Compare commits
40 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 Mikaël Cluseau
|
30cdf9456b | ||
|
Mikaël Cluseau
|
19193a9560 | ||
|
Mikaël Cluseau
|
ee0ff1373f | ||
|
Mikaël Cluseau
|
ee03452591 | ||
|
Mikaël Cluseau
|
7fef9eaf6c | ||
|
Mikaël Cluseau
|
6a9875fad5 | ||
|
Mikaël Cluseau
|
6a8805346f | ||
|
Mikaël Cluseau
|
acb8f28ab7 | ||
|
Mikaël Cluseau
|
d4ec6380f8 | ||
|
Mikaël Cluseau
|
3036b2f417 | ||
|
Mikaël Cluseau
|
e72e6a0b3b | ||
|
Mikaël Cluseau
|
2924263cb6 | ||
|
Mikaël Cluseau
|
5ce212b3ef | ||
|
Mikaël Cluseau
|
ea49b99dbe | ||
|
Mikaël Cluseau
|
c5f3f220c9 | ||
|
Mikaël Cluseau
|
fec3cfcb57 | ||
|
Mikaël Cluseau
|
c8437c655c | ||
|
Mikaël Cluseau
|
fe3752baf9 | ||
|
Mikaël Cluseau
|
f29dc650b4 | ||
|
Mikaël Cluseau
|
5ebf1331bb | ||
|
Mikaël Cluseau
|
be0e10723a | ||
|
Mikaël Cluseau
|
01b211d0c5 | ||
|
Mikaël Cluseau
|
0ef1ae769e | ||
|
Mikaël Cluseau
|
afac751118 | ||
|
Mikaël Cluseau
|
e7769155e1 | ||
|
Mikaël Cluseau
|
c8bbbf858a | ||
|
Mikaël Cluseau
|
9a65ca5552 | ||
|
Mikaël Cluseau
|
8596389970 | ||
|
Mikaël Cluseau
|
ba0a304095 | ||
|
Mikaël Cluseau
|
798317432d | ||
|
Mikaël Cluseau
|
5c86af7614 | ||
|
Mikaël Cluseau
|
0c4f636477 | ||
|
Mikaël Cluseau
|
7b30eb4435 | ||
|
Mikaël Cluseau
|
2e337f9957 | ||
|
Mikaël Cluseau
|
dff9142bdc | ||
|
Mikaël Cluseau
|
74c8ae293d | ||
|
Mikaël Cluseau
|
f886692c7f | ||
|
Mikaël Cluseau
|
96f801e27d | ||
|
Mikaël Cluseau
|
3f7cd80a96 | ||
|
Mikaël Cluseau
|
41c3f9badd |
Generated
+769
-465
File diff suppressed because it is too large
Load Diff
+6
-4
@@ -1,6 +1,6 @@
|
||||
[package]
|
||||
name = "init"
|
||||
version = "2.5.1"
|
||||
version = "2.6.10"
|
||||
edition = "2024"
|
||||
|
||||
[profile.release]
|
||||
@@ -16,7 +16,7 @@ env_logger = "0.11.3"
|
||||
eyre = { version = "0.6.12" }
|
||||
itertools = "0.14.0"
|
||||
log = "0.4.21"
|
||||
nix = { version = "0.30.1", features = ["feature", "mount", "process", "reboot", "signal"] }
|
||||
nix = { version = "0.31.1", features = ["feature", "mount", "process", "reboot", "signal"] }
|
||||
regex = "1.11.1"
|
||||
serde = { version = "1.0.198", features = ["derive"] }
|
||||
serde_json = "1.0.116"
|
||||
@@ -25,9 +25,11 @@ shell-escape = "0.1.5"
|
||||
tokio = { version = "1.38.0", features = ["rt", "net", "fs", "process", "io-std", "io-util", "sync", "macros", "signal"] }
|
||||
termios = "0.3.3"
|
||||
unix_mode = "0.1.4"
|
||||
base64 = "0.22.1"
|
||||
sys-info = "0.9.1"
|
||||
dkl = { git = "https://novit.tech/direktil/dkl", version = "1.0.0" }
|
||||
openssl = "0.10.73"
|
||||
reqwest = { version = "0.12.22", features = ["native-tls"] }
|
||||
#reqwest = { version = "0.13.1", features = ["native-tls", "system-proxy"], default-features = false }
|
||||
reqwest = { git = "https://github.com/mcluseau/rs-reqwest", version = "0.13.1", features = ["native-tls", "system-proxy", "socks"], default-features = false }
|
||||
glob = "0.3.3"
|
||||
hex = "0.4.3"
|
||||
tar = { version = "0.4.46", default-features = false }
|
||||
|
||||
+24
-8
@@ -1,4 +1,4 @@
|
||||
from rust:1.91.0-alpine as rust
|
||||
from rust:1.96.0-alpine as rust
|
||||
|
||||
run apk add --no-cache git musl-dev libudev-zero-dev openssl-dev cryptsetup-dev lvm2-dev clang-libs clang-dev
|
||||
|
||||
@@ -9,8 +9,7 @@ run --mount=type=cache,id=novit-rs,target=/usr/local/cargo/registry \
|
||||
RUSTFLAGS="-C target-feature=-crt-static" cargo install --path . --root /dist
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
from alpine:3.22.2 as initrd
|
||||
run apk add zstd lz4
|
||||
from alpine:3.23.4 as system
|
||||
|
||||
workdir /system
|
||||
|
||||
@@ -18,9 +17,9 @@ run . /etc/os-release \
|
||||
&& wget -O- https://dl-cdn.alpinelinux.org/alpine/v${VERSION_ID%.*}/releases/x86_64/alpine-minirootfs-${VERSION_ID}-x86_64.tar.gz |tar zxv
|
||||
|
||||
run apk add --no-cache --update -p . musl libgcc coreutils \
|
||||
lvm2 lvm2-extra lvm2-dmeventd udev cryptsetup \
|
||||
ethtool iproute2 lvm2 lvm2-extra lvm2-dmeventd udev cryptsetup \
|
||||
e2fsprogs lsblk openssl openssh-server wireguard-tools-wg-quick \
|
||||
&& rm -rf usr/share/apk var/cache/apk etc/motd
|
||||
&& rm -rf usr/share/apk var/cache/apk etc/motd dev/*
|
||||
|
||||
copy etc/sshd_config etc/ssh/sshd_config
|
||||
|
||||
@@ -31,9 +30,26 @@ run mkdir -p bin run var/log; cd bin && for cmd in init-version init-connect boo
|
||||
# check viability
|
||||
run chroot . init-version
|
||||
|
||||
run find * |cpio -H newc -oF /initrd
|
||||
# ------------------------------------------------------------------------
|
||||
from alpine:3.23.4 as initrd
|
||||
|
||||
copy --from=system /system /system
|
||||
run cd /system && find * |cpio -H newc -oF /initrd
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
from alpine:3.22.2
|
||||
copy --from=initrd /initrd /
|
||||
from debian:stable-backports as initramfs
|
||||
run apt update && apt install -y erofs-utils
|
||||
|
||||
copy --from=system /system /system
|
||||
run mkfs.erofs \
|
||||
-z lzma -C131072 -Efragments,ztailpacking \
|
||||
-T0 --all-time --ignore-mtime \
|
||||
/initramfs /system
|
||||
|
||||
# ------------------------------------------------------------------------
|
||||
from alpine:3.23.4
|
||||
copy --from=initrd /initrd /initrd
|
||||
entrypoint ["base64","/initrd"]
|
||||
|
||||
#copy --from=initramfs /initramfs /
|
||||
#entrypoint ["base64","/initramfs"]
|
||||
|
||||
Executable
+62
@@ -0,0 +1,62 @@
|
||||
#! /bin/bash
|
||||
|
||||
base_initrd=dist/initrd
|
||||
flavor=dhcp
|
||||
dir=tmp/$flavor-initrd
|
||||
|
||||
dist=dist/$flavor
|
||||
uki=$dist/bootx64.efi
|
||||
|
||||
linux_v=6.18.34
|
||||
|
||||
set -ex
|
||||
|
||||
mkdir -p tmp/dl $dist
|
||||
|
||||
linux=tmp/dl/linux-$linux_v
|
||||
modules=tmp/dl/modules-$linux_v
|
||||
|
||||
[ -e $linux ] || curl -o $linux https://dkl.novit.io/dist/kernels/6.18.35
|
||||
[ -e $modules ] || curl -o $modules https://dkl.novit.io/dist/layers/modules/6.18.35.erofs
|
||||
|
||||
rm -fr $dir
|
||||
mkdir $dir
|
||||
|
||||
cpio --quiet --extract --file $base_initrd --directory $dir
|
||||
|
||||
cp -rv $flavor/. $dir
|
||||
cp $modules $dir/modules.fs
|
||||
|
||||
(cd $dir && find * |cpio --create -H newc -R 0:0) >$dir.cpio
|
||||
|
||||
if cpio -tF $dir.cpio 2>&1 |grep bytes.of.junk; then echo "bad cpio archive"; exit 1; fi
|
||||
|
||||
zstd -12 -T0 -vf $dir.cpio &&
|
||||
mv $dir.cpio.zst $dist/initrd
|
||||
cp $linux $dist/vmlinuz
|
||||
|
||||
ukify build --output $uki --os-release "Direktil DHCP" \
|
||||
--linux $linux --initrd $dist/initrd
|
||||
|
||||
MB=$(( 2**20 ))
|
||||
sz=$(( ( $(stat -c %s $uki) + MB ) / MB + 2 ))
|
||||
|
||||
efi=$dist/efi.img
|
||||
|
||||
if [ -e $efi ]; then rm $efi; fi
|
||||
|
||||
truncate -s ${sz}M $efi
|
||||
sgdisk -n 1:2048:0 -t 1:ef00 -c 1:"EFI System" $efi
