- Introduce tik encryption module

- Transition towards "openSUSE-less" branding

OBS-URL: https://build.opensuse.org/package/show/devel:microos:aeon:images/openSUSE-Aeon?expand=0&rev=19
Richard Brown 2024-07-24 12:41:35 +00:00 committed by Git OBS Bridge
commit ffc4db202a
8 changed files with 406 additions and 0 deletions

23
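--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text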

1
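--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc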

17
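--- /dev/null
+++ b/LICENSE
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.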

8
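--- /dev/null
+++ b/_constraints
+<constraints>
+<hardware>
+<disk>
+<size unit="G">20</size>
+</disk>
+</hardware>
+</constraints>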

230
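--- /dev/null
+++ b/config.sh
+#!/bin/bash
+# Copyright (c) 2020 SUSE LLC
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+#
+#======================================
+# Functions...
+#--------------------------------------
+test -f /.kconfig && . /.kconfig
+test -f /.profile && . /.profile
+set -euxo pipefail
+echo "Configure image: [$kiwi_iname]-[$kiwi_profiles]..."
+# Systemd controls the console font now
+echo FONT="eurlatgr.psfu" >> /etc/vconsole.conf
+#======================================
+# prepare for setting root pw, timezone
+#--------------------------------------
+echo "** reset machine settings"
+rm -f /etc/machine-id \
+/var/lib/zypp/AnonymousUniqueId \
+/var/lib/systemd/random-seed
+#======================================
+# Specify default systemd target
+#--------------------------------------
+baseSetRunlevel graphical.target
+#======================================
+# Import trusted rpm keys
+#--------------------------------------
+suseImportBuildKey
+#======================================
+# Set hostname by DHCP
+#--------------------------------------
+baseUpdateSysConfig /etc/sysconfig/network/dhcp DHCLIENT_SET_HOSTNAME yes
+# Add repos from /etc/YaST2/control.xml
+if [ -x /usr/sbin/add-yast-repos ]; then
+add-yast-repos
+zypper --non-interactive rm -u live-add-yast-repos
+fi
+# Adjust zypp conf
+sed -i 's/^multiversion =.*/multiversion =/g' /etc/zypp/zypp.conf
+#=====================================
+# Configure snapper
+#-------------------------------------
+if [ "${kiwi_btrfs_root_is_snapshot-false}" = 'true' ]; then
+echo "creating initial snapper config ..."
+cp /etc/snapper/config-templates/default /etc/snapper/configs/root \
+|| cp /usr/share/snapper/config-templates/default /etc/snapper/configs/root
+baseUpdateSysConfig /etc/sysconfig/snapper SNAPPER_CONFIGS root
+# Adjust parameters
+sed -i'' 's/^TIMELINE_CREATE=.*$/TIMELINE_CREATE="no"/g' /etc/snapper/configs/root
+sed -i'' 's/^NUMBER_LIMIT=.*$/NUMBER_LIMIT="2-10"/g' /etc/snapper/configs/root
+sed -i'' 's/^NUMBER_LIMIT_IMPORTANT=.*$/NUMBER_LIMIT_IMPORTANT="4-10"/g' /etc/snapper/configs/root
+fi
+#=====================================
+# Enable chrony if installed
+#-------------------------------------
+if [ -f /etc/chrony.conf ]; then
+systemctl enable chronyd
+fi
+#=====================================
+# Storage configuration
+#-------------------------------------
+# The %post script can't edit /etc/fstab sys due to https://github.com/OSInside/kiwi/issues/945
+# so use the kiwi custom hack
+cat >/etc/fstab.script <<"EOF"
+#!/bin/sh
+set -eux
+/usr/sbin/setup-fstab-for-overlayfs
+# ... set options for autoexpanding /home
+gawk -i inplace '$2 == "/home" { $4 = $4",x-systemd.growfs" } { print $0 }' /etc/fstab
+# workaround https://github.com/systemd/systemd/issues/927, drop the ro from the fstab mount
+gawk -i inplace '$2 == "/" && $4 == "compress=zstd:1,ro" { $4 = "compress=zstd:1" } { print $0 }' /etc/fstab
+EOF
+chmod a+x /etc/fstab.script
+#======================================
+# Enable NetworkManager
+#--------------------------------------
+systemctl enable NetworkManager
+#======================================
+# Disable recommends on virtual images (keep hardware supplements, see bsc#1089498)
+#--------------------------------------
+sed -i 's/.*solver.onlyRequires.*/solver.onlyRequires = true/g' /etc/zypp/zypp.conf
+#======================================
+# Disable installing documentation
+#--------------------------------------
+sed -i 's/.*rpm.install.excludedocs.*/rpm.install.excludedocs = yes/g' /etc/zypp/zypp.conf
+#======================================
+# Add default kernel boot options
+#--------------------------------------
+serialconsole='console=ttyS0,115200'
+cmdline=('quiet' 'loglevel=2' 'systemd.show_status=0' "${serialconsole}" 'console=tty0' 'vt.global_cursor_default=0')
+ignition_platform='metal'
+if [ -n "${ignition_platform}" ]; then
+cmdline+=("ignition.platform.id=${ignition_platform}")
+fi
+#======================================
+# If SELinux is installed, configure it like transactional-update setup-selinux
+#--------------------------------------
+if [[ -e /etc/selinux/config ]]; then
+cmdline+=("security=selinux selinux=1")
+# Adjust selinux config
+sed -i -e 's|^SELINUX=.*|SELINUX=enforcing|g' \
+-e 's|^SELINUXTYPE=.*|SELINUXTYPE=targeted|g' \
+"/etc/selinux/config"
+# Move an /.autorelabel file from initial installation to writeable location
+test -f /.autorelabel && mv /.autorelabel /etc/selinux/.autorelabel
+fi
+if [ -e /etc/default/grub ]; then
+sed -i "s#^GRUB_CMDLINE_LINUX_DEFAULT=.*\$#GRUB_CMDLINE_LINUX_DEFAULT=\"${cmdline[*]}\"#" /etc/default/grub
+else
+echo "${cmdline[*]}" > /etc/kernel/cmdline
+fi
+#======================================
+# tik specifics
+#--------------------------------------
+mkdir -p /ignition
+useradd -m tik
+usermod -aG wheel tik
+cat >> /etc/sudoers.d/51-tik << "EOF"
+tik ALL = (root) NOPASSWD: ALL
+EOF
+cat >> /etc/polkit-1/rules.d/10-tik.rules << "EOF"
+polkit.addRule(function(action, subject) {
+if (subject.user == "tik") {
+return polkit.Result.YES;
+}
+});
+EOF
+chown tik:users /ignition
+# SHOULD BE IN GNOME-BRANDING-TIK
+cat >> /usr/share/glib-2.0/schemas/31_tik.gschema.override << "EOF"
+[org.gnome.shell]
+favorite-apps=['']
+[org.gnome.desktop.session]
+idle-delay=0
+[org.gnome.desktop.screensaver]
+lock-enabled=false
+user-switch-enabled=false
+[org.gnome.settings-daemon.plugins.power]
+sleep-inactive-battery-type='nothing'
+sleep-inactive-ac-type='nothing'
+[org.gnome.desktop.lockdown]
+disable-lock-screen=true
+disable-log-out=true
+disable-printing=true
+disable-print-setup=true
+disable-user-switching=true
+user-administration-disabled=true
+EOF
+glib-compile-schemas /usr/share/glib-2.0/schemas/
+# GNOME-BRANDING-TIK end
+# tik-config-Aeon
+mkdir -p /home/tik/.local/share/applications/
+chown -R tik:users /home/tik/.local/
+cat >> /home/tik/.local/share/applications/org.opensuse.tik.desktop << "EOF"
+[Desktop Entry]
+Name=openSUSE Aeon Installer
+Comment=Installs openSUSE Aeon
+Exec=/usr/bin/tik
+Icon=distributor-logo-Aeon-symbolic
+Type=Application
+Categories=System;
+Name[en_GB]=openSUSE Aeon Installer
+EOF
+# tik-config-Aeon
+ln -s /home/tik/.local/share/applications/org.opensuse.tik.desktop /home/tik/.config/autostart/org.opensuse.tik.desktop
+rm /home/tik/.config/autostart/aeon-firstboot.desktop
+mkdir -p /home/tik/.config/gtk-3.0
+echo "file:///ignition" >> /home/tik/.config/gtk-3.0/bookmarks
+sed -i 's/DISPLAYMANAGER_AUTOLOGIN=""/DISPLAYMANAGER_AUTOLOGIN="tik"/' /etc/sysconfig/displaymanager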
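Review bot: The recursive `chown -R tik:users /home/tik/.local/` runs before `org.opensuse.tik.desktop`, the autostart symlink and `.config/gtk-3.0/bookmarks` are written, so those files are created by root and stay root-owned inside tik's home; moving the chown to the end of the tik section and extending it to `/home/tik/.config` fixes the ordering. Under `set -e` the bare `rm /home/tik/.config/autostart/aeon-firstboot.desktop` aborts the whole image build if that file is not shipped, and the `ln -s` just above it relies on `/home/tik/.config/autostart` already existing, presumably from a package; `rm -f` plus a `mkdir -p /home/tik/.config/autostart` before the `ln -s` would make the step idempotent. The sudoers drop-in, the catch-all polkit rule and the autologin together make the `tik` user root-equivalent on the installer image by design, but nothing says so; a comment at the top of the tik section such as `# installer user: passwordless root via sudo and polkit, autologin set below` would record that intent for the next maintainer.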

4
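--- /dev/null
+++ b/disk.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -euxo pipefail
+# Fix the filesystem label of the ignition partition, uppercase doesn't work with ignition
+e2label /dev/loop0p3 ignition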
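Review bot: The relabel targets the hard-coded `/dev/loop0p3`, so it relabels whatever happens to be the third partition of loop0 on the build host, and fails under `set -e` (or labels the wrong image) if loop0 is already taken or the partition order in openSUSE-Aeon.kiwi changes. Deriving the device from what kiwi hands this hook (I recall disk.sh receiving the disk device as its first argument, but confirm against the kiwi version in use) and locating the partition by its current label rather than a fixed index would be more robust. Failing that, a comment tying the index to its source, e.g. `# p3 == the 1G ext4 "ignition" partition declared in openSUSE-Aeon.kiwi`, would at least make the dependency visible.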

50
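--- /dev/null
+++ b/openSUSE-Aeon.changes
+-------------------------------------------------------------------
+Wed Jul 24 12:40:41 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Introduce tik encryption module
+- Transition towards "openSUSE-less" branding
+-------------------------------------------------------------------
+Fri May 24 13:30:21 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Correct ignition partition label to 'ignition'
+-------------------------------------------------------------------
+Wed May 22 11:07:36 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Remove unused disk.sh (no systemd-boot on installer)
+- Remove growfs from initrd
+- Remove ro mount option as can cause racy mount behaviour on boot
+-------------------------------------------------------------------
+Thu May 16 13:16:58 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Remove redundant relabelling (done better by kiwi now)
+- Shift growfs to initrd
+-------------------------------------------------------------------
+Thu May 16 12:51:10 UTC 2024 - Richard Brown <rbrown@suse.com>
+- libcontainers-common no longer uses storage = btrfs by default,
+neither should images
+-------------------------------------------------------------------
+Thu May 16 07:57:30 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Require tik-osimage-openSUSE-Aeon
+-------------------------------------------------------------------
+Wed May 15 08:17:59 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Prevent screen blanking during install
+-------------------------------------------------------------------
+Tue May 14 08:30:59 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Move optional tik-module-mig and -welcome from patterns-tik to
+image definition
+-------------------------------------------------------------------
+Wed Apr 10 07:51:11 UTC 2024 - Richard Brown <rbrown@suse.com>
+- Initial Packaging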

73
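--- /dev/null
+++ b/openSUSE-Aeon.kiwi
@@ -0,0 +1,73 @@
+<?xml version="1.0" encoding="utf-8"?>
+<image schemaversion="7.6" name="Aeon-Installer" displayname="Aeon Installer">
+<description type="system">
+<author>Richard Brown</author>
+<contact>rbrownsuse@opensuse.org</contact>
+<specification>Aeon Installer</specification>
+</description>
+<preferences>
+<version>0.1.0</version>
+<packagemanager>zypper</packagemanager>
+<rpm-excludedocs>true</rpm-excludedocs>
+<locale>en_US</locale>
+<type
+image="oem"
+filesystem="btrfs"
+fsmountoptions="compress=zstd:1"
+firmware="uefi"
+bootpartition="false"
+bootkernel="custom"
+devicepersistency="by-uuid"
+btrfs_root_is_subvolume="true"
+btrfs_root_is_snapshot="true"
+btrfs_root_is_readonly_snapshot="true"
+btrfs_quota_groups="true"
+rootfs_label="TIKINSTALL"
+>
+<bootloader name="grub2" console="gfxterm"/>
+<oemconfig>
+<oem-resize>false</oem-resize>
+</oemconfig>
+<systemdisk>
+<volume name="home"/>
+<volume name="root"/>
+<volume name="opt"/>
+<volume name="srv"/>
+<volume name="boot/grub2/i386-pc"/>
+<volume name="boot/grub2/x86_64-efi" mountpoint="boot/grub2/x86_64-efi"/>
+<volume name="boot/writable"/>
+<volume name="usr/local"/>
+<volume name="var" copy_on_write="false"/>
+</systemdisk>
+<partitions>
+<partition name="ignition" size="1G" mountpoint="/ignition" filesystem="ext4"/>
+</partitions>
+</type>
+</preferences>
+<repository type="rpm-md">
+<source path="obsrepositories:/"/>
+</repository>
+<packages type="image">
+<package name="live-add-yast-repos"/>
+<package name="patterns-tik-base"/>
+<package name="tik-module-welcome"/>
+<package name="tik-module-mig"/>
+<package name="tik-module-encrypt"/>
+<package name="tik-osimage-Aeon"/>
+</packages>
+<packages type="bootstrap">
+<!-- Avoid that zypper picks the busybox-foo variant for those, that would fail later -->
+<package name="coreutils"/>
+<package name="gawk"/>
+<package name="gzip"/>
+<package name="hostname"/>
+<!-- Avoid libressl -->
+<package name="openssl"/>
+<package name="filesystem"/>
+<package name="glibc-locale-base"/>
+<!-- So that https repos work for image package downloads -->
+<package name="ca-certificates-mozilla"/>
+<!-- TODO: Use the proper flavors once available -->
+<package name="Aeon-release"/>
+</packages>
+</image>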