Compare commits

...

2 Commits

Author SHA1 Message Date
Mikaël Cluseau
8506f8807d boot v2 progress: disks, ssh, success... 2022-03-08 11:45:56 +01:00
Mikaël Cluseau
8e86579004 prepare boot v2 2022-02-04 21:45:18 +01:00
44 changed files with 2065 additions and 186 deletions

4
.gitignore vendored
View File

@ -1 +1,5 @@
.*.sw[po] .*.sw[po]
/dist
/qemu.pid
/test-initrd.cpio
/tmp

View File

@ -1,19 +0,0 @@
# ------------------------------------------------------------------------
from mcluseau/golang-builder:1.15.5 as build
# ------------------------------------------------------------------------
from alpine:3.12
env busybox_v=1.28.1-defconfig-multiarch \
arch=x86_64
run apk add --update curl
workdir /layer
add build-layer /
run /build-layer
copy --from=build /go/bin/initrd /layer/init
entrypoint ["sh","-c","find |cpio -H newc -o |base64"]

12
alpine/Dockerfile Normal file
View File

@ -0,0 +1,12 @@
# ------------------------------------------------------------------------
from alpine:3.15
add alpine-minirootfs-3.15.0-x86_64.tar.gz /layer/
workdir /layer
run apk update
run apk add -p . musl lvm2 lvm2-dmeventd udev cryptsetup e2fsprogs btrfs-progs
run rm -rf usr/share/apk var/cache/apk
entrypoint ["sh","-c","find |cpio -H newc -o |base64"]

Binary file not shown.

43
ask-secret.go Normal file
View File

@ -0,0 +1,43 @@
package main
import (
"bufio"
"bytes"
"io"
"os"
)
func askSecret(prompt string) []byte {
stdinTTY.EchoOff()
var (
in io.Reader = stdin
out io.Writer = stdout
)
if stdin == nil {
in = os.Stdin
out = os.Stdout
}
out.Write([]byte(prompt + ": "))
if stdin != nil {
stdout.HideInput()
}
s, err := bufio.NewReader(in).ReadBytes('\n')
if stdin != nil {
stdout.ShowInput()
}
stdinTTY.Restore()
if err != nil {
fatalf("failed to read from stdin: %v", err)
}
s = bytes.TrimRight(s, "\r\n")
return s
}

58
auth.go Normal file
View File

@ -0,0 +1,58 @@
package main
import (
"bytes"
"errors"
"log"
"golang.org/x/crypto/ssh"
"novit.nc/direktil/initrd/config"
)
var (
auths []config.Auth
)
func localAuth() bool {
sec := askSecret("password")
for _, auth := range auths {
if auth.Password == "" {
continue
}
if config.CheckPassword(auth.Password, sec) {
log.Printf("login with auth %q", auth.Name)
return true
}
}
return false
}
func sshCheckPubkey(conn ssh.ConnMetadata, key ssh.PublicKey) (*ssh.Permissions, error) {
keyBytes := key.Marshal()
for _, auth := range auths {
if auth.SSHKey == "" {
continue
}
allowedKey, _, _, _, err := ssh.ParseAuthorizedKey([]byte(auth.SSHKey))
if err != nil {
log.Printf("SSH pubkey for %q invalid: %v", auth.Name, auth.SSHKey)
return nil, err
}
if bytes.Equal(allowedKey.Marshal(), keyBytes) {
log.Print("ssh: accepting public key for ", auth.Name)
return &ssh.Permissions{
Extensions: map[string]string{
"pubkey-fp": ssh.FingerprintSHA256(key),
},
}, nil
}
}
return nil, errors.New("no matching public key")
}

162
boot-v1.go Normal file
View File

@ -0,0 +1,162 @@
package main
import (
"fmt"
"io/ioutil"
"log"
"os"
"path/filepath"
"strings"
"syscall"
"time"
yaml "gopkg.in/yaml.v2"
"novit.nc/direktil/pkg/sysfs"
)
var loopOffset = 0
func bootV1() {
log.Print("-- boot v1 --")
// find and mount /boot
bootMatch := param("boot", "")
bootMounted := false
if bootMatch != "" {
bootFS := param("boot.fs", "vfat")
for i := 0; ; i++ {
devNames := sysfs.DeviceByProperty("block", bootMatch)
if len(devNames) == 0 {
if i > 30 {
fatal("boot partition not found after 30s")
}
log.Print("boot partition not found, retrying")
time.Sleep(1 * time.Second)
continue
}
devFile := filepath.Join("/dev", devNames[0])
log.Print("boot partition found: ", devFile)
mount(devFile, "/boot", bootFS, bootMountFlags, "")
bootMounted = true
break
}
} else {
log.Print("Assuming /boot is already populated.")
}
// load config
cfgPath := param("config", "/boot/config.yaml")
layersDir = filepath.Join("/boot", bootVersion, "layers")
applyConfig(cfgPath, bootMounted)
finalizeBoot()
}
func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) {
cfgBytes, err := ioutil.ReadFile(cfgPath)
if err != nil {
fatalf("failed to read %s: %v", cfgPath, err)
}
cfg = &configV1{}
if err := yaml.Unmarshal(cfgBytes, cfg); err != nil {
fatal("failed to load config: ", err)
}
// mount layers
if len(cfg.Layers) == 0 {
fatal("no layers configured!")
}
log.Printf("wanted layers: %q", cfg.Layers)
layersInMemory := paramBool("layers-in-mem", false)
const layersInMemDir = "/layers-in-mem"
if layersInMemory {
mkdir(layersInMemDir, 0700)
mount("layers-mem", layersInMemDir, "tmpfs", 0, "")
}
lowers := make([]string, len(cfg.Layers))
for i, layer := range cfg.Layers {
path := layerPath(layer)
info, err := os.Stat(path)
if err != nil {
fatal(err)
}
log.Printf("layer %s found (%d bytes)", layer, info.Size())
if layersInMemory {
log.Print(" copying to memory...")
targetPath := filepath.Join(layersInMemDir, layer)
cp(path, targetPath)
path = targetPath
}
dir := "/layers/" + layer
lowers[i] = dir
loopDev := fmt.Sprintf("/dev/loop%d", i+loopOffset)
losetup(loopDev, path)
mount(loopDev, dir, "squashfs", layerMountFlags, "")
}
// prepare system root
mount("mem", "/changes", "tmpfs", 0, "")
mkdir("/changes/workdir", 0755)
mkdir("/changes/upperdir", 0755)
mount("overlay", "/system", "overlay", rootMountFlags,
"lowerdir="+strings.Join(lowers, ":")+",upperdir=/changes/upperdir,workdir=/changes/workdir")
if bootMounted {
if layersInMemory {
if err := syscall.Unmount("/boot", 0); err != nil {
log.Print("WARNING: failed to unmount /boot: ", err)
time.Sleep(2 * time.Second)
}
} else {
mount("/boot", "/system/boot", "", syscall.MS_BIND, "")
}
}
// - write configuration
log.Print("writing /config.yaml")
if err := ioutil.WriteFile("/system/config.yaml", cfgBytes, 0600); err != nil {
fatal("failed: ", err)
}
// - write files
for _, fileDef := range cfg.Files {
log.Print("writing ", fileDef.Path)
filePath := filepath.Join("/system", fileDef.Path)
ioutil.WriteFile(filePath, []byte(fileDef.Content), fileDef.Mode)
}
return
}
func finalizeBoot() {
// clean zombies
cleanZombies()
// switch root
log.Print("switching root")
err := syscall.Exec("/sbin/switch_root", []string{"switch_root",
"-c", "/dev/console", "/system", "/sbin/init"}, os.Environ())
fatal("switch_root failed: ", err)
}

