diff --git a/.gitignore b/.gitignore index c8b9dc2..00c6118 100644 --- a/.gitignore +++ b/.gitignore @@ -2,3 +2,4 @@ /dist /qemu.pid /test-initrd.cpio +/tmp diff --git a/Dockerfile b/alpine/Dockerfile similarity index 58% rename from Dockerfile rename to alpine/Dockerfile index 1344d08..156e359 100644 --- a/Dockerfile +++ b/alpine/Dockerfile @@ -1,18 +1,12 @@ # ------------------------------------------------------------------------ from alpine:3.15 -add alpine/alpine-minirootfs-3.15.0-x86_64.tar.gz /layer/ - -run apk update -run apk add -p /layer lvm2-static +add alpine-minirootfs-3.15.0-x86_64.tar.gz /layer/ workdir /layer +run apk update +run apk add -p . musl lvm2 lvm2-dmeventd udev cryptsetup e2fsprogs btrfs-progs run rm -rf usr/share/apk var/cache/apk -#add build-layer / -#run /build-layer - -copy dist/init /layer/init - entrypoint ["sh","-c","find |cpio -H newc -o |base64"] diff --git a/ask-secret.go b/ask-secret.go new file mode 100644 index 0000000..75c271f --- /dev/null +++ b/ask-secret.go @@ -0,0 +1,43 @@ +package main + +import ( + "bufio" + "bytes" + "io" + "os" +) + +func askSecret(prompt string) []byte { + stdinTTY.EchoOff() + + var ( + in io.Reader = stdin + out io.Writer = stdout + ) + + if stdin == nil { + in = os.Stdin + out = os.Stdout + } + + out.Write([]byte(prompt + ": ")) + + if stdin != nil { + stdout.HideInput() + } + + s, err := bufio.NewReader(in).ReadBytes('\n') + + if stdin != nil { + stdout.ShowInput() + } + + stdinTTY.Restore() + + if err != nil { + fatalf("failed to read from stdin: %v", err) + } + + s = bytes.TrimRight(s, "\r\n") + return s +} diff --git a/auth.go b/auth.go new file mode 100644 index 0000000..ee52157 --- /dev/null +++ b/auth.go @@ -0,0 +1,58 @@ +package main + +import ( + "bytes" + "errors" + "log" + + "golang.org/x/crypto/ssh" + "novit.nc/direktil/initrd/config" +) + +var ( + auths []config.Auth +) + +func localAuth() bool { + sec := askSecret("password") + + for _, auth := range auths { + if auth.Password == "" { + continue + } + + if config.CheckPassword(auth.Password, sec) { + log.Printf("login with auth %q", auth.Name) + return true + } + } + + return false +} + +func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) { + keyBytes := key.Marshal() + + for _, auth := range auths { + if auth.SSHKey == "" { + continue + } + + allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey)) + if err != nil { + log.Printf("SSH pubkey for %q invalid: %v", auth.Name, auth.SSHKey) + return nil, err + } + + if bytes.Equal(allowedKey.Marshal(), keyBytes) { + log.Print("ssh: accepting public key for ", auth.Name) + return &ssh.Permissions{ + Extensions: map[string]string{ + "pubkey-fp": ssh.FingerprintSHA256(key), + }, + }, nil + } + } + + return nil, errors.New("no matching public key") +} diff --git a/boot-v1.go b/boot-v1.go index d64caed..55a7a22 100644 --- a/boot-v1.go +++ b/boot-v1.go @@ -14,7 +14,11 @@ import ( "novit.nc/direktil/pkg/sysfs" ) +var loopOffset = 0 + func bootV1() { + log.Print("-- boot v1 --") + // find and mount /boot bootMatch := param("boot", "") bootMounted := false @@ -47,12 +51,19 @@ func bootV1() { // load config cfgPath := param("config", "/boot/config.yaml") + layersDir = filepath.Join("/boot", bootVersion, "layers") + applyConfig(cfgPath, bootMounted) + + finalizeBoot() +} + +func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) { cfgBytes, err := ioutil.ReadFile(cfgPath) if err != nil { fatalf("failed to read %s: %v", cfgPath, err) } - cfg := &config{} + cfg = &configV1{} if err := yaml.Unmarshal(cfgBytes, cfg); err != nil { fatal("failed to load config: ", err) } @@ -94,7 +105,7 @@ func bootV1() { lowers[i] = dir - loopDev := fmt.Sprintf("/dev/loop%d", i) + loopDev := fmt.Sprintf("/dev/loop%d", i+loopOffset) losetup(loopDev, path) mount(loopDev, dir, "squashfs", layerMountFlags, "") @@ -136,12 +147,16 @@ func bootV1() { ioutil.WriteFile(filePath, []byte(fileDef.Content), fileDef.Mode) } + return +} + +func finalizeBoot() { // clean zombies cleanZombies() // switch root log.Print("switching root") - err = syscall.Exec("/sbin/switch_root", []string{"switch_root", + err := syscall.Exec("/sbin/switch_root", []string{"switch_root", "-c", "/dev/console", "/system", "/sbin/init"}, os.Environ()) fatal("switch_root failed: ", err) } diff --git a/boot-v2.go b/boot-v2.go index 2600406..e1665d4 100644 --- a/boot-v2.go +++ b/boot-v2.go @@ -1,5 +1,88 @@ package main +import ( + "log" + "os" + "os/exec" + + "gopkg.in/yaml.v3" + + "novit.nc/direktil/initrd/config" +) + func bootV2() { - fatal("boot v2 not finished") + log.Print("-- boot v2 --") + + cfg := &config.Config{} + + { + f, err := os.Open("/config.yaml") + if err != nil { + fatal("failed to open /config.yaml: ", err) + } + + err = yaml.NewDecoder(f).Decode(cfg) + f.Close() + + if err != nil { + fatal("failed to parse /config.yaml: ", err) + } + } + + log.Print("config loaded") + log.Printf("anti-phishing code: %q", cfg.AntiPhishingCode) + + auths = cfg.Auths + + // mount kernel modules + if cfg.Modules != "" { + log.Print("mount modules from ", cfg.Modules) + + err := os.MkdirAll("/modules", 0755) + if err != nil { + fatal("failed to create /modules: ", err) + } + + run("mount", cfg.Modules, "/modules") + loopOffset++ + + err = os.Symlink("/modules/lib/modules", "/lib/modules") + if err != nil { + fatal("failed to symlink modules: ", err) + } + } + + // load basic modules + run("modprobe", "unix") + + // devices init + err := exec.Command("udevd").Start() + if err != nil { + fatal("failed to start udevd: ", err) + } + + log.Print("udevadm triggers") + run("udevadm", "trigger", "-c", "add", "-t", "devices") + run("udevadm", "trigger", "-c", "add", "-t", "subsystems") + + log.Print("udevadm settle") + run("udevadm", "settle") + + // networks + setupNetworks(cfg) + + // Wireguard VPN + // TODO startVPN() + + // SSH service + startSSH(cfg) + + // LVM + setupLVM(cfg) + + // bootstrap the system + bootstrap(cfg) + + // finalize + finalizeBoot() } diff --git a/bootstrap.go b/bootstrap.go new file mode 100644 index 0000000..55fe77b --- /dev/null +++ b/bootstrap.go @@ -0,0 +1,123 @@ +package main + +import ( + "bytes" + "io/ioutil" + "log" + "os" + "path/filepath" + "strings" + + "novit.nc/direktil/initrd/config" +) + +func bootstrap(cfg *config.Config) { + if cfg.Bootstrap.Dev == "" { + fatalf("bootstrap