|
||||
|
||||
offset=$(( 2048 * 512 ))
|
||||
|
||||
export MTOOLSRC=$(mktemp)
|
||||
trap "rm -f $MTOOLSRC" exit
|
||||
echo "drive e: file=\"$efi\" offset=$offset" >$MTOOLSRC
|
||||
|
||||
args="-i $efi@@$offset"
|
||||
|
||||
mformat -F e:
|
||||
mmd e:EFI e:EFI/BOOT
|
||||
mcopy $uki e:EFI/BOOT/BOOTX64.EFI
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
use std::process::Command;
|
||||
fn main() {
|
||||
let output = Command::new("git")
|
||||
.args(&["rev-parse", "HEAD"])
|
||||
.args(["rev-parse", "HEAD"])
|
||||
.output()
|
||||
.unwrap();
|
||||
let git_commit = String::from_utf8(output.stdout).unwrap();
|
||||
|
||||
@@ -0,0 +1,37 @@
|
||||
---
|
||||
anti_phishing_code: "direktil<3"
|
||||
|
||||
modules: /modules.fs
|
||||
|
||||
auths:
|
||||
- name: adm1@novit
|
||||
sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N
|
||||
- name: adm2@novit
|
||||
sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIomzqVAIqb7BedauhAo2VgbLqme5Jx/vjGUqZLoJqF
|
||||
|
||||
ssh:
|
||||
listen: "[::]:22"
|
||||
|
||||
networks:
|
||||
- name: loopback
|
||||
interfaces: [ { var: iface, n: 1, udev: !eq [INTERFACE, lo] } ]
|
||||
script: |
|
||||
ip a add 127.0.0.1/8 dev lo
|
||||
ip a add ::1/128 dev lo
|
||||
ip li set lo up
|
||||
- name: main
|
||||
interfaces:
|
||||
- var: ifaces
|
||||
n: -1
|
||||
udev: !has ID_NET_NAME_MAC
|
||||
script: |
|
||||
ip link add main type bond mode active-backup
|
||||
for l in $ifaces; do
|
||||
ip link set $l master main
|
||||
ip link set $l up
|
||||
done
|
||||
ip link set main up
|
||||
udhcpc -b -i main
|
||||
|
||||
bootstrap:
|
||||
dev: /dev/storage/bootstrap
|
||||
+106
-29
@@ -1,9 +1,10 @@
|
||||
use eyre::{format_err, Result};
|
||||
use eyre::{Result, format_err};
|
||||
use log::{error, info, warn};
|
||||
use std::collections::BTreeSet as Set;
|
||||
use std::convert::Infallible;
|
||||
use std::os::unix::fs::symlink;
|
||||
use tokio::sync::Mutex;
|
||||
use tokio::{fs, process::Command};
|
||||
use tokio::{fs, io::AsyncReadExt, process::Command};
|
||||
|
||||
use crate::{cmd::version::version_string, dklog, input, utils};
|
||||
use dkl::bootstrap::Config;
|
||||
@@ -53,10 +54,10 @@ pub async fn run() {
|
||||
info!("Linux version {kernel_version}");
|
||||
|
||||
// mount basic filesystems
|
||||
mount(None, "/proc", "proc", None).await;
|
||||
mount(None, "/sys", "sysfs", None).await;
|
||||
mount(None, "/dev", "devtmpfs", None).await;
|
||||
mount(None, "/dev/pts", "devpts", Some("gid=5,mode=620")).await;
|
||||
mount(None::<&str>, "/proc", "proc", None).await;
|
||||
mount(None::<&str>, "/sys", "sysfs", None).await;
|
||||
mount(None::<&str>, "/dev", "devtmpfs", None).await;
|
||||
mount(None::<&str>, "/dev/pts", "devpts", Some("gid=5,mode=620")).await;
|
||||
|
||||
if utils::bool_param("debug") {
|
||||
log::set_max_level(log::LevelFilter::Debug);
|
||||
@@ -143,6 +144,9 @@ pub async fn run() {
|
||||
warn!("failed to copy {INIT_LOG} to system: {e}");
|
||||
}
|
||||
|
||||
if let Err(e) = nix::mount::umount2("/modules", nix::mount::MntFlags::MNT_DETACH) {
|
||||
warn!("failed to umount /modules: {e}");
|
||||
}
|
||||
retry(async || switch_root("/system").await).await;
|
||||
}
|
||||
|
||||
@@ -150,7 +154,8 @@ use std::path::Path;
|
||||
|
||||
async fn mount_modules(modules: &str, kernel_version: &str) -> Result<()> {
|
||||
info!("mounting modules");
|
||||
mount(Some(modules), "/modules", "squashfs", None).await;
|
||||
|
||||
mount_ro_fs(modules, "/modules").await?;
|
||||
|
||||
fs::create_dir_all("/lib/modules").await?;
|
||||
let modules_path = &format!("/modules/lib/modules/{kernel_version}");
|
||||
@@ -162,6 +167,13 @@ async fn mount_modules(modules: &str, kernel_version: &str) -> Result<()> {
|
||||
}
|
||||
|
||||
symlink(modules_path, format!("/lib/modules/{kernel_version}"))?;
|
||||
|
||||
let firmware_path = &format!("/modules/lib/firmware/{kernel_version}");
|
||||
if std::fs::exists(firmware_path)? {
|
||||
fs::create_dir_all("/lib/firmware").await?;
|
||||
symlink(firmware_path, format!("/lib/firmware/{kernel_version}"))?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
@@ -173,18 +185,32 @@ async fn chmod(path: impl AsRef<Path>, mode: u32) -> std::io::Result<()> {
|
||||
fs::set_permissions(path, perms).await
|
||||
}
|
||||
|
||||
async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
|
||||
async fn mount<S: AsRef<Path>>(
|
||||
src: Option<S>,
|
||||
dst: impl AsRef<Path>,
|
||||
fstype: &str,
|
||||
opts: Option<&str>,
|
||||
) {
|
||||
let src = src.as_ref().map(|s| s.as_ref());
|
||||
let src_str = src.map(|s| s.display().to_string());
|
||||
let src_str = src_str.as_deref();
|
||||
|
||||
let dst = dst.as_ref();
|
||||
let dst_str = &dst.display().to_string();
|
||||
|
||||
if let Err(e) = fs::create_dir_all(dst).await {
|
||||
error!("failed to create dir {dst}: {e}");
|
||||
error!("failed to create dir {dst_str}: {e}");
|
||||
}
|
||||
|
||||
retry_or_ignore(async || {
|
||||
let mut is_file = false;
|
||||
|
||||
if let Some(src) = src {
|
||||
if let Some(src) = src_str {
|
||||
is_file = (fs::metadata(src).await)
|
||||
.map_err(|e| format_err!("stat {src} failed: {e}"))?
|
||||
.is_file();
|
||||
|
||||
#[allow(clippy::single_match)] // may be extended later
|
||||
match fstype {
|
||||
"ext4" => {
|
||||
exec("fsck.ext4", &["-p", src]).await;
|
||||
@@ -193,7 +219,7 @@ async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
|
||||
}
|
||||
}
|
||||
|
||||
let mut args = vec![src.unwrap_or("none"), dst, "-t", fstype];
|
||||
let mut args = vec![src_str.unwrap_or("none"), dst_str, "-t", fstype];
|
||||
if let Some(opts) = opts {
|
||||
args.extend(["-o", opts]);
|
||||
}
|
||||
@@ -205,15 +231,50 @@ async fn mount(src: Option<&str>, dst: &str, fstype: &str, opts: Option<&str>) {
|
||||
}
|
||||
|
||||
let (cmd_str, _) = cmd_str("mount", &args);
|
||||
let flags = nix::mount::MsFlags::empty();
|
||||
|
||||
info!("# {cmd_str}",);
|
||||
nix::mount::mount(src, dst, Some(fstype), flags, opts)
|
||||
.map_err(|e| format_err!("mount {dst} failed: {e}"))
|
||||
|
||||
let mount = |flags| nix::mount::mount(src, dst, Some(fstype), flags, opts);
|
||||
|
||||
use nix::{errno::Errno, mount::MsFlags};
|
||||
match mount(MsFlags::empty()) {
|
||||
Err(Errno::EACCES) => mount(MsFlags::MS_RDONLY),
|
||||
r => r,
|
||||
}
|
||||
.map_err(|e| format_err!("mount {dst_str} failed: {e}"))
|
||||
})
|
||||
.await
|
||||
}
|
||||
|
||||
async fn mount_ro_fs(src: impl AsRef<Path>, dst: impl AsRef<Path>) -> Result<()> {
|
||||
let src = src.as_ref();
|
||||
let dst = dst.as_ref();
|
||||
|
||||
// identify RO fs type
|
||||
let mut buf = [0u8; 1028];
|
||||
|
||||
fs::File::open(src)
|
||||
.await
|
||||
.map_err(|e| format_err!("open {}: {e}", src.display()))?
