Implements FS#32064
Feedback is really welcomed :)
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar --- configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 UI boot/syslinux/vesamenu.c32 MENU TITLE Arch Linux MENU BACKGROUND boot/syslinux/splash.png diff --git a/configs/releng/syslinux/archiso_head.cfg b/configs/releng/syslinux/archiso_head.cfg index faa2588..43cda16 100644 --- a/configs/releng/syslinux/archiso_head.cfg +++ b/configs/releng/syslinux/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300 UI boot/syslinux/vesamenu.c32 MENU TITLE Arch Linux MENU BACKGROUND boot/syslinux/splash.png
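Review bot: The added TIMEOUT 300 line in both archiso_head.cfg hunks has no comment giving its unit or saying which entry boots when it expires. Syslinux counts TIMEOUT in tenths of a second, so 300 is 30 seconds, and neither hunk's context shows a DEFAULT or ONTIMEOUT line. Suggest a comment recording the 30-second intent and confirming which menu entry is the timed-out default, because with the sshd.socket change later in this series an unattended boot ends with a network service listening.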
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar
configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300
I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
On 10/26/2012 05:42 AM, Thomas Bächler wrote:
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar
configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300
I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
Beyond the "headless"... I think we should be consistent; currently gummiboot has a timeout of 3 seconds. What I want to say is: either apply a timeout for syslinux or remove it from gummiboot.
On 26.10.2012 16:09, Gerardo Exequiel Pozzi wrote:
On 10/26/2012 05:42 AM, Thomas Bächler wrote:
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar
configs/releng/syslinux.dual/archiso_head.cfg | 1 + configs/releng/syslinux/archiso_head.cfg | 1 + 2 files changed, 2 insertions(+)
diff --git a/configs/releng/syslinux.dual/archiso_head.cfg b/configs/releng/syslinux.dual/archiso_head.cfg index 81ad26e..4b53cf4 100644 --- a/configs/releng/syslinux.dual/archiso_head.cfg +++ b/configs/releng/syslinux.dual/archiso_head.cfg @@ -1,4 +1,5 @@ SERIAL 0 38400 +TIMEOUT 300
I suppose this is necessary for headless installations, but it is undesirable for interactive ones. I don't like it, but I feel it's the only choice.
Beyond the "headless"... I think we should be consistent; currently gummiboot has a timeout of 3 seconds. What I want to say is: either apply a timeout for syslinux or remove it from gummiboot.
I would lean towards disabling the timeouts when possible.
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar --- configs/releng/root-image/root/customize_root_image.sh | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/configs/releng/root-image/root/customize_root_image.sh b/configs/releng/root-image/root/customize_root_image.sh index cc47845..20d553c 100755 --- a/configs/releng/root-image/root/customize_root_image.sh +++ b/configs/releng/root-image/root/customize_root_image.sh @@ -9,8 +9,10 @@ ln -sf /usr/share/zoneinfo/UTC /etc/localtime
usermod -s /bin/zsh root cp -aT /etc/skel/ /root/ +echo "root:root" | chpasswd
useradd -m -p "" -g users -G "adm,audio,floppy,log,network,rfkill,scanner,storage,optical,power,wheel" -s /bin/zsh arch +echo "arch:arch" | chpasswd
chmod 750 /etc/sudoers.d chmod 440 /etc/sudoers.d/g_wheel
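Review bot: The two added chpasswd lines, one after cp -aT /etc/skel/ /root/ and one after useradd, give root and arch passwords equal to their account names, identical in every image built from this script, and arch is in wheel with /etc/sudoers.d/g_wheel installed just below. Once sshd is enabled on the live medium, anyone who can reach the port can log in with them. Suggest dropping both lines and requiring a password to be set with passwd from the console before any remote login is accepted, or at least documenting the credentials where the user sees them at boot.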
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
usermod -s /bin/zsh root cp -aT /etc/skel/ /root/ +echo "root:root" | chpasswd
useradd -m -p "" -g users -G "adm,audio,floppy,log,network,rfkill,scanner,storage,optical,power,wheel" -s /bin/zsh arch +echo "arch:arch" | chpasswd
chmod 750 /etc/sudoers.d chmod 440 /etc/sudoers.d/g_wheel
I'd rather have PermitEmptyPasswords in sshd_config. A default password will be more confusing on the console.
Signed-off-by: Gerardo Exequiel Pozzi vmlinuz386@yahoo.com.ar --- configs/releng/root-image/root/customize_root_image.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/configs/releng/root-image/root/customize_root_image.sh b/configs/releng/root-image/root/customize_root_image.sh index 20d553c..552d7ab 100755 --- a/configs/releng/root-image/root/customize_root_image.sh +++ b/configs/releng/root-image/root/customize_root_image.sh @@ -24,4 +24,4 @@ sed 's#(^ExecStart=-/sbin/agetty)#\1 --autologin root#; /usr/lib/systemd/system/getty@.service > /etc/systemd/system/autologin@.service
systemctl disable getty@tty1.service -systemctl enable multi-user.target pacman-init.service autologin@.service dhcpcd.service +systemctl enable multi-user.target pacman-init.service autologin@.service dhcpcd.service sshd.socket
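Review bot: Adding sshd.socket to the systemctl enable line makes every boot of the image listen for SSH with no boot parameter or other opt-in, while the autologin@.service context above shows root is logged in on the console without a password. Suggest leaving sshd.socket out of the default enable list and starting it only on an explicit request, for example a boot parameter handled at startup or a manual systemctl start sshd.socket after a password has been set.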
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Implements FS#32064
Feedback is really welcomed :)
So, installation over serial console is not enough and it has to be truly headless?
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Implements FS#32064
Feedback is really welcomed :)
I think we should not implement this feature request. For headless installations you should use a serial console or an equivalent setup. Starting up sshd and hoping for the best is too fragile to actually really support this scenario.
But the biggest concern is security here. We open up password-less root access here without telling the user or giving him any control over it. This might not be a big deal on your local LAN, but it is a big issue if you are on e.g. a university network, a conference or even worse: you want to set up a new server which is directly connected to the net. Knowing that bots are constantly scanning for open or weak SSH servers, this risk is not that esoteric.
To sum things up: Our ISO should try to be as unintrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
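A build-time check for the combination described in the message above, added here as an example (it is not part of the original thread or of archiso): it inspects an unpacked root image for sshd enabled at boot, empty password fields, and PermitEmptyPasswords yes. The function names and the unit and file paths are assumptions based on a standard systemd and OpenSSH layout; Match blocks and Include files in sshd_config are not evaluated.

```shell
#!/bin/sh
# Audit an unpacked live-image root tree for remote, unauthenticated shell access.
# Added example; paths assume a standard systemd + OpenSSH layout.

# Print accounts in ROOT/etc/shadow whose password field is empty.
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow" 2>/dev/null
}

# Succeed if sshd.socket or sshd.service is linked into any *.wants directory.
sshd_enabled() {
    for unit in sshd.socket sshd.service; do
        for link in "$1"/etc/systemd/system/*.wants/"$unit"; do
            [ -L "$link" ] && return 0
        done
    done
    return 1
}

# Succeed if sshd_config sets PermitEmptyPasswords yes.
# sshd uses the first value it reads for a keyword, so stop at the first match.
empty_passwords_permitted() {
    awk 'tolower($1) == "permitemptypasswords" { print tolower($2); exit }' \
        "$1/etc/ssh/sshd_config" 2>/dev/null | grep -qx yes
}

# Return 0 = nothing listening, 1 = sshd listens at boot, 2 = listens and
# accepts at least one account with an empty password.
audit_live_root() {
    root=$1
    users=$(empty_password_users "$root" | tr '\n' ' ')
    if ! sshd_enabled "$root"; then
        echo "ok: sshd not enabled at boot"; return 0
    fi
    if [ -n "$users" ] && empty_passwords_permitted "$root"; then
        echo "FAIL: sshd enabled, empty passwords accepted for: $users"; return 2
    fi
    echo "warn: sshd enabled at boot (listening port on the live medium)"; return 1
}

# Usage: sh audit.sh /path/to/unpacked/root-image
if [ $# -gt 0 ]; then audit_live_root "$1"; fi
```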
On 10/26/2012 06:51 AM, Pierre Schmitz wrote:
On 26.10.2012 04:32, Gerardo Exequiel Pozzi wrote:
Implements FS#32064
Feedback is really welcomed :)
I think we should not implement this feature request. For headless installations you should use a serial console or an equivalent setup. Starting up sshd and hoping for the best is too fragile to actually really support this scenario.
But the biggest concern is security here. We open up password-less root access here without telling the user or giving him any control over it. This might not be a big deal on your local LAN, but it is a big issue if you are on e.g. a university network, a conference or even worse: you want to set up a new server which is directly connected to the net. Knowing that bots are constantly scanning for open or weak SSH servers, this risk is not that esoteric.
To sum things up: Our ISO should try to be as unintrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I was thinking about this ...
I agree with you.
On 26.10.2012 16:11, Gerardo Exequiel Pozzi wrote:
To sum things up: Our ISO should try to be as unintrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I was thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
On 10/26/2012 11:31 AM, Thomas Bächler wrote:
On 26.10.2012 16:11, Gerardo Exequiel Pozzi wrote:
To sum things up: Our ISO should try to be as unintrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I was thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Yes, enabling it by default sounds good.
However, I have a question here: where should the automated script mechanism be run? Currently, if the script= boot parameter is present, this script always runs one time on tty1.
On 26.10.2012 16:39, Gerardo Exequiel Pozzi wrote:
Yes, enabling it by default sounds good.
However, I have a question here: where should the automated script mechanism be run? Currently, if the script= boot parameter is present, this script always runs one time on tty1.
Maybe look at console= - this wouldn't work for people who fail to add it in the bootloader, but for everyone else.
On 26.10.2012 16:31, Thomas Bächler wrote:
On 26.10.2012 16:11, Gerardo Exequiel Pozzi wrote:
To sum things up: Our ISO should try to be as unintrusive as possible. Do not alter any settings on the host system and do not listen on any port.
Greetings,
Pierre
Last night, before going to sleep, I was thinking about this ...
I agree with you.
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Do we also enable serial console in syslinux, memtest etc. atm? (at least I did not find it)
On 28.10.2012 09:16, Pierre Schmitz wrote:
We should also enable serial-getty@ttyS0.service by default - it has no [Install] section, so we have to create the symlink manually. Even if someone doesn't know how to put console=ttyS0 in the bootloader from serial, they'll get a terminal.
More details here: http://0pointer.de/blog/projects/serial-console.html
Do we also enable serial console in syslinux, memtest etc. atm? (at least I did not find it)
I tested with qemu: Serial Console is currently enabled, I booted with isolinux and syslinux to test it.
arch-releng@lists.archlinux.org