device not defined!") + } + + const bsDir = "/bootstrap" + os.MkdirAll(bsDir, 0700) + + run("mount", cfg.Bootstrap.Dev, bsDir) + + baseDir := filepath.Join(bsDir, bootVersion) + sysCfgPath := filepath.Join(baseDir, "config.yaml") + + if _, err := os.Stat(sysCfgPath); os.IsNotExist(err) { + log.Printf("bootstrap %q does not exist", bootVersion) + + seed := cfg.Bootstrap.Seed + if seed == "" { + fatalf("boostrap seed not defined, admin required") + } + + log.Printf("seeding bootstrap from %s", seed) + + // TODO + } + + layersDir = baseDir + layersOverride["modules"] = "/modules.sqfs" + sysCfg := applyConfig(sysCfgPath, false) + + // mounts are v2 only + for _, mount := range sysCfg.Mounts { + log.Print("mount ", mount.Dev, " to system's ", mount.Path) + + path := filepath.Join("/system", mount.Path) + + os.MkdirAll(path, 0755) + + args := []string{mount.Dev, path} + if mount.Type != "" { + args = append(args, "-t", mount.Type) + } + if mount.Options != "" { + args = append(args, "-o", mount.Options) + } + + run("mount", args...) + } + + // setup root user + if ph := sysCfg.RootUser.PasswordHash; ph != "" { + log.Print("setting root's password") + setUserPass("root", ph) + } + if ak := sysCfg.RootUser.AuthorizedKeys; len(ak) != 0 { + log.Print("setting root's authorized keys") + setAuthorizedKeys(ak) + } +} + +func setUserPass(user, passwordHash string) { + const fpath = "/system/etc/shadow" + + ba, err := ioutil.ReadFile(fpath) + if err != nil { + fatalf("failed to read shadow: %v", err) + } + + lines := bytes.Split(ba, []byte{'\n'}) + + buf := new(bytes.Buffer) + for _, line := range lines { + line := string(line) + p := strings.Split(line, ":") + if len(p) < 2 || p[0] != user { + buf.WriteString(line) + continue + } + + p[1] = passwordHash + line = strings.Join(p, ":") + + buf.WriteString(line) + buf.WriteByte('\n') + } + + err = ioutil.WriteFile(fpath, buf.Bytes(), 0600) + if err != nil { + fatalf("failed to write shadow: %v", err) + } +} + +func setAuthorizedKeys(ak []string) { + buf := new(bytes.Buffer) + for _, k := range ak { + buf.WriteString(k) + buf.WriteByte('\n') + } + + const sshDir = "/system/root/.ssh" + err := os.MkdirAll(sshDir, 0700) + if err != nil { + fatalf("failed to create %s: %v", sshDir, err) + } + + err = ioutil.WriteFile(filepath.Join(sshDir, "authorized_keys"), buf.Bytes(), 0600) + if err != nil { + fatalf("failed to write authorized keys: %v", err) + } +} diff --git a/buildenv/Dockerfile b/buildenv/Dockerfile new file mode 100644 index 0000000..df0dd43 --- /dev/null +++ b/buildenv/Dockerfile @@ -0,0 +1,5 @@ +from golang:1.18beta2-alpine3.15 + +run apk add --update musl-dev git + +workdir /src diff --git a/colorio/colorio.go b/colorio/colorio.go new file mode 100644 index 0000000..01c243b --- /dev/null +++ b/colorio/colorio.go @@ -0,0 +1,45 @@ +package colorio + +import "io" + +var ( + Reset = []byte("\033[0m") + Bold = []byte("\033[1m") + Dim = []byte("\033[2m") + Underlined = []byte("\033[4m") + Blink = []byte("\033[5m") + Reverse = []byte("\033[7m") + Hidden = []byte("\033[8m") +) + +type writer struct { + before []byte + after []byte + w io.Writer +} + +func NewWriter(color []byte, w io.Writer) io.Writer { + return writer{ + before: color, + after: Reset, + w: w, + } +} + +func (w writer) Write(ba []byte) (n int, err error) { + b := make([]byte, len(w.before)+len(ba)+len(w.after)) + copy(b, w.before) + copy(b[len(w.before):], ba) + copy(b[len(w.before)+len(ba):], w.after) + + n, err = w.w.Write(b) + + n -= len(w.before) + if n < 0 { + n = 0 + } else if n > len(ba) { + n = len(ba) + } + + return +} diff --git a/colorio/colorio_test.go b/colorio/colorio_test.go new file mode 100644 index 0000000..a887039 --- /dev/null +++ b/colorio/colorio_test.go @@ -0,0 +1,21 @@ +package colorio + +import ( + "bytes" + "fmt" + "testing" +) + +func TestWriter(t *testing.T) { + buf := new(bytes.Buffer) + + w := NewWriter(Bold, buf) + + buf.WriteByte('{') + fmt.Fprintln(w, "hello") + buf.WriteByte('}') + + if s, exp := buf.String(), "{"+string(Bold)+"hello\n"+string(Reset)+"}"; s != exp { + t.Errorf("%q != %q", s, exp) + } +} diff --git a/config.go b/config.go index b7e2c0c..45c9ffd 100644 --- a/config.go +++ b/config.go @@ -4,7 +4,23 @@ import ( nconfig "novit.nc/direktil/pkg/config" ) -type config struct { +type configV1 struct { Layers []string `yaml:"layers"` Files []nconfig.FileDef `yaml:"files"` + + // v2 handles more + + RootUser struct { + PasswordHash string `yaml:"password_hash"` + AuthorizedKeys []string `yaml:"authorized_keys"` + } `yaml:"root_user"` + + Mounts []MountDef `yaml:"mounts"` +} + +type MountDef struct { + Dev string + Path string + Options string + Type string } diff --git a/config/config.go b/config/config.go new file mode 100644 index 0000000..333caba --- /dev/null +++ b/config/config.go @@ -0,0 +1,61 @@ +package config + +type Config struct { + AntiPhishingCode string `json:"anti_phishing_code"` + + Keymap string + Modules string + + Auths []Auth + + Networks []struct { + Name string + Interfaces []struct { + Var string + N int + Regexps []string + } + Script string + } + + LVM []LvmVG + Bootstrap Bootstrap +} + +type Auth struct { + Name string + SSHKey string `yaml:"sshKey"` + Password string `yaml:"password"` +} + +type LvmVG struct { + VG string + PVs struct { + N int + Regexps []string + } + + Defaults struct { + FS string + Raid *RaidConfig + } + + LVs []struct { + Name string + Crypt string + FS string + Raid *RaidConfig + Size string + Extents string + } +} + +type RaidConfig struct { + Mirrors int + Stripes int +} + +type Bootstrap struct { + Dev string + Seed string +} diff --git a/config/password.go b/config/password.go new file mode 100644 index 0000000..5986cd2 --- /dev/null +++ b/config/password.go @@ -0,0 +1,46 @@ +package config + +import ( + "crypto/rand" + "crypto/sha512" + "encoding/base64" + "strings" + + "golang.org/x/crypto/pbkdf2" +) + +var ( + encoding = base64.RawStdEncoding +) + +func PasswordHashFromSeed(seed, pass []byte) string { + h := pbkdf2.Key(pass, seed, 2048, 32, sha512.New) + return encoding.EncodeToString(h) +} + +func PasswordHash(pass []byte) (hashedPassWithSeed string) { + seed := make([]byte, 10) // 8 bytes min by the RFC recommendation + _, err := rand.Read(seed) + if err != nil { + panic(err) // we do not expect this