[arch-releng] [PATCH] Initialize pacman keyring on bootup
This will allow users to install packages within the live environment. We use the haveged daemon to increase entropy from CPU timings. See http://www.issihosts.com/haveged/ for details. Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- configs/releng/packages.i686 | 1 + configs/releng/packages.x86_64 | 1 + configs/releng/root-image/etc/rc.conf | 2 +- configs/releng/root-image/etc/rc.d/pacman-init | 36 ++++++++++++++++++++++++ 4 Dateien geändert, 39 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) create mode 100755 configs/releng/root-image/etc/rc.d/pacman-init diff --git a/configs/releng/packages.i686 b/configs/releng/packages.i686 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.i686 +++ b/configs/releng/packages.i686 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/root-image/etc/rc.conf b/configs/releng/root-image/etc/rc.conf index a3e3d8a..90aa930 100644 --- a/configs/releng/root-image/etc/rc.conf +++ b/configs/releng/root-image/etc/rc.conf @@ -30,4 +30,4 @@ USELVM="no" HOSTNAME="archiso" -DAEMONS=(hwclock syslog-ng) +DAEMONS=(hwclock syslog-ng haveged pacman-init) diff --git a/configs/releng/root-image/etc/rc.d/pacman-init b/configs/releng/root-image/etc/rc.d/pacman-init new file mode 100755 index 0000000..1b8d93f --- /dev/null +++ b/configs/releng/root-image/etc/rc.d/pacman-init 
@@ -0,0 +1,36 @@ +#!/bin/bash + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + stat_busy "Initializing pacman keyring" + pacman-key --init >/dev/null 2>&1 \ + && pacman-key --populate archlinux >/dev/null 2>&1 + if [[ $? -gt 0 ]]; then + stat_fail + exit 1 + else + add_daemon pacman-init + stat_done + fi + ;; + + stop) + stat_busy "Removing pacman keyring" + rm -rf /etc/pacman.d/gnupg + rm_daemon pacman-init + stat_done + ;; + + restart) + $0 stop + $0 start + ;; + + *) + echo "usage: $0 {start|stop|restart" +esac + +exit 0 -- 1.7.10.4
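Review bot: The new DAEMONS line in rc.conf depends on ordering that nothing in the file documents: pacman-init generates a key pair and relies on the entropy haveged provides, so haveged has to stay ahead of pacman-init in the array. A one-line comment above DAEMONS stating that dependency would keep a later reorder from starting key generation before the entropy source is running.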
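Review bot: In the start) branch of rc.d/pacman-init, both pacman-key calls send stdout and stderr to /dev/null, so a failure shows only stat_fail with no cause, and a failing --populate archlinux leaves an initialized but unpopulated keyring in place. Consider keeping stderr and printing it on the failure path, and testing the command list directly in the if rather than checking $? afterwards. The stop) branch would benefit from a comment saying why rm -rf /etc/pacman.d/gnupg is wanted, and the usage string in the default branch is missing its closing brace after restart.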
On 18.06.2012 19:06, Pierre Schmitz wrote:
This will allow users to install packages within the live environment. We use the haveged daemon to increase entropy from CPU timings.
See http://www.issihosts.com/haveged/ for details.
Note: this patch assumes we use a pacman with my "pacman-key: Use lsign_keys function in --populate" patch applied.
Greetings,
Pierre
-- Pierre Schmitz, https://pierre-schmitz.com
On 06/18/2012 02:06 PM, Pierre Schmitz wrote:
This will allow users to install packages within the live environment. We use the haveged daemon to increase entropy from CPU timings.
See http://www.issihosts.com/haveged/ for details.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- configs/releng/packages.i686 | 1 + configs/releng/packages.x86_64 | 1 + configs/releng/root-image/etc/rc.conf | 2 +- configs/releng/root-image/etc/rc.d/pacman-init | 36 ++++++++++++++++++++++++ 4 Dateien geändert, 39 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) create mode 100755 configs/releng/root-image/etc/rc.d/pacman-init
diff --git a/configs/releng/packages.i686 b/configs/releng/packages.i686 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.i686 +++ b/configs/releng/packages.i686 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/root-image/etc/rc.conf b/configs/releng/root-image/etc/rc.conf index a3e3d8a..90aa930 100644 --- a/configs/releng/root-image/etc/rc.conf +++ b/configs/releng/root-image/etc/rc.conf @@ -30,4 +30,4 @@ USELVM="no"
HOSTNAME="archiso"
-DAEMONS=(hwclock syslog-ng) +DAEMONS=(hwclock syslog-ng haveged pacman-init) diff --git a/configs/releng/root-image/etc/rc.d/pacman-init b/configs/releng/root-image/etc/rc.d/pacman-init new file mode 100755 index 0000000..1b8d93f --- /dev/null +++ b/configs/releng/root-image/etc/rc.d/pacman-init @@ -0,0 +1,36 @@ +#!/bin/bash + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + stat_busy "Initializing pacman keyring" + pacman-key --init >/dev/null 2>&1 \ + && pacman-key --populate archlinux >/dev/null 2>&1 + if [[ $? -gt 0 ]]; then + stat_fail + exit 1 + else + add_daemon pacman-init + stat_done + fi + ;; + + stop) + stat_busy "Removing pacman keyring" + rm -rf /etc/pacman.d/gnupg + rm_daemon pacman-init + stat_done + ;; + + restart) + $0 stop + $0 start + ;; + + *) + echo "usage: $0 {start|stop|restart" +esac + +exit 0 looks good, your git repo URL?
-- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On 24.06.2012 01:22, Gerardo Exequiel Pozzi wrote:
looks good, your git repo URL?
I pushed it into a staging branch on github: https://github.com/pierres/archiso/tree/staging
This already includes the discussed changes.
-- Pierre Schmitz, https://pierre-schmitz.com
On 06/24/2012 06:18 AM, Pierre Schmitz wrote:
On 24.06.2012 01:22, Gerardo Exequiel Pozzi wrote:
looks good, your git repo URL?
I pushed it into a staging branch on github: https://github.com/pierres/archiso/tree/staging
This already includes the discussed changes.
For now, I added to master branch these commits:
Set UTC as default timezone
Use mirror_status to rank mirrors
Use pci.ids from the root image instead of downloading it every time
Fix creation of [core] repository
Use a default pacman.conf to build releng images
Use the host's package cache
Skipped (for this moment):
* Add arch-install-scripts
what about adding these scripts via one package on repos, instead of merge with archiso?
* Use pacman-key snapshot
looks good for a staging git repo only.
* Remove aif
looks like Dieter is a bit busy in these days, there are some pending patches for AIF, but I want to get at least one feedback from him.
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
Good luck!
-- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On 24.06.2012 22:58, Gerardo Exequiel Pozzi wrote:
On 06/24/2012 06:18 AM, Pierre Schmitz wrote:
On 24.06.2012 01:22, Gerardo Exequiel Pozzi wrote:
looks good, your git repo URL?
I pushed it into a staging branch on github: https://github.com/pierres/archiso/tree/staging
This already includes the discussed changes.
For now, I added to master branch these commits:
Set UTC as default timezone
Use mirror_status to rank mirrors
Use pci.ids from the root image instead of downloading it every time
Fix creation of [core] repository
Use a default pacman.conf to build releng images
Use the host's package cache
Skipped (for this moment):
* Add arch-install-scripts
what about adding these scripts via one package on repos, instead of merge with archiso?
Yes, this was not meant for merging. The idea is to have this as its own package. Just put it there to create an iso more easily.
* Use pacman-key snapshot
looks good for a staging git repo only.
We need to wait for a new pacman here.
* Remove aif
looks like Dieter is a bit busy in these days, there are some pending patches for AIF, but I want to get at least one feedback from him.
This also was just for building a testing iso. Those files I removed should be moved to the aif package though.
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
What is the downside of doing it automatically here? Everybody will have to do it manually otherwise. You won't only need this to install a system but also to use pacman within your live environment.
Greetings,
Pierre
-- Pierre Schmitz, https://pierre-schmitz.com
On 06/24/2012 06:24 PM, Pierre Schmitz wrote:
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
What is the downside of doing it automatically here? Everybody will have to do it manually otherwise. You won't only need this to install a system but also to use pacman within your live environment.
Greetings,
Pierre
Just to keep, the live-environment to the most default possible. I am more fan to setup pacman keyring at build time rather than at runtime, or there are any downside?
-- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On Mon, Jun 25, 2012 at 12:12 AM, Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> wrote:
On 06/24/2012 06:24 PM, Pierre Schmitz wrote:
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
What is the downside of doing it automatically here? Everybody will have to do it manually otherwise. You won't only need this to install a system but also to use pacman within your live environment.
Greetings,
Pierre
Just to keep, the live-environment to the most default possible. I am more fan to setup pacman keyring at build time rather than at runtime, or there are any downside?
We can't do it at runtime. Unless I'm misunderstanding something, that would mean we would ship the private keys needed to sign any packaging key. To turn it around (I'm inclined to agree with Pierre on this): is there any use-case where we don't need to be able to install packages from the live-environment (and hence don't need to generate the key)? -t
On 25.06.2012 00:12, Gerardo Exequiel Pozzi wrote:
On 06/24/2012 06:24 PM, Pierre Schmitz wrote:
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
What is the downside of doing it automatically here? Everybody will have to do it manually otherwise. You won't only need this to install a system but also to use pacman within your live environment.
Greetings,
Pierre
Just to keep, the live-environment to the most default possible. I am more fan to setup pacman keyring at build time rather than at runtime, or there are any downside?
The downside is that you cannot. It is very important that everybody has its own secret key and that it stays secret. If we ship a private key, everybody would be able to sign any package with it and pacman would accept this.
So we really need to create the key pair at runtime. And as everybody has to do it in order to use pacman (with signature verification enabled) we might as well script it.
I am not sure I get the statement about "default". By default pacman ships no keyring and asks you to create it right after installing. By automating this step the result won't be different.
Greetings,
Pierre
-- Pierre Schmitz, https://pierre-schmitz.com
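The constraint stated in the message above, that no secret key may ship inside the image, can be checked at build time. The following is an added example, not part of the thread or of archiso: it audits an unpacked image root for secret key material under etc/pacman.d/gnupg (the path the patch uses); the function name and the idea of running it against the root-image tree are assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): audit an unpacked live-image root for
# secret key material in pacman's GnuPG home before the image is shipped.
# Assumed layout: <root>/etc/pacman.d/gnupg, the directory the patch removes
# on "stop". The file names checked are GnuPG's own storage locations:
# secring.gpg (GnuPG 1.x/2.0) and private-keys-v1.d/*.key (GnuPG 2.1+).

# Prints each offending path; returns 0 if the tree is clean, 1 otherwise.
audit_pacman_keyring() {
    local root="$1"
    local home="$root/etc/pacman.d/gnupg"
    local found=0
    local f

    # No GnuPG home at all: nothing was generated at build time.
    [ -d "$home" ] || return 0

    # A non-empty secring.gpg means secret keys in the old keyring format.
    if [ -s "$home/secring.gpg" ]; then
        echo "secret keyring shipped: $home/secring.gpg"
        found=1
    fi

    # GnuPG 2.1+ keeps one file per secret key in private-keys-v1.d.
    if [ -d "$home/private-keys-v1.d" ]; then
        for f in "$home"/private-keys-v1.d/*.key; do
            # An unmatched glob stays literal; skip it.
            [ -e "$f" ] || continue
            echo "secret key shipped: $f"
            found=1
        done
    fi

    return "$found"
}
```

Run against the image root before packing it; a non-zero status means a key pair was created at build time and would be identical on every booted copy.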
On 06/24/2012 07:29 PM, Pierre Schmitz wrote:
On 25.06.2012 00:12, Gerardo Exequiel Pozzi wrote:
On 06/24/2012 06:24 PM, Pierre Schmitz wrote:
* Initialize pacman keyring on bootup
what about leaving pacman-key --init to the user or install script instead of doing things automatically?
What is the downside of doing it automatically here? Everybody will have to do it manually otherwise. You won't only need this to install a system but also to use pacman within your live environment.
Greetings,
Pierre
Just to keep, the live-environment to the most default possible. I am more fan to setup pacman keyring at build time rather than at runtime, or there are any downside?
The downside is that you cannot. It is very important that everybody has its own secret key and that it stays secret. If we ship a private key, everybody would be able to sign any package with it and pacman would accept this.
So we really need to create the key pair at runtime. And as everybody has to do it in order to use pacman (with signature verification enabled) we might as well script it.
OK. Thanks for your explanation :)
Maybe in a future, this "rc.d/pacman-init", can be part of the pacman pkg.
I am not sure I get the statement about "default". By default pacman ships no keyring and asks you to create it right after installing. By automating this step the result won't be different.
Greetings,
Pierre
-- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On 25.06.2012 01:31, Gerardo Exequiel Pozzi wrote:
Maybe in a future, this "rc.d/pacman-init", can be part of the pacman pkg.
This will never happen as it is specific to Arch Linux, our initscripts and kind of useless on a normal install. -- Pierre Schmitz, https://pierre-schmitz.com
On 06/24/2012 08:39 PM, Pierre Schmitz wrote:
On 25.06.2012 01:31, Gerardo Exequiel Pozzi wrote:
Maybe in a future, this "rc.d/pacman-init", can be part of the pacman pkg.
This will never happen as it is specific to Arch Linux, our initscripts and kind of useless on a normal install.
I talk about pacman pkg (specific to Arch Linux), not pacman itself. But of course, this is useless for normal install. pushing in a few minutes..
-- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
On Mon, Jun 18, 2012 at 07:06:02PM +0200, Pierre Schmitz wrote:
This will allow users to install packages within the live environment. We use the haveged daemon to increase entropy from CPU timings.
See http://www.issihosts.com/haveged/ for details.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- configs/releng/packages.i686 | 1 + configs/releng/packages.x86_64 | 1 + configs/releng/root-image/etc/rc.conf | 2 +- configs/releng/root-image/etc/rc.d/pacman-init | 36 ++++++++++++++++++++++++ 4 Dateien geändert, 39 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) create mode 100755 configs/releng/root-image/etc/rc.d/pacman-init
diff --git a/configs/releng/packages.i686 b/configs/releng/packages.i686 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.i686 +++ b/configs/releng/packages.i686 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/root-image/etc/rc.conf b/configs/releng/root-image/etc/rc.conf index a3e3d8a..90aa930 100644 --- a/configs/releng/root-image/etc/rc.conf +++ b/configs/releng/root-image/etc/rc.conf @@ -30,4 +30,4 @@ USELVM="no"
HOSTNAME="archiso"
-DAEMONS=(hwclock syslog-ng) +DAEMONS=(hwclock syslog-ng haveged pacman-init) diff --git a/configs/releng/root-image/etc/rc.d/pacman-init b/configs/releng/root-image/etc/rc.d/pacman-init new file mode 100755 index 0000000..1b8d93f --- /dev/null +++ b/configs/releng/root-image/etc/rc.d/pacman-init @@ -0,0 +1,36 @@ +#!/bin/bash + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + stat_busy "Initializing pacman keyring" + pacman-key --init >/dev/null 2>&1 \ + && pacman-key --populate archlinux >/dev/null 2>&1 + if [[ $? -gt 0 ]]; then
This is a lot more natural if you put the success condition first.
    if { cmd1 && cmd2; } &>/dev/null; then
      # success
    else
      # fail
    fi
+ stat_fail + exit 1 + else + add_daemon pacman-init + stat_done + fi + ;; + + stop) + stat_busy "Removing pacman keyring" + rm -rf /etc/pacman.d/gnupg + rm_daemon pacman-init + stat_done + ;;
This just blows my mind. I realize that this script will never live outside a liveCD, but why? What's the use case where you'd want to destroy this?
+ + restart) + $0 stop + $0 start + ;; + + *) + echo "usage: $0 {start|stop|restart"
sed 's/"$/}"/'
+esac + +exit 0 -- 1.7.10.4
On 24.06.2012 02:06, Dave Reisner wrote:
On Mon, Jun 18, 2012 at 07:06:02PM +0200, Pierre Schmitz wrote:
This will allow users to install packages within the live environment. We use the haveged daemon to increase entropy from CPU timings.
See http://www.issihosts.com/haveged/ for details.
Signed-off-by: Pierre Schmitz <pierre@archlinux.de> --- configs/releng/packages.i686 | 1 + configs/releng/packages.x86_64 | 1 + configs/releng/root-image/etc/rc.conf | 2 +- configs/releng/root-image/etc/rc.d/pacman-init | 36 ++++++++++++++++++++++++ 4 Dateien geändert, 39 Zeilen hinzugefügt(+), 1 Zeile entfernt(-) create mode 100755 configs/releng/root-image/etc/rc.d/pacman-init
diff --git a/configs/releng/packages.i686 b/configs/releng/packages.i686 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.i686 +++ b/configs/releng/packages.i686 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/packages.x86_64 b/configs/releng/packages.x86_64 index 4e29737..6012e7c 100644 --- a/configs/releng/packages.x86_64 +++ b/configs/releng/packages.x86_64 @@ -14,6 +14,7 @@ efibootmgr elinks gnu-netcat gptfdisk +haveged hdparm ipw2100-fw ipw2200-fw diff --git a/configs/releng/root-image/etc/rc.conf b/configs/releng/root-image/etc/rc.conf index a3e3d8a..90aa930 100644 --- a/configs/releng/root-image/etc/rc.conf +++ b/configs/releng/root-image/etc/rc.conf @@ -30,4 +30,4 @@ USELVM="no"
HOSTNAME="archiso"
-DAEMONS=(hwclock syslog-ng) +DAEMONS=(hwclock syslog-ng haveged pacman-init) diff --git a/configs/releng/root-image/etc/rc.d/pacman-init b/configs/releng/root-image/etc/rc.d/pacman-init new file mode 100755 index 0000000..1b8d93f --- /dev/null +++ b/configs/releng/root-image/etc/rc.d/pacman-init @@ -0,0 +1,36 @@ +#!/bin/bash + +. /etc/rc.conf +. /etc/rc.d/functions + +case "$1" in + start) + stat_busy "Initializing pacman keyring" + pacman-key --init >/dev/null 2>&1 \ + && pacman-key --populate archlinux >/dev/null 2>&1 + if [[ $? -gt 0 ]]; then
This is a lot more natural if you put the success condition first.
    if { cmd1 && cmd2; } &>/dev/null; then
      # success
    else
      # fail
    fi
updated; this was just taken from the rc script prototype which uses this order for unknown reasons.
+ stat_fail + exit 1 + else + add_daemon pacman-init + stat_done + fi + ;; + + stop) + stat_busy "Removing pacman keyring" + rm -rf /etc/pacman.d/gnupg + rm_daemon pacman-init + stat_done + ;;
This just blows my mind. I realize that this script will never live outside a liveCD, but why? What's the use case where you'd want to destroy this?
There are no strong reasons for doing this; are there any downsides? Besides from symmetry reasons I wanted to "make sure" that the key won't get stored on a persistent device by accident (don't know if we support this atm). But the main reason was that you could easily recreate the key by running restart (e.g. when you want to use better random number or whatever)
Anyway, if this breaks things, we can just remove this; it's not important.
+ + restart) + $0 stop + $0 start + ;; + + *) + echo "usage: $0 {start|stop|restart"
sed 's/"$/}"/'
fixed
+esac + +exit 0 -- 1.7.10.4
-- Pierre Schmitz, https://pierre-schmitz.com
On 06/24/2012 06:22 AM, Pierre Schmitz wrote:
+ stat_fail + exit 1 + else + add_daemon pacman-init + stat_done + fi + ;; + + stop) + stat_busy "Removing pacman keyring" + rm -rf /etc/pacman.d/gnupg + rm_daemon pacman-init + stat_done + ;;
This just blows my mind. I realize that this script will never live outside a liveCD, but why? What's the use case where you'd want to destroy this?
There are no strong reasons for doing this; are there any downsides? Besides from symmetry reasons I wanted to "make sure" that the key won't get stored on a persistent device by accident (don't know if we support this atm). But the main reason was that you could easily recreate the key by running restart (e.g. when you want to use better random number or whatever)
persistent is supported via cow_label= OR cow_device= bootparms ;) -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
participants (4)
- Dave Reisner
- Gerardo Exequiel Pozzi
- Pierre Schmitz
- Tom Gundersen