88
boot-v2.go Normal file
View File

@ -0,0 +1,88 @@
package main
import (
"log"
"os"
"os/exec"
"gopkg.in/yaml.v3"
"novit.nc/direktil/initrd/config"
)
func bootV2() {
log.Print("-- boot v2 --")
cfg := &config.Config{}
{
f, err := os.Open("/config.yaml")
if err != nil {
fatal("failed to open /config.yaml: ", err)
}
err = yaml.NewDecoder(f).Decode(cfg)
f.Close()
if err != nil {
fatal("failed to parse /config.yaml: ", err)
}
}
log.Print("config loaded")
log.Printf("anti-phishing code: %q", cfg.AntiPhishingCode)
auths = cfg.Auths
// mount kernel modules
if cfg.Modules != "" {
log.Print("mount modules from ", cfg.Modules)
err := os.MkdirAll("/modules", 0755)
if err != nil {
fatal("failed to create /modules: ", err)
}
run("mount", cfg.Modules, "/modules")
loopOffset++
err = os.Symlink("/modules/lib/modules", "/lib/modules")
if err != nil {
fatal("failed to symlink modules: ", err)
}
}
// load basic modules
run("modprobe", "unix")
// devices init
err := exec.Command("udevd").Start()
if err != nil {
fatal("failed to start udevd: ", err)
}
log.Print("udevadm triggers")
run("udevadm", "trigger", "-c", "add", "-t", "devices")
run("udevadm", "trigger", "-c", "add", "-t", "subsystems")
log.Print("udevadm settle")
run("udevadm", "settle")
// networks
setupNetworks(cfg)
// Wireguard VPN
// TODO startVPN()
// SSH service
startSSH(cfg)
// LVM
setupLVM(cfg)
// bootstrap the system
bootstrap(cfg)
// finalize
finalizeBoot()
}

123
bootstrap.go Normal file
View File

@ -0,0 +1,123 @@
package main
import (
"bytes"
"io/ioutil"
"log"
"os"
"path/filepath"
"strings"
"novit.nc/direktil/initrd/config"
)
func bootstrap(cfg *config.Config) {
if cfg.Bootstrap.Dev == "" {
fatalf("bootstrap device not defined!")
}
const bsDir = "/bootstrap"
os.MkdirAll(bsDir, 0700)
run("mount", cfg.Bootstrap.Dev, bsDir)
baseDir := filepath.Join(bsDir, bootVersion)
sysCfgPath := filepath.Join(baseDir, "config.yaml")
if _, err := os.Stat(sysCfgPath); os.IsNotExist(err) {
log.Printf("bootstrap %q does not exist", bootVersion)
seed := cfg.Bootstrap.Seed
if seed == "" {
fatalf("boostrap seed not defined, admin required")
}
log.Printf("seeding bootstrap from %s", seed)
// TODO
}
layersDir = baseDir
layersOverride["modules"] = "/modules.sqfs"
sysCfg := applyConfig(sysCfgPath, false)
// mounts are v2 only
for _, mount := range sysCfg.Mounts {
log.Print("mount ", mount.Dev, " to system's ", mount.Path)
path := filepath.Join("/system", mount.Path)
os.MkdirAll(path, 0755)
args := []string{mount.Dev, path}
if mount.Type != "" {
args = append(args, "-t", mount.Type)
}
if mount.Options != "" {
args = append(args, "-o", mount.Options)
}
run("mount", args...)
}
// setup root user
if ph := sysCfg.RootUser.PasswordHash; ph != "" {
log.Print("setting root's password")
setUserPass("root", ph)
}
if ak := sysCfg.RootUser.AuthorizedKeys; len(ak) != 0 {
log.Print("setting root's authorized keys")
setAuthorizedKeys(ak)
}
}
func setUserPass(user, passwordHash string) {
const fpath = "/system/etc/shadow"
ba, err := ioutil.ReadFile(fpath)
if err != nil {
fatalf("failed to read shadow: %v", err)
}
lines := bytes.Split(ba, []byte{'\n'})
buf := new(bytes.Buffer)
for _, line := range lines {
line := string(line)
p := strings.Split(line, ":")
if len(p) < 2 || p[0] != user {
buf.WriteString(line)
continue
}
p[1] = passwordHash
line = strings.Join(p, ":")
buf.WriteString(line)
buf.WriteByte('\n')
}
err = ioutil.WriteFile(fpath, buf.Bytes(), 0600)
if err != nil {
fatalf("failed to write shadow: %v", err)
}
}
func setAuthorizedKeys(ak []string) {
buf := new(bytes.Buffer)
for _, k := range ak {
buf.WriteString(k)
buf.WriteByte('\n')
}
const sshDir = "/system/root/.ssh"
err := os.MkdirAll(sshDir, 0700)
if err != nil {
fatalf("failed to create %s: %v", sshDir, err)
}
err = ioutil.WriteFile(filepath.Join(sshDir, "authorized_keys"), buf.Bytes(), 0600)
if err != nil {
fatalf("failed to write authorized keys: %v", err)
}
}

View File

@ -1,14 +1,6 @@
#! /bin/sh #! /bin/sh
set -ex set -ex
mkdir dev
mknod dev/null -m 0666 c 1 3 mknod dev/null -m 0666 c 1 3
mknod dev/tty -m 0666 c 5 0 mknod dev/tty -m 0666 c 5 0
mknod dev/console -m 0600 c 5 1 mknod dev/console -m 0600 c 5 1
mkdir sys proc bin sbin usr usr/bin usr/sbin
curl -L -o bin/busybox https://busybox.net/downloads/binaries/$busybox_v/busybox-$arch
chmod +x bin/busybox
chroot . /bin/busybox --install -s

5
buildenv/Dockerfile Normal file
View File

@ -0,0 +1,5 @@
from golang:1.18beta2-alpine3.15
run apk add --update musl-dev git
workdir /src

45
colorio/colorio.go Normal file
View File

@ -0,0 +1,45 @@
package colorio
import "io"
var (
Reset = []byte("\033[0m")
Bold = []byte("\033[1m")
Dim = []byte("\033[2m")
Underlined = []byte("\033[4m")
Blink = []byte("\033[5m")
Reverse = []byte("\033[7m")
Hidden = []byte("\033[8m")
)
type writer struct {
before []byte
after []byte
w io.Writer
}
func NewWriter(color []byte, w io.Writer) io.Writer {
return writer{
before: color,
after: Reset,
w: w,
}
}
func (w writer) Write(ba []byte) (n int, err error) {
b := make([]byte, len(w.before)+len(ba)+len(w.after))
copy(b, w.before)
copy(b[len(w.before):], ba)
copy(b[len(w.before)+len(ba):], w.after)
n, err = w.w.Write(b)
n -= len(w.before)
if n < 0 {
n = 0
} else if n > len(ba) {
n = len(ba)
}
return
}

21
colorio/colorio_test.go Normal file
View File

@ -0,0 +1,21 @@
package colorio
import (
"bytes"
"fmt"
"testing"
)
func TestWriter(t *testing.T) {
buf := new(bytes.Buffer)
w := NewWriter(Bold, buf)
buf.WriteByte('{')
fmt.Fprintln(w, "hello")
buf.WriteByte('}')
if s, exp := buf.String(), "{"+string(Bold)+"hello\n"+string(Reset)+"}"; s != exp {
t.Errorf("%q != %q", s, exp)
}
}

View File

@ -4,7 +4,23 @@ import (
nconfig "novit.nc/direktil/pkg/config" nconfig "novit.nc/direktil/pkg/config"
) )
type config struct { type configV1 struct {
Layers []string `yaml:"layers"` Layers []string `yaml:"layers"`
Files []nconfig.FileDef `yaml:"files"` Files []nconfig.FileDef `yaml:"files"`
// v2 handles more
RootUser struct {
PasswordHash string `yaml:"password_hash"`
AuthorizedKeys []string `yaml:"authorized_keys"`
} `yaml:"root_user"`
Mounts []MountDef `yaml:"mounts"`
}
type MountDef struct {
Dev string
Path string
Options string
Type string
} }

61
config/config.go Normal file
View File

@ -0,0 +1,61 @@
package config
type Config struct {
AntiPhishingCode string `json:"anti_phishing_code"`
Keymap string
Modules string
Auths []Auth
Networks []struct {
Name string
Interfaces []struct {
Var string
N int
Regexps []string
}
Script string
}
LVM []LvmVG
Bootstrap Bootstrap
}
type Auth struct {
Name string
SSHKey string `yaml:"sshKey"`
Password string `yaml:"password"`
}
type LvmVG struct {
VG string
PVs struct {
N int
Regexps []string
}
Defaults struct {
FS string
Raid *RaidConfig
}
LVs []struct {
Name string
Crypt string
FS string
Raid *RaidConfig
Size string
Extents string
}
}
type RaidConfig struct {
Mirrors int
Stripes int
}
type Bootstrap struct {
Dev string
Seed string
}