to fail... + } + return JoinSeedAndHash(seed, PasswordHashFromSeed(seed, pass)) +} + +func JoinSeedAndHash(seed []byte, hash string) string { + return encoding.EncodeToString(seed) + ":" + hash +} + +func CheckPassword(hashedPassWithSeed string, pass []byte) (ok bool) { + parts := strings.SplitN(hashedPassWithSeed, ":", 2) + + encodedSeed := parts[0] + encodedHash := parts[1] + + seed, err := encoding.DecodeString(encodedSeed) + if err != nil { + return false + } + + return encodedHash == PasswordHashFromSeed(seed, pass) +} diff --git a/config/password_test.go b/config/password_test.go new file mode 100644 index 0000000..2051fa8 --- /dev/null +++ b/config/password_test.go @@ -0,0 +1,12 @@ +package config + +import "fmt" + +func ExamplePasswordHash() { + seed := []byte("myseed") + hash := PasswordHashFromSeed(seed, []byte("mypass")) + fmt.Println(JoinSeedAndHash(seed, hash)) + + // Output: + // bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 +} diff --git a/cpiocat/cpiocat.go b/cpiocat/cpiocat.go index 7a19509..595747c 100644 --- a/cpiocat/cpiocat.go +++ b/cpiocat/cpiocat.go @@ -22,12 +22,25 @@ func Append(out io.Writer, in io.Reader, filesToAppend []string) (err error) { return } + mode := hdr.FileInfo().Mode() + + if mode&os.ModeSymlink != 0 { + // symlink target must be written after + hdr.Size = int64(len(hdr.Linkname)) + } + err = cout.WriteHeader(hdr) if err != nil { return } - _, err = io.Copy(cout, cin) + if mode.IsRegular() { + _, err = io.Copy(cout, cin) + + } else if mode&os.ModeSymlink != 0 { + _, err = cout.Write([]byte(hdr.Linkname)) + } + if err != nil { return } @@ -35,26 +48,41 @@ func Append(out io.Writer, in io.Reader, filesToAppend []string) (err error) { for _, file := range filesToAppend { err = func() (err error) { - stat, err := os.Stat(file) + stat, err := os.Lstat(file) if err != nil { return } - hdr := &cpio.Header{ - Name: file, - Size: stat.Size(), - Mode: cpio.FileMode(stat.Mode()), + link := "" + if stat.Mode()&os.ModeSymlink != 0 { + link, err = os.Readlink(file) + if err != nil { + return + } } + hdr, err := cpio.FileInfoHeader(stat, link) + if err != nil { + return + } + + hdr.Name = file + cout.WriteHeader(hdr) - f, err := os.Open(file) - if err != nil { - return - } - defer f.Close() + if stat.Mode().IsRegular() { + var f *os.File + f, err = os.Open(file) + if err != nil { + return + } + defer f.Close() - _, err = io.Copy(cout, f) + _, err = io.Copy(cout, f) + + } else if stat.Mode()&os.ModeSymlink != 0 { + _, err = cout.Write([]byte(link)) + } return }() if err != nil { diff --git a/filter.go b/filter.go new file mode 100644 index 0000000..39b033c --- /dev/null +++ b/filter.go @@ -0,0 +1,22 @@ +package main + +func filter[T any](values []T, accept func(T) bool) []T { + r := make([]T, 0, len(values)) + + for _, v := range values { + if accept(v) { + r = append(r, v) + } + } + + return r +} + +func contains[T any](values []T, accept func(T) bool) bool { + for _, v := range values { + if accept(v) { + return true + } + } + return false +} diff --git a/filter_test.go b/filter_test.go new file mode 100644 index 0000000..bcb6580 --- /dev/null +++ b/filter_test.go @@ -0,0 +1,13 @@ +package main + +import ( + "fmt" + "testing" +) + +func TestFilter(t*testing.T) { + a := filter([]string{"a","b","c"}, func(v string) bool { return v != "b" }) + if fmt.Sprint(a) != "[a c]" { + t.Errorf("bad result: %v", a) + } +} diff --git a/go.mod b/go.mod index 0e9be77..f2ef565 100644 --- a/go.mod +++ b/go.mod @@ -2,23 +2,16 @@ module novit.nc/direktil/initrd require ( github.com/cavaliergopher/cpio v1.0.1 + github.com/kr/pty v1.1.8 + github.com/pkg/term v1.1.0 + golang.org/x/crypto v0.0.0-20220214200702-86341886e292 + golang.org/x/sys v0.0.0-20220209214540-3681064d5158 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 gopkg.in/yaml.v2 v2.4.0 + gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 ) -require ( - github.com/charmbracelet/bubbletea v0.19.3 // indirect - github.com/containerd/console v1.0.2 // indirect - github.com/lucasb-eyer/go-colorful v1.2.0 // indirect - github.com/mattn/go-isatty v0.0.13 // indirect - github.com/mattn/go-runewidth v0.0.13 // indirect - github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b // indirect - github.com/muesli/reflow v0.3.0 // indirect - github.com/muesli/termenv v0.9.0 // indirect - github.com/pkg/errors v0.9.1 // indirect - github.com/rivo/uniseg v0.2.0 // indirect - golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 // indirect -) +require github.com/creack/pty v1.1.17 // indirect go 1.18 diff --git a/go.sum b/go.sum index 2baf361..5797c15 100644 --- a/go.sum +++ b/go.sum @@ -1,56 +1,32 @@ github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM= github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc= -github.com/charmbracelet/bubbletea v0.19.3 h1:OKeO/Y13rQQqt4snX+lePB0QrnW80UdrMNolnCcmoAw= -github.com/charmbracelet/bubbletea v0.19.3/go.mod h1:VuXF2pToRxDUHcBUcPmCRUHRvFATM4Ckb/ql1rBl3KA= -github.com/containerd/console v1.0.2 h1:Pi6D+aZXM+oUw1czuKgH5IJ+y0jhYcwBJfx5/Ghn9dE= -github.com/containerd/console v1.0.2/go.mod h1:ytZPjGgY2oeTkAONYafi2kSj0aYggsf8acV1PGKCbzQ= +github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= +github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI= +github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= +github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI= +github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= -github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY= -github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= -github.com/mattn/go-isatty v0.0.13 h1:qdl+GuBjcsKKDco5BsxPJlId98mSWNKqYA+Co0SC1yA= -github.com/mattn/go-isatty v0.0.13/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU= -github.com/mattn/go-runewidth v0.0.12/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk= -github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU= -github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w= -github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b h1:1XF24mVaiu7u+CFywTdcDo2ie1pzzhwjt6RHqzpMU34= -github.com/muesli/ansi v0.0.0-20211018074035-2e021307bc4b/go.mod h1:fQuZ0gauxyBcmsdE3ZT4NasjaRdxmbCS0jRHsrWu3Ho= -github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s= -github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8= -github.com/muesli/termenv