE CONFIGURATION VARIABLES
|
||||
# These variables are documented here, but should be configured in
|
||||
# /etc/conf.d/foo for service foo and NOT enabled here unless you
|
||||
# really want them to work on a global basis.
|
||||
# If your service has characters in its name which are not legal in
|
||||
# shell variable names and you configure the variables for it in this
|
||||
# file, those characters should be replaced with underscores in the
|
||||
# variable names as shown below.
|
||||
|
||||
# Some daemons are started and stopped via start-stop-daemon.
|
||||
# We can set some things on a per service basis, like the nicelevel.
|
||||
#SSD_NICELEVEL="-19"
|
||||
# Or the ionice level. The format is class[:data] , just like the
|
||||
# --ionice start-stop-daemon parameter.
|
||||
#SSD_IONICELEVEL="2:2"
|
||||
|
||||
# Pass ulimit parameters
|
||||
# If you are using bash in POSIX mode for your shell, note that the
|
||||
# ulimit command uses a block size of 512 bytes for the -c and -f
|
||||
# options
|
||||
#rc_ulimit="-u 30"
|
||||
|
||||
# It's possible to define extra dependencies for services like so
|
||||
#rc_config="/etc/foo"
|
||||
#rc_need="openvpn"
|
||||
#rc_use="net.eth0"
|
||||
#rc_after="clock"
|
||||
#rc_before="local"
|
||||
#rc_provide="!net"
|
||||
|
||||
# You can also enable the above commands here for each service. Below is an
|
||||
# example for service foo.
|
||||
#rc_foo_config="/etc/foo"
|
||||
#rc_foo_need="openvpn"
|
||||
#rc_foo_after="clock"
|
||||
|
||||
# Below is an example for service foo-bar. Note that the '-' is illegal
|
||||
# in a shell variable name, so we convert it to an underscore.
|
||||
# example for service foo-bar.
|
||||
#rc_foo_bar_config="/etc/foo-bar"
|
||||
#rc_foo_bar_need="openvpn"
|
||||
#rc_foo_bar_after="clock"
|
||||
|
||||
# You can also remove dependencies.
|
||||
# This is mainly used for saying which services do NOT provide net.
|
||||
#rc_net_tap0_provide="!net"
|
||||
|
||||
# This is the subsystem type.
|
||||
# It is used to match against keywords set by the keyword call in the
|
||||
# depend function of service scripts.
|
||||
#
|
||||
# It should be set to the value representing the environment this file is
|
||||
# PRESENTLY in, not the virtualization the environment is capable of.
|
||||
# If it is commented out, automatic detection will be used.
|
||||
#
|
||||
# The list below shows all possible settings as well as the host
|
||||
# operating systems where they can be used and autodetected.
|
||||
#
|
||||
# "" - nothing special
|
||||
# "docker" - Docker container manager (Linux)
|
||||
# "jail" - Jail (DragonflyBSD or FreeBSD)
|
||||
# "lxc" - Linux Containers
|
||||
# "openvz" - Linux OpenVZ
|
||||
# "prefix" - Prefix
|
||||
# "rkt" - CoreOS container management system (Linux)
|
||||
# "subhurd" - Hurd subhurds (to be checked)
|
||||
# "systemd-nspawn" - Container created by systemd-nspawn (Linux)
|
||||
# "uml" - Usermode Linux
|
||||
# "vserver" - Linux vserver
|
||||
# "xen0" - Xen0 Domain (Linux and NetBSD)
|
||||
# "xenU" - XenU Domain (Linux and NetBSD)
|
||||
#rc_sys=""
|
||||
|
||||
# on Linux and Hurd, this is the number of ttys allocated for logins
|
||||
# It is used in the consolefont, keymaps, numlock and termencoding
|
||||
# service scripts.
|
||||
rc_tty_number=12
|
||||
|
||||
##############################################################################
|
||||
# LINUX CGROUPS RESOURCE MANAGEMENT
|
||||
|
||||
# If you have cgroups turned on in your kernel, this switch controls
|
||||
# whether or not a group for each controller is mounted under
|
||||
# /sys/fs/cgroup.
|
||||
# None of the other options in this section work if this is set to "NO".
|
||||
#rc_controller_cgroups="YES"
|
||||
|
||||
# The following settings allow you to set up values for the cgroup
|
||||
# controllers for your services.
|
||||
# They can be set in this file;, however, if you do this, the settings
|
||||
# will apply to all of your services.
|
||||
# If you want different settings for each service, place the settings in
|
||||
# /etc/conf.d/foo for service foo.
|
||||
# The format is to specify the names of the settings followed by their
|
||||
# values. Each variable can hold multiple settings.
|
||||
# For example, you would use this to set the cpu.shares setting in the
|
||||
# cpu controller to 512 for your service.
|
||||
# rc_cgroup_cpu="
|
||||
# cpu.shares 512
|
||||
# "
|
||||
#
|
||||
#For more information about the adjustments that can be made with
|
||||
#cgroups, see Documentation/cgroups/* in the linux kernel source tree.
|
||||
|
||||
# Set the blkio controller settings for this service.
|
||||
#rc_cgroup_blkio=""
|
||||
|
||||
# Set the cpu controller settings for this service.
|
||||
#rc_cgroup_cpu=""
|
||||
|
||||
# Add this service to the cpuacct controller (any value means yes).
|
||||
#rc_cgroup_cpuacct=""
|
||||
|
||||
# Set the cpuset controller settings for this service.
|
||||
#rc_cgroup_cpuset=""
|
||||
|
||||
# Set the devices controller settings for this service.
|
||||
#rc_cgroup_devices=""
|
||||
|
||||
# Set the hugetlb controller settings for this service.
|
||||
#rc_cgroup_hugetlb=""
|
||||
|
||||
# Set the memory controller settings for this service.
|
||||
#rc_cgroup_memory=""
|
||||
|
||||
# Set the net_cls controller settings for this service.
|
||||
#rc_cgroup_net_cls=""
|
||||
|
||||
# Set the net_prio controller settings for this service.
|
||||
#rc_cgroup_net_prio=""
|
||||
|
||||
# Set the pids controller settings for this service.
|
||||
#rc_cgroup_pids=""
|
||||
|
||||
# Set this to YES if you want all of the processes in a service's cgroup
|
||||
# killed when the service is stopped or restarted.
|
||||
# This should not be set globally because it kills all of the service's
|
||||
# child processes, and most of the time this is undesirable. Please set
|
||||
# it in /etc/conf.d/<service>.
|
||||
# To perform this cleanup manually for a stopped service, you can
|
||||
# execute cgroup_cleanup with /etc/init.d/<service> cgroup_cleanup or
|
||||
# rc-service <service> cgroup_cleanup.
|
||||
# rc_cgroup_cleanup="NO"
|
@ -1,169 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more
|
||||
contributor license agreements. See the NOTICE file distributed with
|
||||
this work for additional information regarding copyright ownership.
|
||||
The ASF licenses this file to You under the Apache License, Version 2.0
|
||||
(the "License"); you may not use this file except in compliance with
|
||||
the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!-- Note: A "Server" is not itself a "Container", so you may not
|
||||
define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/server.html
|
||||
-->
|
||||
<Server port="9005" shutdown="SHUTDOWN">
|
||||
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
|
||||
<!-- Security listener. Documentation at /docs/config/listeners.html
|
||||
<Listener className="org.apache.catalina.security.SecurityListener" />
|
||||
-->
|
||||
<!--APR library loader. Documentation at /docs/apr.html -->
|
||||
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
|
||||
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
|
||||
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
|
||||
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
|
||||
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
|
||||
|
||||
<!-- Global JNDI resources
|
||||
Documentation at /docs/jndi-resources-howto.html
|
||||
-->
|
||||
<GlobalNamingResources>
|
||||
<!-- Editable user database that can also be used by
|
||||
UserDatabaseRealm to authenticate users
|
||||
-->
|
||||
<Resource name="UserDatabase" auth="Container"
|
||||
type="org.apache.catalina.UserDatabase"
|
||||
description="User database that can be updated and saved"
|
||||
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
|
||||
pathname="conf/tomcat-users.xml" />
|
||||
</GlobalNamingResources>
|
||||
|
||||
<!-- A "Service" is a collection of one or more "Connectors" that share
|
||||
a single "Container" Note: A "Service" is not itself a "Container",
|
||||
so you may not define subcomponents such as "Valves" at this level.
|
||||
Documentation at /docs/config/service.html
|
||||
-->
|
||||
<Service name="Catalina">
|
||||
|
||||
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
|
||||
<!--
|
||||
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
|
||||
maxThreads="150" minSpareThreads="4"/>
|
||||
-->
|
||||
|
||||
|
||||
<!-- A "Connector" represents an endpoint by which requests are received
|
||||
and responses are returned. Documentation at :
|
||||
Java HTTP Connector: /docs/config/http.html
|
||||
Java AJP Connector: /docs/config/ajp.html
|
||||
APR (HTTP/AJP) Connector: /docs/apr.html
|
||||
Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
|
||||
-->
|
||||
<Connector address="127.0.0.1" port="9080" protocol="HTTP/1.1"
|
||||
connectionTimeout="20000"
|
||||
redirectPort="8443" />
|
||||
<!-- A "Connector" using the shared thread pool-->
|
||||
<!--
|
||||
<Connector executor="tomcatThreadPool"
|
||||
port="8080" protocol="HTTP/1.1"
|
||||
connectionTimeout="20000"
|
||||
redirectPort="8443" />
|
||||
-->
|
||||
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
|
||||
This connector uses the NIO implementation. The default
|
||||
SSLImplementation will depend on the presence of the APR/native
|
||||
library and the useOpenSSL attribute of the
|
||||
AprLifecycleListener.
|
||||
Either JSSE or OpenSSL style configuration may be used regardless of
|
||||
the SSLImplementation selected. JSSE style configuration is used below.
|
||||
-->
|
||||
<!--
|
||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
|
||||
maxThreads="150" SSLEnabled="true">
|
||||
<SSLHostConfig>
|
||||
<Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
|
||||
type="RSA" />
|
||||
</SSLHostConfig>
|
||||
</Connector>
|
||||
-->
|
||||
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
|
||||
This connector uses the APR/native implementation which always uses
|
||||
OpenSSL for TLS.
|
||||
Either JSSE or OpenSSL style configuration may be used. OpenSSL style
|
||||
configuration is used below.
|
||||
-->
|
||||
<!--
|
||||
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
|
||||
maxThreads="150" SSLEnabled="true" >
|
||||
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
|
||||
<SSLHostConfig>
|
||||
<Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
|
||||
certificateFile="conf/localhost-rsa-cert.pem"
|
||||
certificateChainFile="conf/localhost-rsa-chain.pem"
|
||||
type="RSA" />
|
||||
</SSLHostConfig>
|
||||
</Connector>
|
||||
-->
|
||||
|
||||
<!-- Define an AJP 1.3 Connector on port 8009 -->
|
||||
<!--
|
||||
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
|
||||
-->
|
||||
|
||||
|
||||
<!-- An Engine represents the entry point (within Catalina) that processes
|
||||
every request. The Engine implementation for Tomcat stand alone
|
||||
analyzes the HTTP headers included with the request, and passes them
|
||||
on to the appropriate Host (virtual host).
|
||||
Documentation at /docs/config/engine.html -->
|
||||
|
||||
<!-- You should set jvmRoute to support load-balancing via AJP ie :
|
||||
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
|
||||
-->
|
||||
<Engine name="Catalina" defaultHost="localhost">
|
||||
|
||||
<!--For clustering, please take a look at documentation at:
|
||||
/docs/cluster-howto.html (simple how to)
|
||||
/docs/config/cluster.html (reference documentation) -->
|
||||
<!--
|
||||
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
|
||||
-->
|
||||
|
||||
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
|
||||
via a brute-force attack -->
|
||||
<Realm className="org.apache.catalina.realm.LockOutRealm">
|
||||
<!-- This Realm uses the UserDatabase configured in the global JNDI
|
||||
resources under the key "UserDatabase". Any edits
|
||||
that are performed against this UserDatabase are immediately
|
||||
available for use by the Realm. -->
|
||||
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
|
||||
resourceName="UserDatabase"/>
|
||||
</Realm>
|
||||
|
||||
<Host name="localhost" appBase="webapps"
|
||||
unpackWARs="true" autoDeploy="true">
|
||||
|
||||
<!-- SingleSignOn valve, share authentication between web applications
|
||||
Documentation at: /docs/config/valve.html -->
|
||||
<!--
|
||||
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
|
||||
-->
|
||||
|
||||
<!-- Access log processes all example.
|
||||
Documentation at: /docs/config/valve.html
|
||||
Note: The pattern used is equivalent to using pattern="common" -->
|
||||
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
|
||||
prefix="localhost_access_log" suffix=".txt"
|
||||
pattern="%h %l %u %t "%r" %s %b" />
|
||||
|
||||
</Host>
|
||||
</Engine>
|
||||
</Service>
|
||||
</Server>
|
@ -1,53 +0,0 @@
|
||||
# This file is part of systemd.
|
||||
#
|
||||
# systemd is free software; you can redistribute it and/or modify it
|
||||
# under the terms of the GNU Lesser General Public License as published by
|
||||
# the Free Software Foundation; either version 2.1 of the License, or
|
||||
# (at your option) any later version.
|
||||
|
||||
[Unit]
|
||||
Description=Getty on %I
|
||||
Documentation=man:agetty(8) man:systemd-getty-generator(8)
|
||||
Documentation=http://0pointer.de/blog/projects/serial-console.html
|
||||
After=systemd-user-sessions.service plymouth-quit-wait.service
|
||||
After=rc-local.service
|
||||
|
||||
# If additional gettys are spawned during boot then we should make
|
||||
# sure that this is synchronized before getty.target, even though
|
||||
# getty.target didn't actually pull it in.
|
||||
Before=getty.target
|
||||
IgnoreOnIsolate=yes
|
||||
|
||||
# IgnoreOnIsolate causes issues with sulogin, if someone isolates
|
||||
# rescue.target or starts rescue.service from multi-user.target or
|
||||
# graphical.target.
|
||||
Conflicts=rescue.service
|
||||
Before=rescue.service
|
||||
|
||||
# On systems without virtual consoles, don't start any getty. Note
|
||||
# that serial gettys are covered by serial-getty@.service, not this
|
||||
# unit.
|
||||
ConditionPathExists=/dev/tty0
|
||||
|
||||
[Service]
|
||||
# the VT is cleared by TTYVTDisallocate
|
||||
ExecStart=-/sbin/agetty -l /usr/sbin/nologin %I $TERM
|
||||
Type=idle
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
UtmpIdentifier=%I
|
||||
TTYPath=/dev/%I
|
||||
TTYReset=yes
|
||||
TTYVHangup=yes
|
||||
TTYVTDisallocate=yes
|
||||
KillMode=process
|
||||
IgnoreSIGPIPE=no
|
||||
SendSIGHUP=yes
|
||||
|
||||
# Unset locale for the console getty since the console has problems
|
||||
# displaying some internationalized messages.
|
||||
Environment=LANG= LANGUAGE= LC_CTYPE= LC_NUMERIC= LC_TIME= LC_COLLATE= LC_MONETARY= LC_MESSAGES= LC_PAPER= LC_NAME= LC_ADDRESS= LC_TELEPHONE= LC_MEASUREMENT= LC_IDENTIFICATION=
|
||||
|
||||
[Install]
|
||||
WantedBy=getty.target
|
||||
DefaultInstance=tty1
|
@ -1,25 +0,0 @@
|
||||
shopt -s histappend
|
||||
HISTSIZE=10000
|
||||
HISTFILESIZE=20000
|
||||
HISTTIMEFORMAT="(%F %T) "
|
||||
PROMPT_COMMAND="history -a"
|
||||
|
||||
case "$TERM" in
|
||||
xterm*|rxvt*)
|
||||
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\H:\w\a\]$PS1"
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
|
||||
eval "`dircolors`"
|
||||
COLOR="--color=auto"
|
||||
|
||||
if [ -f /etc/bash_completion ]; then
|
||||
. /etc/bash_completion
|
||||
fi
|
||||
|
||||
alias ls='ls --color=auto'
|
||||
alias ll='ls -la --color=auto'
|
||||
alias l='ls -a --color=auto'
|
||||
alias grep='grep --color=auto'
|
@ -1,2 +0,0 @@
|
||||
runtime! defaults.vim
|
||||
set mouse-=a
|
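--- /dev/null
+++ b/basic/sbin/issue-gen
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+export URL=$(ip route get 1 | awk '{print $NF;exit}')
+envsubst </etc/issue.template >/etc/issue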
@ -1,425 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
PREREQ="cryptroot-prepare"
|
||||
|
||||
#
|
||||
# Standard initramfs preamble
|
||||
#
|
||||
prereqs()
|
||||
{
|
||||
# Make sure that cryptroot is run last in local-top
|
||||
for req in $(dirname $0)/*; do
|
||||
script=${req##*/}
|
||||
if [ $script != cryptroot ]; then
|
||||
echo $script
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
case $1 in
|
||||
prereqs)
|
||||
prereqs
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
# source for log_*_msg() functions, see LP: #272301
|
||||
. /scripts/functions
|
||||
|
||||
#
|
||||
# Helper functions
|
||||
#
|
||||
message()
|
||||
{
|
||||
if [ -x /bin/plymouth ] && plymouth --ping; then
|
||||
plymouth message --text="$@"
|
||||
else
|
||||
echo "$@" >&2
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
udev_settle()
|
||||
{
|
||||
# Wait for udev to be ready, see https://launchpad.net/bugs/85640
|
||||
if command -v udevadm >/dev/null 2>&1; then
|
||||
udevadm settle --timeout=30
|
||||
elif command -v udevsettle >/dev/null 2>&1; then
|
||||
udevsettle --timeout=30
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
parse_options()
|
||||
{
|
||||
local cryptopts
|
||||
cryptopts="$1"
|
||||
|
||||
if [ -z "$cryptopts" ]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Defaults
|
||||
cryptcipher=aes-cbc-essiv:sha256
|
||||
cryptsize=256
|
||||
crypthash=ripemd160
|
||||
crypttarget=cryptroot
|
||||
cryptsource=""
|
||||
cryptheader=""
|
||||
cryptlvm=""
|
||||
cryptkeyscript=""
|
||||
cryptkey="" # This is only used as an argument to an eventual keyscript
|
||||
cryptkeyslot=""
|
||||
crypttries=3
|
||||
crypttcrypt=""
|
||||
cryptveracrypt=""
|
||||
cryptrootdev=""
|
||||
cryptdiscard=""
|
||||
CRYPTTAB_OPTIONS=""
|
||||
|
||||
local IFS=" ,"
|
||||
for x in $cryptopts; do
|
||||
case $x in
|
||||
hash=*)
|
||||
crypthash=${x#hash=}
|
||||
;;
|
||||
size=*)
|
||||
cryptsize=${x#size=}
|
||||
;;
|
||||
cipher=*)
|
||||
cryptcipher=${x#cipher=}
|
||||
;;
|
||||
target=*)
|
||||
crypttarget=${x#target=}
|
||||
export CRYPTTAB_NAME="$crypttarget"
|
||||
;;
|
||||
source=*)
|
||||
cryptsource=${x#source=}
|
||||
if [ ${cryptsource#UUID=} != $cryptsource ]; then
|
||||
cryptsource="/dev/disk/by-uuid/${cryptsource#UUID=}"
|
||||
elif [ ${cryptsource#LABEL=} != $cryptsource ]; then
|
||||
cryptsource="/dev/disk/by-label/$(printf '%s' "${cryptsource#LABEL=}" | sed 's,/,\\x2f,g')"
|
||||
fi
|
||||
export CRYPTTAB_SOURCE="$cryptsource"
|
||||
;;
|
||||
header=*)
|
||||
cryptheader=${x#header=}
|
||||
if [ ! -e "$cryptheader" ] && [ -e "/conf/conf.d/cryptheader/$cryptheader" ]; then
|
||||
cryptheader="/conf/conf.d/cryptheader/$cryptheader"
|
||||
fi
|
||||
export CRYPTTAB_HEADER="$cryptheader"
|
||||
;;
|
||||
lvm=*)
|
||||
cryptlvm=${x#lvm=}
|
||||
;;
|
||||
keyscript=*)
|
||||
cryptkeyscript=${x#keyscript=}
|
||||
;;
|
||||
key=*)
|
||||
if [ "${x#key=}" != "none" ]; then
|
||||
cryptkey=${x#key=}
|
||||
fi
|
||||
export CRYPTTAB_KEY="$cryptkey"
|
||||
;;
|
||||
keyslot=*)
|
||||
cryptkeyslot=${x#keyslot=}
|
||||
;;
|
||||
tries=*)
|
||||
crypttries="${x#tries=}"
|
||||
case "$crypttries" in
|
||||
*[![:digit:].]*)
|
||||
crypttries=3
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
tcrypt)
|
||||
crypttcrypt="yes"
|
||||
;;
|
||||
veracrypt)
|
||||
cryptveracrypt="--veracrypt"
|
||||
;;
|
||||
rootdev)
|
||||
cryptrootdev="yes"
|
||||
;;
|
||||
discard)
|
||||
cryptdiscard="yes"
|
||||
;;
|
||||
esac
|
||||
PARAM="${x%=*}"
|
||||
if [ "$PARAM" = "$x" ]; then
|
||||
VALUE="yes"
|
||||
else
|
||||
VALUE="${x#*=}"
|
||||
fi
|
||||
CRYPTTAB_OPTIONS="$CRYPTTAB_OPTIONS $PARAM"
|
||||
eval export CRYPTTAB_OPTION_$PARAM="\"$VALUE\""
|
||||
done
|
||||
export CRYPTTAB_OPTIONS
|
||||
|
||||
if [ -z "$cryptsource" ]; then
|
||||
message "cryptsetup ($crypttarget): source parameter missing"
|
||||
return 1
|
||||
fi
|
||||
return 0
|
||||
}
|
||||
|
||||
activate_vg()
|
||||
{
|
||||
# Sanity checks
|
||||
if [ ! -x /sbin/lvm ]; then
|
||||
message "cryptsetup ($crypttarget): lvm is not available"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Detect and activate available volume groups
|
||||
/sbin/lvm vgscan >/dev/null 2>&1
|
||||
/sbin/lvm vgchange -a y --sysinit >/dev/null 2>&1
|
||||
return $?
|
||||
}
|
||||
|
||||
setup_mapping()
|
||||
{
|
||||
local opts count cryptopen cryptremove NEWROOT
|
||||
opts="$1"
|
||||
|
||||
if [ -z "$opts" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
parse_options "$opts" || return 1
|
||||
|
||||
if [ -z "$cryptkeyscript" ]; then
|
||||
if [ ${cryptsource#/dev/disk/by-uuid/} != $cryptsource ]; then
|
||||
# UUIDs are not very helpful
|
||||
diskname="$crypttarget"
|
||||
else
|
||||
diskname="$cryptsource ($crypttarget)"
|
||||
fi
|
||||
cryptkeyscript="/lib/cryptsetup/askpass"
|
||||
cryptkey="Please unlock disk $diskname: "
|
||||
elif ! type "$cryptkeyscript" >/dev/null; then
|
||||
message "cryptsetup ($crypttarget): error - script \"$cryptkeyscript\" missing"
|
||||
return 1
|
||||
fi
|
||||
|
||||
if [ "$cryptkeyscript" = "cat" ] && [ "${cryptkey#/root/}" != "$cryptkey" ]; then
|
||||
# skip the mapping if the root FS is not mounted yet
|
||||
sed -rn 's/^\s*[^#]\S*\s+(\S+)\s.*/\1/p' /proc/mounts | grep -Fxq "$rootmnt" || return 1
|
||||
# substitute the "/root" prefix by the real root FS mountpoint otherwise
|
||||
cryptkey="${rootmnt}/${cryptkey#/root/}"
|
||||
fi
|
||||
|
||||
if [ -n "$cryptheader" ] && ! type "$cryptheader" >/dev/null; then
|
||||
message "cryptsetup ($crypttarget): error - LUKS header \"$cryptheader\" missing"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# The same target can be specified multiple times
|
||||
# e.g. root and resume lvs-on-lvm-on-crypto
|
||||
if [ -e "/dev/mapper/$crypttarget" ]; then
|
||||
return 0
|
||||
fi
|
||||
|
||||
modprobe -q dm_crypt
|
||||
|
||||
# Make sure the cryptsource device is available
|
||||
if [ ! -e $cryptsource ]; then
|
||||
activate_vg
|
||||
fi
|
||||
|
||||
# If the encrypted source device hasn't shown up yet, give it a
|
||||
# little while to deal with removable devices
|
||||
|
||||
# the following lines below have been taken from
|
||||
# /usr/share/initramfs-tools/scripts/local, as suggested per
|
||||
# https://launchpad.net/bugs/164044
|
||||
if [ ! -e "$cryptsource" ]; then
|
||||
log_begin_msg "Waiting for encrypted source device..."
|
||||
|
||||
# Default delay is 180s
|
||||
if [ -z "${ROOTDELAY}" ]; then
|
||||
slumber=180
|
||||
else
|
||||
slumber=${ROOTDELAY}
|
||||
fi
|
||||
|
||||
slumber=$(( ${slumber} * 10 ))
|
||||
while [ ! -e "$cryptsource" ]; do
|
||||
# retry for LVM devices every 10 seconds
|
||||
if [ ${slumber} -eq $(( ${slumber}/100*100 )) ]; then
|
||||
activate_vg
|
||||
fi
|
||||
|
||||
/bin/sleep 0.1
|
||||
slumber=$(( ${slumber} - 1 ))
|
||||
[ ${slumber} -gt 0 ] || break
|
||||
done
|
||||
|
||||
if [ ${slumber} -gt 0 ]; then
|
||||
log_end_msg 0
|
||||
else
|
||||
log_end_msg 1 || true
|
||||
fi
|
||||
fi
|
||||
udev_settle
|
||||
|
||||
# We've given up, but we'll let the user fix matters if they can
|
||||
if [ ! -e "${cryptsource}" ]; then
|
||||
|
||||
echo " ALERT! ${cryptsource} does not exist."
|
||||
echo " Check cryptopts=source= bootarg: cat /proc/cmdline"
|
||||
echo " or missing modules, devices: cat /proc/modules; ls /dev"
|
||||
panic -r "Dropping to a shell. Will skip ${cryptsource} if you can't fix."
|
||||
fi
|
||||
|
||||
if [ ! -e "${cryptsource}" ]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
|
||||
# Prepare commands
|
||||
cryptopen="/sbin/cryptsetup -T 1"
|
||||
if [ "$cryptdiscard" = "yes" ]; then
|
||||
cryptopen="$cryptopen --allow-discards"
|
||||
fi
|
||||
if [ -n "$cryptheader" ]; then
|
||||
cryptopen="$cryptopen --header=$cryptheader"
|
||||
fi
|
||||
if [ -n "$cryptkeyslot" ]; then
|
||||
cryptopen="$cryptopen --key-slot=$cryptkeyslot"
|
||||
fi
|
||||
if /sbin/cryptsetup isLuks ${cryptheader:-$cryptsource} >/dev/null 2>&1; then
|
||||
cryptopen="$cryptopen open --type luks $cryptsource $crypttarget --key-file=-"
|
||||
elif [ "$crypttcrypt" = "yes" ]; then
|
||||
cryptopen="$cryptopen open --type tcrypt $cryptveracrypt $cryptsource $crypttarget"
|
||||
else
|
||||
cryptopen="$cryptopen -c $cryptcipher -s $cryptsize -h $crypthash open --type plain $cryptsource $crypttarget --key-file=-"
|
||||
fi
|
||||
cryptremove="/sbin/cryptsetup remove $crypttarget"
|
||||
NEWROOT="/dev/mapper/$crypttarget"
|
||||
|
||||
# Try to get a satisfactory password $crypttries times
|
||||
count=0
|
||||
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do
|
||||
export CRYPTTAB_TRIED="$count"
|
||||
count=$(( $count + 1 ))
|
||||
|
||||
if [ ! -e "$NEWROOT" ]; then
|
||||
if ! crypttarget="$crypttarget" cryptsource="$cryptsource" \
|
||||
$cryptkeyscript "$cryptkey" | $cryptopen; then
|
||||
message "cryptsetup ($crypttarget): cryptsetup failed, bad password or options?"
|
||||
continue
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ ! -e "$NEWROOT" ]; then
|
||||
message "cryptsetup ($crypttarget): unknown error setting up device mapping"
|
||||
return 1
|
||||
fi
|
||||
|
||||
#FSTYPE=''
|
||||
#eval $(fstype < "$NEWROOT")
|
||||
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
|
||||
|
||||
# See if we need to setup lvm on the crypto device
|
||||
#if [ "$FSTYPE" = "lvm" ] || [ "$FSTYPE" = "lvm2" ]; then
|
||||
if [ "$FSTYPE" = "LVM_member" ] || [ "$FSTYPE" = "LVM2_member" ]; then
|
||||
if [ -z "$cryptlvm" ]; then
|
||||
message "cryptsetup ($crypttarget): lvm fs found but no lvm configured"
|
||||
return 1
|
||||
elif ! activate_vg; then
|
||||
# disable error message, LP: #151532
|
||||
#message "cryptsetup ($crypttarget): failed to setup lvm device"
|
||||
return 1
|
||||
fi
|
||||
|
||||
# Apparently ROOT is already set in /conf/param.conf for
|
||||
# flashed kernels at least. See bugreport #759720.
|
||||
if [ -f /conf/param.conf ] && grep -q "^ROOT=" /conf/param.conf; then
|
||||
NEWROOT=$(sed -n 's/^ROOT=//p' /conf/param.conf)
|
||||
else
|
||||
NEWROOT=${cmdline_root:-/dev/mapper/$cryptlvm}
|
||||
if [ "$cryptrootdev" = "yes" ]; then
|
||||
# required for lilo to find the root device
|
||||
echo "ROOT=$NEWROOT" >>/conf/param.conf
|
||||
fi
|
||||
fi
|
||||
#eval $(fstype < "$NEWROOT")
|
||||
FSTYPE="$(/sbin/blkid -s TYPE -o value "$NEWROOT")"
|
||||
fi
|
||||
|
||||
#if [ -z "$FSTYPE" ] || [ "$FSTYPE" = "unknown" ]; then
|
||||
if [ -z "$FSTYPE" ]; then
|
||||
message "cryptsetup ($crypttarget): unknown fstype, bad password or options?"
|
||||
udev_settle
|
||||
$cryptremove
|
||||
continue
|
||||
fi
|
||||
|
||||
# decrease $count by 1, apparently last try was successful.
|
||||
count=$(( $count - 1 ))
|
||||
|
||||
message "cryptsetup ($crypttarget): set up successfully"
|
||||
break
|
||||
done
|
||||
|
||||
failsleep=60 # make configurable later?
|
||||
|
||||
if [ "$cryptrootdev" = "yes" ] && [ $crypttries -gt 0 ] && [ $count -ge $crypttries ]; then
|
||||
message "cryptsetup ($crypttarget): maximum number of tries exceeded"
|
||||
message "cryptsetup: going to sleep for $failsleep seconds..."
|
||||
sleep $failsleep
|
||||
exit 1
|
||||
fi
|
||||
|
||||
udev_settle
|
||||
return 0
|
||||
}
|
||||
|
||||
#
|
||||
# Begin real processing
|
||||
#
|
||||
|
||||
# Do we have any kernel boot arguments?
|
||||
cmdline_cryptopts=''
|
||||
unset cmdline_root
|
||||
for opt in $(cat /proc/cmdline); do
|
||||
case $opt in
|
||||
cryptopts=*)
|
||||
opt="${opt#cryptopts=}"
|
||||
if [ -n "$opt" ]; then
|
||||
if [ -n "$cmdline_cryptopts" ]; then
|
||||
cmdline_cryptopts="$cmdline_cryptopts $opt"
|
||||
else
|
||||
cmdline_cryptopts="$opt"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
root=*)
|
||||
opt="${opt#root=}"
|
||||
case $opt in
|
||||
/*) # Absolute path given. Not lilo major/minor number.
|
||||
cmdline_root=$opt
|
||||
;;
|
||||
*) # lilo major/minor number (See #398957). Ignore
|
||||
esac
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ -n "$cmdline_cryptopts" ]; then
|
||||
# Call setup_mapping separately for each possible cryptopts= setting
|
||||
for cryptopt in $cmdline_cryptopts; do
|
||||
setup_mapping "$cryptopt"
|
||||
done
|
||||
exit 0
|
||||
fi
|
||||
|
||||
# Do we have any settings from the /conf/conf.d/cryptroot file?
|
||||
if [ -r /conf/conf.d/cryptroot ]; then
|
||||
while read mapping <&3; do
|
||||
setup_mapping "$mapping" 3<&-
|
||||
done 3< /conf/conf.d/cryptroot
|
||||
fi
|
||||
|
||||
exit 0
|
@ -1,65 +0,0 @@
|
||||
#!/bin/sh
|
||||
|
||||
PREREQ="mdadm mdrun multipath"
|
||||
|
||||
prereqs()
|
||||
{
|
||||
echo "$PREREQ"
|
||||
}
|
||||
|
||||
case $1 in
|
||||
# get pre-requisites
|
||||
prereqs)
|
||||
prereqs
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ ! -e /sbin/lvm ]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
lvchange_activate() {
|
||||
lvm lvchange -aay -y --sysinit --ignoreskippedcluster "$@" >/dev/null 2>&1
|
||||
}
|
||||
|
||||
activate() {
|
||||
local dev="$1"
|
||||
|
||||
# Make sure that we have a non-empty argument
|
||||
if [ -z "$dev" ]; then
|
||||
return 1
|
||||
fi
|
||||
|
||||
case "$dev" in
|
||||
# Take care of lilo boot arg, risky activating of all vg
|
||||
fe[0-9]*)
|
||||
lvchange_activate
|
||||
exit 0
|
||||
;;
|
||||
# FIXME: check major
|
||||
/dev/root)
|
||||
lvchange_activate
|
||||
exit 0
|
||||
;;
|
||||
|
||||
/dev/mapper/*)
|
||||
eval $(dmsetup splitname --nameprefixes --noheadings --rows "${dev#/dev/mapper/}")
|
||||
if [ "$DM_VG_NAME" ] && [ "$DM_LV_NAME" ]; then
|
||||
lvchange_activate "$DM_VG_NAME/$DM_LV_NAME"
|
||||
fi
|
||||
;;
|
||||
|
||||
/dev/*/*)
|
||||
# Could be /dev/VG/LV; use lvs to check
|
||||
if lvm lvs -- "$dev" >/dev/null 2>&1; then
|
||||
lvchange_activate "$dev"
|
||||
fi
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
activate "$ROOT"
|
||||
activate "$resume"
|
||||
|
||||
exit 0
|