46
config/password.go Normal file
View File

@ -0,0 +1,46 @@
package config
import (
"crypto/rand"
"crypto/sha512"
"encoding/base64"
"strings"
"golang.org/x/crypto/pbkdf2"
)
var (
encoding = base64.RawStdEncoding
)
func PasswordHashFromSeed(seed, pass []byte) string {
h := pbkdf2.Key(pass, seed, 2048, 32, sha512.New)
return encoding.EncodeToString(h)
}
func PasswordHash(pass []byte) (hashedPassWithSeed string) {
seed := make([]byte, 10) // 8 bytes min by the RFC recommendation
_, err := rand.Read(seed)
if err != nil {
panic(err) // we do not expect this to fail...
}
return JoinSeedAndHash(seed, PasswordHashFromSeed(seed, pass))
}
func JoinSeedAndHash(seed []byte, hash string) string {
return encoding.EncodeToString(seed) + ":" + hash
}
func CheckPassword(hashedPassWithSeed string, pass []byte) (ok bool) {
parts := strings.SplitN(hashedPassWithSeed, ":", 2)
encodedSeed := parts[0]
encodedHash := parts[1]
seed, err := encoding.DecodeString(encodedSeed)
if err != nil {
return false
}
return encodedHash == PasswordHashFromSeed(seed, pass)
}

12
config/password_test.go Normal file
View File

@ -0,0 +1,12 @@
package config
import "fmt"
func ExamplePasswordHash() {
seed := []byte("myseed")
hash := PasswordHashFromSeed(seed, []byte("mypass"))
fmt.Println(JoinSeedAndHash(seed, hash))
// Output:
// bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0
}

95
cpiocat/cpiocat.go Normal file
View File

@ -0,0 +1,95 @@
package cpiocat
import (
"io"
"os"
"github.com/cavaliergopher/cpio"
)
func Append(out io.Writer, in io.Reader, filesToAppend []string) (err error) {
cout := cpio.NewWriter(out)
cin := cpio.NewReader(in)
for {
var hdr *cpio.Header
hdr, err = cin.Next()
if err != nil {
if err == io.EOF {
break
}
return
}
mode := hdr.FileInfo().Mode()
if mode&os.ModeSymlink != 0 {
// symlink target must be written after
hdr.Size = int64(len(hdr.Linkname))
}
err = cout.WriteHeader(hdr)
if err != nil {
return
}
if mode.IsRegular() {
_, err = io.Copy(cout, cin)
} else if mode&os.ModeSymlink != 0 {
_, err = cout.Write([]byte(hdr.Linkname))
}
if err != nil {
return
}
}
for _, file := range filesToAppend {
err = func() (err error) {
stat, err := os.Lstat(file)
if err != nil {
return
}
link := ""
if stat.Mode()&os.ModeSymlink != 0 {
link, err = os.Readlink(file)
if err != nil {
return
}
}
hdr, err := cpio.FileInfoHeader(stat, link)
if err != nil {
return
}
hdr.Name = file
cout.WriteHeader(hdr)
if stat.Mode().IsRegular() {
var f *os.File
f, err = os.Open(file)
if err != nil {
return
}
defer f.Close()
_, err = io.Copy(cout, f)
} else if stat.Mode()&os.ModeSymlink != 0 {
_, err = cout.Write([]byte(link))
}
return
}()
if err != nil {
return
}
}
err = cout.Close()
return
}

22
filter.go Normal file
View File

@ -0,0 +1,22 @@
package main
func filter[T any](values []T, accept func(T) bool) []T {
r := make([]T, 0, len(values))
for _, v := range values {
if accept(v) {
r = append(r, v)
}
}
return r
}
func contains[T any](values []T, accept func(T) bool) bool {
for _, v := range values {
if accept(v) {
return true
}
}
return false
}

13
filter_test.go Normal file
View File

@ -0,0 +1,13 @@
package main
import (
"fmt"
"testing"
)
func TestFilter(t*testing.T) {
a := filter([]string{"a","b","c"}, func(v string) bool { return v != "b" })
if fmt.Sprint(a) != "[a c]" {
t.Errorf("bad result: %v", a)
}
}

15
go.mod
View File

@ -1,10 +1,17 @@
module novit.nc/direktil/initrd module novit.nc/direktil/initrd
require ( require (
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 // indirect github.com/cavaliergopher/cpio v1.0.1
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 github.com/kr/pty v1.1.8
gopkg.in/yaml.v2 v2.3.0 github.com/pkg/term v1.1.0
golang.org/x/crypto v0.0.0-20220214200702-86341886e292
golang.org/x/sys v0.0.0-20220209214540-3681064d5158
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211
gopkg.in/yaml.v2 v2.4.0
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2
) )
go 1.13 require github.com/creack/pty v1.1.17 // indirect
go 1.18

29
go.sum
View File

@ -1,21 +1,32 @@
github.com/cavaliergopher/cpio v1.0.1 h1:KQFSeKmZhv0cr+kawA3a0xTQCU4QxXF1vhU7P7av2KM=
github.com/cavaliergopher/cpio v1.0.1/go.mod h1:pBdaqQjnvXxdS/6CvNDwIANIFSP0xRKI16PX4xejRQc=
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
github.com/creack/pty v1.1.17 h1:QeVUsEDNrLBW4tMgZHvxy18sKtr6VI492kBhUfhDJNI=
github.com/creack/pty v1.1.17/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4=
github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI= github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/pty v1.1.8 h1:AkaSdXYQOWeaO3neb8EM634ahkXXe3jYbVh/F9lq+GI=
github.com/kr/pty v1.1.8/go.mod h1:O1sed60cT9XZ5uDucP5qwvh+TE3NnUj51EiZO/lmSfw=
github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE= github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
github.com/pkg/term v1.1.0/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw=
github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8= github.com/ulikunitz/xz v0.5.6/go.mod h1:2bypXElzHzzJZwzH67Y6wb67pO62Rzfn7BSiF4ABRW8=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037 h1:YyJpGZS1sBuBCzLAR1VEpK193GlqGZbnPFnPV/5Rsb4= golang.org/x/crypto v0.0.0-20220214200702-86341886e292 h1:f+lwQ+GtmgoY+A2YaQxlSOnDjXcQ7ZRLWOHbC6HtRqE=
golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68 h1:nxC68pudNYkKU6jWhgrqdreuFiOQWj1Fs7T3VrH4Pjw= golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220209214540-3681064d5158 h1:rm+CHSpPEEW2IsXUib1ThaHIjuBVZjxNgSKmBLFfD4c=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/sys v0.0.0-20220209214540-3681064d5158/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b h1:h8qDotaEPuJATrMmW04NCwg7v22aHH28wwpauUhK9Oo=
gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc= novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2 h1:LN3K19gAJ1GamJXkzXAQmjbl8xCV7utqdxTTrM89MMc=
novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU= novit.nc/direktil/pkg v0.0.0-20191211161950-96b0448b84c2/go.mod h1:zwTVO6U0tXFEaga73megQIBK7yVIKZJVePaIh/UtdfU=