v0.9.0 h1:wnbOaGz+LUR3jNT0zOzinPnyDaCZUQRZj9GxK8eRVl8= -github.com/muesli/termenv v0.9.0/go.mod h1:R/LzAKf+suGs4IsO95y7+7DpFHO0KABgnZqtlyx2mBw= -github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= -github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= -github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY= -github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc= +github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk= +github.com/pkg/term v1.1.0/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw= github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4= -golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw= -golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c h1:VwygUrnw9jn88c4u8GD3rZQbqrP/tgas88tPUbBxQrk= -golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27 h1:XDXtA5hveEEV8JB2l7nhMTp3t3cHp9ZpwcdjqyEWLlo= -golang.org/x/sys v0.0.0-20220128215802-99c3d69c2c27/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= -golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= -golang.org/x/term v0.0.0-20210422114643-f5beecf764ed h1:Ei4bQjjpYUsS4efOUz+5Nz++IVkHk87n2zBA0NxBWc0= -golang.org/x/term v0.0.0-20210422114643-f5beecf764ed/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE= +golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c= +golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= -gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo= +gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc= novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU= diff --git a/lvm.go b/lvm.go new file mode 100644 index 0000000..97b4586 --- /dev/null +++ b/lvm.go @@ -0,0 +1,326 @@ +package main + +import ( + "bytes" + "io/fs" + "log" + "os" + "os/exec" + "path/filepath" + "strconv" + + "novit.nc/direktil/initrd/config" + "novit.nc/direktil/initrd/lvm" +) + +func setupLVM(cfg *config.Config) { + if len(cfg.LVM) == 0 { + log.Print("no LVM VG configured.") + return + } + + run("pvscan") + run("vgscan", "--mknodes") + + for _, vg := range cfg.LVM { + setupVG(vg) + } + + for _, vg := range cfg.LVM { + setupLVs(vg) + } + + run("vgchange", "--sysinit", "-a", "ly") + + for _, vg := range cfg.LVM { + setupCrypt(vg) + } + + for _, vg := range cfg.LVM { + setupFS(vg) + } +} + +func setupVG(vg config.LvmVG) { + pvs := lvm.PVSReport{} + err := runJSON(&pvs, "pvs", "--reportformat", "json") + if err != nil { + fatalf("failed to list LVM PVs: %v", err) + } + + vgExists := false + devNeeded := vg.PVs.N + for _, pv := range pvs.PVs() { + if pv.VGName == vg.VG { + vgExists = true + devNeeded-- + } + } + + if devNeeded <= 0 { + log.Print("LVM VG ", vg.VG, " has all its devices") + return + } + + if vgExists { + log.Printf("LVM VG %s misses %d devices", vg.VG, devNeeded) + } else { + log.Printf("LVM VG %s does not exists, creating", vg.VG) + } + + devNames := make([]string, 0) + err = filepath.Walk("/dev", func(n string, fi fs.FileInfo, err error) error { + if fi.Mode().Type() == os.ModeDevice { + devNames = append(devNames, n) + } + return err + }) + if err != nil { + fatalf("failed to walk /dev: %v", err) + } + + devNames = filter(devNames, func(v string) bool { + for _, pv := range pvs.PVs() { + if v == pv.Name { + return false + } + } + return true + }) + + m := regexpSelectN(vg.PVs.N, vg.PVs.Regexps, devNames) + if len(m) == 0 { + log.Printf("no devices match the regexps %v", vg.PVs.Regexps) + for _, d := range devNames { + log.Print("- ", d) + } + + fatalf("failed to setup VG %s", vg.VG) + } + + if vgExists { + log.Print("- extending vg to ", m) + run("vgextend", append([]string{vg.VG}, m...)...) + devNeeded -= len(m) + } else { + log.Print("- creating vg with devices ", m) + run("vgcreate", append([]string{vg.VG}, m...)...) + devNeeded -= len(m) + } + + if devNeeded > 0 { + fatalf("VG %s does not have enough devices (%d missing)", vg.VG, devNeeded) + } +} + +func setupLVs(vg config.LvmVG) { + lvsRep := lvm.LVSReport{} + err := runJSON(&lvsRep, "lvs", "--reportformat", "json") + if err != nil { + fatalf("lvs failed: %v", err) + } + + lvs := lvsRep.LVs() + + defaults := vg.Defaults + + for _, lv := range vg.LVs { + lvKey := vg.VG + "/" + lv.Name + + if contains(lvs, func(v lvm.LV) bool { + return v.VGName == vg.VG && v.Name == lv.Name + }) { + log.Printf("LV %s exists", lvKey) + continue + } + + log.Printf("creating LV %s", lvKey) + + if lv.Raid == nil { + lv.Raid = defaults.Raid + } + + args := make([]string, 0) + + if lv.Name == "" { + fatalf("LV has no name") + } + args = append(args, vg.VG, "--name", lv.Name) + + if lv.Size != "" && lv.Extents != "" { + fatalf("LV has both size and extents defined!") + } else if lv.Size == "" && lv.Extents == "" { + fatalf("LV does not have size or extents defined!") + } else if lv.Size != "" { + args = append(args, "-L", lv.Size) + } else /* if lv.Extents != "" */ { + args = append(args, "-l", lv.Extents) + } + + if raid := lv.Raid; raid != nil { + if raid.Mirrors != 0 { + args = append(args, "--mirrors", strconv.Itoa(raid.Mirrors)) + } + if raid.Stripes != 0 { + args = append(args, "--stripes", strconv.Itoa(raid.Stripes)) + } + } + + log.Print("lvcreate args: ", args) + run("lvcreate", args...) + + dev := "/dev/" + vg.VG + "/" + lv.Name + zeroDevStart(dev) + } +} + +func zeroDevStart(dev string) { + f, err := os.OpenFile(dev, os.O_WRONLY, 0600) + if err != nil { + fatalf("failed to open %s: %v", dev, err) + } + + defer f.Close() + + _, err = f.Write(make([]byte, 8192)) + if err != nil { + fatalf("failed to zero the beginning of %s: %v", dev, err) + } +} + +func setupCrypt(vg config.LvmVG) { + cryptDevs := map[string]bool{} + + var password []byte + passwordVerified := false + + for _, lv := range vg.LVs { + if lv.Crypt == "" { + continue + } + + if cryptDevs[lv.Crypt] { + fatalf("duplicate crypt device name: %s", lv.Crypt) + } + cryptDevs[lv.Crypt] = true + + retryOpen: + if len(password) == 0 { + password = askSecret("crypt password") + + if len(password) == 0 { + fatalf("empty password given") + } + } + + dev := "/dev/" + vg.VG + "/" + lv.Name + + needFormat := !devInitialized(dev) + if needFormat { + if !passwordVerified { + retry: + p2 := askSecret("verify crypt password") + + eq := bytes.Equal(password, p2) + + for i := range p2 { + p2[i] = 0 + } + + if !eq { + log.Print("passwords