From 79b988553b2707aed9fba21dd53033a7a011af6f Mon Sep 17 00:00:00 2001 From: David P Date: Sat, 1 May 2021 19:23:57 -0400 Subject: sync with archiso Imported: 42cdf86 (HEAD -> master, origin/master, origin/HEAD) Set more generic output for signatures cc735db Force PGP signature file extension 73e3ccd Add ephemeral signing key to CI setup e2cce07 (tag: v53) Add changelog for v53 9dbb600 Add packages for unlocking LUKS2 volumes with systemd 81da518 Add required packages to interact with smartcards 6287f72 Remove docs/README.knownissues. Replaced by issue #83. 76c8030 Remove docs/README.build. Superseded by README.rst a855dd4 Move README.profile.rst to docs/ 6294d1d Update README.profile.rst 5754000 Update README.rst 06c3218 configs/releng/syslinux/: increase serial baud rate to 115200 0406f9c mkarchiso: create reproducible gzip archives a771297 mkarchiso: make sure to remove potentially preexisting files from $airootfs_dir before creating them with output redirection 98c7b67 mkarchiso: append IMAGE_ID and IMAGE_VERSION to /etc/os-release 0ed1c61 Add package count, El Torito EFI image size and initramfs image sizes to GitLab metrics 8bf95d3 Ignore SC3060 in initcpio hook bde3971 Fix shellcheck complains in CI scripts 1a97109 mkarchiso: also add iso name in grub environment block 09b6127 mkarchiso: use -isohybrid-gpt-basdat instead of -appended_part_as_gpt for ISOs that will support BIOS booting 
Signed-off-by: David P --- CHANGELOG.rst | 19 +++ README.profile.rst | 150 --------------------- README.rst | 75 +++++------ configs/baseline/syslinux/syslinux.cfg | 1 + configs/lxde-openrc/packages.both | 4 + configs/lxde-openrc/syslinux/parabolaiso_head.cfg | 2 +- configs/releng-openrc/packages.both | 4 + .../releng-openrc/syslinux/parabolaiso_head.cfg | 2 +- configs/releng/packages.both | 4 + configs/releng/syslinux/parabolaiso_head.cfg | 2 +- docs/README.build | 68 ---------- docs/README.knownissues | 12 -- docs/README.profile.rst | 150 +++++++++++++++++++++ parabolaiso/initcpio/hooks/parabolaiso_pxe_common | 2 +- parabolaiso/mkparabolaiso | 90 ++++++++++--- 15 files changed, 291 insertions(+), 294 deletions(-) delete mode 100644 README.profile.rst delete mode 100644 docs/README.build delete mode 100644 docs/README.knownissues create mode 100644 docs/README.profile.rst diff --git a/CHANGELOG.rst b/CHANGELOG.rst index 6b3ae8b..6d55065 100644 --- a/CHANGELOG.rst +++ b/CHANGELOG.rst @@ -2,6 +2,25 @@ Changelog ######### +[53] - 2021-05-01 +================= + +Added +----- + +- Add ISO name to grubenv +- Add IMAGE_ID and IMAGE_VERSION to /etc/os-release + +Changed +------- + +- Revert to an invalid GPT for greater hardware compatibility +- Fix initcpio script to comply with stricter shellcheck +- Fix an issue where writing to /etc/machine-id might override a file outside of the build directory +- Change gzip flags, so that compressed files are created reproducibly +- Increase default serial baud rate to 115200 +- Remove deprecated documentation and format existing documentation + [52] - 2021-04-01 ================= diff --git a/README.profile.rst b/README.profile.rst deleted file mode 100644 index f6cce5d..0000000 --- a/README.profile.rst +++ /dev/null 
@@ -1,150 +0,0 @@ -======= -profile -======= - -A parabolaiso profile consists of several configuration files and a directory for files to be added to the resulting image. - - .. code:: bash - - profile - |- airootfs/ - |- efiboot/ - |- syslinux/ - |- packages.arch - |- pacman.conf - \- profiledef.sh - -The required files and directories are explained in the following sections. - -profiledef.sh -============= - -This file describes several attributes of the resulting image and is a place for customization to the general behavior -of the image. - -The image file is constructed from some of the variables in **profiledef.sh**: `--.iso` -(e.g. `parabola-202010-x86_64.iso`). - -* `iso_name`: The first part of the name of the resulting image (defaults to `mkparabolaiso`) -* `iso_label`: The ISO's volume label (defaults to `MKPARABOLAISO`) -* `iso_publisher`: A free-form string that states the publisher of the resulting image (defaults to `mkparabolaiso`) -* `iso_application`: A free-form string that states the application (i.e. its use-case) of the resulting image (defaults - to `mkparabolaiso iso`) -* `iso_version`: A string that states the version of the resulting image (defaults to `""`) -* `install_dir`: A string (maximum eight characters long, which **must** consist of `[a-z0-9]`) that states the - directory on the resulting image into which all files will be installed (defaults to `mkparabolaiso`) -* `bootmodes`: A list of strings, that state the supported boot modes of the resulting image. 
Only the following are - understood: - - - `bios.syslinux.mbr`: Syslinux for x86 BIOS booting from a disk - - `bios.syslinux.eltorito`: Syslinux for x86 BIOS booting from an optical disc - - `uefi-x64.systemd-boot.esp`: Systemd-boot for x86_64 UEFI booting from a disk - - `uefi-x64.systemd-boot.eltorito`: Systemd-boot for x86_64 UEFI booting from an optical disc - - `uefi-x64.refind.esp`: rEFInd for x86_64 UEFI booting from a disk - - `uefi-x64.refind.eltorito`: rEFInd for x86_64 UEFI booting from an optical disc - Note that BIOS El Torito boot mode must always be listed before UEFI El Torito boot mode. -* `arch`: The architecture (e.g. `x86_64`) to build the image for. This is also used to resolve the name of the packages - file (e.g. `packages.x86_64`) -* `pacman_conf`: The `pacman.conf` to use to install packages to the work directory when creating the image (defaults to - the host's `/etc/pacman.conf`) -* `airootfs_image_type`: The image type to create. The following options are understood (defaults to `squashfs`): - - - `squashfs`: Create a squashfs image directly from the airootfs work directory - - `ext4+squashfs`: Create an ext4 partition, copy the airootfs work directory to it and create a squashfs image from it - - `erofs`: Create an EROFS image for the airootfs work directory -* `airootfs_image_tool_options`: An array of options to pass to the tool to create the airootfs image. `mksquashfs` and - `mkfs.erofs` are supported. See `mksquashfs --help` or `mkfs.erofs --help` for all possible options. -* `file_permissions`: An associative array that lists files and/or directories who need specific ownership or - permissions. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and - access mode. E.g. `file_permissions=(["/etc/shadow"]="0:0:400")`. 
When directories are listed with a trailing backslash ("/") **all** files and directories contained within the listed directory will have the same owner UID, owner GID, and access mode applied recursively. - -packages.arch -============= - -All packages to be installed into the environment of the image have to be listed in an architecture specific file (e.g. -`packages.x86_64`), which resides top-level in the profile. - -Packages have to be listed one per line. Lines starting with a `#` and blank lines are ignored. - - .. note:: - - The **mkinitcpio** and **mkinitcpio-parabolaiso** packages are mandatory (see `#30 - `_). - - -pacman.conf -=========== - -A configuration for pacman is required per profile. - -Some configuration options will not be used or will be modified: - -* `CacheDir`: the profile's option is **only** used if it is not the default (i.e. `/var/cache/pacman/pkg`) and if it is - not the same as the system's option. In all other cases the system's pacman cache is used. -* `HookDir`: it is **always** set to the `/etc/pacman.d/hooks` directory in the work directory's airootfs to allow - modification via the profile and ensure interoparability with hosts using dracut (see `#73 - `_) -* `RootDir`: it is **always** removed, as setting it explicitely otherwise refers to the host's root filesystem (see - `man 8 pacman` for further information on the `-r` option used by `pacstrap`) -* `LogFile`: it is **always** removed, as setting it explicitely otherwise refers to the host's pacman log file (see - `man 8 pacman` for further information on the `-r` option used by `pacstrap`) -* `DBPath`: it is **always** removed, as setting it explicitely otherwise refers to the host's pacman database (see - `man 8 pacman` for further information on the `-r` option used by `pacstrap`) - -airootfs -======== - -This - optional - directory may contain files and directories that will be copied to the work directory of the resulting -image's root filesystem. 
-The files are copied before packages are being installed to work directory location. -Ownership and permissions of files and directories from the profile's `airootfs` directory are not preserved. The mode -will be `644` for files and `755` for directories, all of them will be owned by root. To set custom ownership and/or -permissions, use `file_permissions` in **profiledef.sh**. - -With this overlay structure it is possible to e.g. create users and set passwords for them, by providing -`airootfs/etc/passwd`, `airootfs/etc/shadow`, `airootfs/etc/gshadow` (see `man 5 passwd`, `man 5 shadow` and `man 5 -gshadow` respectively). -If user home directories exist in the profile's `airootfs`, their ownership and (and top-level) permissions will be -altered according to the provided information in the password file. - -Boot loader configuration -========================= - -A profile may contain configuration for several boot loaders. These reside in specific top-level directories, which are -explained in the following subsections. - -The following *custom template identifiers* are understood and will be replaced according to the assignments of the -respective variables in **profiledef.sh**: - -* `%PARABOLAISO_LABEL%`: Set this using the `iso_label` variable in **profiledef.sh** -* `%INSTALL_DIR%`: Set this using the `iso_label` variable in **profiledef.sh** -* `%ARCH%`: Set this using the `arch` variable in **profiledef.sh** - - -efiboot -------- - -This directory is mandatory when the `uefi-x64.systemd-boot.esp` or `uefi-x64.systemd-boot.eltorito` bootmodes are -selected in **profiledef.sh**. It contains configuration for `systemd-boot -`_. - - .. note:: - - The directory is a top-level representation of the systemd-boot configuration directories and files found in the - root of an EFI system partition. - -The *custom template identifiers* are **only** understood in the boot loader entry `.conf` files (i.e. **not** in -`loader.conf`). 
- -The same happens when the `uefi-x64.refind.esp` or `uefi-x64.refind.eltorito` bootmodes are selected. - -syslinux --------- - -This directory is mandatory when the `bios.syslinux.mbr` or the `bios.syslinux.eltorito` bootmodes are selected in -**profiledef.sh**. -It contains configuration files for `syslinux `_ or `isolinux -`_ , or `pxelinux -`_ used in the resuling image. - -The *custom template identifiers* are understood in all `.cfg` files in this directory. diff --git a/README.rst b/README.rst index 5ff73c9..25f16a0 100644 --- a/README.rst +++ b/README.rst @@ -34,9 +34,9 @@ Profiles parabolaiso comes with the following profiles: **baseline**, **releng**, **releng-openrc**, **lxde-openrc** and **talkingparabola**. They can be found below `configs/baseline/ `_, `configs/releng/ `_, `configs/releng-openrc/ `_, `configs/lxde-openrc/ `_, `configs/talkingparabola/ `_ -(respectively). Profiles are defined by files to be placed into overlays (e.g. *airootfs* -> *the image's /*). +(respectively). Profiles are defined by files to be placed into overlays (e.g. airootfs → the image's ``/``). -Read `README.profile.rst `_ to learn more about how to create profiles. +Read `README.profile.rst `_ to learn more about how to create profiles. Create images ============= 
@@ -48,32 +48,32 @@ As filesystems are created and various mount actions have to be done when creati the scripts. When parabolaiso is installed system-wide and the modification of a profile is desired, it is necessary to copy it to a -writeable location, as */usr/share/parabolaiso* is tracked by the package manager and only writeable by root (changes will +writeable location, as ``/usr/share/parabolaiso`` is tracked by the package manager and only writeable by root (changes will be lost on update). The examples below will assume an unmodified profile in a system location (unless noted otherwise). It is advised to consult the help output of **mkparabolaiso**: - .. code:: bash +.. code:: sh - mkparabolaiso -h + mkparabolaiso -h Create images with packaged parabolaiso --------------------------------------- - .. code:: bash +.. code:: sh - mkparabolaiso -w path/to/work_dir -o path/to/out_dir path/to/profile + mkparabolaiso -w path/to/work_dir -o path/to/out_dir path/to/profile Create images with local clone ------------------------------ Clone this repository and run: - .. code:: bash +.. code:: sh - ./parabolaiso/mkparabolaiso -w path/to/work_dir -o path/to/out_dir path/to/profile + ./parabolaiso/mkparabolaiso -w path/to/work_dir -o path/to/out_dir path/to/profile Testing ======= 
@@ -81,61 +81,60 @@ Testing The convenience script **run_parabolaiso** is provided to boot into the medium using qemu. It is advised to read its help information: - .. code:: bash +.. code:: sh - run_parabolaiso -h + run_parabolaiso -h Run the following to boot the iso using BIOS: - .. code:: bash +.. code:: sh - run_parabolaiso -i path/to/a/parabola.iso + run_parabolaiso -i path/to/a/parabola.iso Run the following to boot the iso using UEFI: - .. code:: bash +.. code:: sh - run_parabolaiso -u -i path/to/a/parabola.iso + run_parabolaiso -u -i path/to/a/parabola.iso The script can of course also be executed from this repository: - .. code:: bash +.. code:: sh - ./scripts/run_parabolaiso.sh -i path/to/a/parabola.iso + ./scripts/run_parabolaiso.sh -i path/to/a/parabola.iso Installation ============ -To install parabolaiso system-wide use the included **Makefile**: +To install parabolaiso system-wide use the included ``Makefile``: - .. code:: bash +.. code:: sh - make install + make install Optionally install parabolaiso's mkinitcpio hooks: - .. code:: bash +.. code:: sh - make install-initcpio + make install-initcpio -Optional Features -================= +Optional features -The iso image contains a grub environment block holding the iso version. This allows to boot the iso image from grub -with a version specific cow directory to mitigate overlay clashes. +The iso image contains a GRUB environment block holding the iso name and version. This allows to +boot the iso image from GRUB with a version specific cow directory to mitigate overlay clashes. - .. code:: grub - loopback loop parabola.iso - load_env -f (loop)/parabola/grubenv - linux (loop)/parabola/boot/x86_64/vmlinuz-linux-libre ... \ - cow_directory=parabola/${VERSION} ... - initrd (loop)/parabola/boot/x86_64/initramfs-linux-libre-lts.img +.. code:: sh + loopback loop parabola.iso + load_env -f (loop)/parabola/grubenv + linux (loop)/parabola/boot/x86_64/vmlinuz-linux-libre ... 
\ + cow_directory=parabola/${VERSION} ... + initrd (loop)/parabola/boot/x86_64/initramfs-linux-libre-lts.img Contribute ========== -Development of parabolaiso takes place on Parabola GNU/Linux-libre' Git: https://git.parabola.nu/parabolaiso.git +Development of parabolaiso takes place on Parabola GNU/Linux-libre' Git: https://git.parabola.nu/parabolaiso.git. Read our `contributing guide `_ to learn more about how to provide fixes or improvements for the code base. @@ -151,20 +150,20 @@ Releases `Releases of parabolaiso `_ are created by its current maintainer `David P `_. Tags are signed using the PGP key with the ID -`6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78`. +``6DB9C4B4F0D8C0DC432CF6E4227CA7C556B2BA78``. To verify a tag, first import the relevant PGP key: - .. code:: bash +.. code:: sh - gpg --auto-key-locate wkd --search-keys megver83@parabola.nu + gpg --auto-key-locate wkd --search-keys megver83@parabola.nu Afterwards a tag can be verified from a clone of this repository: - .. code:: bash +.. code:: sh - git verify-tag + git verify-tag License ======= diff --git a/configs/baseline/syslinux/syslinux.cfg b/configs/baseline/syslinux/syslinux.cfg index e965abb..507082d 100644 --- a/configs/baseline/syslinux/syslinux.cfg +++ b/configs/baseline/syslinux/syslinux.cfg @@ -1,6 +1,7 @@ # # SPDX-License-Identifier: GPL-3.0-or-later +SERIAL 0 115200 UI menu.c32 MENU TITLE Parabola GNU/Linux-libre MENU CLEAR diff --git a/configs/lxde-openrc/packages.both b/configs/lxde-openrc/packages.both index 47eb1ad..3e697ab 100644 --- a/configs/lxde-openrc/packages.both +++ b/configs/lxde-openrc/packages.both @@ -37,6 +37,8 @@ iwd jfsutils kitty-terminfo lftp +libfido2 +libusb-compat linux-atm linux-libre linux-libre-firmware @@ -70,6 +72,7 @@ openvpn-openrc partclone parted partimage +pcsclite ppp pptpclient reflector @@ -89,6 +92,7 @@ terminus-font termite-terminfo testdisk tmux +tpm2-tss udev-init-scripts udftools usb_modeswitch 
diff --git a/configs/lxde-openrc/syslinux/parabolaiso_head.cfg b/configs/lxde-openrc/syslinux/parabolaiso_head.cfg index 17b77e9..99e8cd0 100644 --- a/configs/lxde-openrc/syslinux/parabolaiso_head.cfg +++ b/configs/lxde-openrc/syslinux/parabolaiso_head.cfg @@ -1,7 +1,7 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -SERIAL 0 38400 +SERIAL 0 115200 UI vesamenu.c32 MENU TITLE Parabola GNU/Linux-libre MENU BACKGROUND splash.png diff --git a/configs/releng-openrc/packages.both b/configs/releng-openrc/packages.both index cdd7a3d..4742487 100644 --- a/configs/releng-openrc/packages.both +++ b/configs/releng-openrc/packages.both @@ -36,6 +36,8 @@ iwd jfsutils kitty-terminfo lftp +libfido2 +libusb-compat linux-atm linux-libre linux-libre-firmware @@ -69,6 +71,7 @@ openvpn-openrc partclone parted partimage +pcsclite ppp pptpclient reflector @@ -88,6 +91,7 @@ terminus-font termite-terminfo testdisk tmux +tpm2-tss udev-init-scripts udftools usb_modeswitch diff --git a/configs/releng-openrc/syslinux/parabolaiso_head.cfg b/configs/releng-openrc/syslinux/parabolaiso_head.cfg index 17b77e9..99e8cd0 100644 --- a/configs/releng-openrc/syslinux/parabolaiso_head.cfg +++ b/configs/releng-openrc/syslinux/parabolaiso_head.cfg @@ -1,7 +1,7 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -SERIAL 0 38400 +SERIAL 0 115200 UI vesamenu.c32 MENU TITLE Parabola GNU/Linux-libre MENU BACKGROUND splash.png diff --git a/configs/releng/packages.both b/configs/releng/packages.both index 087d37d..d1c59ca 100644 --- a/configs/releng/packages.both +++ b/configs/releng/packages.both @@ -35,6 +35,8 @@ iwd jfsutils kitty-terminfo lftp +libfido2 +libusb-compat linux-atm linux-libre linux-libre-firmware @@ -66,6 +68,7 @@ openvpn partclone parted partimage +pcsclite ppp pptpclient reflector @@ -86,6 +89,7 @@ terminus-font termite-terminfo testdisk tmux +tpm2-tss udftools usb_modeswitch usbmuxd 
diff --git a/configs/releng/syslinux/parabolaiso_head.cfg b/configs/releng/syslinux/parabolaiso_head.cfg index 17b77e9..99e8cd0 100644 --- a/configs/releng/syslinux/parabolaiso_head.cfg +++ b/configs/releng/syslinux/parabolaiso_head.cfg @@ -1,7 +1,7 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -SERIAL 0 38400 +SERIAL 0 115200 UI vesamenu.c32 MENU TITLE Parabola GNU/Linux-libre MENU BACKGROUND splash.png diff --git a/docs/README.build b/docs/README.build deleted file mode 100644 index 8855789..0000000 --- a/docs/README.build +++ /dev/null 
@@ -1,68 +0,0 @@ -INDEX ------ - -* Build requirements -* Building the most basic Parabola GNU/Linux-libre live media. (configs/baseline) -* Building official Parabola GNU/Linux-libre live media. (configs/releng) - - - -*** Build requirements - -** For mkparabolaiso script needs these packages (build host): - + arch-install-scripts for pacstrap/arch-chroot - + edk2-shell for UEFI shell - + squashfs-tools for mksquashfs - + libisoburn for xorriso - + btrfs-progs for mkfs.btrfs (optional) - -** For configs/releng build.sh needs theses packages (build host): - + dosfstools for mkfs.fat - + lynx for fetching the latest installation guide - -** For these hooks needs these packages (on target airootfs) -* parabolaiso - + (none) -* parabolaiso_loop_mnt - + (none) -* parabolaiso_pxe_common - + mkinitcpio-nfs-utils for ipconfig -* parabolaiso_pxe_nbd - + nbd for nbd-client -* parabolaiso_pxe_http - + curl for curl -* parabolaiso_pxe_nfs - + mkinitcpio-nfs-utils for nfsmount -* parabolaiso_shutdown - + (none) - - -*** Building the most basic Parabola GNU/Linux-libre live media. (configs/baseline) - -* Install needed packages. - # pacman -S git make arch-install-scripts squashfs-tools libisoburn --needed - -* Install parabolaiso. - # git clone git://git.parabola.nu/packages/parabolaiso.git - # make -C parabolaiso install - -* Build a basic iso. - # /usr/share/parabolaiso/configs/baseline/build.sh - -Note: If you want to customize, just see the configs/releng directory which is -used to build official images with much more things. - - -*** Building official Parabola GNU/Linux-libre live media. (configs/releng) - -* Install needed packages. - # pacman -S git make arch-install-scripts squashfs-tools libisoburn dosfstools lynx --needed - -* Install parabolaiso. - # git clone git://git.parabola.nu/packages/parabolaiso.git - # make -C parabolaiso install - -* Build them! - # /usr/share/parabolaiso/configs/releng/build.sh - -Note: See build.sh -h for more options. 
This only runs on x86_64. diff --git a/docs/README.knownissues b/docs/README.knownissues deleted file mode 100644 index 7002c5e..0000000 --- a/docs/README.knownissues +++ /dev/null @@ -1,12 +0,0 @@ -*** Know issues - -** (1) On shutdown lots of messages from systemd like: - - "Could not unmount /run/parabolaiso/: Device or resource busy" - "Could not delete loopback /dev/loop: Device or resource busy" - This is not a real issue since, all mounted filesystem, loopback devices - and device mapper devices made by parabolaiso will be "free" on "shutdown tmpfs" - (A.K.A deinitramfs), build at initramfs by [parabolaiso_shutdown] initcpio hook. - Proper shutdown is mostly important when persistent is used. - - diff --git a/docs/README.profile.rst b/docs/README.profile.rst new file mode 100644 index 0000000..f6cce5d --- /dev/null +++ b/docs/README.profile.rst 
@@ -0,0 +1,150 @@ +======= +profile +======= + +A parabolaiso profile consists of several configuration files and a directory for files to be added to the resulting image. + + .. code:: bash + + profile + |- airootfs/ + |- efiboot/ + |- syslinux/ + |- packages.arch + |- pacman.conf + \- profiledef.sh + +The required files and directories are explained in the following sections. + +profiledef.sh +============= + +This file describes several attributes of the resulting image and is a place for customization to the general behavior +of the image. + +The image file is constructed from some of the variables in **profiledef.sh**: `--.iso` +(e.g. `parabola-202010-x86_64.iso`). + +* `iso_name`: The first part of the name of the resulting image (defaults to `mkparabolaiso`) +* `iso_label`: The ISO's volume label (defaults to `MKPARABOLAISO`) +* `iso_publisher`: A free-form string that states the publisher of the resulting image (defaults to `mkparabolaiso`) +* `iso_application`: A free-form string that states the application (i.e. its use-case) of the resulting image (defaults + to `mkparabolaiso iso`) +* `iso_version`: A string that states the version of the resulting image (defaults to `""`) +* `install_dir`: A string (maximum eight characters long, which **must** consist of `[a-z0-9]`) that states the + directory on the resulting image into which all files will be installed (defaults to `mkparabolaiso`) +* `bootmodes`: A list of strings, that state the supported boot modes of the resulting image. 
Only the following are + understood: + + - `bios.syslinux.mbr`: Syslinux for x86 BIOS booting from a disk + - `bios.syslinux.eltorito`: Syslinux for x86 BIOS booting from an optical disc + - `uefi-x64.systemd-boot.esp`: Systemd-boot for x86_64 UEFI booting from a disk + - `uefi-x64.systemd-boot.eltorito`: Systemd-boot for x86_64 UEFI booting from an optical disc + - `uefi-x64.refind.esp`: rEFInd for x86_64 UEFI booting from a disk + - `uefi-x64.refind.eltorito`: rEFInd for x86_64 UEFI booting from an optical disc + Note that BIOS El Torito boot mode must always be listed before UEFI El Torito boot mode. +* `arch`: The architecture (e.g. `x86_64`) to build the image for. This is also used to resolve the name of the packages + file (e.g. `packages.x86_64`) +* `pacman_conf`: The `pacman.conf` to use to install packages to the work directory when creating the image (defaults to + the host's `/etc/pacman.conf`) +* `airootfs_image_type`: The image type to create. The following options are understood (defaults to `squashfs`): + + - `squashfs`: Create a squashfs image directly from the airootfs work directory + - `ext4+squashfs`: Create an ext4 partition, copy the airootfs work directory to it and create a squashfs image from it + - `erofs`: Create an EROFS image for the airootfs work directory +* `airootfs_image_tool_options`: An array of options to pass to the tool to create the airootfs image. `mksquashfs` and + `mkfs.erofs` are supported. See `mksquashfs --help` or `mkfs.erofs --help` for all possible options. +* `file_permissions`: An associative array that lists files and/or directories who need specific ownership or + permissions. The array's keys contain the path and the value is a colon separated list of owner UID, owner GID and + access mode. E.g. `file_permissions=(["/etc/shadow"]="0:0:400")`. 
When directories are listed with a trailing backslash ("/") **all** files and directories contained within the listed directory will have the same owner UID, owner GID, and access mode applied recursively. + +packages.arch +============= + +All packages to be installed into the environment of the image have to be listed in an architecture specific file (e.g. +`packages.x86_64`), which resides top-level in the profile. + +Packages have to be listed one per line. Lines starting with a `#` and blank lines are ignored. + + .. note:: + + The **mkinitcpio** and **mkinitcpio-parabolaiso** packages are mandatory (see `#30 + `_). + + +pacman.conf +=========== + +A configuration for pacman is required per profile. + +Some configuration options will not be used or will be modified: + +* `CacheDir`: the profile's option is **only** used if it is not the default (i.e. `/var/cache/pacman/pkg`) and if it is + not the same as the system's option. In all other cases the system's pacman cache is used. +* `HookDir`: it is **always** set to the `/etc/pacman.d/hooks` directory in the work directory's airootfs to allow + modification via the profile and ensure interoparability with hosts using dracut (see `#73 + `_) +* `RootDir`: it is **always** removed, as setting it explicitely otherwise refers to the host's root filesystem (see + `man 8 pacman` for further information on the `-r` option used by `pacstrap`) +* `LogFile`: it is **always** removed, as setting it explicitely otherwise refers to the host's pacman log file (see + `man 8 pacman` for further information on the `-r` option used by `pacstrap`) +* `DBPath`: it is **always** removed, as setting it explicitely otherwise refers to the host's pacman database (see + `man 8 pacman` for further information on the `-r` option used by `pacstrap`) + +airootfs +======== + +This - optional - directory may contain files and directories that will be copied to the work directory of the resulting +image's root filesystem. 
+The files are copied before packages are being installed to work directory location. +Ownership and permissions of files and directories from the profile's `airootfs` directory are not preserved. The mode +will be `644` for files and `755` for directories, all of them will be owned by root. To set custom ownership and/or +permissions, use `file_permissions` in **profiledef.sh**. + +With this overlay structure it is possible to e.g. create users and set passwords for them, by providing +`airootfs/etc/passwd`, `airootfs/etc/shadow`, `airootfs/etc/gshadow` (see `man 5 passwd`, `man 5 shadow` and `man 5 +gshadow` respectively). +If user home directories exist in the profile's `airootfs`, their ownership and (and top-level) permissions will be +altered according to the provided information in the password file. + +Boot loader configuration +========================= + +A profile may contain configuration for several boot loaders. These reside in specific top-level directories, which are +explained in the following subsections. + +The following *custom template identifiers* are understood and will be replaced according to the assignments of the +respective variables in **profiledef.sh**: + +* `%PARABOLAISO_LABEL%`: Set this using the `iso_label` variable in **profiledef.sh** +* `%INSTALL_DIR%`: Set this using the `iso_label` variable in **profiledef.sh** +* `%ARCH%`: Set this using the `arch` variable in **profiledef.sh** + + +efiboot +------- + +This directory is mandatory when the `uefi-x64.systemd-boot.esp` or `uefi-x64.systemd-boot.eltorito` bootmodes are +selected in **profiledef.sh**. It contains configuration for `systemd-boot +`_. + + .. note:: + + The directory is a top-level representation of the systemd-boot configuration directories and files found in the + root of an EFI system partition. + +The *custom template identifiers* are **only** understood in the boot loader entry `.conf` files (i.e. **not** in +`loader.conf`). 
+ +The same happens when the `uefi-x64.refind.esp` or `uefi-x64.refind.eltorito` bootmodes are selected. + +syslinux +-------- + +This directory is mandatory when the `bios.syslinux.mbr` or the `bios.syslinux.eltorito` bootmodes are selected in +**profiledef.sh**. +It contains configuration files for `syslinux `_ or `isolinux +`_ , or `pxelinux +`_ used in the resuling image. + +The *custom template identifiers* are understood in all `.cfg` files in this directory. diff --git a/parabolaiso/initcpio/hooks/parabolaiso_pxe_common b/parabolaiso/initcpio/hooks/parabolaiso_pxe_common index 4144983..bbe705e 100644 --- a/parabolaiso/initcpio/hooks/parabolaiso_pxe_common +++ b/parabolaiso/initcpio/hooks/parabolaiso_pxe_common @@ -13,7 +13,7 @@ run_hook () { if [ -n "${ip}" ]; then if [ -n "${BOOTIF}" ]; then bootif_mac="${BOOTIF#01-}" - # shellcheck disable=SC2169 + # shellcheck disable=SC2169,SC3060 # ash supports bash-like string replacment bootif_mac="${bootif_mac//-/:}" for i in /sys/class/net/*/address; do diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso index de48fae..6f04947 100755 --- a/parabolaiso/mkparabolaiso +++ b/parabolaiso/mkparabolaiso @@ -94,7 +94,7 @@ usage: ${app_name} [options] Default: '${iso_label}' -P Set the ISO publisher Default: '${iso_publisher}' - -g Set the GPG key to be used for signing the squashfs image + -g Set the PGP key ID to be used for signing the rootfs image -h This message -o Set the output directory Default: '${out_dir}' @@ -154,6 +154,7 @@ _cleanup_airootfs() { # Delete package pacman related files. find "${work_dir}" \( -name '*.pacnew' -o -name '*.pacsave' -o -name '*.pacorig' \) -delete # Create an empty /etc/machine-id + rm -f -- "${airootfs_dir}/etc/machine-id" printf '' > "${airootfs_dir}/etc/machine-id" _msg_info "Done!" 
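Review bot: The added `rm -f -- "${airootfs_dir}/etc/machine-id"` in `_cleanup_airootfs` has no comment saying why it precedes the redirection, so a later cleanup could drop it as redundant. Going by the changelog entry in this commit, the removal is what keeps `printf '' >` from writing through a preexisting symlink to a file outside the build directory. I would add `# Remove any preexisting file or symlink first, so the redirection below cannot write through it to a path outside ${airootfs_dir}`. The guard covers only the final path component, so whether `etc` itself can arrive as a symlink from a profile should be confirmed separately. The function starts before the hunk and its closing brace is after it.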
@@ -230,12 +231,13 @@ _mkairootfs_erofs() { } _mksignature() { - _msg_info "Signing SquashFS image..." + _msg_info "Signing ${arch} rootfs image..." cd -- "${isofs_dir}/${install_dir}/${arch}" + # always use the .sig file extension, as that is what mkinitcpio-parabolaiso's hooks expect if [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.sfs" ]]; then - gpg --detach-sign --default-key "${gpg_key}" airootfs.sfs + gpg --output airootfs.sfs.sig --detach-sign --default-key "${gpg_key}" airootfs.sfs elif [[ -e "${isofs_dir}/${install_dir}/${arch}/airootfs.erofs" ]]; then - gpg --detach-sign --default-key "${gpg_key}" airootfs.erofs + gpg --output airootfs.erofs.sig --detach-sign --default-key "${gpg_key}" airootfs.erofs fi cd -- "${OLDPWD}" _msg_info "Done!" @@ -427,10 +429,10 @@ _make_bootmode_bios.syslinux.mbr() { if [[ -e "${isofs_dir}/syslinux/hdt.c32" ]]; then install -d -m 0755 -- "${isofs_dir}/syslinux/hdt" if [[ -e "${airootfs_dir}/usr/share/hwdata/pci.ids" ]]; then - gzip -c -9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \ + gzip -cn9 "${airootfs_dir}/usr/share/hwdata/pci.ids" > \ "${isofs_dir}/syslinux/hdt/pciids.gz" fi - find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -c -9 '{}' ';' -quit > \ + find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -print -exec gzip -cn9 '{}' ';' -quit > \ "${isofs_dir}/syslinux/hdt/modalias.gz" fi 
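Review bot: With a fixed `--output` name, the gpg calls in `_mksignature` will normally ask before overwriting when `airootfs.sfs.sig` or `airootfs.erofs.sig` is left over from an earlier run in the same work directory, which stalls or fails an unattended build. Removing the stale file first, as `_cleanup_airootfs` now does for machine-id, avoids that: `rm -f -- airootfs.sfs.sig` before the first gpg line and `rm -f -- airootfs.erofs.sig` before the second. The `if`/`elif` also has no `else`, so when neither image exists the function signs nothing and still prints "Done!". An explicit failure there would keep an unsigned image from passing as signed. The closing brace of `_mksignature` is outside the hunk.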
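Review bot: The `find … -print -exec gzip -cn9 '{}' ';' -quit >` line sends find's own `-print` output to the same redirected stdout as gzip, so `modalias.gz` appears to start with the matched path under `${airootfs_dir}` followed by the compressed stream. That prepends non-gzip bytes to the archive and embeds the build path, which works against the reproducibility that `-n` is added for. Dropping `-print` keeps the output a pure gzip stream: `find "${airootfs_dir}/usr/lib/modules" -name 'modules.alias' -exec gzip -cn9 '{}' ';' -quit > \`. The enclosing function starts and ends outside the hunk.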
@@ -814,15 +816,10 @@ _add_xorrisofs_options_bios.syslinux.mbr() { '-isohybrid-mbr' "${isofs_dir}/syslinux/isohdpfx.bin" # When GPT is used, create an additional partition in the MBR (besides 0xEE) for sectors 0–1 (MBR # bootstrap code area) and mark it as bootable - # This violates the UEFI specification, but may allow booting on some systems + # May allow booting on some systems # https://wiki.archlinux.org/index.php/Partitioning#Tricking_old_BIOS_into_booting_from_GPT '--mbr-force-bootable' - # Set the ISO 9660 partition's type to "Linux filesystem data" - # When only MBR is present, the partition type ID will be 0x83 "Linux" as xorriso translates all - # GPT partition type GUIDs except for the ESP GUID to MBR type ID 0x83 - '-iso_mbr_part_type' '0FC63DAF-8483-4772-8E79-3D69D8477DE4' - # Move the first partition away from the start of the ISO to match the expectations of partition - # editors + # Move the first partition away from the start of the ISO to match the expectations of partition editors # May allow booting on some systems # https://dev.lovelyhq.com/libburnia/libisoburn/src/branch/master/doc/partition_offset.wiki '-partition_offset' '16' 
@@ -835,12 +832,26 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.esp() { # partition will not be mountable # shellcheck disable=SC2076 [[ " ${xorrisofs_options[*]} " =~ ' -partition_offset ' ]] || xorrisofs_options+=('-partition_offset' '16') - xorrisofs_options+=( - # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" - '-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img" - # Ensure GPT is used as some systems do not support UEFI booting without it - '-appended_part_as_gpt' - ) + # Attach efiboot.img as a second partition and set its partition type to "EFI system partition" + xorrisofs_options+=('-append_partition' '2' 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B' "${work_dir}/efiboot.img") + # Ensure GPT is used as some systems do not support UEFI booting without it + # shellcheck disable=SC2076 + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # A valid GPT prevents BIOS booting on some systems, instead use an invalid GPT (without a protective MBR). + # The attached partition will have the EFI system partition type code in MBR, but in the invalid GPT it will + # have a Microsoft basic partition type code. + if [[ ! " ${bootmodes[*]} " =~ ' uefi-x64.systemd-boot.eltorito ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi + else + # Use valid GPT if BIOS booting support will not be required + xorrisofs_options+=('-appended_part_as_gpt') + fi } # systemd-boot via El Torito 
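Review bot: The comment `# Ensure GPT is used as some systems do not support UEFI booting without it` now sits directly above a conditional whose first branch deliberately produces an invalid GPT, so it describes only the `else` branch. I would reword it along the lines of `# Pick the GPT layout: invalid GPT when bios.syslinux.mbr is also requested, valid GPT otherwise`. It would also help to say in a comment that when both `bios.syslinux.mbr` and `uefi-x64.systemd-boot.eltorito` are selected this function adds nothing and relies on the El Torito function to append `-isohybrid-gpt-basdat`. The function begins before this hunk.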
@@ -856,6 +867,15 @@ _add_xorrisofs_options_uefi-x64.systemd-boot.eltorito() { # Boot image is not emulating floppy or hard disk; required for all known boot loaders '-no-emul-boot' ) + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system @@ -895,6 +915,15 @@ _add_xorrisofs_options_uefi-x64.refind.eltorito() { # Boot image is not emulating floppy or hard disk; required for all known boot loaders '-no-emul-boot' ) + # A valid GPT prevents BIOS booting on some systems, use an invalid GPT instead. + if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]]; then + # If '-isohybrid-gpt-basdat' is specified before '-e', then the appended EFI system partition will have the + # EFI system partition type ID/GUID in both MBR and GPT. If '-isohybrid-gpt-basdat' is specified after '-e', + # the appended EFI system partition will have the Microsoft basic data type GUID in GPT. + if [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then + xorrisofs_options+=('-isohybrid-gpt-basdat') + fi + fi else # The ISO will not contain a GPT partition table, so to be able to reference efiboot.img, place it as a # file inside the ISO 9660 file system 
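Review bot: The guard that appends `-isohybrid-gpt-basdat` is added verbatim in both hunks here (`_add_xorrisofs_options_uefi-x64.systemd-boot.eltorito` and `_add_xorrisofs_options_uefi-x64.refind.eltorito`), and its inner test also appears in the `.esp` function of the previous hunk, so three copies can drift apart. A small helper called at the same position in each function would keep the ordering relative to `-e`, which the comment says matters, while holding the logic in one place. The quoted right-hand side of `=~` is a literal match that shellcheck reports as SC2076, and no disable directive is visible in these added lines, so the helper below carries one. Both functions start and end outside their hunks.

```shell
# Append '-isohybrid-gpt-basdat' once, only when BIOS booting via syslinux is also requested.
# A valid GPT prevents BIOS booting on some systems, so an invalid GPT is used instead.
_add_isohybrid_gpt_basdat_once() {
    # shellcheck disable=SC2076
    if [[ " ${bootmodes[*]} " =~ ' bios.syslinux.mbr ' ]] \
        && [[ ! " ${xorrisofs_options[*]} " =~ ' -isohybrid-gpt-basdat ' ]]; then
        xorrisofs_options+=('-isohybrid-gpt-basdat')
    fi
}

# … unchanged: '-no-emul-boot' option block in each El Torito function …
_add_isohybrid_gpt_basdat_once
```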
@@ -1115,12 +1144,29 @@ _export_gpg_publickey() { } _make_version() { + local osrelease install -d -m 0755 -- "${isofs_dir}/${install_dir}" - _msg_info "Creating ${arch} files with iso version..." + _msg_info "Creating files with iso version..." + # Write version file to airootfs + rm -f -- "${airootfs_dir}/version" printf '%s\n' "${iso_version}" > "${airootfs_dir}/version" + # Write version file to ISO 9660 printf '%s\n' "${iso_version}" > "${isofs_dir}/${install_dir}/version" - printf '%.1024s' "$(printf '# GRUB Environment Block\nVERSION=%s\n%s' "${iso_version}" \ - "$(printf '%0.1s' "#"{1..1024})")" > "${isofs_dir}/${install_dir}/grubenv" + # Write grubenv with version information to ISO 9660 + printf '%.1024s' "$(printf '# GRUB Environment Block\nNAME=%s\nVERSION=%s\n%s' \ + "${iso_name}" "${iso_version}" "$(printf '%0.1s' "#"{1..1024})")" \ + > "${isofs_dir}/${install_dir}/grubenv" + # Append IMAGE_ID & IMAGE_VERSION to os-release + osrelease="$(realpath -- "${airootfs_dir}/etc/os-release")" + if [[ ! -e "${airootfs_dir}/etc/os-release" && -e "${airootfs_dir}/usr/lib/os-release" ]]; then + osrelease="$(realpath -- "${airootfs_dir}/usr/lib/os-release")" + fi + if [[ "${osrelease}" != "${airootfs_dir}"* ]]; then + _msg_warning "os-release file '${osrelease}' is outside of valid path." + else + [[ ! -e "${osrelease}" ]] || sed -i '/^IMAGE_ID=/d;/^IMAGE_VERSION=/d' "${osrelease}" + printf 'IMAGE_ID=%s\nIMAGE_VERSION=%s\n' "${iso_name}" "${iso_version}" >> "${osrelease}" + fi _msg_info "Done!" } -- cgit v1.2.2
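Review bot: The containment test `[[ "${osrelease}" != "${airootfs_dir}"* ]]` in `_make_version` is a plain string-prefix match without a path separator, so a resolved path in a sibling directory whose name merely begins with the same characters as `${airootfs_dir}` would be accepted and then edited by `sed -i` and the `>>` redirection. Matching against `"${airootfs_dir}/"*` closes that gap. The left side is canonicalised by `realpath` while `${airootfs_dir}` may not be, so if the work directory is reached through a symlink the check would presumably warn and skip a legitimate file; comparing against `"$(realpath -- "${airootfs_dir}")/"*` handles both cases.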