326
lvm.go Normal file
View File

@ -0,0 +1,326 @@
package main
import (
"bytes"
"io/fs"
"log"
"os"
"os/exec"
"path/filepath"
"strconv"
"novit.nc/direktil/initrd/config"
"novit.nc/direktil/initrd/lvm"
)
func setupLVM(cfg *config.Config) {
if len(cfg.LVM) == 0 {
log.Print("no LVM VG configured.")
return
}
run("pvscan")
run("vgscan", "--mknodes")
for _, vg := range cfg.LVM {
setupVG(vg)
}
for _, vg := range cfg.LVM {
setupLVs(vg)
}
run("vgchange", "--sysinit", "-a", "ly")
for _, vg := range cfg.LVM {
setupCrypt(vg)
}
for _, vg := range cfg.LVM {
setupFS(vg)
}
}
func setupVG(vg config.LvmVG) {
pvs := lvm.PVSReport{}
err := runJSON(&pvs, "pvs", "--reportformat", "json")
if err != nil {
fatalf("failed to list LVM PVs: %v", err)
}
vgExists := false
devNeeded := vg.PVs.N
for _, pv := range pvs.PVs() {
if pv.VGName == vg.VG {
vgExists = true
devNeeded--
}
}
if devNeeded <= 0 {
log.Print("LVM VG ", vg.VG, " has all its devices")
return
}
if vgExists {
log.Printf("LVM VG %s misses %d devices", vg.VG, devNeeded)
} else {
log.Printf("LVM VG %s does not exists, creating", vg.VG)
}
devNames := make([]string, 0)
err = filepath.Walk("/dev", func(n string, fi fs.FileInfo, err error) error {
if fi.Mode().Type() == os.ModeDevice {
devNames = append(devNames, n)
}
return err
})
if err != nil {
fatalf("failed to walk /dev: %v", err)
}
devNames = filter(devNames, func(v string) bool {
for _, pv := range pvs.PVs() {
if v == pv.Name {
return false
}
}
return true
})
m := regexpSelectN(vg.PVs.N, vg.PVs.Regexps, devNames)
if len(m) == 0 {
log.Printf("no devices match the regexps %v", vg.PVs.Regexps)
for _, d := range devNames {
log.Print("- ", d)
}
fatalf("failed to setup VG %s", vg.VG)
}
if vgExists {
log.Print("- extending vg to ", m)
run("vgextend", append([]string{vg.VG}, m...)...)
devNeeded -= len(m)
} else {
log.Print("- creating vg with devices ", m)
run("vgcreate", append([]string{vg.VG}, m...)...)
devNeeded -= len(m)
}
if devNeeded > 0 {
fatalf("VG %s does not have enough devices (%d missing)", vg.VG, devNeeded)
}
}
func setupLVs(vg config.LvmVG) {
lvsRep := lvm.LVSReport{}
err := runJSON(&lvsRep, "lvs", "--reportformat", "json")
if err != nil {
fatalf("lvs failed: %v", err)
}
lvs := lvsRep.LVs()
defaults := vg.Defaults
for _, lv := range vg.LVs {
lvKey := vg.VG + "/" + lv.Name
if contains(lvs, func(v lvm.LV) bool {
return v.VGName == vg.VG && v.Name == lv.Name
}) {
log.Printf("LV %s exists", lvKey)
continue
}
log.Printf("creating LV %s", lvKey)
if lv.Raid == nil {
lv.Raid = defaults.Raid
}
args := make([]string, 0)
if lv.Name == "" {
fatalf("LV has no name")
}
args = append(args, vg.VG, "--name", lv.Name)
if lv.Size != "" && lv.Extents != "" {
fatalf("LV has both size and extents defined!")
} else if lv.Size == "" && lv.Extents == "" {
fatalf("LV does not have size or extents defined!")
} else if lv.Size != "" {
args = append(args, "-L", lv.Size)
} else /* if lv.Extents != "" */ {
args = append(args, "-l", lv.Extents)
}
if raid := lv.Raid; raid != nil {
if raid.Mirrors != 0 {
args = append(args, "--mirrors", strconv.Itoa(raid.Mirrors))
}
if raid.Stripes != 0 {
args = append(args, "--stripes", strconv.Itoa(raid.Stripes))
}
}
log.Print("lvcreate args: ", args)
run("lvcreate", args...)
dev := "/dev/" + vg.VG + "/" + lv.Name
zeroDevStart(dev)
}
}
func zeroDevStart(dev string) {
f, err := os.OpenFile(dev, os.O_WRONLY, 0600)
if err != nil {
fatalf("failed to open %s: %v", dev, err)
}
defer f.Close()
_, err = f.Write(make([]byte, 8192))
if err != nil {
fatalf("failed to zero the beginning of %s: %v", dev, err)
}
}
func setupCrypt(vg config.LvmVG) {
cryptDevs := map[string]bool{}
var password []byte
passwordVerified := false
for _, lv := range vg.LVs {
if lv.Crypt == "" {
continue
}
if cryptDevs[lv.Crypt] {
fatalf("duplicate crypt device name: %s", lv.Crypt)
}
cryptDevs[lv.Crypt] = true
retryOpen:
if len(password) == 0 {
password = askSecret("crypt password")
if len(password) == 0 {
fatalf("empty password given")
}
}
dev := "/dev/" + vg.VG + "/" + lv.Name
needFormat := !devInitialized(dev)
if needFormat {
if !passwordVerified {
retry:
p2 := askSecret("verify crypt password")
eq := bytes.Equal(password, p2)
for i := range p2 {
p2[i] = 0
}
if !eq {
log.Print("passwords don't match")
goto retry
}
}
log.Print("formatting encrypted device ", dev)
cmd := exec.Command("cryptsetup", "luksFormat", dev, "--key-file=-")
cmd.Stdin = bytes.NewBuffer(password)
cmd.Stdout = stdout
cmd.Stderr = stderr
err := cmd.Run()
if err != nil {
fatalf("failed luksFormat: %v", err)
}
}
log.Print("openning encrypted device ", lv.Crypt, " from ", dev)
cmd := exec.Command("cryptsetup", "open", dev, lv.Crypt, "--key-file=-")
cmd.Stdin = bytes.NewBuffer(password)
cmd.Stdout = stdout
cmd.Stderr = stderr
err := cmd.Run()
if err != nil {
// maybe the password is wrong
for i := range password {
password[i] = 0
}
password = password[:0]
passwordVerified = false
goto retryOpen
}
if needFormat {
zeroDevStart("/dev/mapper/" + lv.Crypt)
}
passwordVerified = true
}
for i := range password {
password[i] = 0
}
}
func devInitialized(dev string) bool {
f, err := os.Open(dev)
if err != nil {
fatalf("failed to open %s: %v", dev, err)
}
defer f.Close()
ba := make([]byte, 8192)
_, err = f.Read(ba)
if err != nil {
fatalf("failed to read %s: %v", dev, err)
}
for _, b := range ba {
if b != 0 {
return true
}
}
return false
}
func setupFS(vg config.LvmVG) {
for _, lv := range vg.LVs {
dev := "/dev/" + vg.VG + "/" + lv.Name
if lv.Crypt != "" {
dev = "/dev/mapper/" + lv.Crypt
}
if devInitialized(dev) {
log.Print("device ", dev, " already formatted")
continue
}
if lv.FS == "" {
lv.FS = vg.Defaults.FS
}
log.Print("formatting ", dev, " (", lv.FS, ")")
args := make([]string, 0)
switch lv.FS {
case "btrfs":
args = append(args, "-f")
case "ext4":
args = append(args, "-F")
}
run("mkfs."+lv.FS, append(args, dev)...)
}
}

19
lvm/lv.go Normal file
View File

@ -0,0 +1,19 @@
package lvm
type LVSReport struct {
Report []struct {
LV []LV `json:"lv"`
} `json:"report"`
}
type LV struct {
Name string `json:"lv_name"`
VGName string `json:"vg_name"`
}
func (r LVSReport) LVs() (ret []LV) {
for _, rep := range r.Report {
ret = append(ret, rep.LV...)
}
return
}

19
lvm/pv.go Normal file
View File

@ -0,0 +1,19 @@
package lvm
type PVSReport struct {
Report []struct {
PV []PV `json:"pv"`
} `json:"report"`
}
type PV struct {
Name string `json:"pv_name"`
VGName string `json:"vg_name"`
}
func (r PVSReport) PVs() (ret []PV) {
for _, rep := range r.Report {
ret = append(ret, rep.PV...)
}
return
}