don't match") + goto retry + } + } + + log.Print("formatting encrypted device ", dev) + cmd := exec.Command("cryptsetup", "luksFormat", dev, "--key-file=-") + cmd.Stdin = bytes.NewBuffer(password) + cmd.Stdout = stdout + cmd.Stderr = stderr + err := cmd.Run() + if err != nil { + fatalf("failed luksFormat: %v", err) + } + } + + log.Print("openning encrypted device ", lv.Crypt, " from ", dev) + cmd := exec.Command("cryptsetup", "open", dev, lv.Crypt, "--key-file=-") + cmd.Stdin = bytes.NewBuffer(password) + cmd.Stdout = stdout + cmd.Stderr = stderr + err := cmd.Run() + if err != nil { + // maybe the password is wrong + for i := range password { + password[i] = 0 + } + password = password[:0] + passwordVerified = false + goto retryOpen + } + + if needFormat { + zeroDevStart("/dev/mapper/" + lv.Crypt) + } + + passwordVerified = true + } + + for i := range password { + password[i] = 0 + } +} + +func devInitialized(dev string) bool { + f, err := os.Open(dev) + if err != nil { + fatalf("failed to open %s: %v", dev, err) + } + + defer f.Close() + + ba := make([]byte, 8192) + _, err = f.Read(ba) + if err != nil { + fatalf("failed to read %s: %v", dev, err) + } + + for _, b := range ba { + if b != 0 { + return true + } + } + return false +} + +func setupFS(vg config.LvmVG) { + for _, lv := range vg.LVs { + dev := "/dev/" + vg.VG + "/" + lv.Name + + if lv.Crypt != "" { + dev = "/dev/mapper/" + lv.Crypt + } + + if devInitialized(dev) { + log.Print("device ", dev, " already formatted") + continue + } + + if lv.FS == "" { + lv.FS = vg.Defaults.FS + } + + log.Print("formatting ", dev, " (", lv.FS, ")") + args := make([]string, 0) + + switch lv.FS { + case "btrfs": + args = append(args, "-f") + case "ext4": + args = append(args, "-F") + } + + run("mkfs."+lv.FS, append(args, dev)...) + } +} diff --git a/lvm/lv.go b/lvm/lv.go new file mode 100644 index 0000000..a86ff85 --- /dev/null +++ b/lvm/lv.go @@ -0,0 +1,19 @@ +package lvm + +type LVSReport struct { + Report []struct { + LV []LV `json:"lv"` + } `json:"report"` +} + +type LV struct { + Name string `json:"lv_name"` + VGName string `json:"vg_name"` +} + +func (r LVSReport) LVs() (ret []LV) { + for _, rep := range r.Report { + ret = append(ret, rep.LV...) + } + return +} diff --git a/lvm/pv.go b/lvm/pv.go new file mode 100644 index 0000000..2f59991 --- /dev/null +++ b/lvm/pv.go @@ -0,0 +1,19 @@ +package lvm + +type PVSReport struct { + Report []struct { + PV []PV `json:"pv"` + } `json:"report"` +} + +type PV struct { + Name string `json:"pv_name"` + VGName string `json:"vg_name"` +} + +func (r PVSReport) PVs() (ret []PV) { + for _, rep := range r.Report { + ret = append(ret, rep.PV...) + } + return +} diff --git a/main.go b/main.go index d754da3..0296bf8 100644 --- a/main.go +++ b/main.go @@ -6,11 +6,16 @@ import ( "log" "os" "os/exec" + "path/filepath" "runtime" "syscall" "time" + "github.com/pkg/term/termios" "golang.org/x/term" + + "novit.nc/direktil/initrd/colorio" + "novit.nc/direktil/initrd/shio" ) const ( @@ -24,22 +29,41 @@ const ( var ( bootVersion string + + stdin, + stdinPipe = newPipe() + stdout = shio.New() + stderr = colorio.NewWriter(colorio.Bold, stdout) ) +func newPipe() (io.ReadCloser, io.WriteCloser) { + return io.Pipe() +} + func main() { runtime.LockOSThread() + // move log to shio + go io.Copy(os.Stdout, stdout.NewReader()) + log.SetOutput(stderr) + + // copy os.Stdin to my stdin pipe + go io.Copy(stdinPipe, os.Stdin) + log.Print("Welcome to ", VERSION) // essential mounts mount("none", "/proc", "proc", 0, "") mount("none", "/sys", "sysfs", 0, "") mount("none", "/dev", "devtmpfs", 0, "") + mount("none", "/dev/pts", "devpts", 0, "gid=5,mode=620") // get the "boot version" bootVersion = param("version", "current") log.Printf("booting system %q", bootVersion) + os.Setenv("PATH", "/usr/bin:/bin:/usr/sbin:/sbin") + _, err := os.Stat("/config.yaml") if err != nil { if os.IsNotExist(err) { @@ -52,8 +76,16 @@ func main() { bootV2() } +var ( + layersDir = "/boot/current/layers/" + layersOverride = map[string]string{} +) + func layerPath(name string) string { - return fmt.Sprintf("/boot/%s/layers/%s.fs", bootVersion, name) + if override, ok := layersOverride[name]; ok { + return override + } + return filepath.Join(layersDir, name+".fs") } func fatal(v ...interface{}) { @@ -69,21 +101,36 @@ func fatalf(pattern string, v ...interface{}) { } func die() { - fmt.Println("\nwill reboot in 1 minute; press r to reboot now, o to power off, s to get a shell") + log.SetOutput(os.Stderr) + stdout.Close() + stdin.Close() + stdinPipe.Close() - deadline := time.Now().Add(time.Minute) + stdin = nil - term.MakeRaw(int(os.Stdin.Fd())) // disable line buffering - os.Stdin.SetReadDeadline(deadline) - - b := []byte{0} +mainLoop: for { + termios.Tcdrain(os.Stdin.Fd()) + termios.Tcdrain(os.Stdout.Fd()) + termios.Tcdrain(os.Stderr.Fd()) + + fmt.Print("\nr to reboot, o to power off, s to get a shell: ") + + // TODO flush stdin (first char lost here?) + deadline := time.Now().Add(time.Minute) + os.Stdin.SetReadDeadline(deadline) + + termios.Tcflush(os.Stdin.Fd(), termios.TCIFLUSH) + term.MakeRaw(int(os.Stdin.Fd())) + + b := make([]byte, 1) _, err := os.Stdin.Read(b) if err != nil { - break + log.Print("failed to read from stdin: ", err) + time.Sleep(5 * time.Second) + syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART) } - - fmt.Println(string(b)) + fmt.Println() switch b[0] { case 'o': @@ -91,18 +138,42 @@ func die() { case 'r': syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART) case 's': - err = syscall.Exec("/bin/ash", []string{"/bin/ash"}, os.Environ()) - if err != nil { - fmt.Println("failed to start the shell:", err) + for _, sh := range []string{"bash", "ash", "sh", "busybox"} { + fullPath, err := exec.LookPath(sh) + if err != nil { + continue + } + + args := make([]string, 0) + if sh == "busybox" { + args = append(args, "sh") + } + + if !localAuth() { + continue mainLoop + } + + cmd := exec.Command(fullPath, args...) + cmd.Env = os.Environ() + cmd.Stdin = os.Stdin + cmd.Stdout = os.Stdout + cmd.Stderr = os.Stderr + err = cmd.Run() + if err != nil { + fmt.Println("shell failed:", err) + } + continue mainLoop } + log.Print("failed to find a shell!") + + default: + log.Printf("unknown choice: %q", string(b)) } } - - syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART) } func