-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathbuild-initramfs
More file actions
executable file
·258 lines (234 loc) · 7.92 KB
/
Copy pathbuild-initramfs
File metadata and controls
executable file
·258 lines (234 loc) · 7.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
#!/bin/sh
set -e
cd "$(dirname "${0}")"
usage() {
(
echo "Usage: $(basename "${0}") [options]"
echo " -c|--mapper-name Encrypted root mapper device name"
echo " -H|--hostname Hostname to be set when initramfs starts"
echo " -h|--help Show this usage"
echo " -r|--root Root block device"
echo " -s|--static-root ROOT directory with static binaries"
echo " -u|--user Allow ssh login using this user's keys"
)
exit 1
}
lopts="mapper-name: help hostname: root: static-root: user:"
sopts="c:hH:r:s:u:"
getopt_out="$(getopt -n"${0}" --longoptions="${lopts}" "${sopts}" "${@}")"
[ ${?} -ne 0 ] && usage >&2
eval set -- "${getopt_out}"
[ ${#} -eq 0 ] && usage >&2
opt_mapper_name=
opt_root=
opt_help=0
opt_hostname=
opt_static_root=
opt_user="${SUDO_USER:-$(id -un)}"
while [ ${#} -gt 0 ]; do
case "${1}" in
-c|--mapper-name) opt_mapper_name="${2}"; shift;;
-h|--help) opt_help=1;;
-H|--hostname) opt_hostname="${2}"; shift;;
-r|--root) opt_root="${2}"; shift;;
-s|--static-root) opt_static_root="${2%%/}"; shift;;
-u|--user) opt_user="${2}"; shift;;
--) shift; break;;
-*) opt_help=1;;
*) ;;
esac
shift
done
[ ${opt_help} -ne 0 ] && usage >&2
if [ "$(id -u)" -ne 0 ]; then
echo "Error: This must be run as root." >&2
exit 1
fi
# Determine if the root filesystem is on an encrypted device
if [ -z "${opt_mapper_name}" ]; then
if df -P / | grep -q '^/dev/mapper/'; then
opt_mapper_name=$( (df -P / | grep '^/dev/mapper/' | \
awk '{print $1}' | grep -o '[^\/]*$') || /bin/true)
if [ -z "${opt_mapper_name}" ]; then
opt_mapper_name="root_crypt"
fi
fi
fi
# Locate root device
if [ -z "${opt_root}" ]; then
if df -P / | grep -q '^/dev/mapper/'; then
# Determine block device backing this mapper device, if possible
opt_root=$(cryptsetup status "${opt_mapper_name}" | \
awk '/^\s*device:/ {print $2}')
else
opt_root=$(df -P / | awk 'NR==2 {print $1}')
fi
if [ -n "${opt_root}" ]; then
# If the root device is an md device, use the /dev/md/* path
md_path=$(find -L /dev -maxdepth 2 -samefile "${opt_root}" \
-path '/dev/md/*' 2>/dev/null | head -n1)
if [ -b "${md_path}" ]; then
opt_root="${md_path}"
fi
fi
fi
if [ -z "${opt_root}" ]; then
echo "Error: Unable to determine root device." >&2
exit 1
fi
if [ -z "${opt_hostname}" ]; then
opt_hostname="$(hostname -s)"
fi
echo ">>> Initramfs configuration summary"
echo "Hostname: ${opt_hostname}"
echo "Root block device: ${opt_root}"
echo "Mapper device name: ${opt_mapper_name}"
echo "SSH keys for user: ${opt_user}"
# Components to include in initramfs image
dev_nodes="console null tty"
bin_exe="busybox"
sbin_exe=
if [ -n "${opt_mapper_name}" ]; then
# Add extra tools for unlocking an encrypted root filesystem
sbin_exe="${sbin_exe} cryptsetup dhcpcd sshd"
fi
if findfs "${opt_root}" | grep -qe '^\/dev\/md'; then
# Add mdraid tools
sbin_exe="${sbin_exe} mdadm"
fi
exit_cleanup()
{
if [ -n "${temp_dir}" ] && [ -d "${temp_dir}" ]; then
rm -rf "${temp_dir}"
fi
}
trap exit_cleanup EXIT
temp_dir="$(mktemp -d --suffix=".$(basename "${0}")")"
mkdir -p "${temp_dir}/etc"
(
echo "HOSTNAME=\"${opt_hostname}\""
echo "ROOT_DEVICE=\"${opt_root}\""
echo "MAPPER_NAME=\"${opt_mapper_name}\""
) >> "${temp_dir}/etc/init.conf"
# Copy basic set of device nodes and block device nodes
mkdir -p "${temp_dir}/dev"
for i in ${dev_nodes}; do
cp -a "/dev/${i}" "${temp_dir}/dev"
done