234
main.go
View File

@ -3,24 +3,24 @@ package main
import ( import (
"fmt" "fmt"
"io" "io"
"io/ioutil"
"log" "log"
"os" "os"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
"runtime" "runtime"
"strings"
"syscall" "syscall"
"time" "time"
"github.com/pkg/term/termios"
"golang.org/x/term" "golang.org/x/term"
yaml "gopkg.in/yaml.v2"
"novit.nc/direktil/pkg/sysfs" "novit.nc/direktil/initrd/colorio"
"novit.nc/direktil/initrd/shio"
) )
const ( const (
// VERSION is the current version of init // VERSION is the current version of init
VERSION = "Direktil init v1.0" VERSION = "Direktil init v2.0"
rootMountFlags = 0 rootMountFlags = 0
bootMountFlags = syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_RDONLY bootMountFlags = syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_RDONLY
@ -29,155 +29,63 @@ const (
var ( var (
bootVersion string bootVersion string
stdin,
stdinPipe = newPipe()
stdout = shio.New()
stderr = colorio.NewWriter(colorio.Bold, stdout)
) )
func newPipe() (io.ReadCloser, io.WriteCloser) {
return io.Pipe()
}
func main() { func main() {
runtime.LockOSThread() runtime.LockOSThread()
// move log to shio
go io.Copy(os.Stdout, stdout.NewReader())
log.SetOutput(stderr)
// copy os.Stdin to my stdin pipe
go io.Copy(stdinPipe, os.Stdin)
log.Print("Welcome to ", VERSION) log.Print("Welcome to ", VERSION)
// essential mounts // essential mounts
mount("none", "/proc", "proc", 0, "") mount("none", "/proc", "proc", 0, "")
mount("none", "/sys", "sysfs", 0, "") mount("none", "/sys", "sysfs", 0, "")
mount("none", "/dev", "devtmpfs", 0, "") mount("none", "/dev", "devtmpfs", 0, "")
mount("none", "/dev/pts", "devpts", 0, "gid=5,mode=620")
// get the "boot version" // get the "boot version"
bootVersion = param("version", "current") bootVersion = param("version", "current")
log.Printf("booting system %q", bootVersion) log.Printf("booting system %q", bootVersion)
// find and mount /boot os.Setenv("PATH", "/usr/bin:/bin:/usr/sbin:/sbin")
bootMatch := param("boot", "")
bootMounted := false
if bootMatch != "" {
bootFS := param("boot.fs", "vfat")
for i := 0; ; i++ {
devNames := sysfs.DeviceByProperty("block", bootMatch)
if len(devNames) == 0 { _, err := os.Stat("/config.yaml")
if i > 30 {
fatal("boot partition not found after 30s")
}
log.Print("boot partition not found, retrying")
time.Sleep(1 * time.Second)
continue
}
devFile := filepath.Join("/dev", devNames[0])
log.Print("boot partition found: ", devFile)
mount(devFile, "/boot", bootFS, bootMountFlags, "")
bootMounted = true
break
}
} else {
log.Print("Assuming /boot is already populated.")
}
// load config
cfgPath := param("config", "/boot/config.yaml")
cfgBytes, err := ioutil.ReadFile(cfgPath)
if err != nil { if err != nil {
fatalf("failed to read %s: %v", cfgPath, err) if os.IsNotExist(err) {
} bootV1()
return
cfg := &config{}
if err := yaml.Unmarshal(cfgBytes, cfg); err != nil {
fatal("failed to load config: ", err)
}
// mount layers
if len(cfg.Layers) == 0 {
fatal("no layers configured!")
}
log.Printf("wanted layers: %q", cfg.Layers)
layersInMemory := paramBool("layers-in-mem", false)
const layersInMemDir = "/layers-in-mem"
if layersInMemory {
mkdir(layersInMemDir, 0700)
mount("layers-mem", layersInMemDir, "tmpfs", 0, "")
}
lowers := make([]string, len(cfg.Layers))
for i, layer := range cfg.Layers {
path := layerPath(layer)
info, err := os.Stat(path)
if err != nil {
fatal(err)
} }
fatal("stat failed: ", err)
log.Printf("layer %s found (%d bytes)", layer, info.Size())
if layersInMemory {
log.Print(" copying to memory...")
targetPath := filepath.Join(layersInMemDir, layer)
cp(path, targetPath)
path = targetPath
}
dir := "/layers/" + layer
lowers[i] = dir
loopDev := fmt.Sprintf("/dev/loop%d", i)
losetup(loopDev, path)
mount(loopDev, dir, "squashfs", layerMountFlags, "")
} }
// prepare system root bootV2()
mount("mem", "/changes", "tmpfs", 0, "")
mkdir("/changes/workdir", 0755)
mkdir("/changes/upperdir", 0755)
mount("overlay", "/system", "overlay", rootMountFlags,
"lowerdir="+strings.Join(lowers, ":")+",upperdir=/changes/upperdir,workdir=/changes/workdir")
if bootMounted {
if layersInMemory {
if err := syscall.Unmount("/boot", 0); err != nil {
log.Print("WARNING: failed to unmount /boot: ", err)
time.Sleep(2 * time.Second)
}
} else {
mount("/boot", "/system/boot", "", syscall.MS_BIND, "")
}
}
// - write configuration
log.Print("writing /config.yaml")
if err := ioutil.WriteFile("/system/config.yaml", cfgBytes, 0600); err != nil {
fatal("failed: ", err)
}
// - write files
for _, fileDef := range cfg.Files {
log.Print("writing ", fileDef.Path)
filePath := filepath.Join("/system", fileDef.Path)
ioutil.WriteFile(filePath, []byte(fileDef.Content), fileDef.Mode)
}
// clean zombies
cleanZombies()
// switch root
log.Print("switching root")
err = syscall.Exec("/sbin/switch_root", []string{"switch_root",
"-c", "/dev/console", "/system", "/sbin/init"}, os.Environ())
fatal("switch_root failed: ", err)
} }
var (
layersDir = "/boot/current/layers/"
layersOverride = map[string]string{}
)
func layerPath(name string) string { func layerPath(name string) string {
return fmt.Sprintf("/boot/%s/layers/%s.fs", bootVersion, name) if override, ok := layersOverride[name]; ok {
return override
}
return filepath.Join(layersDir, name+".fs")
} }
func fatal(v ...interface{}) { func fatal(v ...interface{}) {
@ -193,33 +101,79 @@ func fatalf(pattern string, v ...interface{}) {
} }
func die() { func die() {
fmt.Println("\nwill reboot in 1 minute; press r to reboot now, o to power off") log.SetOutput(os.Stderr)
stdout.Close()
stdin.Close()
stdinPipe.Close()
deadline := time.Now().Add(time.Minute) stdin = nil
term.MakeRaw(int(os.Stdin.Fd())) // disable line buffering mainLoop:
os.Stdin.SetReadDeadline(deadline)
b := []byte{0}
for { for {
termios.Tcdrain(os.Stdin.Fd())
termios.Tcdrain(os.Stdout.Fd())
termios.Tcdrain(os.Stderr.Fd())
fmt.Print("\nr to reboot, o to power off, s to get a shell: ")
// TODO flush stdin (first char lost here?)
deadline := time.Now().Add(time.Minute)
os.Stdin.SetReadDeadline(deadline)
termios.Tcflush(os.Stdin.Fd(), termios.TCIFLUSH)
term.MakeRaw(int(os.Stdin.Fd()))
b := make([]byte, 1)
_, err := os.Stdin.Read(b) _, err := os.Stdin.Read(b)
if err != nil { if err != nil {
break log.Print("failed to read from stdin: ", err)
time.Sleep(5 * time.Second)
syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
} }
fmt.Println()
switch b[0] { switch b[0] {
case 'o': case 'o':
syscall.Reboot(syscall.LINUX_REBOOT_CMD_POWER_OFF) syscall.Reboot(syscall.LINUX_REBOOT_CMD_POWER_OFF)
case 'r': case 'r':
syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART) syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
case 's':
for _, sh := range []string{"bash", "ash", "sh", "busybox"} {
fullPath, err := exec.LookPath(sh)
if err != nil {
continue
}
args := make([]string, 0)
if sh == "busybox" {
args = append(args, "sh")
}
if !localAuth() {
continue mainLoop
}
cmd := exec.Command(fullPath, args...)
cmd.Env = os.Environ()
cmd.Stdin = os.Stdin
cmd.Stdout = os.Stdout
cmd.Stderr = os.Stderr
err = cmd.Run()
if err != nil {
fmt.Println("shell failed:", err)
}
continue mainLoop
}
log.Print("failed to find a shell!")
default:
log.Printf("unknown choice: %q", string(b))
} }
} }
syscall.Reboot(syscall.LINUX_REBOOT_CMD_RESTART)
} }
func losetup(dev, file string) { func losetup(dev, file string) {
run("/sbin/losetup", dev, file) run("/sbin/losetup", "-r", dev, file)
} }
func run(cmd string, args ...string) { func run(cmd string, args ...string) {

