msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: msw:8540cfebfa19e488431b93d7866304fa3c4122f330d1d64250b3d47fdbffd605
Branches Tags
msw:master
...
compare: msw:8632ef5fb6ef47d883aefaeb7185ac2fd33e721f202ec5d2c619a02a9c60cb5b
Branches Tags
msw:master

2 Commits
8540cfebfa ... 8632ef5fb6

Author SHA256 Message Date
Marc S. Weidner
8632ef5fb6 Merge remote-tracking branch 'origin/master'
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 54s
Details
2025-08-17 20:49:27 +02:00
Marc S. Weidner
559f36d906 V8.00.000.2025.06.17 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
 2025-08-17 20:48:58 +02:00
29 changed files with 443 additions and 88 deletions
Expand all files Collapse all files

6
.preseed/preseed.yaml
View File

@@ -85,12 +85,12 @@ debootstrap: # Provide a mirror for downloading the Debian pac
mirror: "https://deb.debian.org/debian"
# The following packages MUST be included in the debootstrap.
includes: "busybox,ca-certificates,locales,openssl,tzdata,zstd"
distribution: "trixie" # MUST be "bookworm".
distribution: "trixie" # MUST be "trixie".
debian_suite: "stable" # MUST be "stable". Not supported yet: "testing", "experimental".
exit:
halt: false # This is how to make the installer shutdown when finished, but not reboot.
poweroff: true # This will power off the machine instead of just halting it (RECOMMENDED).
reboot: false # This will reboot the machine.
poweroff: false # This will power off the machine instead of just halting it (RECOMMENDED).
reboot: true # This will reboot the machine.
firmware:
install: true # If non-free firmware is needed for the network or other hardware, autoinstall it.
lookup: "missing" # - "never" Completely disables the firmware search.

12
func/cdi_1000_helper/1080_helper_chroot.sh
View File

@@ -13,9 +13,9 @@
guard_sourcing
#######################################
# Use do_in_target() for:
# Use chroot_exec() for:
# - simple commands (e.g., dpkg, ln, mkdir, apt, etc.).
# Use do_in_target_script() for:
# Use chroot_script() for:
# - all shell scripts, redirects, pipes, conditions, loops, or subshells.
#######################################
@@ -31,7 +31,7 @@ guard_sourcing
# 0: on success
# ERR_CHRT_COMMAND: on failure
#######################################
do_in_target() {
chroot_exec() {
declare var_chroot_target="$1"; shift
declare -a ary_chroot_command=("$@")
declare -r var_default_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -39,7 +39,7 @@ do_in_target() {
if (( ${#ary_chroot_command[@]} == 0 )); then
do_log "emergency" "file_only" "1080() Empty command passed to 'do_in_target()'."
do_log "emergency" "file_only" "1080() Empty command passed to 'chroot_exec()'."
return "${ERR_CHRT_COMMAND}"
fi
@@ -89,7 +89,7 @@ do_in_target() {
# 0: on success
# ERR_CHRT_COMMAND: on failure
#######################################
do_in_target_script() {
chroot_script() {
declare var_chroot_target="$1"
declare var_chroot_script="$2"
declare var_log_level_on_error="${3:-emergency}"
@@ -98,7 +98,7 @@ do_in_target_script() {
if [[ -z "${var_chroot_script}" ]]; then
do_log "emergency" "file_only" "1080() Empty command passed to 'do_in_target_script()'."
do_log "emergency" "file_only" "1080() Empty command passed to 'chroot_script()'."
return "${ERR_CHRT_COMMAND}"
fi

6
func/cdi_4000_debootstrap/4010_prepare_mounts.sh
View File

@@ -99,14 +99,14 @@ prepare_mounts() {
fi
if ! do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
if ! chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "emergency" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
do_log "emergency" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] failed."
return "${ERR_CHRT_MOUNTS}"
fi
do_log "info" "file_only" "4010() Command: [do_in_target ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
do_log "info" "file_only" "4010() Command: [chroot_exec ${TARGET} mkdir -p /etc/systemd/system/multi-user.target.wants] successful."
mkdir -p "${TARGET}/media/cdrom0"

6
func/cdi_4000_debootstrap/4020_remove_x509.sh
View File

@@ -28,13 +28,13 @@ remove_x509() {
"${TARGET}/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh"
if ! do_in_target_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
if ! chroot_script "${TARGET}" "/root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh" "emergency"; then
do_log "warn" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
do_log "warn" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] failed."
else
do_log "debug" "file_only" "4020() Command: [do_in_target_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
do_log "debug" "file_only" "4020() Command: [chroot_script ${TARGET} /root/.ciss/cdi/hooks/4020_remove_x509.hooks.sh emergency] successful."
fi