|
||||
.read_exact(&mut buf)
|
||||
.await
|
||||
.map_err(|e| format_err!("read {}: {e}", src.display()))?;
|
||||
|
||||
let fstype = if buf[1024..1028] == 0xE0F5E1E2u32.to_le_bytes() {
|
||||
"erofs"
|
||||
} else {
|
||||
"squashfs"
|
||||
};
|
||||
|
||||
if let Err(e) = fs::create_dir_all(dst).await {
|
||||
error!("failed to create dir {dst}: {e}", dst = dst.display());
|
||||
}
|
||||
|
||||
let mut cmd = Command::new("mount");
|
||||
cmd.args(["-t", fstype]).arg(src).arg(dst);
|
||||
try_exec_cmd(cmd).await
|
||||
}
|
||||
|
||||
async fn start_daemon(prog: &str, args: &[&str]) {
|
||||
let (cmd_str, mut cmd) = cmd_str(prog, args);
|
||||
retry_or_ignore(async || {
|
||||
@@ -224,6 +285,25 @@ async fn start_daemon(prog: &str, args: &[&str]) {
|
||||
.await;
|
||||
}
|
||||
|
||||
async fn try_exec_cmd(mut cmd: Command) -> Result<()> {
|
||||
info!(
|
||||
"# {} {}",
|
||||
cmd.as_std().get_program().to_string_lossy(),
|
||||
cmd.as_std()
|
||||
.get_args()
|
||||
.map(|a| a.to_string_lossy())
|
||||
.collect::<Vec<_>>()
|
||||
.join(" ")
|
||||
);
|
||||
|
||||
let s = cmd.status().await?;
|
||||
if s.success() {
|
||||
Ok(())
|
||||
} else {
|
||||
Err(format_err!("command failed: {s}"))
|
||||
}
|
||||
}
|
||||
|
||||
async fn try_exec(prog: &str, args: &[&str]) -> Result<()> {
|
||||
let (cmd_str, mut cmd) = cmd_str(prog, args);
|
||||
info!("# {cmd_str}");
|
||||
@@ -307,9 +387,9 @@ fn cmd_str(prog: &str, args: &[&str]) -> (String, Command) {
|
||||
|
||||
#[allow(unused)]
|
||||
async fn child_reaper() {
|
||||
use nix::sys::wait::{waitpid, WaitPidFlag};
|
||||
use nix::sys::wait::{WaitPidFlag, waitpid};
|
||||
use nix::unistd::Pid;
|
||||
use tokio::signal::unix::{signal, SignalKind};
|
||||
use tokio::signal::unix::{SignalKind, signal};
|
||||
|
||||
let Ok(mut sigs) =
|
||||
signal(SignalKind::child()).inspect_err(|e| warn!("failed to setup SIGCHLD handler: {e}"))
|
||||
@@ -323,24 +403,24 @@ async fn child_reaper() {
|
||||
}
|
||||
}
|
||||
|
||||
macro_rules! cstr {
|
||||
($s:expr) => {
|
||||
std::ffi::CString::new($s)?.as_c_str()
|
||||
};
|
||||
}
|
||||
|
||||
async fn switch_root(root: &str) -> Result<()> {
|
||||
async fn switch_root(root: &str) -> Result<Infallible> {
|
||||
info!("killing all processes and switching root");
|
||||
dklog::LOG.close().await;
|
||||
|
||||
use nix::sys::signal::{kill, SIGKILL};
|
||||
use nix::sys::signal::{SIGKILL, kill};
|
||||
use nix::unistd::Pid;
|
||||
|
||||
if let Err(e) = kill(Pid::from_raw(-1), SIGKILL) {
|
||||
eprintln!("failed to kill processes: {e}");
|
||||
}
|
||||
|
||||
nix::unistd::execv(
|
||||
macro_rules! cstr {
|
||||
($s:expr) => {
|
||||
std::ffi::CString::new($s)?.as_c_str()
|
||||
};
|
||||
}
|
||||
|
||||
Ok(nix::unistd::execv(
|
||||
cstr!("/sbin/switch_root"),
|
||||
&[
|
||||
cstr!("switch_root"),
|
||||
@@ -349,8 +429,5 @@ async fn switch_root(root: &str) -> Result<()> {
|
||||
cstr!(root),
|
||||
cstr!("/sbin/init"),
|
||||
],
|
||||
)
|
||||
.unwrap();
|
||||
|
||||
unreachable!();
|
||||
)?)
|
||||
}
|
||||
|
||||
+269
-69
@@ -1,22 +1,24 @@
|
||||
use eyre::{format_err, Result};
|
||||
use log::{info, warn};
|
||||
use eyre::{Result, format_err};
|
||||
use log::{debug, info, warn};
|
||||
use std::path::{Path, PathBuf};
|
||||
use tokio::{
|
||||
fs,
|
||||
io::{AsyncBufReadExt, AsyncWriteExt, BufReader},
|
||||
io::{AsyncBufReadExt, AsyncWrite, AsyncWriteExt, BufReader},
|
||||
};
|
||||
|
||||
use dkl::{
|
||||
self,
|
||||
apply::{self, chroot, set_perms},
|
||||
base64_decode,
|
||||
bootstrap::Config,
|
||||
};
|
||||
|
||||
use super::{exec, mount, retry, retry_or_ignore, try_exec};
|
||||
use super::{exec, mount, mount_ro_fs, retry, retry_or_ignore, try_exec, try_exec_cmd};
|
||||
use crate::{fs::walk_dir, utils};
|
||||
|
||||
pub async fn bootstrap(cfg: Config) {
|
||||
let verifier = retry(async || Verifier::from_config(&cfg)).await;
|
||||
let bs = cfg.bootstrap;
|
||||
let bs = &cfg.bootstrap;
|
||||
|
||||
mount(Some(&bs.dev), "/bootstrap", "ext4", None).await;
|
||||
|
||||
@@ -47,12 +49,12 @@ pub async fn bootstrap(cfg: Config) {
|
||||
.await;
|
||||
|
||||
let sys_cfg: dkl::Config = retry(async || {
|
||||
let sys_cfg_bytes = seed_config(base_dir, &bs.seed, &verifier).await?;
|
||||
let sys_cfg_bytes = seed_config(base_dir, bs, &verifier).await?;
|
||||
Ok(serde_yaml::from_slice(&sys_cfg_bytes)?)