View File

@ -1,6 +1,24 @@
go.??? *.go { modd.conf {}
prep: go test ./...
prep: dockb -t dkl-initrd . alpine/Dockerfile {
prep: docker run dkl-initrd | docker exec -i dls sh -c "base64 -d >/var/lib/direktil/dist/initrd/1.0.7 && rm -rfv /var/lib/direktil/cache/*" prep: docker build -t dkl-initrd alpine
prep: curl -H'Autorization: Bearer adm1n' localhost:7606/hosts/m1/boot.iso >/tmp/m1-boot.iso prep: docker run --rm dkl-initrd | base64 -d >dist/base-initrd
}
buildenv/Dockerfile {
prep: docker build -t dkl-initrd-build buildenv
}
go.??? **/*.go {
prep: go test ./...
prep: mkdir -p dist
prep: go build -o dist/ ./tools/...
prep: mkdir -p tmp/go tmp/.cache
prep: docker run --rm -v novit-go:/go -e GOCACHE=/go/.cache -v $PWD:/src -u $(id -u):$(id -g) dkl-initrd-build go build -o dist/init .
}
dist/init dist/base-initrd {
prep: cd dist && ../dist/cpiocat init <base-initrd >initrd.new
prep: mv dist/initrd.new dist/initrd
} }

8
modd.test.conf Normal file
View File

@ -0,0 +1,8 @@
modd.test.conf {}
dist/initrd dist/cpiocat test-initrd/* {
prep: cp -f dist/initrd test-initrd.cpio
prep: cd test-initrd && ../dist/cpiocat <../dist/initrd >../test-initrd.cpio *
prep: if cpio -t -F test-initrd.cpio 2>&1 |grep bytes.of.junk; then echo "bad cpio archive"; exit 1; fi
prep: kill $(<qemu.pid)
}

75
network.go Normal file
View File

@ -0,0 +1,75 @@
package main
import (
"log"
"net"
"os/exec"
"strings"
"novit.nc/direktil/initrd/config"
)
func setupNetworks(cfg *config.Config) {
if len(cfg.Networks) == 0 {
log.Print("no networks configured.")
return
}
ifNames := make([]string, 0)
{
ifaces, err := net.Interfaces()
if err != nil {
fatal("failed")
}
for _, iface := range ifaces {
ifNames = append(ifNames, iface.Name)
}
}
assigned := map[string]bool{}
for _, network := range cfg.Networks {
log.Print("setting up network ", network.Name)
// compute available names
if len(assigned) != 0 {
newNames := make([]string, 0, len(ifNames))
for _, n := range ifNames {
if assigned[n] {
continue
}
newNames = append(newNames, n)
}
ifNames = newNames
}
// assign envvars
envvars := make([]string, 0, 1+len(network.Interfaces))
envvars = append(envvars, "PATH=/bin:/sbin:/usr/bin:/usr/sbin")
for _, match := range network.Interfaces {
envvar := new(strings.Builder)
envvar.WriteString(match.Var)
envvar.WriteByte('=')
for i, m := range regexpSelectN(match.N, match.Regexps, ifNames) {
if i != 0 {
envvar.WriteByte(' ')
}
envvar.WriteString(m)
assigned[m] = true
}
log.Print("- ", envvar)
envvars = append(envvars, envvar.String())
}
cmd := exec.Command("/bin/sh", "-c", network.Script)
cmd.Env = envvars
cmd.Stdout = stdout
cmd.Stderr = stderr
if err := cmd.Run(); err != nil {
fatal("failed to setup network: ", err)
}
}
}

39
regexp.go Normal file
View File

@ -0,0 +1,39 @@
package main
import (
"log"
"regexp"
)
func regexpSelectN(n int, regexps []string, names []string) (matches []string) {
if n <= 0 {
matches = make([]string, 0)
} else {
matches = make([]string, 0, n)
}
res := make([]*regexp.Regexp, 0, len(regexps))
for _, reStr := range regexps {
re, err := regexp.Compile(reStr)
if err != nil {
log.Printf("warning: invalid regexp ignored: %q: %v", reStr, err)
continue
}
res = append(res, re)
}
namesLoop:
for _, name := range names {
if len(matches) == n {
break
}
for _, re := range res {
if re.MatchString(name) {
matches = append(matches, name)
continue namesLoop
}
}
}
return
}

19
run-test.sh Executable file
View File

@ -0,0 +1,19 @@
#! /bin/sh
disk1=tmp/test-vda.qcow2
disk2=tmp/test-vdb.qcow2
if ! [ -e $disk1 ]; then
qemu-img create -f qcow2 $disk1 10G
fi
if ! [ -e $disk2 ]; then
qemu-img create -f qcow2 $disk2 10G
fi
exec qemu-system-x86_64 -pidfile qemu.pid -kernel test-kernel -initrd test-initrd.cpio \
-smp 2 -m 2048 \
-netdev bridge,br=novit,id=eth0 -device virtio-net-pci,netdev=eth0 \
-drive file=$disk1,if=virtio \
-drive file=$disk2,if=virtio \
-nographic -serial mon:stdio -append 'console=ttyS0'
# -display curses

18
run.go Normal file
View File

@ -0,0 +1,18 @@
package main
import (
"encoding/json"
"os/exec"
)
func runJSON(v interface{}, cmd string, args ...string) (err error) {
c := exec.Command(cmd, args...)
c.Stderr = stderr
ba, err := c.Output()
if err != nil {
return
}
err = json.Unmarshal(ba, v)
return
}

118
shio/shio.go Normal file
View File

@ -0,0 +1,118 @@
// Shared IO
package shio
import (
"io"
"sync"
"novit.nc/direktil/initrd/colorio"
)
type ShIO struct {
buf []byte
closed bool
cond *sync.Cond
hideInput bool
}
func New() *ShIO {
return NewWithCap(1024)
}
func NewWithCap(capacity int) *ShIO {
return NewWithBytes(make([]byte, 0, capacity))
}
func NewWithBytes(content []byte) *ShIO {
return &ShIO{
buf: content,
cond: sync.NewCond(&sync.Mutex{}),
}
}
var (
_ io.WriteCloser = New()
)
func (s *ShIO) Write(data []byte) (n int, err error) {
s.cond.L.Lock()
defer s.cond.L.Unlock()
if s.closed {
err = io.EOF
return
}
if s.hideInput {
s.buf = append(s.buf, colorio.Reset...)
}
s.buf = append(s.buf, data...)
n = len(data)
if s.hideInput {
s.buf = append(s.buf, colorio.Hidden...)
}
s.cond.Broadcast()
return
}
func (s *ShIO) HideInput() {
s.cond.L.Lock()
defer s.cond.L.Unlock()
if s.closed {
return
}
s.buf = append(s.buf, colorio.Hidden...)
s.hideInput = true
}
func (s *ShIO) ShowInput() {
s.cond.L.Lock()
defer s.cond.L.Unlock()
if s.closed {
return
}
s.buf = append(s.buf, colorio.Reset...)
s.hideInput = false
}
func (s *ShIO) Close() (err error) {
s.cond.L.Lock()
defer s.cond.L.Unlock()
s.closed = true
s.cond.Broadcast()
return
}
func (s *ShIO) NewReader() io.Reader {
return &shioReader{s, 0}
}
type shioReader struct {
in *ShIO
pos int
}
func (r *shioReader) Read(ba []byte) (n int, err error) {
r.in.cond.L.Lock()
defer r.in.cond.L.Unlock()
for r.pos == len(r.in.buf) && !r.in.closed {
r.in.cond.Wait()
}
if r.pos == len(r.in.buf) && r.in.closed {
err = io.EOF
return
}
n = copy(ba, r.in.buf[r.pos:])
r.pos += n
return
}

