[arch-releng] [RFC] Enable headless installation
Implements FS#32064 Feedback is really welcomed :)
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+) diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 UI boot/syslinux/vesamenu.c32 MENU TITLE Arch Linux MENU BACKGROUND boot/syslinux/splash.png diff --git a/configs/releng/syslinux/archiso_head.cfg b/configs/releng/syslinux/archiso_head.cfg index faa2588..43cda16 100644 --- a/configs/releng/syslinux/archiso_head.cfg +++ b/configs/releng/syslinux/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 UI boot/syslinux/vesamenu.c32 MENU TITLE Arch Linux MENU BACKGROUND boot/syslinux/splash.png -- 1.8.0
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300
I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
On 10/26/2012 05:42 AM, Thomas Bächler wrote:
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
Beyond the "headless"... I think we should be consistent, currently gummiboot has a timeout of 3 seconds. What I want to say is, or apply timeout for syslinux or remove from gummiboot. -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
Am 26.10.2012 16:09, schrieb Gerardo Exequiel Pozzi:
On 10/26/2012 05:42 AM, Thomas Bächler wrote:
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
Beyond the "headless"... I think we should be consistent, currently gummiboot has a timeout of 3 seconds. What I want to say is, or apply timeout for syslinux or remove from gummiboot.
I would lean towards disabling the timeouts when possible. -- Pierre Schmitz, https://pierre-schmitz.com
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/root-image/root/customize_root_image.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/configs/releng/root-image/root/customize_root_image.sh b/configs/releng/root-image/root/customize_root_image.sh index cc47845..20d553c 100755 --- a/configs/releng/root-image/root/customize_root_image.sh +++ b/configs/releng/root-image/root/customize_root_image.sh @@ -9,8 +9,10 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime usermod -s /bin/zsh root cp -aT /etc/skel/ /root/ +echo "root:root" | chpasswd useradd -m -p "" -g users -G "adm,audio,floppy,log,network,rfkill,scanner,storage,optical,power,wheel" -s /bin/zsh arch +echo "arch:arch" | chpasswd chmod 750 /etc/sudoers.d chmod 440 /etc/sudoers.d/g_wheel -- 1.8.0
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
usermod -s /bin/zsh root cp -aT /etc/skel/ /root/ +echo "root:root" | chpasswd
useradd -m -p "" -g users -G "adm,audio,floppy,log,network,rfkill,scanner,storage,optical,power,wheel" -s /bin/zsh arch +echo "arch:arch" | chpasswd
chmod 750 /etc/sudoers.d chmod 440 /etc/sudoers.d/g_wheel
I'd rather have PermitEmptyPasswords in sshd_config. A default password will be more confusing on the console.
Signed-off-by: Gerardo Exequiel Pozzi <vmlinuz386@yahoo.com.ar> --- configs/releng/root-image/root/customize_root_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configs/releng/root-image/root/customize_root_image.sh b/configs/releng/root-image/root/customize_root_image.sh index 20d553c..552d7ab 100755 --- a/configs/releng/root-image/root/customize_root_image.sh +++ b/configs/releng/root-image/root/customize_root_image.sh @@ -24,4 +24,4 @@ sed 's#\(^ExecStart=-/sbin/agetty\)#\1 --autologin root#; /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin@.service systemctl disable getty@tty1.service -systemctl enable multi-user.target pacman-init.service autologin@.service dhcpcd.service +systemctl enable multi-user.target pacman-init.service autologin@.service dhcpcd.service sshd.socket -- 1.8.0
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Implements FS#32064
Feedback is really welcomed :)
So, installation over serial console is not enough and it has to be truely headless?
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Implements FS#32064
Feedback is really welcomed :)
I think we should not implement this feature request. For headless installations you should use a serial console or an equivalent setup. Starting up sshd and hoping for the best is too fragile to actually really support this scenario. But the biggest concern is security here. We open up a password-less root access here without telling the user or giving him any control over it. This might not be a big deal on your local lan, but it is a big issue if you are on e.g. an university network, a conference or even worse: you want to setup a new server which is directly connected to the net. Knowing that bots are constantly scanning for open or weak ssh servers this risk is not that esoteric. To sum things up: Our iso should try to be least intrusive as possible. Do not alter any settings on the host system and do not listen on any port. Greetings, Pierre -- Pierre Schmitz, https://pierre-schmitz.com
On 10/26/2012 06:51 AM, Pierre Schmitz wrote:
Am 26.10.2012 04:32, schrieb Gerardo Exequiel Pozzi:
Implements FS#32064
Feedback is really welcomed :) I think we should not implement this feature request. For headless installations you should use a serial console or an equivalent setup. Starting up sshd and hoping for the best is too fragile to actually really support this scenario.
But the biggest concern is security here. We open up a password-less root access here without telling the user or giving him any control over it. This might not be a big deal on your local lan, but it is a big issue if you are on e.g. an university network, a conference or even worse: you want to setup a new server which is directly connected to the net. Knowing that bots are constantly scanning for open or weak ssh servers this risk is not that esoteric.
To sum things up: Our iso should try to be least intrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I thinking about this ... I agree with you. -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
Am 26.10.2012 16:11, schrieb Gerardo Exequiel Pozzi:
To sum things up: Our iso should try to be least intrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal. More details here: http://0pointer.de/blog/projects/serial-console.html
On 10/26/2012 11:31 AM, Thomas Bächler wrote:
Am 26.10.2012 16:11, schrieb Gerardo Exequiel Pozzi:
To sum things up: Our iso should try to be least intrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Yes sounds good enabling by default. However I have a question here: automated script mechanism where should be run? Currently if script= bootparam is present this script allways on one time in tty1. -- Gerardo Exequiel Pozzi \cos^2\alpha + \sin^2\alpha = 1
Am 26.10.2012 16:39, schrieb Gerardo Exequiel Pozzi:
Yes sounds good enabling by default.
However I have a question here: automated script mechanism where should be run? Currently if script= bootparam is present this script allways on one time in tty1.
Maybe look at console= - this wouldn't work for people who fail to add it in the bootloader, but for everyone else.
Am 26.10.2012 16:31, schrieb Thomas Bächler:
Am 26.10.2012 16:11, schrieb Gerardo Exequiel Pozzi:
To sum things up: Our iso should try to be least intrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Do we also enable serial console in syslinux, memtest etc. atm? (at least I did not find it) -- Pierre Schmitz, https://pierre-schmitz.com
Am 28.10.2012 09:16, schrieb Pierre Schmitz:
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Do we also enable serial console in syslinux, memtest etc. atm? (at least I did not find it)
I tested with qemu: Serial Console is currently enabled, I booted with isolinux and syslinux to test it.
participants (3)
-
Gerardo Exequiel Pozzi
-
Pierre Schmitz
-
Thomas Bächler