|
||||
})
|
||||
.await;
|
||||
|
||||
mount_system(&sys_cfg, base_dir, &verifier).await;
|
||||
mount_system(&sys_cfg, &cfg, base_dir, &verifier).await;
|
||||
|
||||
retry_or_ignore(async || {
|
||||
let path = "/etc/resolv.conf";
|
||||
@@ -64,7 +66,7 @@ pub async fn bootstrap(cfg: Config) {
|
||||
})
|
||||
.await;
|
||||
|
||||
retry_or_ignore(async || apply::files(&sys_cfg.files, "/system").await).await;
|
||||
retry_or_ignore(async || apply::files(&sys_cfg.files, "/system", false).await).await;
|
||||
|
||||
apply_groups(&sys_cfg.groups, "/system").await;
|
||||
apply_users(&sys_cfg.users, "/system").await;
|
||||
@@ -77,7 +79,30 @@ pub async fn bootstrap(cfg: Config) {
|
||||
})
|
||||
.await;
|
||||
|
||||
exec("chroot", &["/system", "update-ca-certificates"]).await
|
||||
exec("chroot", &["/system", "update-ca-certificates"]).await;
|
||||
|
||||
// activate ttyS* consoles as needed
|
||||
retry_or_ignore(async || {
|
||||
const PATH: &str = "/system/etc/inittab";
|
||||
let mut inittab = fs::read_to_string(PATH).await?;
|
||||
let mut changed = false;
|
||||
for opt in utils::cmdline().filter_map(|s| s.strip_prefix("console=ttyS")) {
|
||||
info!("inittab: adding entry for ttyS{opt}");
|
||||
changed = true;
|
||||
|
||||
let mut params = opt.split(',');
|
||||
let num = params.next().unwrap();
|
||||
let speed = params.next().unwrap_or("115200");
|
||||
inittab.push_str(&format!(
|
||||
"S{num}:12345:respawn:/sbin/agetty --noclear {speed} ttyS{num} linux\n"
|
||||
));
|
||||
}
|
||||
if changed {
|
||||
fs::write(PATH, inittab.as_bytes()).await?;
|
||||
}
|
||||
Ok(())
|
||||
})
|
||||
.await;
|
||||
}
|
||||
|
||||
struct Verifier {
|
||||
@@ -89,24 +114,27 @@ impl Verifier {
|
||||
return Ok(Self { pubkey: None });
|
||||
};
|
||||
|
||||
use base64::{prelude::BASE64_STANDARD, Engine};
|
||||
let pubkey = BASE64_STANDARD.decode(pubkey)?;
|
||||
let pubkey = base64_decode(pubkey)?;
|
||||
let pubkey = Some(pubkey);
|
||||
|
||||
return Ok(Self { pubkey });
|
||||
Ok(Self { pubkey })
|
||||
}
|
||||
|
||||
async fn verify_path(&self, path: &str) -> Result<Vec<u8>> {
|
||||
let data = (fs::read(path).await).map_err(|e| format_err!("failed to read {path}: {e}"))?;
|
||||
async fn verify_path(&self, path: impl AsRef<Path>) -> Result<Vec<u8>> {
|
||||
let path = path.as_ref();
|
||||
let p = path.display();
|
||||
|
||||
let data = (fs::read(path).await).map_err(|e| format_err!("failed to read {p}: {e}"))?;
|
||||
|
||||
let Some(ref pubkey) = self.pubkey else {
|
||||
return Ok(data);
|
||||
};
|
||||
|
||||
info!("verifying {path}");
|
||||
info!("verifying {p}");
|
||||
|
||||
let sig = &format!("{path}.sig");
|
||||
let sig = (fs::read(sig).await).map_err(|e| format_err!("failed to read {sig}: {e}"))?;
|
||||
let sig = path.with_added_extension("sig");
|
||||
let sig = (fs::read(&sig).await)
|
||||
.map_err(|e| format_err!("failed to read {}: {e}", sig.display()))?;
|
||||
|
||||
use openssl::{hash::MessageDigest, pkey::PKey, sign::Verifier};
|
||||
let pubkey = PKey::public_key_from_der(pubkey)?;
|
||||
@@ -118,51 +146,91 @@ impl Verifier {
|
||||
if sig_ok {
|
||||
Ok(data)
|
||||
} else {
|
||||
Err(format_err!("signature verification failed for {path}"))
|
||||
Err(format_err!("signature verification failed for {p}"))
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
async fn seed_config(
|
||||
base_dir: &str,
|
||||
seed_url: &Option<String>,
|
||||
base_dir: impl Into<PathBuf>,
|
||||
bs: &dkl::bootstrap::Bootstrap,
|
||||
verifier: &Verifier,
|
||||
) -> Result<Vec<u8>> {
|
||||
let cfg_path = &format!("{base_dir}/config.yaml");
|
||||
let base_dir = base_dir.into();
|
||||
|
||||
if fs::try_exists(cfg_path).await? {
|
||||
return Ok(fs::read(cfg_path).await?);
|
||||
let cfg_path = base_dir.join("config.yaml");
|
||||
|
||||
if fs::try_exists(&cfg_path).await? {
|
||||
return verifier.verify_path(cfg_path).await;
|
||||
}
|
||||
|
||||
let bs_tar = "/bootstrap.tar";
|
||||
if !fs::try_exists(bs_tar).await? {
|
||||
if let Some(seed_url) = seed_url.as_ref() {
|
||||
fetch_bootstrap(seed_url, bs_tar).await?;
|
||||
} else {
|
||||
if !fs::try_exists(&bs_tar).await? {
|
||||
if bs.seed.is_none() {
|
||||
return Err(format_err!(
|
||||
"no {cfg_path}, no {bs_tar} and no seed, can't bootstrap"
|
||||
"no {}, no {bs_tar} and no seed URL, can't bootstrap",
|
||||
cfg_path.display()
|
||||
));
|
||||
}
|
||||
fetch_bootstrap(bs, bs_tar).await?;
|
||||
}
|
||||
|
||||
try_exec("tar", &["xf", bs_tar, "-C", base_dir]).await?;
|
||||
let tmp_dir = base_dir.with_added_extension("new");
|
||||
fs::create_dir_all(&tmp_dir).await?;
|
||||
|
||||
if !fs::try_exists(cfg_path).await? {
|
||||
return Err(format_err!("{cfg_path} does not exist after seeding"));
|
||||
untar(bs_tar, &tmp_dir)
|
||||
.await
|
||||
.map_err(|e| format_err!("untar failed: {e}"))?;
|
||||
|
||||
let cfg_path = tmp_dir.join("config.yaml");
|
||||
if !fs::try_exists(&cfg_path).await? {
|
||||
return Err(format_err!(
|
||||
"{} does not exist after seeding",
|
||||
cfg_path.display()
|
||||
));
|
||||
}
|
||||
|
||||
verifier.verify_path(&cfg_path).await
|
||||
let cfg_bytes = verifier.verify_path(&cfg_path).await?;
|
||||
|
||||
fs::rename(tmp_dir, base_dir).await?;
|
||||
Ok(cfg_bytes)
|
||||
}
|
||||
|
||||
async fn fetch_bootstrap(seed_url: &str, output_file: &str) -> Result<()> {
|
||||
let seed_url: reqwest::Url = seed_url.parse()?;
|
||||
async fn fetch_bootstrap(bs: &dkl::bootstrap::Bootstrap, output_file: &str) -> Result<()> {
|
||||
let seed_url: reqwest::Url = (bs.seed.as_ref())
|
||||
.ok_or(format_err!("no seed URL"))?
|
||||
.parse()
|
||||
.map_err(|e| format_err!("invalid seed URL: {e}"))?;
|
||||
|
||||
info!(
|
||||
"fetching {output_file} from {}",
|
||||
seed_url.host_str().unwrap_or("<no host>")
|
||||
);
|
||||
|
||||
let resp = reqwest::get(seed_url).await?;
|
||||
let mut builder = reqwest::Client::builder();
|
||||
|
||||
if let Some(ref proxy) = bs.seed_proxy {
|
||||
debug!("using proxy {proxy}");
|
||||
let proxy = reqwest::Proxy::all(proxy) //
|
||||
.map_err(|e| format_err!("seed proxy setup failed: {e}"))?;
|
||||
builder = builder.proxy(proxy);
|
||||
}
|
||||
|
||||
if let Some(ref ca) = bs.seed_ca {
|
||||
debug!("using custom CA certificate");
|
||||
let ca = base64_decode(ca).map_err(|e| format_err!("invalid seed CA: decode: {e}"))?;
|
||||
let ca = reqwest::Certificate::from_der(&ca)
|
||||
.map_err(|e| format_err!("invalid seed CA: parse: {e}"))?;
|
||||
builder = builder.tls_certs_only([ca]);
|
||||
}
|
||||
|
||||
if let Some(ref sn) = bs.seed_servername {
|
||||
debug!("tls server name: {sn}");
|
||||
builder = builder.tls_server_name(bs.seed_servername.clone());
|
||||
}
|
||||
|
||||
let req = builder.build()?.get(seed_url);
|
||||
let resp = req.send().await?;
|
||||
|
||||
if !resp.status().is_success() {
|
||||
return Err(format_err!("HTTP request failed: {}", resp.status()));
|
||||
@@ -176,6 +244,18 @@ async fn fetch_bootstrap(seed_url: &str, output_file: &str) -> Result<()> {
|
||||
Ok(())
|
||||
}
|
||||
|
||||
async fn untar(arch: impl Into<PathBuf>, target: impl Into<PathBuf>) -> Result<()> {
|
||||
let arch = arch.into();
|
||||
let target = target.into();
|
||||
tokio::task::spawn_blocking(move || {
|
||||
let tar = std::fs::File::open(arch)?;
|
||||
let mut tar = tar::Archive::new(tar);
|
||||
tar.unpack(target)
|
||||
})
|
||||
.await??;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn default_root_tmpfs_opts() -> Option<String> {
|
||||
let mem = sys_info::mem_info()
|
||||
.inspect_err(|e| warn!("failed to get system memory info, using default tmpfs size: {e}"))
|
||||
@@ -187,47 +267,117 @@ fn default_root_tmpfs_opts() -> Option<String> {
|
||||
Some(format!("size={fs_size}m"))
|
||||
}
|
||||
|
||||
async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
|
||||
struct LayerMounter<'t> {
|
||||
bs_dir: &'t str,
|
||||
layers_dir: &'t str,
|
||||
verifier: &'t Verifier,
|
||||
lower_dir: String,
|
||||
}
|
||||
|
||||
impl LayerMounter<'_> {
|
||||
fn src_path(&self, name: &str) -> PathBuf {
|
||||
let mut p = PathBuf::from(self.bs_dir);
|
||||
p.push(name);
|
||||
if name != "merged" {
|
||||
p.add_extension("fs");
|
||||
}
|
||||
p
|
||||
}
|
||||
|
||||
async fn exists(&self, name: &str) -> bool {
|
||||
retry(async || Ok(fs::try_exists(self.src_path(name)).await?)).await
|
||||
}
|
||||
|
||||
async fn mount(&mut self, name: &str) {
|
||||
self.mount_path(self.src_path(name), name, true).await
|
||||
}
|
||||
|
||||
async fn mount_path(&mut self, src: impl AsRef<Path>, name: &str, verify: bool) {
|
||||
let src = src.as_ref();
|
||||
let tgt_dir = PathBuf::from(self.layers_dir).join(name);
|
||||
let tgt = tgt_dir.with_added_extension("fs");
|
||||
|
||||
if let Err(e) = fs::create_dir_all(&tgt_dir).await {
|
||||
warn!("mkdir -p {}: {e}", tgt_dir.display());
|
||||
}
|
||||
|
||||
let mount_src = if name == "merged" {
|
||||
retry(async || {
|
||||
let data = self.verifier.verify_path(src).await?;
|
||||
let data = MergedLayer::from_bytes(&data)
|
||||
.ok_or(format_err!("{}: invalid data", src.display()))?;
|
||||
|
||||
data.create(&tgt)
|
||||
.await
|
||||
.map_err(|e| format_err!("write {}: {e}", tgt.display()))?;
|
||||
|
||||
let dm_name = "system";
|
||||
|
||||
let mut cmd = tokio::process::Command::new("veritysetup");
|
||||
cmd.arg("open")
|
||||
.arg(format!("--hash-offset={}", data.hash_offset()))
|
||||
.arg(&tgt)
|
||||
.arg(dm_name)
|
||||
.arg(&tgt)
|
||||
.arg(data.root_hash_hex());
|
||||
|
||||
try_exec_cmd(cmd).await?;
|
||||
|
||||
Ok(PathBuf::from("/dev/mapper").join(dm_name))
|
||||
})
|
||||
.await
|
||||
} else {
|
||||
retry(async || {
|
||||
let src = if verify {
|
||||
self.verifier.verify_path(src).await?