52
shio/shio_test.go Normal file
View File

@ -0,0 +1,52 @@
package shio
import (
"fmt"
"io"
"os"
"sync"
"time"
)
func ExampleOutput() {
done := false
defer func() { done = true }()
go func() {
time.Sleep(time.Second)
if !done {
panic("timeout")
}
}()
shio := NewWithCap(3)
r1 := shio.NewReader()
// read as you write
wg := new(sync.WaitGroup)
wg.Add(1)
go func() {
defer wg.Done()
io.Copy(os.Stdout, r1)
fmt.Println("-- r1 done --")
}()
fmt.Fprintln(shio, "hello1")
fmt.Fprintln(shio, "hello2")
shio.Close()
wg.Wait()
// read after close
r2 := shio.NewReader()
io.Copy(os.Stdout, r2)
fmt.Println("-- r2 done --")
// Output:
// hello1
// hello2
// -- r1 done --
// hello1
// hello2
// -- r2 done --
}

229
ssh.go Normal file
View File

@ -0,0 +1,229 @@
package main
import (
"encoding/binary"
"fmt"
"io"
"io/ioutil"
"log"
"net"
"os"
"os/exec"
"sync"
"syscall"
"unsafe"
"github.com/kr/pty"
"golang.org/x/crypto/ssh"
"novit.nc/direktil/initrd/config"
)
func startSSH(cfg *config.Config) {
sshConfig := &ssh.ServerConfig{
PublicKeyCallback: sshCheckPubkey,
}
pkBytes, err := ioutil.ReadFile("/id_rsa") // TODO configurable
if err != nil {
fatalf("ssh: failed to load private key: %v", err)
}
pk, err := ssh.ParsePrivateKey(pkBytes)
if err != nil {
fatalf("ssh: failed to parse private key: %v", err)
}
sshConfig.AddHostKey(pk)
sshBind := ":22" // TODO configurable
listener, err := net.Listen("tcp", sshBind)
if err != nil {
fatalf("ssh: failed to listen on %s: %v", sshBind, err)
}
log.Print("SSH server listening on ", sshBind)
go func() {
for {
conn, err := listener.Accept()
if err != nil {
log.Print("ssh: accept conn failed: ", err)
continue
}
go sshHandleConn(conn, sshConfig)
}
}()
}
func sshHandleConn(conn net.Conn, sshConfig *ssh.ServerConfig) {
sshConn, chans, reqs, err := ssh.NewServerConn(conn, sshConfig)
if err != nil {
log.Print("ssh: handshake failed: ", err)
return
}
remoteAddr := sshConn.User() + "@" + sshConn.RemoteAddr().String()
log.Print("ssh: new connection from ", remoteAddr)
go sshHandleReqs(reqs)
go sshHandleChannels(remoteAddr, chans)
}
func sshHandleReqs(reqs <-chan *ssh.Request) {
for req := range reqs {
switch req.Type {
case "keepalive@openssh.com":
req.Reply(true, nil)
default:
log.Printf("ssh: discarding req: %+v", req)
req.Reply(false, nil)
}
}
}
func sshHandleChannels(remoteAddr string, chans <-chan ssh.NewChannel) {
for newChannel := range chans {
if t := newChannel.ChannelType(); t != "session" {
newChannel.Reject(ssh.UnknownChannelType, fmt.Sprintf("unknown channel type: %s", t))
continue
}
channel, requests, err := newChannel.Accept()
if err != nil {
log.Print("ssh: failed to accept channel: ", err)
continue
}
go sshHandleChannel(remoteAddr, channel, requests)
}
}
func sshHandleChannel(remoteAddr string, channel ssh.Channel, requests <-chan *ssh.Request) {
var (
ptyF, ttyF *os.File
termEnv string
)
defer func() {
if ptyF != nil {
ptyF.Close()
}
if ttyF != nil {
ttyF.Close()
}
}()
var once sync.Once
close := func() {
channel.Close()
}
for req := range requests {
switch req.Type {
case "exec":
command := string(req.Payload[4 : req.Payload[3]+4])
switch command {
case "init":
go func() {
io.Copy(channel, stdout.NewReader())
once.Do(close)
}()
go func() {
io.Copy(stdinPipe, channel)
once.Do(close)
}()
req.Reply(true, nil)
default:
req.Reply(false, nil)
}
case "shell":
cmd := exec.Command("/bin/ash")
cmd.Env = []string{"TERM=" + termEnv}
cmd.Stdin = ttyF
cmd.Stdout = ttyF
cmd.Stderr = ttyF
cmd.SysProcAttr = &syscall.SysProcAttr{
Setctty: true,
Setsid: true,
Pdeathsig: syscall.SIGKILL,
}
cmd.Start()
go func() {
cmd.Wait()
ptyF.Close()
ptyF = nil
ttyF.Close()
ttyF = nil
}()
go func() {
io.Copy(channel, ptyF)
once.Do(close)
}()
go func() {
io.Copy(ptyF, channel)
once.Do(close)
}()
req.Reply(true, nil)
case "pty-req":
if ptyF != nil || ttyF != nil {
req.Reply(false, nil)
continue
}
var err error
ptyF, ttyF, err = pty.Open()
if err != nil {
log.Print("PTY err: ", err)
req.Reply(false, nil)
continue
}
termLen := req.Payload[3]
termEnv = string(req.Payload[4 : termLen+4])
w, h := sshParseDims(req.Payload[termLen+4:])
sshSetWinsize(ptyF.Fd(), w, h)
req.Reply(true, nil)
case "window-change":
w, h := sshParseDims(req.Payload)
sshSetWinsize(ptyF.Fd(), w, h)
// no response
default:
req.Reply(false, nil)
}
}
}
func sshParseDims(b []byte) (uint32, uint32) {
w := binary.BigEndian.Uint32(b)
h := binary.BigEndian.Uint32(b[4:])
return w, h
}
// SetWinsize sets the size of the given pty.
func sshSetWinsize(fd uintptr, w, h uint32) {
// Winsize stores the Height and Width of a terminal.
type Winsize struct {
Height uint16
Width uint16
x uint16 // unused
y uint16 // unused
}
ws := &Winsize{Width: uint16(w), Height: uint16(h)}
syscall.Syscall(syscall.SYS_IOCTL, fd, uintptr(syscall.TIOCSWINSZ), uintptr(unsafe.Pointer(ws)))
}

69
test-initrd/config.yaml Normal file
View File

@ -0,0 +1,69 @@
---
# early system configuration
anti_phishing_code: "direktil<3"
modules: /modules.sqfs
auths:
- name: novit
sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N
password: bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 # mypass
networks:
- name: loopback
interfaces: [ { var: iface, n: 1, regexps: [ "^lo$" ] } ]
script: |
ip a add 127.0.0.1/8 dev lo
ip a add ::1/128 dev lo
ip li set lo up
- name: main
interfaces:
- var: iface
n: 1
regexps:
- eth.*
- veth.*
- eno.*
- enp.*
script: |
ip li set $iface up
udhcpc $iface
lvm:
- vg: storage
pvs:
n: 2
regexps:
# to match full disks
- /dev/nvme[0-9]+n[0-9]+
- /dev/vd[a-z]+
- /dev/sd[a-z]+
- /dev/hd[a-z]+
# to match partitions:
#- /dev/nvme[0-9]+n[0-9]+p[0-9]+
#- /dev/vd[a-z]+[0-9]+
#- /dev/sd[a-z]+[0-9]+
#- /dev/hd[a-z]+[0-9]+
defaults:
fs: ext4
raid:
mirrors: 1
lvs:
- name: bootstrap
crypt: bootstrap
size: 2g
- name: varlog
crypt: varlog
extents: 10%FREE
- name: dls
crypt: dls
extents: 100%FREE
bootstrap:
dev: /dev/mapper/bootstrap
#seed: https://direktil.novit.io/bootstraps/dls