for i in $(find /dev -mindepth 1 -maxdepth 1 -type b | \
grep -ve '/loop' -e '/ram'); do
cp -a "${i}" "${temp_dir}/dev"
done
# Copy libraries needed for dynamically-linked executables
mkdir -p "${temp_dir}/lib"
ln -s "lib" "${temp_dir}/lib64"
locate_binary()
{
which_path=$(command -v "${1}")
if [ -x "${opt_static_root}${which_path}" ]; then
echo "${opt_static_root}${which_path}"
return
fi
echo "${which_path}"
}
calculate_libs()
{
(
for i in "${@}"; do
ldd "$(locate_binary "${i}")" | grep -oEe '\s/[^ ]*' || true
done
find /lib/ -iname 'libnss_files*'
) | sort -u
}
for i in $(calculate_libs ${bin_exe} ${sbin_exe}); do
for l in "${i}" $(readlink -f "${i}"); do
bn="$(basename "${l}")"
if [ -e "${temp_dir}/lib/${bn}" ]; then
continue
fi
cp -af "${l}" "${temp_dir}/lib/${bn}"
done
done
# Copy disk and mount configuration
mkdir -p "${temp_dir}/etc"
cp -af /etc/fstab "${temp_dir}/etc"
if echo "${sbin_exe}" | grep -q mdadm; then
if [ -f /etc/mdadm.conf ]; then
cp -af /etc/mdadm.conf "${temp_dir}/etc"
fi
fi
# Configure DHCP client
if echo "${sbin_exe}" | grep -q dhcpcd; then
(
echo "root:x:0:0:root:/root:/bin/sh"
echo "sshd:x:22:22:sshd:/var/empty:/bin/false"
) > "${temp_dir}/etc/passwd"
cp -af /etc/dhcpcd.duid "${temp_dir}/etc"
echo "hostname" > "${temp_dir}/etc/dhcpcd.conf"
fi
# Configure SSH server
if echo "${sbin_exe}" | grep -q sshd; then
# Re-use the same host key(s) that OpenSSH uses on the current host
# Note: If the current machine uses an encrypted root filesystem, this
# stores a copy of the ssh server host key unencrypted within the initramfs
mkdir -p "${temp_dir}/etc/ssh"
for k in rsa ed25519; do
cp -v "/etc/ssh/ssh_host_${k}_key" "/etc/ssh/ssh_host_${k}_key.pub" \
"${temp_dir}/etc/ssh/"
done
(
echo "PidFile /var/run/sshd.pid"
) > "${temp_dir}/etc/ssh/sshd_config"
chmod 0600 "${temp_dir}/etc/ssh/sshd_config"
mkdir -p "${temp_dir}/root/.ssh"
chmod 0700 "${temp_dir}/root/.ssh"
mkdir -m 0755 "${temp_dir}/var"
mkdir -m 0755 "${temp_dir}/var/empty"
if [ -n "${opt_user}" ]; then
# Add user's id_rsa.pub and any authorized_keys on this machine
user_home=$(getent passwd "${opt_user}" | cut -d: -f6)
for f in "${user_home}/.ssh/id_rsa.pub" \
"${user_home}/.ssh/authorized_keys" \
; do
if [ -r "${f}" ]; then
echo "Authorizing public key(s) in $(readlink -f "${f}")"
sed "${f}" -e 's/^.*ssh-/command="\/bin\/unlock" ssh-/g' \
>> "${temp_dir}/root/.ssh/authorized_keys"
break
fi
done
# Add user's keys from LDAP, if any
ldap_out=$(ldapsearch -LLL -Y external uid="${opt_user}" sshPublicKey \
-o ldif-wrap=no 2>/dev/null || /bin/true)
ldap_out=$(echo "${ldap_out}" | grep -e "sshPublicKey::" | cut -d: -f3-)
for k in ${ldap_out}; do
key_plain=$(echo "${k}" | base64 -d -)
key_name=$(echo "${key_plain}" | awk '{print $3}')
echo "Authorizing uid=${opt_user} LDAP public key \"${key_name}\""
echo "command=\"/bin/unlock\" ${key_plain}" \
>> "${temp_dir}/root/.ssh/authorized_keys"
done
if [ ! -f "${temp_dir}/root/.ssh/authorized_keys" ]; then
echo "Error: No ssh login keys authorized!" >&2
exit 1
fi
fi
fi
# Copy needed executables
mkdir -p "${temp_dir}/bin"
for i in ${bin_exe}; do
cp -vaf "$(locate_binary "${i}")" "${temp_dir}/bin"
done
mkdir -p "${temp_dir}/sbin"
for i in ${sbin_exe}; do
cp -vaf "$(locate_binary "${i}")" "${temp_dir}/sbin"
done
cp -dr files/. "${temp_dir}/"
# Create initramfs image
output_file_name=$(readlink -f "./initramfs.cpio.gz")
cd "${temp_dir}"
find . -print0 | cpio --null -o --format=newc | gzip -9 > "${output_file_name}"
if [ -n "${SUDO_USER}" ]; then
chown "${SUDO_USER}": "${output_file_name}"
fi
echo "Created initramfs in ${output_file_name}"