4
func/cdi_4000_debootstrap/4040_setup_timezone.sh
View File

@@ -30,9 +30,9 @@ EOF
chmod 0644 "${TARGET}/etc/timezone"
do_log "info" "file_only" "4040() File generated: '${TARGET}/etc/timezone' | timezone '${ntp_timezone:-UTC}'."
do_in_target "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
chroot_exec "${TARGET}" ln -sf "/usr/share/zoneinfo/${ntp_timezone}" /etc/localtime
do_in_target "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
chroot_exec "${TARGET}" dpkg-reconfigure -f noninteractive tzdata
guard_dir && return 0
}

2
func/cdi_4000_debootstrap/4050_setup_locales.sh
View File

@@ -113,7 +113,7 @@ LC_IDENTIFICATION=${ARY_LOCALE[0]}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
EOF
chmod 0700 "${TARGET}${var_locale_hook}"
do_in_target_script "${TARGET}" "${var_locale_hook}"
chroot_script "${TARGET}" "${var_locale_hook}"
### Set the keyboard layout for the system (for consoles).
cat << EOF >| "${TARGET}/etc/default/keyboard"

6
func/cdi_4100_base/4110_update_sources.sh
View File

@@ -33,14 +33,14 @@ update_sources() {
### Update generated sources.
# shellcheck disable=SC2312
do_in_target_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
chroot_script "${TARGET}" "apt-get update 2>&1 | tee -a ${var_logfile}; echo ExitCode: \$? >> ${var_logfile}"
do_log "info" "file_only" "4110() Sources lists: updated successfully."
### Update unattended, security, or no unattended updates at all.
if [[ "${apt_updates_policy,,}" == "unattended" ]]; then
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -49,7 +49,7 @@ update_sources() {
elif [[ "${apt_updates_policy,,}" == "security" ]]; then
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests unattended-upgrades 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}

4
func/cdi_4100_base/4120_installation_kernel.sh
View File

@@ -34,7 +34,7 @@ installation_kernel() {
if [[ -n "${VAR_KERNEL}" ]]; then
do_in_target_script "${TARGET}" '
chroot_script "${TARGET}" '
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests '"${VAR_KERNEL}"' initramfs-tools 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'
@@ -46,7 +46,7 @@ installation_kernel() {
else
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${image} initramfs-tools 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}

4
func/cdi_4100_base/4130_installation_toolset.sh
View File

@@ -106,7 +106,7 @@ installation_toolset() {
### Collecting missing binaries.
for var_bin in "${!hmp_tool_pkg[@]}"; do
if ! do_in_target_script "${TARGET}" "command -v ${var_bin} >/dev/null" "debug"; then
if ! chroot_script "${TARGET}" "command -v ${var_bin} >/dev/null" "debug"; then
ary_missing_pkgs+=("${hmp_tool_pkg[${var_bin}]}")
fi
@@ -120,7 +120,7 @@ installation_toolset() {
mapfile -t ary_unique_pkgs < <(printf '%s\n' "${ary_missing_pkgs[@]}" | sort -u)
do_log "debug" "file_only" "4130() [ary_unique_pkgs]='${ary_unique_pkgs[*]}'."
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${ary_unique_pkgs[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}

6
func/cdi_4100_base/4131_installation_systemd.sh
View File

@@ -30,10 +30,10 @@ installation_systemd() {
chroot_logger "${TARGET}${var_logfile}"
if ! do_in_target_script "${TARGET}" "type -P systemctl >/dev/null"; then
if ! chroot_script "${TARGET}" "type -P systemctl >/dev/null"; then
do_log "info" "file_only" "4131() 'systemctl' NOT found, installing 'systemd' and dependencies."
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests systemd systemd-sysv dbus 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -45,7 +45,7 @@ installation_systemd() {
fi
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
systemctl --version 2>&1 | tee -a ${var_logfile} | grep -qi 'systemd' || echo '[WARN]: systemd not verifiable' >> ${var_logfile}
"

4
func/cdi_4100_base/4132_installation_machineid.sh
View File

@@ -22,10 +22,10 @@ guard_sourcing
# 0: on success
#######################################
installation_machineid() {
if ! do_in_target_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
if ! chroot_script "${TARGET}" "[[ -s /etc/machine-id ]]"; then
do_log "info" "file_only" "4132() Generating /etc/machine-id via systemd-machine-id-setup."
do_in_target "${TARGET}" systemd-machine-id-setup
chroot_exec "${TARGET}" systemd-machine-id-setup
else

2
func/cdi_4100_base/4133_installation_masking.sh
View File

@@ -22,7 +22,7 @@ guard_sourcing
# 0: on success
#######################################
installation_masking() {
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
systemctl mask ctrl-alt-del.target sleep.target suspend.target hibernate.target hybrid-sleep.target
"

6
func/cdi_4100_base/4140_installation_microcode.sh
View File

@@ -52,9 +52,9 @@ installation_microcode() {
###########################################################################################
if [[ "${var_whereiam}" != "kvm" && -n "${var_microcode_pkgs}" ]]; then
if ! do_in_target_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
if ! chroot_script "${TARGET}" "dpkg -s ${var_microcode_pkgs} >/dev/null 2>&1"; then
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -62,7 +62,7 @@ installation_microcode() {
else
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests --only-upgrade ${var_microcode_pkgs} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}

