feat: enable conf/sys ext services and make /etc read-only without overlay
This commit is contained in:
parent
18c8e76850
commit
62dd1ca5bf
4 changed files with 26 additions and 24 deletions
pkgs
|
@ -12,23 +12,6 @@ find rootfs/ -type d -exec chmod 755 {} \;
|
|||
# set default target to multi-user
|
||||
ln -sf multi-user.target rootfs/usr/lib/systemd/system/default.target
|
||||
|
||||
# Overlay mount for /etc which makes it read-write in runtime
|
||||
cat <<EOF > rootfs/usr/lib/systemd/system/etc.mount
|
||||
[Unit]
|
||||
Description=Overlay mount for /etc
|
||||
Before=local-fs.target
|
||||
|
||||
[Mount]
|
||||
What=overlay
|
||||
Where=/etc
|
||||
Type=overlay
|
||||
Options=lowerdir=/etc,upperdir=/run/.rw-etc/upper,workdir=/run/.rw-etc/work
|
||||
|
||||
[Install]
|
||||
WantedBy=local-fs.target
|
||||
EOF
|
||||
ln -sf ../etc.mount rootfs/usr/lib/systemd/system/local-fs.target.wants/etc.mount
|
||||
|
||||
# enable dbus
|
||||
ln -sf ../dbus.service rootfs/usr/lib/systemd/system/multi-user.target.wants/dbus.service
|
||||
ln -sf ../dbus.socket rootfs/usr/lib/systemd/system/sockets.target.wants/dbus.socket
|
||||
|
@ -40,8 +23,9 @@ ln -sf ../systemd-timesyncd.service rootfs/usr/lib/systemd/system/multi-user.tar
|
|||
# enable default network config
|
||||
mv rootfs/usr/lib/systemd/network/89-ethernet.network.example rootfs/usr/lib/systemd/network/89-ethernet.network
|
||||
|
||||
#FIXME: generate a temporary machine id (replace with overlay/confext later?)
|
||||
$systemd/usr/bin/systemd-machine-id-setup --root=rootfs/
|
||||
# enable confext/sysext services
|
||||
ln -sf ../systemd-confext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-confext.service
|
||||
ln -sf ../systemd-sysext.service rootfs/usr/lib/systemd/system/sysinit.target.wants/systemd-sysext.service
|
||||
|
||||
# install sys users
|
||||
mkdir creds
|
||||
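Review bot: Enabling systemd-sysext.service and systemd-confext.service under sysinit.target.wants (the two `ln -sf` lines in the second hunk) means that at every boot any extension found in the search paths (/var/lib/extensions, /run/extensions, /etc/extensions and the confext equivalents) is merged over /usr and /etc, and as far as I recall the units' default image policy still admits unprotected (unsigned, non-verity) images and plain directories. Since this same commit turns on dm-verity root-hash signature checking in the kernel, an unsigned sysext dropped into /var would quietly reintroduce unverified code on /usr, undoing that protection. If signed-only extensions are the intent, ship a drop-in alongside these symlinks, e.g. `rootfs/usr/lib/systemd/system/systemd-sysext.service.d/policy.conf` containing `[Service]`, `ExecStart=`, `ExecStart=systemd-sysext merge --image-policy=root=verity+signed+absent:usr=verity+signed+absent`, and the equivalent for confext; confirm the exact flag and policy string against the systemd version in use.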
@ -591,7 +591,8 @@ CONFIG_DM_SWITCH=m
|
|||
CONFIG_DM_THIN_PROVISIONING=m
|
||||
CONFIG_DM_UNSTRIPED=m
|
||||
CONFIG_DM_VDO=m
|
||||
CONFIG_DM_VERITY=m
|
||||
CONFIG_DM_VERITY=y
|
||||
CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y
|
||||
CONFIG_DM_WRITECACHE=m
|
||||
CONFIG_DM_ZERO=y
|
||||
CONFIG_DM_ZONED=m
|
||||
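Review bot: CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG=y only verifies a signature when one is supplied with the verity table; an unsigned verity device is still activated unless the kernel is booted with `dm_verity.require_signatures=1`, so on its own this line does not force signed root images. The signature is checked against the builtin trusted keyring, so the signing certificate has to be compiled in (CONFIG_SYSTEM_TRUSTED_KEYS, not visible in this hunk) or every signed root will be rejected. Consider adding a comment next to the new line, `# signatures are only enforced with dm_verity.require_signatures=1 on the cmdline`, so the dependency on the boot parameters is recorded where the option is set.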
@ -27,10 +27,12 @@ stdenvNoCC.mkDerivation (finalAttrs: {
|
|||
libbpf = pkgs.libbpf.out;
|
||||
btrfs = pkgs.btrfs-progs.out;
|
||||
tpm2Libs = patosPkgs.tpm2-tss.out;
|
||||
tpm2Tools = patosPkgs.tpm2-tools.out;
|
||||
kexec = patosPkgs.kexec.out;
|
||||
lvm2 = patosPkgs.lvm2.out;
|
||||
# FIXME: remove later:
|
||||
tpm2Tools = patosPkgs.tpm2-tools.out;
|
||||
cryptsetup = pkgs.cryptsetup.bin;
|
||||
erofsUtils = pkgs.erofs-utils.out;
|
||||
|
||||
builder = ./mkrootfs.sh;
|
||||
})
|
||||
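Review bot: The inputs added under `# FIXME: remove later:` (the re-added `tpm2Tools` and `erofsUtils`) are build-only and debugging tools that end up in the image unconditionally, and nothing in the derivation distinguishes them from the runtime inputs above; the only use of `tpm2Tools` in the builder is commented out, so it currently adds a dependency without effect. Rather than relying on the FIXME being remembered, consider gating them on a build argument so the default image does not ship them, and say in the comment what "later" depends on, e.g. `# FIXME: debug/bootstrap-only inputs, drop once image assembly moves out of the rootfs`.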
@ -29,8 +29,8 @@ IMAGE_ID=patos
|
|||
ID=patos
|
||||
IMAGE_VERSION=${version}
|
||||
VERSION=${version}
|
||||
VERSION_ID={version}
|
||||
BUILD_ID={version}
|
||||
VERSION_ID=patos
|
||||
BUILD_ID=somehash
|
||||
EOF
|
||||
|
||||
cat <<EOF > $out/etc/issue
|
||||
|
@ -106,6 +106,9 @@ cp -P ${lvm2}/lib/udev/rules.d/* $out/usr/lib/udev/rules.d/
|
|||
cp -Pr ${btrfs}/bin/* $out/usr/bin/
|
||||
cp -Pr ${btrfs}/lib/* $out/usr/lib/
|
||||
|
||||
##FIXME(remove later): install mkfs.erofs bin
|
||||
cp -P ${erofsUtils}/bin/mkfs.erofs $out/usr/bin/
|
||||
|
||||
### install tpm2 tools
|
||||
# For TPM debugging
|
||||
# cp -P ${tpm2Tools}/bin/* $out/usr/bin/
|
||||
|
@ -119,11 +122,23 @@ cp -P $kmodBin/bin/* $out/usr/bin
|
|||
### install libbpf
|
||||
cp -P $libbpf/lib/libbpf* $out/usr/lib
|
||||
|
||||
# setup default files
|
||||
$systemd/usr/bin/systemd-hwdb --root=$out --usr update
|
||||
$systemd/usr/bin/systemd-tmpfiles --root=$out $out/usr/lib/tmpfiles.d/etc.conf --create
|
||||
cp $out/usr/share/factory/etc/nsswitch.conf $out/etc/
|
||||
cp $out/usr/share/factory/etc/locale.conf $out/etc/
|
||||
cp $out/usr/share/factory/etc/vconsole.conf $out/etc/
|
||||
#Ephemeral machine-id until registration
|
||||
ln -sf /run/machine-id $out/etc/machine-id
|
||||
|
||||
|
||||
# remove pkgconfig
|
||||
rm -rf $out/usr/lib/pkgconfig
|
||||
|
||||
### Find and install all shared libs
|
||||
find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | sort -u | xargs -I {} cp {} $out/usr/lib/
|
||||
find $out -type f -executable -exec ldd {} \; | awk '{print $3}' | \
|
||||
grep -v util-linux-2 | grep -v systemd | grep -v glibc | grep -v tpm2 | grep -v devmapper | \
|
||||
sort -u | xargs -I {} cp {} $out/usr/lib/
|
||||
find $out -type f -executable -exec chmod 755 {} \;
|
||||
|
||||
# FIXME: ELF patching. Is there a better way?
|
||||
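Review bot: In the os-release hunk `VERSION_ID=patos` and `BUILD_ID=somehash` replace the version-derived values while `VERSION=${version}` on the line above is kept, so VERSION_ID is now a constant that no longer changes between builds. This matters once this commit enables systemd-sysext/confext: an extension is accepted when its extension-release ID= and VERSION_ID= (or SYSEXT_LEVEL=/CONFEXT_LEVEL=) match the host os-release, so with a constant VERSION_ID a stale extension built for any earlier release will keep merging after an upgrade, and the placeholder BUILD_ID makes images indistinguishable. The removed lines look like they intended shell expansion and just dropped the `$`; `VERSION_ID=${version}` and `BUILD_ID=${version}` (or a real build hash if one is available to the builder) would restore that.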