|
||||
} else {
|
||||
fs::read(src).await?
|
||||
};
|
||||
fs::write(&tgt, &src).await?;
|
||||
|
||||
Ok(tgt.clone())
|
||||
})
|
||||
.await
|
||||
};
|
||||
|
||||
retry(async || mount_ro_fs(&mount_src, &tgt_dir).await).await;
|
||||
|
||||
if !self.lower_dir.is_empty() {
|
||||
self.lower_dir.push(':');
|
||||
}
|
||||
self.lower_dir.push_str(&tgt_dir.to_string_lossy());
|
||||
}
|
||||
}
|
||||
|
||||
async fn mount_system(cfg: &dkl::Config, bs_cfg: &Config, bs_dir: &str, verifier: &Verifier) {
|
||||
let opts = match utils::param("root-opts") {
|
||||
Some(s) => Some(s.to_string()),
|
||||
None => default_root_tmpfs_opts(),
|
||||
};
|
||||
|
||||
let mem_dir = "/mem";
|
||||
mount(None, mem_dir, "tmpfs", opts.as_deref()).await;
|
||||
mount(None::<&str>, mem_dir, "tmpfs", opts.as_deref()).await;
|
||||
|
||||
let layers_dir = &format!("{mem_dir}/layers");
|
||||
let mut lower_dir = String::new();
|
||||
let mut mounter = LayerMounter {
|
||||
bs_dir,
|
||||
layers_dir: &format!("{mem_dir}/layers"),
|
||||
verifier,
|
||||
lower_dir: String::new(),
|
||||
};
|
||||
|
||||
for layer in &cfg.layers {
|
||||
let src = retry(async || {
|
||||
if layer == "modules" {
|
||||
let src = "/modules.sqfs";
|
||||
(fs::read(src).await).map_err(|e| format_err!("read {src} failed: {e}"))
|
||||
} else {
|
||||
verifier.verify_path(&format!("{bs_dir}/{layer}.fs")).await
|
||||
if mounter.exists("merged").await {
|
||||
mounter.mount("merged").await;
|
||||
} else {
|
||||
for layer in &cfg.layers {
|
||||
if layer == "modules" && bs_cfg.modules.is_some() {
|
||||
continue; // take modules from initrd
|
||||
}
|
||||
})
|
||||
.await;
|
||||
|
||||
let tgt = &format!("{mem_dir}/{layer}.fs");
|
||||
retry(async || {
|
||||
info!("copying layer {layer}");
|
||||
|
||||
let mut out = (fs::File::create(tgt).await)
|
||||
.map_err(|e| format_err!("create {tgt} failed: {e}"))?;
|
||||
(out.write_all(&src).await).map_err(|e| format_err!("write failed: {e}"))?;
|
||||
(out.flush().await).map_err(|e| format_err!("write failed: {e}"))
|
||||
})
|
||||
.await;
|
||||
|
||||
let layer_dir = &format!("{layers_dir}/{layer}");
|
||||
mount(Some(tgt), layer_dir, "squashfs", None).await;
|
||||
|
||||
if !lower_dir.is_empty() {
|
||||
lower_dir.push(':');
|
||||
mounter.mount(layer).await;
|
||||
}
|
||||
lower_dir.push_str(&layer_dir);
|
||||
}
|
||||
|
||||
if let Some(ref modules) = bs_cfg.modules {
|
||||
mounter.mount_path(modules, "modules", false).await;
|
||||
}
|
||||
|
||||
let upper_dir = &format!("{mem_dir}/upper");
|
||||
@@ -240,8 +390,9 @@ async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
|
||||
})
|
||||
.await;
|
||||
|
||||
let lower_dir = &mounter.lower_dir;
|
||||
let opts = format!("lowerdir={lower_dir},upperdir={upper_dir},workdir={work_dir}");
|
||||
mount(None, "/system", "overlay", Some(&opts)).await;
|
||||
mount(None::<&str>, "/system", "overlay", Some(&opts)).await;
|
||||
|
||||
// make root rshared (default in systemd, required by Kubernetes 1.10+)
|
||||
// equivalent to "mount --make-rshared /"
|
||||
@@ -255,6 +406,53 @@ async fn mount_system(cfg: &dkl::Config, bs_dir: &str, verifier: &Verifier) {
|
||||
.await;
|
||||
}
|
||||
|
||||
struct MergedLayer<'t> {
|
||||
#[allow(unused)]
|
||||
root_hash_sig: &'t [u8],
|
||||
root_hash: &'t [u8],
|
||||
data: &'t [u8],
|
||||
hash: &'t [u8],
|
||||
}
|
||||
|
||||
impl<'t> MergedLayer<'t> {
|
||||
fn from_bytes(mut src: &'t [u8]) -> Option<Self> {
|
||||
let mut next = || {
|
||||
let (len, rem) = src.split_at_checked(8)?;
|
||||
let len = u64::from_be_bytes(len.try_into().ok()?);
|
||||
let (data, rem) = rem.split_at_checked(len as usize)?;
|
||||
src = rem;
|
||||
Some(data)
|
||||
};
|
||||
|
||||
Some(Self {
|
||||
root_hash_sig: next()?,
|
||||
root_hash: next()?,
|
||||
data: next()?,
|
||||
hash: next()?,
|
||||
})
|
||||
}
|
||||
|
||||
async fn create(&self, path: impl AsRef<Path>) -> std::io::Result<()> {
|
||||
let mut out = fs::File::create(path).await?;
|
||||
self.write_to(&mut out).await?;
|
||||
out.shutdown().await
|
||||
}
|
||||
|
||||
async fn write_to(&self, mut out: impl AsyncWrite + Unpin) -> std::io::Result<()> {
|
||||
out.write_all(self.data).await?;
|
||||
out.write_all(self.hash).await?;
|
||||
Ok(())
|
||||
}
|
||||
|
||||
fn hash_offset(&self) -> usize {
|
||||
self.data.len()
|
||||
}
|
||||
|
||||
fn root_hash_hex(&self) -> String {
|
||||
hex::encode(self.root_hash)
|
||||
}
|
||||
}
|
||||
|
||||
async fn apply_groups(groups: &[dkl::Group], root: &str) {
|
||||
for group in groups {
|
||||
let mut args = vec![root, "groupadd", "-r"];
|
||||
@@ -306,8 +504,10 @@ async fn mount_filesystems(mounts: &[dkl::Mount], root: &str) {
|
||||
}
|
||||
|
||||
async fn setup_root_user(user: &dkl::RootUser, root: &str) -> Result<()> {
|
||||
if let Some(pw_hash) = user.password_hash.as_ref().filter(|v| !v.is_empty()) {
|
||||
set_user_password("root", &pw_hash, root).await?;
|
||||
if let Some(pw_hash) = user.password_hash.as_ref()
|
||||
&& !pw_hash.is_empty()
|
||||
{
|
||||
set_user_password("root", pw_hash, root).await?;
|
||||
}
|
||||
|
||||
let mut authorized_keys = Vec::new();
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
use eyre::{format_err, Result};
|
||||
use eyre::{Result, format_err};
|
||||
use log::{error, info, warn};
|
||||
use std::collections::BTreeSet as Set;
|
||||
use std::process::Stdio;
|
||||
@@ -6,7 +6,7 @@ use tokio::io::AsyncWriteExt;
|
||||
use tokio::process::Command;
|
||||
use tokio::sync::Mutex;
|
||||
|
||||
use super::{retry_or_ignore, USED_DEVS};
|
||||
use super::{USED_DEVS, retry_or_ignore};
|
||||
use crate::blockdev::{is_uninitialized, uninitialize};
|
||||
use crate::fs::walk_dir;