355
func/cdi_4100_base/4145_installation_firmware.sh Normal file
View File

@@ -0,0 +1,355 @@
#!/bin/bash
# SPDX-Version: 3.0
# SPDX-CreationInfo: 2025-06-17; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-ExternalRef: GIT https://git.coresecret.dev/msw/CISS.debian.installer.git
# SPDX-FileContributor: WEIDNER, Marc S.; Centurion Intelligence Consulting Agency
# SPDX-FileCopyrightText: 2024-2025; WEIDNER, Marc S.; <msw@coresecret.dev>
# SPDX-FileType: SOURCE
# SPDX-License-Identifier: EUPL-1.2 OR LicenseRef-CCLA-1.0
# SPDX-LicenseComment: This file is part of the CISS.debian.installer.secure framework.
# SPDX-PackageName: CISS.debian.installer
# SPDX-Security-Contact: security@coresecret.eu
guard_sourcing
#######################################
# Install microcode updates depending on architecture (amd64, arm64, intel64) and environment (Baremetal, VM).
# Every 'apt-get install' command is invoked by adding 'export INITRD=No'
# to suppress the 'update-initramfs'-Kernel-Hooks, according to the initramfs-tools manpage:
# https://manpages.debian.org/testing/initramfs-tools-core/initramfs-tools.7.en.html
# Globals:
# TARGET
# firmware_lookup
# image
# Arguments:
# None
# Returns:
# 0: on success
#######################################
installation_firmware() {
### Declare Arrays, HashMaps, and Variables.
declare -a ary_bus=( "acpi" "hid" "i2c" "mdio" "of" "pci" "platform" "pnp" "serio" "spi" "usb" "virtio" ) \
ary_files=() ary_mods=() ary_pkgs_resolved=()
declare var_kernel="${image#linux-image-}" var_fw_policy="${firmware_lookup:-missing}" \
dir_fw="${TARGET}/root/.ciss/cdi/log/firmware" \
var_alias="" var_bus="" var_file="" var_found="" var_fw="" var_mod="" var_pkgs="" var_re="" var_wc_alias=""
declare -r var_logfile="/root/.ciss/cdi/log/4145_installation_firmware.log"
declare -A hmp_alias_unique=() hmp_fw_present=() hmp_fw_unique=() hmp_module_unique=() hmp_want_pkgs=()
declare -A hmp_fw_map=(
["^iwlwifi/.*\\.ucode$"]="firmware-iwlwifi"
["^ath10k/.*\\.bin$"]="firmware-atheros"
["^ath11k/.*\\.bin$"]="firmware-atheros"
["^brcm/.*\\.(bin|txt)$"]="firmware-brcm80211"
["^libertas/.*"]="firmware-libertas"
["^rtlwifi/.*\\.(bin|fw)$"]="firmware-realtek"
["^rtl_bt/.*\\.(bin|fw)$"]="firmware-realtek"
["^mediatek/.*"]="firmware-misc-nonfree"
["^rtl_nic/.*\\.fw$"]="firmware-realtek"
["^bnx2/.*\\.fw$"]="firmware-bnx2"
["^bnx2x/.*\\.fw$"]="firmware-bnx2x"
["^qed/.*\\.bin$"]="firmware-qlogic"
["^qla2xxx/.*\\.bin$"]="firmware-qlogic"
["^cxgb4/.*"]="firmware-chelsio"
["^netronome/.*"]="firmware-netronome"
["^ice/.*\\.pkg$"]="firmware-misc-nonfree"
["^amdgpu/.*\\.bin$"]="firmware-amd-graphics"
["^radeon/.*\\.bin$"]="firmware-amd-graphics"
["^i915/.*\\.(bin|dmc)$"]="firmware-misc-nonfree"
["^sof/.*"]="firmware-sof-signed"
["^mrvl/.*"]="firmware-misc-nonfree"
["^aspeed/.*"]="firmware-misc-nonfree"
)
chroot_logger "${TARGET}${var_logfile}"
if [[ ! -d "${TARGET}/lib/modules/${var_kernel}" ]]; then
do_log "error" "file_only" "4145() Target modules-directory missing: ${TARGET}/lib/modules/${var_kernel}."
return 0
fi
### Step 1: Collect all module aliases per bus (deterministic inputs):
mkdir -p "${dir_fw}"
: >| "${dir_fw}/4145_s1_mod_aliases_all.txt"
for var_bus in "${ary_bus[@]}"; do
: >| "${dir_fw}/4145_s1_mod_aliases_${var_bus}.txt"
### Safe enumeration without failing on unmatched globs.
# shellcheck disable=SC2312
readarray -t ary_files < <(compgen -G "/sys/bus/${var_bus}/devices"/*/modalias)
for var_file in "${ary_files[@]}"; do
if [[ -r "${var_file}" ]]; then
var_alias=""
IFS= read -r var_alias < "${var_file}" || true
if [[ -n "${var_alias}" ]]; then
if [[ -z "${hmp_alias_unique[${var_alias}]}" ]]; then
hmp_alias_unique["${var_alias}"]=1
printf '%s\n' "${var_alias}" >> "${dir_fw}/4145_s1_mod_aliases_all.txt"
fi
printf '%s\n' "${var_alias}" >> "${dir_fw}/4145_s1_mod_aliases_${var_bus}.txt"
fi
fi
done
done
### Step 2: Resolve modules from aliases against the "TARGET" kernel tree.
: >| "${dir_fw}/4145_s2_alias_to_modules.txt"
var_alias=""
for var_alias in "${!hmp_alias_unique[@]}"; do
var_wc_alias="$(wildcard_mod_alias "${var_alias}")"
### Resolve modules in the "TARGET" root (-d) and for the "var_kernel" (-S)
while IFS= read -r var_mod; do
if [[ -n "${var_mod}" ]]; then
ary_mods+=("${var_mod}")
fi
done < <(modprobe -R "${var_wc_alias}" -S "${var_kernel}" -d "${TARGET}" 2>/dev/null || true)
if [[ "${#ary_mods[@]}" -eq 0 ]]; then
printf '%s\t%s\n' "${var_alias}" "-" >> "${dir_fw}/4145_s2_alias_to_modules.txt"
else
for var_mod in "${ary_mods[@]}"; do
hmp_module_unique["${var_mod}"]=1
printf '%s\t%s\n' "${var_alias}" "${var_mod}" >> "${dir_fw}/4145_s2_alias_to_modules.txt"
done
fi
done
### Step 3: Resolve modules to firmware filenames; mark present/missing in "TARGET".
: >| "${dir_fw}/4145_s3_module_to_firmware.txt"