2
test-initrd/env Normal file
View File

@ -0,0 +1,2 @@
gateway=192.168.1.1/24
address=192.168.1.27/24

38
test-initrd/id_rsa Normal file
View File

@ -0,0 +1,38 @@
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAy6Ppr/tBiVYsBYiteGwMPI+B2BSBn+CP36ZiKsx6IX+9E0/nGKgC
khwWFfrmIzS2EIm+iIv7YT3sXsqcO96au2ewh77m5xUFIrqie5c13leNeOn+Xhy++v0705
irYUuBVRbWukpQjhOrp0eqvBzOdlUoo2r7aF95rrMboAsIWh5gTTnVCXDSEQiHsvEGjs7T
ytOXQ6zmYTECYEkk/wUWja7WNP8UZiaPuU20Hso8g7kHSthKEudUDFs7E/yx+na0AYCnfE
UR6oxIbHH2ldgpnX7lTv5YhHVvNnqTIBQhmLTHrT/67N2z5AvdFC8T2UsrWs+3ebsdXb0o
Kzx81+N9OpPxj93ehLznncuCCgAedye5Xm760SOaU1T2b3f0bEhhsVCMI39mPExeZ2wtnd
g+Tmrqn3r59vb3iEYfJqvgLCTJ5L1BcFUTfulg7GfhfNvgBmgiiRTUC2G0SrV1tM84vsE7
JyyTcJaXr0X+tUgsXoUqnlX53OEw7ABskWvZ0m0fAAAFiBu7krYbu5K2AAAAB3NzaC1yc2
EAAAGBAMuj6a/7QYlWLAWIrXhsDDyPgdgUgZ/gj9+mYirMeiF/vRNP5xioApIcFhX65iM0
thCJvoiL+2E97F7KnDvemrtnsIe+5ucVBSK6onuXNd5XjXjp/l4cvvr9O9OYq2FLgVUW1r
pKUI4Tq6dHqrwcznZVKKNq+2hfea6zG6ALCFoeYE051Qlw0hEIh7LxBo7O08rTl0Os5mEx
AmBJJP8FFo2u1jT/FGYmj7lNtB7KPIO5B0rYShLnVAxbOxP8sfp2tAGAp3xFEeqMSGxx9p
XYKZ1+5U7+WIR1bzZ6kyAUIZi0x60/+uzds+QL3RQvE9lLK1rPt3m7HV29KCs8fNfjfTqT
8Y/d3oS8553LggoAHncnuV5u+tEjmlNU9m939GxIYbFQjCN/ZjxMXmdsLZ3YPk5q6p96+f
b294hGHyar4CwkyeS9QXBVE37pYOxn4Xzb4AZoIokU1AthtEq1dbTPOL7BOycsk3CWl69F
/rVILF6FKp5V+dzhMOwAbJFr2dJtHwAAAAMBAAEAAAGBAJ0rDBBjtkgd9unqfCAmHCedht
RTt1vCgKhXjQqFOHmkUjSWhcD04s8L2EvskjR32VDYTvKqP0Dk/wqGC6D1hKzBMXEDeMi+
43DTZNZIdS3+mtTInCbcvtWOHt+HxDXahZ47e0zaUGPncKMx3+dBwGN6BFxkFFeQ4KRh3h
9ehHqxWRghW3fm2GqHD9yew7XykWnIdsWnq0M2BSR1L5WXwrllSDQs7vyMJH8bJrpg0eXE
J4mvdzQx0B+dRfJ+JIsvkwvieAPb6sPmSgY47moP0xhbvs7/1UxPEY0Q2FpjQALQ0CnIC2
LRHvGb7NJEX/ASDy/s1CNlk5ro/iht28wh0Iq8iqqpRkgKyhYsr8+QChs6oxcbx2xPRVy4
NOBMLW6ppjIQO3rE79zPrp9tTmew5iQ4V58+DqhAZxeI4A6YZE98rAvRREqnT6HVmqtfHl
gPMlrSDw1I8ZN8QT1dD1sMbi4Ud0eHdg1xLUpJ3dStgN45yhBiWuR2x4Jbn8ayeZwJmQAA
AMA971gUyqrb7D6oFerzx3prijJoZOLE1Zluo3Q9Ise4KgDZ66QDE7mQRzSEniZcy77mSt
VOhjVmI5CXREbpdGU6LxJujIAm4pKwyVEV8XVAzII6s4He5QUBxiLYWHDro3bOSmOZ50tk
WBTO7llCR5FGbi7iJ1CP0C+CXRSaH8ug8Xqd0HBzTB2nXTGJNyx9lBwLY837VcdUIRrr+7
QzVD/BQ/v+Ch21Ck0kMtLCv+lrXAeowsK89ExDp4HqMnOHnT0AAADBAObxbkJeoXfkmV7e
0nAyQ/IDTs3Zlm3517mTzvc7j2o0qJQty+9pLD60S5s0VUpQpgeT3LzXRZ2eZlq3FcWsRa
HyiovF6L5OUik1gVc/QiP+x6QSLdFi/ROHRT7DZFQ+1/bquGgVsoEVZJPDz7NJvBPLYwmj
EGRZeKWVjIcDLSGq6fek9aTFUe7bcDCHx+QuovxeFWncmTNYC7jaYMff6DtHjokLgsyOzF
FjYEC9wFVrEz+9oegDxatiJpWJN1zTWwAAAMEA4bwhyUDs0oyQ+16xpdd4f8PYfQ0HoLow
ckvWCNS2Xmpnbe+dYqqRw7mchnYj4uXvhi391LwWTea5bQ78Hj+DnMugOLmmcHuFAbkxeL
9x97iCIUrli5wawGfJgwPiGJlATUVz9Y3BOcg+uBmQ9qGR6wdI6N+zuu/54gGzW2gVanYs
Gs0JH+C+afZ2yitUuGXDIVlYdgjESIszdK0wNGzZ4HDleFVhK3jFiK1CHHBb89Tbmd6fMZ
NWpcpue2AYSUyNAAAADXRlc3RAbm92aXQuaW8BAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

1
test-initrd/id_rsa.pub Normal file
View File

@ -0,0 +1 @@
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDLo+mv+0GJViwFiK14bAw8j4HYFIGf4I/fpmIqzHohf70TT+cYqAKSHBYV+uYjNLYQib6Ii/thPexeypw73pq7Z7CHvubnFQUiuqJ7lzXeV4146f5eHL76/TvTmKthS4FVFta6SlCOE6unR6q8HM52VSijavtoX3musxugCwhaHmBNOdUJcNIRCIey8QaOztPK05dDrOZhMQJgSST/BRaNrtY0/xRmJo+5TbQeyjyDuQdK2EoS51QMWzsT/LH6drQBgKd8RRHqjEhscfaV2CmdfuVO/liEdW82epMgFCGYtMetP/rs3bPkC90ULxPZSytaz7d5ux1dvSgrPHzX4306k/GP3d6EvOedy4IKAB53J7lebvrRI5pTVPZvd/RsSGGxUIwjf2Y8TF5nbC2d2D5Oauqfevn29veIRh8mq+AsJMnkvUFwVRN+6WDsZ+F82+AGaCKJFNQLYbRKtXW0zzi+wTsnLJNwlpevRf61SCxehSqeVfnc4TDsAGyRa9nSbR8= test@novit.io

BIN
test-initrd/modules.sqfs Normal file

Binary file not shown.

BIN
test-kernel Normal file

Binary file not shown.

18
tools/cpiocat/main.go Normal file
View File

@ -0,0 +1,18 @@
package main
import (
"flag"
"log"
"os"
"novit.nc/direktil/initrd/cpiocat"
)
func main() {
flag.Parse()
err := cpiocat.Append(os.Stdout, os.Stdin, flag.Args())
if err != nil {
log.Fatal(err)
}
}

38
tty.go Normal file
View File

@ -0,0 +1,38 @@
package main
import (
"os"
"golang.org/x/sys/unix"
)
var (
stdinTTY = &tty{int(os.Stdin.Fd()), nil}
)
type tty struct {
fd int
termios *unix.Termios
}
func (t *tty) EchoOff() {
termios, err := unix.IoctlGetTermios(t.fd, unix.TCGETS)
if err != nil {
return
}
t.termios = termios
newState := *termios
newState.Lflag &^= unix.ECHO
newState.Lflag |= unix.ICANON | unix.ISIG
newState.Iflag |= unix.ICRNL
unix.IoctlSetTermios(t.fd, unix.TCSETS, &newState)
}
func (t *tty) Restore() {
if t.termios != nil {
unix.IoctlSetTermios(t.fd, unix.TCSETS, t.termios)
t.termios = nil
}
}

View File

@ -6,6 +6,8 @@ import (
) )
func cleanZombies() { func cleanZombies() {
return // FIXME noop... udhcpc is a daemon staying alive so we never finish
var wstatus syscall.WaitStatus var wstatus syscall.WaitStatus
for { for {