X-Original-To: alpine-devel@lists.alpinelinux.org
Delivered-To: alpine-devel@mail.alpinelinux.org
References: <73d18b671f2fb6008af1bf7e04ffcccd@it-offshore.co.uk>
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development
Mime-Version: 1.0 (1.0)
In-Reply-To: <73d18b671f2fb6008af1bf7e04ffcccd@it-offshore.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Message-Id: <927F344C-F32F-4E70-97AA-6F51498F3902@gmail.com>
Cc: "alpine-devel@lists.alpinelinux.org"
X-Mailer: iPhone Mail (12B466)
From: Orion
Subject: Re: [alpine-devel] [PATCH] main/alpine-conf: setup-disk + support for LUKS installs
Date: Mon, 2 Mar 2015 07:17:33 -0800
To: "developer@it-offshore.co.uk"

Thank you.

Sent from my iPhone

> On Mar 2, 2015, at 04:49, developer@it-offshore.co.uk wrote:
>
> Adds support for installing Alpine to multiple LUKS partitions
> (& optionally set up keys for auto mounting non root partitions).
>
> Also supports installing to LVM on LUKS.
>
> Mount the LUKS devices & 'setup-disk -E $MNT' or just 'setup-disk -E'
>
> It shouldn't affect any other type of installation as any changes rely
> on $CRYPTDM being set. I've attached the complete script to test.
> ---
> .../0002-setup-disk-add-luks-support.patch | 242 +++++++++++++++++++++++
> main/alpine-conf/APKBUILD | 12 +-
> 2 files changed, 250 insertions(+), 4 deletions(-)
> create mode 100644 main/alpine-conf/0002-setup-disk-add-luks-support.patch
>
> diff --git a/main/alpine-conf/0002-setup-disk-add-luks-support.patch b/main/alpine-conf/0002-setup-disk-add-luks-support.patch
> new file mode 100644
> index 0000000..9ef2d90
> --- /dev/null
> +++ b/main/alpine-conf/0002-setup-disk-add-luks-support.patch
> @@ -0,0 +1,242 @@ > +--- alpine-conf*/setup-disk.in > ++++ alpine-conf*/setup-disk.new > +@@ -43,6 +43,14 @@ > + case "$1" in > + /dev/md*) echo "$1" && return 0;; > + esac > ++ # crypted devices need a device mapper in fstab not an LVM volume > ++ if [ -n "$CRYPTDM" ]; then > ++ if echo $1| grep "^/dev/$(find_luks_vg)/" 1> /dev/null; then > ++ echo "$(convert_vg_to_mapper $1)" && return 0 > ++ elif echo $1| grep "^/dev/mapper/" 1>/dev/null; then > ++ echo "$1" && return 0 > ++ fi > ++ fi > + for i in $(_blkid "$1"); do > + case "$i" in > + UUID=3D*) eval $i;; > +@@ -214,6 +222,14 @@ > + pvs=3D$(find_pvs_in_vg $vg) > + fi > + > ++ if [ -n "$CRYPTDM" ]; then > ++ initfs_features=3D"$initfs_features cryptsetup" > ++ if is_luks_pv "$CRYPTDM" && [ -z $(echo $initfs_features| grep -= w "lvm") ]; then > ++ initfs_features=3D"$initfs_features lvm" > ++ local vg=3D$(find_luks_vg) > ++ pvs=3D$(find_pvs_in_vg $vg) > ++ fi > ++ fi > + > + bootdev=3D$(find_mount_dev "$mnt"/boot) > + if [ -z "$bootdev" ]; then > +@@ -287,6 +303,10 @@ > + if has_bootopt nomodeset; then > + kernel_opts=3D"nomodeset $kernel_opts" > + fi > ++ if [ -n "$CRYPTDM" ]; then > ++ kernel_opts=3D"$kernel_opts cryptroot=3D$CRYPTROOT cryptdm=3D$CR= YPTDM" > ++ setup_crypttab > ++ fi > + modules=3D"sd-mod,usb-storage,${root_fs}${raidmod}" > + sed -e "s:^root=3D.*:root=3D$root:" \ > + -e "s:^default_kernel_opts=3D.*:default_kernel_opts=3D\"$kernel_o= pts\":" \ > +@@ -460,7 +480,7 @@ > + local answer=3D > + local erasedisks=3D"$@" > + if [ "$ERASE_DISKS" =3D "$erasedisks" ]; then > +- reeturn 0 > ++ return 0 > + fi > + echo "WARNING: The following disk(s) will be erased:" > + show_disk_info $@ > +@@ -506,7 +526,7 @@ > + > + # find the bootable partition on given disk > + find_boot_partition() { > +- sfdisk -d $1 | awk '/bootable/ {print $1}' > ++ sfdisk -L -d $1 | awk '/bootable/ {print $1}' > + } > + > + # find the partition(s) for LVM > +@@ -659,6 +679,95 @@ > + fi > + } > + > ++find_mount_point() { > ++ 
local device=3D$1 > ++ awk "\$1 =3D=3D \"$device\" {print \$2}" /proc/mounts | tail -n 1 > ++} > ++ > ++find_mapper_disk() { > ++ cryptsetup status $1|grep device|awk '{ print $2 }' > ++} > ++ > ++find_luks_vg() { > ++ if is_luks_pv; then > ++ pvs --noheadings /dev/mapper/$CRYPTDM |awk '{ print $2 }' > ++ fi > ++} > ++ > ++is_luks_pv() { > ++ pvs --noheadings|awk '{ print $1 }'| grep -w $CRYPTDM &>/dev/null > ++} > ++ > ++convert_vg_to_mapper() { > ++ local mapper=3D"${1##*/}" local vg=3D$(find_luks_vg) > ++ echo "/dev/mapper/$vg-$mapper" > ++} > ++ > ++convert_lv_to_device() { > ++ local lv=3D"${1##*/}" local vg=3D$(find_luks_vg) > ++ if [ -n "$(find_mount_point /dev/$vg/$lv)" ]; then > ++ echo "/dev/$vg/$lv" > ++ elif [ -n "$(find_mount_point /dev/mapper/$vg-$lv)" ]; then > ++ echo "/dev/mapper/$vg-$lv" > ++ fi > ++} > ++ > ++setup_crypttab() { > ++ local keysdir=3D${keysdir:-$mnt/etc/luks-keys} > ++ local keyfile=3D local answer=3D local i=3D > ++ local config=3D$mnt/etc/conf.d/dmcrypt > ++ > ++ if [ -f "$mnt"/etc/crypttab ]; then > ++ mv "$mnt"/etc/crypttab "$mnt"/etc/crypttab.old > ++ fi > ++ > ++ if [ $(echo $DMLIST|wc -w) -gt 1 ]; then > ++ read -p "Setup LUKS keyfiles for automatic mounting? [y/N]: " an= swer > ++ case "$answer" in > ++ y*|Y*) mkdir -p $mnt/etc/conf.d; cp ${config#$mnt} $config > ++ ln -s /etc/init.d/dmcrypt $mnt/etc/runlevels/boot/dmcrypt= 2>/dev/null > ++ read -p "Enter directory for keys [ ${keysdir#$mnt} ]: " a= nswer > ++ until [ -d "$keysdir" ]; do > ++ if [ -n "$answer" ]; then keysdir=3D$mnt$answer; fi > ++ mkdir -p $keysdir > ++ done; echo "Creating $keysdir" > ++ for i in $DMLIST; do > ++ if [ "$i" !=3D "$CRYPTDM" ]; then > ++ read -p "Create key for /dev/mapper/$i [y/N]? : " an= swer > ++ case "$answer" in > ++ y*|Y*) if ! cryptsetup luksDump $(find_mapper_dis= k $i)|grep ": DISABLED" 1>/dev/null; then > ++ echo "All keyslots full: Choose slot to wipe? 
[1= -7]:" > ++ until [ $answer -ge 1 2>/dev/null ] && [ $answer= -le 7 2>/dev/null ]; do > ++ echo -en "\033[1;31m>>>\033[37m: \033[0m"; r= ead answer > ++ echo -en "\033[1A\033[K" #move the cursor & c= lear the line > ++ done > ++ cryptsetup luksKillSlot $(find_mapper_disk $i) $= answer > ++ fi > ++ dd if=3D/dev/urandom of=3D$keysdir/$i bs=3D1024 c= ount=3D4 > ++ cryptsetup luksAddKey $(find_mapper_disk $i) $ke= ysdir/$i > ++ echo -e "\n## Settings from /sbin/setup-disk" >>= $config > ++ echo "target=3D$i" >> $config > ++ echo "source=3D$(find_mapper_disk $i)" >> $confi= g > ++ echo "key=3D${keysdir#$mnt}/$i" >> $config > ++ esac > ++ fi > ++ done > ++ chmod -R 400 $keysdir;chown -R root:root $keysdir > ++ esac > ++ fi > ++ > ++ for i in $DMLIST; do > ++ if [ -f "$keysdir/$i" ];then > ++ keyfile=3D"$keysdir/$i" > ++ else > ++ keyfile=3D"none" > ++ fi > ++ # crypttab needs the UUID of the physical device > ++ echo "# $i is on $(find_mapper_disk $i)" >> $mnt/etc/crypttab > ++ echo "$i $(_blkid $(find_mapper_disk $i)|awk '{ print $2 }') $ke= yfile luks" >> $mnt/etc/crypttab > ++ done > ++} > ++ > + data_only_disk_install_lvm() { > + local diskdev=3D > + local vgname=3Dvg0 > +@@ -902,6 +1011,7 @@ > + -q Exit quietly if no disks are found > + -r Enable software raid1 with single disk > + -s Use SWAPSIZE MB instead of autodetecting swap size (Use 0 to disabl= e swap) > ++ -E Use Encrypted LUKS devices (LVM or Standard Partitions are supporte= d) > + -v Be more verbose about what is happening > + > + __EOF__ > +@@ -918,7 +1028,7 @@ > + DISK_MODE=3D > + USE_LVM=3D > + # Parse args > +-while getopts "hk:Lm:o:qrs:v" opt; do > ++while getopts "hk:Lm:o:qrs:vE" opt; do > + case $opt in > + m) DISK_MODE=3D"$OPTARG";; > + k) KERNEL_FLAVOR=3D"$OPTARG";; > +@@ -928,10 +1038,67 @@ > + r) USE_RAID=3D1;; > + s) SWAP_SIZE=3D"$OPTARG";; > + v) VERBOSE=3D1;; > ++ E) CRYPTROOT=3D1;; > + *) usage;; > + esac > + done > + shift $(( $OPTIND - 1)) > ++ > ++if [ -n "$CRYPTROOT" ]; then > ++ 
DMLIST=3D$(dmsetup ls --target crypt|awk '{ print $1 }') > ++ if [ -z "$DMLIST" ]; then echo "No Crypt Devices found."; exit 1; fi= > ++ echo -en "\033[1;4m\nSelect LUKS ROOT Device Mapper:\033[0m\n\n\033[= 1m$DMLIST\033[0m\n\n" > ++ > ++ until echo "$DMLIST" | grep -w "$CRYPTDM" 1>/dev/null; do > ++ echo -en "\033[1;32m>>>\033[37m: \033[0m"; read CRYPTDM; > ++ echo -en "\033[1A\033[K" #move the cursor & clear the line > ++ done > ++ > ++ CRYPTROOT=3D$(find_mapper_disk $CRYPTDM) > ++ CRYPTDISK=3D$(echo $CRYPTROOT | tr -d '[:digit:]') > ++ > ++ apk add --quiet sfdisk > ++ if [ -z $(find_boot_partition) ]; then > ++ echo "No Boot Device detected."; exit 1 > ++ fi > ++ if ! grep "$(find_boot_partition)" /proc/mounts 1>/dev/null; then > ++ echo "Boot Device '$(find_boot_partition)' is not mounted."; exi= t 1 > ++ fi > ++ > ++ if is_luks_pv; then > ++ if [ -z "$(find_lvm_partition $CRYPTDISK)" ]; then > ++ echo "$CRYPTROOT partition is not set to type 8e."; exit 1 > ++ fi > ++ fi > ++ > ++ if [ ! 
"$1" ]; then > ++ if is_luks_pv; then > ++ lvscan |awk '{ print $2,$3,$4 }' |sed "s/'//g" > ++ echo -en "\nSelect root device?\n\n" # ro= ws to columns > ++ part_list=3D$(lvscan |awk '{ print $2 }' |sed "s:/dev/$(find= _luks_vg)/::g"|tr "\n" " ") > ++ until [ -n "$(find_mount_point $(convert_lv_to_device $answe= r))" &>/dev/null ]; do > ++ if [ -n "$answer" ]; then echo -e "\033[1;31m$answer: no= t mounted";sleep 1;echo -en "\033[1A\033[K";fi > ++ echo -en "\033[1;32m>>>\033[37m[ $part_list]: \033[0m"; r= ead answer > ++ echo -en "\033[1A\033[K" > ++ done > ++ SYSROOT=3D$(find_mount_point $(convert_lv_to_device $answer)= ) > ++ rc-update add lvm boot > ++ else > ++ SYSROOT=3D$(find_mount_point /dev/mapper/$CRYPTDM) > ++ fi > ++ if [ -n "$SYSROOT" ]; then > ++ set $SYSROOT > ++ else > ++ echo "Device '$CRYPTDM' is not mounted."; exit 1 > ++ fi > ++ fi > ++ > ++ if is_luks_pv; then > ++ echo "root device =3D $(convert_lv_to_device $answer)" > ++ fi > ++ echo "cryptdm =3D $CRYPTDM" > ++ echo "cryptroot =3D $CRYPTROOT mounted@: $1" > ++fi > + > + if [ -d "$1" ]; then > + # install to given mounted root > diff --git a/main/alpine-conf/APKBUILD b/main/alpine-conf/APKBUILD > index fad1892..9583f83 100644 > --- a/main/alpine-conf/APKBUILD > +++ b/main/alpine-conf/APKBUILD > @@ -1,7 +1,7 @@ > # Maintainer: Natanael Copa > pkgname=3Dalpine-conf > pkgver=3D3.1.0 > -pkgrel=3D2 > +pkgrel=3D3 > pkgdesc=3D"Alpine configuration management scripts" > url=3Dhttp://git.alpinelinux.org/cgit/$pkgname > arch=3D"all" > @@ -10,6 +10,7 @@ depends=3D"openrc" > source=3D"http://dev.alpinelinux.org/archive/alpine-conf/alpine-conf-$pkgv= er.tar.xz > 0001-update-kernel-fix-typo.patch > 0001-setup-disk-pass-nomodeset-boot-option.patch > + 0002-setup-disk-add-luks-support.patch > " >=20 > _builddir=3D"$srcdir"/$pkgname-$pkgver 
> @@ -38,10 +39,13 @@ package() { >=20 > md5sums=3D"d48adaa13dbba0e4c461b39a59fb1c10 alpine-conf-3.1.0.tar.xz > fe4a81cdf9d30c1f0bbcc9977e96410a 0001-update-kernel-fix-typo.patch > -4b7844387da57e3ffdcd1e09c0a45fb6 0001-setup-disk-pass-nomodeset-boot-opt= ion.patch" > +4b7844387da57e3ffdcd1e09c0a45fb6 0001-setup-disk-pass-nomodeset-boot-opt= ion.patch > +b5f04d1ebe1f4dcbb8a520f1184d9a41 0002-setup-disk-add-luks-support.patch"= > sha256sums=3D"5c5c3081fba18c0303bd29ccf8caab5d550c0a767f9b3b1e6a0644b71766= 1122 alpine-conf-3.1.0.tar.xz > cc1a2254eae01c2cde362cc7cf65d6e5ba7d53a7ced8a170b0502130af6877be 0001-upd= ate-kernel-fix-typo.patch > -a5e486f41dafdca904e1d67b2bb26d871e6ec9597295e1fc21ea5d8995986570 0001-se= tup-disk-pass-nomodeset-boot-option.patch" > +a5e486f41dafdca904e1d67b2bb26d871e6ec9597295e1fc21ea5d8995986570 0001-se= tup-disk-pass-nomodeset-boot-option.patch > +8befff4156c1f6155ad0b59082bb60d9d418806151d7450977c01b2cbac6c2bd 0002-se= tup-disk-add-luks-support.patch" > sha512sums=3D"22ce9a149171cf8503937b60d36ec2b69fb95123d3e3f7776cc3c9e0f14c= dc8a9a2338be8c223233652cd1456f6b55bbc71ed0deda2efb75f0e62b67a4c40088 alpine= -conf-3.1.0.tar.xz > 7f30c7ecb696b4fbf815802bd9d369f2d21a2b2502efdeac3af260df72195c19199fddc817= 02eb204746146433a23c0649bcf1b8a71c57a34971c4457f0ac33f 0001-update-kernel-f= ix-typo.patch > -3ff38ab78bc0a07762c7c3668cf4daaa4ca2d030ef148e61de6dbb1df4589fd2c844c992f= 35ce64aa9cc3125d7422ba9deb727259cc68a61e7f6d6ff22de16f7 0001-setup-disk-pas= s-nomodeset-boot-option.patch" > +3ff38ab78bc0a07762c7c3668cf4daaa4ca2d030ef148e61de6dbb1df4589fd2c844c992f= 35ce64aa9cc3125d7422ba9deb727259cc68a61e7f6d6ff22de16f7 0001-setup-disk-pas= s-nomodeset-boot-option.patch > +96a7e993879a676d32d41a0c29b31803b04731f64107eb651147560aef8de9c179883d1d5= 5eb23fad0ad4347b535c5fe94ccd2135f3b744ecddfa6f34ee22c99 0002-setup-disk-add= -luks-support.patch" > --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---
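Review bot: the embedded patch (hunk @@ -0,0 +1,242 @@) carries glob-style file headers, `--- alpine-conf*/setup-disk.in` and `+++ alpine-conf*/setup-disk.new`; `patch -p1` strips the first component so it still applies, but a different file name on each side is misleading and will confuse anyone regenerating the patch. Use the conventional `a/setup-disk.in` / `b/setup-disk.in` headers (git format-patch produces them) so the patch is reproducible.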
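Review bot: in the inner hunk @@ -43,6 +43,14 @@ the new branch `echo $1| grep "^/dev/$(find_luks_vg)/"` only works by accident when the LUKS device is not an LVM PV: `find_luks_vg` prints nothing and the pattern degenerates to `^/dev//`, which merely never matches. Guard the VG branch with `is_luks_pv`, quote `"$1"`, and consider expressing both branches as a `case "$1" in /dev/mapper/*) ...` next to the existing `/dev/md*)` case just above, which is the style the surrounding code already uses.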
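Review bot: in the inner hunk @@ -214,6 +222,14 @@ the test `[ -z $(echo $initfs_features| grep -w "lvm") ]` leaves the command substitution unquoted, so when grep prints nothing the shell evaluates `[ -z ]`, which succeeds only because a lone `-z` is a non-empty string. Replace it with `if is_luks_pv && ! echo "$initfs_features" | grep -qw lvm; then`. Also, `is_luks_pv "$CRYPTDM"` passes an argument that the function (defined in the @@ -659 hunk) never reads; either make `is_luks_pv` use `$1` or drop the argument.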
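Review bot: in the inner hunk @@ -287,6 +303,10 @@ the kernel command line gets `cryptroot=$CRYPTROOT` where `$CRYPTROOT` is the raw block device returned by `find_mapper_disk` (a /dev/sdXN-style name); such names can change when disks are added or enumerated in a different order, while the crypttab written by `setup_crypttab` in the same patch already records UUIDs from `_blkid`. If the initramfs accepts a UUID form for `cryptroot`, emit that here as well; if it does not, say so in the commit message so the limitation is known.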
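Review bot: the inner hunk @@ -460,7 +480,7 @@ fixes `reeturn 0` to `return 0` in the erase-disks confirmation, a real bug, but it is unrelated to LUKS support and contradicts the cover letter's statement that all changes depend on `$CRYPTDM`; split it into its own commit so it can be applied and backported independently.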
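Review bot: the inner hunk @@ -506,7 +526,7 @@ changes `find_boot_partition` to `sfdisk -L -d $1` for every install mode, not only `-E`, and the reason is not given; `-L` (`--Linux`) on the classic sfdisk only suppresses warnings about things irrelevant to Linux, so if it is needed to keep the `awk '/bootable/'` filter working, explain that in the commit message or, again, make it a separate commit.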
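Review bot: the new helpers in the inner hunk @@ -659,6 +679,95 @@ have several shell problems. `local mapper="${1##*/}" local vg=$(find_luks_vg)` (in `convert_vg_to_mapper` and `convert_lv_to_device`) and `local keyfile= local answer= local i=` (in `setup_crypttab`) put a second `local` on the same line, where it is just another variable name to declare; write one `local` per line. `grep -w $CRYPTDM &>/dev/null` in `is_luks_pv` uses the bash-only `&>` redirection in a `#!/bin/sh` script and leaves `$CRYPTDM` unquoted; use `grep -qw "$CRYPTDM"`. `chmod -R 400 $keysdir` also sets 0400 on the directory itself; use 0700 for the directory and 0400 for the key files. The "All keyslots full: Choose slot to wipe?" prompt runs `luksKillSlot` on whatever number the user types, including the slot holding their passphrase; print the `luksDump` slot list and ask for confirmation before killing a slot. Finally, the crypttab line takes the UUID as field 2 of `_blkid` output with `awk '{ print $2 }'`; the existing code at the top of the @@ -43 hunk shows the robust way, iterating `$(_blkid ...)` and `eval`-ing the `UUID=*` pair.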
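Review bot: in the inner hunk @@ -928,10 +1038,67 @@, `CRYPTDISK=$(echo $CRYPTROOT | tr -d '[:digit:]')` derives the parent disk by deleting every digit, which is wrong for /dev/nvme0n1p2 (gives /dev/nvmenp) and /dev/mmcblk0p1; resolve the parent via `/sys/class/block/<name>/..` or `lsblk -no PKNAME` instead. `find_boot_partition` is defined with a device argument (`sfdisk -L -d $1` in the @@ -506 hunk) but is called here three times without one; pass `$CRYPTDISK`. `grep "$(find_boot_partition)" /proc/mounts` matches as a substring, so /dev/sda1 is satisfied by a mounted /dev/sda10; anchor it (`grep -q "^$(find_boot_partition) "`). Lastly, `E) CRYPTROOT=1` uses `CRYPTROOT` as the option flag and then overwrites it with the device path from `find_mapper_disk`; a dedicated `USE_CRYPT=1`, matching the existing `USE_LVM`/`USE_RAID` convention a few lines above, avoids the double meaning.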
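Review bot: the APKBUILD hunks @@ -10,6 +10,7 @@ and @@ -38,10 +39,13 @@ add a 242-line patch to aports for a file, setup-disk.in, that belongs to alpine-conf itself (the APKBUILD's `url` points at git.alpinelinux.org/cgit/alpine-conf); the checksum and pkgrel bookkeeping is correct, but a change of this size should be submitted against the alpine-conf repository so it does not have to be rebased at every alpine-conf release.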