: >| "${dir_fw}/4145_s3_firmware_present.txt"
: >| "${dir_fw}/4145_s3_firmware_missing.txt"
for var_mod in "${!hmp_module_unique[@]}"; do
### Query modinfo in the 'TARGET' base (-b) for the target kernel image (-k)
while IFS= read -r var_fw; do
if [[ -n "${var_fw}" ]]; then
var_found="1"
### Normalize to the path relative to '/lib/firmware'
### modinfo may output "amdgpu/..." or "rtl_nic/..." already relative; handle both.
if [[ "${var_fw}" == /lib/firmware/* ]]; then
var_fw="${var_fw#/lib/firmware/}"
fi
hmp_fw_unique["${var_fw}"]=1
printf '%s\t%s\n' "${var_mod}" "${var_fw}" >> "${dir_fw}/4145_s3_module_to_firmware.txt"
if [[ -e "${TARGET}/lib/firmware/${var_fw}" ]]; then
hmp_fw_present["${var_fw}"]="yes"
else
hmp_fw_present["${var_fw}"]="no"
fi
fi
done < <(modinfo -k "${var_kernel}" -b "${TARGET}" -F firmware "${var_mod}" 2>/dev/null || true)
if [[ -z "${var_found}" ]]; then
printf '%s\t-\n' "${var_mod}" >> "${dir_fw}/4145_s3_module_to_firmware.txt"
fi
done
### Emit present/missing lists.
for var_fw in "${!hmp_fw_unique[@]}"; do
if [[ "${hmp_fw_present[${var_fw}]:-no}" == "yes" ]]; then
printf '%s\n' "${var_fw}" >> "${dir_fw}/4145_s3_firmware_present.txt"
else
printf '%s\n' "${var_fw}" >> "${dir_fw}/4145_s3_firmware_missing.txt"
fi
done
### Step 4: Read "${dir_fw}/4145_s3_firmware_missing.txt" and map to the package set using 'hmp_fw_map'.
var_fw=""
: >| "${dir_fw}/4145_s4_packages_resolved.txt"
if [[ -s "${dir_fw}/4145_s3_firmware_missing.txt" ]]; then
while IFS= read -r var_fw; do
if [[ -z "${var_fw}" ]]; then
continue
fi
declare var_matched=""
### Iterate through the explicit map first.
for var_re in "${!hmp_fw_map[@]}"; do
if [[ "${var_fw}" =~ ${var_re} ]]; then
hmp_want_pkgs["${hmp_fw_map[${var_re}]}"]=1
var_matched="1"
break
fi
done
if [[ -z "${var_matched}" ]]; then
### Fallback heuristics by top-level directory.
case "${var_fw}" in
iwlwifi/*) hmp_want_pkgs["firmware-iwlwifi"]=1 ;;
rtlwifi/*|rtl_*/*) hmp_want_pkgs["firmware-realtek"]=1 ;;
amdgpu/*|radeon/*) hmp_want_pkgs["firmware-amd-graphics"]=1 ;;
i915/*) hmp_want_pkgs["firmware-misc-nonfree"]=1 ;;
ath10k/*|ath11k/*) hmp_want_pkgs["firmware-atheros"]=1 ;;
brcm/*) hmp_want_pkgs["firmware-brcm80211"]=1 ;;
bnx2/*) hmp_want_pkgs["firmware-bnx2"]=1 ;;
bnx2x/*) hmp_want_pkgs["firmware-bnx2x"]=1 ;;
qed/*|qla2xxx/*) hmp_want_pkgs["firmware-qlogic"]=1 ;;
cxgb4/*) hmp_want_pkgs["firmware-chelsio"]=1 ;;
netronome/*) hmp_want_pkgs["firmware-netronome"]=1 ;;
sof/*) hmp_want_pkgs["firmware-sof-signed"]=1 ;;
ice/*) hmp_want_pkgs["firmware-misc-nonfree"]=1 ;;
*) do_log "warn" "file_only" "4145() No map entry for: '${var_fw}'." ;;
esac
fi
done < "${dir_fw}/4145_s3_firmware_missing.txt"
else
do_log "info" "file_only" "4145() No missing firmware file found."
fi
### Emit unique package list.
for var_pkgs in "${!hmp_want_pkgs[@]}"; do
printf '%s\n' "${var_pkgs}"
done | sort -u >| "${dir_fw}/4145_s4_packages_resolved.txt"
### Step 5: Install packages according to policy (always|missing|never).
: >| "${dir_fw}/4145_s5_installation_cmd.txt"
: >| "${dir_fw}/4145_s5_installation_out.txt"
if [[ "${var_fw_policy}" == "always" ]]; then
do_log "info" "file_only" "4145() Policy=always: installing broad firmware sets."
printf '%s\n' "firmware-linux" "firmware-misc-nonfree" >> "${dir_fw}/4145_s4_packages_resolved.txt"
fi
if [[ ! -s "${dir_fw}/4145_s4_packages_resolved.txt" ]]; then
do_log "info" "file_only" "4145() Nothing to install."
return 0
fi
mapfile -t ary_pkgs_resolved < "${dir_fw}/4145_s4_packages_resolved.txt"
if [[ "${var_fw_policy}" == "never" ]]; then
do_log "info" "file_only" "4145() Policy=never: Packages would be: ${ary_pkgs_resolved[*]}."
return 0
fi
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests ${ary_pkgs_resolved[*]} 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
guard_dir && return 0
}
#######################################
# Helper: Wildcardize a module alias (bus-aware, conservative)
# Arguments:
# 1: Module alias
# Returns:
# 0: on success
#######################################
wildcard_mod_alias() {
### Keep vendor/device exact, relax subfields, fall back to original if not matched.
declare a="${1}" out=""
case "${a}" in
pci:*)
if [[ "${a}" == *sv* ]]; then
out="${a%%sv*}sv*sd*bc*sc*i*"
elif [[ "${a}" == *bc* ]]; then
out="${a%%bc*}bc*sc*i*"
else
out="${a}"
fi
;;
usb:*)
if [[ "${a}" == *ic* ]]; then
out="${a%%ic*}ic*isc*ip*in*"
elif [[ "${a}" == *dc* ]]; then
out="${a%%dc*}dc*dsc*dp*ic*isc*ip*in*"
else
out="${a}"
fi
;;
platform:*|acpi:*|of:*|i2c:*|spi:*|mdio:*|virtio:*|pnp:*|serio:*|hid:*)
out="${a}"
;;
*)
out="${a}"
;;
esac
printf '%s\n' "${out}"
return 0
}
# vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh

8
func/cdi_4100_base/4150_installation_chrony.sh
View File

@@ -47,7 +47,7 @@ installation_chrony() {
mkdir -p "${TARGET}/var/log/chrony"
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests chrony 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -55,7 +55,7 @@ installation_chrony() {
if [[ ! -e "${TARGET}/etc/systemd/system/multi-user.target.wants/chrony.service" ]]; then
do_in_target_script "${TARGET}" "systemctl enable chrony.service"
chroot_script "${TARGET}" "systemctl enable chrony.service"
fi
@@ -68,8 +68,8 @@ installation_chrony() {
cat "${var_of}" >> "${TARGET}/etc/chrony/chrony.conf"
do_log "debug" "file_only" "4150() Executing: [do_in_target_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
do_in_target_script "${TARGET}" "
do_log "debug" "file_only" "4150() Executing: [chroot_script ${TARGET} chronyd -Q -f /etc/chrony/chrony.conf]."
chroot_script "${TARGET}" "
chronyd -Q -f /etc/chrony/chrony.conf 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"

2
func/cdi_4200_boot/4205_check_fstab.sh
View File

@@ -28,7 +28,7 @@ check_fstab() {
chroot_logger "${TARGET}${var_logfile}"
# shellcheck disable=SC2016 # an Internal script is only evaluated in chroot.
do_in_target_script "${TARGET}" '
chroot_script "${TARGET}" '
export INITRD=No
if [[ ! -s /etc/fstab ]]; then