losetup(dev, file string) { - run("/sbin/losetup", dev, file) + run("/sbin/losetup", "-r", dev, file) } func run(cmd string, args ...string) { diff --git a/modd.conf b/modd.conf index 40c9178..ff7e2bb 100644 --- a/modd.conf +++ b/modd.conf @@ -1,13 +1,24 @@ modd.conf {} +alpine/Dockerfile { + prep: docker build -t dkl-initrd alpine + prep: docker run --rm dkl-initrd | base64 -d >dist/base-initrd +} + +buildenv/Dockerfile { + prep: docker build -t dkl-initrd-build buildenv +} + go.??? **/*.go { prep: go test ./... prep: mkdir -p dist - prep: go build -o dist/init -trimpath -ldflags "-extldflags '-static -pthread'" . prep: go build -o dist/ ./tools/... + + prep: mkdir -p tmp/go tmp/.cache + prep: docker run --rm -v novit-go:/go -e GOCACHE=/go/.cache -v $PWD:/src -u $(id -u):$(id -g) dkl-initrd-build go build -o dist/init . } -dist/init Dockerfile { - prep: docker build -t dkl-initrd . - prep: docker run dkl-initrd | base64 -d >dist/initrd +dist/init dist/base-initrd { + prep: cd dist && ../dist/cpiocat init initrd.new + prep: mv dist/initrd.new dist/initrd } diff --git a/modd.test.conf b/modd.test.conf index f7dd9d9..e34e5de 100644 --- a/modd.test.conf +++ b/modd.test.conf @@ -1,6 +1,6 @@ modd.test.conf {} -dist/initrd test-initrd/* { +dist/initrd dist/cpiocat test-initrd/* { prep: cp -f dist/initrd test-initrd.cpio prep: cd test-initrd && ../dist/cpiocat <../dist/initrd >../test-initrd.cpio * prep: if cpio -t -F test-initrd.cpio 2>&1 |grep bytes.of.junk; then echo "bad cpio archive"; exit 1; fi diff --git a/network.go b/network.go new file mode 100644 index 0000000..771a328 --- /dev/null +++ b/network.go @@ -0,0 +1,75 @@ +package main + +import ( + "log" + "net" + "os/exec" + "strings" + + "novit.nc/direktil/initrd/config" +) + +func setupNetworks(cfg *config.Config) { + if len(cfg.Networks) == 0 { + log.Print("no networks configured.") + return + } + + ifNames := make([]string, 0) + { + ifaces, err := net.Interfaces() + if err != nil { + fatal("failed") + } + for _, iface := range ifaces { + ifNames = append(ifNames, iface.Name) + } + } + + assigned := map[string]bool{} + + for _, network := range cfg.Networks { + log.Print("setting up network ", network.Name) + + // compute available names + if len(assigned) != 0 { + newNames := make([]string, 0, len(ifNames)) + for _, n := range ifNames { + if assigned[n] { + continue + } + newNames = append(newNames, n) + } + ifNames = newNames + } + + // assign envvars + envvars := make([]string, 0, 1+len(network.Interfaces)) + envvars = append(envvars, "PATH=/bin:/sbin:/usr/bin:/usr/sbin") + + for _, match := range network.Interfaces { + envvar := new(strings.Builder) + envvar.WriteString(match.Var) + envvar.WriteByte('=') + + for i, m := range regexpSelectN(match.N, match.Regexps, ifNames) { + if i != 0 { + envvar.WriteByte(' ') + } + envvar.WriteString(m) + assigned[m] = true + } + + log.Print("- ", envvar) + envvars = append(envvars, envvar.String()) + } + + cmd := exec.Command("/bin/sh", "-c", network.Script) + cmd.Env = envvars + cmd.Stdout = stdout + cmd.Stderr = stderr + if err := cmd.Run(); err != nil { + fatal("failed to setup network: ", err) + } + } +} diff --git a/regexp.go b/regexp.go new file mode 100644 index 0000000..9b633a3 --- /dev/null +++ b/regexp.go @@ -0,0 +1,39 @@ +package main + +import ( + "log" + "regexp" +) + +func regexpSelectN(n int, regexps []string, names []string) (matches []string) { + if n <= 0 { + matches = make([]string, 0) + } else { + matches = make([]string, 0, n) + } + + res := make([]*regexp.Regexp, 0, len(regexps)) + for _, reStr := range regexps { + re, err := regexp.Compile(reStr) + if err != nil { + log.Printf("warning: invalid regexp ignored: %q: %v", reStr, err) + continue + } + res = append(res, re) + } + +namesLoop: + for _, name := range names { + if len(matches) == n { + break + } + for _, re := range res { + if re.MatchString(name) { + matches = append(matches, name) + continue namesLoop + } + } + } + + return +} diff --git a/run-test.sh b/run-test.sh index 9e27035..4bc3626 100755 --- a/run-test.sh +++ b/run-test.sh @@ -1,6 +1,19 @@ #! /bin/sh +disk1=tmp/test-vda.qcow2 +disk2=tmp/test-vdb.qcow2 + +if ! [ -e $disk1 ]; then + qemu-img create -f qcow2 $disk1 10G +fi +if ! [ -e $disk2 ]; then + qemu-img create -f qcow2 $disk2 10G +fi + exec qemu-system-x86_64 -pidfile qemu.pid -kernel test-kernel -initrd test-initrd.cpio \ -smp 2 -m 2048 \ + -netdev bridge,br=novit,id=eth0 -device virtio-net-pci,netdev=eth0 \ + -drive file=$disk1,if=virtio \ + -drive file=$disk2,if=virtio \ -nographic -serial mon:stdio -append 'console=ttyS0' # -display curses diff --git a/run.go b/run.go new file mode 100644 index 0000000..b7f71c2 --- /dev/null +++ b/run.go @@ -0,0 +1,18 @@ +package main + +import ( + "encoding/json" + "os/exec" +) + +func runJSON(v interface{}, cmd string, args ...string) (err error) { + c := exec.Command(cmd, args...) + c.Stderr = stderr + ba, err := c.Output() + if err != nil { + return + } + + err = json.Unmarshal(ba, v) + return +} diff --git a/shio/shio.go b/shio/shio.go new file mode 100644 index 0000000..d742a85 --- /dev/null +++ b/shio/shio.go @@ -0,0 +1,118 @@ +// Shared IO +package shio + +import ( + "io" + "sync" + + "novit.nc/direktil/initrd/colorio" +) + +type ShIO struct { + buf []byte + closed bool + cond *sync.Cond + hideInput bool +} + +func New() *ShIO { + return NewWithCap(1024) +} +func NewWithCap(capacity int) *ShIO { + return NewWithBytes(make([]byte, 0, capacity)) +} +func NewWithBytes(content []byte) *ShIO { + return &ShIO{ + buf: content, + cond: sync.NewCond(&sync.Mutex{}), + } +} + +var ( + _ io.WriteCloser = New() +) + +func (s *ShIO) Write(data []byte) (n int, err error) { + s.cond.L.Lock() + defer s.cond.L.Unlock() + + if s.closed { + err = io.EOF + return + } + + if s.hideInput { + s.buf = append(s.buf, colorio.Reset...) + } + + s.buf = append(s.buf, data...) + n = len(data) + + if s.hideInput { + s.buf = append(s.buf, colorio.Hidden...) + } + + s.cond.Broadcast() + return +} + +func (s *ShIO) HideInput() { + s.cond.L.Lock() + defer s.cond.L.Unlock() + + if s.closed { + return + } + + s.buf = append(s.buf, colorio.Hidden...) + s.hideInput = true +} +func (s *ShIO) ShowInput() { + s.cond.L.Lock() + defer s.cond.L.Unlock() + + if s.closed { + return + } + + s.buf = append(s.buf, colorio.Reset...) + s.hideInput = false +} + +func (s *ShIO) Close() (err error) { + s.cond.L.Lock() + defer s.cond.L.Unlock() + + s.closed = true + + s.cond.Broadcast() + return +} + +func (s *ShIO) NewReader() io.Reader { + return &shioReader{s, 0} +} + +type shioReader struct { + in *ShIO + pos int +} + +func (r *shioReader) Read(ba []byte) (n int, err error) { + r.in.cond.L.Lock() + defer r.in.cond.L.Unlock() + + for r.pos == len(r.in.buf) && !r.in.closed { + r.in.cond.Wait() + } + + if r.pos == len(r.in.buf) && r.in.closed { + err = io.EOF + return + } + + n = copy(ba, r.in.buf[r.pos:]) + r.pos += n + + return +} diff --git a/shio/shio_test.go b/shio/shio_test.go new file mode 100644 index 0000000..20b547c --- /dev/null +++ b/shio/shio_test.go @@ -0,0 +1,52 @@ +package shio + +import ( + "fmt" + "io" + "os" + "sync" + "time" +) + +func ExampleOutput() { + done := false + defer func() { done = true }() + go func() { + time.Sleep(time.Second) + if !done { + panic("timeout") + } + }() + + shio := NewWithCap(3) + + r1 := shio.NewReader() + + // read as you write + wg := new(sync.WaitGroup) + wg.Add(1) + go func() { + defer wg.Done() + io.Copy(os.Stdout, r1) + fmt.Println("-- r1 done --") + }() + + fmt.Fprintln(shio, "hello1") + fmt.Fprintln(shio, "hello2") + shio.Close() + + wg.Wait() + + // read after close + r2 := shio.NewReader() + io.Copy(os.Stdout, r2) + fmt.Println("-- r2 done --") + + // Output: + // hello1 + // hello2 + // -- r1 done -- + // hello1 + // hello2 + // -- r2 done -- +} diff --git a/ssh.go b/ssh.go new file mode 100644 index 0000000..aaefae7 --- /dev/null +++ b/ssh.go @@ -0,0 +1,229 @@ +package main + +import ( + "encoding/binary" + "fmt" + "io" + "io/ioutil" + "log" + "net" + "os" + "os/exec" + "sync" + "syscall" + "unsafe" + + "github.com/kr/pty" + "golang.org/x/crypto/ssh" + + "novit.nc/direktil/initrd/config" +) + +func startSSH(cfg *config.Config) { + sshConfig := &ssh.ServerConfig{ + PublicKeyCallback: sshCheckPubkey, + } + + pkBytes, err := ioutil.ReadFile("/id_rsa") // TODO configurable + if err != nil { + fatalf("ssh: failed to load private key: %v", err) + } + + pk, err := ssh.ParsePrivateKey(pkBytes) + if err != nil { + fatalf("ssh: failed to parse private key: %v", err) + } + + sshConfig.AddHostKey(pk) + + sshBind := ":22" // TODO configurable + listener, err := net.Listen("tcp", sshBind) + if err != nil { + fatalf("ssh: failed to listen on %s: %v", sshBind, err) + } + + log.Print("SSH server listening on ", sshBind) + + go func() { + for { + conn, err := listener.Accept() + if err != nil { + log.Print("ssh: accept conn failed: ", err) + continue + } + + go sshHandleConn(conn, sshConfig) + } + }() +} + +func sshHandleConn(conn net.Conn, sshConfig *ssh.ServerConfig) { + sshConn, chans, reqs, err := ssh.NewServerConn(conn, sshConfig) + + if err != nil { + log.Print("ssh: handshake failed: ", err) + return + } + + remoteAddr := sshConn.User() + "@" + sshConn.RemoteAddr().String() + log.Print("ssh: new connection from ", remoteAddr) + + go sshHandleReqs(reqs) + go sshHandleChannels(remoteAddr, chans) +} + +func sshHandleReqs(reqs <-chan *ssh.Request) { + for req := range reqs { + switch req.Type { + case "keepalive@openssh.com": + req.Reply(true, nil) + + default: + log.Printf("ssh: discarding req: %+v", req) + req.Reply(false, nil) + } + } +} + +func sshHandleChannels(remoteAddr string, chans <-chan ssh.NewChannel) { + for newChannel := range chans { + if t := newChannel.ChannelType(); t != "session" { + newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", t)) + continue + } + + channel, requests, err := newChannel.Accept() + if err != nil { + log.Print("ssh: failed to accept channel: ", err) + continue + } + + go sshHandleChannel(remoteAddr, channel, requests) + } +} + +func sshHandleChannel(remoteAddr string, channel ssh.Channel, requests <-chan *ssh.Request) { + var ( + ptyF, ttyF *os.File + termEnv string + ) + + defer func() { + if ptyF != nil { + ptyF.Close() + } + if ttyF != nil { + ttyF.Close() + } + }() + + var once sync.Once + close := func() { + channel.Close() + } + + for req := range requests { + switch req.Type { + case "exec": + command := string(req.Payload[4 : req.Payload[3]+4]) + switch command { + case "init": + go func() { + io.Copy(channel, stdout.NewReader()) + once.Do(close) + }() + go func() { + io.Copy(stdinPipe, channel) + once.Do(close) + }() + + req.Reply(true, nil) + + default: + req.Reply(false, nil) + } + + case "shell": + cmd := exec.Command("/bin/ash") + cmd.Env = []string{"TERM=" + termEnv} + cmd.Stdin = ttyF + cmd.Stdout = ttyF + cmd.Stderr = ttyF + cmd.SysProcAttr = &syscall.SysProcAttr{ + Setctty: true, + Setsid: true, + Pdeathsig: syscall.SIGKILL, + } + + cmd.Start() + + go func() { + cmd.Wait() + ptyF.Close() + ptyF = nil + ttyF.Close() + ttyF = nil + }() + + go func() { + io.Copy(channel, ptyF) + once.Do(close) + }() + go func() { + io.Copy(ptyF, channel) + once.Do(close) + }() + + req.Reply(true, nil) + + case "pty-req": + if ptyF != nil || ttyF != nil { + req.Reply(false, nil) + continue + } + + var err error + ptyF, ttyF, err = pty.Open() + if err != nil { + log.Print("PTY err: ", err) + req.Reply(false, nil) + continue + } + + termLen := req.Payload[3] + termEnv = string(req.Payload[4 : termLen+4]) + w, h := sshParseDims(req.Payload[termLen+4:]) + sshSetWinsize(ptyF.Fd(), w, h) + + req.Reply(true, nil) + + case "window-change": + w, h := sshParseDims(req.Payload) + sshSetWinsize(ptyF.Fd(), w, h) + // no response + + default: + req.Reply(false, nil) + } + } +} + +func sshParseDims(b []byte) (uint32, uint32) { + w := binary.BigEndian.Uint32(b) + h := binary.BigEndian.Uint32(b[4:]) + return w, h +} + +// SetWinsize sets the size of the given pty. +func sshSetWinsize(fd uintptr, w, h uint32) { + // Winsize stores the Height and Width of a terminal. + type Winsize struct { + Height uint16 + Width uint16 + x uint16 // unused + y uint16 // unused + } + + ws := &Winsize{Width: uint16(w), Height: uint16(h)} + syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TIOCSWINSZ), uintptr(unsafe.Pointer(ws))) +} diff --git a/test-initrd/config.yaml b/test-initrd/config.yaml index 2211f72..d69fcbb 100644 --- a/test-initrd/config.yaml +++ b/test-initrd/config.yaml @@ -1,11 +1,23 @@ --- # early system configuration +anti_phishing_code: "direktil<3" modules: /modules.sqfs +auths: + - name: novit + sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N + password: bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 # mypass + networks: +- name: loopback + interfaces: [ { var: iface, n: 1, regexps: [ "^lo$" ] } ] + script: | + ip a add 127.0.0.1/8 dev lo + ip a add ::1/128 dev lo + ip li set lo up - name: main - ifaces: + interfaces: - var: iface n: 1 regexps: @@ -14,30 +26,44 @@ networks: - eno.