|
||||
use crate::input;
|
||||
|
||||
+43
-25
@@ -5,7 +5,7 @@ use tokio::process::Command;
|
||||
use super::{USED_DEVS, exec, retry, retry_or_ignore};
|
||||
use crate::fs::walk_dir;
|
||||
use crate::{blockdev, lvm};
|
||||
use dkl::bootstrap::{Config, Filesystem, LvSize, LvmLV, LvmVG, TAKE_ALL};
|
||||
use dkl::bootstrap::{Config, Filesystem, LvSize, LvmLV, LvmPV, LvmVG, TAKE_ALL};
|
||||
|
||||
pub async fn setup(cfg: &Config) {
|
||||
if cfg.lvm.is_empty() {
|
||||
@@ -31,7 +31,7 @@ pub async fn setup(cfg: &Config) {
|
||||
if (lvs.iter()).any(|lv| lv.equal_name(vg_name, lv_name)) {
|
||||
info!("LVM LV {vg_name}/{lv_name} exists");
|
||||
} else {
|
||||
retry_or_ignore(async || setup_lv(&vg, &lv).await).await;
|
||||
retry_or_ignore(async || setup_lv(vg, lv).await).await;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -40,7 +40,7 @@ pub async fn setup(cfg: &Config) {
|
||||
|
||||
for vg in &cfg.lvm {
|
||||
for lv in &vg.lvs {
|
||||
retry_or_ignore(async || format_lv(&vg, &lv).await).await;
|
||||
retry_or_ignore(async || format_lv(vg, lv).await).await;
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -73,24 +73,12 @@ async fn setup_vg(vg: &LvmVG) -> Result<()> {
|
||||
info!("setting up LVM VG {vg_name} ({dev_done}/{dev_needed} devices configured)");
|
||||
}
|
||||
|
||||
let regexps: Vec<regex::Regex> = (vg.pvs.regexps.iter())
|
||||
.filter_map(|re_str| {
|
||||
(re_str.parse())
|
||||
.inspect_err(|e| error!("invalid regex ignored: {re_str:?}: {e}"))
|
||||
.ok()
|
||||
})
|
||||
.collect();
|
||||
|
||||
let mut used_devs = USED_DEVS.lock().await;
|
||||
|
||||
let matching_devs = (walk_dir("/dev").await.into_iter())
|
||||
.filter(|path| !used_devs.contains(path.as_str()))
|
||||
.filter(|path| regexps.iter().any(|re| re.is_match(path)));
|
||||
let matching_devs = find_devs(&vg.pvs).await?;
|
||||
|
||||
let devs: Vec<_> = if dev_needed == TAKE_ALL {
|
||||
matching_devs.collect()
|
||||
matching_devs
|
||||
} else {
|
||||
matching_devs.take(missing_count!()).collect()
|
||||
matching_devs.into_iter().take(missing_count!()).collect()
|
||||
};
|
||||
|
||||
let cmd = if dev_done == 0 {
|
||||
@@ -109,7 +97,7 @@ async fn setup_vg(vg: &LvmVG) -> Result<()> {
|
||||
}
|
||||
|
||||
dev_done += devs.len();
|
||||
used_devs.extend(devs);
|
||||
USED_DEVS.lock().await.extend(devs);
|
||||
|
||||
if dev_needed != TAKE_ALL && dev_done < (dev_needed as usize) {
|
||||
return Err(format_err!(
|
||||
@@ -127,20 +115,20 @@ async fn setup_lv(vg: &LvmVG, lv: &LvmLV) -> Result<()> {
|
||||
|
||||
let mut cmd = Command::new("lvcreate");
|
||||
cmd.arg(&vg.name);
|
||||
cmd.args(&["--name", &lv.name]);
|
||||
cmd.args(["--name", &lv.name]);
|
||||
|
||||
match &lv.size {
|
||||
LvSize::Size(sz) => cmd.args(&["-L", sz]),
|
||||
LvSize::Extents(sz) => cmd.args(&["-l", sz]),
|
||||
LvSize::Size(sz) => cmd.args(["-L", sz]),
|
||||
LvSize::Extents(sz) => cmd.args(["-l", sz]),
|
||||
};
|
||||
|
||||
let raid = lv.raid.as_ref().unwrap_or(&vg.defaults.raid);
|
||||
|
||||
if let Some(mirrors) = raid.mirrors {
|
||||
cmd.args(&["--mirrors", &mirrors.to_string()]);
|
||||
cmd.args(["--mirrors", &mirrors.to_string()]);
|
||||
}
|
||||
if let Some(stripes) = raid.stripes {
|
||||
cmd.args(&["--stripes", &stripes.to_string()]);
|
||||
cmd.args(["--stripes", &stripes.to_string()]);
|
||||
}
|
||||
|
||||
let status = cmd.status().await?;
|
||||
@@ -159,7 +147,7 @@ async fn format_lv(vg: &LvmVG, lv: &LvmLV) -> Result<()> {
|
||||
let name = &format!("{}/{}", vg.name, lv.name);
|
||||
let dev = &format!("/dev/{name}");
|
||||
|
||||
if !blockdev::is_uninitialized(&dev).await? {
|
||||
if !blockdev::is_uninitialized(dev).await? {
|
||||
info!("{dev} looks initialized");
|
||||
return Ok(());
|
||||
}
|
||||
@@ -213,3 +201,33 @@ async fn install_package(pkg: &str) -> Result<()> {
|
||||
Err(format_err!("failed to install package {pkg}: {status}"))
|
||||
}
|
||||
}
|
||||
|
||||
async fn find_devs(pvs: &LvmPV) -> Result<Vec<String>> {
|
||||
let mut results = if let Some(ref filter) = pvs.udev {
|
||||
use crate::udev;
|
||||
let filter: udev::Filter = filter.clone().into();
|
||||
(udev::all().await?.iter())
|
||||
.filter(|dev| dev.subsystem() == Some("block") && filter.matches(dev))
|
||||
.filter_map(|dev| dev.property("DEVNAME").map(|s| s.to_string()))
|
||||
.collect()
|
||||
} else if !pvs.regexps.is_empty() {
|
||||
let regexps: Vec<regex::Regex> = (pvs.regexps.iter())
|
||||
.filter_map(|re_str| {
|
||||
(re_str.parse())
|
||||
.inspect_err(|e| error!("invalid regex ignored: {re_str:?}: {e}"))
|
||||
.ok()
|
||||
})
|
||||
.collect();
|
||||
|
||||
(walk_dir("/dev").await.into_iter())
|
||||
.filter(|path| regexps.iter().any(|re| re.is_match(path)))
|
||||
.collect()
|
||||
} else {
|
||||
warn!("no device filters, no matches");
|
||||
vec![]
|
||||
};
|
||||
|
||||
let used_devs = USED_DEVS.lock().await;
|
||||
results.retain(|path| !used_devs.contains(path.as_str()));
|
||||
Ok(results)
|
||||
}
|
||||
|
||||
@@ -3,10 +3,10 @@ use log::{info, warn};
|
||||
use std::collections::BTreeSet as Set;
|
||||
use tokio::process::Command;
|
||||
|
||||
use super::{format_err, retry_or_ignore, Result};
|
||||
use super::{Result, format_err, retry_or_ignore};
|
||||
use crate::{
|
||||
udev,
|
||||
utils::{select_n_by_regex, select_n_by_udev, NameAliases},
|
||||
utils::{NameAliases, select_n_by_regex, select_n_by_udev},
|
||||
};
|
||||
use dkl::bootstrap::{Config, Network};
|
||||
|
||||
@@ -50,7 +50,7 @@ async fn setup_network(net: &Network, assigned: &mut Set<String>) -> Result<()>
|
||||
"net",
|
||||
"INTERFACE",
|
||||
&udev_filter.clone().into(),
|
||||
&assigned,
|
||||
assigned,
|
||||
)
|
||||
.await?
