Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -116,11 +116,12 @@ log() {
|
||||
### Declare variables. ---------------------------------------------------------------------------------------------------------
|
||||
export CDLB_ISO_LABEL="CISS.debian.live"
|
||||
export CDLB_LUKS_FS="/live/ciss_rootfs.crypt"
|
||||
export CDLB_LUKS_ROOTFS_MNT="/run/live/ciss-rootfs"
|
||||
export CDLB_MAPPER_NAME="crypt_liveiso"
|
||||
export CDLB_MAPPER_DEV="/dev/mapper/${CDLB_MAPPER_NAME}"
|
||||
CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
|
||||
MNT_MEDIUM="/run/live/medium"
|
||||
MNT_ROOTFS="/run/live/rootfs"
|
||||
export CDLB_MNT_MEDIUM="/run/live/medium"
|
||||
export CDLB_MNT_ROOTFS="/run/live/rootfs"
|
||||
export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"
|
||||
_PARAMETER=""
|
||||
_dev=""
|
||||
|
||||
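Review bot: `export CDLB_REMOTE_WAIT_SECS="${CDLB_REMOTE_WAIT_SECS:-3600}"` takes whatever the environment supplies without checking that it is a number, and the mapper-timeout hunk later reports it as a bound in seconds, so a non-numeric or empty-after-trim value would presumably break that wait loop rather than fall back to the default. A POSIX-sh guard placed before the export keeps the default on bad input: `case "${CDLB_REMOTE_WAIT_SECS:-}" in ''|*[!0-9]*) CDLB_REMOTE_WAIT_SECS=3600 ;; esac`. The declarations run continues outside the hunk, so I cannot see whether a parameter-parsing loop (hinted at by `_PARAMETER`) already validates it.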
@@ -141,22 +142,22 @@ done
|
||||
printf "\e[92m[INFO] CDLB_LUKS_FS : [%s] \n\e[0m" "${CDLB_LUKS_FS}"
|
||||
printf "\e[92m[INFO] CDLB_ISO_LABEL : [%s] \n\e[0m" "${CDLB_ISO_LABEL}"
|
||||
|
||||
mkdir -p "${MNT_MEDIUM}" "${MNT_ROOTFS}"
|
||||
mkdir -p /conf "${CDLB_MNT_MEDIUM}" "${CDLB_MNT_ROOTFS}"
|
||||
|
||||
### Mount the live medium (ISO) read-only, unless already mounted. -------------------------------------------------------------
|
||||
if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
|
||||
|
||||
if [ -n "${CDLB_ISO_LABEL}" ] && [ -e "/dev/disk/by-label/${CDLB_ISO_LABEL}" ]; then
|
||||
|
||||
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|
||||
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${MNT_MEDIUM}" 2>/dev/null \
|
||||
mount -r -t iso9660 "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
|
||||
|| mount -r -t udf "/dev/disk/by-label/${CDLB_ISO_LABEL}" "${CDLB_MNT_MEDIUM}" 2>/dev/null \
|
||||
|| log "could not mount label=${CDLB_ISO_LABEL} (iso9660/udf)"
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
|
||||
|
||||
### Fallback scan (covers SR drives and loop-mounted ISOs that udev exposed).
|
||||
for _dev in /dev/sr* /dev/cdrom /dev/disk/by-label/*; do
|
||||
@@ -165,13 +166,13 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
[ -b "${_dev}" ] || continue
|
||||
|
||||
### Try ISO9660 first, then UDF; only unmount on failure.
|
||||
if mount -r -t iso9660 "${_dev}" "${MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${MNT_MEDIUM}" 2>/dev/null; then
|
||||
if mount -r -t iso9660 "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null || mount -r -t udf "${_dev}" "${CDLB_MNT_MEDIUM}" 2>/dev/null; then
|
||||
|
||||
mountpoint -q "${MNT_MEDIUM}" 2>/dev/null && break
|
||||
mountpoint -q "${CDLB_MNT_MEDIUM}" 2>/dev/null && break
|
||||
|
||||
else
|
||||
|
||||
umount "${MNT_MEDIUM}" 2>/dev/null || true
|
||||
umount "${CDLB_MNT_MEDIUM}" 2>/dev/null || true
|
||||
|
||||
fi
|
||||
|
||||
@@ -179,29 +180,38 @@ if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
|
||||
fi
|
||||
|
||||
if ! mountpoint -q "${MNT_MEDIUM}"; then
|
||||
if ! mountpoint -q "${CDLB_MNT_MEDIUM}"; then
|
||||
|
||||
log "No live medium mounted, defer to default live-boot path."
|
||||
printf "\e[91m[FATAL] Boot failure : No live medium mounted, defer to default live-boot path. \n\e[0m"
|
||||
exit 42
|
||||
sleep 60
|
||||
log "[FATAL] Boot failure : No live medium mounted, defer to default live-boot path."
|
||||
panic "[FATAL] Boot failure : No live medium mounted, defer to default live-boot path."
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${MNT_MEDIUM}"
|
||||
printf "\e[92m[INFO] MNT_MEDIUM : [%s] \n\e[0m" "${CDLB_MNT_MEDIUM}"
|
||||
|
||||
### Locate the encrypted root container on the medium. -------------------------------------------------------------------------
|
||||
if [ ! -f "${MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
|
||||
if [ ! -f "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}" ]; then
|
||||
|
||||
log "Encrypted root not found at: [${MNT_MEDIUM}${CDLB_LUKS_FS}]"
|
||||
printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
exit 42
|
||||
printf "\e[91m[FATAL] Boot failure : Encrypted root not found at: [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
sleep 60
|
||||
log "[FATAL] Boot failure : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
|
||||
panic "[FATAL] Boot failure : Encrypted root not found at: [${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}]"
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
printf "\e[92m[INFO] CISS LUKS FS : [%s%s] \n\e[0m" "${CDLB_MNT_MEDIUM}" "${CDLB_LUKS_FS}"
|
||||
|
||||
### Attach a loop device read-only to the encrypted file. ----------------------------------------------------------------------
|
||||
LOOP="$(losetup -f --show -r "${MNT_MEDIUM}${CDLB_LUKS_FS}")" || { log "losetup failed"; exit 42; }
|
||||
if ! LOOP="$(losetup -f --show -r "${CDLB_MNT_MEDIUM}${CDLB_LUKS_FS}")"; then
|
||||
|
||||
printf "\e[91m[FATAL] Boot failure : losetup failed \n\e[0m"
|
||||
sleep 60
|
||||
log "[FATAL] Boot failure : losetup failed "
|
||||
panic "[FATAL] Boot failure : losetup failed "
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] Loop device : [%s] \n\e[0m" "${LOOP}"
|
||||
|
||||
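Review bot: The message at `printf "\e[91m[FATAL] Boot failure : No live medium mounted, defer to default live-boot path. \n\e[0m"` and the `log`/`panic` lines after it still say the script defers to the default live-boot path, but the `exit 42` that allowed that deferral is what this hunk replaces; `panic`, as I read the initramfs-tools helper, stops at a rescue shell instead, so the wording should say the boot halts here. The `printf`, `sleep 60`, `log`, `panic` quartet is repeated verbatim at every failure path in this hunk and again in the hunks at L309, L344, L577 and L615; one helper defined next to `log()`, such as `ciss_fatal() { printf "\e[91m%s \n\e[0m" "$1"; sleep "${CISS_FATAL_DELAY:-60}"; log "$1"; panic "$1"; }`, removes the duplication and makes the delay tunable. An unconditional 60-second sleep before every panic is a real cost on a headless machine, which the dropbear unlock path suggests this is — worth confirming the delay is wanted at all.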
@@ -225,8 +235,10 @@ fi
|
||||
|
||||
if ! mkfifo /lib/cryptsetup/passfifo 2>/dev/null; then
|
||||
|
||||
printf "\e[92m[WARN] Boot failure : Failed to create /lib/cryptsetup/passfifo \n\e[0m"
|
||||
exit 42
|
||||
printf "\e[92m[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"
|
||||
sleep 60
|
||||
log "[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo]"
|
||||
panic "[WARN] Boot failure : Failed to create [/lib/cryptsetup/passfifo]"
|
||||
|
||||
fi
|
||||
|
||||
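Review bot: The failure of `mkfifo /lib/cryptsetup/passfifo` is now terminal (`panic`), yet the console line keeps the `[WARN]` tag and the green `\e[92m` colour, so the operator sees a warning for a boot-stopping error; the same `[WARN]`-then-`panic` mismatch is in the hunks at L344 and L577. Tagging these `[FATAL]` in red, consistent with the live-medium and losetup paths, keeps the severity honest: `printf "\e[91m[FATAL] Boot failure : Failed to create [/lib/cryptsetup/passfifo] \n\e[0m"`. Presumably a FIFO left behind by an earlier attempt would also make `mkfifo` fail here; if that is a realistic path, an `rm -f /lib/cryptsetup/passfifo 2>/dev/null` before the `mkfifo`, mirroring the cleanup the timeout path already does, avoids panicking on a stale file.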
@@ -355,7 +367,9 @@ if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
|
||||
kill "${PID_PROMPT}" 2>/dev/null || true
|
||||
kill "${PID_BROKER}" 2>/dev/null || true
|
||||
rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
|
||||
exit 42
|
||||
sleep 60
|
||||
log "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
|
||||
panic "[WARN] CISS LUKS decryption : Timeout LUKS mapper [${CDLB_MAPPER_DEV}] not present after ${CDLB_REMOTE_WAIT_SECS} seconds."
|
||||
|
||||
fi
|
||||
|
||||
@@ -365,45 +379,42 @@ rm -f /lib/cryptsetup/passfifo 2>/dev/null || true
|
||||
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : [%s] is now present.\n\e[0m" "${CDLB_MAPPER_DEV}"
|
||||
|
||||
### Mount the decrypted root device ready to use als PLAIN_ROOT artifact in '9990-main.sh'. ------------------------------------
|
||||
if ! mount -r -t squashfs "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"; then
|
||||
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
|
||||
cat << EOF >| /run/ciss-rootdev
|
||||
export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}
|
||||
export CDLB_LUKS_FS=${CDLB_LUKS_FS}
|
||||
export CDLB_LUKS_ROOTFS_MNT=${CDLB_LUKS_ROOTFS_MNT}
|
||||
export CDLB_MAPPER_NAME=${CDLB_MAPPER_NAME}
|
||||
export CDLB_MAPPER_DEV=${CDLB_MAPPER_DEV}
|
||||
export CDLB_MNT_MEDIUM=${CDLB_MNT_MEDIUM}
|
||||
export CDLB_MNT_ROOTFS=${CDLB_MNT_ROOTFS}
|
||||
export CDLB_REMOTE_WAIT_SECS=${CDLB_REMOTE_WAIT_SECS}
|
||||
EOF
|
||||
chmod 0444 /run/ciss-rootdev 2>/dev/null || true
|
||||
|
||||
log "Failed to mount SquashFS from [${CDLB_MAPPER_DEV}] on [${MNT_ROOTFS}]"
|
||||
printf "\e[91m[WARN] CISS LUKS decryption : SquashFS mount failed: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
|
||||
exit 42
|
||||
### Override '9990-main.sh' behavior to ensure 'Verify_checksums()' functions properly. ----------------------------------------
|
||||
if [ ! -e /conf/param.conf ]; then
|
||||
|
||||
else
|
||||
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Mounted SquashFS: [%s] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}" "${MNT_ROOTFS}"
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
|
||||
: >| /conf/param.conf
|
||||
|
||||
fi
|
||||
|
||||
### Expose the decrypted root device for live-boot overlay. The live-boot components will pick this up in '9990-overlay.sh'. ---
|
||||
echo "${CDLB_MAPPER_DEV}" >| /run/ciss-rootdev
|
||||
chmod 0644 /run/ciss-rootdev 2>/dev/null || true
|
||||
export CISS_ROOT_DEV="${CDLB_MAPPER_DEV}"
|
||||
export CISS_ROOT_DIR=""
|
||||
if ! grep -q '^PLAIN_ROOT=' /conf/param.conf 2>/dev/null; then
|
||||
|
||||
printf 'PLAIN_ROOT=1\n' >> /conf/param.conf
|
||||
|
||||
fi
|
||||
|
||||
if ! grep -q '^livefs_root=' /conf/param.conf 2>/dev/null; then
|
||||
|
||||
printf 'livefs_root=%s\n' "/run/live/medium" >> /conf/param.conf
|
||||
|
||||
# TODO: Remove Debug
|
||||
if [ -e /conf/param.conf ]; then
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Printing existing [/conf/param.conf] \n\e[0m"
|
||||
cat /conf/param.conf >/dev/console 2>&1 || :
|
||||
{
|
||||
printf '\n'
|
||||
printf 'PLAIN_ROOT=1\n'
|
||||
printf 'ROOT=%s\n' "${MNT_ROOTFS}"
|
||||
} >> /conf/param.conf 2>/dev/null || true
|
||||
else
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Not existing [/conf/param.conf] \n\e[0m"
|
||||
{
|
||||
printf '\n'
|
||||
printf 'PLAIN_ROOT=1\n'
|
||||
printf 'ROOT=%s\n' "${MNT_ROOTFS}"
|
||||
} >| /conf/param.conf 2>/dev/null || true
|
||||
fi
|
||||
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Final state [/conf/param.conf] \n\e[0m"
|
||||
cat /conf/param.conf >/dev/console 2>&1 || :
|
||||
sleep 8
|
||||
|
||||
log "Decrypted root device exposed at [/run/ciss-rootdev] -> [${CDLB_MAPPER_DEV}]"
|
||||
printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/run/ciss-rootdev] -> [%s] \n\e[0m" "${CDLB_MAPPER_DEV}"
|
||||
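Review bot: The heredoc at `cat << EOF >| /run/ciss-rootdev` writes every value unquoted (`export CDLB_ISO_LABEL=${CDLB_ISO_LABEL}` and the seven lines after it), and that file is later sourced as shell code by setup_unionfs's `. /run/ciss-rootdev`, so a label or mount path containing whitespace or a shell metacharacter would be split or interpreted at source time instead of round-tripping. Writing the values single-quoted inside the heredoc, e.g. `export CDLB_ISO_LABEL='${CDLB_ISO_LABEL}'`, keeps the generated file parseable; the same treatment applies to the other seven exports. Separately, if the `# TODO: Remove Debug` block belongs to the new side, its `printf 'ROOT=%s\n' "${MNT_ROOTFS}"` (both branches) names a variable this commit renamed to CDLB_MNT_ROOTFS in the declarations hunk, so `ROOT=` would be written empty into /conf/param.conf — the rendered page does not let me confirm which side that block is on, so please check before merge. The `cat /conf/param.conf >/dev/console` and `sleep 8` lines are marked as debug and should go before this lands.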
@@ -411,9 +422,10 @@ printf "\e[92m[INFO] CISS LUKS decryption : Decrypted root device exposed at: [/
|
||||
### Final sanity check. --------------------------------------------------------------------------------------------------------
|
||||
if [ ! -b "${CDLB_MAPPER_DEV}" ]; then
|
||||
|
||||
log "Failed to unlock encrypted root [${CDLB_LUKS_FS}] via dropbear and console."
|
||||
printf "\e[91m[WARN] Failed unlock : [%s] via dropbear and console. \n\e[0m" "${CDLB_LUKS_FS}"
|
||||
exit 42
|
||||
sleep 60
|
||||
log "[WARN] Failed unlock : [${CDLB_LUKS_FS}] via dropbear and console."
|
||||
panic "[WARN] Failed unlock : [${CDLB_LUKS_FS}] via dropbear and console."
|
||||
|
||||
fi
|
||||
|
||||
|
||||
@@ -128,45 +128,53 @@ Live ()
|
||||
fi
|
||||
|
||||
printf "\e[93m[DEBUG] live(): [%s] -> livefs_root. \e[0m\n" "${livefs_root}"
|
||||
if [ -z "${livefs_root}" ]
|
||||
then
|
||||
panic "Unable to find a medium containing a live file system"
|
||||
if [ -z "${livefs_root}" ]; then
|
||||
|
||||
printf "\e[91m[FATAL] live() : Unable to find a medium containing a live file system. \e[0m\n"
|
||||
sleep 60
|
||||
log "[FATAL] live() : Unable to find a medium containing a live file system."
|
||||
panic "[FATAL] live() : Unable to find a medium containing a live file system."
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[93m[DEBUG] live(): Before [Verify_checksums %s] \e[0m\n" "${livefs_root}"
|
||||
Verify_checksums "${livefs_root}"
|
||||
|
||||
# shellcheck disable=SC2244
|
||||
if [ "${TORAM}" ]
|
||||
then
|
||||
if [ "${TORAM}" ]; then
|
||||
|
||||
live_dest="ram"
|
||||
elif [ "${TODISK}" ]
|
||||
then
|
||||
|
||||
elif [ "${TODISK}" ]; then
|
||||
|
||||
live_dest="${TODISK}"
|
||||
|
||||
fi
|
||||
|
||||
# shellcheck disable=SC2244
|
||||
if [ "${live_dest}" ]
|
||||
then
|
||||
if [ "${live_dest}" ]; then
|
||||
|
||||
log_begin_msg "Copying live media to ${live_dest}"
|
||||
copy_live_to "${livefs_root}" "${live_dest}"
|
||||
log_end_msg
|
||||
|
||||
fi
|
||||
|
||||
# if we do not unmount the ISO, we can't run "fsck /dev/ice" later on
|
||||
# because the mountpoint is left behind in /proc/mounts, so let's get
|
||||
# rid of it when running from RAM
|
||||
# shellcheck disable=SC2244
|
||||
if [ -n "${FROMISO}" ] && [ "${TORAM}" ]
|
||||
then
|
||||
if [ -n "${FROMISO}" ] && [ "${TORAM}" ]; then
|
||||
|
||||
losetup -d /dev/loop0
|
||||
|
||||
if is_mountpoint /run/live/fromiso
|
||||
then
|
||||
if is_mountpoint /run/live/fromiso; then
|
||||
|
||||
umount /run/live/fromiso
|
||||
rmdir --ignore-fail-on-non-empty /run/live/fromiso \
|
||||
>/dev/null 2>&1 || true
|
||||
rmdir --ignore-fail-on-non-empty /run/live/fromiso >/dev/null 2>&1 || true
|
||||
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
printf "\e[93m[DBG] Live(): before overlay, live_dest=%s \e[0m\n" "${live_dest:-<none>}"
|
||||
|
||||
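Review bot: `log "[FATAL] live() : Unable to find a medium containing a live file system."` calls a bare `log` inside 9990-main.sh; unless this tree adds such a helper to the live-boot function set, initramfs-tools only provides `log_failure_msg`/`log_warning_msg` here, and an undefined `log` would print a "not found" error right before the panic. Using `log_failure_msg "[FATAL] live() : Unable to find a medium containing a live file system."` avoids depending on a helper that exists in the other script but may not be in scope here. The `[DEBUG]`/`[DBG]` `printf` lines added before `Verify_checksums` and before the overlay go to the console on every boot; gating them on a debug variable or removing them before merge would keep the boot output clean. Live() continues outside the hunk.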
@@ -31,25 +31,18 @@ setup_unionfs ()
|
||||
addimage_directory="${3}"
|
||||
|
||||
### CISS hook: allow explicit root override ----------------------------------------------------------------------------------
|
||||
#if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then
|
||||
if [ -r /run/ciss-rootdev ]; then
|
||||
|
||||
# CISS_ROOT_DEV=$(cat /run/ciss-rootdev 2>/dev/null || printf '')
|
||||
. /run/ciss-rootdev
|
||||
|
||||
#fi
|
||||
export PLAIN_ROOT=1
|
||||
export image_directory="${CDLB_MAPPER_DEV}"
|
||||
|
||||
#if [ -n "${CISS_ROOT_DEV:-}" ]; then
|
||||
printf "\e[92m[INFO] setup_unionfs() : [image_directory=%s] \n\e[0m" "${image_directory}"
|
||||
printf "\e[92m[INFO] setup_unionfs() : [rootmnt=%s] \n\e[0m" "${rootmnt}"
|
||||
printf "\e[92m[INFO] setup_unionfs() : [addimage_directory=%s] \n\e[0m" "${addimage_directory}"
|
||||
|
||||
### Treat the decrypted block device as plain root (e.g., squashfs on LUKS).
|
||||
# PLAIN_ROOT=1
|
||||
# image_directory="${CISS_ROOT_DEV}"
|
||||
|
||||
#elif [ -n "${CISS_ROOT_DIR:-}" ]; then
|
||||
|
||||
### Alternative: explicitly provided root directory.
|
||||
# PLAIN_ROOT=1
|
||||
# image_directory="${CISS_ROOT_DIR}"
|
||||
|
||||
#fi
|
||||
fi
|
||||
### --------------------------------------------------------------------------------------------------------------------------
|
||||
|
||||
# shellcheck disable=SC2086
|
||||
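Review bot: After `. /run/ciss-rootdev` the code assigns `export image_directory="${CDLB_MAPPER_DEV}"` without confirming the sourced file actually provided a usable device, so a stale or truncated file leaves `image_directory` empty or pointing at a non-block path while the caller's original value is silently clobbered; adding `[ -b "${CDLB_MAPPER_DEV:-}" ] || panic "[FATAL] setup_unionfs() : no block device in CDLB_MAPPER_DEV from /run/ciss-rootdev"` right after the source line makes that failure explicit. Sourcing executes whatever the file contains as shell, which is acceptable while only the boot script writes it, but it is one more reason for the writer to quote its values. The commented-out guard `#if [ -z "${CISS_ROOT_DEV:-}" ] && [ -r /run/ciss-rootdev ]; then` and the dead `# PLAIN_ROOT=1` / `#elif` / `#fi` lines should be deleted rather than left as comments — git keeps the history. setup_unionfs continues past the hunk.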
|
||||