2
func/cdi_4200_boot/4220_installation_cryptsetup.sh
View File

@@ -30,7 +30,7 @@ installation_cryptsetup() {
chroot_logger "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" '
chroot_script "${TARGET}" '
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests cryptsetup cryptsetup-initramfs 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'

14
func/cdi_4200_boot/4230_installation_grub.sh
View File

@@ -73,7 +73,7 @@ installation_grub() {
case "${VAR_ARCHITECTURE}" in
amd64)
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends grub2-common grub-efi-amd64 grub-efi-amd64-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -81,7 +81,7 @@ installation_grub() {
;;
arm64)
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends grub2-common grub-efi-arm64 grub-efi-arm64-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -96,7 +96,7 @@ installation_grub() {
else
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
export INITRD=No
apt-get install -y --no-install-recommends grub2-common grub-pc grub-pc-bin 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
@@ -139,7 +139,7 @@ EOF
### Change the GRUB OS detection configuration accordingly.
if [[ "${grub_prober}" == "true" ]]; then
do_in_target "${TARGET}" export INITRD=No; apt-get install -y --no-install-recommends os-prober
chroot_exec "${TARGET}" export INITRD=No; apt-get install -y --no-install-recommends os-prober
cat << EOF >> "${TARGET}/etc/default/grub"
# If your computer has multiple operating systems installed, then you
@@ -187,7 +187,7 @@ EOF
fi
[[ "${var_update_grub_required}" == "true" ]] && do_in_target "${TARGET}" update-grub
[[ "${var_update_grub_required}" == "true" ]] && chroot_exec "${TARGET}" update-grub
if [[ "${grub_force_efi}" == "true" ]]; then
@@ -243,7 +243,7 @@ install_grub_bios() {
ary_bios_arg+=( --target=i386-pc --boot-directory=/boot "--modules=${var_bios_mod}" )
do_in_target "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}"
chroot_exec "${TARGET}" grub-install "${ary_bios_arg[@]}" "${grub_bootdev}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [BIOS]."
var_update_grub_required="true"
@@ -290,7 +290,7 @@ install_grub_uefi() {
[[ "${grub_update_nvram}" == "false" ]] && ary_uefi_arg+=( --no-nvram )
do_in_target "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
chroot_exec "${TARGET}" grub-install "${ary_uefi_arg[@]}" "${grub_bootdev}" || return "${ERR_GRUB_INSTALL}"
do_log "info" "file_only" "4230() Installed: GRUB on Device: '${grub_bootdev}' [UEFI]."
var_update_grub_required="true"

2
func/cdi_4200_boot/4240_update_grub_password.sh
View File

@@ -48,7 +48,7 @@ update_grub_password() {
} >> "${var_of}"
fi
do_in_target "${TARGET}" update-grub
chroot_exec "${TARGET}" update-grub
guard_dir && return 0
}

2
func/cdi_4200_boot/4250_update_grub_bootparameter.sh
View File

@@ -66,7 +66,7 @@ update_grub_bootparameter() {
grub_finalize_string
do_in_target "${TARGET}" update-grub
chroot_exec "${TARGET}" update-grub
guard_dir && return 0
}

2
func/cdi_4300_network/4300_installation_network.sh
View File

@@ -43,7 +43,7 @@ installation_network() {
### Declare Arrays, HashMaps, and Variables.
declare var_supersede="" var_supersede_ipv6=""
do_in_target "${TARGET}" apt-get install -y dhcpcd-base
chroot_exec "${TARGET}" apt-get install -y dhcpcd-base
mkdir -p "${TARGET}/etc/network/interfaces.d"
### Create a network configuration file header.

4
func/cdi_4300_network/4311_dropbear_initramfs.sh
View File

@@ -29,13 +29,13 @@ dropbear_initramfs() {
chroot_logger "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" '
chroot_script "${TARGET}" '
export INITRD=No
apt-get install -y --no-install-recommends --no-install-suggests dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'
'
do_in_target_script "${TARGET}" '
chroot_script "${TARGET}" '
export INITRD=No
apt-mark hold dropbear dropbear-initramfs 2>&1 | tee -a '"${var_logfile}"'
echo ExitCode: $? >> '"${var_logfile}"'

6
func/cdi_4300_network/4312_dropbear_setup.sh
View File

@@ -41,8 +41,8 @@ dropbear_setup() {
### Prepare strong dropbear host keys
rm -f "${TARGET}"/etc/dropbear/initramfs/dropbear*key
do_in_target "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
do_in_target "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
chroot_exec "${TARGET}" /usr/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/initramfs/dropbear_rsa_host_key
chroot_exec "${TARGET}" /usr/bin/dropbearkey -t ed25519 -f /etc/dropbear/initramfs/dropbear_ed25519_host_key
chmod 0600 "${TARGET}"/etc/dropbear/initramfs/dropbear*key
chown root:root "${TARGET}"/etc/dropbear/initramfs/dropbear*key
@@ -98,7 +98,7 @@ dropbear_setup() {
"${TARGET}/etc/initramfs-tools/files/"
### Install the script to be called inside the initramfs environment for preparing dropbear execution.
do_in_target "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
chroot_exec "${TARGET}" mv /usr/share/initramfs-tools/scripts/init-premount/dropbear /usr/share/initramfs-tools/scripts/init-premount/dropbear.2022.83
install -D -m 0755 -o root -g root "${VAR_SETUP_PATH}/includes/target/usr/share/initramfs-tools/scripts/init-premount/dropbear" \
"${TARGET}/usr/share/initramfs-tools/scripts/init-premount/"