|
||||
} else {
|
||||
|
||||
@@ -1,10 +1,6 @@
|
||||
use log::{info, warn};
|
||||
use std::fs;
|
||||
use std::io::Write;
|
||||
use std::os::unix::fs::PermissionsExt;
|
||||
use std::process::Stdio;
|
||||
use tokio::net;
|
||||
use tokio::process::Command;
|
||||
use std::{fs, io::Write, os::unix::fs::PermissionsExt, process::Stdio};
|
||||
use tokio::{net, process::Command};
|
||||
|
||||
use super::retry_or_ignore;
|
||||
use dkl::bootstrap::{Config, SSHServer};
|
||||
@@ -60,7 +56,7 @@ async fn handle_ssh_connections(listener: net::TcpListener, cfg: SSHServer) {
|
||||
}
|
||||
|
||||
for opt in &options {
|
||||
sshd_args.extend(["-o", &opt]);
|
||||
sshd_args.extend(["-o", opt]);
|
||||
}
|
||||
|
||||
let mut keygen_done = false;
|
||||
|
||||
@@ -3,7 +3,7 @@ use crate::input;
|
||||
pub async fn run() {
|
||||
tokio::spawn(async {
|
||||
// give a bit of time for stdout
|
||||
use tokio::time::{sleep, Duration};
|
||||
use tokio::time::{Duration, sleep};
|
||||
sleep(Duration::from_millis(200)).await;
|
||||
|
||||
if let Err(e) = input::forward_requests_from_socket().await {
|
||||
|
||||
+9
-8
@@ -1,10 +1,9 @@
|
||||
use std::io::Write;
|
||||
use std::sync::{LazyLock, Mutex};
|
||||
use std::time::SystemTime;
|
||||
use tokio::sync::watch;
|
||||
use tokio::task::JoinSet;
|
||||
use tokio::{io::AsyncWriteExt, sync::watch, task::JoinSet};
|
||||
|
||||
pub static LOG: LazyLock<Log> = LazyLock::new(Log::new);
|
||||
pub static LOG: LazyLock<Log> = LazyLock::new(Log::default);
|
||||
|
||||
pub fn init() {
|
||||
log::set_logger(&*LOG).expect("set_logger should not fail");
|
||||
@@ -19,8 +18,8 @@ pub struct Log {
|
||||
tasks: Mutex<Option<JoinSet<()>>>,
|
||||
}
|
||||
|
||||
impl Log {
|
||||
pub fn new() -> Self {
|
||||
impl Default for Log {
|
||||
fn default() -> Self {
|
||||
let (tx, rx) = watch::channel(0);
|
||||
Self {
|
||||
start: SystemTime::now(),
|
||||
@@ -30,7 +29,9 @@ impl Log {
|
||||
tasks: Mutex::new(Some(JoinSet::new())),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
impl Log {
|
||||
pub fn spawn(&self, task: impl Future<Output = ()> + Send + 'static) {
|
||||
if let Some(tasks) = self.tasks.lock().unwrap().as_mut() {
|
||||
tasks.spawn(task);
|
||||
@@ -47,7 +48,6 @@ impl Log {
|
||||
|
||||
pub async fn copy_to<W: tokio::io::AsyncWrite + Unpin>(&self, mut out: W) {
|
||||
let mut log = self.subscribe();
|
||||
use tokio::io::AsyncWriteExt;
|
||||
while let Some(chunk) = log.next().await {
|
||||
let _ = out.write_all(&chunk).await;
|
||||
let _ = out.flush().await;
|
||||
@@ -56,7 +56,8 @@ impl Log {
|
||||
|
||||
pub async fn close(&self) {
|
||||
self.tx.lock().unwrap().take();
|
||||
if let Some(tasks) = self.tasks.lock().unwrap().take() {
|
||||
let tasks = self.tasks.lock().unwrap().take();
|
||||
if let Some(tasks) = tasks {
|
||||
tasks.join_all().await;
|
||||
}
|
||||
}
|
||||
@@ -115,7 +116,7 @@ pub struct LogWatch<'t> {
|
||||
impl<'t> LogWatch<'t> {
|
||||
pub async fn next(&mut self) -> Option<Vec<u8>> {
|
||||
loop {
|
||||
let new_pos = self.rx.borrow_and_update().clone();
|
||||
let new_pos = *self.rx.borrow_and_update();
|
||||
if new_pos <= self.pos {
|
||||
if self.rx.changed().await.is_err() {
|
||||
return None; // finished
|
||||
|
||||
+9
-8
@@ -14,7 +14,7 @@ pub async fn read_password(prompt: impl Display) -> String {
|
||||
}
|
||||
|
||||
fn choice_char(s: &str) -> char {
|
||||
s.chars().skip_while(|c| *c != '[').skip(1).next().unwrap()
|
||||
s.chars().skip_while(|c| *c != '[').nth(1).unwrap()
|
||||
}
|
||||
|
||||
#[test]
|
||||
@@ -51,7 +51,7 @@ pub async fn read_choice<const N: usize>(choices: [&str; N]) -> char {
|
||||
|
||||
loop {
|
||||
let line = read_line(&prompt).await;
|
||||
let Some(ch) = line.chars().nth(0) else {
|
||||
let Some(ch) = line.chars().next() else {
|
||||
continue;
|
||||
};
|
||||
|
||||
@@ -70,8 +70,9 @@ pub struct InputRequest {
|
||||
}
|
||||
|
||||
pub type Reply = Arc<Mutex<Option<oneshot::Sender<String>>>>;
|
||||
type RequestSender = watch::Sender<Option<(InputRequest, Reply)>>;
|
||||
|
||||
static REQ: LazyLock<Mutex<watch::Sender<Option<(InputRequest, Reply)>>>> = LazyLock::new(|| {
|
||||
static REQ: LazyLock<Mutex<RequestSender>> = LazyLock::new(|| {
|
||||
let (tx, _) = watch::channel(None);
|
||||
Mutex::new(tx)
|
||||
});
|
||||
@@ -117,7 +118,7 @@ pub async fn answer_requests_from_stdin() {
|
||||
if req.hide {
|
||||
match termios::Termios::from_fd(0) {
|
||||
Ok(mut tio) => {
|
||||
saved_termios = Some(tio.clone());
|
||||
saved_termios = Some(tio);
|
||||
tio.c_lflag &= !termios::ECHO;
|
||||
if let Err(e) = termios::tcsetattr(0, termios::TCSAFLUSH, &tio) {
|
||||
warn!("password may be echoed! {e}");
|
||||
@@ -160,10 +161,10 @@ pub async fn answer_requests_from_stdin() {
|
||||
);
|
||||
|
||||
// restore term if input was hidden
|
||||
if let Some(tio) = saved_termios {
|
||||
if let Err(e) = termios::tcsetattr(0, termios::TCSAFLUSH, &tio) {
|
||||
warn!("failed to restore pty attrs: {e}");
|
||||
}
|
||||
if let Some(tio) = saved_termios
|
||||
&& let Err(e) = termios::tcsetattr(0, termios::TCSAFLUSH, &tio)
|
||||
{
|
||||
warn!("failed to restore pty attrs: {e}");
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+3
-3
@@ -1,4 +1,4 @@
|
||||
use eyre::{Result, format_err};
|
||||
use eyre::{format_err, Result};
|
||||
use tokio::process::Command;
|
||||
|
||||
#[derive(Debug, serde::Deserialize, serde::Serialize)]
|
||||
@@ -55,7 +55,7 @@ pub struct LV {
|
||||
|
||||
impl LV {
|
||||
pub fn equal_name(&self, vg_name: &str, lv_name: &str) -> bool {
|
||||
vg_name == &self.vg_name && lv_name == &self.lv_name
|
||||
vg_name == self.vg_name && lv_name == self.lv_name
|
||||
}
|
||||
}
|
||||
|
||||
@@ -90,7 +90,7 @@ async fn report_cmd<T>(cmd: &str, find: fn(ReportObj) -> Option<Vec<T>>) -> Resu
|
||||
.await?;
|
||||
|
||||
if !output.status.success() {
|
||||
let stderr = String::from_utf8_lossy(&output.stderr.trim_ascii());
|
||||
let stderr = String::from_utf8_lossy(output.stderr.trim_ascii());
|
||||
return Err(format_err!("{cmd} failed: {}", stderr));
|
||||
}
|
||||
|
||||
|
||||
+15
-15