* - enp.* script: | - # hello - . /env - ip a add $address dev $iface - ip route add default via $gateway ip li set $iface up + udhcpc $iface lvm: +- vg: storage pvs: - n: 1 + n: 2 regexps: - - /dev/nvme[0-9]+n[0-9]+p[0-9]+ - - /dev/vd[a-z]+[0-9]+ - - /dev/sd[a-z]+[0-9]+ + # to match full disks + - /dev/nvme[0-9]+n[0-9]+ + - /dev/vd[a-z]+ + - /dev/sd[a-z]+ + - /dev/hd[a-z]+ + # to match partitions: + #- /dev/nvme[0-9]+n[0-9]+p[0-9]+ + #- /dev/vd[a-z]+[0-9]+ + #- /dev/sd[a-z]+[0-9]+ + #- /dev/hd[a-z]+[0-9]+ defaults: fs: ext4 - tags: [ encrypt ] + raid: + mirrors: 1 lvs: - name: bootstrap - tags: [ bootstrap, -encrypt ] + crypt: bootstrap size: 2g - - name: dls - mountPoint: /var/lib/direktil - size: 100%FREE + - name: varlog + crypt: varlog + extents: 10%FREE + + - name: dls + crypt: dls + extents: 100%FREE + +bootstrap: + dev: /dev/mapper/bootstrap + #seed: https://direktil.novit.io/bootstraps/dls diff --git a/test-initrd/id_rsa b/test-initrd/id_rsa new file mode 100644 index 0000000..cab27d3 --- /dev/null +++ b/test-initrd/id_rsa @@ -0,0 +1,38 @@ +-----BEGIN OPENSSH PRIVATE KEY----- +b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn +NhAAAAAwEAAQAAAYEAy6Ppr/tBiVYsBYiteGwMPI+B2BSBn+CP36ZiKsx6IX+9E0/nGKgC +khwWFfrmIzS2EIm+iIv7YT3sXsqcO96au2ewh77m5xUFIrqie5c13leNeOn+Xhy++v0705 +irYUuBVRbWukpQjhOrp0eqvBzOdlUoo2r7aF95rrMboAsIWh5gTTnVCXDSEQiHsvEGjs7T +ytOXQ6zmYTECYEkk/wUWja7WNP8UZiaPuU20Hso8g7kHSthKEudUDFs7E/yx+na0AYCnfE +UR6oxIbHH2ldgpnX7lTv5YhHVvNnqTIBQhmLTHrT/67N2z5AvdFC8T2UsrWs+3ebsdXb0o +Kzx81+N9OpPxj93ehLznncuCCgAedye5Xm760SOaU1T2b3f0bEhhsVCMI39mPExeZ2wtnd +g+Tmrqn3r59vb3iEYfJqvgLCTJ5L1BcFUTfulg7GfhfNvgBmgiiRTUC2G0SrV1tM84vsE7 +JyyTcJaXr0X+tUgsXoUqnlX53OEw7ABskWvZ0m0fAAAFiBu7krYbu5K2AAAAB3NzaC1yc2 +EAAAGBAMuj6a/7QYlWLAWIrXhsDDyPgdgUgZ/gj9+mYirMeiF/vRNP5xioApIcFhX65iM0 +thCJvoiL+2E97F7KnDvemrtnsIe+5ucVBSK6onuXNd5XjXjp/l4cvvr9O9OYq2FLgVUW1r +pKUI4Tq6dHqrwcznZVKKNq+2hfea6zG6ALCFoeYE051Qlw0hEIh7LxBo7O08rTl0Os5mEx +AmBJJP8FFo2u1jT/FGYmj7lNtB7KPIO5B0rYShLnVAxbOxP8sfp2tAGAp3xFEeqMSGxx9p +XYKZ1+5U7+WIR1bzZ6kyAUIZi0x60/+uzds+QL3RQvE9lLK1rPt3m7HV29KCs8fNfjfTqT +8Y/d3oS8553LggoAHncnuV5u+tEjmlNU9m939GxIYbFQjCN/ZjxMXmdsLZ3YPk5q6p96+f +b294hGHyar4CwkyeS9QXBVE37pYOxn4Xzb4AZoIokU1AthtEq1dbTPOL7BOycsk3CWl69F +/rVILF6FKp5V+dzhMOwAbJFr2dJtHwAAAAMBAAEAAAGBAJ0rDBBjtkgd9unqfCAmHCedht +RTt1vCgKhXjQqFOHmkUjSWhcD04s8L2EvskjR32VDYTvKqP0Dk/wqGC6D1hKzBMXEDeMi+ +43DTZNZIdS3+mtTInCbcvtWOHt+HxDXahZ47e0zaUGPncKMx3+dBwGN6BFxkFFeQ4KRh3h +9ehHqxWRghW3fm2GqHD9yew7XykWnIdsWnq0M2BSR1L5WXwrllSDQs7vyMJH8bJrpg0eXE +J4mvdzQx0B+dRfJ+JIsvkwvieAPb6sPmSgY47moP0xhbvs7/1UxPEY0Q2FpjQALQ0CnIC2 +LRHvGb7NJEX/ASDy/s1CNlk5ro/iht28wh0Iq8iqqpRkgKyhYsr8+QChs6oxcbx2xPRVy4 +NOBMLW6ppjIQO3rE79zPrp9tTmew5iQ4V58+DqhAZxeI4A6YZE98rAvRREqnT6HVmqtfHl +gPMlrSDw1I8ZN8QT1dD1sMbi4Ud0eHdg1xLUpJ3dStgN45yhBiWuR2x4Jbn8ayeZwJmQAA +AMA971gUyqrb7D6oFerzx3prijJoZOLE1Zluo3Q9Ise4KgDZ66QDE7mQRzSEniZcy77mSt +VOhjVmI5CXREbpdGU6LxJujIAm4pKwyVEV8XVAzII6s4He5QUBxiLYWHDro3bOSmOZ50tk +WBTO7llCR5FGbi7iJ1CP0C+CXRSaH8ug8Xqd0HBzTB2nXTGJNyx9lBwLY837VcdUIRrr+7 +QzVD/BQ/v+Ch21Ck0kMtLCv+lrXAeowsK89ExDp4HqMnOHnT0AAADBAObxbkJeoXfkmV7e +0nAyQ/IDTs3Zlm3517mTzvc7j2o0qJQty+9pLD60S5s0VUpQpgeT3LzXRZ2eZlq3FcWsRa +HyiovF6L5OUik1gVc/QiP+x6QSLdFi/ROHRT7DZFQ+1/bquGgVsoEVZJPDz7NJvBPLYwmj +EGRZeKWVjIcDLSGq6fek9aTFUe7bcDCHx+QuovxeFWncmTNYC7jaYMff6DtHjokLgsyOzF +FjYEC9wFVrEz+9oegDxatiJpWJN1zTWwAAAMEA4bwhyUDs0oyQ+16xpdd4f8PYfQ0HoLow +ckvWCNS2Xmpnbe+dYqqRw7mchnYj4uXvhi391LwWTea5bQ78Hj+DnMugOLmmcHuFAbkxeL +9x97iCIUrli5wawGfJgwPiGJlATUVz9Y3BOcg+uBmQ9qGR6wdI6N+zuu/54gGzW2gVanYs +Gs0JH+C+afZ2yitUuGXDIVlYdgjESIszdK0wNGzZ4HDleFVhK3jFiK1CHHBb89Tbmd6fMZ +NWpcpue2AYSUyNAAAADXRlc3RAbm92aXQuaW8BAgMEBQ== +-----END OPENSSH PRIVATE KEY----- diff --git a/test-initrd/id_rsa.pub b/test-initrd/id_rsa.pub new file mode 100644 index 0000000..3abde42 --- /dev/null +++ b/test-initrd/id_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLo+mv+0GJViwFiK14bAw8j4HYFIGf4I/fpmIqzHohf70TT+cYqAKSHBYV+uYjNLYQib6Ii/thPexeypw73pq7Z7CHvubnFQUiuqJ7lzXeV4146f5eHL76/TvTmKthS4FVFta6SlCOE6unR6q8HM52VSijavtoX3musxugCwhaHmBNOdUJcNIRCIey8QaOztPK05dDrOZhMQJgSST/BRaNrtY0/xRmJo+5TbQeyjyDuQdK2EoS51QMWzsT/LH6drQBgKd8RRHqjEhscfaV2CmdfuVO/liEdW82epMgFCGYtMetP/rs3bPkC90ULxPZSytaz7d5ux1dvSgrPHzX4306k/GP3d6EvOedy4IKAB53J7lebvrRI5pTVPZvd/RsSGGxUIwjf2Y8TF5nbC2d2D5Oauqfevn29veIRh8mq+AsJMnkvUFwVRN+6WDsZ+F82+AGaCKJFNQLYbRKtXW0zzi+wTsnLJNwlpevRf61SCxehSqeVfnc4TDsAGyRa9nSbR8= test@novit.io diff --git a/tools/cpiocat/main.go b/tools/cpiocat/main.go index 978b4e7..6671ce6 100644 --- a/tools/cpiocat/main.go +++ b/tools/cpiocat/main.go @@ -2,6 +2,7 @@ package main import ( "flag" + "log" "os" "novit.nc/direktil/initrd/cpiocat" @@ -10,5 +11,8 @@ import ( func main() { flag.Parse() - cpiocat.Append(os.Stdout, os.Stdin, flag.Args()) + err := cpiocat.Append(os.Stdout, os.Stdin, flag.Args()) + if err != nil { + log.Fatal(err) + } } diff --git a/tty.go b/tty.go new file mode 100644 index 0000000..ba419e8 --- /dev/null +++ b/tty.go @@ -0,0 +1,38 @@ +package main + +import ( + "os" + + "golang.org/x/sys/unix" +) + +var ( + stdinTTY = &tty{int(os.Stdin.Fd()), nil} +) + +type tty struct { + fd int + termios *unix.Termios +} + +func (t *tty) EchoOff() { + termios, err := unix.IoctlGetTermios(t.fd, unix.TCGETS) + if err != nil { + return + } + + t.termios = termios + + newState := *termios + newState.Lflag &^= unix.ECHO + newState.Lflag |= unix.ICANON | unix.ISIG + newState.Iflag |= unix.ICRNL + unix.IoctlSetTermios(t.fd, unix.TCSETS, &newState) +} + +func (t *tty) Restore() { + if t.termios != nil { + unix.IoctlSetTermios(t.fd, unix.TCSETS, t.termios) + t.termios = nil + } +} diff --git a/zombies.go b/zombies.go index 5c23f42..33aa35c 100644 --- a/zombies.go +++ b/zombies.go @@ -6,6 +6,8 @@ import ( ) func cleanZombies() { + return // FIXME noop... udhcpc is a daemon staying alive so we never finish + var wstatus syscall.WaitStatus for {