4
func/cdi_4300_network/4320_update_initramfs.sh
View File

@@ -27,13 +27,13 @@ update_initramfs() {
chroot_logger "${TARGET}${var_logfile}"
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
update-grub 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"
do_in_target_script "${TARGET}" "
chroot_script "${TARGET}" "
update-initramfs -c -v -k all 2>&1 | tee -a ${var_logfile}
echo ExitCode: \$? >> ${var_logfile}
"

14
func/cdi_4400_hardening/4420_installation_ssh.sh
View File

@@ -36,7 +36,7 @@ installation_ssh() {
declare -i i=0
declare var_auth="" var_name="" var_ca=""
do_in_target "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
chroot_exec "${TARGET}" apt-get install -y --no-install-recommends --no-install-suggests ssh
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/banner" "${TARGET}/etc/"
install -D -m 0644 -o root -g root "${VAR_SETUP_PATH}/includes/target/etc/motd" "${TARGET}/etc/"
@@ -55,9 +55,9 @@ installation_ssh() {
rm -rf "${TARGET}"/etc/ssh/ssh_host_*key*
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
#shellcheck disable=SC2312
do_in_target "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
chroot_exec "${TARGET}" ssh-keygen -o -N "" -t rsa -b 4096 -f /etc/ssh/ssh_host_rsa_key -C "root@${VAR_FINAL_FQDN}-$(date -I)"
mkdir -p "${TARGET}/root/.ciss/cdi/backup/etc/ssh"
cp "${TARGET}/etc/ssh/sshd_config" "${TARGET}/root/.ciss/cdi/backup/etc/ssh/sshd_config.bak"
@@ -91,20 +91,20 @@ installation_ssh() {
fi
### Preparing the test environment in chroot.
do_in_target "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
chroot_exec "${TARGET}" install -d -o root -g root -m 0755 /run/sshd
### Syntax test (hard).
if ! do_in_target_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
if ! chroot_script "${TARGET}" "sshd -t -f /etc/ssh/sshd_config"; then
do_log "emergency" "file_only" "4420() [sshd -t -f /etc/ssh/sshd_config] failed."
return "${ERR_CONF_VALIDATION}"
fi
### Effective configuration (soft, purely informative).
if ! do_in_target_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
if ! chroot_script "${TARGET}" "sshd -T -f /etc/ssh/sshd_config >| /root/.ciss/cdi/log/sshd_config.log"; then
do_log "warn" "file_only" "4420() [sshd -T -f /etc/ssh/sshd_config] failed. Likely env. Continuing."
fi
do_in_target_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
chroot_script "${TARGET}" "ssh-keygen -r ${VAR_FINAL_FQDN}. >| /root/.ciss/cdi/log/SSHFP.log"
###########################################################################################
# The file /etc/profile.d/idle-users.sh is created to set the read-only #

16
func/cdi_4500_user/4500_installation_accounts.sh
View File

@@ -53,13 +53,13 @@ installation_accounts() {
chmod 0600 "${TARGET}/etc/shadow" "${TARGET}/etc/gshadow"
if [[ -x "${TARGET}${user_root_shell}" ]]; then
do_in_target "${TARGET}" chsh -s "${user_root_shell}" root
chroot_exec "${TARGET}" chsh -s "${user_root_shell}" root
else
do_log "warn" "file_only" "Shell: '${user_root_shell}' not found for: 'root'. Using '/bin/bash' instead."
fi
var_chpasswd="root:${user_root_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
chroot_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
install -d -m 0700 -o root -g root "${TARGET}/root/.ssh"
@@ -109,12 +109,12 @@ installation_accounts() {
var_sudo="${!tmp_sudo}"
var_restricted="${!tmp_restricted}"
do_in_target "${TARGET}" getent group "${var_username}" >/dev/null || \
do_in_target "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
chroot_exec "${TARGET}" getent group "${var_username}" >/dev/null || \
chroot_exec "${TARGET}" groupadd --gid "${var_gid}" "${var_username}"
if [[ "${var_restricted}" == "false" ]]; then
do_in_target "${TARGET}" useradd \
chroot_exec "${TARGET}" useradd \
--comment "${var_fullname}" \
--create-home \
--expiredate 2102-12-31 \
@@ -127,7 +127,7 @@ installation_accounts() {
else
do_in_target "${TARGET}" useradd \
chroot_exec "${TARGET}" useradd \
--comment "${var_fullname}" \
--expiredate 2102-12-31 \
--gid "${var_gid}" \
@@ -141,11 +141,11 @@ installation_accounts() {
fi
var_chpasswd="${var_username}:${var_password}"
do_in_target_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
chroot_script "${TARGET}" "echo \"${var_chpasswd}\" | chpasswd -e"
var_chpasswd=""
if [[ "${var_sudo}" == "true" ]]; then
do_in_target "${TARGET}" usermod -aG sudo "${var_username}"
chroot_exec "${TARGET}" usermod -aG sudo "${var_username}"
fi
if [[ -n "${var_sshpubkey}" ]]; then