@@ -1,6 +1,8 @@
|
||||
use eyre::Result;
|
||||
use log::warn;
|
||||
|
||||
use dkl::bootstrap::UdevFilter;
|
||||
|
||||
pub struct Device {
|
||||
sysname: String,
|
||||
output: String,
|
||||
@@ -41,7 +43,7 @@ pub fn get_devices(class: &str) -> Result<Vec<Device>> {
|
||||
let path = path.to_string_lossy();
|
||||
|
||||
let output = std::process::Command::new("udevadm")
|
||||
.args(&["info", &format!("--path={path}")])
|
||||
.args(["info", &format!("--path={path}")])
|
||||
.stderr(std::process::Stdio::piped())
|
||||
.output()?;
|
||||
|
||||
@@ -102,10 +104,7 @@ pub struct Devs {
|
||||
|
||||
impl<'t> Devs {
|
||||
pub fn iter(&'t self) -> impl Iterator<Item = Dev<'t>> {
|
||||
self.data
|
||||
.split("\n\n")
|
||||
.filter(|s| !s.is_empty())
|
||||
.map(|s| Dev(s))
|
||||
self.data.split("\n\n").filter(|s| !s.is_empty()).map(Dev)
|
||||
}
|
||||
|
||||
pub fn of_subsystem(&'t self, subsystem: &str) -> impl Iterator<Item = Dev<'t>> {
|
||||
@@ -174,7 +173,7 @@ pub enum Filter {
|
||||
False,
|
||||
}
|
||||
|
||||
impl<'t> Filter {
|
||||
impl Filter {
|
||||
pub fn matches(&self, dev: &Dev) -> bool {
|
||||
match self {
|
||||
Self::False => false,
|
||||
@@ -190,21 +189,22 @@ impl<'t> Filter {
|
||||
}
|
||||
}
|
||||
|
||||
impl<'t> Into<Filter> for dkl::bootstrap::UdevFilter {
|
||||
fn into(self) -> Filter {
|
||||
match self {
|
||||
Self::Has(p) => Filter::Has(p),
|
||||
Self::Eq(p, v) => Filter::Eq(p, v),
|
||||
Self::Glob(p, pattern) => match glob::Pattern::new(&pattern) {
|
||||
impl From<UdevFilter> for Filter {
|
||||
fn from(filter: UdevFilter) -> Filter {
|
||||
use UdevFilter::*;
|
||||
match filter {
|
||||
Has(p) => Filter::Has(p),
|
||||
Eq(p, v) => Filter::Eq(p, v),
|
||||
Glob(p, pattern) => match glob::Pattern::new(&pattern) {
|
||||
Ok(pattern) => Filter::Glob(p, pattern),
|
||||
Err(e) => {
|
||||
warn!("pattern {pattern:?} will never match: {e}");
|
||||
Filter::False
|
||||
}
|
||||
},
|
||||
Self::And(ops) => Filter::And(ops.into_iter().map(Self::into).collect()),
|
||||
Self::Or(ops) => Filter::Or(ops.into_iter().map(Self::into).collect()),
|
||||
Self::Not(op) => Filter::Not(Box::new((*op).into())),
|
||||
And(ops) => Filter::And(ops.into_iter().map(|op| op.into()).collect()),
|
||||
Or(ops) => Filter::Or(ops.into_iter().map(|op| op.into()).collect()),
|
||||
Not(op) => Filter::Not(Box::new((*op).into())),
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
+3
-3
@@ -11,7 +11,7 @@ static CMDLINE: LazyLock<String> = LazyLock::new(|| {
|
||||
.unwrap_or_default()
|
||||
});
|
||||
|
||||
fn cmdline() -> impl Iterator<Item = &'static str> {
|
||||
pub fn cmdline() -> impl Iterator<Item = &'static str> {
|
||||
CMDLINE.split_ascii_whitespace()
|
||||
}
|
||||
|
||||
@@ -66,7 +66,7 @@ impl NameAliases {
|
||||
|
||||
pub fn select_n_by_regex<'t>(
|
||||
n: i16,
|
||||
regexs: &Vec<String>,
|
||||
regexs: &[String],
|
||||
nas: impl Iterator<Item = &'t NameAliases>,
|
||||
) -> Vec<String> {
|
||||
// compile regexs
|
||||
@@ -91,7 +91,7 @@ pub fn select_n_by_regex<'t>(
|
||||
}
|
||||
}
|
||||
|
||||
pub async fn select_n_by_udev<'t>(
|
||||
pub async fn select_n_by_udev(
|
||||
n: i16,
|
||||
subsystem: &str,
|
||||
result_property: &str,
|
||||
|
||||
+19
-17
@@ -21,8 +21,6 @@ auths:
|
||||
sshKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICkpbU6sf4t0f6XAv9DuW3XH5iLM0AI5rc8PT2jwea1N
|
||||
password: bXlzZWVk:HMSxrg1cYphaPuUYUbtbl/htep/tVYYIQAuvkNMVpw0 # mypass
|
||||
|
||||
signer_public_key: MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQA29glSqk7MqoUIjD+UQG+b4v59pTFkn8rYtNhOftTe7uiLUvGFsjNdzP3tW64t/c6YD2p6dtI3oQXGOVQO1vIWPEBc6Sq++BRpQ0FVna+dgNQx8/kLXN9Na0ZYbK7q0haCI7/EHWOX79JFFxJE9HJ67AOMmXwGJ2jrfa1CUnWvfCmT+E=
|
||||
|
||||
ssh:
|
||||
listen: "[::]:22"
|
||||
user_ca: /user_ca.pub
|
||||
@@ -41,22 +39,24 @@ networks:
|
||||
udev: !has ID_NET_NAME_MAC
|
||||
script: |
|
||||
ip li set $iface up
|
||||
udhcpc -i $iface -b -t1 -T1 -A5 ||
|
||||
ip a add 2001:41d0:306:168f::1337:2eed/64 dev $iface
|
||||
ip a add 192.168.12.42/24 dev $iface
|
||||
ip a add fd12:6e76:7474::1337:2eed/64 dev $iface
|
||||
ip route add default via 192.168.12.254
|
||||
ip route add default via fd12:6e76:7474::1 dev $iface
|
||||
|
||||
pre_lvm_crypt:
|
||||
- name: sys-${name}
|
||||
udev: !glob [ DEVNAME, /dev/vd* ]
|
||||
#pre_lvm_crypt:
|
||||
#- name: sys-${name}
|
||||
# udev: !glob [ DEVNAME, /dev/vd* ]
|
||||
|
||||
lvm:
|
||||
- vg: storage
|
||||
pvs:
|
||||
n: 2
|
||||
regexps:
|
||||
- ^/dev/mapper/sys-
|
||||
#- ^/dev/mapper/sys-
|
||||
# to match full disks
|
||||
#- /dev/nvme[0-9]+n[0-9]+
|
||||
#- /dev/vd[a-z]+
|
||||
- /dev/vd[a-z]+
|
||||
#- /dev/sd[a-z]+
|
||||
#- /dev/hd[a-z]+
|
||||
# to match partitions:
|
||||
@@ -72,11 +72,16 @@ lvm:
|
||||
|
||||
lvs:
|
||||
- name: bootstrap
|
||||
size: 2g
|
||||
size: 1g
|
||||
|
||||
- name: varlog
|
||||
extents: 10%FREE
|
||||
# size: 10g
|
||||
size: 256m
|
||||
- name: kubelet
|
||||
size: 256m
|
||||
- name: containerd
|
||||
size: 1g
|
||||
- name: etcd
|
||||
size: 256m
|
||||
|
||||
- name: podman
|
||||
extents: 10%FREE
|
||||
@@ -90,11 +95,8 @@ lvm:
|
||||
#- dev: /dev/storage/bootstrap
|
||||
#- dev: /dev/storage/dls
|
||||
|
||||
signer_public_key: 'MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAd5sR4NqLtjSt8ESNlYWvuufYj7v+aYGDlgxQThcKbzDPVe639IfH94hHE0l9TAfyU94qtN/GpFyKJ68F/u2pu70A/umT1m24ELFDqXlQXqhTsH91r+nYUZ7due3EqSrvru/yjchNNRkpoCCu3QkDF25KnrYfWWHqj9ZIRlBTCJE9SwM='
|
||||
bootstrap:
|
||||
#dev: /dev/mapper/bootstrap
|
||||
dev: /dev/storage/bootstrap
|
||||
# TODO seed: https://direktil.novit.io/bootstraps/dls-crypt
|
||||
seed: http://192.168.10.254:7606/hosts/m1/bootstrap.tar
|
||||
# TODO seed_sign_key: "..."
|
||||
# TODO load_and_close: true
|
||||
seed: http://192.168.12.254:7606/public/download-set/host/m1/bootstrap.tar?set=ICM5KUZDRAMJPMO5OWW6PSIFYF4AHMYLAQSBZVFUDNG4DQDEW6UFQQJQKMGIXPI4CFOZFVA4CXULRXCAHKX3WELVAYS246FM6SGSGHIOAQRE2GDEOC4RUAAAQA3GEZDFMUZDOMD4NA5CUOTCN5XXI43UOJQXALTUMFZAAAAAACHHUMRU
|
||||
|
||||
|
||||
Binary file not shown.
BIN
Binary file not shown.
Reference in New Issue
Block a user