26
func/cdi_4600_verification/4670_verify_system.sh
View File

@@ -23,10 +23,10 @@ do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
do_log "info" "file_only" "4100() Checking systemd installation and machine-id."
do_in_target_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'command -v systemctl && systemctl --version' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd or systemctl not properly installed."
do_in_target_script "${TARGET}" '[ -s /etc/machine-id ]' || \
chroot_script "${TARGET}" '[ -s /etc/machine-id ]' || \
do_log "warning" "file_only" "4100() Missing or empty /etc/machine-id."
###########################################
@@ -34,27 +34,27 @@ do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
do_log "info" "file_only" "4100() Validating fstab and crypttab."
do_in_target_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'systemd-analyze verify /etc/fstab /etc/crypttab' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() systemd-analyze verification failed. See ${LOG_FILE}."
do_in_target_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'findmnt --verify' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() findmnt reports potential inconsistencies."
###########################################
## Essential Services
###########################################
do_log "info" "file_only" "4100() Validating essential services."
do_in_target_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
chroot_script "${TARGET}" 'systemctl list-unit-files --state=enabled,disabled' >> "${LOG_FILE}" 2>&1
###########################################
## Init & Bootloader
###########################################
do_log "info" "file_only" "4100() Checking init and GRUB presence."
do_in_target_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'readlink -f /sbin/init' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() /sbin/init is missing or invalid."
do_in_target_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
chroot_script "${TARGET}" 'test -e /boot/grub/grub.cfg || test -e /boot/efi/EFI/debian/grubx64.efi' || \
do_log "warning" "file_only" "4100() GRUB config or EFI binary not found."
###########################################
@@ -62,10 +62,10 @@ do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
do_log "info" "file_only" "4100() Validating core /etc configurations."
do_in_target_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'grep -E "^127\.0\.1\.1" /etc/hosts' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() Missing 127.0.1.1 entry in /etc/hosts."
do_in_target_script "${TARGET}" '[ -s /etc/hostname ]' || \
chroot_script "${TARGET}" '[ -s /etc/hostname ]' || \
do_log "warning" "file_only" "4100() /etc/hostname is missing or empty."
###########################################
@@ -73,16 +73,16 @@ do_log "info" "file_only" "4100() Starting system integrity verification..."
###########################################
do_log "info" "file_only" "4100() Auditing /root permissions and login shell."
do_in_target_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
do_in_target_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
chroot_script "${TARGET}" 'stat -c "%A %U:%G" /root' >> "${LOG_FILE}" 2>&1
chroot_script "${TARGET}" 'grep ^root: /etc/passwd' >> "${LOG_FILE}" 2>&1
###########################################
## dpkg & apt status
###########################################
do_log "info" "file_only" "4100() Verifying package integrity."
do_in_target_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
do_in_target_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
chroot_script "${TARGET}" 'dpkg --audit' >> "${LOG_FILE}" 2>&1 || true
chroot_script "${TARGET}" 'apt-get check' >> "${LOG_FILE}" 2>&1 || \
do_log "warning" "file_only" "4100() apt-get check reported errors."
do_log "info" "file_only" "4100() Verification completed. Output stored in: ${LOG_FILE}."

4
func/cdi_4700_xtended/4700_setup_packages.sh
View File

@@ -23,12 +23,12 @@ guard_sourcing
# 0: on success
#######################################
setup_packages() {
do_in_target_script "${TARGET}" "apt-get update -y > /dev/null"
chroot_script "${TARGET}" "apt-get update -y > /dev/null"
declare var_install_candidate=""
for var_install_candidate in "${ARY_PACKAGES[@]}"; do
do_in_target "${TARGET}" apt-get install -y "${var_install_candidate}"
chroot_exec "${TARGET}" apt-get install -y "${var_install_candidate}"
done
guard_dir && return 0

2
func/cdi_5000_recovery/3.9.0.functions_installation_setup_recovery.sh
View File

@@ -72,7 +72,7 @@ setup_recovery() {
exit "${ERR_CHROOT_MOUNTS}"
fi
if do_in_target "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
if chroot_exec "${TARGET}" mkdir -p /etc/systemd/system/multi-user.target.wants; then
do_log "info" "file_only" "Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."
else
do_log "emergency" "file_only" "Failed: Command: 'mkdir -p /etc/systemd/system/multi-user.target.wants' executed in: '${RECOVERY}'."