-rw-r--r--.gitignore2
-rw-r--r--EFI/BOOT/grub-embedded.cfg3
-rw-r--r--EFI/BOOT/grub.cfg1
-rw-r--r--EFI/BOOT/help.txt28
-rw-r--r--EFI/BOOT/make-grub.sh8
-rw-r--r--README.txt371
-rw-r--r--contrib/scripts/makemod_wine28
-rw-r--r--grub.tpl16
-rw-r--r--iso2usb.sh305
-rw-r--r--isocomp.sh921
-rw-r--r--liveinit.tpl711
-rwxr-xr-xmake_slackware_live.sh686
l---------media/ktown/bg/background.jpg1
-rw-r--r--media/ktown/bg/rauwven.jpgbin0 -> 646172 bytes
l---------media/lean/bg/background.jpg2
-rw-r--r--media/lean/bg/bretagnecancale.jpgbin0 -> 1087088 bytes
-rw-r--r--media/lean/bg/demortelen.jpgbin0 -> 984364 bytes
-rw-r--r--media/lean/bg/groedezeeland.jpgbin0 -> 313523 bytes
-rw-r--r--media/lean/bg/landgoedgrotebeek.jpgbin0 -> 843023 bytes
-rw-r--r--media/lean/bg/montsaintmichel.jpgbin0 -> 307962 bytes
-rw-r--r--media/lean/bg/ruwenberg.jpgbin0 -> 486254 bytes
-rw-r--r--media/lean/bg/theme2
-rw-r--r--media/lean/bg/willibrordhaeghe.jpgbin0 -> 305255 bytes
-rw-r--r--pkglists/alien.lst10
-rw-r--r--pkglists/cinnamon.lst6
-rw-r--r--pkglists/ktown.conf4
-rw-r--r--pkglists/ktown.lst661
-rw-r--r--pkglists/ktownalien.lst1
-rw-r--r--pkglists/ktownslack.lst24
-rw-r--r--pkglists/mate.lst2
-rw-r--r--pkglists/min.lst24
-rw-r--r--pkglists/multilib.lst24
-rw-r--r--pkglists/noxbase.lst25
-rw-r--r--pkglists/secureboot.conf12
-rw-r--r--pkglists/secureboot.lst3
-rw-r--r--pkglists/x_base.lst31
-rw-r--r--pkglists/xapbase.lst39
-rw-r--r--pkglists/z00_plasma5supp.lst77
-rw-r--r--pkglists/z01_plasma5base.lst22
-rw-r--r--pkglists/z01_plasma5extra.lst3
-rw-r--r--pkglists/z01_swdev.lst15
-rw-r--r--pkglists/z02_alien4daw.lst2
-rw-r--r--pkglists/z02_alienrest4daw.lst1
-rw-r--r--pkglists/z03_daw.lst35
-rwxr-xr-xpxeserver.tpl159
-rw-r--r--setup2hd.local.tpl7
-rwxr-xr-xsetup2hd.tpl22
-rw-r--r--setup2hd/SeTfirewall.tpl704
-rw-r--r--setup2hd/rc.firewall.tpl141
-rw-r--r--setup2hd/setup.liveslak.tpl26
-rw-r--r--setup2hd/setup.slackware.tpl4
-rw-r--r--syslinux/f2.txt4
-rw-r--r--syslinux/f3.txt29
-rw-r--r--syslinux/f4.txt2
-rw-r--r--upslak.sh537
-rw-r--r--xdm/Xresources24
56 files changed, 4854 insertions, 911 deletions
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..446abd8
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+prep.sh
+
diff --git a/EFI/BOOT/grub-embedded.cfg b/EFI/BOOT/grub-embedded.cfg
index 917672f..cc2098e 100644
--- a/EFI/BOOT/grub-embedded.cfg
+++ b/EFI/BOOT/grub-embedded.cfg
@@ -1 +1,4 @@
search --file --no-floppy --set=root /EFI/BOOT/SLACKWARELIVE
+if [ -e ($root)/EFI/BOOT/grub.cfg ]; then
+ set prefix=($root)/EFI/BOOT
+fi
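Review bot: The added `if` takes `$root` from the `search --file` on the line above, which settles on the first device that carries the marker file `/EFI/BOOT/SLACKWARELIVE`, so with more than one such medium attached the prefix (and the grub.cfg read from it) may come from a different disk than the one this EFI image was started from. The grub.cfg found through that prefix is plain text and presumably not signature-checked, which is worth stating now that the image is built for Secure Boot. I would put a comment above the test, `# $root is set by the marker-file search above: first matching device wins, grub.cfg on it is not verified`, and add an `else` branch that echoes which prefix is kept when grub.cfg is absent. The literal `/EFI/BOOT` in these lines is also rewritten by make-grub.sh, which deserves a one-line comment here so nobody changes one side without the other.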
diff --git a/EFI/BOOT/grub.cfg b/EFI/BOOT/grub.cfg
deleted file mode 100644
index 63e7c80..0000000
--- a/EFI/BOOT/grub.cfg
+++ /dev/null
@@ -1 +0,0 @@
-source $prefix/menu/grub.cfg
diff --git a/EFI/BOOT/help.txt b/EFI/BOOT/help.txt
index cb35533..ea24562 100644
--- a/EFI/BOOT/help.txt
+++ b/EFI/BOOT/help.txt
@@ -10,11 +10,15 @@ To boot with default values just press ENTER.
kbd=fr xkb=ch,fr => Example of custom X keyboard layout.
livepw="somestring" => Change the password for user "live".
+ The password is passed as a cleartext string.
+ You can pass an empty string (livepw=) to remove the password.
locale=nl_NL kbd=nl tz=Europe/Amsterdam => Example of language,
keyboard and/or timezone customization.
rootpw="somestring" => Change the password for user "root".
+ The password is passed as a cleartext string.
+ You can pass an empty string (rootpw=) to remove the password.
=== Custom software ===
@@ -52,8 +56,10 @@ localhd => initialize RAID/LVM on local hard drives.
tweaks=tweak1[,tweak2,[,...]] => Implemented tweaks:
nga - no glamor 2D acceleration, avoids error "EGL_MESA_drm_image required".
+ nsh - no sub-pixel hinting in freetype.
tpb - enable TrackPoint scrolling while holding down middle mouse button.
syn - start the syndaemon for better support of Synaptics touchpads.
+ ssh - start SSH daemon (disabled by default).
nomodeset => Boot without kernel mode setting, needed with
some machines.
@@ -83,7 +89,8 @@ livemedia=/dev/sdX => Tell the init script which partition
become necessary if you have another copy of Slackware Live
installed in another partition.
-livemedia=/dev/sdX:/path/to/live.iso => Use this if you want to
+livemedia=/dev/sdX:/path/to/live.iso
+livemedia=scandev:/path/to/live.iso => Use this if you want to
load the live OS from an ISO file on a local harddisk partition.
livemain=directoryname => Use this if you copied the content
@@ -94,19 +101,34 @@ luksvol=file1[:/mountpoint1][,file1[:/mountpoint2],...] =>
Multiple files should be separated with comma.
Specify "luksvol=" to *prevent* mounting any LUKS container.
-nop => No persistence, i.e. boot the virgin installation in
- case your "persistence" directory got corrupted.
+nop => No persistence, i.e. boot the virgin installation in
+ case your "persistence" directory got corrupted.
+ If you want to ignore any persistent data during boot,
+ including LUKS data, specify "nop luksvol=" .
+
+nop=wipe => Wipe all data from persistence directory or container.
+ Useful in cases where your persistent data got corrupted.
persistence=directoryname => Use this if you want to use
a different directory than "persistence" for storing
persistent data.
+persistence=/dev/sdX:/path/to/mypersistence
+persistence=scandev:/path/to/mypersistence => Use this if
+ the persistence directory or container is not located on the USB stick,
+ but on a local hard disk partition. Useful for network (PXE) boot
+ where you still want to offer users persistence.
+
toram => copy the OS from the media to to RAM before running it.
You can remove the boot media after booting.
toram=all => Prevent writes to disk since we are supposed to
run from RAM; equivalent to parameter "toram".
+toram=core => Load Console OS modules into RAM. Console-only Slackware
+ loads fast, contains 'setup2hd' and frees up your USB drive so you can
+ overwrite it with a Persistent Live OS.
+
toram=os => Load OS modules into RAM, but write persistent data to USB.
=== Troubleshooting ===
diff --git a/EFI/BOOT/make-grub.sh b/EFI/BOOT/make-grub.sh
index 6575ea7..ddf9f68 100644
--- a/EFI/BOOT/make-grub.sh
+++ b/EFI/BOOT/make-grub.sh
@@ -37,6 +37,9 @@ EFIFORM=${EFIFORM:-"x86_64"}
EFISUFF=${EFISUFF:-"x64"}
EFIDIR=${EFIDIR:-"/EFI/BOOT"}
+# Fix the path in grub-ebedded.cfg if needed:
+sed -e "s,/EFI/BOOT,${EFIDIR}," -i grub-embedded.cfg
+
echo
echo "Building ${EFIDIR}/boot${EFISUFF}.efi and /boot/syslinux/efiboot.img."
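Review bot: The added `sed ... -i grub-embedded.cfg` rewrites the tracked source file in place, so after one run with a non-default EFIDIR the literal `/EFI/BOOT` is gone and a later run with a different value substitutes nothing, while the work tree is left modified. `${EFIDIR}` comes from the environment and is pasted unescaped into the sed expression, so a value containing `,` or `&` alters the expression rather than the path. Writing a scratch copy keeps the build repeatable: `sed -e "s,/EFI/BOOT,${EFIDIR},g" grub-embedded.cfg > grub-embedded.cfg.tmp`, with that file passed to `--config=` in the grub-mkimage call further down the script. The comment above the command also misspells the file name as `grub-ebedded.cfg`.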
@@ -44,12 +47,13 @@ echo "Building ${EFIDIR}/boot${EFISUFF}.efi and /boot/syslinux/efiboot.img."
# works with mutiple grub releases (grub-2.02 added the 'disk' module):
GMODDIR="$(dirname $(LANG=C grub-mkimage -O ${EFIFORM}-efi -p ${EFIDIR} alienbob 2>&1 | cut -d\` -f2 |cut -d\' -f1) )"
GMODLIST=""
-for GMOD in part_gpt part_msdos fat ext2 iso9660 ntfs chain linux boot configfile normal regexp extcmd minicmd reboot halt search search_fs_file search_fs_uuid search_label gfxterm gfxmenu gfxterm_background efi_gop efi_uga all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard disk memdisk nativedisk file loopback tar tftp net efinet efifwsetup ; do
+# 'shim_lock' is built into grub, not a module anymore:
+for GMOD in part_gpt part_msdos fat btrfs ext2 f2fs jfs xfs iso9660 ntfs chain linux boot configfile normal regexp extcmd minicmd reboot halt search search_fs_file search_fs_uuid search_label gfxterm gfxmenu gfxterm_menu gfxterm_background efi_gop efi_uga all_video loadbios gzio echo true probe loadenv bitmap_scale font cat help ls png jpeg tga test at_keyboard usb_keyboard disk memdisk nativedisk file loopback tar tftp net efinet efifwsetup zstd ; do
[ -f ${GMODDIR}/${GMOD}.mod ] && GMODLIST="${GMODLIST} ${GMOD}" || echo ">> ${GMOD} not found"
done
# Build bootx64.efi/bootia32.efi, which will be installed here in ${EFIDIR}.
-grub-mkimage --format=${EFIFORM}-efi --output=boot${EFISUFF}.efi --config=grub-embedded.cfg --compression=xz --prefix=${EFIDIR} ${GMODLIST}
+grub-mkimage --format=${EFIFORM}-efi --output=boot${EFISUFF}.efi --config=grub-embedded.cfg --sbat=grub_sbat.csv --compression=xz --prefix=${EFIDIR} ${GMODLIST}
# Then, create a FAT formatted image that contains bootx64.efi in the
# ${EFIDIR} directory. This is used to bootstrap GRUB from the ISO image.
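Review bot: The grub-mkimage call now passes `--sbat=grub_sbat.csv`, but that file is not in this commit's file list and nothing visible in the hunk checks that it exists, so it is presumably generated elsewhere and a standalone run of this script depends on that step having happened. A guard before the call would make the failure explicit: `[ -f grub_sbat.csv ] || { echo ">> grub_sbat.csv not found"; exit 1; }`. The comment above the loop says the script works with multiple grub releases, yet `--sbat` is likely unknown to older grub-mkimage builds and the exit status of the call is not tested in the lines shown, so a failed build may go unnoticed until the next step. The added btrfs, f2fs, jfs, xfs and zstd modules each put more parsing code for on-disk data into the signed image; a comment saying which boot scenario needs each one would help keep the list minimal. The script continues past the end of this hunk.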
diff --git a/README.txt b/README.txt
index 5571787..95bbf7b 100644
--- a/README.txt
+++ b/README.txt
@@ -5,7 +5,7 @@
===== Preface =====
-Welcome to the Slackware Live Edition! This is a version of Slackware 14.2 (and newer), that can be run from a DVD or a USB stick. It is an ISO image meant to be a showcase of what Slackware is about. You get the default install, no custom packages or kernel, but with all the power of Slackware. The ISO is created from scratch using a Slackware package mirror, by the "liveslak" scripts.
+Welcome to the Slackware Live Edition! All Slackware releases since 14.2, including the development version ''-current'', are supported versions for the ''liveslak'' project. The Live OS which liveslak creates from the Slackware Distro can be run from a DVD or a USB stick. It is an ISO image meant to be a showcase of what Slackware is about. You get the default install, no custom packages or kernel, but with all the power of Slackware. The ISO is created from scratch using a Slackware package mirror, by the "liveslak" scripts.
Slackware Live Edition does not have to be installed to a computer hard drive (however you do have that choice if you want to: using the setup2hd script). You can carry the USB stick version with you in your pocket. You'll have a pre-configured Slackware OS up & running in a minute wherever you can get your hands on a computer with a USB port.
@@ -13,6 +13,8 @@ The USB version is "persistent" - meaning that the OS stores your updates on the
In order to protect your sensitive private data in case you lose your USB stick (or in case it gets stolen) you can enhance your persistent USB Live OS with an encrypted homedirectory and/or an encrypted persistence file, to be unlocked on boot with a passphrase that only you know.
+And even booting directly from the ISO file (see chapter ''Boot from an ISO file on disk'') you can use persistence and enjoy an encrypted homedirectory, without the need for any modification to the ISO file.
+
===== Why yet another Slackware Live =====
@@ -31,14 +33,14 @@ The reasons I had for creating the Slackware Live Edition are as follows:
The "liveslak" scripts can generate a variety of Slackware flavors:
- - a complete 64bit Slackware-current Live Edition (in a 4.0 GB ISO);
- - a slimmed-down XFCE ISO (700 MB) with XDM as the graphical login manager. It fits on a CDROM medium or a 1 GB USB stick;
- - a ISO image (4.3 GB) of Slackware64-current containing 'ktown' Plasma 5 instead of Slackware's KDE.
- - A Digital Audio Workstation (DAW) based on a custom Slackware package set plus a basic Plasma5, containing a rich software collection for musicians, producers and live performance artists.
- - a Mate variant (3.2 GB) where KDE 4 has been replaced by Mate (a Gnome 2 fork);
- - a Cinnamon flavour (a fork of the Gnome 3 Shell replacing Slackware's KDE 4).
- - a Dlackware variant, which is Gnome3 + PAM + systemd on top of Slackware and stripped of KDE4.
- - a StudioWare edition containing all the project's audio, video and photo editing software packages.
+ - a complete 64bit Slackware-current Live Edition (in a 4.5 GB ISO);
+ - a slimmed-down XFCE ISO (1100 MB) with XDM as the graphical login manager. It fits on a 1 GB USB stick;
+ - a LEAN ISO (2.5 GB) of Slackware-current with reduced package set and based on Plasma5 Desktop;
+ - A Digital Audio Workstation (DAW) based on a custom Slackware package set plus a basic Plasma5, containing a rich software collection for musicians, producers and live performance artists (3.6 GB).
+ - a Mate variant (4.2 GB) where KDE has been replaced by Mate (a Gnome 2 fork);
+ - a Cinnamon flavour (a fork of the Gnome 3 Shell replacing Slackware's KDE) in an ISO file of 4.2 GB;
+ - a Dlackware variant, which is Gnome3 + PAM + systemd on top of Slackware and stripped of KDE (no longer developed after Slackware 14.2);
+ - a StudioWare edition containing all the project's audio, video and photo editing software packages (no longer developed after Slackware 14.2);
- a "Custom" variant which you can give your own name, its own package list and custom post-install configuration.
@@ -46,11 +48,10 @@ The "liveslak" scripts can generate a variety of Slackware flavors:
Common download locations are:
- * Primary site: http://download.liveslak.org/ (%%rsync://liveslak.org/liveslak/%%)
- * Darren's http://slackware.uk/people/alien-slacklive/ (%%rsync://slackware.uk/people/alien-slacklive/%%)
+ * Primary site: https://download.liveslak.org/ (%%rsync://liveslak.org/liveslak/%%)
+ * My US mirror: https://us.liveslak.org/ (%%rsync://us.liveslak.org/liveslak/%%)
+ * Darren's https://slackware.uk/liveslak/ (%%rsync://slackware.uk/liveslak/%%)
* Willy's http://repo.ukdw.ac.id/slackware-live/
- * Ryan's https://seattleslack.ryanpcmcquen.org/mirrors/slackware-live/
- * Shasta's http://ftp.slackware.pl/pub/slackware-live/ (%%rsync://ftp.slackware.pl/slackware-live/%%)
===== Enduser Documentation =====
@@ -61,7 +62,7 @@ Common download locations are:
The ISO images are hybrid, which means you can either burn them to DVD, or use 'dd' or 'cp' to copy the ISO to a USB stick. Both methods will give you a live environment which will allow you to make changes and seemingly "write them to disk". The changes will actually be kept in a RAM disk, so a reboot will "reset" the live OS to its original default state. In other words, there is no persistence of data.
-Slackware Live Edition knows two user accounts: "root" and "live". They have passwords, and by default these are... you guessed: "root" and "live". Also by default, the ISOs will boot into runlevel 4, i.e. you will get a graphical login. The bootloader allows you to pick a non-US language and/or keyboard layout and (on boot of an UEFI system) a custom timezone.
+Slackware Live Edition knows two user accounts: "root" and "live". They have passwords, and by default these are... you guessed: "root" and "live". Also by default, the ISOs will boot into runlevel 4, i.e. you will get a graphical login. The bootloader allows you to pick a non-US language and/or keyboard layout and (on boot of an UEFI system) a custom timezone.
Slackware Live Edition deviates as little as possible from a regular Slackware boot. Once you have passed the initial Liveboot stage and brought up the actual OS, you login as user "live". From that moment onwards, you are in a regular Slackware environment.
@@ -72,13 +73,14 @@ Slackware Live Edition deviates as little as possible from a regular Slackware b
=== BIOS boot ===
-Slackware Live Edition uses syslinux to boot the Linux kernel on BIOS computers. To be precise, the "isolinux" variant is installed to the ISO image and the "extlinux" variant is installed into the Linux partition of the USB Live version.
+Slackware Live Edition uses syslinux to boot the Linux kernel on BIOS computers. To be precise, the "isolinux" variant is installed to the ISO image and the "extlinux" variant is installed into the ext4-formatted Linux partition of the USB Live version.
Syslinux shows a graphical boot menu with a nice Slackware-themed background and several options:
- * Start (SLACKWARE | KTOWN | XFCE | MATE | DAW) Live (depending on which of the ISOs you boot)
+ * Start (SLACKWARE | XFCE | MATE | CINNAMON | DAW | LEAN) Live (depending on which of the ISOs you boot)
* Non-US Keyboard selection
* Non-US Language selection
* Memory test with memtest86+
+ * Console OS in RAM
You can select a keyboard mapping that matches your computer's. Also you can boot Slackware in another language than US English.
If you stick to US English interface language you will probably still want to change the timezone because it will default to UTC. You have to specify a custom timezone manually by adding "tz=YourGeography/YourLocation" because the syslinux bootmenu does not offer you a selection of timezones. Syslinux allows you to edit the boot commandline by pressing <TAB>. Press <ENTER> to boot after you made your changes or <ESC> to discard your edit and return to the menu.
@@ -89,18 +91,66 @@ If you stick to US English interface language you will probably still want to ch
On UEFI computers, Grub2 handles the boot and it will show a menu similar (and similarly themed) to the Syslinux menu:
- * Start (SLACKWARE | KTOWN | XFCE | MATE | DAW) Live (depending on which of the ISOs you boot)
+ * Start (SLACKWARE | XFCE | MATE | CINNAMON | DAW | LEAN) Live (depending on which of the ISOs you boot)
* Non-US Keyboard selection
* Non-US Language selection
* Non-US Timezone selection
* Memory test with memtest86+
* Help on boot parameters
+ * Console OS in RAM
-Editing a Grub menu before booting it is possible by pressing the "e" key. After making your changes to the boot commandline, press <F10> to boot. To discard your changes, press <ESC>.
+Editing a Grub menu before booting it is possible by pressing the "e" key. After making your changes to the boot commandline, press <F10> or <Ctrl>-<x> to boot. To discard your changes, press <ESC>.
Another difference between Syslinux and Grub2 menus: in Grub2 you can select a non-US keyboard, language and/or timezone and you will return to the main menu every time. You still have to select "Start SLACKWARE Live" to boot the computer. In the Syslinux menu, only the keyboard selection menu will return you to the main menu. Any non-US *language* selection on the other hand will boot you into Slackware Live immediately; without returning to the main menu. This is a limitation of syslinux which would require exponentially more menu files to construct a menu with more choices. Grub2 supports variables which make it easy to modify a menu entry's characteristics.
+=== UEFI Secure Boot ===
+
+
+On computers with Secure Boot enabled, extra measures may be required to boot an Operating System. Slackware for instance, is unable to boot on a computer that has Secure Boot enabled. Historic liveslak based ISOs are also not able to boot there. From liveslak-1.5.0 and onwards, Secure Boot is supported for the 64-bit ISO images.
+
+Secure Boot enforces that the first-stage bootloader is signed with an encryption key known to Microsoft. For Linux based Operating Systems, the most widely used solution is to place an small single-purpose bootloader before the regular Linux bootloader. This EFI bootloader is called 'shim'. Shim must be cryptographically signed by Microsoft for it to successfully boot a computer. This is not a trivial process, Microsoft is very strict about the signing process because in essence your signed bootloader will boot anything on a Secure Boot enabled computer, including malware if that was signed by your 'distro key'. That would create a huge security hole and defy the purpose of Secure Boot.
+
+Signing your Grub bootloader and your kernel also becomes mandatory, because the 'shim' refuses to load un-signed binaries. This complicates the process of upgrading to a new kernel further.
+
+The Slackware Live OS boots on a Secure Boot enabled computer if created with liveslak-1.5.0 or newer, and only for the 64-bit liveslak ISO images. The Slackware Linux distro does not ship a 'shim' which is signed by Microsoft, so how to get around the dilemma of requiring a signed 'shim'?
+
+To realize this, the Slackware Live ISO 'borrows' a 3rd-party 'shim'. The binaryis actually called ''bootx64.efi'' in the ''/EFI/BOOT/'' directory and has been extracted from another distro's officially signed 'shim' package; Fedora by default but the Debian and openSUSE shim are also supported by the ''make_slackware_live.sh'' script. This 3rd-party 'shim' binary has been signed by 'Microsoft UEFI CA' which will allow it to boot on any computer. We just need to tell it that is OK to load Slackware's Grub and kernel into memory.
+
+A distro 'shim' like Fedora's contains an embedded distro SSL certificate and 'shim' will trust the signature of any binary (grub, kernel, etc) which has been signed using that certificate. Of course, 3rd-party 'shim' binaries do not embed a Slackware SSL certificate. Therefore, another means must be used to establish trust. Secure Boot recognizes additional SSL certificates in the computer's MOK (Machine Owner Key) database as valid. The 'shim' trusts custom SSL vertificates of signed binaries, if they are present in the MOK database. It is up to the user (the Machine Owner) to enroll a custom SSL certificate into that database.
+
+The Grub and kernel images of Slackware Live Edition are signed with an 'Alien BOB' SSL certificate and private key. This SSL certificate needs to be added to the MOK database of your Secure Boot enabled computer. All liveslak ISOs use this specific certificate plus its associated private key. The private key will of course never be distributed but a 'DER-encoded' version of the public certificate is distributed as part of the ISO. You can find it as ''/EFI/BOOT/liveslak.der'' inside the ISO. On a persistent USB stick which you created from the ISO, this will be on the second partition (the ESP).
+
+== Add the ''liveslak.der'' certificate to the MOK database ==
+
+There are two ways to add or enroll this certificate.
+ * When you boot a Secure Boot enabled liveslak ISO for the first time, the 'shim' will fail to validate the certificate of liveslak's Grub. It will then start the 'MokManager' showing you a nice blue screen with a dialog requesting you to enroll a public key (aka the SSL certificate) from disk. You can use the file selector to browse to the 'efi' partition and there to the ''./EFI/BOOT/'' directory. Select the ''liveslak.der'' and confirm that this is the correct certificate. The computer will then reboot and after reboot, you will automatically end up in the Grub boot menu without any further intervention.
+ * If you already have a Linux OS up and running on that computer, you can use the program ''mokutil'' to enroll the key before you boot a liveslak ISO:<code>
+# mokutil --import liveslak.der</code>. This command will schedule a request to shim, and the first time you boot a liveslak ISO the MokManager will ask confirmation to enroll the scheduled key. In other words, you won't have to 'enroll from disk'.
+
+Note that MOK key enrollment is a one-time action for the official liveslak based ISOs. All future liveslak ISOs will also be signed using this ''liveslak.der'' certificate and as long as it stays in your computer's MOK database, the 'shim' will load Grub and the kernel without complaint.
+
+Note that you can create your own SSL certificate plus private key and use those to generate custom liveslak ISO images with Secure Boot support. All you need to do is to enroll the public key (the DER-encoded version of your SSL certificate) into the MOK database of your computer. The MOK database has room for multiple keys so yours as well as liveslak's keys (and more) will fit there.
+
+
+=== Boot from an ISO file on disk ===
+
+
+If you downloaded a liveslak ISO file and want to boot that ISO directly from its location on your computer's hard drive, you can use the following Grub configuration block and add it to your ''/boot/grub/grub.cfg'' (the example code assumes you downloaded the XFCE ISO and stored it as ''/data/ISOS/slackware64-live-xfce-current.iso''):<code>
+menuentry " LIVESLAK ISO" --class gnu-linux --class os --class icon-linux {
+ set iso='/data/ISOS/slackware64-live-xfce-current.iso'
+ set bootparms='load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 kbd=us tz=Europe/Amsterdam lang=nl'
+
+ search -f $iso --set=root
+ loopback loop $iso
+ linux (loop)/boot/generic livemedia=scandev:$iso $bootparms
+ initrd (loop)/boot/initrd.img
+}</code>
+This example will add a 'LIVESLAK ISO' menu entry to your local computer's boot menu, through which you can start a XFCE Live ISO which you previously downloaded to directory ''/data/ISOS/'', pre-configured for a US keyboard, Dutch language and Amsterdam timezone. You should of course change the ''bootparms'' string so that it matches your requirements.
+
+Alternatively you could look into Ventoy, which is a tool to create a bootable USB drive containing multiple ISO files. Ventoy allows you to boot from any of these ISOs by automatically generating on every boot a Grub menu containing all the images found on disk. Liveslak is fully Ventoy-compatible. Website: https://www.ventoy.net/ .
+
+
==== Transfering ISO content to USB stick ====
@@ -118,22 +168,40 @@ This script, called 'iso2usb.sh', accepts the following parameters: <code>
-f|--force Ignore most warnings (except the back-out).
-h|--help This help.
-i|--infile <filename> Full path to the ISO image file.
+ -l|--lukshome <name> Custom path to the containerfile for your LUKS
+ encrypted /home (slhome by default).
-o|--outdev <filename> The device name of your USB drive.
- -p|--persistence <name> Custom name of the 'persistence' directory/file.
+ -p|--persistence <name> Custom path to the 'persistence' directory
+ or containerfile (persistence by default).
-r|--refresh Refresh the USB stick with the ISO content.
No formatting, do not touch user content.
-s|--scan Scan for insertion of new USB device instead of
providing a devicename (using option '-o').
-u|--unattended Do not ask any questions.
-v|--verbose Show verbose messages.
- -w|--wait<number> Add <number> seconds wait time to initialize USB.
+ -w|--wait <number> Add <number> seconds wait time to initialize USB.
+ -y|--layout <x,x,x,x> Specify partition layout and sizes (in MB).
+ Default values: '1,100,-1,' for 3 partitions,
+ the '-1' value for partition 3 meaning
+ 'use all remaining space',
+ and an empty 4th value means 'do not reserve
+ free space for a custom 4th partition'.
-C|--cryptpersistfile size|perc
Use a LUKS-encrypted 'persistence' file instead
of a directory (for use on FAT filesystem).
Format for size/percentage is the same
as for the '-c' parameter.
+ -F|--filesystem <fs> Specify filesystem to create when formatting
+ devices/containers. Defaults to 'ext4',
+ Choices are btrfs,ext2,ext4,f2fs,jfs,xfs.
+ Note that the linux partition will always be
+ formatted as 'ext4' because extlinux is used
+ as the BIOS bootloader.
-P|--persistfile Use an unencrypted 'persistence' file instead
of a directory (for use on FAT filesystem).
+ Persistent data will not be migrated
+ when switching from directory to container file.
+
</code>
Examples:
@@ -143,14 +211,94 @@ Examples:
# ./iso2usb.sh -i slackware64-live-current.iso -o /dev/sdX -c 750M -w 15
* Create a USB Live with an encrypted /home (allocating 30% of the stick's free space for /home) and where the persistent data will be stored in a container file instead of a directory:
# ./iso2usb.sh -i slackware64-live-current.iso -o /dev/sdX -c 30% -P
- * Create a USB Live with both the /home and the persistent data encrypted (the persistence filesystem will be 300 MB in size):
- # ./iso2usb.sh -i slackware64-live-current.iso -o /dev/sdX -c 30% -C 300M
+ * Create a USB Live with both the /home and the persistent data encrypted (the persistence filesystem will be 300 MB in size) using a btrfs filesystem:
+ # ./iso2usb.sh -i slackware64-live-current.iso -o /dev/sdX -F btrfs -c 30% -C 300M
+ * Create a 32bit USB Live but use a custom partition layout: create a 1 MB BIOS boot partition and a 200 MB EFI partition, add a 4th un-used $ GB partition at the end, and allocate all remaining disk space to the main Linux partition:
+ # iso2usb.sh -i slackware-live-current.iso -o /dev/sdX -y 1,200,-1,4096
* Refresh the system modules on a USB Live using a Live ISO as the source. Let the script scan for insertion of a USB stick instead of specifying the device name on the commandline. Note that the addons and optional modules will not be touched by this action:
# ./iso2usb.sh -i slackware64-live-current.iso -r -s
You might have noticed that the "-P" parameter does not accept a size parameter. This is because the unencrypted container file is created as a 'sparse' file that starts at zero size and is allowed to grow dynmically to a maximum of 90% of the initial free space on the Linux partition of the USB stick.
+==== Adding functionality when booting directly off an ISO on disk ====
+
+
+An ISO companion script is available which enables you to add functionality in cases where you want to boot directly from an ISO file. For instance, when having added the ISO file as a selection in your Grub menu, or when using a 3rd-party boot manager like Ventoy. Typically, a Live ISO is immutable (its ISO-9660 filesystem is read-only) and when you boot off it, the Live OS does not have persistence. The system starts in a virgin state, every boot.
+
+The ISO companion script can create encrypted containers for persistence and your homedirectory on the disk partition; that partition can be formatted as VFAT or EXFAT if you want. It also can create a directory structure on-disk from which liveslak can load additional live modules that are not present inside the ISO (both 'addons' and 'optional').
+
+The script is called 'isocomp.sh', and it accepts the following parameters: <code>
+ -d|--directory <path> Create a liveslak directory structure to store
+ additional modules. The parameter value is
+ used as the root path below which the
+ liveslak/{addons,optional} subdirectories
+ will be created.
+ -e|--examples Show some common usage examples.
+ -f|--force Force execution in some cases where the script
+ reports an issue.
+ -h|--help This help text.
+ -i|--iso <fullpath> Full path to your liveslak ISO image.
+ -l|--lukscontainer <fullpath> Full path to encrypted container file to be
+ created by this script, and to be mounted
+ in the live OS under /home
+ (or any other mountpoint you supply).
+ (filename needs to end in '.icc'!).
+ -p|--persistence <fullpath > Full path to encrypted persistence container
+ file to be created in the filesystem
+ (filename extension must be '.icc'!).
+ -x|--extend <fullpath> Full path to existing (encrypted) container
+ file that you want to extend in size.
+ Limitations:
+ - container needs to be LUKS encrypted.
+ - filename needs to end in '.icc'.
+ Supported filesystems inside container:
+ - btrfs,ext2,ext4,f2fs,jfs,xfs.
+ -F|--filesystem <fs> Specify filesystem to create when formatting
+ devices/containers. Defaults to 'ext4',
+ Choices are btrfs,ext2,ext4,f2fs,jfs,xfs.
+ -L|--lcsize <size|perc> Size of LUKS encrypted /home ; value is the
+ requested size of the container in kB, MB, GB,
+ or as a percentage of free space
+ (integer numbers only).
+ Examples: '-L 125M', '-L 2G', '-L 20%'.
+ -P|--perssize <size|perc> Size of persistence container ; value is the
+ requested size of the container in kB, MB, GB,
+ or as a percentage of free space
+ (integer numbers only).
+ Examples: '-P 125M', '-P 2G', '-P 20%'.
+ -X|--extendsize <size|perc> Extend size of existing container; value
+ is the requested extension of the container
+ in kB, MB, GB, or as percentage of free space
+ (integer numbers only).
+ Examples: '-X 125M', '-X 2G', '-X 20%'.
+</code>
+Some examples of what the script can do, are given when you run the script with the '-e' or '--examples' parameter. Here is an overview of those example commands. First, mount your USB partition, for instance a Ventoy disk will be mounted for you at /run/media/<user>/Ventoy/. Then:
+
+ * Create a 1GB encrypted persistence container:
+ # ./isocomp.sh -p /run/media/<user>/Ventoy/myfiles/persistence.icc -P 1G
+ * Create a 4GB encrypted home with btrfs filesystem:
+ # ./isocomp.sh -l /run/media/<user>/Ventoy/somedir/lukscontainers.icc -L 4000M -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+ * Increase the size of that encrypted home container with another 2GB:
+ # ./isocomp.sh -x /run/media/<user>/Ventoy/somedir/lukscontainers.icc -X 2G -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+ * Create a 10GB encrypted container to be mounted on /data in the Live OS:
+ # ./isocomp.sh -l /run/media/<user>/Ventoy/somedir/mydata.icc:/data -L 10G -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+ * Create a liveslak directory structure for adding extra live modules:
+ # ./isocomp.sh -d /run/media/<user>/Ventoy/myliveslak -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+
+These enhancements are recorded in a configuration file next to the ISO, with the exact same name as that ISO but with extension '.cfg' instead of '.iso'. You can manually edit this configuration file if you want; the script will not change, remove or overwrite your customizations.
+
+Here is an example configuration file content: <code>
+# Liveslak ISO configuration file for SLACKWARE-CURRENT FOR X86_64 (LEAN LIVE 1.5.4)
+# Generated by isocomp.sh on 20220814_1554
+LIVESLAKROOT=/liveslak
+LUKSVOL=/liveslak/myhome.icc:/home
+ISOPERSISTENCE=/liveslak/persistence.icc
+TZ=Europe/Amsterdam
+</code>
+Note that this configuration file example is not complete; you can manually add custom values for the following additional liveslak parameters which avoids having to enter the corresponding boot parameters manually every time: BLACKLIST, KEYMAP, LIVE_HOSTNAME, LIVESLAKROOT, LOAD, LOCALE, LUKSVOL, NOLOAD, ISOPERSISTENCE, RUNLEVEL, TWEAKS, TZ and XKB.
+
+
==== Using the Live OS to install Slackware to hard disk ====
@@ -159,6 +307,7 @@ The "setup2hd" script supports regular Slackware network installations. In addit
The 'setup2hd' program has some capabilities that the original Slackware 'setup' lacks:
* It will launch fdisk/gdisk if you forgot to create Linux partitions in advance;
+ * It will optionally install a firewall for which the configuration is based on your answers to a few questions;
* It will allow you to create a regular user account and set its password;
* It will prompt you to set the root password in a graphical dialog.
@@ -173,6 +322,7 @@ Specifically, the script is able to:
* Restore the backed-up kernel and modules if the new kernel is not working.
* Add network support modules for PXE boot (if missing).
* Increase (or decrease) USB wait time during boot.
+ * Extend the size of any of the encrypted containers on the USB Live stick, in case such a container is running out of storage space and there's still room on the USB disk partition for the expansion.
* Replace the Live init script inside the initrd image with a new script that you supply.
* Move current persistence data to a new squashfs module in 'addons' afther which the persistence store will be re-initialized. The new module's name is time-stamped (/liveslak/addons/0099-slackware__customchanges-yymmddHHMMSS.sxz) so that this action can be repeated many times.
@@ -183,6 +333,7 @@ Before making any modifications, the script will show you a prompt at which poin
This script, called 'upslak.sh', accepts the following parameters: <code>
-b|--nobackup Do not try to backup original kernel and modules.
-d|--devices List removable devices on this computer.
+ -e|--examples Show some common usage examples.
-h|--help This help.
-i|--init <filename> Replacement init script.
-k|--kernel <filename> The kernel file (or package).
@@ -195,6 +346,26 @@ This script, called 'upslak.sh', accepts the following parameters: <code>
providing a devicename (using option '-o').
-v|--verbose Show verbose messages.
-w|--wait<number> Add <number> seconds wait time to initialize USB.
+ -x|--extend <fullpath> Full path (either in your filesystem or else
+ relative to the USB partition root)
+ to an existing (encrypted) container file,
+ whose size you want to extend.
+ Limitations:
+ - container needs to be LUKS encrypted.
+ - filename extension needs to be '.img'.
+ Supported filesystems inside container:
+ - btrfs,ext2,ext4,f2fs,jfs,xfs.
+ -N|--nolivemods Don't create an addon live module containing
+ the new kernelmodules. Normally you *will* need
+ this addon module, *unless* you have already
+ installed these kernel-modules in the Live OS.
+ FYI: the kernel and module upgrade applies only
+ to the USB boot kernel and its initrd.
+ -X|--extendsize <size|perc> Extend size of existing container; value
+ is the requested extension of the container
+ in kB, MB, GB, or as percentage of free space
+ (integer numbers only).
+ Examples: '-X 125M', '-X 2G', '-X 20%'.
</code>
Examples:
@@ -205,7 +376,10 @@ Examples:
* Restore the previous kernel and modules after a failed update, and let the script scan your computer for the insertion of your USB stick:
# ./upslak.sh -s -r
* Replace the Live init script with the latest template taken from the git repository:
- # ./upslak.sh -o /dev/sdX -i liveslak/liveinit.tpl
+ # wget https://git.liveslak.org/liveslak/plain/liveinit.tpl
+ # ./upslak.sh -o /dev/sdX -i liveinit.tpl
+ * Extend the size of the pre-existing LUKS container for your homedirectory with 3 GB, and let the script scan for the insertion of your USB stick:
+ # ./upslak.sh -s -x /slhome.img -X 3G
==== PXE booting the Live OS ====
@@ -250,7 +424,7 @@ How to start the PXE server?
When you boot the Live OS you can then start a script "pxeserver" from the console in runlevel 3 or from an X terminal in runlevel 4. The script will gather all required information and if it is unable to figure something out by itself it will ask you. If it is unable to figure out the wired network interface that it should use, you can add the name of your interface (for instance, eth1) as a single parameter to the script when you start it.
-The PXE server uses dnsmasq to offer DNS to the PXE clients. The dnsmasq program will enable its internal DHCP server capabilities if your LAN does not have its own DHCP server. Dnsmasq will also start a TFTP server which the PXE clients will connect to in order to retrieve the boot files (kernel and initrd). The ''pxeserver'' script also starts a NFS server which will be used by the Live initrd to obtain the squashfs modules and boot the Live OS. If your PXE server has multiple network interfaces, for instance a wireless interface which is connected to the outside world and a wired interface connected to another computer which will become a PXE client (or indeed connected to a switch with a whole bunch of prospective PXE clients behind that) then the PXE server will setup packet forwarding so that the PXE clients will be able to access the outside world through the wired interface and out to that other interface.
+The PXE server uses dnsmasq to offer DNS to the PXE clients. The dnsmasq program will enable its internal DHCP server capabilities if your LAN does not have its own DHCP server. Dnsmasq will also start a TFTP server which the PXE clients will connect to in order to retrieve the boot files (kernel and initrd). The ''pxeserver'' script also starts a NFS server which will be used by the Live initrd to obtain the squashfs modules and boot the Live OS. If your PXE server has multiple network interfaces, for instance a wireless interface which is connected to the outside world and a wired interface connected to another computer which will become a PXE client (or indeed connected to a switch with a whole bunch of prospective PXE clients behind that) then the PXE server will setup packet forwarding so that the PXE clients will be able to access the outside world through the wired interface and out to that other interface. If the PXE clients are unable to access the Internet using this default IP packet forwarding configuration, you may want to answer with 'YES' to the question during pxeserver's configuration when it asks you if you want to hide the PXE clients behind a NAT router.
If you have multiple network interfaces, it is important to know that dnsmasq will only bind to the interface where you want PXE clients to connect to. In a multi-NIC situation where a second NIC is connected to the outside world (your local network), this means that the DHCP/DNS server started by dnsmasq will not interfere with an existing DHCP server in your local network.
@@ -287,12 +461,14 @@ You can still set just the XkbVariant by adding something like "kbd=ch xkb=,fr"
livepw="somestring" => Change the password for user "live".
The password is passed as a cleartext string.
+ You can pass an empty string (livepw=) to remove the password.
locale=nl_NL kbd=nl tz=Europe/Amsterdam => Example of language,
keyboard and/or timezone customization.
rootpw="somestring" => Change the password for user "root".
The password is passed as a cleartext string.
+ You can pass an empty string (rootpw=) to remove the password.
=== Custom software ===
@@ -389,6 +565,12 @@ nop=wipe => Wipe all data from persistence directory or container.
persistence=name => Use this if you are using a different
directory/file than "persistence" for storing persistent data.
+persistence=/dev/sdX:/path/to/mypersistence
+persistence=scandev:/path/to/mypersistence => Use this if
+ the persistence directory or container is not located on the USB stick,
+ but on a local hard disk partition. Useful for network (PXE) boot
+ where you still want to offer users persistence.
+
toram => copy the OS from the media to to RAM before running it.
You can remove the boot media after booting.
@@ -409,9 +591,12 @@ blacklist=mod1[,mod2[...]] => Add one or more kernel modules
debug => During init, pause at strategic locations while
assembling the overlay filesystem and show mount information.
+ Equivalent to 'debug=1'.
-debug=<number> => '2' enables verbose script execution;
- '4' dumps you into a debug shell right before the switch_root.
+debug=<number> => '2' and higher enable verbose script execution;
+ '3' adds pauses like '1' or '2' but won't show blkid/mount info;
+ '4' dumps you into a debug shell right before the switch_root;
+ '5' saves verbose init execution output to 'debug_init.log'
rescue => After initialization, you will be dropped in a
rescue shell to perform lowlevel maintenance.
@@ -449,7 +634,7 @@ The USB variant with persistence may have an additional directory in the root:
The first script:
The script "make_slackware_live.sh" creates an ISO file as its output which contains the Live OS.
-Thanks to Linux kernel 4.x and the squashfs-tools package in Slackware, the process of creating a Slackware Live ISO requires **no** (re)compilation of Slackware content or installing 3rd party packages.
+Thanks to Linux kernel >= 4.x and the squashfs-tools package in Slackware, the process of creating a Slackware Live ISO requires **no** (re)compilation of Slackware content or installing 3rd party packages.
The script's inner workings can be subdivided into several distinct stages. For the full Slackware ISO the process stages are as follows:
@@ -479,7 +664,7 @@ Stage two:
* 'root' and 'live' user accounts are created,
* an initial environment for the accounts is configured,
* the desktop environment is pre-configured for first use,
- * the liveslak scripts "makemod", "iso2usb.sh" and "upslak.sh" are copied to "/usr/local/sbin/" in the ISO for your convenience,
+ * the liveslak scripts "makemod", "iso2usb.sh", "isocomp.sh", "upslak.sh" and "pxeserver" are copied to "/usr/local/sbin/" in the ISO for your convenience,
* The "setup2hd" script and the Slackware installer files are copied to "/usr/local/sbin" and "/usr/share/liveslak" respectively.
* slackpkg is configured,
* a locate database is created,
@@ -501,7 +686,7 @@ Stage three:
Stage four:
- * a bootable ISO file is created using mkisofs.
+ * a bootable ISO file is created using mkisofs or xorriso.
* the "isohybrid" command is run on the ISO so that you can "dd" or "cp" the ISO to a USB stick and thus create a bootable USB media.
Done! You can find the ISO file and its MD5 checksum in the /tmp directory.
@@ -522,9 +707,10 @@ The "iso2usb.sh" script wipes and re-partitions the USB stick unless the "-r" or
* First partition: a small (1 MB in size) FAT partition which is not used for Slackware Live Edition. It can be used by an alternative bootloader if needed. You can also store your LUKS keyfile on it to unlock a LUKS-encrypted Slackware Linux computer (see the README_CRYPT.TXT file on your Slackware DVD for more information on LUKS keyfiles).
* Second partition: a 100 MB VFAT partition containing the kernel, initrd and all the other stuff required by syslinux and grub2 to boot Slackware Live Edition.
- * Third partition: a Linux partition taking up all of the remaining space. It contains the actual liveslak modules, the persistent live storage and optionally your encrypted homedirectory. You can use the remainder of this Linux ext4 filesystem's free space to store anything you like.
+ * Third partition: a Linux partition which by default takes up all of the remaining space. It contains the actual liveslak modules, the persistent live storage and optionally your encrypted homedirectory. You can use the remainder of this Linux ext4 filesystem's free space to store anything you like.
+ * Fourth partition is optional: using the ''-y|--layout'' commandline parameter you can create a un-used partition at the end of the USB disk which is all yours to format and use. This layout parameter allows you to specify partition sizes.
-Note that this script is the only supported method of transfering the liveslak ISO content to a USB stick and make that USB stick into a persistent live OS. Several 3rd party tools (like multibootusb, rufus, unetbootin) that claim to be able to mix several Live OS'es on a single USB stick and make them all work in a multi-boot setup, are not currently supporting liveslak.
+Note that this script extracts the ISO contents to transform a USB stick into into a persistent live OS. This is a destructive process, erasing all previously available content on that stick. Several 3rd party tools (like multibootusb, rufus, unetbootin) that claim to be able to mix several Live OS'es on a single USB stick and make them all work in a multi-boot setup, are not currently supporting liveslak. Ventoy on the other hand, is fully supported by liveslak and therefore your best bet if you don't want to wipe your data off your USB stick. As a bonus, the ''isocomp.sh'' script is able to add persistence to a liveslak ISO on a Ventoy boot disk.
== Mounting a filesystem in an encrypted container ==
@@ -545,11 +731,48 @@ A second type of encrypted container exists, which can be used for storing your
For slow USB media, the default 5 seconds wait time during boot are sometimes insufficient to allow the kernel to detect the partitions on your USB device. The script can optionally add more wait time. It does this by editing the file "wait-for-root" in the initrd and updating the value which is stored there (by default "5" is written there by the "make_slackware_live.sh" script).
-=== makemod ===
+=== isocomp.sh ===
The third script:
+The "isocomp.sh" script's runtime usage is explained in detail in a previous paragraph "Adding functionality when booting directly off an ISO on disk".
+
+This section explains the inner workings of the script to enhance the functionality of booting directly from ISO.
+
+== Secondary liveslak root directory ==
+
+A secondary liveslak root directory can be created by the 'isocomp.sh' script: in the same filsystem where the ISO file is also present. The ISO contains the primary liveslak root, below which you will find directories 'system', 'addons', 'optional', 'core2ram' and so on. The secondary liveslak root can not contain a 'system' subdirectory but it can contain 'addons', 'optional', 'core2ram'.
+
+Additional Live modules can be placed in these directories. These will be loaded by the Live init after processing corresponding module locations below the primary liveslak root. Meaning, you can load all kinds of additional software without having to modify the official Live ISO.
+
+== Using container files for persistence or homedirectory ==
+
+Two types of encrypted container are supported by 'isocomp.sh', just like with the 'iso2usb.sh' script: to be used either for storing the Live OS persistence data, or for providing (additional) persistent storage space at a mount point such as ''/home''. Also, the functionality of the Live init has been extended to deal with all this.
+
+The sequence is as follows:
+ - Live init checks if the OS was booted from an ISO file.
+ - If yes, init will additionally check for the existence of an ISO configuration file with the same name as the ISO except its extension (which needs to be '.cfg' instead of '.iso').
+ - If the configuration file defines the ISOPERSISTENCE variable, Live init expects its value to be a container file which will be used to store the modifications to the Live OS persistently, instead of writing those to a RAM disk.
+ - If the configuration file defines the LUKSVOL variable, Live init parses it and mounts all container files defined in there at the mountpoints specified (or ''/home'' if not specified).
+ - If init determines that it deals with a LUKS-encrypted container, init asks you for its unlock passphrase.
+
+== Creating an encrypted container ==
+
+The script will create a file of requested size in the same disk partition that also contains the Live ISO, using the 'dd' command. A new loopback device is requested from the OS and the freshly created container file is mapped to the loop device using 'losetup'. The 'cryptsetup luksCreate' command initializes the encryption on this loop device, which causes the script to prompt you with "are you sure, type uppercase YES". After receiving your confirmation, cryptsetup requests you to enter an encryption passphrase three times (two for intializing, and one for unlocking the container subsequently).
+
+If the container is used for an encrypted /home, the script will copy the existing content of the ISO's /home into the container's filesystem which will later be mounted on top of the ISO's /home (thereby masking the existing /home).
+
+== Extending the size of an existing container file ==
+
+The 'isocomp.sh' script is able to extend your encrypted containers if you are running out of space on their enclosed filesystems. It does this by appending random bytes to the end of the file, unlocking and mounting the filesystem inside, and then resizing that filesystem so it grows to the new size of the container.
+
+
+=== makemod ===
+
+
+The fourth script:
+
The "makemod" script allows you to create a Slackware Live module easily, with a Slackware package or a directory tree as its input parameter.
Usage:
@@ -557,7 +780,7 @@ Usage:
* The first parameter is either the full path to a Slackware package, or else a directory.
* If a packagename is supplied as first parameter, it will be installed into a temporary directory using Slackware's "installpkg". The content of the temporary directory will be squashed into a module by the "squashfs" program.
- * If a directoryname is supplied, its content will be squashed into a module by the "squashfs" program..
+ * If a directoryname is supplied, its content will be squashed into a module by the "squashfs" program.
* The second parameter is the full pathname of the output module which will be created.
You can copy the module you just created (minding the filename conventions for a Slackware Live module, see paragraph "Slackware Live module format") to either the optional/ or to the addon/ directory of your Live OS. If you copy it to the optional/ or addon/ directory of the liveslak sources then "make_slackware_live.sh" will use the module when creating the ISO image.
@@ -566,7 +789,7 @@ You can copy the module you just created (minding the filename conventions for a
=== setup2hd ===
-The fourth script:
+The fifth script:
The "setup2hd" script is a modified Slackware installer, so you will be comfortable with the process. The 'SOURCE' section offers two types of choices: a regular Slackware network installation using a NFS, HTTP, FTP or Samba server, as well as a choice of installing the Live OS which you are running. The script knows where to find the squashfs modules, so the "Install Live OS" selection will not prompt further inputs.
* The Slackware network installation is identical to that of the official Slackware installation medium.
@@ -576,7 +799,7 @@ The "setup2hd" script is a modified Slackware installer, so you will be comforta
=== pxeserver ===
-The fifth script:
+The sixth script:
The ''pxeserver'' script works as follows:
* It requires a wired network; wireless PXE boot is impossible.
@@ -589,6 +812,7 @@ The ''pxeserver'' script works as follows:
* dnsmasq providing DNS, DHCP and BOOTP;
* NFS and RPC daemons;
* The script will detect if you have an outside network connection on another interface and will enable IP forwarding if needed, so that the PXE clients will also have network access.
+ * The script can optionally setup NAT routing - masquerading the PXE clients from the outside world - if regular IP packet forwarding is not making the outside network accessible to PXE clients.
* The Live OS booted via pxelinux is configured with additional boot parameters: <code>
nfsroot=<server_ip_address>:/mnt/livemedia
luksvol=
@@ -604,7 +828,7 @@ kbd=<server_kbd_layout>
=== upslak.sh ===
-The sixth script:
+The seventh script:
The "upslak.sh" script's runtime usage is explained in detail in a previous paragraph "Updating the kernel (and more) on a USB stick".
@@ -616,14 +840,18 @@ When the script is started, it will do some sanity checks and then extracts the
* the current USB wait time is checked.
Depending on the parameters passed to the script, it will then perform one or more of the following actions:
-== Update the kernel and moules ==
+== Update the kernel and modules ==
You can provide a new kernel and its modules in two ways. The '-k' option accepts a kernel image file or else a Slackware package contaning a kernel. The '-m' option accepts a directory tree of modules below "/lib/modules/, or else a Slackware package containing kernel modules.
If there is sufficient space on the Linux and EFI partitions, the script will make a backup of the current kernel and modules by renaming the kernel and the module directory with a ".prev" suffix. Sufficient space means that at least 10 MB of free space must remain on the partition(s) after making the backup and installing the new kernel plus modules. If space is an issue, you can skip making a backup by providing the '-b' parameter to the script (a possibly unsafe choice).
+Note that these new kernel-modules will be added to the initrd image (they are needed when booting the new kernel). In order for the Live OS to keep working with the new kernel however, these new kernel-modules must also be made available to the Live OS. The script achieves this by creating a '''kernelmodules''' squashfs module and copying the module into the '''addons''' directory of the liveslak installation on your USB stick. When the Live OS boots, the kernelmodules will then automatically be merged into the live filesystem.
+It is possible to skip the creation of this squashfs module via the '-N' switch to the script.
+
== Restore backed-up kernel and modules ==
If a backup was made of kernel and modules, the upslak.sh script is able to restore these using the '-r' option, thereby removing the replacements. This comes in handy when the replacement kernel turns out to be non-functional.
+Note that restoring the old kernel and its modules will leave an orphaned squashfs kernelmodule in liveslak's '''addons''' directory. You can safely delete that file.
== Add network support modules ==
@@ -637,6 +865,10 @@ Similar to the functionality of the "iso2usb.sh" script, the "upslak.sh" script
The init script inside the initrd image is the core of liveslak. The init script prepares the Live filesystem and configures several run-time OS parameters. If you have made modifications to this init script you can easily replace the default init script with your own script using the '-i' option. The "upslak.sh" script is smart enough to recognize a iveslak template as input. The ".tpl" extension of some liveslak files means that these are templates. They are not usable as-is, because they contain placeholder strings like "@VERSION@" or "@DISTRO@" that first need to be replaced with real values. The "upslak.sh" script will take care of these substitutions.
+== Extend the size of an existing LUKS container ==
+
+Your Slackware Live USB stick will probably have two LUKS containers: one for your ''/home'' directory and the other to store persistent data. If space is running out inside such a container, you can use the '-x' and '-X' parameters to the script to indicate the relevant container and provide a size increase for it. Your data inside the container is safe; the filesystem inside it will be extended and this does not touch existing file data.
+
== Wrap persistence data into a new squashfs module ==
Persistence data will accumulate over time on the USB stick. That is perfectly OK, and you can wipe it on boot if that is needed. But sometimes you want to capture the packages you installed into the persistent storage, and create a new squashfs module out of them. The "upslak.sh" script is able to move your persistence data into a new squashfs module using the '-p' option. The new module will be created in the "/liveslak/addons/" directory so that it will be loaded into the Live OS everytime your USB Live boots up. After creating the new module, the persistence store will be re-initialized (i.e. its content will be erased on the next boot). The new module's name is time-stamped (/liveslak/addons/0099-slackware__customchanges-yyyymmddHHMMSS.sxz where yyyymmddHHMMSS is the timestamp) so that this action can be repeated as many times as you want.
@@ -649,7 +881,7 @@ Creating an ISO image of Slackware Live Edition requires that you are running Sl
You also need the "liveslak" script collection which can be downloaded from any of the links at the bottom of this page.
-Liveslak is a directory tree containing scripts, bitmaps and configuration files. Only 6 scripts are meant to be run by you, the user. These scripts ("make_slackware_live.sh", "iso2usb.sh", "makemod", "setup2hd", "pxeserver" and "upslak.sh) are explained in more detail in the section "Scripts and tools" higher up. When creating a Live ISO from scratch, you only need to run the "make_slackware_live.sh" script.
+Liveslak is a directory tree containing scripts, bitmaps and configuration files. Only 7 scripts are meant to be run by you, the user. These scripts ("make_slackware_live.sh", "iso2usb.sh", "isocomp.sh", "makemod", "setup2hd", "pxeserver" and "upslak.sh) are explained in more detail in the section "Scripts and tools" higher up. When creating a Live ISO from scratch, you only need to run the "make_slackware_live.sh" script.
=== Liveslak sources layout ===
@@ -675,6 +907,7 @@ The toplevel 'liveslak' directory contains the following files:
* blueSW-128px.png , blueSW-64px.png - these are bitmaps of the Slackware "Blue S" logo, used for the "live" user icon and in the XDM theme.
* grub.tpl - the template file which is used to generate the grub menu for UEFI boot.
* iso2usb.sh - this script creates a bootable USB version wih persistence from a Slackware Live ISO.
+ * isocomp.sh - when you boot directly from a Slackware Live ISO using Grub or a multi-boot manager like Ventoy, this script adds capabilities like persistence, an encrypted home, and the ability to load further live modules from disk.
* languages - this file contains the input configuration for language support. One language per line contains the following fields: "code:name:kbd:tz:locale:xkb". Example: "nl:nederlands:nl:Europe/Amsterdam:nl_NL.utf8:"
* code = 2-letter language code
* name = descriptive name of the language
@@ -707,7 +940,8 @@ The script's parameters are:
DAW (Digital Audio Workstation), XFCE (basic XFCE,
stripped), KTOWN (ktown Plasma5 replacement), MATE
(Gnome2 fork replaces KDE), CINNAMON (fork of Gnome3 Shell
- replaces KDE), DLACK (Gnome3 replaces KDE).
+ replaces KDE), DLACK (Gnome3 replaces KDE),
+ STUDIOWARE (Multimedia Studio).
-e Use ISO boot-load-size of 32 for computers
where the ISO won't boot otherwise (default: 4).
-f Forced re-generation of all squashfs modules,
@@ -717,16 +951,19 @@ The script's parameters are:
-m pkglst[,pkglst] Add modules defined by pkglists/<pkglst>,...
-r series[,series] Refresh only one or a few package series.
-s slackrepo_dir Directory containing Slackware repository.
- -t <none|doc|mandoc|bloat>
- Trim the ISO (remove man and/or doc and/or bloat).
+ -t <none|doc|mandoc|waste|bloat>
+ Trim the ISO (remove man, doc, waste and/or bloat).
-v Show debug/error output.
-z version Define your Slackware version (default: current).
-C Add RAM-based Console OS to boot menu.
- -G Generate ISO file from existing directory tree
+ -G Generate ISO file from existing directory tree.
-H hostname Hostname of the Live OS (default: darkstar).
-M Add multilib (x86_64 only).
-O outfile Custom filename for the ISO.
-R runlevel Runlevel to boot into (default: 4).
+ -S privkey:cert Enable SecureBoot support and sign binaries
+ using the full path to colon-separated
+ private key and certificate files.
-X Use xorriso instead of mkisofs/isohybrid.
</code>
@@ -741,6 +978,9 @@ When all pre-reqs are met, you issue a single command to generate the ISO. The
Another example which creates a MATE variant, configuring runlevel '3' as default and specifying a custom path for the Slackware package repository root (note that the script will look for a subdirectory "slackware64-current" below this directory if you are generating this ISO for slackware64-current):
# ./make_slackware_live.sh -d MATE -R 3 -s ~ftp/pub/Slackware
+An example on how to create a DAW Live ISO which supports UEFI SecureBoot (since liveslak 1.5.0 and only for 64-bit), is compressed using 'zstd' instead of the default 'xz' and is generated using xorriso instead of mkisofs. You need to provide the full path to a SSL private key and certificate file:
+ # ./make_slackware_live.sh -d DAW -c zstd -X -S /root/liveslak.key:/root/liveslak.pem
+
If you want to know what package sets are included in any of these Desktop Environments, run the following command:
# grep ^SEQ_ make_slackware_live.sh
for MATE, you will find:
@@ -755,7 +995,7 @@ Which means that most of the Slackware package series (excepting kde and kdei) w
You can create your own custom Live OS by changing its characteristics in the configuration file "make_slackware_live.conf". Among the things you can change are:
- * The name of the Desktop variant (the script itself knows SLACKWARE, KTOWN, DAW, XFCE, MATE, CINNAMON, STUDIOWARE and DLACK),
+ * The name of the Desktop variant (the script itself knows SLACKWARE, LEAN, KTOWN, DAW, XFCE, MATE, CINNAMON, STUDIOWARE and DLACK),
* The list(s) of packages used for your custom distribution,
* The full name of the user (by default that is "Slackware Live User"),
* The name of the useraccount (by default that is "live"),
@@ -806,6 +1046,23 @@ This is the section in ''make_slackware_live.conf'' which deals with these custo
#}
</code>
+=== Customizing the list of used packages ===
+
+Any liveslak ISO variant contains a specific set of Slackware packages, as defined in the various ''SEQ_*'' variables used in the ''make_slackware_live.sh'' script. Your customized Live OS will be using variable "''SEQ_CUSTOM''".
+
+Let's breakdown the definition of such a variable to explain how to customize the package set for your own live ISO.
+
+The list of packages in the MATE ISO for instance, is defined by the ''SEQ_MSB'' variable (//MSB// stands for //Mate Slack Build//). Its value is as follows: <code>
+# grep ^SEQ_MSB make_slackware_live.sh
+SEQ_MSB="tagfile:a,ap,d,e,f,k,l,n,t,tcl,x,xap,xfce,y pkglist:slackextra,mate local:slackpkg+"</code>
+
+Three keywords can be identified in the value of a ''SEQ_*'' variable, and these determine where the packages to be installed are going to be searched for:
+ * tagfile - this is an Slackware tagfile for a complete package series. For instance, using "tagfile:ap" means: install all packages in the **AP** series.
+ * pkglist - this is a list of packages to be installed from the Slackware distro itself or from a Slackware-compatible 3rd-party repository. The file containing that package list is searched in the ''./pkglists/'' subdirectory of the liveslak toplevel directory. For instance, using "pkglist:mate" means: install all packages mentioned in the file ''./pkglists/mate.lst''. If there is no matching ''./pkglists/mate.conf'' file then the packages are assumed to be present in the Slackware distro directory. Else the ".conf" file is parsed and the variables that are defined in the ".conf" file will be used while generating the ISO. Most importantly, "''SL_REPO_URL''" will contain the rsync URI pointing to the 3rd-party repository where the requested packages can be downloaded.
+ * local - some packages can not be found in Slackware-compatible repositories. The "local" keyword alows you to install packages from a subdirectory of the liveslak toplevel directory. For instance, using "local:slackpkg+" means: install all packages found in subdirectory ''./local/slackpkg+/'' or if you are generating a 64bit live ISO, install all packages found in directory ''./local64/slackpkg+/''.
+
+For the value of a ''SEQ_*'' variable, any combination of these keywords can be used. Every keyword is followed by a colon, and that is followed by a comma-separated list of relevant package definitions. They are all separated by spaces.
+
=== Custom background images ===
The Plasma5 based Live variants allow customization of the background image used for the login greeter, the desktop wallpaper and the lock screen. The image you want to use for this purpose, must have a 16:9 aspect ratio and its dimensions should at least be 1920x1080 pixels. You must store the custom image inside the liveslak source tree: in the subdirectory ''./media/<variant>/bg/'' where "<variant>" is the lower-case name of the Live variant (variant 'KTOWN' equals directory 'ktown', 'DAW' becomes 'daw', etc).
@@ -848,12 +1105,14 @@ What does the 'liveslak' init script do?
* The complete RAM filesystem which underpins the overlay is made available to the user of the Live OS as "/mnt/live"
* The filesystem of the Live media is made available to the user of the Live OS as "/mnt/livemedia". If the media is a USB stick then you will have write access to "/mnt/livemedia".
* With the root filesystem assembled, the Live OS is configured before it actually boots:
+ * If a OS-specific configuration file (by default ''/liveslak/slackware_os.cfg'') exists, its contents will be parsed. Values of the variables defined in this file overrule any default liveslak or boot commandline values.
* if you specified "swap" on the boot commandline, any available swap partition will be added to "/etc/fstab" in the Live OS.
* if you specified a custom keyboard layout for the console (and optionally another for X) by using the "kbd" and "xkb" boot parameters then these will be confifured in "/etc/rc.d/rc.keymap" and "/etc/X11/xorg.conf.d/30-keyboard.conf" in the Live OS.
* Same for any custom locale which was specified with the "locale" parameter, this will get added to "/etc/profile.d/lang.sh".
* If timezone and hardware clock were specified in the "tz" parameter, these will be configured in "/etc/localtime" and "/etc/hardwareclock".
- * The boot parameters "livepw" and "rootpw" allow you to specify custom passwords for the 'live' and 'root' users; the defaults for these two are simply 'live' and 'root'. This is achieved by running the "chpasswd" command in the chrooted overlay so that a plain text password can be given as input.
- * The "hostname" boot parameter can be used to change the Live OS' hostname from its default "darkstar". Configuration is written to "/etc/HOSTNAME" and "/etc/NetworkManager/NetworkManager.conf".
+ * The boot parameters "livepw" and "rootpw" allow you to specify custom passwords for the 'live' and 'root' users; the defaults for these two are simply 'live' and 'root'. This is achieved by running the "chpasswd" command in the chrooted overlay so that a plain text password can be given as input. If you would rather avoid a password completely, you can just pass an empty string ("livepw=" or "rootpw=").
+ * The "hostname" and "domain" boot parameters can be used to change the Live OS' hostname from its default "darkstar" and the domain to something else than "home.arpa". Configuration is written to "/etc/hosts", "/etc/HOSTNAME" and "/etc/NetworkManager/NetworkManager.conf".
+ * If the "nfshost" boot parameter was specified, the Live OS is going through a network (PXE) boot. Appropriate network drivers will be loaded and network configuration will be applied so that the squashfs modules can be loaded via NFS.
* If the "blacklist" boot parameter was specified, then the kernel modules mentioned as argument(s) will be added to a modprobe blacklist file "/etc/modprobe.d/BLACKLIST-live.conf".
* The "/var/lib/alsa/asound.state" file in the Live OS is removed to allow correct sound configuration on any computer where the Live media is booted.
* The complete content of the /liveslak/rootcopy directory on the Live partition (may be empty) is copied to the filesystem root of the Live OS, potentially 'overwriting' files in the Live OS. Use the /liveslak/rootcopy to add customization to your Live OS when you run it off a USB stick.
@@ -862,6 +1121,25 @@ What does the 'liveslak' init script do?
* From this moment onward, you are booting a 'normal' Slackware system and the fact that this is actually running in RAM and not from your local harddisk is not noticeable.
+=== OS configuration file for persistent media ===
+
+If present, the liveslak init will load a OS config file from a persistent Live medium such as a USB stick. In the case of 'Slackware Live Edition' this file is called "/liveslak/slackware_os.cfg" - i.e. is placed in the "liveslak" directory of your USB drive. For custom non-Slackware Live OS-es based on liveslak, the filename may be different.
+This file contains one or more "VARIABLE=value" lines, where VARIABLE is one of the following variables that are used in the live init script:
+ * BLACKLIST, KEYMAP, LIVE_HOSTNAME, LOAD, LOCALE, LUKSVOL, NOLOAD, RUNLEVEL, TWEAKS, TZ, XKB.
+Values for the variables defined in this configuration file override the values already set via liveslak's own defaults or via boot-up command-line parameters.
+
+When booting your persistent //Slackware Live Edition//, the optional boot-time parameter "cfg" deals with this OS configuration file. The "cfg" parameter understands two possible argument values:
+ * "cfg=write" will (over)write the OS configuration file to your USB drive, using the values for all of the above variables that are valid for that particular boot. So if your timezone is "PST" then one of the lines in that file will read "TZ=PST".
+ * "cfg=skip" will skip processing of an existing "/liveslak/slackware_os.cfg" file.
+
+The OS configuration file is not present by default. You either create it at boot-time using "cfg=write" (which is a persistent change) or you create it manually using an ASCII text editor, after mounting theUSB partition on a computer. As an example, here is the content of ''/liveslak/slackware_os.cfg'' on my own USB stick: <code>
+KEYMAP=nl
+LIVE_HOSTNAME=zelazny
+LOCALE=nl_NL.utf8
+TWEAKS=tpb,syn
+TZ=Europe/Amsterdam</code>
+
+
=== Slackware Live module format ===
@@ -873,6 +1151,7 @@ Slackware Live Edition expects its modules to adhere to a particularly loose fil
* Anything may be part of the '*' but most commonly used is "${VERSION}-${ARCH}". The core modules in Slackware Live use the Slackware release as ${VERSION} and the Slackware architecture as ${ARCH}. For the modules in addons/ and optional/ subdirectories, ${VERSION} would commonly be the version of the program that is being made available in the module.
* The four digits of a modulename have a meaning. Some ranges are claimed by the core OS, so please do not use them. Their prefixes are based on the package source: <code>
0000 = contains the Slackware /boot directory
+ 0005 = Console OS modules when explicitly enabled for a regular ISO installed otherwise from Slackware tagfiles
0010-0019 = packages installed from a Slackware tagfile (a,ap,d, ... , y series)
0020-0029 = packages installed from a package list as found in the ./pkglists subdirectory of the liveslak sources (min, noxbase, x_base, xapbase, xfcebase etc)
0030-0039 = a 'local' package, i.e. a package found in subdirectory ./local or ./local64 (depending on architecture)
@@ -894,7 +1173,7 @@ Naturally, there have been many who went before me, and since I started as a n00
Website: https://www.slax.org/
-SLAX was the original Live variant of Slackware. The linux-live scripts which are used to create a SLAX ISO were generalized so that they can create a Live version of any OS that is already installed to a harddrive. SLAX development stalled a couple of years ago but its creator seems to have warmed up recently. However, the current SLAX is no longer based on Slackware - Debian is its base now.
+SLAX was the original Live variant of Slackware. The linux-live scripts which are used to create a SLAX ISO were generalized so that they can create a Live version of any OS that is already installed to a harddrive. SLAX development stalled a couple of years ago but its creator seems to have warmed up recently. New versions of SLAX were no longer based on Slackware but used Debian as its base. In 2022, a new SLAX variant emerged which is again based on Slackware.
The Live functionality of SLAX is based on aufs and unionfs which requires a custom-built kernel with aufs support compiled-in. It is small and has its boot scripts tweaked for startup speed.
diff --git a/contrib/scripts/makemod_wine b/contrib/scripts/makemod_wine
index c2fbf95..a253cdd 100644
--- a/contrib/scripts/makemod_wine
+++ b/contrib/scripts/makemod_wine
@@ -3,26 +3,36 @@
# Root of all my slackbuilds:
SBROOT=${SBROOT:-"/home/slackbuilds"}
-# Package versions for wine and SDL_sound/OpenAL:
+# The makemod script:
+MAKEMOD=${MAKEMOD:-"/usr/local/sbin/makemod"}
+
+# Current directory:
+CWD=$(pwd)
+
+# Package versions for wine and FAudio/vkd3d:
WINEREL=$(ls ${SBROOT}/wine/pkg64/current/wine-*.t?z |rev |cut -f3 -d- |rev)
FAUDIOREL=$(ls ${SBROOT}/FAudio/pkg/current/FAudio-*.t?z |rev |cut -f3 -d- |rev)
-VKD3DREL=$(ls ${SBROOT}/vkd3d/pkg/current/vkd3d-*.t?z |rev |cut -f3 -d- |rev)
+#VKD3DREL=$(ls ${SBROOT}/vkd3d/pkg/current/vkd3d-*.t?z |rev |cut -f3 -d- |rev)
# Package locations for wine vkd3d and FAudio:
WINEPKG=$(ls ${SBROOT}/wine/pkg64/current/wine-*.t?z)
-FAUDIOPKG=$(ls ${SBROOT}/FAudio/pkg/current/FAudio-*.t?z)
-VKD3DPKG=$(ls ${SBROOT}/vkd3d/pkg/current/vkd3d-*.t?z)
+FAUDIOPKG=$(ls ${SBROOT}/FAudio/pkg64/current/FAudio-*.t?z)
+FAUDIOPKG32=$(ls ${SBROOT}/FAudio/pkg/current/FAudio-*.t?z)
+#VKD3DPKG=$(ls ${SBROOT}/vkd3d/pkg64/current/vkd3d-*.t?z)
+#VKD3DPKG32=$(ls ${SBROOT}/vkd3d/pkg/current/vkd3d-*.t?z)
# Convert the 32bit FAudio into a 'compat32' package:
-convertpkg-compat32 -i ${FAUDIOPKG} -d /tmp
+convertpkg-compat32 -i ${FAUDIOPKG32} -d /tmp
-# Convert the 32bit vkd3d into a 'compat32' package:
-convertpkg-compat32 -i ${VKD3DPKG} -d /tmp
+## Convert the 32bit vkd3d into a 'compat32' package:
+#convertpkg-compat32 -i ${VKD3DPKG32} -d /tmp
# Create the SXZ module:
SCRATCHDIR=$(mktemp -t -d makesxz.XXXXXX)
installpkg --root $SCRATCHDIR ${WINEPKG}
+installpkg --root $SCRATCHDIR ${FAUDIOPKG}
+#installpkg --root $SCRATCHDIR ${VKD3DPKG}
installpkg --root $SCRATCHDIR /tmp/FAudio-compat32-${FAUDIOREL}-x86_64-*compat32.txz
-installpkg --root $SCRATCHDIR /tmp/vkd3d-compat32-${VKD3DREL}-x86_64-*compat32.txz
-./makemod $SCRATCHDIR ./optional/0060-wine-${WINEREL}-current-x86_64.sxz
+#installpkg --root $SCRATCHDIR /tmp/vkd3d-compat32-${VKD3DREL}-x86_64-*compat32.txz
+$MAKEMOD $SCRATCHDIR $CWD/0060-wine-${WINEREL}-current-x86_64.sxz
rm -r $SCRATCHDIR
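Review bot: The converted 32-bit FAudio package is still written to the shared `/tmp` and installed from there through a wildcard (`convertpkg-compat32 -i ${FAUDIOPKG32} -d /tmp`, then `installpkg ... /tmp/FAudio-compat32-${FAUDIOREL}-x86_64-*compat32.txz`). On a multi-user build host, any file in `/tmp` that matches that pattern ends up in the module. A private directory avoids this: `PKGTMP=$(mktemp -d -t makemod_wine.XXXXXX)`, then `convertpkg-compat32 -i "${FAUDIOPKG32}" -d "${PKGTMP}"`, then install from `"${PKGTMP}"` and remove it alongside `$SCRATCHDIR`. `FAUDIOREL` is still read from the 32-bit `pkg/` tree while `FAUDIOPKG` now comes from `pkg64/`; presumably both hold the same version, which deserves a one-line comment.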
diff --git a/grub.tpl b/grub.tpl
index ead3a36..d87c50b 100644
--- a/grub.tpl
+++ b/grub.tpl
@@ -22,9 +22,17 @@ if [ -z "$sl_locale" ]; then
export sl_locale
fi
+# Check whether we are in a Secure Boot scenario:
+if [ "x$lockdown" != "x" ]; then
+ set check_signatures=enforce
+ export check_signatures
+fi
+
# Determine whether we can show a graphical themed menu:
insmod font
if loadfont $prefix/theme/dejavusansmono12.pf2 ; then
+ loadfont $prefix/theme/dejavusansmono24.pf2
+ loadfont $prefix/theme/dejavusansmono20.pf2
loadfont $prefix/theme/dejavusansmono10.pf2
loadfont $prefix/theme/dejavusansmono5.pf2
set gfxmode=1024x768,800x600,640x480,auto
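Review bot: The comment on the new Secure Boot block does not say where `lockdown` comes from or what `check_signatures=enforce` changes for the rest of the file, and both matter to anyone who edits this menu later. Suggested wording: `# GRUB sets 'lockdown' when it runs locked down under Secure Boot; with check_signatures=enforce every file loaded from here on (fonts, theme, kernel, initrd) needs a valid detached signature.` Under that setting a `loadfont` without a signature presumably fails, so the two added font files need signatures like the existing ones or the themed menu is skipped. Because the variable is only set once this file is already executing, the file itself has to be verified by something earlier (the embedded configuration, if that is its role), and the comment should say so. The `if loadfont` block continues past the end of this hunk.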
@@ -67,8 +75,8 @@ menuentry "Help on boot parameters" --hotkey h {
unset pager
}
-@C2RMH@menuentry "Console OS in RAM ($sl_lang)" --hotkey c {
-@C2RMH@ linux ($root)/boot/generic @KAPPEND@ load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 kbd=$sl_kbd tz=$sl_tz locale=$sl_locale xkb=$sl_xkb toram=core 3
-@C2RMH@ initrd ($root)/boot/initrd.img
-@C2RMH@}
+@C2RMS@menuentry "Console OS in RAM ($sl_lang)" --hotkey c {
+@C2RMS@ linux ($root)/boot/generic @KAPPEND@ load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 kbd=$sl_kbd tz=$sl_tz locale=$sl_locale xkb=$sl_xkb toram=core 3
+@C2RMS@ initrd ($root)/boot/initrd.img
+@C2RMS@}
diff --git a/iso2usb.sh b/iso2usb.sh
index 4bb33f1..dfe1eec 100644
--- a/iso2usb.sh
+++ b/iso2usb.sh
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Copyright 2015, 2016, 2017, 2019, 2020 Eric Hameleers, Eindhoven, NL
+# Copyright 2015, 2016, 2017, 2019, 2020, 2021, 2022, 2023 Eric Hameleers, Eindhoven, NL
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -32,11 +32,20 @@ FORCE=0
# The default layout of the USB stick is:
# partition 1 (1MB),
# partition 2 (100 MB)
-# partition 3 (claim all free space - specified as 0 MB).
+# partition 3 (claim all free space - specified as -1 MB).
# The script allows for an amount of free space to be left at the end
-# (partition 4, unused by liveslak) in case you need this:
+# (partition 4, un-used by liveslak) in case you need this:
DEF_LAYOUT="1,100,-1,"
+# The extension for containerfiles accompanying an ISO is '.icc',
+# whereas the persistent USB stick created with iso2usb.sh uses '.img'.
+DEFEXT=".img"
+CNTEXT="${DEFEXT}"
+
+# Default filesystem for devices/containers:
+DEF_FS="ext4"
+FSYS="${DEF_FS}"
+
# By default, we use 'slhome.img' as the name of the LUKS home containerfile.
DEF_SLHOME="slhome"
SLHOME="${DEF_SLHOME}"
@@ -80,7 +89,7 @@ DOLUKS=0
REFRESH=0
# These tools are required by the script, we will check for their existence:
-REQTOOLS="blkid cpio extlinux fdisk gdisk isoinfo lsblk mkdosfs sgdisk syslinux wipefs"
+REQTOOLS="blkid cpio cryptsetup extlinux fdisk find gdisk gzip isoinfo losetup lsblk lzip mkdosfs sgdisk syslinux wipefs xz"
# Path to syslinux files:
if [ -d /usr/share/syslinux ]; then
@@ -97,9 +106,7 @@ else
fi
# Initialize more variables:
-CNTBASE=""
CNTDEV=""
-CNTFILE=""
HLUKSSIZE=""
LUKSHOME=""
LODEV=""
@@ -111,6 +118,11 @@ CNTMNT=""
USBMNT=""
US2MNT=""
+# Minimim free space (in MB) we want to have left in any partition
+# after we are done.
+# The default value can be changed from the environment:
+MINFREE=${MINFREE:-10}
+
# Compressor used on the initrd ("gzip" or "xz --check=crc32");
# Note that the kernel's XZ decompressor does not understand CRC64:
COMPR="xz --check=crc32"
@@ -120,7 +132,7 @@ COMPR="xz --check=crc32"
#
# Clean up in case of failure:
-cleanup() {
+function cleanup() {
# Clean up by unmounting our loopmounts, deleting tempfiles:
echo "--- Cleaning up the staging area..."
# During cleanup, do not abort due to non-zero exit code:
@@ -130,7 +142,7 @@ cleanup() {
# In case of failure, only the most recent device should still be open:
if mount |grep -q ${CNTDEV} ; then
umount -f ${CNTDEV}
- cryptsetup luksClose $(basename ${CNTBASE})
+ cryptsetup luksClose $(basename ${CNTDEV})
losetup -d ${LODEV}
fi
fi
@@ -140,10 +152,10 @@ cleanup() {
[ -n "${US2MNT}" ] && ( umount -f ${US2MNT} 2>/dev/null; rmdir $US2MNT 2>/dev/null )
[ -n "${IMGDIR}" ] && ( rm -rf $IMGDIR )
set -e
-}
+} # End of cleanup()
trap 'echo "*** $0 FAILED at line $LINENO ***"; cleanup; exit 1' ERR INT TERM
-showhelp() {
+function showhelp() {
cat <<EOT
#
# Purpose: to transfer the content of Slackware's Live ISO image
@@ -186,8 +198,16 @@ cat <<EOT
# of a directory (for use on FAT filesystem)
# Format for size/percentage is the same
# as for the '-c' parameter.
+# -F|--filesystem <fs> Specify filesystem to create when formatting
+# devices/containers. Defaults to '${DEF_FS}',
+# Choices are $(createfs).
+# Note that the linux partition will always be
+# formatted as 'ext4' because extlinux is used
+# as the BIOS bootloader.
# -P|--persistfile Use a 'persistence' container file instead of
# a directory (for use on FAT filesystem).
+# Persistent data will not be migrated
+# when switching from directory to container file.
#
# Examples:
#
@@ -196,28 +216,76 @@ cat <<EOT
# $(basename $0) -i slackware-live-current.iso -o /dev/sdX -y 1,200,-1,4096
#
EOT
-}
+} # End of showhelp()
+
+# Create a filesystem on a partition with optional label:
+function createfs () {
+ MYDEV="${1}"
+ MYFS="${2:-'ext4'}"
+ MYLABEL="${3}"
+
+ if [ -z "${MYDEV}" ]; then
+ # Without arguments given, reply with list of supported fs'es:
+ echo "btrfs,ext2,ext4,f2fs,jfs,xfs"
+ return
+ fi
+
+ if [ -n "${MYLABEL}" ]; then
+ case "${MYFS}" in
+ fs2s) MYLABEL="-l ${MYLABEL}" ;;
+ *) MYLABEL="-L ${MYLABEL}" ;;
+ esac
+ fi
+
+ case "${MYFS}" in
+ btrfs) mkfs.btrfs -f -d single -m single ${MYLABEL} ${MYDEV}
+ ;;
+ ext2) mkfs.ext2 -F -F ${MYLABEL} ${MYDEV}
+ # Tune the ext2 filesystem:
+ tune2fs -m 0 -c 0 -i 0 ${MYDEV}
+ ;;
+ ext4) mkfs.ext4 -F -F ${MYLABEL} ${MYDEV}
+ # Tune the ext4 filesystem:
+ tune2fs -m 0 -c 0 -i 0 ${MYDEV}
+ ;;
+ f2fs) mkfs.f2fs ${MYLABEL} -f ${MYDEV}
+ ;;
+ jfs) mkfs.jfs -q ${MYDEV}
+ ;;
+ xfs) mkfs.xfs -f ${MYDEV}
+ ;;
+ *) echo "*** Unsupported filesystem '${MYFS}'!"; exit 1
+ ;;
+ esac
+} # End of createfs()
# Uncompress the initrd based on the compression algorithm used:
-uncompressfs () {
- if $(file "${1}" | grep -qi ": gzip"); then
- gzip -cd "${1}"
- elif $(file "${1}" | grep -qi ": XZ"); then
- xz -cd "${1}"
+function uncompressfs () {
+ local IMGFILE="$1"
+ # Content is streamed to STDOUT:
+ if $(file "${IMGFILE}" | grep -qi ": gzip"); then
+ gzip -cd "${IMGFILE}"
+ elif $(file "${IMGFILE}" | grep -qi ": XZ"); then
+ xz -cd "${IMGFILE}"
+ elif $(file "${IMGFILE}" | grep -qi ": LZMA"); then
+ lzma -cd "${IMGFILE}"
+ elif $(file "${IMGFILE}" | grep -qi ": lzip"); then
+ lzip -cd "${IMGFILE}"
fi
-}
+} # End of uncompressfs()
# Scan for insertion of a USB device:
-scan_devices() {
+function scan_devices() {
+ local MYSCANWAIT="${1}"
local BD
# Inotifywatch does not trigger on symlink creation,
# so we can not watch /sys/block/
- BD=$(inotifywait -q -t ${SCANWAIT} -e create /dev 2>/dev/null |cut -d' ' -f3)
+ BD=$(inotifywait -q -t ${MYSCANWAIT} -e create /dev 2>/dev/null |cut -d' ' -f3)
echo ${BD}
} # End of scan_devices()
# Show a list of removable devices detected on this computer:
-show_devices() {
+function show_devices() {
local MYDATA="${*}"
if [ -z "${MYDATA}" ]; then
MYDATA="$(ls --indicator-style=none /sys/block/ |grep -Ev '(ram|loop|dm-)')"
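Review bot: In `createfs`, `MYFS="${2:-'ext4'}"` does not default to ext4: inside double quotes the single quotes are kept, so a call without a second argument yields `'ext4'` including the quotes and falls into the `*)` branch with "Unsupported filesystem". It should read `local MYFS="${2:-ext4}"`. The label case tests `fs2s`, which looks like a typo for `f2fs`, so a labelled f2fs filesystem is given `-L` instead of the intended `-l`; the pattern should be `f2fs)`. The `jfs` and `xfs` branches drop a requested label without saying so, and `MYDEV`, `MYFS` and `MYLABEL` are globals where the other new helpers use `local`. `show_devices` continues past the end of this hunk.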
@@ -233,16 +301,16 @@ show_devices() {
} # End of show_devices()
# Read configuration data from old initrd:
-read_initrd() {
+function read_initrd() {
IMGFILE="$1"
OLDPERSISTENCE=$(uncompressfs ${IMGFILE} |cpio -i --to-stdout init |grep "^PERSISTENCE" |cut -d '"' -f2 2>/dev/null)
OLDWAIT=$(uncompressfs ${IMGFILE} |cpio -i --to-stdout wait-for-root 2>/dev/null)
OLDLUKS=$(uncompressfs ${IMGFILE} |cpio -i --to-stdout luksdev 2>/dev/null)
-}
+} # End of read_initrd()
# Add longer USB WAIT to the initrd:
-update_initrd() {
+function update_initrd() {
IMGFILE="$1"
# USB boot medium needs a few seconds boot delay else the overlay will fail.
@@ -310,93 +378,133 @@ update_initrd() {
rm -rf $IMGDIR/*
} # End of update_initrd()
+# Determine size of a mounted partition (in MB):
+function get_part_mb_size() {
+ local MYPART="${1}"
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${MYPART} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f2)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_size()
+
+# Determine free space of a mounted partition (in MB):
+function get_part_mb_free() {
+ local MYPART="${1}"
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${MYPART} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f4)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_free()
+
+# Determine requested container size in MB (allow for '%|k|K|m|M|g|G' suffix):
+function cont_mb() {
+ # Uses global variables: PARTFREE
+ local MYSIZE="$1"
+ case "${MYSIZE: -1}" in
+ "%") MYSIZE="$(( $PARTFREE * ${MYSIZE%\%} / 100 ))" ;;
+ "k") MYSIZE="$(( ${MYSIZE%k} / 1024 ))" ;;
+ "K") MYSIZE="$(( ${MYSIZE%K} / 1024 ))" ;;
+ "m") MYSIZE="${MYSIZE%m}" ;;
+ "M") MYSIZE="${MYSIZE%M}" ;;
+ "g") MYSIZE="$(( ${MYSIZE%g} * 1024 ))" ;;
+ "G") MYSIZE="$(( ${MYSIZE%G} * 1024 ))" ;;
+ *) MYSIZE=-1 ;;
+ esac
+ echo "$MYSIZE"
+} # End of cont_mb()
+
# Create a container file in the empty space of the partition
-create_container() {
- CNTPART=$1
- CNTSIZE=$2
- CNTBASE=$3
- CNTENCR=$4 # 'none' or 'luks'
- CNTUSED=$5 # '/home' or 'persistence'
+function create_container() {
+ local CNTPART=$1 # partition containing the ISO
+ local CNTSIZE=$2 # size of the container file to create
+ local CNTFILE=$3 # ${CNTEXT} filename with full path
+ local CNTENCR=$4 # 'none' or 'luks'
+ local CNTUSED=$5 # '/home' or 'persistence'
+ local MYMAP
+ local MYMNT
+
+ # If containerfile extension is missing, add it now:
+ if [ "${CNTFILE%${CNTEXT}}" == "${CNTFILE}" ]; then
+ CNTFILE="${CNTFILE}${CNTEXT}"
+ fi
# Create a container file or re-use previously created one:
- if [ -f $USBMNT/${CNTBASE}.img ]; then
- CNTFILE="${CNTBASE}.img"
- CNTSIZE=$(( $(du -sk $USBMNT/${CNTFILE} |tr '\t' ' ' |cut -f1 -d' ') / 1024 ))
- echo "--- Keeping existing '${CNTFILE}' (size ${CNTSIZE} MB)."
+ if [ -f ${CNTFILE} ]; then
+ # Where are we mounted?
+ MYMNT=$(cd "$(dirname "${CNTFILE}")" ; df --output=target . |tail -1)
+ CNTSIZE=$(( $(du -sk ${CNTFILE} |tr '\t' ' ' |cut -f1 -d' ') / 1024 ))
+ echo "--- Keeping existing '${CNTFILE#${MYMNT}}' (size ${CNTSIZE} MB)."
return
fi
# Determine size of the target partition (in MB), and the free space:
- PARTSIZE=$(df -P -BM ${CNTPART} |tail -1 |tr -s '\t' ' ' |cut -d' ' -f2)
- PARTSIZE=${PARTSIZE%M}
- PARTFREE=$(df -P -BM ${CNTPART} |tail -1 |tr -s '\t' ' ' |cut -d' ' -f4)
- PARTFREE=${PARTFREE%M}
+ PARTSIZE=$(get_part_mb_size ${CNTPART})
+ PARTFREE=$(get_part_mb_free ${CNTPART})
- if [ $PARTFREE -lt 10 ]; then
- echo "*** Free space on USB partition is less than 10 MB;"
+ if [ $PARTFREE -lt ${MINFREE} ]; then
+ echo "*** Free space on USB partition is less than ${MINFREE} MB;"
echo "*** Not creating a container file!"
+ cleanup
exit 1
fi
- # Determine requested container size (allow for '%|k|K|m|M|g|G' suffix):
- case "${CNTSIZE: -1}" in
- "%") CNTSIZE="$(( $PARTFREE * ${CNTSIZE%\%} / 100 ))" ;;
- "k") CNTSIZE="$(( ${CNTSIZE%k} / 1024 ))" ;;
- "K") CNTSIZE="$(( ${CNTSIZE%K} / 1024 ))" ;;
- "m") CNTSIZE="${CNTSIZE%m}" ;;
- "M") CNTSIZE="${CNTSIZE%M}" ;;
- "g") CNTSIZE="$(( ${CNTSIZE%g} * 1024 ))" ;;
- "G") CNTSIZE="$(( ${CNTSIZE%G} * 1024 ))" ;;
- *) ;;
- esac
+ # Determine requested container size in MB (allow for '%|k|K|m|M|g|G' suffix):
+ CNTSIZE=$(cont_mb ${CNTSIZE})
if [ $CNTSIZE -le 0 ]; then
echo "*** Container size must be larger than ZERO!"
echo "*** Check your '-c' commandline parameter."
+ cleanup
exit 1
elif [ $CNTSIZE -ge $PARTFREE ]; then
echo "*** Not enough free space for container file!"
echo "*** Check your '-c' commandline parameter."
+ cleanup
exit 1
fi
echo "--- Creating ${CNTSIZE} MB container file using 'dd if=/dev/urandom', patience please..."
- mkdir -p $USBMNT/$(dirname "${CNTBASE}")
- CNTFILE="${CNTBASE}.img"
- # Create a sparse file (not allocating any space yet):
- dd of=$USBMNT/${CNTFILE} bs=1M count=0 seek=$CNTSIZE
+ mkdir -p $(dirname "${CNTFILE}")
+ if [ $? ]; then
+ # Create a sparse file (not allocating any space yet):
+ dd of=${CNTFILE} bs=1M count=0 seek=$CNTSIZE 2>/dev/null
+ else
+ echo "*** Failed to create directory for the container file!"
+ cleanup
+ exit 1
+ fi
# Setup a loopback device that we can use with cryptsetup:
LODEV=$(losetup -f)
- losetup $LODEV $USBMNT/${CNTFILE}
+ losetup $LODEV ${CNTFILE}
+ MYMAP=$(basename ${CNTFILE} ${CNTEXT})
if [ "${CNTENCR}" = "luks" ]; then
# Format the loop device with LUKS:
- echo "--- Encrypting the container file with LUKS; enter 'YES' and a passphrase..."
+ echo "--- Encrypting the container file with LUKS via '${LODEV}'"
+ echo "--- This takes SOME time, please be patient..."
+ echo "--- enter 'YES' and a passphrase:"
until cryptsetup -y luksFormat $LODEV ; do
echo ">>> Did you type two different passphrases?"
read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
done
# Unlock the LUKS encrypted container:
echo "--- Unlocking the LUKS container requires your passphrase again..."
- until cryptsetup luksOpen $LODEV $(basename ${CNTBASE}) ; do
+ until cryptsetup luksOpen $LODEV ${MYMAP} ; do
echo ">>> Did you type an incorrect passphrases?"
read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
done
- CNTDEV=/dev/mapper/$(basename ${CNTBASE})
+ CNTDEV=/dev/mapper/${MYMAP}
# Now we allocate blocks for the LUKS device. We write encrypted zeroes,
# so that the file looks randomly filled from the outside.
# Take care not to write more bytes than the internal size of the container:
+ echo "--- Writing ${CNTSIZE} MB of random data to encrypted container; takes LONG time..."
CNTIS=$(( $(lsblk -b -n -o SIZE $(readlink -f ${CNTDEV})) / 512))
- dd if=/dev/zero of=${CNTDEV} bs=512 count=${CNTIS} || true
+ dd if=/dev/zero of=${CNTDEV} bs=512 count=${CNTIS} status=progress || true
else
- CNTDEV=$LODEV
# Un-encrypted container files remain sparse.
+ CNTDEV=$LODEV
fi
# Format the now available block device with a linux fs:
- mkfs.ext4 ${CNTDEV}
- # Tune the ext4 filesystem:
- tune2fs -m 0 -c 0 -i 0 ${CNTDEV}
+ createfs ${CNTDEV} ${FSYS}
if [ "${CNTUSED}" != "persistence" ]; then
# Create a mount point for the unlocked container:
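Review bot: `if [ $? ]; then` after `mkdir -p` in `create_container` is always true, because `[` with a single argument only tests that the string is non-empty, and both `0` and `1` are; the "Failed to create directory" branch can never run. Test the command itself instead: `if mkdir -p "$(dirname "${CNTFILE}")" ; then`. The `dd` that creates the sparse file now sends stderr to `/dev/null`, so a failure there shows up only as the line number printed by the ERR trap. `cont_mb` also changes what a size without a suffix means: the old `*) ;;` kept the number, the new `*) MYSIZE=-1` turns it into the "larger than ZERO" error, which may be intended but should then be stated in the `-c`/`-C` help. The body of `create_container` continues after this hunk.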
@@ -410,7 +518,7 @@ create_container() {
fi
# Copy the original /home (or whatever mount) content into the container:
echo "--- Copying '${CNTUSED}' from LiveOS to container..."
- HOMESRC=$(find ${USBMNT} -name "0099-slackware_zzzconf*" |tail -1)
+ HOMESRC=$(find ${ISOMNT} -name "0099-slackware_zzzconf*" |tail -1)
mount ${CNTDEV} ${CNTMNT}
unsquashfs -n -d ${CNTMNT}/temp ${HOMESRC} ${CNTUSED}
mv ${CNTMNT}/temp/${CNTUSED}/* ${CNTMNT}/
@@ -420,10 +528,9 @@ create_container() {
# Don't forget to clean up after ourselves:
if [ "${CNTENCR}" = "luks" ]; then
- cryptsetup luksClose $(basename ${CNTBASE})
+ cryptsetup luksClose ${MYMAP}
fi
losetup -d ${LODEV} || true
-
} # End of create_container() {
#
@@ -502,6 +609,10 @@ while [ ! -z "$1" ]; do
PERSISTTYPE="file"
shift 2
;;
+ -F|--filesystem)
+ FSYS="$2"
+ shift 2
+ ;;
-P|--persistfile)
PERSISTTYPE="file"
shift
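Review bot: `FSYS="$2"` is stored without any check, so a value such as `ext3` passes the later tool test (a `mkfs.ext3` usually exists) and is only rejected inside `createfs`, which `create_container` calls after the loop device is attached and `cryptsetup luksFormat` has already run. `createfs` leaves through a bare `exit 1`, which does not fire the `ERR` trap, so `cleanup` is skipped and the LUKS mapping and loop device appear to stay open. Rejecting the value at parse time avoids that: `case ",$(createfs)," in *",${FSYS},"*) ;; *) echo "*** Unsupported filesystem '${FSYS}'!"; exit 1 ;; esac`. The option loop starts and ends outside this hunk.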
@@ -529,7 +640,7 @@ fi
if [ -z "$TARGET" ]; then
if [ $SCAN -eq 1 ]; then
echo "-- Waiting ${SCANWAIT} seconds for a USB stick to be inserted..."
- TARGET=$(scan_devices)
+ TARGET=$(scan_devices ${SCANWAIT})
if [ -z "$TARGET" ]; then
echo "*** No new USB device detected during $SCANWAIT seconds scan."
exit 1
@@ -550,6 +661,16 @@ if [ $FORCE -eq 0 -a ! -f "$SLISO" ]; then
exit 1
fi
+if [ "${HLUKSSIZE%.*}" != "${HLUKSSIZE}" ] ; then
+ echo "*** Integer value required in '-c $HLUKSSIZE' !"
+ exit 1
+fi
+
+if [ "${PLUKSSIZE%.*}" != "${PLUKSSIZE}" ] ; then
+ echo "*** Integer value required in '-C $PLUKSSIZE' !"
+ exit 1
+fi
+
if [ $FORCE -eq 0 ]; then
if [ ! -e /sys/block/$(basename $TARGET) ]; then
echo "*** Not a block device: '$TARGET' !"
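Review bot: The two added tests only catch a decimal point: `${HLUKSSIZE%.*}` differs from `${HLUKSSIZE}` only when the value contains a `.`, so any other non-numeric text passes and reaches the `$(( ... ))` arithmetic in `cont_mb`, where bash evaluates it as an expression rather than rejecting it. Matching the whole value is stricter and keeps the same message: `if [ -n "${HLUKSSIZE}" ] && ! [[ "${HLUKSSIZE}" =~ ^[0-9]+[%kKmMgG]$ ]]; then`, and likewise for `PLUKSSIZE`. The suffix set in that pattern is the one `cont_mb` accepts.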
@@ -562,6 +683,9 @@ if [ $FORCE -eq 0 ]; then
fi
fi
+# Add required filesystem tools:
+REQTOOLS="${REQTOOLS} mkfs.${FSYS}"
+
# Are all the required not-so-common add-on tools present?
PROG_MISSING=""
for PROGN in ${REQTOOLS} ; do
@@ -701,25 +825,34 @@ if [ $REFRESH -eq 0 ]; then
# Create filesystems:
# Not enough clusters for a 32 bit FAT:
mkdosfs -s 2 -n "DOS" ${TARGETP1}
- mkdosfs -F32 -s 2 -n "EFI" ${TARGETP2}
+ mkdosfs -F32 -s 2 -n "ESP" ${TARGETP2}
# KDE tends to automount.. so try an umount:
if mount |grep -qw ${TARGETP3} ; then
umount ${TARGETP3} || true
fi
+ # We use extlinux to boot the stick, so other filesystems are not accepted:
+ createfs ${TARGETP3} ext4 "${LIVELABEL}"
# http://www.syslinux.org/wiki/index.php?title=Filesystem
- # As of Syslinux 6.03, "pure 64-bits" compression/encryption is not supported.
+ # As of Syslinux 6.03, "pure 64-bits" compression/encryption is unsupported.
# Modern mke2fs creates file systems with the metadata_csum and 64bit
# features enabled by default.
# Explicitly disable 64bit feature in the mke2fs command with '-O ^64bit';
# otherwise, the syslinux bootloader (>= 6.03) will fail.
# Note: older 32bit OS-es will trip over the '^64bit' feature so be gentle.
- mkfs.ext4 -F -F -L "${LIVELABEL}" ${TARGETP3}
- if ! tune2fs -O ^64bit ${TARGETP3} 1>/dev/null 2>/dev/null ; then
- FEAT_64BIT=""
- else
- FEAT_64BIT="-O ^64bit"
+ UNWANTED_FEAT=""
+ if tune2fs -O ^64bit ${TARGETP3} 1>/dev/null 2>/dev/null ; then
+ UNWANTED_FEAT="^64bit,"
+ fi
+ # Grub 2.0.6 stumbles over metadata_csum_seed which is enabled by default
+ # since e2fsprogs 1.47.0, so let's disable that too:
+ if tune2fs -O ^metadata_csum_seed ${TARGETP3} 1>/dev/null 2>/dev/null ; then
+ UNWANTED_FEAT="${UNWANTED_FEAT}^metadata_csum_seed,"
fi
- tune2fs -c 0 -i 0 -m 0 ${FEAT_64BIT} ${TARGETP3}
+ if [ -n "${UNWANTED_FEAT}" ]; then
+ # We found unwanted feature(s), get rid of trailing comma:
+ UNWANTED_FEAT="-O ${UNWANTED_FEAT::-1}"
+ fi
+ tune2fs -c 0 -i 0 -m 0 ${UNWANTED_FEAT} ${TARGETP3}
else
# Determine partition names independently of storage architecture:
TARGETP1=$(fdisk -l $TARGET |grep ^$TARGET |cut -d' ' -f1 |grep -E '[^0-9]1$')
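Review bot: The two `tune2fs -O ^feature` calls are written as probes, but they are the real change: when one succeeds the feature is already cleared, and when one fails the reason goes to `/dev/null` and the feature silently stays enabled on `${TARGETP3}`. As far as I know tune2fs does not itself clear `64bit` on an existing filesystem, so for that feature the failure path may be the normal one, and the comment above still describes an `mke2fs -O ^64bit` that `createfs` has no parameter for. At minimum the failure should be reported, e.g. an `else` branch with `echo "--- Could not disable ext4 feature '64bit' on ${TARGETP3}; syslinux may fail to boot."`. `${UNWANTED_FEAT::-1}` additionally needs bash 4.2 or newer. The enclosing `if [ $REFRESH -eq 0 ]` block starts before this hunk and continues after it.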
@@ -817,9 +950,13 @@ if [ -n "$VERSION" ]; then
fi
if [ -n "${HLUKSSIZE}" ]; then
- # Create LUKS container file for /home:
- create_container ${TARGETP3} ${HLUKSSIZE} ${SLHOME} luks /home
- LUKSHOME=${CNTFILE}
+ # If file extension is missing in the containername, add it now:
+ if [ "${SLHOME%${CNTEXT}}" == "${SLHOME}" ]; then
+ SLHOME="${SLHOME}${CNTEXT}"
+ fi
+ # Create LUKS container file for /home ;
+ LUKSHOME="${SLHOME}"
+ create_container ${TARGETP3} ${HLUKSSIZE} "${USBMNT}/${LUKSHOME}" luks /home
fi
# Update the initrd with regard to USB wait time, persistence and LUKS.
@@ -835,15 +972,15 @@ if [ $REFRESH -eq 1 ]; then
# The user specified a nonstandard persistence, so move the old one first;
# hide any errors if it did not *yet* exist:
mkdir -p ${USBMNT}/$(dirname ${PERSISTENCE})
- mv ${USBMNT}/${OLDPERSISTENCE}.img ${USBMNT}/${PERSISTENCE}.img 2>/dev/null
+ mv ${USBMNT}/${OLDPERSISTENCE}${CNTEXT} ${USBMNT}/${PERSISTENCE}${CNTEXT} 2>/dev/null
mv ${USBMNT}/${OLDPERSISTENCE} ${USBMNT}/${PERSISTENCE} 2>/dev/null
fi
- if [ -f ${USBMNT}/${PERSISTENCE}.img ]; then
+ if [ -f ${USBMNT}/${PERSISTENCE}${CNTEXT} ]; then
# If a persistence container exists, we re-use it:
PERSISTTYPE="file"
- if cryptsetup isLuks ${USBMNT}/${PERSISTENCE}.img ; then
+ if cryptsetup isLuks ${USBMNT}/${PERSISTENCE}${CNTEXT} ; then
# If the persistence file is LUKS encrypted we need to record its size:
- PLUKSSIZE=$(( $(du -sk $USBMNT/${PERSISTENCE}.img |tr '\t' ' ' |cut -f1 -d' ') / 1024 ))
+ PLUKSSIZE=$(( $(du -sk $USBMNT/${PERSISTENCE}${CNTEXT} |tr '\t' ' ' |cut -f1 -d' ') / 1024 ))
fi
elif [ -d ${USBMNT}/${PERSISTENCE} -a "${PERSISTTYPE}" = "file" ]; then
# A persistence directory exists but the user wants a container now;
@@ -864,10 +1001,10 @@ elif [ "${PERSISTTYPE}" = "file" ]; then
# Note: the word "persistence" below is a keyword for create_container:
if [ -z "${PLUKSSIZE}" ]; then
# Un-encrypted container:
- create_container ${TARGETP3} 90% ${PERSISTENCE} none persistence
+ create_container ${TARGETP3} 90% ${USBMNT}/${PERSISTENCE} none persistence
else
# LUKS-encrypted container:
- create_container ${TARGETP3} ${PLUKSSIZE} ${PERSISTENCE} luks persistence
+ create_container ${TARGETP3} ${PLUKSSIZE} ${USBMNT}/${PERSISTENCE} luks persistence
fi
else
echo "*** Unknown persistence type '${PERSISTTYPE}'!"
diff --git a/isocomp.sh b/isocomp.sh
new file mode 100644
index 0000000..ddb431b
--- /dev/null
+++ b/isocomp.sh
@@ -0,0 +1,921 @@
+#!/bin/bash
+#
+# Copyright 2022, 2023 Eric Hameleers, Eindhoven, NL
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# -----------------------------------------------------------------------------
+#
+# This script can perform some specific changes on the USB stick
+# containing an ISO of Slackware Live Edition,
+# when you boot from that ISO using a multi-boot manager.
+# - create a directory structure on the USB partition to add more
+# functionality to the ISO (e.g. load extra addons/optional modules).
+# - create an encrypted container file for storing persistence data.
+# - create an encrypted container file to mount on /home .
+# - write all the above information into a configuration file for the ISO.
+#
+# -----------------------------------------------------------------------------
+
+# Be careful:
+set -e
+
+# Limit the search path:
+export PATH="/usr/sbin:/sbin:/usr/bin:/bin"
+
+# Use of force is sometimes needed:
+FORCE=0
+
+# Version is obtained from the ISO metadata:
+VERSION=""
+
+# The extension for containerfiles accompanying an ISO is '.icc',
+# whereas the persistent USB stick created with iso2usb.sh uses '.img'.
+DEFEXT=".icc"
+CNTEXT="${DEFEXT}"
+
+# Default filesystem for devices/containers:
+DEF_FS="ext4"
+FSYS="${DEF_FS}"
+
+# Default mount point for a LUKS container if not specified:
+DEFMNT="/home"
+LUKSMNT=""
+
+# Values for container sizes:
+PERSSIZE=""
+LUKSSIZE=""
+INCSIZE=""
+LUKSVOL=""
+
+# Associative array to capture LUKSVOL definitions:
+declare -A CONTAINERS=()
+
+# Values obtained from a pre-existing .cfg file:
+ISOPERSISTENCE=""
+LUKSCNT=""
+LIVESLAKROOT=""
+
+# Define ahead of time, so that cleanup knows about them:
+IMGDIR=""
+ISOMNT=""
+CNTDEV=""
+CNTMNT=""
+EXTENSION=""
+LODEV=""
+PERSISTENCE=""
+
+# Minimim free space (in MB) we want to have left in any partition
+# after we are done.
+# The default value can be changed from the environment:
+MINFREE=${MINFREE:-10}
+
+# Compressor used on the initrd ("gzip" or "xz --check=crc32");
+# Note that the kernel's XZ decompressor does not understand CRC64:
+COMPR="xz --check=crc32"
+
+# These tools are required by the script, we will check for their existence:
+REQTOOLS="cpio cryptsetup fsck gzip isoinfo lsblk unsquashfs xz zstd"
+
+#
+# -- function definitions --
+#
+
+# Clean up in case of failure:
+function cleanup() {
+ # Clean up by unmounting our loopmounts, deleting tempfiles:
+ echo "--- Cleaning up the staging area..."
+ # During cleanup, do not abort due to non-zero exit code:
+ set +e
+ sync
+
+ if [ -n "$CNTDEV" ]; then
+ # In case of failure, only most recent LUKS mapped device is still open:
+ if mount | grep -q ${CNTDEV} ; then
+ umount -f ${CNTDEV}
+ cryptsetup luksClose $(basename ${CNTDEV})
+ losetup -d ${LODEV}
+ fi
+ fi
+ [ -n "${ISOMNT}" ] && ( umount -f ${ISOMNT} 2>/dev/null; rmdir $ISOMNT 2>/dev/null )
+ [ -n "${CNTMNT}" ] && ( umount -f ${CNTMNT} 2>/dev/null; rmdir $CNTMNT 2>/dev/null )
+ [ -n "${IMGDIR}" ] && ( rm -rf $IMGDIR )
+ set -e
+} # End of cleanup()
+
+trap 'echo "*** $0 FAILED at line $LINENO ***"; cleanup; exit 1' ERR INT TERM
+
+# Show the help text for this script:
+function showhelp() {
+cat <<EOT
+#
+# Purpose: enhance the functionality when booting a Slackware Live ISO file.
+# When supplying pathnames as parameter values below, use full pathnames in
+# your local filesystem. The script will figure out where your USB disk
+# partition is mounted and will adjust the path names accordingly
+# in the USB configuration.
+#
+# $(basename $0) accepts the following parameters:
+# -d|--directory <path> Create a liveslak directory structure to store
+# additional modules. The parameter value is
+# used as the root path below which the
+# liveslak/{addons,optional} subdirectories
+# will be created.
+# -e|--examples Show some common usage examples.
+# -f|--force Force execution in some cases where the script
+# reports an issue.
+# -h|--help This help text.
+# -i|--iso <fullpath> Full path to your liveslak ISO image.
+# -l|--lukscontainer <fullpath> Full path to encrypted container file to be
+# created by this script, and to be mounted
+# in the live OS under /home
+# (or any other mountpoint you supply).
+# (filename needs to end in '${CNTEXT}'!).
+# -p|--persistence <fullpath > Full path to encrypted persistence container
+# file to be created in the filesystem
+# (filename extension must be '${CNTEXT}'!).
+# -x|--extend <fullpath> Full path to existing (encrypted) container
+# file that you want to extend in size
+# Limitations:
+# - container needs to be LUKS encrypted.
+# - filename extension needs to be '${CNTEXT}'.
+# Supported filesystems inside container:
+# - $(resizefs).
+# -F|--filesystem <fs> Specify filesystem to create when formatting
+# devices/containers. Defaults to '${DEF_FS}',
+# Choices are $(createfs).
+# -L|--lcsize <size|perc> Size of LUKS encrypted /home ; value is the
+# requested size of the container in kB, MB, GB,
+# or as a percentage of free space
+# (integer numbers only).
+# Examples: '-L 125M', '-L 2G', '-L 20%'.
+# -P|--perssize <size|perc> Size of persistence container ; value is the
+# requested size of the container in kB, MB, GB,
+# or as a percentage of free space
+# (integer numbers only).
+# Examples: '-P 125M', '-P 2G', '-P 20%'.
+# -X|--extendsize <size|perc> Extend size of existing container; value
+# is the requested extension of the container
+# in kB, MB, GB, or as percentage of free space
+# (integer numbers only).
+# Examples: '-X 125M', '-X 2G', '-X 20%'.
+#
+EOT
+} # End of showhelp()
+
+# Show some common usage examples:
+function showexamples() {
+cat <<EOT
+#
+# Some common usage examples for $(basename $0)
+# ---------------------------------------------------------------------------
+# First, mount your USB partition, for instance
+# a Ventoy disk will be mounted for you at /run/media/<user>/Ventoy/.
+# Then:
+# ---------------------------------------------------------------------------
+# Create a 1GB encrypted persistence container:
+# ./$(basename $0) -p /run/media/<user>/Ventoy/myfiles/persistence.icc -P 1G
+#
+# Create a 4GB encrypted home with btrfs filesystem:
+# ./$(basename $0) -l /run/media/<user>/Ventoy/somedir/lukscontainers.icc -L 4000M -F btrfs -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+#
+# Increase the size of that encrypted home container with another 2GB:
+# ./$(basename $0) -x /run/media/<user>/Ventoy/somedir/lukscontainers.icc -X 2G -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+#
+# Create a 10GB encrypted container to be mounted on /data in the Live OS:
+# ./$(basename $0) -l /run/media/<user>/Ventoy/somedir/mydata.icc:/data -L 10G -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+#
+# Create a liveslak directory structure for adding extra live modules:
+# ./$(basename $0) -d /run/media/<user>/Ventoy/myliveslak -i /run/media/<user>/Ventoy/slackware64-live-current.iso
+#
+EOT
+} # End of showexamples()
+
+# Create a filesystem on a partition with optional label:
+function createfs () {
+ MYDEV="${1}"
+ MYFS="${2:-'ext4'}"
+ MYLABEL="${3}"
+
+ if [ -n "${MYLABEL}" ]; then
+ case "${MYFS}" in
+ fs2s) MYLABEL="-l ${MYLABEL}" ;;
+ *) MYLABEL="-L ${MYLABEL}" ;;
+ esac
+ fi
+
+ if [ -z "${MYDEV}" ]; then
+ # Without arguments given, reply with list of supported fs'es:
+ echo "btrfs,ext2,ext4,f2fs,jfs,xfs"
+ return
+ fi
+ case "${MYFS}" in
+ btrfs) mkfs.btrfs -f -d single -m single ${MYLABEL} ${MYDEV}
+ ;;
+ ext2) mkfs.ext2 -F -F ${MYLABEL} ${MYDEV}
+ # Tune the ext2 filesystem:
+ tune2fs -m 0 -c 0 -i 0 ${MYDEV}
+ ;;
+ ext4) mkfs.ext4 -F -F ${MYLABEL} ${MYDEV}
+ # Tune the ext4 filesystem:
+ tune2fs -m 0 -c 0 -i 0 ${MYDEV}
+ ;;
+ f2fs) mkfs.f2fs ${MYLABEL} -f ${MYDEV}
+ ;;
+ jfs) mkfs.jfs -q ${MYDEV}
+ ;;
+ xfs) mkfs.xfs -f ${MYDEV}
+ ;;
+ *) echo "*** Unsupported filesystem '${MYFS}'!"
+ cleanup
+ exit 1
+ ;;
+ esac
+} # End of createfs()
+
+# Resize the filesystem on a block device:
+function resizefs() {
+ local MYDEV="${1}"
+
+ if [ -z "${MYDEV}" ]; then
+ # Without arguments given, reply with list of supported fs'es:
+ echo "btrfs,ext2,ext4,f2fs,jfs,xfs"
+ return
+ fi
+
+ # Determine the current filesystem for the block device:
+ local MYFS=$(lsblk -n -o FSTYPE ${MYDEV})
+ if [ -z "${MYFS}" ]; then
+ echo "*** Failed to resize filesystem on device '${MYDEV}'!"
+ echo "*** No filesystem found."
+ cleanup
+ exit 1
+ fi
+
+ local TMPMNT=$(mktemp -d -p /tmp -t alienres.XXXXXX)
+ if [ ! -d $TMPMNT ]; then
+ echo "*** Failed to create temporary mount for the filesystem resize!"
+ cleanup
+ exit 1
+ else
+ chmod 711 ${TMPMNT}
+ fi
+
+ # Mount the block device prior to the resize
+ # (btrfs, jfs and xfs do not support offline resize):
+ mount -o rw -t ${MYFS} ${MYDEV} ${TMPMNT}
+
+ # Resize the filesystem to occupy the full new device capacity:
+ case "${MYFS}" in
+ btrfs) btrfs filesystem resize max ${TMPMNT}
+ ;;
+ ext*) resize2fs ${MYDEV}
+ ;;
+ f2fs) resize.f2fs ${MYDEV}
+ ;;
+ jfs) mount -o remount,resize,rw ${TMPMNT}
+ ;;
+ xfs) xfs_growfs -d ${TMPMNT}
+ ;;
+ *) echo "*** Unsupported filesystem '${MYFS}'!"; exit 1
+ ;;
+ esac
+
+ if [ ! $? ]; then
+ echo "*** Failed to resize '${MYFS}'filesystem on device '${MYDEV}'!"
+ cleanup
+ exit 1
+ else
+ # Un-mount the device again:
+ sync
+ umount ${TMPMNT}
+ rmdir ${TMPMNT}
+ fi
+} # End of checkfs()
+
+# Uncompress the initrd based on the compression algorithm used:
+function uncompressfs () {
+ if $(file "${1}" | grep -qi ": gzip"); then
+ gzip -cd "${1}"
+ elif $(file "${1}" | grep -qi ": XZ"); then
+ xz -cd "${1}"
+ fi
+} # End of uncompressfs()
+
+# Read configuration data from the initrd inside the ISO,
+# after it has been extracted into a directory:
+function read_initrddir() {
+ local IMGDIR="$1"
+ local INITVARS="$2"
+ cd ${IMGDIR}
+
+ # Read the values of liveslak template variables in the init script:
+ for TEMPLATEVAR in ${INITVARS} ; do
+ eval $(grep "^ *${TEMPLATEVAR}=" ./init |head -1)
+ done
+} # End of read_initrddir()
+
+# Extract the initrd:
+function extract_initrd() {
+ local IMGFILE="$1"
+ local IMGDIR=$(mktemp -d -p /tmp -t alienimg.XXXXXX)
+ if [ ! -d $IMGDIR ]; then
+ echo "*** Failed to create temporary extraction directory for the initrd!"
+ cleanup
+ exit 1
+ else
+ chmod 711 $IMGDIR
+ fi
+
+ cd ${IMGDIR}
+ uncompressfs ${IMGFILE} 2>/dev/null \
+ | cpio -i -d -m -H newc 2>/dev/null
+ echo "$IMGDIR"
+} # End of extract_initrd()
+
+# Determine size of a mounted partition (in MB):
+function get_part_mb_size() {
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${1} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f2)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_size()
+
+# Determine free space of a mounted partition (in MB):
+function get_part_mb_free() {
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${1} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f4)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_free()
+
+# Determine requested container size in MB (allow for '%|k|K|m|M|g|G' suffix):
+function cont_mb() {
+ local MYSIZE="$1"
+ case "${MYSIZE: -1}" in
+ "%") MYSIZE="$(( $PARTFREE * ${MYSIZE%\%} / 100 ))" ;;
+ "k") MYSIZE="$(( ${MYSIZE%k} / 1024 ))" ;;
+ "K") MYSIZE="$(( ${MYSIZE%K} / 1024 ))" ;;
+ "m") MYSIZE="${MYSIZE%m}" ;;
+ "M") MYSIZE="${MYSIZE%M}" ;;
+ "g") MYSIZE="$(( ${MYSIZE%g} * 1024 ))" ;;
+ "G") MYSIZE="$(( ${MYSIZE%G} * 1024 ))" ;;
+ *) MYSIZE=-1 ;;
+ esac
+ echo "$MYSIZE"
+} # End of cont_mb()
+
+# Expand existing encrypted container file:
+function expand_container() {
+ local MYPART="$1" # disk partition
+ local MYINC="$2" # requested increase ('%|k|K|m|M|g|G' suffix)
+ local MYFILE="$3" # full path to ${CNTEXT} containerfile
+ local MYMAP="" # Name of the device-mapped file
+
+ # Determine requested container increase in MB:
+ MYINC=$(cont_mb ${MYINC})
+
+ # Determine size of the target partition (in MB), and the free space:
+ PARTSIZE=$(get_part_mb_size ${MYPART})
+ PARTFREE=$(get_part_mb_free ${MYPART})
+
+ if [ $PARTFREE -lt $(( ${MYINC} + ${MINFREE} )) ]; then
+ echo "*** Free space on USB partition after file-resizing would be less than ${MINFREE} MB;"
+ echo "*** Not resizing the container file!"
+ cleanup
+ exit 1
+ fi
+
+ # Append random bytes to the end of the container file:
+ dd if=/dev/urandom of=${MYFILE} bs=1M count=${MYINC} oflag=append conv=notrunc 2>/dev/null
+
+ # Setup a loopback device that we can use with or without cryptsetup:
+ LODEV=$(losetup -f)
+ losetup $LODEV ${MYFILE}
+
+ if cryptsetup isLuks ${LODEV} ; then
+ # Unlock LUKS encrypted container first:
+ MYMAP=$(basename ${MYFILE} ${CNTEXT})
+ CNTDEV=/dev/mapper/${MYMAP}
+ echo "--- Unlocking the LUKS container requires your passphrase..."
+ until cryptsetup luksOpen ${LODEV} ${MYMAP} ; do
+ echo ">>> Did you type an incorrect passphrases?"
+ read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
+ done
+ else
+ # The loopmounted block device for the un-encrypted container:
+ CNTDEV=${LODEV}
+ fi
+
+ # Run fsck so the filesystem is clean before we resize it:
+ fsck -fvy ${CNTDEV}
+ # Resize the filesystem to occupy the full new size:
+ resizefs ${CNTDEV}
+ # Just to be safe:
+ fsck -fvy ${CNTDEV}
+
+ # Don't forget to clean up after ourselves:
+ if cryptsetup isLuks ${LODEV} ; then
+ cryptsetup luksClose ${MYMAP}
+ fi
+ losetup -d ${LODEV} || true
+
+} # End of expand_container()
+
+# Create container file in the empty space of the partition
+function create_container() {
+ local CNTPART=$1 # partition containing the ISO
+ local CNTSIZE=$2 # size of the container file to create
+ local CNTFILE=$3 # ${CNTEXT} filename with full path
+ local CNTENCR=$4 # 'none' or 'luks'
+ local CNTUSED=$5 # 'persistence', '/home' or custom mountpoint
+ local MYMAP
+
+ # Create a container file or re-use previously created one:
+ if [ -f ${CNTFILE} ]; then
+ CNTSIZE=$(( $(du -sk ${CNTFILE} |tr '\t' ' ' |cut -f1 -d' ') / 1024 ))
+ echo "--- Keeping existing '${CNTFILE}' (size ${CNTSIZE} MB)."
+ return
+ fi
+
+ # Determine size of the target partition (in MB), and the free space:
+ PARTSIZE=$(get_part_mb_size ${CNTPART})
+ PARTFREE=$(get_part_mb_free ${CNTPART})
+
+ if [ $PARTFREE -lt ${MINFREE} ]; then
+ echo "*** Free space on USB partition is less than ${MINFREE} MB;"
+ echo "*** Not creating a container file!"
+ cleanup
+ exit 1
+ fi
+
+ # Determine requested container size in MB (allow for '%|k|K|m|M|g|G' suffix):
+ CNTSIZE=$(cont_mb ${CNTSIZE})
+
+ if [ $CNTSIZE -le 0 ]; then
+ echo "*** Container size must be larger than ZERO!"
+ echo "*** Check your commandline parameter."
+ cleanup
+ exit 1
+ elif [ $CNTSIZE -ge $PARTFREE ]; then
+ echo "*** Not enough free space for container file!"
+ echo "*** Check your commandline parameter."
+ cleanup
+ exit 1
+ fi
+
+ echo "--- Creating ${CNTSIZE} MB container file '$(basename =${CNTFILE})' using 'dd if=/dev/urandom', patience please..."
+ mkdir -p $(dirname "${CNTFILE}")
+ if [ $? ]; then
+ # Create a sparse file (not allocating any space yet):
+ dd of=${CNTFILE} bs=1M count=0 seek=$CNTSIZE 2>/dev/null
+ else
+ echo "*** Failed to create directory for the container file!"
+ cleanup
+ exit 1
+ fi
+
+ # Setup a loopback device that we can use with cryptsetup:
+ LODEV=$(losetup -f)
+ losetup $LODEV ${CNTFILE}
+ MYMAP=$(basename ${CNTFILE} ${CNTEXT})
+ if [ "${CNTENCR}" = "luks" ]; then
+ # Format the loop device with LUKS:
+ echo "--- Encrypting the container file with LUKS; takes SOME time..."
+ echo "--- enter 'YES' and a passphrase:"
+ until cryptsetup -y luksFormat $LODEV ; do
+ echo ">>> Did you type two different passphrases?"
+ read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
+ done
+ # Unlock the LUKS encrypted container:
+ echo "--- Unlocking the LUKS container requires your passphrase again..."
+ until cryptsetup luksOpen $LODEV ${MYMAP} ; do
+ echo ">>> Did you type an incorrect passphrases?"
+ read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
+ done
+ CNTDEV=/dev/mapper/${MYMAP}
+ # Now we allocate blocks for the LUKS device. We write encrypted zeroes,
+ # so that the file looks randomly filled from the outside.
+ # Take care not to write more bytes than the internal size of the container:
+ echo "--- Writing ${CNTSIZE} MB of random data to encrypted container; takes LONG time..."
+ CNTIS=$(( $(lsblk -b -n -o SIZE $(readlink -f ${CNTDEV})) / 512))
+ dd if=/dev/zero of=${CNTDEV} bs=512 count=${CNTIS} status=progress || true
+ else
+ # Un-encrypted container files remain sparse.
+ CNTDEV=$LODEV
+ fi
+
+ # Format the now available block device with a linux fs:
+ createfs ${CNTDEV} ${FSYS}
+
+ if [ "${CNTUSED}" == "${DEFMNT}" ]; then
+ # Copy the original /home content into the container.
+ # NOTE: we only do this for /home, not for any other mountpoint!
+
+ # Create a mount point for the unlocked container:
+ CNTMNT=$(mktemp -d -p /var/tmp -t aliencnt.XXXXXX)
+ if [ ! -d $CNTMNT ]; then
+ echo "*** Failed to create temporary mount point for the LUKS container!"
+ cleanup
+ exit 1
+ else
+ chmod 711 $CNTMNT
+ fi
+ echo "--- Copying '${CNTUSED}' from ISO to container..."
+ HOMESRC=$(find ${ISOMNT} -name "0099-slackware_zzzconf*" |tail -1)
+ mount ${CNTDEV} ${CNTMNT}
+ unsquashfs -n -d ${CNTMNT}/temp ${HOMESRC} ${CNTUSED}
+ mv ${CNTMNT}/temp/${CNTUSED}/* ${CNTMNT}/
+ rm -rf ${CNTMNT}/temp
+ umount ${CNTDEV}
+ fi
+
+ # Don't forget to clean up after ourselves:
+ if [ "${CNTENCR}" = "luks" ]; then
+ cryptsetup luksClose $(basename ${CNTFILE} ${CNTEXT})
+ fi
+ losetup -d ${LODEV} || true
+
+} # End of create_container()
+
+function read_isoconfig() {
+ local MYISO="${1}"
+ # Read ISO customization from the .cfg file if it exists:
+ if [ -f "${MYISO%.iso}.cfg" ]; then
+ for LIVEPARM in \
+ BLACKLIST KEYMAP LIVE_HOSTNAME LIVESLAKROOT LOAD LOCALE LUKSVOL \
+ NOLOAD ISOPERSISTENCE RUNLEVEL TWEAKS TZ XKB ;
+ do
+ # Read values from disk only if the variable has not been set yet:
+ if [ -z "$(eval echo \$${LIVEPARM})" ]; then
+ eval $(grep -w ^${LIVEPARM} ${MYISO%.iso}.cfg)
+ fi
+ done
+ fi
+} # End of read_isoconfig()
+
+function write_isoconfig() {
+ local MYISO="${1}"
+ # Write updated customization into the ISO .cfg:
+ echo "# Liveslak ISO configuration file for ${VERSION}" > ${MYISO%.iso}.cfg 2>/dev/null
+ echo "# Generated by $(basename $0) on $(date +%Y%m%d_%H%M)" >> ${MYISO%.iso}.cfg 2>/dev/null
+ if [ $? -ne 0 ]; then
+ echo "*** Media '${USBPART}' read-only, cannot write config file."
+ else
+ for LIVEPARM in \
+ BLACKLIST KEYMAP LIVE_HOSTNAME LIVESLAKROOT LOAD LOCALE LUKSVOL \
+ NOLOAD ISOPERSISTENCE RUNLEVEL TWEAKS TZ XKB ;
+ do
+ if [ -n "$(eval echo \$$LIVEPARM)" ]; then
+ echo $LIVEPARM=$(eval echo \$$LIVEPARM) >> ${MYISO%.iso}.cfg
+ fi
+ done
+ fi
+} # End of write_isoconfig()
+
+#
+# -- end of function definitions --
+#
+
+# ===========================================================================
+
+# Parse the commandline parameters:
+if [ -z "$1" ]; then
+ showhelp
+ exit 1
+fi
+while [ ! -z "$1" ]; do
+ case $1 in
+ -d|--directory)
+ LIVESLAKROOT="$2"
+ [[ ${LIVESLAKROOT::1} != "/" ]] && LIVESLAKROOT="$(pwd)/${LIVESLAKROOT}"
+ shift 2
+ ;;
+ -e|--examples)
+ showexamples
+ exit
+ ;;
+ -f|--force)
+ FORCE=1
+ shift
+ ;;
+ -h|--help)
+ showhelp
+ exit
+ ;;
+ -i|--iso)
+ SLISO="$(cd "$(dirname "$2")"; pwd)/$(basename "$2")"
+ shift 2
+ ;;
+ -l|--lukscontainer)
+ LUKSMNT="$(echo "$2" |cut -f2 -d:)"
+ LUKSCNT="$(echo "$2" |cut -f1 -d:)"
+ # If no mountpoint was specified, use the default mountpoint (/home):
+ [ "$LUKSMNT" == "$LUKSCNT" ] && LUKSMNT=${DEFMNT}
+ LUKSCNT="$(cd "$(dirname "$LUKSCNT")"; pwd)/$(basename "$LUKSCNT")"
+ shift 2
+ ;;
+ -p|--persistence)
+ PERSISTENCE="$(cd "$(dirname "$2")"; pwd)/$(basename "$2")"
+ shift 2
+ ;;
+ -x|--extend)
+ EXTENSION="$(cd "$(dirname "$2")"; pwd)/$(basename "$2")"
+ shift 2
+ ;;
+ -F|--filesystem)
+ FSYS="$2"
+ shift 2
+ ;;
+ -L|--lcsize)
+ LUKSSIZE="$2"
+ shift 2
+ ;;
+ -P|--perssize)
+ PERSSIZE="$2"
+ shift 2
+ ;;
+ -X|--extendsize)
+ INCSIZE="$2"
+ shift 2
+ ;;
+ *)
+ echo "*** Unknown parameter '$1'!"
+ exit 1
+ ;;
+ esac
+done
+
+#
+# Sanity checks:
+#
+
+if [ "$(id -u)" != "0" ]; then
+ echo "*** You need to be root to run $(basename $0)."
+ exit 1
+fi
+
+# Add required filesystem tools:
+REQTOOLS="${REQTOOLS} mkfs.${FSYS}"
+
+# Are all the required tools present?
+PROG_MISSING=""
+for PROGN in ${REQTOOLS} ; do
+ if ! which $PROGN 1>/dev/null 2>/dev/null ; then
+ PROG_MISSING="${PROG_MISSING}-- $PROGN\n"
+ fi
+done
+if [ ! -z "$PROG_MISSING" ] ; then
+ echo "--- Required program(s) not found in search path '$PATH'!"
+ echo -e ${PROG_MISSING}
+ if [ $FORCE -eq 0 ]; then
+ echo "--- Exiting."
+ exit 1
+ fi
+fi
+
+if [ -z "${SLISO}" ]; then
+ echo "*** You must specify the path to the Live ISO (option '-i')!"
+ exit 1
+fi
+
+if [ ! -f "$SLISO" ]; then
+ echo "*** This is not a useable file: '$SLISO' !"
+ exit 1
+fi
+
+if [ -z "${LIVESLAKROOT}${LUKSCNT}${PERSISTENCE}${EXTENSION}" ]; then
+ echo "*** No action requested!"
+ exit 1
+fi
+
+if [ -n "${PERSISTENCE}" ]; then
+ if [ -z "${PERSSIZE}" ]; then
+ echo "*** Persistence filename '${PERSISTENCE}' defined but no filesize provided!"
+ echo "*** Not enabling persistence, please use '-P' parameter."
+ exit 1
+ elif [ "$(basename ${PERSISTENCE} ${CNTEXT})" == "$(basename ${PERSISTENCE})" ]; then
+ echo "*** File '${PERSISTENCE}' does not have an '${CNTEXT}' extension!"
+ if [ $FORCE -eq 0 ]; then
+ exit 1
+ else
+ CNTEXT=$(basename ${PERSISTENCE})
+ if [ "${CNTEXT}" != "${CNTEXT##*.}" ]; then
+ # File has a different extension:
+ echo "--- Accepting '${CNTEXT##*.}' extension for '${PERSISTENCE}'."
+ CNTEXT=${CNTEXT##*.}
+ else
+ # File does not have an extension at all, so we add one:
+ echo "--- Adding '${DEFEXT}' extension to '${PERSISTENCE}'."
+ PERSISTENCE="${PERSISTENCE}${DEFEXT}"
+ fi
+ fi
+ fi
+fi
+
+if [ -n "${LUKSCNT}" ]; then
+ if [ -z "${LUKSSIZE}" ]; then
+ echo "*** LUKS container '${LUKSCNT}' defined but no filesize provided!"
+ echo "*** Not adding encrypted ${LUKSMNT}, please use '-L' parameter."
+ exit 1
+ elif [ "$(basename ${LUKSCNT} ${CNTEXT})" == "$(basename ${LUKSCNT})" ]; then
+ echo "*** File '${LUKSCNT}' does not have an '${CNTEXT}' extension!"
+ if [ $FORCE -eq 0 ]; then
+ exit 1
+ else
+ CNTEXT=$(basename ${LUKSCNT})
+ if [ "${CNTEXT}" != "${CNTEXT##*.}" ]; then
+ # File has a different extension:
+ echo "--- Accepting '${CNTEXT##*.}' extension for '${LUKSCNT}'."
+ CNTEXT=${CNTEXT##*.}
+ else
+ # File does not have an extension at all, so we add one:
+ echo "--- Adding '${DEFEXT}' extension to '${LUKSCNT}'."
+ LUKSCNT="${LUKSCNT}${DEFEXT}"
+ fi
+ fi
+ fi
+fi
+
+if [ -n "${EXTENSION}" ]; then
+ if [ -z "${INCSIZE}" ]; then
+ echo "*** LUKS container '${EXTENSION}' defined but no extansion size provided!"
+ echo "*** Not extending encrypted ${EXTENSION}, please use '-X' parameter."
+ exit 1
+ elif [ "$(basename ${EXTENSION} ${CNTEXT})" == "$(basename ${EXTENSION})" ]; then
+ echo "*** File '${EXTENSION}' does not have an '${CNTEXT}' extension!"
+ if [ $FORCE -eq 0 ]; then
+ exit 1
+ else
+ CNTEXT=$(basename ${EXTENSION})
+ if [ "${CNTEXT}" != "${CNTEXT##*.}" ]; then
+ # File has a different extension:
+ echo "--- Accepting '${CNTEXT##*.}' extension for '${EXTENSION}'."
+ CNTEXT=${CNTEXT##*.}
+ else
+ # File does not have an extension at all, so we add one:
+ echo "--- Adding '${DEFEXT}' extension to '${EXTENSION}'."
+ EXTENSION="${EXTENSION}${DEFEXT}"
+ fi
+ fi
+ fi
+fi
+
+# Determine name and mountpoint of the partition containing the ISO:
+USBPART=$(cd $(dirname ${SLISO}) ; df . |tail -n -1 |tr -s ' ' |cut -d' ' -f1)
+USBMNT=$(cd $(dirname ${SLISO}) ; df . |tail -n -1 |tr -s ' ' |cut -d' ' -f6)
+
+# Determine size of the USB partition (in MB), and the free space:
+USBPSIZE=$(get_part_mb_size ${USBMNT})
+USBPFREE=$(get_part_mb_free ${USBMNT})
+
+# Report the Slackware Live version:
+VERSION=$(isoinfo -d -i "${SLISO}" 2>/dev/null |grep Application |cut -d: -f2-)
+echo "--- The ISO on medium '${USBPART}' is '${VERSION}'"
+
+# Try a write to the partition:
+if touch ${USBMNT}/.rwtest 2>/dev/null && rm ${USBMNT}/.rwtest 2>/dev/null
+then
+ echo "--- The medium '${USBPART}' is writable."
+else
+ echo "--- Trying to remount readonly medium '${USBPART}' as writable..."
+ mount -o remount,rw ${USBMNT}
+ if [ $? -ne 0 ]; then
+ echo "*** Failed to remount '${USBPART}' writable, unable to continue!"
+ cleanup
+ exit 1
+ fi
+fi
+
+# Create a mount point for the ISO:
+ISOMNT=$(mktemp -d -p /var/tmp -t alieniso.XXXXXX)
+if [ ! -d $ISOMNT ]; then
+ echo "*** Failed to create temporary mount point for the ISO!"
+ cleanup
+ exit 1
+else
+ chmod 711 $ISOMNT
+ mount -o loop ${SLISO} ${ISOMNT}
+fi
+
+# Collect data from the USB initrd:
+IMGDIR=$(extract_initrd ${ISOMNT}/boot/initrd.img)
+read_initrddir ${IMGDIR} "DISTRO LIVEMAIN MARKER MEDIALABEL"
+
+# Collect customization parameters for the ISO:
+read_isoconfig ${SLISO}
+
+# Determine where in LUKSVOL the /home is defined.
+# The LUKSVOL value looks like:
+# "/path/to/cntner1.icc:/mountpoint1,[/path/to/cntner2.icc:/mountpoint2,[...]]"
+# Break down the LUKSVOL value into container/mountpoint combo's:
+if [ -n "$LUKSVOL" ]; then
+ _container=""
+ _mount=""
+ for _luksvol in $(echo $LUKSVOL |tr ',' ' '); do
+ _container="$(echo $_luksvol |cut -d: -f1)"
+ _mount="$(echo $_luksvol |cut -d: -f2)"
+ if [ "$_mount" == "$_container" ]; then
+ # No optional mount point specified, so we use the default:
+ CONTAINERS["${DEFMNT}"]="$_container"
+ else
+ CONTAINERS["$_mount"]="$_container"
+ fi
+ done
+fi
+
+# Normalize paths on USB partition (remove mountpoint):
+if [ -n "${PERSISTENCE}" ]; then
+ PERSISTENCE="${PERSISTENCE#$USBMNT}"
+fi
+if [ -n "${LUKSCNT}" ]; then
+ LUKSCNT="${LUKSCNT#$USBMNT}"
+fi
+if [ -n "${EXTENSION}" ]; then
+ EXTENSION="${EXTENSION#$USBMNT}"
+fi
+
+# Should we create a liveslak root directory?
+if [ -n "${LIVESLAKROOT}" ]; then
+ # The directory may already exist, in which case we obtained its name
+ # from the configfile. But creating directory tree is harmless:
+ mkdir -p ${LIVESLAKROOT}/${LIVEMAIN}/{addons,optional,core2ram}
+ # Normalize the path, removing the mount point:
+ LIVESLAKROOT="$(cd "$(dirname "$LIVESLAKROOT")"; pwd)$(basename "$LIVESLAKROOT")"
+ LIVESLAKROOT="${LIVESLAKROOT#$USBMNT}"
+fi
+
+# Should we create a persistence container?
+if [ -n "${PERSISTENCE}" ]; then
+ # Create LUKS persistence container file (or re-use it if existing):
+ create_container ${USBPART} ${PERSSIZE} ${USBMNT}${PERSISTENCE} luks persistence
+ ISOPERSISTENCE="${PERSISTENCE}"
+fi
+
+# Should we add a LUKS container to mount at /home or specified other mount?
+if [ -n "${LUKSCNT}" ]; then
+ if [ -v 'CONTAINERS["${LUKSMNT}"]' ] && [ "${LUKSCNT}" != "${CONTAINERS["${LUKSMNT}"]}" ]; then
+ # The configfile specifies a different mount for container:
+ echo "*** On-disk configuration defines an existing mountpoint ${LUKSMNT}"
+ echo "*** at '${USBMNT}${CONTAINERS["${LUKSMNT}"]}',"
+ echo "*** which is different from your '-l ${USBMNT}${LUKSCNT}'."
+ if [ $FORCE -eq 0 ]; then
+ echo "*** Not adding encrypted container for ${LUKSMNT} , please fix the entry"
+ echo "*** in '${SLISO%.iso}.cfg',"
+ echo "*** or supply the correct value for the '-l' parameter!"
+ cleanup
+ exit 1
+ else
+ echo "--- Accepting new mountpoint '${LUKSMNT}' for encrypted container ${LUKSMNT}"
+ fi
+ fi
+ # Create LUKS container file for the mount point (or re-use it if existing):
+ create_container ${USBPART} ${LUKSSIZE} ${USBMNT}${LUKSCNT} luks ${LUKSMNT}
+ CONTAINERS["${LUKSMNT}"]="${LUKSCNT}"
+fi
+
+# Should we extend the size of a container?
+if [ -n "${EXTENSION}" ]; then
+ # Expand existing container file:
+ expand_container ${USBPART} ${INCSIZE} ${USBMNT}/${EXTENSION}
+fi
+
+if [ ${#CONTAINERS[@]} -gt 0 ]; then
+ # CONTAINERS array is non-empty; (re-)assemble the LUKSVOL variable.
+ # First zap the LUKSVOL value:
+ LUKSVOL=""
+ # Write the CONTAINERS array back into LUKSVOL in the correct format:
+ for _mount in "${!CONTAINERS[@]}"; do
+ LUKSVOL="${LUKSVOL}${CONTAINERS[$_mount]}:${_mount},"
+ done
+ # Remove the trailing ',':
+ LUKSVOL="${LUKSVOL::-1}"
+fi
+
+# Write customization parameters for the ISO to disk:
+write_isoconfig ${SLISO}
+
+# Write ISO version to the liveslak rootdir if that exists:
+if [ -d "${USBMNT}/${LIVESLAKROOT}" ]; then
+ echo "$VERSION" > ${USBMNT}/${LIVESLAKROOT}/.isoversion
+fi
+
+# Unmount/remove stuff:
+cleanup
+
+# THE END
+
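Review bot: read_isoconfig() runs `eval $(grep -w ^${LIVEPARM} ${MYISO%.iso}.cfg)` as root on a file that sits next to the ISO on the removable medium, so any shell syntax on a matching line of that .cfg is executed instead of being stored as a value. read_initrddir() does the same with lines taken from the `init` script extracted from the ISO. Only the listed KEY=value pairs are needed, so each line can be split on the first `=` and assigned with `printf -v`, which never interprets the value; the `|| true` is needed because the script runs under `set -e` and grep returns non-zero for a missing key. Separately, cleanup() only reaches `cryptsetup luksClose` and `losetup -d` when `${CNTDEV}` is mounted, so a failure in createfs() right after luksOpen appears to leave the unlocked mapping and the loop device in place. Moving those two calls out of the `mount | grep -q` test would close them in both cases.

```shell
function read_isoconfig() {
  local MYISO="${1}"
  local MYCFG="${MYISO%.iso}.cfg"
  local MYLINE MYVAL
  # … unchanged: test that the .cfg exists, and the 'for LIVEPARM in …' list …
      # Read values from disk only if the variable has not been set yet:
      if [ -z "${!LIVEPARM}" ]; then
        # First matching line only; '|| true' because a missing key is not an error:
        MYLINE=$(grep -m1 "^${LIVEPARM}=" "${MYCFG}" || true)
        if [ -n "${MYLINE}" ]; then
          MYVAL="${MYLINE#*=}"
          # Drop one pair of surrounding double quotes, if present:
          MYVAL="${MYVAL#\"}"
          MYVAL="${MYVAL%\"}"
          # Assign the text as data; it is never parsed as shell code:
          printf -v "${LIVEPARM}" '%s' "${MYVAL}"
        fi
      fi
  # … unchanged: done / fi / end of function …
```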
diff --git a/liveinit.tpl b/liveinit.tpl
index eb54b35..c4fd29a 100644
--- a/liveinit.tpl
+++ b/liveinit.tpl
@@ -1,8 +1,8 @@
-#!/bin/ash
+#!/bin/sh
#
# Copyright 2004 Slackware Linux, Inc., Concord, CA, USA
# Copyright 2007, 2008, 2009, 2010, 2012 Patrick J. Volkerding, Sebeka, MN, USA
-# Copyright 2015, 2016, 2017, 2018, 2019, 2020, 2021 Eric Hameleers, Eindhoven, NL
+# Copyright 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 Eric Hameleers, Eindhoven, NL
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -38,7 +38,10 @@ MEDIALABEL="@MEDIALABEL@"
LIVEMAIN="@LIVEMAIN@"
MARKER="@MARKER@"
+
PERSISTENCE="@PERSISTENCE@"
+PERSISTPART=""
+PERSISTPATH="."
DISTRO="@DISTRO@"
CDISTRO="@CDISTRO@"
@@ -65,15 +68,19 @@ DEF_TZ=@DEF_TZ@
# By default, let the media determine if we can write persistent changes:
# However, if we define TORAM=1, we will also set VIRGIN=1 when we want
-# to avoid anything that writes to disk after we copy the OS to RAM.
+# to avoid anything that writes to disk after we copy the OS to RAM;
+# unless we explicitly use a persistence directory on the computer's local disk.
VIRGIN=0
# If set to '1', existing persistent data will be wiped:
WIPE_PERSISTENCE=0
# Used for debugging the init;
-# Set DEBUG to '1' to enable explicit pauses; '2' enables verbose script exec;
-# and '4' dumps you into a debug shell right before the switch_root:
+# Set DEBUG to '1' to enable explicit pauses showing blkid/mount info;
+# '2' and higher enable verbose script execution;
+# '3' pauses like '1' or '2' but won't show blkid/mount info;
+# '4' dumps you into a debug shell right before the switch_root;
+# '5' additionally saves the verbose init execution output to 'debug_init.log':
DEBUG=0
DEBUGV=" "
@@ -106,6 +113,40 @@ HNMAC_ALLOWED="YES"
INTERFACE=""
NFSHOST=""
+# Assume the default to be a readonly media - we write to RAM:
+UPPERDIR=/mnt/live/changes
+OVLWORK=/mnt/live/.ovlwork
+
+# Persistence directory on writable media gets mounted below /mnt/media.
+# If the user specifies a system partition instead,
+# then the mount point will be a subdirectory of /mnt/live instead:
+PPATHINTERNAL=/mnt/media
+
+# Where will we mount the partition containing the ISO we are booting?
+SUPERMNT=/mnt/super
+
+# LUKS containers on writable media are found below /mnt/media,
+# unless liveslak boots off an ISO image, in which case the container files
+# are found below /mnt/super - the filesystem of the USB partition containing
+# our ISO:
+CPATHINTERNAL=/mnt/media
+
+# If we boot directly off the ISO file, we want to know to enable extras.
+# Possible values for ISOBOOT are 'diskpart','ventoy':
+ISOBOOT=""
+# The configuration file with customization for an ISO boot.
+# Defaults to full pathname of the ISO, with extension 'cfg' instead of 'iso'.
+ISOCFG=""
+
+# The extension for containerfiles accompanying an ISO is '.icc',
+# for a persistent USB stick the extension is '.img' and this is the default:
+CNTEXT=".img"
+
+# Password handling, assign random initialization:
+DEFPW="7af0aed2-d900-4ed8-89f0"
+ROOTPW=$DEFPW
+LIVEPW=$DEFPW
+
# Max wait time for DHCP client to configure an interface:
DHCPWAIT=20
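Review bot: The comment `# Password handling, assign random initialization:` does not match the code beneath it: `DEFPW` is a fixed literal, identical in every image built from this template, and `ROOTPW` and `LIVEPW` both start out equal to it. Its use is outside this hunk. If it is a marker for "no password given on the command line", a comment such as `# Fixed marker meaning "no password supplied"; must never be set as an actual account password:` would say so and warn against applying it. If it can end up as a real password, it should be generated per boot instead of being stored in the template.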
@@ -120,13 +161,18 @@ PATH="/sbin:/bin:/usr/sbin:/usr/bin"
# Mount /proc and /sys:
mount -n proc /proc -t proc
mount -n sysfs /sys -t sysfs
-mount -n tmpfs /run -t tmpfs -o mode=0755
+mount -n tmpfs /run -t tmpfs -o mode=0755,size=32M,nodev,nosuid,noexec
if grep devtmpfs /proc/filesystems 1>/dev/null 2>/dev/null ; then
DEVTMPFS=1
- mount -n devtmpfs /dev -t devtmpfs
+ mount -n devtmpfs /dev -t devtmpfs -o size=8M
fi
+# Mount if this directory exists (so the kernel supports efivarfs):
+if [ -d /sys/firmware/efi/efivars ]; then
+ mount -o rw -t efivarfs none /sys/firmware/efi/efivars
+fi
+
# Parse command line
for ARG in $(cat /proc/cmdline); do
case $ARG in
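Review bot: efivarfs is mounted with `-o rw`, while the only use of it visible in this commit is reading the Ventoy variable, so the init runs as root with firmware variables writable for no shown reason. Unless a part of the init outside this page writes EFI variables, a read-only mount is the safer default: `mount -o ro,nosuid,nodev,noexec -t efivarfs none /sys/firmware/efi/efivars`. The options added to the /run mount a few lines up are a good model for this one. The command-line parsing loop that starts here continues outside the hunk.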
@@ -154,7 +200,7 @@ for ARG in $(cat /proc/cmdline); do
# generic syntax: hostname=newname[,qualifier]
LIVE_HOSTNAME=$(echo $ARG | cut -f2 -d= | cut -f1 -d,)
# Allow for the user to (mistakenly) add a domain component:
- if [ $(echo $LIVE_HOSTNAME |cut -d. -f1- --output-delimiter ' '|wc -w) -gt 1 ]; then
+ if [ -n "$(echo "$LIVE_HOSTNAME". |cut -d. -f2-)" ]; then
LIVE_DOMAIN=$(echo $LIVE_HOSTNAME |cut -d. -f2-)
LIVE_HOSTNAME=$(echo $LIVE_HOSTNAME |cut -d. -f1)
fi
@@ -175,6 +221,7 @@ for ARG in $(cat /proc/cmdline); do
livemedia=*)
# generic syntax: livemedia=/dev/sdX
# ISO syntax: livemedia=/dev/sdX:/path/to/slackwarelive.iso
+ # Scan partitions for ISO: livemedia=scandev:/path/to/slackwarelive.iso
LM=$(echo $ARG | cut -f2 -d=)
LIVEMEDIA=$(echo $LM | cut -f1 -d:)
LIVEPATH=$(echo $LM | cut -f2 -d:)
@@ -224,7 +271,22 @@ for ARG in $(cat /proc/cmdline); do
fi
;;
persistence=*)
- PERSISTENCE=$(echo $ARG | cut -f2 -d=)
+ # Generic syntax: persistence=/path/to/persistencedir
+ # Dir on harddisk partition: persistence=/dev/sdX:/path/to/persistencedir
+ # Instead of device name, the value of its LABEL or UUID can be used too.
+ PD=$(echo $ARG | cut -f2 -d=)
+ PERSISTPART=$(echo $PD | cut -f1 -d:)
+ PERSISTPATH=$(dirname $(echo $PD | cut -f2 -d:))
+ PERSISTENCE=$(basename $(echo $PD | cut -f2 -d:))
+ unset PD
+ if [ "${PERSISTENCE})" = "changes" ]; then
+ echo "${MARKER}: Persistence directory cannot be called 'changes'."
+ echo "${MARKER}: Disabling persistence and recording changes in RAM."
+ PERSISTPART=""
+ PERSISTPATH="."
+ PERSISTENCE="@PERSISTENCE@"
+ VIRGIN=1
+ fi
;;
rescue)
RESCUE=1
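Review bot: The guard `if [ "${PERSISTENCE})" = "changes" ]` can never be true, because the stray `)` inside the quotes turns the left side into `changes)` when the user asks for a directory called 'changes'. The intended fallback to RAM is therefore dead code; the test should read `if [ "${PERSISTENCE}" = "changes" ]; then`. Separately, the generic form `persistence=/path/to/dir` contains no ':', so `cut -f1 -d:` returns the whole string and PERSISTPART ends up holding the path. It may be worth clearing PERSISTPART in that case, unless that is handled outside this hunk.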
@@ -240,13 +302,29 @@ for ARG in $(cat /proc/cmdline); do
VIRGIN=1 # prevent writes to disk since we are supposed to run from RAM
;;
toram=*)
+ # Generic syntax: toram=type[,memperc]
+ # type: string value; os,core,all,none
+ # memperc: integer value, percentage RAM to reserve for liveslak
+ # You can use this parameter to change the percentage RAM
+ # used by liveslak, which is 50% for normal operation.
+ # For instance when you have an insane amount of RAM, you can specify
+ # a much lower percentage to be reserved for liveslak:
+ # toram=none,12
TORAM=1
- if [ "$(echo $ARG | cut -f2 -d=)" = "os" ]; then
+ TRTYPE="$(echo $ARG |cut -f2 -d= |cut -f1 -d,)"
+ if [ "$TRTYPE" = "os" ]; then
VIRGIN=0 # load OS modules into RAM, write persistent data to disk
- elif [ "$(echo $ARG | cut -f2 -d=)" = "core" ]; then
+ elif [ "$TRTYPE" = "core" ]; then
CORE2RAM=1 # load Core OS modules into RAM
- elif [ "$(echo $ARG | cut -f2 -d=)" = "all" ]; then
+ elif [ "$TRTYPE" = "all" ]; then
VIRGIN=1 # prevent writes to disk since we are supposed to run from RAM
+ elif [ "$TRTYPE" = "none" ]; then
+ TORAM=0 # we only want to change the percentage reserved memory
+ fi
+ RAMSIZE="$(echo $ARG |cut -f2 -d= |cut -f2 -d,)"
+ if [ "$RAMSIZE" = "$TRTYPE" ]; then
+ # memperc was not supplied on commandline:
+ unset RAMSIZE
fi
;;
tweaks=*)
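Review bot: RAMSIZE is taken from the kernel command line without checking that it is a number, and a later hunk pastes it into `size=${RAMSIZE}%` for the tmpfs on /mnt. A non-numeric value (constructed example: `toram=os,lots`) would make that mount fail and leave the rest of the init working on an unmounted /mnt. Dropping anything non-numeric right after the assignment keeps the defaults in effect: `case "$RAMSIZE" in ''|*[!0-9]*) unset RAMSIZE ;; esac`. An upper bound of 100 would be a reasonable addition.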
@@ -271,7 +349,17 @@ for ARG in $(cat /proc/cmdline); do
done
# Verbose boot script execution:
-[ $DEBUG -ge 2 ] && set -x
+if [ $DEBUG -ge 2 ]; then
+ if [ $DEBUG -ge 5 ]; then
+ # We save (verbose) shell output to local file;
+ # These busybox compile options make it possible:
+ # CONFIG_SH_IS_ASH=y
+ # CONFIG_ASH_BASH_COMPAT=y
+ exec 5> debug_init.log
+ export BASH_XTRACEFD="5"
+ fi
+ set -x
+fi
debugit () {
if [ $DEBUG -eq 0 -o $DEBUG -gt 3 ]; then
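Review bot: With DEBUG=5 every traced command, including the expanded values of variables, is written to `debug_init.log`; judging by the later hunk that handles LIVEPW, this would include a password given on the boot commandline. The file is opened with a relative path and the default umask, so where it lands and who can read it depend on state this hunk does not set. Suggest an absolute path and tight permissions, `exec 5> /debug_init.log` followed by `chmod 600 /debug_init.log`. A comment such as `# NOTE: the trace can contain passwords from the commandline; delete the log after use.` would help too, and the DEBUG description in the header comment could carry the same caution.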
@@ -334,6 +422,7 @@ fi
# Sometimes the devices need extra time to be available.
# A root filesystem on USB is a good example of that.
+echo "${MARKER}: Sleeping $WAIT seconds to give slow USB devices some time."
sleep $WAIT
# Fire at least one blkid:
blkid 1>/dev/null 2>/dev/null
@@ -392,6 +481,8 @@ if [ "$RESCUE" = "" ]; then
echo "/run/dhcpcd-${MYDEV}.pid"
elif [ -s /run/dhcpcd-${MYDEV}-4.pid ]; then
echo "/run/dhcpcd-${MYDEV}-4.pid"
+ elif [ -s /run/${MYDEV}.pid ]; then
+ echo "/run/${MYDEV}.pid"
else
echo UNKNOWNLOC
fi
@@ -494,7 +585,7 @@ if [ "$RESCUE" = "" ]; then
find_loop() {
# The losetup of busybox is different from the real losetup - watch out!
- lodev=$(losetup -f)
+ lodev=$(losetup -f 2>/dev/null)
if [ -z "$lodev" ]; then
# We exhausted the available loop devices, so create the block device:
for NOD in $(seq 0 ${MAXLOOPS}); do
@@ -509,13 +600,13 @@ if [ "$RESCUE" = "" ]; then
mknod -m660 $lodev b 7 $(echo $lodev |sed 's%/dev/loop%%')
fi
echo "$lodev"
- }
+ } # End find_loop()
mod_base() {
MY_MOD="$1"
echo $(basename ${MY_MOD}) |rev |cut -d. -f2- |rev
- }
+ } # End mod_base()
find_mod() {
MY_LOC="$1"
@@ -537,7 +628,7 @@ if [ "$RESCUE" = "" ]; then
done
) | sort
fi
- }
+ } # End find_mod()
find_modloc() {
MY_LOC="$1"
@@ -555,14 +646,19 @@ if [ "$RESCUE" = "" ]; then
fi
echo "${MY_LOC}"
- }
+ } # End find_modloc()
load_modules() {
# SUBSYS can be 'system', 'addons', 'optional', 'core2ram':
SUBSYS="$1"
# Find all supported modules:
- for MODULE in $(find_mod /mnt/media/${LIVEMAIN}/${SUBSYS}/) ; do
+ SUBSYSSET="$(find_mod /mnt/media/${LIVEMAIN}/${SUBSYS}/) $(find_mod ${SUPERMNT}/${LIVESLAKROOT}/${LIVEMAIN}/${SUBSYS}/)"
+ if [ "$SUBSYS" = "optional" ]; then
+ # We need to load any core2ram modules first:
+ SUBSYSSET="$(find_mod /mnt/media/${LIVEMAIN}/core2ram/) $(find_mod ${SUPERMNT}/${LIVESLAKROOT}/${LIVEMAIN}/core2ram/ ${SUBSYSSET})"
+ fi
+ for MODULE in ${SUBSYSSET} ; do
# Strip path and extension from the modulename:
MODBASE="$(mod_base ${MODULE})"
if [ "$SUBSYS" = "optional" ]; then
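Review bot: In the 'optional' branch `${SUBSYSSET}` sits inside the second command substitution, so it is passed to find_mod as extra arguments instead of being appended to the list. find_mod appears to read only `$1` (most of its body is outside this page), in which case the optional modules collected on the line above are dropped and only core2ram modules are loaded. The closing parenthesis probably belongs before it: `SUBSYSSET="$(find_mod /mnt/media/${LIVEMAIN}/core2ram/) $(find_mod ${SUPERMNT}/${LIVESLAKROOT}/${LIVEMAIN}/core2ram/) ${SUBSYSSET}"`. load_modules continues outside the hunk.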
@@ -610,10 +706,10 @@ if [ "$RESCUE" = "" ]; then
echo "${MARKER}: '$SUBSYS' modules were not found. Trouble ahead..."
fi
fi
- }
+ } # End load_modules()
# Function input is a series of device node names. Return all block devices:
- ret_blockdev () {
+ ret_blockdev() {
local OUTPUT=""
for IDEV in $* ; do
if [ -e /sys/block/$(basename $IDEV) ]; then
@@ -623,10 +719,10 @@ if [ "$RESCUE" = "" ]; then
done
# Trim trailing space:
echo $OUTPUT |cat
- }
+ } # End ret_blockdev()
# Function input is a series of device node names. Return all partitions:
- ret_partition () {
+ ret_partition() {
local OUTPUT=""
for IDEV in $* ; do
if [ -e /sys/class/block/$(basename $IDEV)/partition ]; then
@@ -636,22 +732,178 @@ if [ "$RESCUE" = "" ]; then
done
# Trim trailing space:
echo $OUTPUT |cat
- }
+ } # End ret_partition()
+
+ # Return device node of Ventoy partition if found:
+ # Function input:
+ # (param 1) Ventoy OS parameter block (512 bytes file).
+ # (param 2) action
+ # 'isopath' request: return full path to the ISO on the USB filesystem;
+ # 'devpartition' request:
+ # return the device node for the partition containing the ISO file;
+ # 'diskuuid' request: return the UUID for the disk;
+ # 'partnr' request: return the number of the partition containing the ISO;
+ ret_ventoy() {
+ local VOSPARMS="$1"
+ local VACTION="$2"
+ local DISKSIZE=""
+ local BDEV=""
+ local IPART=""
+ local VENTPART=""
+
+ if [ "$VACTION" == "isopath" ]; then
+ echo $(hexdump -s 45 -n 384 -e '384/1 "%01c""\n"' $VOSPARMS)
+ elif [ "$VACTION" == "diskuuid" ]; then
+ echo $(hexdump -s 481 -n 4 -e '4/1 "%02x "' ${VOSPARMS} \
+ | awk '{ for (i=NF; i>1; i--) printf("%s",$i); print $i; }' )
+ elif [ "$VACTION" == "partnr" ]; then
+ echo $(( 0x$(hexdump -s 41 -n 2 -e '2/1 "%02x "' ${VOSPARMS} \
+ | awk '{ for (i=NF; i>1; i--) printf("%s",$i); print $i; }' )
+ ))
+ elif [ "$VACTION" == "devpartition" ]; then
+ PARTNR=$(( 0x$(hexdump -s 41 -n 2 -e '2/1 "%02x "' ${VOSPARMS} \
+ | awk '{ for (i=NF; i>1; i--) printf("%s",$i); print $i; }' )
+ ))
+ DISKSIZE=$(( 0x$(hexdump -s 33 -n 8 -e '8/1 "%02x "' ${VOSPARMS} \
+ | awk '{ for (i=NF; i>1; i--) printf("%s",$i); print $i; }' )
+ ))
+ # Determine which block device (only one!) reports this disk size (bytes):
+ for BDEV in $(find /sys/block/* |grep -Ev '(ram|loop)') ; do
+ BDEV=$(basename $BDEV)
+ # The 'size' value is sectors, not bytes!
+ # Logical block size in Linux is commonly 512 bytes:
+ BDEVSIZE=$(( $(cat /sys/block/${BDEV}/size) * $(cat /sys/block/${BDEV}/queue/logical_block_size) ))
+ if [ $BDEVSIZE -eq $DISKSIZE ]; then
+ # Found a block device with matching size in bytes:
+ for IPART in $(ret_partition $(blkid |cut -d: -f1) | grep -v loop) ;
+ do
+ if [ -e /sys/block/$BDEV/$(basename $IPART)/partition ]; then
+ if [ $(cat /sys/block/$BDEV/$(basename $IPART)/partition) -eq $PARTNR ]; then
+ # Found the correct partition number on matching disk:
+ VENTPART="$IPART $VENTPART"
+ fi
+ fi
+ done
+ fi
+ done
+ if [ $(echo $VENTPART |wc -w) -eq 1 ]; then
+ # We found the Ventoy ISO-containing partition.
+ # Trim leading/trailing spaces:
+ echo $VENTPART |xargs
+ else
+ # Zero or multiple matching block devices found, fall back to 'scandev':
+ echo scandev
+ fi
+ fi
+ } # End ret_ventoy()
+
+ # Find partition on which a file resides:
+ # Function input:
+ # (param 1) Full path to the file we are looking for
+ # (param 2) Directory to mount the partition containing our file
+ # Use $(df $MYMNT |tail -1 |tr -s ' ' |cut -d' ' -f1) to find that partition,
+ # it will remain mounted on the provided mountpoint upon function return.
+ scan_part() {
+ local FILEPATH="$1"
+ local MYMNT="$2"
+ local ISOPART=""
+ local PARTFS=""
+ echo "${MARKER}: Scanning for '$FILEPATH'..."
+ for ISOPART in $(ret_partition $(blkid |cut -d: -f1)) $(ret_blockdev $(blkid |cut -d: -f1)) ; do
+ PARTFS=$(blkid $ISOPART |rev |cut -d'"' -f2 |rev)
+ mount -t $PARTFS -o ro $ISOPART ${MYMNT}
+ if [ -f "${MYMNT}/${FILEPATH}" ]; then
+ # Found our file!
+ unset ISOPART
+ break
+ else
+ umount $ISOPART
+ fi
+ done
+ if [ -n "$ISOPART" ]; then
+ echo "${MARKER}: Partition scan unable to find $(basename $FILEPATH), trouble ahead."
+ return 1
+ else
+ return 0
+ fi
+ } # End scan_part()
## End support functions ##
# We need a mounted filesystem here to be able to do a switch_root later,
# so we create one in RAM:
if [ $TORAM -eq 1 ]; then
- RAMSIZE=90% # need to be able to load the entire OS in RAM
+ RAMSIZE="${RAMSIZE:-90}%" # 90% by default to load the entire OS in RAM
else
- RAMSIZE=50% # the default value.
+ RAMSIZE="${RAMSIZE:-50}%" # 50% is the default value.
fi
mount -t tmpfs -o defaults,size=${RAMSIZE} none /mnt
# Find the Slackware Live media.
# TIP: Increase WAIT to give USB devices a chance to be seen by the kernel.
mkdir /mnt/media
+
+ # Multi ISO boot managers first.
+
+ # --- Ventoy ---
+ # If we boot an ISO via Ventoy, this creates a device-mapped file
+ # '/dev/mapper/ventoy' which liveslak could use to mount that ISO,
+ # but specifying '-t iso9660' will fail to mount it.
+ # Omitting the '-t iso9660' makes the mount succceed.
+ # liveslak is 'Ventoy compatible':
+ # Ventoy will not execute its hooks and leaves all the detection to us.
+ # It will create the device-mapped file /dev/mapper/ventoy still.
+ VENTID="VentoyOsParam-77772020-2e77-6576-6e74-6f792e6e6574"
+ VENTVAR="/sys/firmware/efi/vars/${VENTID}"
+ if [ ! -d "${VENTVAR}" ]; then
+ # Newer Slackware will use 'efivars' rather than 'vars' directory;
+ VENTVAR="/sys/firmware/efi/efivars/${VENTID}"
+ fi
+ if [ -d "${VENTVAR}" ]; then
+ echo "${MARKER}: (UEFI) Ventoy ISO boot detected..."
+ ISOBOOT="ventoy"
+ VENTOSPARM="${VENTVAR}/data"
+ elif [ -f "${VENTVAR}" ]; then
+ # Kernel >= 6.x does not offer a clean data sctructure, so we need to
+ # find the offset of the data block in the efivars file:
+ cat "${VENTVAR}" > /vent.dmp
+ else
+ # Detect Ventoy in memory (don't use the provided hooks), see
+ # https://www.ventoy.net/en/doc_compatible_format.html:
+ dd if=/dev/mem of=/vent.dmp bs=1 skip=$((0x80000)) count=$((0xA0000-0x80000)) 2>/dev/null
+ fi
+ if [ -f /vent.dmp ]; then
+ # Use 'strings' to find the decimal offset of the magic string;
+ # With 'xargs' we remove leading and ending spaces:
+ if strings -t d /vent.dmp 1>/dev/null 2>/dev/null ; then
+ # Busybox in Slackware 15.0 or newer:
+ OFFSET=$(strings -t d /vent.dmp |grep ' www.ventoy.net' |xargs |cut -d' ' -f1)
+ else
+ # Busybox in Slackware 14.2 or older:
+ OFFSET=$(strings -o /vent.dmp |grep ' www.ventoy.net' |xargs |cut -d' ' -f1)
+ fi
+ if [ -n "${OFFSET}" ]; then
+ echo "${MARKER}: (BIOS) Ventoy ISO boot detected..."
+ ISOBOOT="ventoy"
+ # Save the 512-byte Ventoy OS Parameter block:
+ dd if=/vent.dmp of=/vent_os_parms bs=1 count=512 skip=$OFFSET 2>/dev/null
+ VENTOSPARM="/vent_os_parms"
+ fi
+ fi
+ if [ "$ISOBOOT" == "ventoy" ]; then
+ LIVEPATH=$(ret_ventoy $VENTOSPARM isopath)
+ if [ -e /dev/mapper/ventoy ]; then
+ LIVEMEDIA=$(dmsetup table /dev/mapper/ventoy |tr -s ' ' |cut -d' ' -f 4)
+ LIVEMEDIA=$(readlink -f /dev/block/${LIVEMEDIA})
+ # Having the ISO device-mapped to /dev/dm-0 prevents liveslak from
+ # mounting the underlying partition, so we delete the mapped device:
+ dmsetup remove /dev/mapper/ventoy
+ else
+ # Return Ventoy device partition (or 'scandev'):
+ LIVEMEDIA=$(ret_ventoy $VENTOSPARM devpartition)
+ fi
+ fi
+
if [ -n "$NFSHOST" ]; then
# NFS root. First configure our network interface:
setnet
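Review bot: The BIOS detection path treats the 512 bytes starting at the first ' www.ventoy.net' match in the /dev/mem dump as a valid Ventoy parameter block, and ret_ventoy then takes the partition number, disk size and ISO path from it without any check. A stale or partial match would set ISOBOOT and steer which partition is mounted and which file is loop-mounted as the OS. Before `ISOBOOT="ventoy"` is set, the block should at least be confirmed to be 512 bytes long and to yield a non-empty path; the format description linked in the comment is the reference for what else can be verified. `$VENTOSPARM` and `${LIVEPATH}` are expanded unquoted, so an ISO name containing spaces will be split. /vent.dmp is also left in the root filesystem; an `rm -f /vent.dmp` once the block has been copied out keeps the low-memory dump from lingering.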
@@ -667,6 +919,7 @@ if [ "$RESCUE" = "" ]; then
VIRGIN=1
elif [ -z "$LIVEMEDIA" ]; then
# LIVEMEDIA not specified on the boot commandline using "livemedia="
+ # Start digging:
# Filter out the block devices, only look at partitions at first:
# The blkid function in busybox behaves differently than the regular blkid!
# It will return all devices with filesystems and list LABEL UUID and TYPE.
@@ -685,6 +938,7 @@ if [ "$RESCUE" = "" ]; then
# We found a block device with the correct label (non-UEFI media).
# Determine filesystem type ('iso9660' means we found a CDROM/DVD)
LIVEFS=$(blkid $LIVEMEDIA |rev |cut -d'"' -f2 |rev)
+ [ "$LIVEFS" = "swap" ] && continue
mount -t $LIVEFS -o ro $LIVEMEDIA /mnt/media
else
# Bummer.. label not found; the ISO was extracted to a different device.
@@ -692,8 +946,10 @@ if [ "$RESCUE" = "" ]; then
for SLDEVICE in $(ret_partition $(blkid |cut -d: -f1)) $(ret_blockdev $(blkid |cut -d: -f1)) ; do
# We rely on the fact that busybox blkid puts TYPE"..." at the end:
SLFS=$(blkid $SLDEVICE |rev |cut -d'"' -f2 |rev)
+ [ "$SLFS" = "swap" ] && continue
mount -t $SLFS -o ro $SLDEVICE /mnt/media
- if [ -d /mnt/media/${LIVEMAIN} ]; then
+ if [ -f /mnt/media/${LIVEMAIN}/system/0099-${DISTRO}_zzzconf-*.s* ];
+ then
# Found our media!
LIVEALL=$SLDEVICE
LIVEMEDIA=$SLDEVICE
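Review bot: `[ -f /mnt/media/${LIVEMAIN}/system/0099-${DISTRO}_zzzconf-*.s* ]` hands an unquoted glob to `[`, which only works when exactly one file matches. With two matches `[` receives too many arguments, prints an error, and the media is treated as not found. The same pattern is used in the 'live media was not mounted' check in the hunk at -769,11. A test that tolerates several matches is `if ls /mnt/media/${LIVEMAIN}/system/0099-${DISTRO}_zzzconf-*.s* 1>/dev/null 2>/dev/null ; then`. The result of the `mount` on the line before is not checked either, so a failed mount is only caught indirectly by this test.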
@@ -712,7 +968,8 @@ if [ "$RESCUE" = "" ]; then
fi
sleep 1
else
- # LIVEMEDIA was specified on the boot commandline using "livemedia="
+ # LIVEMEDIA was specified on the boot commandline using "livemedia=",
+ # or ISO was booted by a compatible multi ISO bootmanager:
if [ "$LIVEMEDIA" != "scandev" -a ! -b "$LIVEMEDIA" ]; then
# Passed a UUID or LABEL?
LIVEALL=$(findfs UUID=$LIVEMEDIA 2>/dev/null) || LIVEALL=$(findfs LABEL=$LIVEMEDIA 2>/dev/null)
@@ -729,39 +986,31 @@ if [ "$RESCUE" = "" ]; then
# instead of just: "livemedia=/dev/sdX".
#
# First mount the partition and then loopmount the ISO:
- SUPERMNT=/mnt/super_$(od -An -N1 -tu1 /dev/urandom |tr -d ' ')
mkdir -p ${SUPERMNT}
#
if [ "$LIVEMEDIA" = "scandev" ]; then
- # Scan partitions to find the one with the ISO and set LIVEMEDIA:
- echo "${MARKER}: Scanning for '$LIVEPATH'..."
- for ISOPART in $(ret_partition $(blkid |cut -d: -f1)) $(ret_blockdev $(blkid |cut -d: -f1)) ; do
- PARTFS=$(blkid $ISOPART |rev |cut -d'"' -f2 |rev)
- # Abuse the $SUPERMNT a bit, we will actually use it later:
- mount -t $PARTFS -o ro $ISOPART ${SUPERMNT}
- if [ -f ${SUPERMNT}/${LIVEPATH} ]; then
- # Found our ISO!
- LIVEMEDIA=$ISOPART
- umount $ISOPART
- unset ISOPART
- break
- else
- umount $ISOPART
- fi
- done
- if [ -n "$ISOPART" ]; then
- echo "${MARKER}: Partition scan unable to find ISO, trouble ahead."
- fi
+ # Scan partitions to find the one with the ISO and set LIVEMEDIA.
+ # Abuse the $SUPERMNT a bit, we will actually use it later.
+ # TODO: proper handling of scan_part return code.
+ scan_part ${LIVEPATH} ${SUPERMNT}
+ LIVEMEDIA="$(df ${SUPERMNT} 2>/dev/null |tail -1 |tr -s ' ' |cut -d' ' -f1)"
+ umount ${SUPERMNT}
fi
# At this point we know $LIVEMEDIA - either because the bootparameter
- # specified it or else because the 'scandev' found it for us:
+ # specified it or else because the 'scandev' found it for us.
+ # Next we will re-define LIVEMEDIA to point to the actual ISO file
+ # on the mounted live media:
SUPERFS=$(blkid $LIVEMEDIA |rev |cut -d'"' -f2 |rev)
- mount -t $SUPERFS -o ro $LIVEMEDIA ${SUPERMNT}
- if [ -f "${SUPERMNT}/$LIVEPATH" ]; then
- LIVEFS=$(blkid "${SUPERMNT}/$LIVEPATH" |rev |cut -d'"' -f2 |rev)
- LIVEALL="${SUPERMNT}/$LIVEPATH"
+ SUPERPART=$LIVEMEDIA
+ mount -t ${SUPERFS} -o ro ${SUPERPART} ${SUPERMNT}
+ if [ -f "${SUPERMNT}/${LIVEPATH}" ]; then
+ LIVEFS=$(blkid "${SUPERMNT}/${LIVEPATH}" |rev |cut -d'"' -f2 |rev)
+ LIVEALL="${SUPERMNT}/${LIVEPATH}"
LIVEMEDIA="$LIVEALL"
MOUNTOPTS="loop"
+ if [ -z "$ISOBOOT" ]; then
+ ISOBOOT="diskpart"
+ fi
fi
fi
LIVEFS=$(blkid $LIVEMEDIA |rev |cut -d'"' -f2 |rev)
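Review bot: The return code of scan_part is ignored (the TODO says as much), and when nothing was found `df ${SUPERMNT}` reports the filesystem that holds the empty mount point, so LIVEMEDIA is set to that filesystem's source rather than to a partition. The `blkid` and `mount` that follow then run against a bogus device and the failure only surfaces later. Branching on the result closes this: put `if scan_part "${LIVEPATH}" "${SUPERMNT}" ; then` around the `df` and `umount` lines, with an `else` that reports the failure and leaves LIVEMEDIA empty. Quoting the two arguments also keeps an ISO path containing spaces intact.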
@@ -769,11 +1018,23 @@ if [ "$RESCUE" = "" ]; then
fi
fi
- # Finished determining the media availability, it should be mounted now.
+ if [ -n "${ISOBOOT}" ]; then
+ # Containerfiles used in conjunction with ISO files have '.icc' extension,
+ # aka 'ISO Container Companion' ;-)
+ CNTEXT=".icc"
+ # Search for containers in another place than the default /mnt/media:
+ CPATHINTERNAL=${SUPERMNT}
+ fi
+
+ # ---------------------------------------------------------------------- #
+ # #
+ # Finished determining the media availability, it should be mounted now. #
+ # #
+ # ---------------------------------------------------------------------- #
if [ ! -z "$LIVEMEDIA" ]; then
echo "${MARKER}: Live media found at ${LIVEMEDIA}."
- if [ ! -d /mnt/media/${LIVEMAIN} ]; then
+ if [ ! -f /mnt/media/${LIVEMAIN}/system/0099-${DISTRO}_zzzconf-*.s* ]; then
echo "${MARKER}: However, live media was not mounted... trouble ahead."
fi
if [ "$LIVEMEDIA" != "$LIVEALL" ]; then
@@ -803,7 +1064,7 @@ if [ "$RESCUE" = "" ]; then
BLACKLIST KEYMAP LIVE_HOSTNAME LOAD LOCALE LUKSVOL \
NOLOAD RUNLEVEL TWEAKS TZ XKB ;
do
- if [ -n "$(eval echo \$${LIVEPARM})" ]; then
+ if [ -z "$(eval echo \$${LIVEPARM})" ]; then
eval $(grep -w ^${LIVEPARM} /mnt/media/${LIVEMAIN}/${DISTROCFG})
fi
done
@@ -826,6 +1087,32 @@ if [ "$RESCUE" = "" ]; then
fi
fi
+ # When booted from an ISO, liveslak optionally reads parameters
+ # from a file with the same full filename as the ISO,
+ # but with '.cfg' extension instead of '.iso':
+ if [ -n "$ISOBOOT" ] && [ -z "$CFGACTION" ]; then
+ # The partition's filesystem containing the ISO is mounted at ${SUPERMNT}:
+ ISOCFG="${SUPERMNT}/$(dirname ${LIVEPATH})/$(basename ${LIVEPATH} .iso).cfg"
+ if [ -f "$ISOCFG" ]; then
+ # Read ISO live customization from disk file if present,
+ # and set any variable from that file:
+ echo "${MARKER}: Reading ISO boot config from ${ISOCFG#$SUPERMNT})"
+ for LISOPARM in \
+ BLACKLIST KEYMAP LIVE_HOSTNAME LIVESLAKROOT LOAD LOCALE LUKSVOL \
+ NOLOAD ISOPERSISTENCE RUNLEVEL TWEAKS TZ XKB ;
+ do
+ eval $(grep -w ^${LISOPARM} ${ISOCFG})
+ done
+ # Handle any customization.
+ if [ -n "${ISOPERSISTENCE}" ]; then
+ # Persistence container located on the USB stick - strip the extension:
+ PERSISTENCE=$(basename ${ISOPERSISTENCE%.*})
+ PERSISTPATH=$(dirname ${ISOPERSISTENCE})
+ PERSISTPART=${SUPERPART}
+ fi
+ fi
+ fi
+
# Some variables require a value before continuing, so if they were not set
# on the boot commandline nor in a config file, we take care of it now:
if [ -z "$KEYMAP" ]; then
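Review bot: `eval $(grep -w ^${LISOPARM} ${ISOCFG})` executes whatever follows a matching name in the .cfg file as shell code, as root, during early boot. That file sits next to the ISO on the USB partition, where anyone who can write to the stick can edit it. Anything after a `;` or inside `$( )` on such a line is run, and `grep -w` also matches lines that merely begin with the word. Reading the value as data avoids this; the sketch below keeps the same list of names and lets only the fixed name and a variable reference reach eval. The DISTROCFG loop in the hunk at -803,7 uses the same eval pattern and would benefit from the same treatment.

```shell
# … unchanged: 'for LISOPARM in … ; do' header with the list of names …
  # Take the text after 'NAME=' as data; nothing from the file is executed:
  LISOVAL="$(sed -n "s/^${LISOPARM}=//p" "${ISOCFG}" |tail -1)"
  # Drop one pair of surrounding double quotes, if present:
  LISOVAL="${LISOVAL#\"}"
  LISOVAL="${LISOVAL%\"}"
  if [ -n "${LISOVAL}" ]; then
    # Only the fixed name and a variable reference are evaluated:
    eval "${LISOPARM}=\"\${LISOVAL}\""
  fi
done
# … unchanged: ISOPERSISTENCE handling …
```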
@@ -840,7 +1127,7 @@ if [ "$RESCUE" = "" ]; then
# Load a custom keyboard mapping:
if [ -n "$KEYMAP" ]; then
- echo "${MARKER}: Loading '$KEYMAP' keyboard mapping:"
+ echo "${MARKER}: Loading '$KEYMAP' keyboard mapping."
tar xzOf /etc/keymaps.tar.gz ${KEYMAP}.bmap | loadkmap
fi
@@ -862,6 +1149,7 @@ if [ "$RESCUE" = "" ]; then
if [ $CORE2RAM -eq 1 ]; then
# Only load the Core OS modules:
+ echo "${MARKER}: Loading Core OS into RAM."
load_modules core2ram
else
# First, the base Slackware system components:
@@ -902,64 +1190,180 @@ if [ "$RESCUE" = "" ]; then
fi
fi
- # Setup persistence in case our media is writable, *and* the user
- # has created a directory "persistence" in the root of the media.
- # otherwise we let the block changes accumulate in RAM only.
+ # --------------------------------------------------------------- #
+ # #
+ # Setup persistence in case our media is writable, *and* the user #
+ # has created a persistence directory or container on the media, #
+ # otherwise we let the block changes accumulate in RAM only. #
+ # #
+ # --------------------------------------------------------------- #
+
+ # Was a partition specified containing a persistence directory,
+ # and is it different from the live medium?
+ if [ -n "${PERSISTPART}" ]; then
+ # If partition was specified as UUID/LABEL, or as 'scandev',
+ # we need to figure out the partition device ourselves:
+ if [ "${PERSISTPART}" != "scandev" -a ! -b "${PERSISTPART}" ]; then
+ TEMPP=$(findfs UUID=${PERSISTPART} 2>/dev/null) || TEMPP=$(findfs LABEL=${PERSISTPART} 2>/dev/null)
+ if [ -n "${TEMPP}" ]; then
+ PERSISTPART=${TEMPP}
+ else
+ echo "${MARKER}: Partition '${PERSISTPART}' needed for persistence was not found."
+ echo "${MARKER}: Falling back to recording changes in RAM."
+ PERSISTPART=""
+ VIRGIN=1
+ fi
+ unset TEMPP
+ elif [ "${PERSISTPART}" = "scandev" ]; then
+ # Scan partitions to find the one with the persistence directory:
+ echo "${MARKER}: Scanning for partition with '${PERSISTENCE}'..."
+ ppartdir=".persistence_$(od -An -N1 -tu1 /dev/urandom|tr -d ' ')"
+ mkdir -p /mnt/live/${ppartdir}
+ for PPART in $(ret_partition $(blkid |cut -d: -f1)) ; do
+ PPARTFS=$(blkid $PPART |rev |cut -d'"' -f2 |rev)
+ # Mount the partition and peek inside for a directory or container:
+ mount -t $PPARTFS -o ro ${PPART} /mnt/live/${ppartdir}
+ if [ -d /mnt/live/${ppartdir}/${PERSISTPATH}/${PERSISTENCE} ] || [ -f /mnt/live/${ppartdir}/${PERSISTPATH}/${PERSISTENCE}${CNTEXT} ]; then
+ # Found our persistence directory/container!
+ PERSISTPART=$PPART
+ unset PPART
+ umount /mnt/live/${ppartdir}
+ break
+ else
+ umount /mnt/live/${ppartdir}
+ fi
+ done
+ rmdir /mnt/live/${ppartdir}
+ if [ -n "$PPART" ]; then
+ echo "${MARKER}: Partition scan unable to find persistence."
+ echo "${MARKER}: Falling back to recording changes in RAM."
+ PERSISTPART=""
+ VIRGIN=1
+ fi
+ fi
+ fi
+
+ debugit
+
+ # ------------------------------------------------------------------ #
+ # #
+ # At this point, we either have determined the persistence partition #
+ # via UUID/LABEL/scandev, or else we failed to find one, #
+ # and then VIRGIN has been set to '1' and PERSISTPART to "". #
+ # #
+ # ------------------------------------------------------------------ #
+
+ if [ -n "${PERSISTPART}" ]; then
+ # Canonicalize the input and the media devices,
+ # to ensure that we are talking about two different devices:
+ MPDEV=$(df /mnt/media |tail -1 |tr -s ' ' |cut -d' ' -f1)
+ REALMP=$(readlink -f ${MPDEV})
+ REALPP=$(readlink -f ${PERSISTPART})
+ if [ "${REALMP}" != "${REALPP}" ]; then
+ # The liveslak media is different from the persistence partition.
+ # Mount the partition readonly to access the persistence directory:
+ ppdir=".persistence_$(od -An -N1 -tu1 /dev/urandom|tr -d ' ')"
+ mkdir -p /mnt/live/${ppdir}
+ mount -o ro ${PERSISTPART} /mnt/live/${ppdir}
+ if [ $? -ne 0 ]; then
+ echo "${MARKER}: Failed to mount persistence partition '${PERSISTPART}' readonly."
+ echo "${MARKER}: Falling back to recording changes in RAM."
+ rmdir /mnt/live/${ppdir}
+ VIRGIN=1
+ else
+ # Explicitly configured persistence has priority over regular
+ # persistence settings, and also overrides the boot parameter 'nop':
+ if [ -n "${ISOBOOT}" ]; then
+ # Boot from ISO, persistence is on the filesystem containing the ISO:
+ PPATHINTERNAL=${SUPERMNT}
+ else
+ # We use the above created directory:
+ PPATHINTERNAL=/mnt/live/${ppdir}
+ fi
+ VIRGIN=0
+ fi
+ fi
+ fi
+
+ debugit
+
+ # At this point, if we use persistence then its partition is either
+ # the live media (mounted on /mnt/media), a system partition
+ # (mounted on /mnt/live/${ppdir}) or the partition containing the ISO if we
+ # booted off that.
+ # The variable ${PPATHINTERNAL} points to its mount point,
+ # and the partition is mounted read-only.
+
+ # Create the mount point for the writable upper directory of the overlay.
+ # First, we deal with the case of persistence (VIRGIN=0) and then we
+ # deal with a pure Live system without persistence (VIRGIN=1):
+
+ if [ $VIRGIN -eq 0 ]; then
+ if [ -d ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE} ] || [ -f ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}${CNTEXT} ]; then
+ # Remount the partition r/w - we need to write to the persistence area.
+ # The value of PPATHINTERNAL will be different for USB stick or harddisk:
+ mount -o remount,rw ${PPATHINTERNAL}
+ if [ $? -ne 0 ]; then
+ echo "${MARKER}: Failed to mount persistence partition '${PERSISTPART}' read/write."
+ echo "${MARKER}: Falling back to recording changes in RAM."
+ VIRGIN=1
+ fi
+ fi
+ fi
+
+ # We have now checked whether the persistence area is actually writable.
- # Create the mount point for the writable upper directory of the overlay:
- # Assume the default to be a readonly media - we write to RAM:
- UPPERDIR=/mnt/live/changes
- OVLWORK=/mnt/live/.ovlwork
if [ $VIRGIN -eq 0 ]; then
- if [ "LIVEFS" != "iso9660" -a -d /mnt/media/${PERSISTENCE} ]; then
- # Looks OK, but we need to remount the media in order to write
- # to the persistence directory:
- mount -o remount,rw /mnt/media
+ # Persistence directory (either on writable USB or else on system harddisk):
+ if [ -d ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE} ]; then
# Try a write... just to be dead sure:
- if touch /mnt/media/${PERSISTENCE}/.rwtest 2>/dev/null && rm /mnt/media/${PERSISTENCE}/.rwtest 2>/dev/null ; then
+ if touch ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/.rwtest 2>/dev/null && rm ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/.rwtest 2>/dev/null ; then
# Writable media and we are allowed to write to it.
- if [ "$WIPE_PERSISTENCE" = "1" -o -f /mnt/media/${PERSISTENCE}/.wipe ]; then
- echo "${MARKER}: Wiping existing persistent data in '/${PERSISTENCE}'."
- rm -f /mnt/media/${PERSISTENCE}/.wipe 2>/dev/null
- find /mnt/media/${PERSISTENCE}/ -mindepth 1 -exec rm -rf {} \; 2>/dev/null
+ if [ "$WIPE_PERSISTENCE" = "1" -o -f ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/.wipe ]; then
+ echo "${MARKER}: Wiping existing persistent data in '${PERSISTPATH}/${PERSISTENCE}'."
+ rm -f ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/.wipe 2>/dev/null
+ find ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/ -mindepth 1 -exec rm -rf {} \; 2>/dev/null
fi
- echo "${MARKER}: Writing persistent changes to media directory '/${PERSISTENCE}'."
- UPPERDIR=/mnt/media/${PERSISTENCE}
- OVLWORK=/mnt/media/.ovlwork
+ echo "${MARKER}: Writing persistent changes to media directory '${PERSISTENCE}'."
+ UPPERDIR=${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}
+ OVLWORK=${PPATHINTERNAL}/${PERSISTPATH}/.ovlwork
+ else
+ echo "${MARKER}: Failed to write to persistence directory '${PERSISTENSE}'."
+ echo "${MARKER}: Falling back to recording changes in RAM."
+ VIRGIN=1
fi
- elif [ "LIVEFS" != "iso9660" -a -f /mnt/media/${PERSISTENCE}.img ]; then
- # Use a container file; the filesystem needs to be writable:
- mount -o remount,rw /mnt/media
+ # Use a container file instead of a directory for persistence:
+ elif [ -f ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}${CNTEXT} ]; then
# Find a free loop device to mount the persistence container file:
prdev=$(find_loop)
- prdir=$(basename ${PERSISTENCE})_$(od -An -N1 -tu1 /dev/urandom |tr -d ' ')
+ prdir=persistence_$(od -An -N1 -tu1 /dev/urandom |tr -d ' ')
mkdir -p /mnt/live/${prdir}
- losetup $prdev /mnt/media/${PERSISTENCE}.img
+ losetup $prdev ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}${CNTEXT}
# Check if the persistence container is LUKS encrypted:
if cryptsetup isLuks $prdev 1>/dev/null 2>/dev/null ; then
- echo "${MARKER}: Unlocking LUKS encrypted persistence file '/${PERSISTENCE}.img'"
- cryptsetup luksOpen $prdev $(basename ${PERSISTENCE}) </dev/tty0 >/dev/tty0 2>&1
+ echo "${MARKER}: Unlocking LUKS encrypted persistence file '${PERSISTPATH}/${PERSISTENCE}${CNTEXT}'"
+ cryptsetup luksOpen $prdev ${PERSISTENCE} </dev/tty0 >/dev/tty0 2>&1
if [ $? -ne 0 ]; then
- echo "${MARKER}: Failed to unlock persistence file '/${PERSISTENCE}.img'."
+ echo "${MARKER}: Failed to unlock persistence file '${PERSISTPATH}/${PERSISTENCE}${CNTEXT}'."
echo "${MARKER}: Falling back to RAM."
else
# LUKS properly unlocked; from now on use the mapper device instead:
- prdev=/dev/mapper/$(basename ${PERSISTENCE})
+ prdev=/dev/mapper/${PERSISTENCE}
fi
fi
- prfs=$(blkid $prdev |rev |cut -d'"' -f2 |rev)
+ prfs=$(blkid $prdev 2>/dev/null |rev |cut -d'"' -f2 |rev)
mount -t $prfs $prdev /mnt/live/${prdir} 2>/dev/null
if [ $? -ne 0 ]; then
- echo "${MARKER}: Failed to mount persistence file '/${PERSISTENCE}.img'."
+ echo "${MARKER}: Failed to mount persistence file '${PERSISTPATH}/${PERSISTENCE}${CNTEXT}'."
echo "${MARKER}: Falling back to RAM."
else
- if [ "$WIPE_PERSISTENCE" = "1" -o -f /mnt/live/${prdir}/$(basename ${PERSISTENCE})/.wipe ]; then
- echo "${MARKER}: Wiping existing persistent data in '/${PERSISTENCE}.img'."
- rm -f /mnt/live/${prdir}/$(basename ${PERSISTENCE})/.wipe 2>/dev/null
- find /mnt/live/${prdir}/$(basename ${PERSISTENCE})/ -mindepth 1 -exec rm -rf {} \; 2>/dev/null
+ if [ "$WIPE_PERSISTENCE" = "1" -o -f /mnt/live/${prdir}/${PERSISTENCE}/.wipe ]; then
+ echo "${MARKER}: Wiping existing persistent data in '${PERSISTPATH}/${PERSISTENCE}${CNTEXT}'."
+ rm -f /mnt/live/${prdir}/${PERSISTENCE}/.wipe 2>/dev/null
+ find /mnt/live/${prdir}/${PERSISTENCE}/ -mindepth 1 -exec rm -rf {} \; 2>/dev/null
fi
- echo "${MARKER}: Writing persistent changes to file '/${PERSISTENCE}.img'."
- UPPERDIR=/mnt/live/${prdir}/$(basename ${PERSISTENCE})
+ echo "${MARKER}: Writing persistent changes to file '${PERSISTPATH}/${PERSISTENCE}${CNTEXT}'."
+ UPPERDIR=/mnt/live/${prdir}/${PERSISTENCE}
OVLWORK=/mnt/live/${prdir}/.ovlwork
fi
fi
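Review bot: The wipe `find ${PPATHINTERNAL}/${PERSISTPATH}/${PERSISTENCE}/ -mindepth 1 -exec rm -rf {} \;` now runs on a path built from the boot parameter and can point at any partition, but nothing rejects a value that resolves to the partition root. With `persistence=/dev/sdX:/` both `dirname` and `basename` return '/', the `-d` test passes, and WIPE_PERSISTENCE=1 or a `.wipe` file would then empty the whole filesystem. A guard placed before the first `if [ $VIRGIN -eq 0 ]` test would stop that: `case "${PERSISTENCE}" in ""|/|.|..) VIRGIN=1 ;; esac`, together with the usual 'Falling back to recording changes in RAM' message. Also, the new error message prints `${PERSISTENSE}`, a typo for `${PERSISTENCE}` that always expands to nothing.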
@@ -968,7 +1372,13 @@ if [ "$RESCUE" = "" ]; then
if [ ! -z "$LUKSVOL" ]; then
# Even without persistence, we need to be able to write to the partition
# if we are using a LUKS container file:
- mount -o remount,rw /mnt/media
+ if [ -n "$ISOBOOT" ]; then
+ mount -o remount,rw ${SUPERMNT}
+ else
+ mount -o remount,rw /mnt/media
+ fi
+ else
+ mount -o remount,ro /mnt/media
fi
fi
@@ -1034,6 +1444,12 @@ if [ "$RESCUE" = "" ]; then
mount --bind /mnt/live/toram /mnt/overlay/mnt/livemedia
fi
+ if [ -n "$ISOBOOT" ]; then
+ # Expose the filesystem on the USB stick when we booted off an ISO there:
+ mkdir -p /mnt/overlay/mnt/supermedia
+ mount --bind ${SUPERMNT} /mnt/overlay/mnt/supermedia
+ fi
+
if [ ! -z "$USE_SWAP" ]; then
# Use any available swap device:
for SWAPD in $(blkid |grep TYPE="\"swap\"" |cut -d: -f1) ; do
@@ -1042,6 +1458,44 @@ if [ "$RESCUE" = "" ]; then
done
fi
+ if [ ! -z "$LUKSVOL" ]; then
+ # Bind any LUKS container into the Live filesystem:
+ for luksvol in $(echo $LUKSVOL |tr ',' ' '); do
+ luksfil="$(echo $luksvol |cut -d: -f1)"
+ luksmnt="$(echo $luksvol |cut -d: -f2)"
+ luksnam="$(echo $(basename $luksfil) |tr '.' '_')"
+ if [ "$luksmnt" = "$luksfil" ]; then
+ # No optional mount point specified, so we use the default: /home/
+ luksmnt="/home"
+ fi
+
+ # Find a free loop device:
+ lodev=$(find_loop)
+
+ losetup $lodev ${CPATHINTERNAL}/$luksfil
+ echo "Unlocking LUKS encrypted container '$luksfil' at mount point '$luksmnt'"
+ cryptsetup luksOpen $lodev $luksnam </dev/tty0 >/dev/tty0 2>&1
+ if [ $? -ne 0 ]; then
+ echo "${MARKER}: Failed to unlock LUKS container '$luksfil'... trouble ahead."
+ else
+ # Create the mount directory if it does not exist (unlikely):
+ mkdir -p /mnt/overlay/$luksmnt
+
+ # Let Slackware mount the unlocked container:
+ luksfs=$(blkid /dev/mapper/$luksnam |rev |cut -d'"' -f2 |rev)
+ if ! grep -q "^/dev/mapper/$luksnam" /mnt/overlay/etc/fstab ; then
+ echo "/dev/mapper/$luksnam $luksmnt $luksfs defaults 1 1" >> /mnt/overlay/etc/fstab
+ fi
+ # On shutdown, ensure that the container gets locked again:
+ if ! grep -q "$luksnam $luksmnt" /mnt/overlay/etc/crypttab ; then
+ echo "$luksnam $luksmnt" >> /mnt/overlay/etc/crypttab
+ fi
+ fi
+ done
+ fi
+
+ debugit
+
if [ ! -z "$KEYMAP" ]; then
# Configure custom keyboard mapping in console and X:
echo "${MARKER}: Switching live console to '$KEYMAP' keyboard"
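Review bot: In the relocated LUKS loop, the fstab test `grep -q "^/dev/mapper/$luksnam"` is a prefix match, so a container whose mapper name is a prefix of one already listed is wrongly treated as present. Ending the pattern on whitespace avoids that: `grep -q "^/dev/mapper/$luksnam[[:space:]]"`. The values `luksfil`, `luksmnt` and `luksnam` all come from `LUKSVOL` and are used unquoted in `losetup`, `cryptsetup`, `mkdir -p` and the two append lines, so quoting them would keep a value with spaces or glob characters from being split. The results of `find_loop` and `losetup` are not checked before `cryptsetup luksOpen` runs, so an empty `$lodev` is only reported as a failed unlock.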
@@ -1162,20 +1616,28 @@ EOT
fi
fi
- if [ ! -z "$LIVEPW" ]; then
+ if [ -n "$LIVEPW" ] && [ "$LIVEPW" != "${DEFPW}" ]; then
# User entered a custom live password on the boot commandline:
echo "${MARKER}: Changing password for user '${LIVEUID}'."
chroot /mnt/overlay /usr/sbin/chpasswd <<EOPW
${LIVEUID}:${LIVEPW}
EOPW
+ elif [ -z "$LIVEPW" ]; then
+ # User requested an empty live password:
+ echo "${MARKER}: Removing password for user '${LIVEUID}'."
+ chroot /mnt/overlay /usr/bin/passwd -d ${LIVEUID}
fi
- if [ ! -z "$ROOTPW" ]; then
+ if [ -n "$ROOTPW" ] && [ "$ROOTPW" != "${DEFPW}" ]; then
# User entered a custom root password on the boot commandline:
echo "${MARKER}: Changing password for user 'root'."
chroot /mnt/overlay /usr/sbin/chpasswd <<EOPW
root:${ROOTPW}
EOPW
+ elif [ -z "$ROOTPW" ]; then
+ # User requested an empty root password:
+ echo "${MARKER}: Removing password for user 'root'."
+ chroot /mnt/overlay /usr/bin/passwd -d root
fi
if [ ! -z "$HNMAC" -a "$HNMAC_ALLOWED" = "YES" ]; then
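Review bot: The two new `elif [ -z ... ]` branches run `passwd -d` for the live user and for root whenever the variable is empty. The accounts therefore end up without a password unless `LIVEPW` and `ROOTPW` are always preset to `${DEFPW}` before this point. That initialisation is outside the hunk and worth confirming, because an unset variable on any code path would silently remove the root password. A comment above each branch would record the precondition, e.g. `# ROOTPW is preset to DEFPW; it is empty only when an empty password was requested on the boot commandline`. `${LIVEUID}` should also be quoted in `passwd -d "${LIVEUID}"`.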
@@ -1211,7 +1673,7 @@ EOPW
mkdir -p /mnt/overlay/run/dhcpcd
mount --bind /run/dhcpcd /mnt/overlay/run/dhcpcd
fi
- cp -a /run/dhcpcd* /mnt/overlay/run/
+ cp -a /run/dhcpcd* /run/${INTERFACE}.pid /mnt/overlay/run/
cat /etc/resolv.conf > /mnt/overlay/etc/resolv.conf
# Disable NetworkManager:
@@ -1365,7 +1827,7 @@ EOT
done
if [ $RUN_DEPMOD -eq 1 ]; then
# This costs a few seconds in additional boot-up time unfortunately:
- echo "${MARKER}: Additional kernel module(s) found... need a bit"
+ echo "${MARKER}: Additional kernel module(s) found... need a bit"
chroot /mnt/overlay /sbin/depmod -a
fi
unset RUN_DEPMOD
@@ -1376,52 +1838,19 @@ EOT
# In case of network boot, do not kill the network, umount NFS prematurely
# or stop udevd on shutdown:
if [ -n "$NFSHOST" ]; then
- sed -i /mnt/overlay/etc/rc.d/rc.0 \
- -e "/on \/ type nfs/s%grep -q 'on / type nfs'%egrep -q 'on / type (nfs|tmpfs)'%" \
- -e '/umount.*nfs/s/nfs,//' \
- -e 's/rc.udev force-stop/rc.udev stop/' \
- -e 's/$(pgrep mdmon)/& $(pgrep udevd)/'
+ for RUNLVL in 0 6 ; do
+ sed -i /mnt/overlay/etc/rc.d/rc.${RUNLVL} \
+ -e "/on \/ type nfs/s%grep -q 'on / type nfs'%egrep -q 'on / type (nfs|tmpfs)'%" \
+ -e "s%'on / type nfs4'%& -e 'on / type overlay'%" \
+ -e '/umount.*nfs/s/nfs,//' \
+ -e 's/rc.udev force-stop/rc.udev stop/' \
+ -e 's/$(pgrep mdmon)/& $(pgrep udevd)/'
+ done
fi
# Copy contents of rootcopy directory (may be empty) to overlay:
cp -af /mnt/media/${LIVEMAIN}/rootcopy/* /mnt/overlay/ 2>/dev/null
- # Bind any LUKS container into the Live filesystem:
- if [ ! -z "$LUKSVOL" ]; then
- for luksvol in $(echo $LUKSVOL |tr ',' ' '); do
- luksfil="$(echo $luksvol |cut -d: -f1)"
- luksmnt="$(echo $luksvol |cut -d: -f2)"
- luksnam="$(echo $(basename $luksfil) |tr '.' '_')"
- if [ "$luksmnt" = "$luksfil" ]; then
- # No optional mount point specified, so we use the default: /home/
- luksmnt="/home"
- fi
-
- # Find a free loop device:
- lodev=$(find_loop)
-
- losetup $lodev /mnt/media/$luksfil
- echo "Unlocking LUKS encrypted container '$luksfil' at mount point '$luksmnt'"
- cryptsetup luksOpen $lodev $luksnam </dev/tty0 >/dev/tty0 2>&1
- if [ $? -ne 0 ]; then
- echo "${MARKER}: Failed to unlock LUKS container '$luksfil'... trouble ahead."
- else
- # Create the mount directory if it does not exist (unlikely):
- mkdir -p /mnt/overlay/$luksmnt
-
- # Let Slackware mount the unlocked container:
- luksfs=$(blkid /dev/mapper/$luksnam |rev |cut -d'"' -f2 |rev)
- if ! grep -q /dev/mapper/$luksnam /mnt/overlay/etc/fstab ; then
- echo "/dev/mapper/$luksnam $luksmnt $luksfs defaults 1 1" >> /mnt/overlay/etc/fstab
- fi
- # On shutdown, ensure that the container gets locked again:
- if ! grep -q "$luksnam $luksmnt" /mnt/overlay/etc/crypttab ; then
- echo "$luksnam $luksmnt" >> /mnt/overlay/etc/crypttab
- fi
- fi
- done
- fi
-
[ $DEBUG -gt 3 ] && rescue "DEBUG SHELL"
# --------------------------------------------------------------------- #
@@ -1453,8 +1882,8 @@ fi
/sbin/udevadm control --exit
unset ERR
-umount /proc
-umount /sys
+umount /proc 2>/dev/null
+umount /sys 2>/dev/null
umount /run 2>/dev/null
echo "${MARKER}: Slackware Live system is ready."
diff --git a/make_slackware_live.sh b/make_slackware_live.sh
index 19445f6..6611e4f 100755
--- a/make_slackware_live.sh
+++ b/make_slackware_live.sh
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021 Eric Hameleers, Eindhoven, NL
+# Copyright 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 Eric Hameleers, Eindhoven, NL
# All rights reserved.
#
# Permission to use, copy, modify, and distribute this software for
@@ -35,7 +35,7 @@
# -----------------------------------------------------------------------------
# Version of the Live OS generator:
-VERSION="1.3.9.3"
+VERSION="1.8.1.1"
# Timestamp:
THEDATE=$(date +%Y%m%d)
@@ -67,7 +67,27 @@ BOOTLOADSIZE=${BOOTLOADSIZE:-4}
# Therefore we disable 32bit EFI by default. Enable at your own peril:
EFI32=${EFI32:-"NO"}
-# Set to YES if you want to use the SMP kernel on 32bit Slackware:
+# Set to '1' using the "-S" parameter to the script,
+# if the liveslak ISO should support SecureBoot-enabled computers:
+SECUREBOOT=0
+
+# Which shim to download and install?
+# Supported are 'debian' 'fedora' 'opensuse'.
+SHIM_3RDP=${SHIM_3RDP:-"fedora"}
+
+# When enabling SecureBoot support, we need a MOK certificate plus private key,
+# which we use to sign grub and kernel.
+# MOKCERT contains the location of the certificate,
+# to be defined through the '-S' parameter:
+MOKCERT=""
+# MOKPRIVKEY points to the location of the private key,
+# to be defined through the '-S' parameter:
+MOKPRIVKEY=""
+
+# Set to YES if you want to use a SMP-tagged kernel package
+# on 32bit Slackware 15.0 or earlier.
+# In 32bit Slackware > 15.0 all kernels support preemption and the '-smp'
+# tag has been removed.
SMP32=${SMP32:-"NO"}
# Include support for NFS root (PXE boot), will increase size of the initrd:
@@ -161,8 +181,9 @@ ONLY_ISO="NO"
# The name of the directory used for storing persistence data:
PERSISTENCE=${PERSISTENCE:-"persistence"}
-# Add a Core OS to load into RAM (currently supported for XFCE, LEAN, DAW):
+# Add a Core OS to load into RAM (value can be 'NO', 'YES' or 'NATIVE'):
CORE2RAM=${CORE2RAM:-"NO"}
+# The MINLIST module must always be the first in CORE2RAMMODS:
CORE2RAMMODS="${MINLIST} noxbase"
# Slackware version to use (note: this won't work for Slackware <= 14.1):
@@ -182,14 +203,20 @@ SL_REPO_URL=${SL_REPO_URL:-"rsync.osuosl.org::slackware"}
DEF_SL_REPO_URL=${SL_REPO_URL}
# List of Slackware package series - each will become a squashfs module:
-SEQ_SLACKWARE="tagfile:a,ap,d,e,f,k,kde,l,n,t,tcl,x,xap,xfce,y pkglist:slackextra"
+if [ "$(echo ${SL_VERSION}|cut -d. -f1)" == "14" ]; then
+ # Slackware up and until 14.2 has KDE4 which includes the 'kdei' package set:
+ SEQ_SLACKWARE="tagfile:a,ap,d,e,f,k,kde,kdei,l,n,t,tcl,x,xap,xfce,y pkglist:slackextra"
+else
+ # Exclude Emacs to keep the ISO size below DVD size:
+ SEQ_SLACKWARE="tagfile:a,ap,d,f,k,kde,l,n,t,tcl,x,xap,xfce,y pkglist:slackextra"
+fi
# Stripped-down Slackware with XFCE as the Desktop Environment:
# - each series will become a squashfs module:
-SEQ_XFCEBASE="${MINLIST},noxbase,x_base,xapbase,xfcebase local:mcpp"
+SEQ_XFCEBASE="pkglist:${MINLIST},noxbase,x_base,xapbase,xfcebase local:mcpp"
# Stripped-down Base Slackware:
-SEQ_LEAN="pkglist:${MINLIST},noxbase,x_base,xapbase,xfcebase,slackpkgplus,z00_plasma5supp,z01_plasma5base"
+SEQ_LEAN="pkglist:${MINLIST},noxbase,x_base,xapbase,xfcebase,slackpkgplus,z00_plasma5supp,z01_plasma5base,z01_swdev"
# Stripped-down Slackware DAW with Plasma5 as the Desktop Environment:
# - each series will become a squashfs module.
@@ -198,7 +225,7 @@ SEQ_DAW="pkglist:${MINLIST},noxbase,x_base,xapbase,slackpkgplus,z00_plasma5supp,
# Slackware with 'ktown' Plasma5 instead of its own KDE (full install):
# - each will become a squashfs module:
-SEQ_KTOWN="tagfile:a,ap,d,e,f,k,l,n,t,tcl,x,xap,xfce,y pkglist:ktown,ktownalien,slackextra,slackpkgplus"
+SEQ_KTOWN="tagfile:a,ap,d,f,k,l,n,t,tcl,x,xap,xfce,y pkglist:ktownslack,ktown,ktownalien,slackextra,slackpkgplus"
# List of Slackware package series with MSB instead of KDE (full install):
# - each will become a squashfs module:
@@ -217,12 +244,20 @@ SEQ_DLACK="tagfile:a,ap,d,e,f,k,l,n,t,tcl,x,xap pkglist:dlackware,slackextra,sys
SEQ_STUDW="tagfile:a,ap,d,e,f,k,kde,l,n,t,tcl,x,xap,xfce,y pkglist:slackextra,slackpkgplus,studioware"
# Package blacklists for variants:
-BLACKLIST_XFCE="lynx mc"
+#BLACKLIST_DAW="seamonkey"
+#BLACKLIST_LEAN="seamonkey"
+BLACKLIST_SLACKWARE="calligra calligraplan gcc-gdc gcc-gfortran gcc-gnat gcc-objc krita kstars seamonkey"
+#BLACKLIST_XFCE="gst-plugins-bad-free lynx mc motif mozilla-firefox pidgin xlockmore"
+
+# Potentially we will use package(s) from 'testing' instead of regular repo:
+#TESTINGLIST_DAW="kernel-generic kernel-modules kernel-headers kernel-source"
+TESTINGLIST_DAW=""
# -- START: Used verbatim in upslak.sh -- #
# List of kernel modules required for a live medium to boot properly;
-# Lots of HID modules added to support keyboard input for LUKS password entry:
-KMODS=${KMODS:-"squashfs:overlay:loop:xhci-pci:ohci-pci:ehci-pci:xhci-hcd:uhci-hcd:ehci-hcd:mmc-core:mmc-block:sdhci:sdhci-pci:sdhci-acpi:usb-storage:hid:usbhid:i2c-hid:hid-generic:hid-apple:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd:mbcache:ext3:ext4:isofs:fat:nls_cp437:nls_iso8859-1:msdos:vfat:ntfs"}
+# Lots of HID modules added to support keyboard input for LUKS password entry;
+# Virtio modules added to experiment with liveslak in a VM.
+KMODS=${KMODS:-"squashfs:overlay:loop:efivarfs:xhci-pci:ohci-pci:ehci-pci:xhci-hcd:uhci-hcd:ehci-hcd:mmc-core:mmc-block:sdhci:sdhci-pci:sdhci-acpi:rtsx_pci:rtsx_pci_sdmmc:usb-storage:uas:hid:usbhid:i2c-hid:hid-generic:hid-apple:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd:mbcache:ext3:ext4:zstd_compress:lz4hc_compress:lz4_compress:btrfs:f2fs:jfs:xfs:isofs:fat:nls_cp437:nls_iso8859-1:msdos:vfat:exfat:ntfs:virtio_ring:virtio:virtio_blk:virtio_balloon:virtio_pci:virtio_pci_modern_dev:virtio_net"}
# Network kernel modules to include for NFS root support:
NETMODS="kernel/drivers/net kernel/drivers/virtio"
@@ -237,9 +272,10 @@ NETFIRMWARE="3com acenic adaptec bnx tigon e100 sun kaweth tr_smctr cxgb3 rtl_ni
# If any Live variant needs additional 'append' parameters, define them here,
# either using a variable name 'KAPPEND_<LIVEDE>', or by defining 'KAPPEND' in the .conf file:
KAPPEND_SLACKWARE=""
-KAPPEND_KTOWN="threadirqs"
-KAPPEND_DAW="threadirqs"
-KAPPEND_STUDIOWARE="threadirqs"
+KAPPEND_KTOWN="threadirqs loglevel=3 audit=0"
+KAPPEND_DAW="threadirqs preempt=full loglevel=3 audit=0"
+KAPPEND_LEAN="threadirqs preempt=full loglevel=3 audit=0"
+KAPPEND_STUDIOWARE="threadirqs preempt=full loglevel=3 audit=0"
# Add CACert root certificates yes/no?
ADD_CACERT=${ADD_CACERT:-"NO"}
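Review bot: `audit=0` is added to the default kernel parameters of KTOWN, DAW, LEAN and STUDIOWARE without a comment, and it switches the kernel audit subsystem off on every boot of those images. A line above the block would record the trade-off, e.g. `# audit=0 disables kernel auditing on these variants; remove it if auditd is needed`. The same applies to `loglevel=3`, which hides kernel messages below error level from the console. The comment above the block already says `KAPPEND` can be set in the .conf file, so naming that as the override would complete the documentation.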
@@ -275,7 +311,7 @@ SQ_COMP_PARAMS_OPT[gzip]=""
SQ_COMP_PARAMS_OPT[lzma]=""
SQ_COMP_PARAMS_OPT[lzo]=""
SQ_COMP_PARAMS_OPT[xz]="-b 1M"
-SQ_COMP_PARAMS_OPT[zstd]="-b 1M -Xcompression-level 19"
+SQ_COMP_PARAMS_OPT[zstd]="-b 1M -Xcompression-level 22"
# What compression to use for the squashfs modules?
# Default is xz, alternatives are gzip, lzma, lzo, zstd:
@@ -412,7 +448,9 @@ function install_pkgs() {
fi
if [ "${SL_REPO}" = "${DEF_SL_REPO}" ]; then
- # We need only one release from the Slackware package mirror;
+ # SL_REPO was not re-defined in ${PKGCONF},
+ # so we are dealing with an actual Slackware repository rootdir.
+ # We select only the requested release in the Slackware package mirror;
# This must *not* end with a '/' :
SELECTION="${DISTRO}${DIRSUFFIX}-${SL_VERSION}"
else
@@ -454,6 +492,16 @@ function install_pkgs() {
# REP equal to PKG.
# - If PKG is empty then this is a request to remove the package.
REP=$(echo $PKGPAT |cut -d% -f1)
+ if [ "$CORE2RAM" != "NO" ] && [ -z "$(echo $CORE2RAMMODS |grep -w $(basename $PKGFILE .lst))" ]; then
+ # If we are adding core2ram modules,
+ # prevent re-installing their packages in another module:
+ PKGC2R="$(for MYLST in ${CORE2RAMMODS}; do grep "^${PKG}$" ${LIVE_TOOLDIR}/pkglists/${MYLST}.lst ; done)"
+ unset MYLST
+ if [ -n "${PKGC2R}" ]; then
+ # Found a package that is listed as a core2ram module:
+ continue
+ fi
+ fi
# Skip installation on detecting a blacklisted package:
for BLST in ${BLACKLIST} BLNONE; do
if [ "$PKG" == "$BLST" ]; then
@@ -461,6 +509,19 @@ function install_pkgs() {
break
fi
done
+ # Sometimes we want to use a package in 'testing' instead:
+ for PTST in ${TESTINGLIST} TSTNONE; do
+ if [ "$PKG" == "$PTST" ]; then
+ # Found a package to install from 'testing'.
+ break
+ fi
+ done
+ # Install a SMP kernel/modules if requested:
+ if [ "${PKG}" = "kernel-generic" ] && [ "$SL_ARCH" != "x86_64" -a "$SMP32" = "YES" ]; then
+ PKG="kernel-generic-smp"
+ elif [ "${PKG}" = "kernel-modules" ] && [ "$SL_ARCH" != "x86_64" -a "$SMP32" = "YES" ]; then
+ PKG="kernel-modules-smp"
+ fi
# Now decide what to do:
if [ -z "${PKG}" ]; then
# Package removal:
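Review bot: The SMP rename runs after the `TESTINGLIST` match, so the two can disagree about the package name. On 32bit with `SMP32=YES`, a `kernel-generic` entry in the testing list sets `PTST=kernel-generic`, and `PKG` is then changed to `kernel-generic-smp`. The `"${PKG}" == "${PTST}"` test in the next hunk no longer matches, and the package is looked up in the regular tree instead of 'testing'. The blacklist match on `BLST` just above is affected in the same way. Moving the rename block ahead of both `for` loops keeps the comparisons consistent; the loops sit inside install_pkgs, which starts and ends outside the hunk.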
@@ -468,17 +529,25 @@ function install_pkgs() {
elif [ "${PKG}" == "${BLST}" ]; then
echo "-- Not installing blacklisted package '$PKG'."
else
+ if [ "${PKG}" == "${PTST}" ]; then
+ echo "-- Installing package '$PKG' from 'testing'."
+ FULLPKG=$(full_pkgname ${PKG} $(dirname ${SL_PKGROOT})/testing)
+ else
+ FULLPKG=""
+ fi
# Package install/upgrade:
# Look in ./patches ; then ./${DISTRO}$DIRSUFFIX ; then ./extra
# Need to escape any '+' in package names such a 'gtk+2'.
- if [ ! -z "${SL_PATCHROOT}" ]; then
- FULLPKG=$(full_pkgname ${PKG} ${SL_PATCHROOT})
- else
- FULLPKG=""
+ if [ "x${FULLPKG}" = "x" ]; then
+ if [ ! -z "${SL_PATCHROOT}" ]; then
+ FULLPKG=$(full_pkgname ${PKG} ${SL_PATCHROOT})
+ else
+ FULLPKG=""
+ fi
fi
if [ "x${FULLPKG}" = "x" ]; then
FULLPKG=$(full_pkgname ${PKG} ${SL_PKGROOT})
- else
+ elif [ "${PKG}" != "${PTST}" ]; then
echo "-- $PKG found in patches"
fi
if [ "x${FULLPKG}" = "x" ]; then
@@ -510,7 +579,7 @@ function install_pkgs() {
done
fi
- if [ "$TRIM" = "doc" -o "$TRIM" = "mandoc" -o "$TRIM" = "bloat" ]; then
+ if [ "$TRIM" = "doc" -o "$TRIM" = "mandoc" -o "$TRIM" = "waste" -o "$TRIM" = "bloat" ]; then
# Remove undesired (too big for a live OS) document subdirectories,
# but leave cups alone because it contains the CUPS service's web page:
(cd "${2}/usr/doc" && find . -type d -mindepth 2 -maxdepth 2 |grep -v /cups- |xargs rm -rf)
@@ -525,13 +594,14 @@ function install_pkgs() {
# Remove info pages:
rm -rf "$2"/usr/info
fi
- if [ "$TRIM" = "mandoc" -o "$TRIM" = "bloat" ]; then
+ if [ "$TRIM" = "mandoc" -o "$TRIM" = "waste" -o "$TRIM" = "bloat" ]; then
# Also remove man pages:
rm -rf "$2"/usr/man
fi
if [ "$TRIM" = "bloat" ]; then
# By pruning stuff that no one likely needs anyway,
# we make room for packages we would otherwise not be able to add.
+ # We do this only if your ISO needs to be the smallest possible:
# MySQL embedded is only used by Amarok:
rm -f "$2"/usr/bin/mysql*embedded*
# Also remove the big unused/esoteric static libraries:
@@ -565,7 +635,9 @@ function install_pkgs() {
rm -rf "$2"/usr/lib${DIRSUFFIX}/d3d
rm -rf "$2"/usr/lib${DIRSUFFIX}/guile
rm -rf "$2"/usr/share/icons/HighContrast
- # Nor these datacenter NIC firmwares and drivers:
+ fi
+ if [ "$TRIM" = "waste" -o "$TRIM" = "bloat" ]; then
+ # Get rid of these datacenter NIC firmwares and drivers:
rm -rf "$2"/lib/firmware/{bnx*,cxgb4,libertas,liquidio,mellanox,netronome,qed}
rm -rf "$2"/lib/modules/*/kernel/drivers/infiniband
rm -rf "$2"/lib/modules/*/kernel/drivers/net/ethernet/{broadcom/bnx*,chelsio,mellanox,netronome,qlogic}
@@ -675,6 +747,7 @@ function gen_bootmenu() {
-e "s/@VERSION@/$VERSION/g" \
-e "s/@KAPPEND@/$KAPPEND/g" \
-e "s/@C2RMH@/$C2RMH/g" \
+ -e "s/@C2RSH@/$C2RMS/g" \
> ${MENUROOTDIR}/vesamenu.cfg
for LANCOD in $(cat ${LIVE_TOOLDIR}/languages |grep -Ev "(^ *#|^$)" |cut -d: -f1)
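Review bot: The placeholder in the added sed expression is spelled `@C2RSH@`, while the other two substitutions this commit adds (for menu_${LANCOD}.cfg and grub.cfg) use `@C2RMS@`. Unless the vesamenu template really contains `@C2RSH@` (the template is not shown here), the marker stays unreplaced in vesamenu.cfg. If it is a typo the line should read `-e "s/@C2RMS@/$C2RMS/g" \`.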
@@ -720,6 +793,7 @@ EOL
-e "s/@VERSION@/$VERSION/g" \
-e "s/@KAPPEND@/$KAPPEND/g" \
-e "s/@C2RMH@/$C2RMH/g" \
+ -e "s/@C2RMS@/$C2RMS/g" \
> ${MENUROOTDIR}/menu_${LANCOD}.cfg
# Generate custom language selection submenu for selected keyboard:
@@ -750,7 +824,7 @@ function gen_uefimenu() {
GRUBDIR="$1"
- # Generate the grub menu structure - many files because of the selection tree.
+ # Generate the grub menu structure.
# I expect the directory to exist... but you never know.
mkdir -p ${GRUBDIR}
@@ -780,12 +854,13 @@ function gen_uefimenu() {
-e "s/@VERSION@/$VERSION/g" \
-e "s/@KAPPEND@/$KAPPEND/g" \
-e "s/@C2RMH@/$C2RMH/g" \
+ -e "s/@C2RMS@/$C2RMS/g" \
> ${GRUBDIR}/grub.cfg
# Set a default keyboard selection:
cat <<EOL > ${GRUBDIR}/kbd.cfg
# Keyboard selection:
-set default = $sl_lang
+set default = $sl_kbd
EOL
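Review bot: `$sl_kbd` sits in an unquoted here-document (`<<EOL`), so the build shell expands it when kbd.cfg is written. The `configfile \$prefix/...` lines elsewhere in this function escape the dollar to keep a GRUB variable literal. If `sl_kbd` is meant to be resolved by GRUB at boot, the line should be `set default = \$sl_kbd`. If it is a shell variable of the build script, a comment saying so would avoid the ambiguity. gen_uefimenu continues outside the hunk.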
@@ -831,6 +906,9 @@ EOL
done
# Create the timezone selection menu:
+ # Code used from Slackware script:
+ # source/a/glibc-zoneinfo/timezone-scripts/output-updated-timeconfig.sh
+ # Author: Patrick Volkerding <volkerdi@slackware.com>
TZDIR="/usr/share/zoneinfo"
TZLIST=$(mktemp -t alientz.XXXXXX)
if [ ! -f $TZLIST ]; then
@@ -838,38 +916,173 @@ EOL
cleanup
exit 1
fi
- # First, create a list of timezones:
- # This code taken from Slackware script:
- # source/a/glibc-zoneinfo/timezone-scripts/output-updated-timeconfig.sh
- # Author: Patrick Volkerding <volkerdi@slackware.com>
- # US/ first:
- ( cd $TZDIR
- find . -type f | xargs file | grep "timezone data" | cut -f 1 -d : | cut -f 2- -d / | sort | grep "^US/" | while read zone ; do
- echo "${zone}" >> $TZLIST
- done
- )
- # Don't list right/ and posix/ zones:
- ( cd $TZDIR
- find . -type f | xargs file | grep "timezone data" | cut -f 1 -d : | cut -f 2- -d / | sort | grep -v "^US/" | grep -v "^posix/" | grep -v "^right/" | while read zone ; do
- echo "${zone}" >> $TZLIST
- done
- )
- for TZ in $(cat $TZLIST); do
- # Add this entry to the keyboard selection menu:
+
+ # Structured tz select instead of dumping them all in one menu:
+ for TZ in US Africa America Asia Atlantic Australia Etc Europe Pacific; do
+ # First the submenu for this zone:
cat <<EOL >> ${GRUBDIR}/tz.cfg
-menuentry "${TZ}" {
- set sl_tz="$TZ"
+submenu "${TZ} >" {
+ configfile \$prefix/${TZ}/tz.cfg
+}
+
+EOL
+ # Then the locations for this zone:
+ mkdir ${GRUBDIR}/${TZ}
+ ( cd $TZDIR/$TZ
+ find . -type f | xargs file | grep "timezone data" | cut -f 1 -d : | cut -f2- -d / | sort | while read LOCN ; do
+ # Add this entry to the keyboard selection menu:
+ cat <<EOL >> ${GRUBDIR}/${TZ}/tz.cfg
+menuentry "${TZ}/${LOCN}" {
+ set sl_tz="${TZ}/${LOCN}"
export sl_tz
configfile \$prefix/grub.cfg
}
EOL
- rm -f $TZLIST
-
+ done
+ )
done
+ # Timezone data in rootdirectory follows:
+ ( cd $TZDIR
+ find . -type f -mindepth 1 -maxdepth 1 | xargs file | grep "timezone data" | cut -f 1 -d : | cut -f 2- -d / | sort | while read ZONE ; do
+ # Add this entry to the keyboard selection menu:
+ cat <<EOL >> ${GRUBDIR}/tz.cfg
+menuentry "${ZONE}" {
+ set sl_tz="$ZONE"
+ export sl_tz
+ configfile \$prefix/grub.cfg
+}
+
+EOL
+ done
+ )
} # End of gen_uefimenu()
+
+#
+# Add UEFI SecureBoot support:
+#
+function secureboot() {
+ # Liveslak uses Fedora's shim (for now), which is signed by
+ # 'Microsoft UEFI CA' and contains Fedora's CA certificate.
+ # We sign liveslak's grub and kernel with our own key/certificate pair.
+ # This means that the user of liveslak will have to enroll liveslak's
+ # public certificate via MokManager. This needs to be done only once.
+
+ # Note that we use the generic fallback directory /EFI/BOOT/ for the Live ISO
+ # instead of a custom distro entry for UEFI such as /EFI/BOOT/Slackware/
+ # When shim is booted with path /EFI/BOOT/bootx64.efi, and there is a
+ # Fallback binary (fbx64.efi) , shim will load that one instead of grub,
+ # so Fallback can create a NVRAM boot entry for a custom distro directory
+ # (which we do not have) causing a reset boot loop.
+ # This is why liveslak does not install fbx64.efi. A regular distro should
+ # install that file in its distro subdirectory!
+
+ SHIM_VENDOR="$1"
+ [ -z "${SHIM_VENDOR}" ] && SHIM_VENDOR="fedora"
+
+ case $SHIM_VENDOR in
+ opensuse) GRUB_SIGNED="grub.efi"
+ ;;
+ *) GRUB_SIGNED="grubx64.efi"
+ ;;
+ esac
+ mkdir -p ${LIVE_WORK}/shim
+ cd ${LIVE_WORK}/shim
+
+ echo "-- Signing grub+kernel with '${LIVE_STAGING}/EFI/BOOT/liveslak.pem'."
+ # Sign grub:
+ # The Grub EFI image must be renamed appropriately for shim to find it,
+ # since some distros change the default 'grubx64.efi' filename:
+ mv -i ${LIVE_STAGING}/EFI/BOOT/bootx64.efi \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/EFI/BOOT/${GRUB_SIGNED} \
+ ${LIVE_WORK}/shim/grubx64.efi.unsigned
+ # Sign the kernel:
+ mv ${LIVE_STAGING}/boot/generic ${LIVE_WORK}/shim/generic.unsigned
+ sbsign --key ${MOKPRIVKEY} --cert ${MOKCERT} \
+ --output ${LIVE_STAGING}/boot/generic \
+ ${LIVE_WORK}/shim/generic.unsigned
+
+ if [ "${SHIM_VENDOR}" = "fedora" ]; then
+ # The version of Fedora's shim package - always use the latest!
+ SHIM_MAJVER=15.6
+ SHIM_MINVER=2
+ SHIMSRC="https://kojipkgs.fedoraproject.org/packages/shim/${SHIM_MAJVER}/${SHIM_MINVER}/x86_64/shim-x64-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from Fedora."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 boot/efi/EFI/fedora/shimx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 boot/efi/EFI/fedora/mmx64.efi \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 boot/efi/EFI/BOOT/fbx64.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ elif [ "${SHIM_VENDOR}" = "opensuse" ]; then
+ SHIM_MAJVER=15.4
+ SHIM_MINVER=6.1
+ SHIMSRC="https://download.opensuse.org/repositories/openSUSE:/Factory/standard/x86_64/shim-${SHIM_MAJVER}-${SHIM_MINVER}.x86_64.rpm"
+ echo "-- Downloading/installing the SecureBoot signed shim from openSUSE."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O - \
+ | rpm2cpio - | cpio -dim
+ echo ""
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 usr/share/efi/x86_64/shim-opensuse.efi \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 usr/share/efi/x86_64/MokManager.efi \
+ ${LIVE_STAGING}/EFI/BOOT/MokManager.efi
+ #install -D -m0644 usr/share/efi/x86_64/fallback.efi \
+ # ${LIVE_STAGING}/EFI/BOOT/fallback.efi
+ elif [ "${SHIM_VENDOR}" = "debian" ]; then
+ DEBSHIM_VER=1.40
+ DEBMOKM_VER=1
+ SHIM_MAJVER=15.7
+ SHIM_MINVER=1
+ SHIMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-signed/shim-signed_${DEBSHIM_VER}+${SHIM_MAJVER}-${SHIM_MINVER}_amd64.deb"
+ MOKMSRC="http://ftp.de.debian.org/debian/pool/main/s/shim-helpers-amd64-signed/shim-helpers-amd64-signed_${DEBMOKM_VER}+${SHIM_MAJVER}+${SHIM_MINVER}_amd64.deb"
+ echo "-- Downloading the SecureBoot signed shim from Debian."
+ wget -q --progress=dot:mega --show-progress ${SHIMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed shim to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${SHIMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/shimx64.efi.signed
+ echo "-- Downloading the SecureBoot signed mokmanager from Debian."
+ wget -q --progress=dot:mega --show-progress ${MOKMSRC}
+ echo ""
+ echo "-- Installing the SecureBoot signed mokmanager to the ESP."
+ # Extract discarding any directory structure:
+ ar p $(basename ${MOKMSRC}) data.tar.xz | tar --xform='s#^.+/##x' -Jxf - \
+ ./usr/lib/shim/fbx64.efi.signed ./usr/lib/shim/mmx64.efi.signed
+ # Install signed efi files into UEFI BOOT directory of the esp partition:
+ # The name of the shim in the ISO, *must* be 'bootx64.efi':
+ install -D -m0644 ./shimx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/bootx64.efi
+ install -D -m0644 ./mmx64.efi.signed \
+ ${LIVE_STAGING}/EFI/BOOT/mmx64.efi
+ #install -D -m0644 ./fbx64.efi.signed \
+ # ${LIVE_STAGING}/EFI/BOOT/fbx64.efi
+ else
+ echo ">> A '${SHIM_VENDOR}' shim was requested, but only 'opensuse' 'fedora' or 'debian' shim/mokmanager are supported."
+ echo ">> Expect trouble ahead."
+ fi
+ cd - 1>/dev/null
+
+ ## Write CSV file for the Fallback EFI program so that it knows what to boot:
+ #echo -n "bootx64.efi,SHIM,,SecureBoot UEFI entry for liveslak" \
+ # | iconv -t UCS-2 > ${LIVE_STAGING}/EFI/BOOT/BOOT.CSV
+
+ # Cleanup:
+ rm -rf ${LIVE_WORK}/shim
+
+} # End of secureboot()
+
#
# Create an ISO file from a directory's content:
#
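Review bot: In secureboot(), the shim and MokManager packages are fetched with `wget` and unpacked at once (`rpm2cpio - | cpio -dim`, `ar p ... | tar`), with no checksum or package-signature check and no test of the download's exit status; the Debian URLs are also plain `http://`. With SecureBoot enabled the firmware should still refuse a shim that is not validly signed, but a truncated or substituted download is then only noticed at boot time, and the archive has already been unpacked by the build script. Pinning a SHA-256 next to each `SHIM_MAJVER`/`SHIM_MINVER` pair and verifying it before extraction closes that gap; the sketch below covers the Fedora branch, and the openSUSE and Debian branches need the same. Separately, the final `else` only prints a warning after `bootx64.efi` has been moved to the work directory, so an unsupported vendor leaves the ISO without a boot loader at that path; exiting there would be safer.

```shell
    # … unchanged: SHIM_MAJVER, SHIM_MINVER, SHIMSRC …
    # Placeholder value: SHA-256 of exactly this shim package, as published by the vendor.
    SHIMSUM="REPLACE_WITH_VENDOR_SHA256"
    echo "-- Downloading/installing the SecureBoot signed shim from Fedora."
    if ! wget -q --progress=dot:mega --show-progress ${SHIMSRC} -O shim.rpm ; then
      echo ">> Download of the shim failed."
      cleanup
      exit 1
    fi
    if ! echo "${SHIMSUM}  shim.rpm" | sha256sum -c --status - ; then
      echo ">> Checksum mismatch for the downloaded shim, not installing it."
      cleanup
      exit 1
    fi
    rpm2cpio shim.rpm | cpio -dim
    # … unchanged: install of shimx64.efi and mmx64.efi into EFI/BOOT …
```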
@@ -1026,7 +1239,14 @@ EOT
# Now set our wallpaper to be the default. For this to work, we need to link
# the name of the default theme to ours, so find out what the default is:
- DEF_THEME="$(grep ^defaultWallpaperTheme ${LIVE_ROOTDIR}/usr/share/plasma/desktoptheme/default/metadata.desktop |cut -d= -f2-)"
+ if [ -f "${LIVE_ROOTDIR}/usr/share/plasma/desktoptheme/default/metadata.desktop" ]; then
+ # Frameworks before 5.94.0:
+ THEMEFIL=/usr/share/plasma/desktoptheme/default/metadata.desktop
+ else
+ # Frameworks 5.94.0 and newer:
+ THEMEFIL=/usr/share/plasma/desktoptheme/default/plasmarc
+ fi
+ DEF_THEME="$(grep ^defaultWallpaperTheme ${LIVE_ROOTDIR}/${THEMEFIL} |cut -d= -f2-)"
mv ${LIVE_ROOTDIR}/usr/share/wallpapers/${DEF_THEME}{,.orig}
ln -s ${LIVEDE,,} ${LIVE_ROOTDIR}/usr/share/wallpapers/${DEF_THEME}
@@ -1051,19 +1271,31 @@ FillMode=2
Image=file:///usr/share/${LIVEMAIN}/${LIVEDE,,}/background.jpg
EOT
+# Is a dark theme requested to match the background atmosphere?
+if [ -f ${LIVE_TOOLDIR}/media/${LIVEDE,,}/bg/theme ]; then
+ if [ "$(grep -v '^#' ${LIVE_TOOLDIR}/media/${LIVEDE,,}/bg/theme)" == "dark" ]
+ then
+ mkdir -p ${LIVE_ROOTDIR}/home/${LIVEUID}/.config
+ cat <<EOT > ${LIVE_ROOTDIR}/home/${LIVEUID}/.config/plasmarc
+[Theme]
+name=breeze-dark
+EOT
+ fi
+fi
+
} # End of plasma5_custom_bg()
# ---------------------------------------------------------------------------
# Action!
# ---------------------------------------------------------------------------
-while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:X" Option
+while getopts "a:c:d:efhl:m:r:s:t:vz:CGH:MO:R:S:X" Option
do
case $Option in
h )
- echo "----------------------------------------------------------------"
- echo "make_slackware_live.sh $VERSION"
- echo "----------------------------------------------------------------"
+ echo "----------------------------------------------------------------"
+ echo "make_slackware_live.sh $VERSION"
+ echo "----------------------------------------------------------------"
echo "Usage:"
echo " $0 [OPTION] ..."
echo "or:"
@@ -1083,6 +1315,7 @@ do
echo " KTOWN, MATE, CINNAMON, DLACK, STUDIOWARE."
echo " -e Use ISO boot-load-size of 32 for computers."
echo " where the ISO won't boot otherwise."
+ echo " Default value is ${BOOTLOADSIZE}."
echo " -f Forced re-generation of all squashfs modules,"
echo " custom configurations and new initrd.img."
echo " -l <localization> Enable a different default localization"
@@ -1090,16 +1323,19 @@ do
echo " -m pkglst[,pkglst] Add modules defined by pkglists/<pkglst>,..."
echo " -r series[,series] Refresh only one or a few package series."
echo " -s slackrepo_dir Directory containing ${DISTRO^} repository."
- echo " -t <none|doc|mandoc|bloat>"
+ echo " -t <none|doc|mandoc|waste|bloat>"
echo " Trim the ISO (remove man and/or doc and/or bloat)."
echo " -v Show debug/error output."
echo " -z version Define your ${DISTRO^} version (default: $SL_VERSION)."
echo " -C Add RAM-based Console OS to boot menu."
- echo " -G Generate ISO file from existing directory tree"
+ echo " -G Generate ISO file from existing directory tree."
echo " -H hostname Hostname of the Live OS (default: $LIVE_HOSTNAME)."
echo " -M Add multilib (x86_64 only)."
echo " -O outfile Custom filename for the ISO."
echo " -R runlevel Runlevel to boot into (default: $RUNLEVEL)."
+ echo " -S privkey:cert Enable SecureBoot support and sign binaries"
+ echo " using the full path to colon-separated"
+ echo " private key and certificate files"
echo " -X Use xorriso instead of mkisofs/isohybrid."
exit
;;
@@ -1120,6 +1356,7 @@ do
r ) REFRESH="${OPTARG}"
;;
s ) SL_REPO="${OPTARG}"
+ DEF_SL_REPO="${SL_REPO}"
;;
t ) TRIM="${OPTARG}"
;;
@@ -1140,6 +1377,12 @@ do
;;
R ) RUNLEVEL=${OPTARG}
;;
+ S ) MOKPRIVKEY=$(readlink -f $(echo ${OPTARG} |cut -d: -f1))
+ MOKCERT=$(readlink -f $(echo ${OPTARG} |cut -d: -f2))
+ TEMP_3RDP=$(echo ${OPTARG} |cut -d: -f3)
+ [ -n "${TEMP_3RDP}" ] && SHIM_3RDP=${TEMP_3RDP}
+ unset TEMP_3RDP
+ ;;
X ) USEXORR="YES"
;;
* ) echo "You passed an illegal switch to the program!"
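Review bot: In the new `S )` case an argument without a colon is not rejected. `cut -d: -f1`, `-f2` and `-f3` all return the whole string when the delimiter is absent, so `MOKPRIVKEY` and `MOKCERT` point at the same file and `SHIM_3RDP` is set to that path. Checking the shape first would catch this, e.g. `case "${OPTARG}" in *:*) ;; *) echo ">> -S needs privkey:cert"; exit 1 ;; esac`. Quoting the expansions (`readlink -f "$(echo "${OPTARG}" |cut -d: -f1)"`) would keep paths with spaces intact. The optional third field that selects the shim vendor is not mentioned in the `-S privkey:cert` help text added earlier in this commit.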
@@ -1184,6 +1427,16 @@ if [ "$SL_ARCH" != "x86_64" -a "$MULTILIB" = "YES" ]; then
exit 1
fi
+if [ -n "${MOKPRIVKEY}" ] && [ -n "${MOKCERT}" ]; then
+ if [ -f ${MOKPRIVKEY} ] && [ -f ${MOKCERT} ]; then
+ echo "-- Enabling SecureBoot support (${SHIM_3RDP} shim)."
+ SECUREBOOT=1
+ else
+ echo ">> SecureBoot can not be enabled; MOK key and/or cert not found."
+ exit 1
+ fi
+fi
+
# Determine which module sequence we have to build:
case "$LIVEDE" in
SLACKWARE) MSEQ="${SEQ_SLACKWARE}" ;;
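Review bot: When `-S` was given but `readlink -f` returned an empty string (for instance because the directory of the key file does not exist), the outer `[ -n "${MOKPRIVKEY}" ] && [ -n "${MOKCERT}" ]` test is false. The script then continues without SecureBoot and without any message, so the requested signing is silently skipped. Recording that `-S` was used and failing when either value is empty would surface the mistake. The inner test should quote the paths: `if [ -f "${MOKPRIVKEY}" ] && [ -f "${MOKCERT}" ]; then`. Because this file is the private signing key, a check that it is not group- or world-readable would fit here as well.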
@@ -1204,20 +1457,18 @@ case "$LIVEDE" in
;;
esac
-if [ "${CORE2RAM}" == "YES" ] || [ "${LIVEDE}" == "XFCE" ] || [ "${LIVEDE}" == "LEAN" ] || [ "${LIVEDE}" == "DAW" ] ; then
- # For now, allow CORE2RAM only for the variants that actually
- # have the required modules in their system list.
- # TODO: create these modules separately in the 'core2ram' subdirectory.
- for MY_MOD in ${CORE2RAMMODS} ; do
- if ! echo ${MSEQ} | grep -wq ${MY_MOD} ; then
- echo ">> Modules required for Core RAM-based OS (${CORE2RAMMODS}) not available."
- exit 1
- fi
- done
- # Whether to hide the Core OS menu on boot yes or no:
- C2RMH="#"
+if [ "${MSEQ#pkglist:${CORE2RAMMODS/ /,}}" != "${MSEQ}" ]; then
+ # This live ISO contains core2ram modules out of the box:
+ echo "-- Native core2ram."
+ CORE2RAM="NATIVE"
+fi
+if [ "${CORE2RAM}" != "NO" ]; then
+ # Whether to show the Core OS menu in syslinux/grub on boot yes/no:
+ C2RMH="#" # syslinux
+ C2RMS="" # grub
else
- C2RMH=""
+ C2RMH="" # syslinux
+ C2RMS="#" # grub
fi
if ! cat ${LIVE_TOOLDIR}/languages |grep -Ev '(^ *#|^$)' |grep -q ^${DEF_LANG}:
@@ -1260,7 +1511,11 @@ DEF_SL_PATCHROOT=${SL_PATCHROOT}
# Are all the required add-on tools present?
[ "$USEXORR" = "NO" ] && ISOGEN="mkisofs isohybrid" || ISOGEN="xorriso"
PROG_MISSING=""
-for PROGN in mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync mkdosfs ; do
+REQTOOLS="mksquashfs unsquashfs grub-mkfont grub-mkimage syslinux $ISOGEN installpkg upgradepkg keytab-lilo rsync wget mkdosfs"
+if [ $SECUREBOOT -eq 1 ]; then
+ REQTOOLS="${REQTOOLS} openssl sbsign"
+fi
+for PROGN in ${REQTOOLS} ; do
if ! which $PROGN 1>/dev/null 2>/dev/null ; then
PROG_MISSING="${PROG_MISSING}-- $PROGN\n"
fi
@@ -1304,20 +1559,30 @@ else
RSYNCREP=" "
fi
-# What to trim from the ISO file (none, doc, mandoc, bloat):
+# What to trim from the ISO file (none, doc, mandoc, waste, bloat):
if [ "${LIVEDE}" == "XFCE" ] ; then
- TRIM=${TRIM:-"bloat"}
+ TRIM=${TRIM:-"waste"}
elif [ "${LIVEDE}" == "LEAN" ] ; then
TRIM=${TRIM:-"doc"}
else
TRIM=${TRIM:-"none"}
fi
+# Determine additional boot parameters to be added:
+if [ -z "${KAPPEND}" ]; then
+ eval KAPPEND=\$KAPPEND_${LIVEDE}
+fi
+
# Determine possible blacklist to use:
if [ -z "${BLACKLIST}" ]; then
eval BLACKLIST=\$BLACKLIST_${LIVEDE}
fi
+# Determine possible package list from 'testing' to use:
+if [ -z "${TESTINGLIST}" ]; then
+ eval TESTINGLIST=\$TESTINGLIST_${LIVEDE}
+fi
+
# Create output directory for image file:
mkdir -p "${OUTPUT}"
if [ $? -ne 0 ]; then
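Review bot: The two added lookups for `KAPPEND` and `TESTINGLIST` copy the existing `eval BLACKLIST=\$BLACKLIST_${LIVEDE}` pattern, which passes `${LIVEDE}` through `eval` and so re-parses its value as shell code. The script already relies on bash features, so indirect expansion gives the same result without `eval`, for example `KAPPEND_VAR="KAPPEND_${LIVEDE}"; KAPPEND="${!KAPPEND_VAR}"`. How `LIVEDE` is validated before this point is not visible in the hunk.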
@@ -1377,6 +1642,18 @@ RODIRS="${LIVE_BOOT}"
# Create the verification file for the install_pkgs function:
echo "${THEDATE} (${BUILDER})" > ${LIVE_BOOT}/${MARKER}
+# Do we need to add core2ram modules:
+if [ "$CORE2RAM" == "YES" ]; then
+ echo "-- Adding core2ram."
+ MSEQ="pkglist:${CORE2RAMMODS/ /,} ${MSEQ}"
+fi
+
+# Do we need to include secureboot module?
+if [ $SECUREBOOT -eq 1 ]; then
+ echo "-- Adding secureboot module."
+ MSEQ="${MSEQ} pkglist:secureboot"
+fi
+
# Do we need to create/include additional module(s) defined by a pkglist:
if [ -n "$SEQ_ADDMOD" ]; then
echo "-- Adding ${SEQ_ADDMOD}."
@@ -1410,6 +1687,10 @@ for MSUBSEQ in ${MSEQ} ; do
local) MNUM="0030" ;;
*) echo "** Unknown package source '$MTYPE'"; exit 1 ;;
esac
+ # For an explicitly added core2ram module, re-assign a lower prefix:
+ if [ "$CORE2RAM" == "YES" ] && [ "${SL_SERIES}" == "${CORE2RAMMODS}" ]; then
+ MNUM="0005"
+ fi
for SPS in ${SL_SERIES} ; do
@@ -1434,7 +1715,7 @@ for SPS in ${SL_SERIES} ; do
install_pkgs ${SPS} ${LIVE_ROOTDIR} ${MTYPE}
umount ${LIVE_ROOTDIR} || true
- if [ "$SPS" = "a" -o "$SPS" = "${MINLIST}" ]; then
+ if [ "$SPS" = "a" -a "$CORE2RAM" = "NO" ] || [ "$SPS" = "${MINLIST}" ]; then
# We need to take care of a few things first:
if [ "$SL_ARCH" = "x86_64" -o "$SMP32" = "NO" ]; then
@@ -1526,6 +1807,7 @@ sed -e "s/^\(127.0.0.1\t*\)darkstar.*/\1${LIVE_HOSTNAME}.home.arpa ${LIVE_HOSTNA
cat <<EOT >> ${LIVE_ROOTDIR}/etc/resolv.conf
nameserver 8.8.4.4
nameserver 8.8.8.8
+nameserver 1.1.1.1
EOT
@@ -1543,7 +1825,7 @@ echo "LANG=${DEF_LOCALE}" > ${LIVE_ROOTDIR}/etc/locale.conf
echo "KEYMAP=${DEF_KBD}" > ${LIVE_ROOTDIR}/etc/vconsole.conf
# Set timezone to UTC, mimicking the 'timeconfig' script in Slackware:
-ln -s /usr/share/zoneinfo/UTC ${LIVE_ROOTDIR}/etc/localtime
+ln -sf /usr/share/zoneinfo/UTC ${LIVE_ROOTDIR}/etc/localtime
# Could be absent so 'rm -f' to avoid script aborts:
rm -f ${LIVE_ROOTDIR}/etc/localtime-copied-from
@@ -1618,6 +1900,16 @@ none / tmpfs defaults 1 1
EOT
+# Pipewire 1.0.0 is capable of replacing pulseaudio and jack2:
+if chroot ${LIVE_ROOTDIR} /usr/bin/pkg-config libpipewire-0.3 --atleast-version=1
+then
+ # Make pipewire the default, kill pulseaudio:
+ if [ -x ${LIVE_ROOTDIR}/usr/sbin/pipewire-enable.sh ]; then
+ echo "-- Enabling pipewire"
+ chroot ${LIVE_ROOTDIR} /usr/sbin/pipewire-enable.sh
+ fi
+fi
+
# Prevent loop devices (sxz modules) from appearing in filemanagers:
mkdir -p ${LIVE_ROOTDIR}/etc/udev/rules.d
cat <<EOL > ${LIVE_ROOTDIR}/etc/udev/rules.d/11-local.rules
@@ -1671,9 +1963,20 @@ fi
# Configure sudoers:
chmod 640 ${LIVE_ROOTDIR}/etc/sudoers
+# Slackware 14.2:
sed -i ${LIVE_ROOTDIR}/etc/sudoers -e 's/# *\(%wheel\sALL=(ALL)\sALL\)/\1/'
+# Slackware 15.0:
+sed -i ${LIVE_ROOTDIR}/etc/sudoers -e 's/# *\(%wheel\sALL=(ALL:ALL)\sALL\)/\1/'
chmod 440 ${LIVE_ROOTDIR}/etc/sudoers
+# Also treat members of the 'wheel' group as admins next to root:
+mkdir -p ${LIVE_ROOTDIR}/etc/polkit-1/rules.d
+cat <<EOT > ${LIVE_ROOTDIR}/etc/polkit-1/rules.d/10-wheel-admin.rules
+polkit.addAdminRule(function(action, subject) {
+ return ["unix-group:wheel"];
+});
+EOT
+
# Add some convenience to the bash shell:
mkdir -p ${LIVE_ROOTDIR}/etc/skel/
cat << "EOT" > ${LIVE_ROOTDIR}/etc/skel/.bashrc
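Review bot: Both `sed -i` edits rewrite `${LIVE_ROOTDIR}/etc/sudoers` in place and nothing checks the result, so a pattern that matches unexpectedly, or a malformed file, is only noticed in the running Live OS. A syntax check after the `chmod 440`, such as `chroot ${LIVE_ROOTDIR} /usr/sbin/visudo -c`, would catch that at build time; the same applies to the `sudoers.d/kdesu` drop-in written in a later hunk. The relocated polkit rule makes every member of `wheel` an administrator for polkit prompts, and its comment would benefit from one sentence on why that is wanted in the base image rather than only in the X configuration.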
@@ -1778,7 +2081,7 @@ EOT
-i ${LIVE_ROOTDIR}/etc/NetworkManager/conf.d/00-dhcp-client.conf
else
- # Use Slackware's own network configurion routing for eth0 in the base image:
+ # Use Slackware's own network configuration routing for eth0 in base image:
cat <<EOT > ${LIVE_ROOTDIR}/etc/rc.d/rc.inet1.conf
IFNAME[0]="eth0"
IPADDR[0]=""
@@ -1813,6 +2116,10 @@ EOT
echo "-- Creating slackpkg cache, takes a few seconds..."
chroot "${LIVE_ROOTDIR}" /bin/bash <<EOSL 2>${DBGOUT}
+# Rebuild SSL certificate database to prevent GPG verification errors
+# which are in fact triggered by SSL certificate errors:
+/usr/sbin/update-ca-certificates --fresh 1>/dev/null
+
if [ -f var/log/packages/slackpkg+-* ] ; then
cat <<EOPL > etc/slackpkg/slackpkgplus.conf
SLACKPKGPLUS=on
@@ -1823,7 +2130,7 @@ WGETOPTS="--timeout=20 --tries=2"
GREYLIST=on
PKGS_PRIORITY=( restricted alienbob ktown mate )
REPOPLUS=( slackpkgplus restricted alienbob ktown mate )
-MIRRORPLUS['slackpkgplus']=http://slakfinder.org/slackpkg+/
+MIRRORPLUS['slackpkgplus']=https://slackware.nl/slackpkgplus/
MIRRORPLUS['restricted']=http://slackware.nl/people/alien/restricted_sbrepos/${SL_VERSION}/${SL_ARCH}/
MIRRORPLUS['alienbob']=http://slackware.nl/people/alien/sbrepos/${SL_VERSION}/${SL_ARCH}/
MIRRORPLUS['mate']=http://slackware.uk/msb/${SL_VERSION}/latest/${SL_ARCH}/
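Review bot: Only the `slackpkgplus` mirror is moved to https here; the `restricted` and `alienbob` entries just below stay on `http://slackware.nl/...` although the new line shows that host being reached over TLS. Switching those two (and `mate`, if that host offers it) would keep repository metadata and key downloads from travelling in clear text. If plain http is kept on purpose, a comment stating that integrity relies on the packages' GPG signatures would document the decision. The heredoc that holds these lines starts outside this hunk.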
@@ -1850,8 +2157,8 @@ if [ "${SL_VERSION}" = "current" ]; then
touch /var/lib/slackpkg/current
fi
-ARCH=${SL_ARCH} /usr/sbin/slackpkg -batch=on update gpg
-ARCH=${SL_ARCH} /usr/sbin/slackpkg -batch=on update
+ARCH=${SL_ARCH} /usr/sbin/slackpkg -batch=on -default_answer=y update gpg
+ARCH=${SL_ARCH} /usr/sbin/slackpkg -batch=on -default_answer=y update
# Let any lingering .new files replace their originals:
yes o | ARCH=${SL_ARCH} /usr/sbin/slackpkg new-config
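Review bot: Adding `-default_answer=y` to `slackpkg -batch=on update gpg` means any question raised while importing repository keys is answered with yes, so the keys fetched at build time are trusted without review. Together with the `http://` mirrors configured earlier in this heredoc, that makes the key download the weakest link of the package trust chain in the resulting image. Consider a comment explaining why unattended acceptance is acceptable here, or a comparison of the imported key fingerprints against values kept in the liveslak tree before the second `update` runs.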
@@ -1859,7 +2166,7 @@ EOSL
# Add our scripts to the Live OS:
mkdir -p ${LIVE_ROOTDIR}/usr/local/sbin
-install -m0755 ${LIVE_TOOLDIR}/makemod ${LIVE_TOOLDIR}/iso2usb.sh ${LIVE_TOOLDIR}/upslak.sh ${LIVE_ROOTDIR}/usr/local/sbin/
+install -m0755 ${LIVE_TOOLDIR}/makemod ${LIVE_TOOLDIR}/iso2usb.sh ${LIVE_TOOLDIR}/isocomp.sh ${LIVE_TOOLDIR}/upslak.sh ${LIVE_ROOTDIR}/usr/local/sbin/
# Add PXE Server infrastructure:
mkdir -p ${LIVE_ROOTDIR}/var/lib/tftpboot/pxelinux.cfg
@@ -1878,6 +2185,7 @@ cat ${LIVE_TOOLDIR}/pxeserver.tpl | sed \
-e "s/@LIVEDE@/$LIVEDE/g" \
-e "s/@LIVEMAIN@/$LIVEMAIN/g" \
-e "s/@MARKER@/$MARKER/g" \
+ -e "s/@KAPPEND@/$KAPPEND/g" \
-e "s/@SL_VERSION@/$SL_VERSION/g" \
-e "s/@VERSION@/$VERSION/g" \
> ${LIVE_ROOTDIR}/usr/local/sbin/pxeserver
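Review bot: `@KAPPEND@` is substituted with `/` as the sed delimiter, but kernel parameters commonly contain `/` (device or file paths) and may contain `&`, either of which breaks or silently alters this expression. A delimiter that is unlikely to appear in boot parameters, e.g. `-e "s|@KAPPEND@|$KAPPEND|g"`, together with escaping of `&`, would be safer; the values `KAPPEND` can take are set outside this hunk. The `cat ... | sed` pipeline begins outside this hunk.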
@@ -1953,7 +2261,7 @@ if [ -f ${DEF_SL_PKGROOT}/../isolinux/initrd.img ]; then
-e '/.\/var\/log\/setup\/$SCRIPT $T_PX $ROOT_DEVICE/i # Skip stuff that was taken care of by liveslak\nif [ -f $TMP/SeTlive ] && echo $SCRIPT |grep -qE "(make-bootdisk|mouse|setconsolefont|xwmconfig)"; then true; else' \
-e '/.\/var\/log\/setup\/$SCRIPT $T_PX $ROOT_DEVICE/a fi'
# Add the Slackware Live HD installer scripts:
- for USCRIPT in SeTuacct SeTudiskpart SeTumedia SeTupass SeTpasswd setup.liveslak setup.slackware ; do
+ for USCRIPT in SeTuacct SeTudiskpart SeTumedia SeTupass SeTpasswd SeTfirewall rc.firewall setup.liveslak setup.slackware ; do
cat ${LIVE_TOOLDIR}/setup2hd/${USCRIPT}.tpl | sed \
-e "s/@DIRSUFFIX@/$DIRSUFFIX/g" \
-e "s/@DISTRO@/$DISTRO/g" \
@@ -2018,7 +2326,7 @@ mkdir -p ${LIVE_ROOTDIR}/usr/doc/liveslak-${VERSION}
install -m0644 ${LIVE_TOOLDIR}/README* ${LIVE_ROOTDIR}/usr/doc/liveslak-${VERSION}/
mkdir -p ${LIVE_ROOTDIR}/usr/doc/${DISTRO}${DIRSUFFIX}-${SL_VERSION}
install -m0644 \
- ${DEF_SL_PKGROOT}/../{CHANGES_AND_HINTS,COPY,README,RELEASE_NOTES,*HOWTO}* \
+ ${DEF_SL_PKGROOT}/../{ANNOUNCE,CHANGES_AND_HINTS,COPY,CRYPTO,README,RELEASE_NOTES,SPEAK,*HOWTO,UPGRADE}* \
${DEF_SL_PKGROOT}/../usb-and-pxe-installers/README* \
${LIVE_ROOTDIR}/usr/doc/${DISTRO}${DIRSUFFIX}-${SL_VERSION}/
@@ -2029,14 +2337,6 @@ echo "-- Configuring the X base system."
# Reduce the number of local consoles, two should be enough:
sed -i -e '/^c3\|^c4\|^c5\|^c6/s/^/# /' ${LIVE_ROOTDIR}/etc/inittab
-# Also treat members of the 'wheel' group as admins next to root:
-mkdir -p ${LIVE_ROOTDIR}/etc/polkit-1/rules.d
-cat <<EOT > ${LIVE_ROOTDIR}/etc/polkit-1/rules.d/10-wheel-admin.rules
-polkit.addAdminRule(function(action, subject) {
- return ["unix-group:wheel"];
-});
-EOT
-
# Give the 'live' user a face:
if [ -f "${LIVE_TOOLDIR}/media/${LIVEDE,,}/icons/default.png" ]; then
# Use custom face icon if available for the Live variant:
@@ -2071,9 +2371,10 @@ fi
# missing modules:
echo "mode: blank" > ${LIVE_ROOTDIR}/home/${LIVEUID}/.xscreensaver
-# Make the EmojiOne TTF font universally available:
-mkdir -p ${LIVE_ROOTDIR}/etc/fonts
-cat << EOT > ${LIVE_ROOTDIR}/etc/fonts/local.conf
+if [ -x ${LIVE_ROOTDIR}/usr/bin/fc-cache ]; then
+ # Make the EmojiOne TTF font universally available:
+ mkdir -p ${LIVE_ROOTDIR}/etc/fonts
+ cat << EOT > ${LIVE_ROOTDIR}/etc/fonts/local.conf
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<!-- /etc/fonts/local.conf file to customize system font access -->
@@ -2082,7 +2383,8 @@ cat << EOT > ${LIVE_ROOTDIR}/etc/fonts/local.conf
<dir>/usr/lib${DIRSUFFIX}/firefox/fonts</dir>
</fontconfig>
EOT
-chroot ${LIVE_ROOTDIR} fc-cache -f
+ chroot ${LIVE_ROOTDIR} fc-cache -f
+fi
# Allow direct scanning via xsane (no temporary intermediate files) in Gimp:
if [ ! -L ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/gimp/2.0/plug-ins/xsane ]; then
@@ -2152,12 +2454,36 @@ for SKEL in ${LIVE_TOOLDIR}/skel/skel*.txz ; do
done
if [ "$LIVEDE" = "XFCE" ]; then
- # Since the XFCE ISO no longer has xpdf, use Firefox as the PDF viewer:
+ # Since the XFCE ISO no longer has xpdf, use Firefox as the PDF viewer
+ # if that is present:
mkdir -p ${LIVE_ROOTDIR}/etc/skel/.config
- cat << EOF > ${LIVE_ROOTDIR}/etc/skel/.config/mimeapps.list
+ if [ -f ${LIVE_ROOTDIR}/usr/bin/firefox ]; then
+ cat << EOF > ${LIVE_ROOTDIR}/etc/skel/.config/mimeapps.list
[Default Applications]
application/pdf=mozilla-firefox.desktop
EOF
+ else
+ # If firefox is not present, we hope that seamonkey is there;
+ # you won't have a PDF viewer in that case unfortunately, but you could
+ # download https://github.com/IsaacSchemm/pdf.js-seamonkey :
+ cat << EOF > ${LIVE_ROOTDIR}/etc/skel/.config/mimeapps.list
+[Default Applications]
+x-scheme-handler/http=seamonkey.desktop
+x-scheme-handler/https=seamonkey.desktop
+x-scheme-handler/ftp=seamonkey.desktop
+x-scheme-handler/chrome=seamonkey.desktop
+x-scheme-handler/mailto=seamonkey-mail.desktop
+text/html=seamonkey.desktop
+
+[Added Associations]
+x-scheme-handler/http=xfce4-web-browser.desktop;seamonkey.desktop;
+x-scheme-handler/https=xfce4-web-browser.desktop;seamonkey.desktop;
+x-scheme-handler/ftp=seamonkey.desktop;
+x-scheme-handler/chrome=seamonkey.desktop;
+x-scheme-handler/mailto=seamonkey.desktop;
+text/html=seamonkey.desktop;
+EOF
+ fi
fi
@@ -2271,14 +2597,14 @@ EOT
fi # End KDE4
-# Only configure for Plasma5 if it is actually installed:
-if [ -d ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/kf5 ]; then
+# Only configure for KDE Plasma if it is actually installed:
+if [ -d ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/libexec/kf5 ] || [ -d ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/libexec/kf6 ] ; then
# -------------------------------------------------------------------------- #
- echo "-- Configuring Plasma5."
+ echo "-- Configuring Plasma Desktop."
# -------------------------------------------------------------------------- #
- # This section is for any Plasma5 based variant.
+ # This section is for any Plasma based variant.
# Install a custom login/desktop/lock background if an image is present:
plasma5_custom_bg
@@ -2287,7 +2613,7 @@ if [ -d ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/kf5 ]; then
rm -f ${LIVE_ROOTDIR}/usr/share/xsessions/openbox-session.desktop || true
# Remove the buggy mediacenter session:
rm -f ${LIVE_ROOTDIR}/usr/share/xsessions/plasma-mediacenter.desktop || true
- # Remove non-functional wayland session:
+ # Remove non-functional Qt5 wayland session:
if [ ! -f ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/qt5/bin/qtwaylandscanner ];
then
rm -f ${LIVE_ROOTDIR}/usr/share/wayland-sessions/plasmawayland.desktop || true
@@ -2300,6 +2626,12 @@ if [ -d ${LIVE_ROOTDIR}/usr/lib${DIRSUFFIX}/kf5 ]; then
# Set the OS name to "Slackware Live" in "System Information":
echo "Name=${DISTRO^} Live" >> ${LIVE_ROOTDIR}/etc/kde/xdg/kcm-about-distrorc
+ # Use os-release's VERSION (default=false means: use VERSION_ID)
+ echo "UseOSReleaseVersion=true" >> ${LIVE_ROOTDIR}/etc/kde/xdg/kcm-about-distrorc
+ if [ "${SL_VERSION}" = "current" ]; then
+ # Some more detail on development release:
+ echo "Variant=Post-stable development (-current)" >> ${LIVE_ROOTDIR}/etc/kde/xdg/kcm-about-distrorc
+ fi
# Set sane SDDM defaults on first boot (root-owned file):
mkdir -p ${LIVE_ROOTDIR}/var/lib/sddm
@@ -2327,6 +2659,18 @@ EOT
super-user-command=sudo
KDESU_EOF
+ # For the above to work in Plasma with newer versions of sudo (since 2022),
+ # we need the following also. KDE fixed this in git on 04-aug-2023, see
+ # https://bugs.kde.org/show_bug.cgi?id=452532 but it does not hurt to have
+ # it here, and it helps to support older KDE releases:
+ if [ -x ${LIVE_ROOTDIR}/usr/lib*/libexec/kf5/kdesu_stub ]; then
+ mkdir -p ${LIVE_ROOTDIR}/etc/sudoers.d
+ chmod 750 ${LIVE_ROOTDIR}/etc/sudoers.d
+ cat <<KDESU_EOF2 >${LIVE_ROOTDIR}/etc/sudoers.d/kdesu
+Defaults!/usr/lib*/libexec/kf5/kdesu_stub !use_pty
+KDESU_EOF2
+ fi
+
# Set akonadi backend:
cat <<AKONADI_EOF >${LIVE_ROOTDIR}/etc/skel/.config/akonadi/akonadiserverrc
[%General]
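Review bot: `[ -x ${LIVE_ROOTDIR}/usr/lib*/libexec/kf5/kdesu_stub ]` depends on the glob matching exactly one path; with matches under both `lib` and `lib64` the test receives too many arguments and fails, and it only looks for `kf5` although the surrounding Plasma block is now entered for `kf6` as well. Using `usr/lib${DIRSUFFIX}` as the rest of the script does would remove the glob from the test. The drop-in is also created with whatever umask the build runs under, so an explicit `chmod 440 ${LIVE_ROOTDIR}/etc/sudoers.d/kdesu` after the heredoc is advisable, since sudo checks sudoers file permissions.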
@@ -2389,8 +2733,9 @@ Zonetab=/usr/share/zoneinfo/zone.tab
EOTZ
# Make sure that Plasma and SDDM work on older GPUs,
- # by forcing Qt5 to use software GL rendering:
- cat <<"EOGL" >> ${LIVE_ROOTDIR}/usr/share/sddm/scripts/Xsetup
+ # by forcing Qt to use software GL rendering:
+ if ! grep -q QT_XCB_FORCE_SOFTWARE_OPENGL ${LIVE_ROOTDIR}/usr/share/sddm/scripts/Xsetup ; then
+ cat <<"EOGL" >> ${LIVE_ROOTDIR}/usr/share/sddm/scripts/Xsetup
OPENGL_VERSION=$(LANG=C glxinfo |grep '^OpenGL version string: ' |head -n 1 |sed -e 's/^OpenGL version string: \([0-9]\).*$/\1/g')
if [ "$OPENGL_VERSION" -lt 2 ]; then
@@ -2399,11 +2744,24 @@ if [ "$OPENGL_VERSION" -lt 2 ]; then
fi
EOGL
+ fi
+
+ # Make Wayland instead of X11 the default for SDDM;
+ # leave commented-out for now:
+ mkdir -p ${LIVE_ROOTDIR}/etc/sddm.conf.d
+ cat << EOW > ${LIVE_ROOTDIR}/etc/sddm.conf.d/plasma-wayland.conf
+#[General]
+#DisplayServer=wayland
+#GreeterEnvironment=QT_WAYLAND_SHELL_INTEGRATION=layer-shell
+#
+#[Wayland]
+#CompositorCommand=kwin_wayland --drm --inputmethod qtvirtualkeyboard --no-global-shortcuts --no-lockscreen --locale1
+EOW
# Workaround a bug where SDDM does not always use the configured keymap:
echo "setxkbmap" >> ${LIVE_ROOTDIR}/usr/share/sddm/scripts/Xsetup
- # Do not show the blueman applet, Plasma5 has its own BlueTooth widget:
+ # Do not show the blueman applet, Plasma has its own BlueTooth widget:
echo "NotShowIn=KDE;" >> ${LIVE_ROOTDIR}/etc/xdg/autostart/blueman.desktop
# Set QtWebkit as the Konqueror rendering engine if available:
@@ -2421,21 +2779,53 @@ EOT
mkdir -p ${LIVE_ROOTDIR}/etc/profile.d
cat <<EOT > ${LIVE_ROOTDIR}/etc/profile.d/kwayland.sh
#!/bin/sh
-# Force the usage of XCB platform on Qt5 applications:
+# Force the usage of XCB platform on Qt applications:
export QT_QPA_PLATFORM=xcb
# Force the usage of X11 platform for GDK applications:
export GDK_BACKEND=x11
EOT
cat <<EOT > ${LIVE_ROOTDIR}/etc/profile.d/kwayland.csh
#!/bin/csh
-# Force the usage of XCB platform on Qt5 applications:
+# Force the usage of XCB platform on Qt applications:
setenv QT_QPA_PLATFORM xcb
# Force the usage of X11 platform for GDK applications:
setenv GDK_BACKEND x11
EOT
chmod 755 ${LIVE_ROOTDIR}/etc/profile.d/kwayland.*
-fi # End Plasma5
+# Ensure that color Emojis work in Qt applications:
+mkdir -p ${LIVE_ROOTDIR}/usr/share/fontconfig/conf.avail
+cat <<EOT >${LIVE_ROOTDIR}/usr/share/fontconfig/conf.avail/99-noto-mono-color-emoji.conf:
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
+<fontconfig>
+ <alias>
+ <family>serif</family>
+ <prefer>
+ <family>Noto Color Emoji</family>
+ </prefer>
+ </alias>
+ <alias>
+ <family>sans-serif</family>
+ <prefer>
+ <family>Noto Color Emoji</family>
+ </prefer>
+ </alias>
+ <alias>
+ <family>monospace</family>
+ <prefer>
+ <family>Noto Color Emoji</family>
+ </prefer>
+ </alias>
+</fontconfig>
+EOT
+
+ if [ "$LIVEDE" = "DAW" ] || [ "$LIVEDE" = "LEAN" ]; then
+ # These lean installations do not support Wayland graphical sessions:
+ rm -rf ${LIVE_ROOTDIR}/usr/share/wayland-sessions
+ fi
+
+fi # End Plasma
if [ "$LIVEDE" = "DLACK" ]; then
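Review bot: The redirect target in `cat <<EOT >${LIVE_ROOTDIR}/usr/share/fontconfig/conf.avail/99-noto-mono-color-emoji.conf:` ends in a colon, so the file is created as `99-noto-mono-color-emoji.conf:` and will not be picked up as a `.conf` file; drop the trailing `:`. The hunk also shows no link from `conf.d` to this `conf.avail` entry, so it may still need enabling elsewhere. The block sits inside the Plasma `if` but is not indented like its neighbours, and the added `rm -rf ${LIVE_ROOTDIR}/usr/share/wayland-sessions` would be safer with the path quoted.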
@@ -2531,8 +2921,13 @@ EOT
# Autostart qjackctl:
mkdir -p ${LIVE_ROOTDIR}/home/${LIVEUID}/.config/autostart
- cp -a ${LIVE_ROOTDIR}/usr/share/applications/qjackctl.desktop \
- ${LIVE_ROOTDIR}/home/${LIVEUID}/.config/autostart
+ if [ -f ${LIVE_ROOTDIR}/usr/share/applications/org.rncbc.qjackctl.desktop ]; then
+ QJCDF=/usr/share/applications/org.rncbc.qjackctl.desktop
+ else
+ QJCDF=/usr/share/applications/qjackctl.desktop
+ fi
+ cp -a ${LIVE_ROOTDIR}/${QJCDF} \
+ ${LIVE_ROOTDIR}/home/${LIVEUID}/.config/autostart/
# Add all our programs into their own submenu Applications>Multimedia>DAW
# to avoid clutter in the Multimedia menu. We will use a custom category
@@ -2574,6 +2969,12 @@ EOT
ln -s /usr/share/vcvrack/$(basename ${PLUGIN}) ${LIVE_ROOTDIR}/home/${LIVEUID}/.Rack/plugins-v1/
done
+ # The new Kickoff application launcher that replaced the old Kickoff,
+ # does not adhere to the XDG Desktop standards.
+ # Therefore we will switch the DAW desktop to Kicker instead, to preserve
+ # our 'Slackware DAW' menu structure in the 'Multimedia' menu:
+ sed -e 's/kickoff/kicker/g' -i ${LIVE_ROOTDIR}/usr/share/plasma/layout-templates/org.kde.plasma.desktop.defaultPanel/contents/layout.js
+
fi # End LIVEDE = DAW
if [ "$LIVEDE" = "STUDIOWARE" ]; then
@@ -2844,12 +3245,14 @@ touch ${LIVE_ROOTDIR}/etc/fastboot
# We will not write to the hardware clock:
sed -i -e '/systohc/s/^/# /' ${LIVE_ROOTDIR}/etc/rc.d/rc.6
+# Don't try to re-mount our squashfs and overlay filesystems:
+sed -e 's/^ *SKIPFS="no/&squashfs,nooverlay,no/' \
+ -i ${LIVE_ROOTDIR}/etc/rc.d/rc.S
+
# Run some package setup scripts (usually run by the slackware installer),
# as well as some of the delaying commands in rc.M and rc.modules:
-chroot ${LIVE_ROOTDIR} /bin/bash <<EOCR
-# Rebuild SSL certificate database:
-/usr/sbin/update-ca-certificates --fresh 1>/dev/null 2>${DBGOUT}
+chroot ${LIVE_ROOTDIR} /bin/bash <<EOCR
# Run bits from rc.M so we won't need to run them again in the live system:
/sbin/depmod $KVER
/sbin/ldconfig
@@ -2999,6 +3402,10 @@ else
KVER=$(ls --indicator-style=none ${LIVE_ROOTDIR}/lib/modules/ |grep smp |head -1)
fi
+# Determine Slackware's GRUB version and build (we will use this later):
+GRUBVER=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f3 |rev)
+GRUBBLD=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |rev |cut -d- -f1 |cut -d. -f2 |rev)
+
# Create an initrd for the generic kernel, using a modified init script:
echo "-- Creating initrd for kernel-generic $KVER ..."
chroot ${LIVE_ROOTDIR} /sbin/mkinitrd -c -w ${WAIT} -l us -o /boot/initrd_${KVER}.img -k ${KVER} -m ${KMODS} -L -C dummy 1>${DBGOUT} 2>${DBGOUT}
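Review bot: `GRUBVER` and `GRUBBLD` take every match of `find ... -name "grub-*.t?z"`, unlike the other package lookups visible in this diff, which end in `|head -1`; if the tree holds more than one matching package (a patched build, or another package whose name starts with `grub-`), both variables become multi-line. They are written into the `grub.liveslak` line of `grub_sbat.csv` in a later hunk, so a malformed value ends up in the SBAT data that shim evaluates. Limiting the lookup to one package fixes this: `GRUBVER=$(find ${DEF_SL_PKGROOT}/../ -name "grub-*.t?z" |head -1 |rev |cut -d- -f3 |rev)`, and likewise for `GRUBBLD`.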
@@ -3030,6 +3437,12 @@ tar -C ${LIVE_ROOTDIR}/boot/initrd-tree/ -xf ${DHCPD_PKG} \
var/lib/dhcpcd lib/dhcpcd sbin/dhcpcd usr/lib${DIRSUFFIX}/dhcpcd \
etc/dhcpcd.conf.new
mv ${LIVE_ROOTDIR}/boot/initrd-tree/etc/dhcpcd.conf{.new,}
+# Create the dhcpcd account because we added the package to the initrd:
+if ! grep -q dhcpcd ${LIVE_ROOTDIR}/boot/initrd-tree/etc/passwd; then
+ echo "dhcpcd:x:68:68:User for dhcpcd:/var/lib/dhcpcd:/bin/false" >> ${LIVE_ROOTDIR}/boot/initrd-tree/etc/passwd
+ echo "dhcpcd:x:68:" >> ${LIVE_ROOTDIR}/boot/initrd-tree/etc/group
+fi
+
# Add getfattr to read extended attributes (even if we won't need it):
ATTR_PKG=$(find ${DEF_SL_PKGROOT}/../ -name "attr-*.t?z" |head -1)
tar --wildcards -C ${LIVE_ROOTDIR}/boot/initrd-tree/ -xf ${ATTR_PKG} \
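Review bot: `grep -q dhcpcd ${LIVE_ROOTDIR}/boot/initrd-tree/etc/passwd` matches the string anywhere in the file, so any line that merely mentions dhcpcd suppresses the account creation, and `etc/group` is appended to without a check of its own. Anchoring the test as `grep -q '^dhcpcd:'` and testing the group file separately avoids a missing or duplicated entry. The uid/gid 68 is hard-coded; a comment saying which package or system file it is meant to match would help, as that cannot be confirmed from this hunk.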
@@ -3042,22 +3455,10 @@ cp -a ${LIVE_ROOTDIR}/etc/slackware-version ${LIVE_ROOTDIR}/etc/os-release \
${LIVE_ROOTDIR}/boot/initrd-tree/etc/
if [ "$NFSROOTSUP" = "YES" ]; then
# Add just the right kernel network modules by pruning unneeded stuff:
- if [ "$SL_ARCH" = "x86_64" -o "$SMP32" = "NO" ]; then
- KMODS_PKG=$(find ${DEF_SL_PKGROOT}/../ -name "kernel-modules-*$(echo $KGEN |tr - _)*.t?z" |grep -v smp |head -1)
- else
- KMODS_PKG=$(find ${DEF_SL_PKGROOT}/../ -name "kernel-modules-*$(echo $KGEN |tr - _)*.t?z" |grep smp |head -1)
- fi
- KMODS_TEMP=$(mktemp -d -p /mnt -t liveslak.XXXXXX)
- if [ ! -d $KMODS_TEMP ]; then
- echo "*** Failed to create a temporary extraction directory for the initrd!"
- cleanup
- exit 1
- fi
- # We need to extract the full kernel-modules package for deps resolving:
- tar -C ${KMODS_TEMP} -xf ${KMODS_PKG}
+ # We need the full kernel-modules package for deps resolving:
# Get the kernel modules:
for NETMODPATH in ${NETMODS} ; do
- cd ${KMODS_TEMP}
+ cd ${LIVE_ROOTDIR}
cp -a --parents lib/modules/${KVER}/${NETMODPATH} \
${LIVE_ROOTDIR}/boot/initrd-tree/
cd - 1>/dev/null
@@ -3068,19 +3469,17 @@ if [ "$NFSROOTSUP" = "YES" ]; then
done
# Add any dependency modules:
for MODULE in $(find ${LIVE_ROOTDIR}/boot/initrd-tree/lib/modules/${KVER}/${NETMODPATH} -type f -exec basename {} .ko \;) ; do
- /sbin/modprobe --dirname ${KMODS_TEMP} --set-version $KVER --show-depends --ignore-install $MODULE 2>/dev/null |grep "^insmod " |cut -f 2 -d ' ' |while read SRCMOD; do
+ /sbin/modprobe --dirname ${LIVE_ROOTDIR} --set-version $KVER --show-depends --ignore-install $MODULE 2>/dev/null |grep "^insmod " |cut -f 2 -d ' ' |while read SRCMOD; do
if [ "$(basename $SRCMOD .ko)" != "$MODULE" ]; then
- cd ${KMODS_TEMP}
- # Need to strip ${KMODS_TEMP} from the start of ${SRCMOD}:
- cp -a --parents $(echo $SRCMOD |sed 's|'${KMODS_TEMP}'/|./|' ) \
+ cd ${LIVE_ROOTDIR}
+ # Need to strip ${LIVE_ROOTDIR} from the start of ${SRCMOD}:
+ cp -a --parents $(echo $SRCMOD |sed 's|'${LIVE_ROOTDIR}'/|./|' ) \
${LIVE_ROOTDIR}/boot/initrd-tree/
cd - 1>/dev/null
fi
done
done
done
- # Remove the temporary tree:
- rm -rf ${KMODS_TEMP}
# We added extra modules to the initrd, so we run depmod again:
chroot ${LIVE_ROOTDIR}/boot/initrd-tree /sbin/depmod $KVER
# Add the firmware for network cards that need them:
@@ -3111,11 +3510,6 @@ mv ${LIVE_BOOT}/boot/initrd_${KVER}.img ${LIVE_STAGING}/boot/initrd.img
# Squash the boot directory into its own module:
mksquashfs ${LIVE_BOOT} ${LIVE_MOD_SYS}/0000-${DISTRO}_boot-${SL_VERSION}-${SL_ARCH}.sxz -noappend -comp ${SQ_COMP} ${SQ_COMP_PARAMS}
-# Determine additional boot parameters to be added:
-if [ -z ${KAPPEND} ]; then
- eval KAPPEND=\$KAPPEND_${LIVEDE}
-fi
-
# Copy the syslinux configuration.
# The next block checks here for a possible UEFI grub boot image:
cp -a ${LIVE_TOOLDIR}/syslinux ${LIVE_STAGING}/boot/
@@ -3123,8 +3517,13 @@ cp -a ${LIVE_TOOLDIR}/syslinux ${LIVE_STAGING}/boot/
# EFI support always for 64bit architecture, but conditional for 32bit.
if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Copy the UEFI boot directory structure:
+ rm -rf ${LIVE_STAGING}/EFI/BOOT
mkdir -p ${LIVE_STAGING}/EFI/BOOT
cp -a ${LIVE_TOOLDIR}/EFI/BOOT/{grub-embedded.cfg,make-grub.sh,*.txt,theme} ${LIVE_STAGING}/EFI/BOOT/
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ # User needs a DER-encoded copy of the signing cert for MOK enrollment:
+ openssl x509 -outform der -in ${MOKCERT} -out ${LIVE_STAGING}/EFI/BOOT/liveslak.der
+ fi
if [ "$LIVEDE" = "XFCE" ]; then
# We do not use the unicode font, so it can be removed to save space:
rm -f ${LIVE_STAGING}/EFI/BOOT/theme/unicode.pf2
@@ -3132,7 +3531,7 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Create the grub fonts used in the theme.
# Command outputs string like this: "Font name: DejaVu Sans Mono Regular 5".
- for FSIZE in 5 10 12 20 ; do
+ for FSIZE in 5 10 12 20 24 ; do
grub-mkfont -s ${FSIZE} -av \
-o ${LIVE_STAGING}/EFI/BOOT/theme/dejavusansmono${FSIZE}.pf2 \
/usr/share/fonts/TTF/DejaVuSansMono.ttf \
@@ -3145,6 +3544,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the UEFI grub boot image if needed:
if [ ! -f ${LIVE_STAGING}/EFI/BOOT/boot${EFISUFF}.efi -o ! -f ${LIVE_STAGING}/boot/syslinux/efiboot.img ]; then
( cd ${LIVE_STAGING}/EFI/BOOT
+ # Create a SBAT file 'grub_sbat.csv' to be used by make-grub.sh :
+ cat <<HSBAT > ${LIVE_STAGING}/EFI/BOOT/grub_sbat.csv
+sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
+grub,1,Free Software Foundation,grub,2.06,https://www.gnu.org/software/grub/
+grub.liveslak,1,The liveslak project,grub,${GRUBVER}-${GRUBBLD},https://download.liveslak.org/
+HSBAT
sed -i -e "s/SLACKWARELIVE/${MARKER}/g" grub-embedded.cfg
sh make-grub.sh EFIFORM=${EFIFORM} EFISUFF=${EFISUFF}
)
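Review bot: The `grub,1,Free Software Foundation,grub,2.06,...` line in the new `grub_sbat.csv` hard-codes both the upstream version and the SBAT generation, while the `grub.liveslak` line below it uses the detected `${GRUBVER}-${GRUBBLD}`. The generation number is what shim compares against its revocation level, so it has to reflect the security fixes actually present in the packaged GRUB; a stale value either gets the image rejected where newer revocations are installed or misstates what is fixed. Use the detected version in the upstream line, `grub,1,Free Software Foundation,grub,${GRUBVER},https://www.gnu.org/software/grub/`, and add a comment on how the generation is chosen and when it must be bumped. The heredoc is unquoted so the variables expand, which also means `GRUBVER` and `GRUBBLD` must each be a single token.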
@@ -3152,6 +3557,12 @@ if [ "$SL_ARCH" = "x86_64" -o "$EFI32" = "YES" ]; then
# Generate the grub configuration for UEFI boot:
gen_uefimenu ${LIVE_STAGING}/EFI/BOOT
+
+ # Add SecureBoot support if requested:
+ if [ ${SECUREBOOT} -eq 1 ]; then
+ secureboot ${SHIM_3RDP}
+ fi
+
fi # End EFI support menu.
if [ "$SYSMENU" = "NO" ]; then
@@ -3230,6 +3641,9 @@ fi
# verbatim into the overlay root):
mkdir -p ${LIVE_STAGING}/${LIVEMAIN}/rootcopy
+# Mark our ISO as 'ventoy-compatible':
+echo "This ISO is compatible with Ventoy. See https://www.ventoy.net/en/compatible.html" >${LIVE_STAGING}/ventoy.dat
+
# Create an ISO file from the directories found below ${LIVE_STAGING}:
create_iso ${LIVE_STAGING}
diff --git a/media/ktown/bg/background.jpg b/media/ktown/bg/background.jpg
new file mode 120000
index 0000000..06b955d
--- /dev/null
+++ b/media/ktown/bg/background.jpg
@@ -0,0 +1 @@
+rauwven.jpg \ No newline at end of file
diff --git a/media/ktown/bg/rauwven.jpg b/media/ktown/bg/rauwven.jpg
new file mode 100644
index 0000000..f1d4a6e
--- /dev/null
+++ b/media/ktown/bg/rauwven.jpg
Binary files differ
diff --git a/media/lean/bg/background.jpg b/media/lean/bg/background.jpg
index 37feafc..2094cf4 120000
--- a/media/lean/bg/background.jpg
+++ b/media/lean/bg/background.jpg
@@ -1 +1 @@
-vijlen.jpg \ No newline at end of file
+willibrordhaeghe.jpg \ No newline at end of file
diff --git a/media/lean/bg/bretagnecancale.jpg b/media/lean/bg/bretagnecancale.jpg
new file mode 100644
index 0000000..f3ccc91
--- /dev/null
+++ b/media/lean/bg/bretagnecancale.jpg
Binary files differ
diff --git a/media/lean/bg/demortelen.jpg b/media/lean/bg/demortelen.jpg
new file mode 100644
index 0000000..b7677fb
--- /dev/null
+++ b/media/lean/bg/demortelen.jpg
Binary files differ
diff --git a/media/lean/bg/groedezeeland.jpg b/media/lean/bg/groedezeeland.jpg
new file mode 100644
index 0000000..84020cb
--- /dev/null
+++ b/media/lean/bg/groedezeeland.jpg
Binary files differ
diff --git a/media/lean/bg/landgoedgrotebeek.jpg b/media/lean/bg/landgoedgrotebeek.jpg
new file mode 100644
index 0000000..d041de8
--- /dev/null
+++ b/media/lean/bg/landgoedgrotebeek.jpg
Binary files differ
diff --git a/media/lean/bg/montsaintmichel.jpg b/media/lean/bg/montsaintmichel.jpg
new file mode 100644
index 0000000..5a3891e
--- /dev/null
+++ b/media/lean/bg/montsaintmichel.jpg
Binary files differ
diff --git a/media/lean/bg/ruwenberg.jpg b/media/lean/bg/ruwenberg.jpg
new file mode 100644
index 0000000..94bff59
--- /dev/null
+++ b/media/lean/bg/ruwenberg.jpg
Binary files differ
diff --git a/media/lean/bg/theme b/media/lean/bg/theme
new file mode 100644
index 0000000..37a6131
--- /dev/null
+++ b/media/lean/bg/theme
@@ -0,0 +1,2 @@
+# either 'dark' or 'light'
+dark
diff --git a/media/lean/bg/willibrordhaeghe.jpg b/media/lean/bg/willibrordhaeghe.jpg
new file mode 100644
index 0000000..f10685a
--- /dev/null
+++ b/media/lean/bg/willibrordhaeghe.jpg
Binary files differ
diff --git a/pkglists/alien.lst b/pkglists/alien.lst
index ce46e9e..9672d5f 100644
--- a/pkglists/alien.lst
+++ b/pkglists/alien.lst
@@ -10,17 +10,16 @@ chromium-widevine-plugin
#cmark
dropbox-client
#ffmpeg
-freerdp
+#freerdp
#gcc5
#gecko-mediaplayer
#gmtk
#gnome-mplayer
gst-plugins-ffmpeg0
gst-plugins-libav
-#icedtea-web
+icedtea-web
icu4c-compat
keepassxc
-#lame
libreoffice
#libreoffice-dict-af
#libreoffice-dict-ar
@@ -68,17 +67,14 @@ libreoffice
libstatgrab
#libtinfo
libtorrent-rasterbar
-#lumina
#mkvtoolnix
muparser
netsurf
nodejs
-nvme-cli
openconnect
-openjdk
+openjdk11
#oxygen-gtk2
p7zip
-#palemoon
podofo
poppler-qt5
python-twisted
diff --git a/pkglists/cinnamon.lst b/pkglists/cinnamon.lst
index 84b2bbc..752fe73 100644
--- a/pkglists/cinnamon.lst
+++ b/pkglists/cinnamon.lst
@@ -18,6 +18,7 @@ cracklib
dbus-python3
gnome-menus
graphviz
+gsound
json-glib
krb5
libcroco
@@ -29,7 +30,9 @@ libgusb
libtimezonemap
libsass
metacity
+mint-cursor-themes
mint-themes
+mint-l-icons
mint-y-icons
mint-y-theme
mozjs
@@ -47,12 +50,15 @@ pygobject3-python3
python-pam
python3
python3-xapp
+python3-webencodings
pytz
sassc
setproctitle
speex
tinycss
+tinycss2
vala
xapp
xapps
+xdotool
zenity
diff --git a/pkglists/ktown.conf b/pkglists/ktown.conf
index 856f899..cd37cae 100644
--- a/pkglists/ktown.conf
+++ b/pkglists/ktown.conf
@@ -2,7 +2,9 @@
# or empty directory, then the content of 'SL_REPO_URL' will be rsync-ed
# to the local directory 'SL_REPO'.
-VARIANT=latest
+# Either 'latest' or 'testing':
+VARIANT=testing
+
if [ "${SL_ARCH}" == "x86_64" ]; then
LIBSUFFIX="64"
else
diff --git a/pkglists/ktown.lst b/pkglists/ktown.lst
index 2db351e..18d8c74 100644
--- a/pkglists/ktown.lst
+++ b/pkglists/ktown.lst
@@ -1,74 +1,179 @@
-# Slackware Plasma5 deps:
-SDL2
-QtAV
-accountsservice
-cfitsio
-cryfs
-cryptopp
-dbus
-dotconf
-dvdauthor
-eigen3
-elogind
-frei0r-plugins
-grantlee
+# Slackware Plasma6 deps:
+futuresql
+gpgme
kdsoap
-lensfun
-libappindicator
-libburn
-libdbusmenu
-libdbusmenu-qt
-libdmtx
-libindicator
-libqalculate
-libsass
-mlt
+libQuotient
+libdisplay-info
+libfprint
+olm
opencv
phonon
-phonon-backend-gstreamer
-pipewire
-polkit
polkit-qt-1
-qrencode
-qt5
+poppler
+python-html5lib
+python-webencodings
+qca
+qcoro
+qt6
qtkeychain
quazip
-rttr
-sassc
-speech-dispatcher
-upower
-vid.stab
-# Slackware Plasma5 input-methods:
-OpenCC
-cldr-emoji-annotation
-fcitx
-fcitx-anthy
-fcitx-configtool
-fcitx-hangul
-fcitx-kkc
-fcitx-libpinyin
-fcitx-m17n
-fcitx-qt5
-fcitx-sayura
-fcitx-table-extra
-fcitx-table-other
-fcitx-unikey
-ibus
-ibus-anthy
-ibus-hangul
-ibus-kkc
-ibus-libpinyin
-ibus-m17n
-ibus-table
-ibus-unikey
-kcm-fcitx
-libgee
-libkkc
-libkkc-data
-libpinyin
-marisa
-skkdic
-# Slackware Plasma5:
+wayland-utils
+#
+# Slackware Plasma6:
+#
+# Frameworks 5:
+attica-5
+baloo-5
+frameworkintegration-5
+kactivities-5
+kactivities-stats-5
+kapidox-5
+karchive-5
+kauth-5
+kbookmarks-5
+kcalendarcore-5
+kcmutils-5
+kcodecs-5
+kcompletion-5
+kconfig-5
+kconfigwidgets-5
+kcontacts-5
+kcoreaddons-5
+kcrash-5
+kdav-5
+kdbusaddons-5
+kdeclarative-5
+kded-5
+kdesignerplugin-5
+kdesu-5
+kdewebkit-5
+kdnssd-5
+kdoctools-5
+kemoticons-5
+kfilemetadata-5
+kglobalaccel-5
+kguiaddons-5
+kholidays-5
+khtml-5
+ki18n-5
+kiconthemes-5
+kidletime-5
+kimageformats-5
+kinit-5
+kio-5
+kirigami-5
+kitemmodels-5
+kitemviews-5
+kjobwidgets-5
+kjs-5
+kjsembed-5
+kmediaplayer-5
+knewstuff-5
+knotifications-5
+knotifyconfig-5
+kpackage-5
+kparts-5
+kpeople-5
+kplotting-5
+kpty-5
+kquickcharts-5
+kross-5
+krunner-5
+kservice-5
+ktexteditor-5
+ktextwidgets-5
+kunitconversion-5
+kwallet-5
+kwayland-5
+kwidgetsaddons-5
+kwindowsystem-5
+kxmlgui-5
+kxmlrpcclient-5
+plasma-framework-5
+prison-5
+purpose-5
+qqc2-breeze5-style
+qqc2-desktop-style-5
+solid-5
+sonnet-5
+syndication-5
+syntax-highlighting-5
+threadweaver-5
+# Frameworks:
+attica
+baloo
+bluez-qt
+breeze-icons
+extra-cmake-modules
+frameworkintegration
+kapidox
+karchive
+kauth
+kbookmarks
+kcalendarcore
+kcmutils
+kcodecs
+kcolorscheme
+kcompletion
+kconfig
+kconfigwidgets
+kcontacts
+kcoreaddons
+kcrash
+kdav
+kdbusaddons
+kdeclarative
+kded
+kdesu
+kdnssd
+kdoctools
+kfilemetadata
+kglobalaccel
+kguiaddons
+kholidays
+ki18n
+kiconthemes
+kidletime
+kimageformats
+kio
+kirigami
+kitemmodels
+kitemviews
+kjobwidgets
+knewstuff
+knotifications
+knotifyconfig
+kpackage
+kparts
+kpeople
+kplotting
+kpty
+kquickcharts
+krunner
+kservice
+kstatusnotifieritem
+ksvg
+ktexteditor
+ktexttemplate
+ktextwidgets
+kunitconversion
+kuserfeedback
+kwallet
+kwidgetsaddons
+kwindowsystem
+kxmlgui
+modemmanager-qt
+networkmanager-qt
+oxygen-icons
+prison
+purpose
+qqc2-desktop-style
+solid
+sonnet
+syndication
+syntax-highlighting
+threadweaver
+# KDEPIM:
akonadi
akonadi-calendar
akonadi-calendar-tools
@@ -79,197 +184,250 @@ akonadi-notes
akonadi-search
akonadiconsole
akregator
-alkimia
+calendarsupport
+eventviews
+grantlee-editor
+grantleetheme
+incidenceeditor
+kaddressbook
+kalarm
+kcalutils
+kdepim-addons
+kdepim-runtime
+khealthcertificate
+kidentitymanagement
+kimap
+kitinerary
+kldap
+kleopatra
+kmail
+kmail-account-wizard
+kmailtransport
+kmbox
+kmime
+knotes
+kontact
+kontactinterface
+kopeninghours
+korganizer
+kpimtextedit
+kpkpass
+ksmtp
+ktnef
+libgravatar
+libkdepim
+libkgapi
+libkleo
+libksieve
+mailcommon
+mailimporter
+mbox-importer
+messagelib
+mimetreeparser
+pim-data-exporter
+pim-sieve-editor
+pimcommon
+# Plasma:
+#breeze-plymouth
+#discover
+#ksysguard
+#lancelot
+#plasma-mobile
+#plasma-nano
+#plasma-tests
+#plasma-thunderbolt
+#plasma-welcome
+#plymouth-kcm
+bluedevil
+breeze
+breeze-grub
+breeze-gtk
+drkonqi
+kactivitymanagerd
+kde-cli-tools
+kde-gtk-config
+kdecoration
+kdeplasma-addons
+kgamma
+kglobalacceld
+kinfocenter
+kmenuedit
+kpipewire
+kscreen
+kscreenlocker
+ksshaskpass
+ksystemstats
+kwallet-pam
+kwayland
+kwayland-integration
+kwin
+kwrited
+layer-shell-qt
+libkscreen
+libksysguard
+libplasma
+milou
+ocean-sound-theme
+oxygen
+oxygen-sounds
+plasma-activities
+plasma-activities-stats
+plasma-browser-integration
+plasma-desktop
+plasma-disks
+plasma-firewall
+plasma-integration
+plasma-nm
+plasma-pa
+plasma-sdk
+plasma-systemmonitor
+plasma-vault
+plasma-workspace
+plasma-workspace-wallpapers
+plasma5support
+polkit-kde-agent-1
+powerdevil
+print-manager
+qqc2-breeze-style
+sddm-kcm
+systemsettings
+wacomtablet
+xdg-desktop-portal-kde
+# Plasma Extra:
+##latte-dock
+kirigami-addons
+kmoretools
+kpeoplevcard
+ktextaddons
+libqaccessibilityclient
+oxygen-fonts
+plasma-wayland-protocols
+pulseaudio-qt
+sddm
+xwaylandvideobridge
+# Applications:
+#kajongg
+# Still Qt5 based:
+artikulate
+cantor
+cervisia
+juk
+kamoso
+kde-dev-utils
+kdesdk-thumbnailers
+kdev-php
+kdev-python
+kdevelop
+kgpg
+kig
+kio-gdrive
+kipi-plugins
+kmix
+konversation
+kqtquickcharts
+krfb
+ktouch
+kwave
+libkipi
+lokalize
+marble
+poxml
+rocs
+umbrello
+# End Qt5 based
+#kaccounts-integration
+#kaccounts-providers
+#kalendar
+#kalk
+#kfloppy
+#libkgeomap
+#tokodon
+alligator
analitza
ark
-artikulate
-attica
audiocd-kio
-baloo
baloo-widgets
blinken
-bluedevil
-bluez-qt
bomber
bovo
-breeze
-breeze-grub
-breeze-gtk
-breeze-icons
-calendarsupport
-calligra
-calligraplan
-cantor
-cervisia
-digikam
+colord-kde
dolphin
dolphin-plugins
dragon
-drkonqi
elisa
-eventviews
-extra-cmake-modules
falkon
ffmpegthumbs
filelight
-frameworkintegration
+ghostwriter
granatier
-grantlee-editor
-grantleetheme
gwenview
-incidenceeditor
-juk
+isoimagewriter
+itinerary
k3b
-kactivities
-kactivities-stats
-kactivitymanagerd
-kaddressbook
-kalarm
-kalarmcal
kalgebra
+kalk
kalzium
kamera
-kamoso
kanagram
-kapidox
kapman
kapptemplate
-karchive
kate
katomic
-kauth
kbackup
kblackbox
kblocks
-kbookmarks
kbounce
kbreakout
kbruch
kcachegrind
kcalc
-kcalendarcore
-kcalutils
kcharselect
-kcmutils
-kcodecs
kcolorchooser
-kcompletion
-kconfig
-kconfigwidgets
-kcontacts
-kcoreaddons
-kcrash
kcron
-kdav
-kdbusaddons
-kde-cli-tools
kde-dev-scripts
-kde-dev-utils
-kde-gtk-config
+kde-inotify-survey
kdebugsettings
-kdeclarative
kdeconnect-kde
-kdecoration
-kded
kdeedu-data
kdegraphics-mobipocket
kdegraphics-thumbnailers
-kdelibs4support
kdenetwork-filesharing
kdenlive
-kdepim-addons
-kdepim-apps-libs
-kdepim-runtime
-kdeplasma-addons
-kdesdk-kioslaves
-kdesdk-thumbnailers
-kdesignerplugin
-kdesu
-kdev-php
-kdev-python
-kdevelop
-kdevelop-pg-qt
-kdewebkit
+kdesdk-kio
kdf
-kdiagram
kdialog
kdiamond
-kdnssd
-kdoctools
keditbookmarks
-kemoticons
-kfilemetadata
+keysmith
kfind
-kfloppy
kfourinline
-kgamma5
kgeography
kget
-kglobalaccel
kgoldrunner
-kgpg
-kguiaddons
khangman
khelpcenter
-kholidays
-khotkeys
-khtml
-ki18n
-kiconthemes
-kid3
-kidentitymanagement
-kidletime
-kig
kigo
-kile
killbots
-kimageformats
kimagemapeditor
-kimap
-kinfocenter
-kinit
-kio
+kio-admin
kio-extras
-kio-gdrive
-kipi-plugins
+kio-zeroconf
kirigami-gallery
-kirigami2
kiriki
-kitemmodels
-kitemviews
kiten
-kitinerary
-kjobwidgets
-kjots
-kjs
-kjsembed
kjumpingcube
-kldap
-kleopatra
+klettres
klickety
klines
kmag
kmahjongg
-kmail
-kmail-account-wizard
-kmailtransport
-kmbox
-kmediaplayer
-kmenuedit
-kmime
kmines
-kmix
kmousetool
kmouth
kmplot
-kmymoney
knavalbattle
knetwalk
-knewstuff
knights
-knotes
-knotifications
-knotifyconfig
kolf
kollision
kolourpaint
@@ -277,151 +435,78 @@ kompare
konqueror
konquest
konsole
-kontact
-kontactinterface
-kopete
-korganizer
-kpackage
-kparts
+kontrast
+kosmindoormap
kpat
-kpeople
-kpeoplevcard
-kpimtextedit
-kpkpass
-kplotting
kpmcore
-kpty
-kqtquickcharts
-kquickcharts
+kpublictransport
krdc
-krename
kreversi
-krfb
-krita
-kross
-kross-interpreters
kruler
-krunner
-krusader
-kscreen
-kscreenlocker
-kservice
+ksanecore
kshisen
ksirk
-ksmtp
ksnakeduel
kspaceduel
ksquares
-ksshaskpass
-kstars
ksudoku
-ksysguard
ksystemlog
kteatime
-ktexteditor
-ktextwidgets
ktimer
-ktimetracker
-ktnef
ktorrent
-ktouch
+ktuberling
kturtle
kubrick
-kunitconversion
-kwallet
-kwallet-pam
kwalletmanager
-kwave
-kwayland
-kwayland-integration
-kwayland-server
-kwidgetsaddons
-kwin
-kwindowsystem
kwordquiz
-kwrited
-kxmlgui
-kxmlrpcclient
-latte-dock
-libgravatar
libkcddb
libkcompactdisc
libkdcraw
libkdegames
-libkdepim
libkeduvocdocument
libkexiv2
-libkgapi
-libkgeomap
-libkipi
-libkleo
libkmahjongg
libkomparediff2
libksane
-libkscreen
-libksieve
-libksysguard
libktorrent
-lokalize
lskat
-mailcommon
-mailimporter
-marble
-mbox-importer
-messagelib
-milou
+markdownpart
+merkuro
minuet
-modemmanager-qt
-networkmanager-qt
-okteta
okular
-oxygen
-oxygen-fonts
-oxygen-gtk2
-oxygen-icons5
palapeli
parley
partitionmanager
picmi
-pim-data-exporter
-pim-sieve-editor
-pimcommon
-plasma-browser-integration
-plasma-desktop
-plasma-disks
-plasma-framework
-plasma-integration
-plasma-nm
-plasma-pa
-plasma-sdk
-plasma-vault
-plasma-wayland-protocols
-plasma-workspace
-plasma-workspace-wallpapers
-polkit-kde-agent-1
-powerdevil
-poxml
-print-manager
-prison
-pulseaudio-qt
-purpose
-qqc2-desktop-style
-rocs
-sddm
-sddm-kcm
skanlite
-solid
-sonnet
+skanpage
spectacle
step
svgpart
sweeper
-syndication
-syntax-highlighting
-systemsettings
-threadweaver
-umbrello
-wacomtablet
-xdg-desktop-portal-kde
yakuake
-zeroconf-ioslave
+zanshin
+# Applications Extra:
+##kstars
+##labplot
+#kuser
+##alkimia
+##calligra
+##calligraplan
+digikam
+##kaudiocreator
+kdevelop-pg-qt
+kdiagram
+kdsoap-ws-discovery-client
+kid3
+##kile
+kjots
+kmymoney
+krename
+krita
+krusader
+ktimetracker
+##okteta
+oxygen-gtk2
+libkgapi-5
+# ------
diff --git a/pkglists/ktownalien.lst b/pkglists/ktownalien.lst
index b6c6cf4..57bedaa 100644
--- a/pkglists/ktownalien.lst
+++ b/pkglists/ktownalien.lst
@@ -1,6 +1,5 @@
# Alien's packages that enrich the Plasma5 experience:
NetworkManager-openconnect
-freerdp
openconnect
vlc
diff --git a/pkglists/ktownslack.lst b/pkglists/ktownslack.lst
new file mode 100644
index 0000000..048f93d
--- /dev/null
+++ b/pkglists/ktownslack.lst
@@ -0,0 +1,24 @@
+alkimia
+#calligra
+#calligraplan
+fcitx5-configtool
+fcitx5-theme-breeze
+kColorPicker
+kImageAnnotator
+kaudiocreator
+kdevelop
+kdev-php
+kdev-python
+kile
+kmymoney
+kquickimageeditor
+krita
+kstars
+labplot
+latte-dock
+libindi
+libnova
+okteta
+stellarsolver
+wcslib
+
diff --git a/pkglists/mate.lst b/pkglists/mate.lst
index 29e1479..9436ec0 100644
--- a/pkglists/mate.lst
+++ b/pkglists/mate.lst
@@ -8,11 +8,13 @@ gtk-engines
gtk-layer-shell
gtksourceview
gtksourceview3
+gtksourceview4
gupnp
libgksu
libgtop
libgxps
libpeas
+libsoup3
libunique
libunique3
libwnck3
diff --git a/pkglists/min.lst b/pkglists/min.lst
index 919bfc8..a2cf1f6 100644
--- a/pkglists/min.lst
+++ b/pkglists/min.lst
@@ -5,12 +5,14 @@ aaa_libraries
aaa_terminfo
acl
attr
+avahi
bash
bin
binutils
# Add 'bind' at the end because it does a chroot:
#bind
-#bsd-games
+bsd-games
+btrfs-progs
bzip2
ca-certificates
coreutils
@@ -27,6 +29,7 @@ dialog
diffutils
dmidecode
dnsmasq
+duktape
e2fsprogs
ed
elilo
@@ -34,6 +37,7 @@ elvis
etc
eudev
exfatprogs
+f2fs-tools
file
findutils
floppy
@@ -47,7 +51,7 @@ gnupg
gnupg2
gnutls
gpgme
-#gpm
+gpm
gptfdisk
grep
gzip
@@ -55,10 +59,13 @@ haveged
hostname
idnkit
infozip
+inih
inotify-tools
iproute2
iptables
iputils
+jemalloc
+jfsutils
kbd
kernel-generic
kernel-firmware
@@ -68,6 +75,7 @@ kmod
krb5
less
libassuan
+libdaemon
libedit
libevent
libgcrypt
@@ -78,6 +86,7 @@ libksba
libmnl
##libmpc
libpwquality
+libseccomp
libtermcap
libunistring
libuv
@@ -85,6 +94,7 @@ lilo
logrotate
lvm2
lz4
+lzip
lzlib
mc
mdadm
@@ -94,6 +104,8 @@ mozjs52
mozjs60
mozjs68
mozjs78
+mozjs102
+mozjs115
##mpfr
mtr
nano
@@ -112,14 +124,15 @@ pam
parted
pciutils
perl
+pinentry
pkgtools
plzip
polkit
procps-ng
pth
python
-python2
-python2-module-collection
+#python2
+#python2-module-collection
python3
quota
rsync
@@ -139,14 +152,17 @@ sysvinit
sysvinit-scripts
tar
terminus-font
+tmux
traceroute
usbutils
+userspace-rcu
utempter
util-linux
wget
which
whois
zstd
+xfsprogs
xxHash
xz
# Bind needs to run at the end:
diff --git a/pkglists/multilib.lst b/pkglists/multilib.lst
index 39d6d12..171377e 100644
--- a/pkglists/multilib.lst
+++ b/pkglists/multilib.lst
@@ -34,6 +34,7 @@ plzip-compat32
util-linux-compat32
xz-compat32
# The AP/ series:
+cdparanoia-compat32
cups-compat32
cups-filters-compat32
flac-compat32
@@ -46,6 +47,7 @@ libtool-compat32
llvm-compat32
opencl-headers-compat32
# The L/ series:
+Imath-compat32
Mako-compat32
SDL2-compat32
SDL2_gfx-compat32
@@ -53,6 +55,7 @@ SDL2_image-compat32
SDL2_mixer-compat32
SDL2_net-compat32
SDL2_ttf-compat32
+aalib-compat32
alsa-lib-compat32
alsa-oss-compat32
alsa-plugins-compat32
@@ -84,6 +87,7 @@ graphene-compat32
graphite2-compat32
gtk+2-compat32
gtk+3-compat32
+gst-plugins-bad-free-compat32
gst-plugins-base-compat32
gst-plugins-base0-compat32
gst-plugins-good-compat32
@@ -94,6 +98,7 @@ gstreamer0-compat32
harfbuzz-compat32
icu4c-compat32
isl-compat32
+jansson-compat32
jasper-compat32
json-c-compat32
json-glib-compat32
@@ -111,6 +116,8 @@ libcdio-paranoia-compat32
libclc-compat32
libcroco-compat32
libdbusmenu-compat32
+libdeflate-compat32
+libdvdnav-compat32
libedit-compat32
libexif-compat32
libffi-compat32
@@ -120,9 +127,11 @@ libidn-compat32
libidn2-compat32
libieee1284-compat32
libjpeg-turbo-compat32
+libmad-compat32
libmng-compat32
libmpc-compat32
libnl3-compat32
+libnice-compat32
libnotify-compat32
libnsl-compat32
libnss_nis-compat32
@@ -139,7 +148,9 @@ libtheora-compat32
libtiff-compat32
libunistring-compat32
libunwind-compat32
+liburing-compat32
libusb-compat32
+libvisual-compat32
libvorbis-compat32
libvpx-compat32
libwebp-compat32
@@ -150,19 +161,24 @@ lmdb-compat32
lz4-compat32
lzo-compat32
mozilla-nss-compat32
+neon-compat32
ncurses-compat32
ocl-icd-compat32
openal-soft-compat32
+opencv-compat32
+openexr-compat32
openjpeg-compat32
opus-compat32
orc-compat32
pango-compat32
pcre-compat32
pcre2-compat32
+pipewire-compat32
polkit-compat32
popt-compat32
pulseaudio-compat32
python-six-compat32
+qrencode-compat32
qt-compat32
qt5-compat32
readline-compat32
@@ -173,14 +189,21 @@ seamonkey-solibs-compat32
slang-compat32
speex-compat32
speexdsp-compat32
+spirv-llvm-translator-compat32
startup-notification-compat32
svgalib-compat32
+taglib-compat32
+talloc-compat32
+tdb-compat32
+tevent-compat32
v4l-utils-compat32
+vid.stab-compat32
wavpack-compat32
woff2-compat32
xxHash-compat32
zlib-compat32
zstd-compat32
+zxing-cpp-compat32
# The N/ series:
curl-compat32
cyrus-sasl-compat32
@@ -190,6 +213,7 @@ libgcrypt-compat32
libgpg-error-compat32
libtirpc-compat32
nettle-compat32
+nghttp2-compat32
openldap-client-compat32
openldap-compat32
openssl-compat32
diff --git a/pkglists/noxbase.lst b/pkglists/noxbase.lst
index 612920e..f8bab71 100644
--- a/pkglists/noxbase.lst
+++ b/pkglists/noxbase.lst
@@ -7,14 +7,19 @@ alsa-oss
alsa-plugins
alsa-utils
audiofile
+##autoconf
+##automake
bc
##bison
brotli
+c-ares
cgmanager
db48
dbus
dbus-glib
ddrescue
+efibootmgr
+efivar
elfutils
elogind
exiv2
@@ -26,20 +31,24 @@ gamin
##gccmakedep
gdk-pixbuf2
gdk-pixbuf2-xlib
+##gettext
giflib
glib-networking
glib
glib2
glibc-i18n
##guile
+htop
icu4c
ilmbase
+iniparser
##intltool
inxi
ipw2100-fw
ipw2200-fw
isl
iw
+jansson
js185
lcms2
libX11
@@ -56,14 +65,17 @@ libcddb
libcdio
libcdio-paranoia
libcgroup
+libdeflate
libdvdnav
libdvdread
libexif
libffi
libgphoto2
+libgtop
libical
libieee1284
libimobiledevice
+libimobiledevice-glue
libjpeg-turbo
libmad
libmbim
@@ -76,6 +88,7 @@ libnih
libnl
libnl3
libnotify
+libnvme
libogg
libpcap
libpciaccess
@@ -90,10 +103,12 @@ libsndfile
libssh
libssh2
libsoup
+libsoup3
libtasn1
libtheora
libtiff
libtirpc
+##libtool
libusbmuxd
libvorbis
libvpx
@@ -104,8 +119,10 @@ libxslt
llvm
lm_sensors
lmdb
+lsof
lynx
lzo
+##m4
##make
mozilla-nss
mpg123
@@ -115,12 +132,17 @@ nettle
newt
nfs-utils
nghttp2
+nmap
+nss-mdns
+ntfs-3g
+nvme-cli
openexr
openjpeg
orc
os-prober
p11-kit
pm-utils
+pkg-config
pulseaudio
radeontool
rpcbind
@@ -130,7 +152,7 @@ smartmontools
speexdsp
sqlite
svgalib
-#tcl
+tcl
udisks
udisks2
upower
@@ -145,3 +167,4 @@ wireless-tools
wireless_tools
wpa_supplicant
zd1211-firmware
+zlib
diff --git a/pkglists/secureboot.conf b/pkglists/secureboot.conf
new file mode 100644
index 0000000..a81a7c2
--- /dev/null
+++ b/pkglists/secureboot.conf
@@ -0,0 +1,12 @@
+# If 'SL_REPO_URL' is a rsync:// URL and 'SL_REPO' points to a non-existent
+# or empty directory, then the content of 'SL_REPO_URL' will be rsync-ed
+# to the local directory 'SL_REPO'.
+SL_REPO_URL="rsync://slackware.uk/people/alien/sbrepos/${SL_VERSION}/${SL_ARCH}"
+SL_REPO="/var/cache/liveslak/sbrepos/${SL_VERSION}/${SL_ARCH}"
+
+# Package root directory:
+SL_PKGROOT=${SL_REPO}
+
+# Patches root directory:
+SL_PATCHROOT=""
+
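Review bot: `SL_REPO_URL` uses a plain `rsync://` source, which provides neither server authentication nor transport integrity, and this repository appears to feed the Secure Boot tooling named in secureboot.lst (`mokutil`, `sbsigntools`). Whether the build script verifies package signatures after the sync cannot be seen from this file, so the requirement should at least be written down next to the URL, for example `# NOTE: rsync:// is unauthenticated; package GPG signatures must be verified before installing from SL_REPO.` For consistency with the two assignments above it, `SL_PKGROOT=${SL_REPO}` could also be written `SL_PKGROOT="${SL_REPO}"`.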
diff --git a/pkglists/secureboot.lst b/pkglists/secureboot.lst
new file mode 100644
index 0000000..260a246
--- /dev/null
+++ b/pkglists/secureboot.lst
@@ -0,0 +1,3 @@
+mokutil
+sbsigntools
+
diff --git a/pkglists/x_base.lst b/pkglists/x_base.lst
index 273074a..07a6ab8 100644
--- a/pkglists/x_base.lst
+++ b/pkglists/x_base.lst
@@ -1,5 +1,6 @@
ConsoleKit2
GConf
+Imath
Mako
SDL2
SDL2_gfx
@@ -23,6 +24,7 @@ cdrtools
compositeproto
cups
cups-filters
+cxxopts
damageproto
dbus-python
dejavu-fonts-ttf
@@ -45,7 +47,7 @@ font-alias
#font-bh-75dpi
#font-bh-lucidatypewriter-100dpi
#font-bh-lucidatypewriter-75dpi
-#font-bh-ttf
+font-bh-ttf
#font-bitstream-75dpi
font-bitstream-100dpi
#font-bitstream-type1
@@ -62,11 +64,12 @@ fribidi
fslsfonts
fstobdf
gcr
+gcr4
gd
gegl
gexiv2
-#ghostscript
-#ghostscript-fonts-std
+ghostscript
+ghostscript-fonts-std
glew
glproto
glu
@@ -78,17 +81,19 @@ gobject-introspection
graphene
graphite2
gsettings-desktop-schemas
+gst-plugins-bad-free
gst-plugins-base
gst-plugins-base0
gst-plugins-good
gst-plugins-good0
gstreamer
gstreamer0
-#gtk+
+gtk+
gtk+2
gtk+3
gtksourceview3
gtkspell
+gtkspell3
gvfs
harfbuzz
hicolor-icon-theme
@@ -140,17 +145,19 @@ libXvMC
libXxf86dga
libXxf86misc
libXxf86vm
+libappindicator
libart_lgpl
libbluray
libcaca
libcanberra
libcap-ng
+libclc
libcroco
libdbusmenu
libdmx
libdrm
libepoxy
-#liberation-fonts-ttf
+liberation-fonts-ttf
libevdev
libfakekey
libfontenc
@@ -159,6 +166,7 @@ libglvnd
libgnome-keyring
libgsf
libidl
+libindicator
libinput
libiodbc
libmng
@@ -175,6 +183,7 @@ libwebp
libwmf
libwnck
libwnck3
+libxcvt
libxkbcommon
libxkbfile
libxklavier
@@ -206,14 +215,17 @@ pycairo
pygobject
pygobject3
pygtk
+python2-pycairo
+python-MarkupSafe
python-distro
+qrencode
randrproto
recordproto
rendercheck
renderproto
resourceproto
rgb
-#sazanami-fonts-ttf
+sazanami-fonts-ttf
sbc
scrnsaverproto
sdl
@@ -223,19 +235,22 @@ shared-mime-info
showfont
sinhala_lklug-font-ttf
smproxy
+sof-firmware
speex
+spirv-llvm-translator
startup-notification
t1lib
talloc
tdb
tevent
-#tibmachuni-font-ttf
+tibmachuni-font-ttf
ttf-indic-fonts
videoproto
viewres
vte
+vulkan-sdk
wayland
-#wqy-zenhei-font-ttf
+wqy-zenhei-font-ttf
x11-skel
x11perf
xauth
diff --git a/pkglists/xapbase.lst b/pkglists/xapbase.lst
index 9bd2893..03d497b 100644
--- a/pkglists/xapbase.lst
+++ b/pkglists/xapbase.lst
@@ -16,21 +16,25 @@ geeqie
gimp
gkrellm
glibmm
-#gnuchess
+gnuchess
gparted
gtkmm3
-#gucharmap
+gucharmap
gv
hexchat
imagemagick
-jansson
+# Needed in Core OS, moved to noxbase:
+#jansson
libcue
-#libnice
+libgnt
+libnice
libnma
+libptytty
libsigc++
libsigc++3
+libsodium
libzip
-#lftp
+lftp
mozilla-firefox
#mozilla-thunderbird
network-manager-applet
@@ -38,22 +42,29 @@ pangomm
pavucontrol
pidgin
polkit-gnome
+python-cffi
+python-pycparser
rdesktop
-#rxvt
-#rxvt-unicode
+ruby
+rxvt
+rxvt-unicode
sane
+#seamonkey
seamonkey-solibs
tigervnc
-#vim
-#vim-gvim
+vid.stab
+vim
+vim-gvim
x11-ssh-askpass
-#x3270
-#xaos
+x3270
+xaos
#xfractint
xgames
-#xlockmore
-#xmms
+xlockmore
+xmms
#xpaint
+xorriso
# Now needs qt:
#xpdf
-#xsane
+# Needs gimp:
+xsane
diff --git a/pkglists/z00_plasma5supp.lst b/pkglists/z00_plasma5supp.lst
index 35fb126..ff1b96b 100644
--- a/pkglists/z00_plasma5supp.lst
+++ b/pkglists/z00_plasma5supp.lst
@@ -1,6 +1,7 @@
#
# Libraries and programs to support a basic Plasma5 installation:
#
+#Imath
#LibRaw
PyQt5
QScintilla
@@ -8,46 +9,78 @@ QtAV
accountsservice
cdparanoia
cfitsio
+cldr-emoji-annotation
cryfs
cryptopp
+daemon
#djvulibre
dotconf
dvdauthor
ebook-tools
+editorconfig-core-c
#exiv2
+fcitx
+fcitx-anthy
+fcitx-configtool
+fcitx-hangul
+fcitx-kkc
+fcitx-libpinyin
+fcitx-m17n
+fcitx-qt5
+fcitx-sayura
+fcitx-table-extra
+fcitx-table-other
+fcitx-unikey
fluxbox
-font-bh-ttf
+# x_base:
+#font-bh-ttf
font-bitstream-type1
font-xfree86-type1
+freerdp
frei0r-plugins
fuse
-ghostscript
-ghostscript-fonts-std
+# x_base:
+#ghostscript
+#ghostscript-fonts-std
gmp
#gpgme
grantlee
groff
gtkmm2
-gucharmap
+# xapbase:
+#gucharmap
hack-fonts-ttf
hyphen
+ibus
+ibus-anthy
+ibus-hangul
+ibus-kkc
+ibus-libpinyin
+ibus-m17n
+ibus-table
+ibus-unikey
id3lib
#json-glib
kdsoap
libXcm
-libappindicator
libburn
libdbusmenu-qt
libdmtx
-liberation-fonts-ttf
+# x_base:
+#liberation-fonts-ttf
libid3tag
-libindicator
-libnice
+libkkc
+libkkc-data
+# xapbase:
+#libnice
liboggz
+libpinyin
libqalculate
libraw1394
libsass
+#libseccomp
libspectre
+liburing
libva-utils
libvncserver
libyaml
@@ -68,28 +101,38 @@ phonon-vlc
pipewire
polkit-qt-1
#poppler
+python2
+python2-module-collection
python-six
pyxdg
+python-Jinja2
+python-PyYAML
+python-doxypypy
+python-doxyqml
qca
-qrencode
+#qrencode
qt5
qt5-webkit
qtkeychain
rttr
-ruby
+#ruby
rxvt
-rxvt-unicode
+# xapbase:
+#libptytty
+#rxvt-unicode
#sane
-sazanami-fonts-ttf
+# x_base:
+#sazanami-fonts-ttf
sip
+skkdic
sox
ssr
taglib
taglib-extras
-vid.stab
-vim
-vim-gvim
-vulkan-sdk
+# x_base:
+#vim
+#vim-gvim
+#vulkan-sdk
woff2
xcb-util-cursor
xcb-util-errors
@@ -98,8 +141,8 @@ xcb-util-renderutil
xcb-util-wm
xcm
xconsole
+xdg-desktop-portal
xdg-user-dirs
xedit
xine-lib
xpdf
-xsane
diff --git a/pkglists/z01_plasma5base.lst b/pkglists/z01_plasma5base.lst
index 8827d88..bb5c62c 100644
--- a/pkglists/z01_plasma5base.lst
+++ b/pkglists/z01_plasma5base.lst
@@ -44,6 +44,8 @@ kidletime
kimageformats
kinit
kio
+kio-admin
+kirigami-addons
kirigami2
kitemmodels
kitemviews
@@ -74,6 +76,7 @@ kxmlrpcclient
modemmanager-qt
networkmanager-qt
oxygen-icons5
+oxygen-sounds
plasma-framework
prison
purpose
@@ -157,16 +160,19 @@ khelpcenter
khotkeys
kinfocenter
kmenuedit
+kpipewire
kscreen
kscreenlocker
ksshaskpass
ksysguard
+ksystemstats
kwallet-pam
kwayland
kwayland-integration
kwayland-server
kwin
kwrited
+layer-shell-qt
libkscreen
libksysguard
milou
@@ -270,6 +276,7 @@ kgpg
#killbots
kimagemapeditor
kio-extras
+kio-zeroconf
kirigami-gallery
#kiriki
#kiten
@@ -307,6 +314,7 @@ krdc
#kreversi
krfb
#kruler
+ksanecore
#kshisen
#ksirk
#ksnakeduel
@@ -348,12 +356,16 @@ okular
#poxml
print-manager
#rocs
+skanlite
+skanpage
spectacle
#step
#svgpart
#sweeper
#umbrello
+#zanshin
zeroconf-ioslave
+zxing-cpp
# applications-extra:
#alkimia
@@ -361,6 +373,13 @@ zeroconf-ioslave
#calligraplan
#digikam
falkon
+ktextaddons
+kColorPicker
+kImageAnnotator
+#immer
+#lager
+#libunibreak
+#zug
#krita
#kdev-php
#kdev-python
@@ -372,7 +391,7 @@ falkon
#kile
#kjots
#kmymoney
-#kpmcore
+kpmcore
#krename
#krusader
#kstars
@@ -381,7 +400,6 @@ falkon
#kuser
libktorrent
#partitionmanager
-skanlite
# Issues with 3 files in the squashfs module missing the last character:
plasma-workspace
diff --git a/pkglists/z01_plasma5extra.lst b/pkglists/z01_plasma5extra.lst
index 48d10f2..744e3f6 100644
--- a/pkglists/z01_plasma5extra.lst
+++ b/pkglists/z01_plasma5extra.lst
@@ -1,3 +1,6 @@
elisa
+#kColorPicker
+#kImageAnnotator
kdenlive
+keysmith
kwave
diff --git a/pkglists/z01_swdev.lst b/pkglists/z01_swdev.lst
index cedcb69..7542118 100644
--- a/pkglists/z01_swdev.lst
+++ b/pkglists/z01_swdev.lst
@@ -3,15 +3,28 @@ glibc
libmpc
mpfr
# noxbase.lst:
+autoconf
+automake
bison
flex
gcc
gccmakedep
+gettext
guile
intltool
+libtool
+lua
+m4
make
+python-build
+python-flit-core
+python-glad2
+python-installer
+python-lxml
+python-pyproject-hooks
+python-tomli-w
+python-wheel
# z00_plasma5supp.lst:
gcc-g++
gcc-gfortran
-
diff --git a/pkglists/z02_alien4daw.lst b/pkglists/z02_alien4daw.lst
index c5895e0..1f3823c 100644
--- a/pkglists/z02_alien4daw.lst
+++ b/pkglists/z02_alien4daw.lst
@@ -6,7 +6,7 @@ fdk-aac
gst-plugins-ffmpeg0
mbedtls
obs-studio
-openjdk
+openjdk11
openconnect
soxr
unrar
diff --git a/pkglists/z02_alienrest4daw.lst b/pkglists/z02_alienrest4daw.lst
index 1310653..ebc2f27 100644
--- a/pkglists/z02_alienrest4daw.lst
+++ b/pkglists/z02_alienrest4daw.lst
@@ -1,2 +1,3 @@
ffmpeg
+libfdk-aac
vlc
diff --git a/pkglists/z03_daw.lst b/pkglists/z03_daw.lst
index fe551cc..efe3cd2 100644
--- a/pkglists/z03_daw.lst
+++ b/pkglists/z03_daw.lst
@@ -7,6 +7,7 @@ ardour
aubio
audacity
avldrums.lv2
+boca
cadence
calf
capnproto
@@ -15,25 +16,34 @@ cecilia5
chromaprint
cuetools
daw_base
+dblatex
+dgedit
+drumgizmo
drumstick
dssi
+elektroid
eq10q
faad2
faust
+freac
+frescobaldi
geonkick
giada
glfw
+guile1.8
guitarix
gxplugins.lv2
helm
hidapi
hydrogen
jack_capture
+jack-example-tools
jack2
jamulus
jq
ladspa_sdk
libconfig
+libcyaml
libfishsound
libgig
liblo
@@ -44,8 +54,11 @@ libmicrohttpd
libmodplug
libmp4v2
libmpdclient
+libsbsms
+libsmf
libwebsockets
lilv
+lilypond
linuxsampler
lsp-plugins
lv2
@@ -56,44 +69,66 @@ mpc
muse
musescore
mxml
+noise-repellent
non-daw
ntk
+pipewire-jack
portaudio
portmidi
+portsmf
protobuf
pulseaudio-jack
+python-attrdict
+python-ly
python-numpy
python-pathlib2
+python-poppler-qt5
+python-pygame
python-pyliblo
python-pyo
qjackctl
qmidiarp
+qpageview
qsampler
qsynth
qtractor
rapidjson
raptor2
redkite
+rosegarden
rtaudio
rtmidi
rubberband
sc3-plugins
serd
shntool
+smooth
sonic-pi
sonic-visualiser
sord
+soundfont-unison
soundtouch
+speex
sratom
suil
supercollider
+twolame
+uriparser
vamp-aubio-plugins
vamp-plugin-sdk
vcvrack
vcvrack-audible-instruments
vcvrack-befaco
vcvrack-bogaudio
+vcvrack-countmodula
vcvrack-impromptu-modular
+vcvrack-mental
+vcvrack-mindmeldmodular
+vcvrack-modularfungi
+vcvrack-packone
+vcvrack-squinkyvcv
+vcvrack-studiosixplusone
+vcvrack-valley
vmpk
wxGTK3
wxpython
diff --git a/pxeserver.tpl b/pxeserver.tpl
index 3a9c206..46e19ee 100755
--- a/pxeserver.tpl
+++ b/pxeserver.tpl
@@ -1,6 +1,6 @@
#!/bin/sh
#
-# Copyright 2011, 2016, 2017, 2019 Eric Hameleers, Eindhoven, NL
+# Copyright 2011, 2016, 2017, 2019, 2023 Eric Hameleers, Eindhoven, NL
# Copyright 2011 Patrick Volkerding, Sebeka, Minnesota USA
# All rights reserved.
#
@@ -43,6 +43,8 @@
# - The script will detect if you have an outside network connection on
# another interface and will enable IP forwarding if needed, so that the
# PXE clients will also have network access.
+# - Optionally, the script can hide its PXE clients behind a NAT router
+# in case external network is not accessible via normal routing.
# - The Live OS booted via pxelinux is configured with additional boot
# parameters:
# * nfsroot=${LOCAL_IPADDR}:/mnt/livemedia
@@ -83,6 +85,14 @@ GLOBAL_GW_INT=""
GLOBAL_GATEWAY=""
LOCAL_GATEWAY=""
+# Defining more global variables ahead of time:
+LOCAL_IPADDR=""
+LOCAL_NETMASK=""
+LOCAL_NETWORK=""
+
+# The script optionally configures a NAT gateway:
+ENABLE_NAT="no"
+
# The Slackware setup depends on english language settings because it
# parses program output like that of "fdisk -l". So, we need to override
# the Live user's local language settings here:
@@ -128,10 +138,25 @@ if [ -n "$PXETXTSRC" ]; then
fi
# For UEFI computers:
+if [ ! -f /mnt/livemedia${UEFIPREFIX}/SLACKWARELIVE ]; then
+ # We boot from a USB stick created with isu2usb.sh:
+ if ! mount |grep -q 'on /boot/efi' ; then
+ # USB EFI partition is not yet mounted, let's find where it is:
+ LIVEPART="$(df -P /mnt/livemedia/ |tail -n1 |cut -d' ' -f1)"
+ USBDEV="/dev/$(lsblk -no pkname ${LIVEPART=})"
+ EFIPART="$(blkid -t PARTLABEL="EFI System Partition" ${USBDEV=}* |cut -d: -f1)"
+ mkdir -p /boot/efi
+ mount -t vfat -o defaults ${EFIPART} /boot/efi
+ fi
+ UEFI_TFTP="/boot/efi"
+else
+ UEFI_TFTP="/mnt/livemedia"
+fi
+# Allow the boot files to be served by tftp:
mkdir -p /var/lib/tftpboot${UEFIPREFIX}
-ln -sf /mnt/livemedia${UEFIPREFIX}/@MARKER@ /var/lib/tftpboot${UEFIPREFIX}/
-ln -sf /mnt/livemedia${UEFIPREFIX}/bootx64.efi /var/lib/tftpboot${UEFIPREFIX}/
-ln -sf /mnt/livemedia${UEFIPREFIX}/theme /var/lib/tftpboot${UEFIPREFIX}/
+ln -sf ${UEFI_TFTP}${UEFIPREFIX}/SLACKWARELIVE /var/lib/tftpboot${UEFIPREFIX}/
+ln -sf ${UEFI_TFTP}${UEFIPREFIX}/bootx64.efi /var/lib/tftpboot${UEFIPREFIX}/
+ln -sf ${UEFI_TFTP}${UEFIPREFIX}/theme /var/lib/tftpboot${UEFIPREFIX}/
#
# Function definitions:
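Review bot: `EFIPART` is passed to `mount` unchecked in the new USB branch. If `blkid` finds no partition with that label, or finds several, the mount fails or gets extra arguments, yet `UEFI_TFTP` is still set to `/boot/efi` and the three `ln -sf` lines then publish dangling links under the tftp root. I would test the lookup result, quote the expansions (`${LIVEPART=}` and `${USBDEV=}` look like typos for `${LIVEPART}` and `${USBDEV}`), and mount the ESP read-only if nothing else in the Live session needs to write to it, since here it is only served over tftp. The comment also says `isu2usb.sh` where `iso2usb.sh` seems to be meant.

```shell
    # … unchanged: LIVEPART lookup via df …
    USBDEV="/dev/$(lsblk -no pkname "${LIVEPART}")"
    EFIPART="$(blkid -t PARTLABEL="EFI System Partition" "${USBDEV}"* |head -n1 |cut -d: -f1)"
    if [ -n "${EFIPART}" ]; then
      mkdir -p /boot/efi
      # Only read by the tftp server, so a writable ESP is not needed:
      mount -t vfat -o ro "${EFIPART}" /boot/efi
    else
      echo "WARNING: no EFI System Partition found on ${USBDEV}; UEFI boot files will be missing." >&2
    fi
```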
@@ -168,7 +193,7 @@ int_to_ip() {
echo $(($1>>24)).$(($1>>16&0xff)).$(($1>>8&0xff)).$(($1&0xff))
}
-# Find the location of the dhcpcd PID file:
+# Find out whether the interface is managed by DHCP:
get_dhcpcd_pid() {
# Find the location of the PID file of dhcpcd:
MYDEV="$1"
@@ -180,6 +205,20 @@ get_dhcpcd_pid() {
echo "/run/dhcpcd-${MYDEV}.pid"
elif [ -s /run/dhcpcd-${MYDEV}-4.pid ]; then
echo "/run/dhcpcd-${MYDEV}-4.pid"
+ elif [ -s /run/${MYDEV}.pid ]; then
+ echo "/run/${MYDEV}.pid"
+ else
+ echo UNKNOWNLOC
+ fi
+}
+
+# Find out whether the interface is managed by DHCP:
+get_nm_internal_lease() {
+ # Find the lease of NetworkManager internal dhcp client:
+ MYDEV="$1"
+ if [ -s /var/lib/NetworkManager/intern*-${MYDEV}.lease ]; then
+ # NM is indeed managing this interface:
+ echo "$(ls --indicator-style=none /var/lib/NetworkManager/intern*-${MYDEV}.lease)"
else
echo UNKNOWNLOC
fi
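Review bot: The glob inside `[ -s /var/lib/NetworkManager/intern*-${MYDEV}.lease ]` in `get_nm_internal_lease` breaks as soon as more than one lease file matches, because `[` then receives several operands and errors out, and the `ls` line would print several paths. The caller added in the `@@ -392,9 +434,11 @@` hunk feeds that output unquoted into another `[ -s … ]`, so the DHCP-server decision would rest on a failed test. Looping over the matches and returning the first non-empty one avoids both problems. The header comment "Find out whether the interface is managed by DHCP" now appears on both functions; the one on `get_dhcpcd_pid` would be clearer as `# Find the dhcpcd PID file for the interface, if any:`. The closing brace of the function lies outside this hunk.

```shell
get_nm_internal_lease() {
  # Find the lease of NetworkManager internal dhcp client:
  MYDEV="$1"
  for MYLEASE in /var/lib/NetworkManager/intern*-"${MYDEV}".lease ; do
    if [ -s "${MYLEASE}" ]; then
      # NM is indeed managing this interface:
      echo "${MYLEASE}"
      return
    fi
  done
  echo UNKNOWNLOC
```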
@@ -199,7 +238,7 @@ devconfig() {
elif ! ip -f inet -o addr show |grep -v " lo " |grep -qw 172.16 ; then
MYIP="172.16.10.10"
else
- MYIP="10.10.10.10"
+ MYIP="10.16.10.10"
fi
# Main loop IP configuration:
@@ -300,17 +339,20 @@ EOF
dhcpcd -k $MYIF 1>/dev/null 2>&1
rm -f /run/dhcpcd/dhcpcd-${MYIF}.pid 2>/dev/null
rm -f /run/dhcpcd-${MYIF}.pid 2>/dev/null
+ rm -f /run/${MYIF}.pid 2>/dev/null
# Broadcast and network are derived from IP and netmask:
- LOCAL_BROADCAST=$(ipmask $LOCAL_NETMASK $LOCAL_IPADDR | cut -f 1 -d ' ')
- LOCAL_NETWORK=$(ipmask $LOCAL_NETMASK $LOCAL_IPADDR | cut -f 2 -d ' ')
+ LOCAL_BROADCAST="$(ipmask $LOCAL_NETMASK $LOCAL_IPADDR | cut -f 1 -d ' ')"
+ LOCAL_NETWORK="$(ipmask $LOCAL_NETMASK $LOCAL_IPADDR | cut -f 2 -d ' ')"
if [ -x /etc/rc.d/rc.networkmanager 2>/dev/null ]; then
# Use nmcli to reconfigure NetworkManager:
- nmcli con add con-name pxe-${MYIF} ifname ${MYIF} type ethernet ip4 $LOCAL_IPADDR/$(mask_cvt $LOCAL_NETMASK)
+ nmcli con add save no con-name pxe-${MYIF} ifname ${MYIF} type ethernet
+ nmcli con mod pxe-${MYIF} ipv4.addresses ${LOCAL_IPADDR}/$(mask_cvt ${LOCAL_NETMASK}) ipv4.method manual connection.autoconnect no
if [ "x$GLOBAL_GATEWAY" = "x" -a "x$LOCAL_GATEWAY" != "x" ]; then
nmcli con mod pxe-${MYIF} ipv4.gateway $LOCAL_GATEWAY
fi
- nmcli dev connect ${MYIF}
+ nmcli con up pxe-${MYIF}
+ if [ $DEBUG -ne 0 ]; then read -p "Press ENTER to continue: " JUNK ; fi
else
# Use ifconfig and route commands:
ifconfig $MYIF $LOCAL_IPADDR netmask $LOCAL_NETMASK broadcast $LOCAL_BROADCAST
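Review bot: The added pause `if [ $DEBUG -ne 0 ]; then read -p …` expands `DEBUG` unquoted, so an unset or empty value gives a `[` syntax error in the middle of the NetworkManager reconfiguration. Where `DEBUG` is initialised is not visible in this hunk, so a default is the safer form: `if [ "${DEBUG:-0}" -ne 0 ]; then read -p "Press ENTER to continue: " JUNK ; fi`. `read -p` is also not available in every `/bin/sh`, which matters only if the script is ever run with a shell other than bash. The enclosing function starts and ends outside this hunk.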
@@ -392,9 +434,11 @@ Alternate keys may also be used: '+', '-', and TAB." 13 72 9 \
# We now know what network interface to use.
#
- # If dhcpcd is running, it likely has a lease from a LAN DHCP server,
- # so we should not activate another DHCP server ourselves now:
- if [ -s $(get_dhcpcd_pid ${INTERFACE}) -a -n "$(ps -q $(cat $(get_dhcpcd_pid ${INTERFACE})) -o comm=)" ]; then
+ # If our interface is configured by DHCP, it likely has a lease from a
+ # LAN DHCP server, so we should not activate another DHCP server ourself now:
+ if [ -s $(get_dhcpcd_pid ${INTERFACE}) -a -n "$(ps -q $(cat $(get_dhcpcd_pid ${INTERFACE})) -o comm= 2>/dev/null)" ]; then
+ OWNDHCP="no"
+ elif [ -s $(get_nm_internal_lease ${INTERFACE}) ]; then
OWNDHCP="no"
else
# Assume nothing... we will ask the user for confirmation later!
@@ -439,6 +483,23 @@ not in reach of any DHCP server." 13 68
fi
fi
+ if [ "$OWNDHCP" == "yes" ]; then
+ if [ "$INTERFACE" != "$GLOBAL_GW_INT" ]; then
+ # The default gateway for this computer is on another interface;
+ $DIALOG --title "ENABLE NAT FIREWALL" --defaultno --yesno " \
+This computer's default gateway is network interface ${GLOBAL_GW_INT}. \
+The network behind the PXE server's interface ${INTERFACE} seems to be isolated.\n\
+Do you want to hide your PXE clients behind a NAT gateway?\n\
+This may be helpful if PXE clients cannot reach the external network otherwise.\n\
+Say 'NO' if you are not sure which is best." 12 68
+ if [ $? = 0 ]; then
+ ENABLE_NAT="yes"
+ else
+ ENABLE_NAT="no"
+ fi
+ fi
+ fi
+
# Assemble the network parameters:
LOCAL_IPADDR=$(ip -f inet -o addr show ${INTERFACE} |tr -s ' ' |head -1 |cut -f4 -d' ' |cut -f1 -d/)
if [ "x$LOCAL_IPADDR" = "x" ]; then # no IP Address was configured?!?
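Review bot: The new NAT prompt is shown whenever `$INTERFACE` differs from `$GLOBAL_GW_INT`, which is also true when `GLOBAL_GW_INT` is still the empty string it is initialised to, i.e. when the machine has no default gateway at all. In that case the dialog names an empty interface and `ENABLE_NAT="yes"` can be selected with no upstream to translate to; this is inferred, since the place where `GLOBAL_GW_INT` is filled in lies outside the hunk. The test `[ "$OWNDHCP" == "yes" ]` also uses `==`, while the rest of this `#!/bin/sh` script uses `=`. Both can be covered in one condition: `if [ "$OWNDHCP" = "yes" -a -n "$GLOBAL_GW_INT" -a "$INTERFACE" != "$GLOBAL_GW_INT" ]; then`.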
@@ -568,9 +629,9 @@ dhcp-leasefile=$TMP/pxe_dnsmasq.leases
# Test for the architecture of a netboot client. PXE clients are
# supposed to send their architecture as option 93. (See RFC 4578) .
-# The known types are x86PC, PC98, IA64_EFI, Alpha, Arc_x86,
+# The known types are X86PC, PC98, IA64_EFI, Alpha, Arc_x86,
# Intel_Lean_Client, IA32_EFI, BC_EFI, Xscale_EFI and X86-64_EFI
-dhcp-match=x86PC, option:client-arch, 0 #BIOS x86
+dhcp-match=X86PC, option:client-arch, 0 #BIOS x86
dhcp-match=BC_EFI, option:client-arch, 7 #EFI Byte Code
dhcp-match=X86-64_EFI, option:client-arch, 9 #EFI x86_64
@@ -600,13 +661,14 @@ pxe-service=X86PC, "Boot from local hard disk", 0
# The above 'pxe-service' menu does not always work for UEFI-based clients,
# so alternatively you could implement a combination of 'dhcp-match' and
# 'dhcp-boot' to provide a boot image. Here is a commented-out example:
-#dhcp-match=set:efi-x86_64,option:client-arch,7
-#dhcp-match=set:efi-x86_64,option:client-arch,9
-#dhcp-match=set:efi-x86,option:client-arch,6
-#dhcp-match=set:bios,option:client-arch,0
-#dhcp-boot=tag:efi-x86_64,"${UEFIPREFIX}/bootx64.efi"
-#dhcp-boot=tag:efi-x86,"${UEFIPREFIX}/bootia32.efi"
-#dhcp-boot=tag:bios,"bios/lpxelinux.0"
+#dhcp-match=set:BC_EFI,option:client-arch,7
+#dhcp-match=set:X86-64_EFI,option:client-arch,9
+#dhcp-match=set:X86_EFI,option:client-arch,6
+#dhcp-match=set:X86PC,option:client-arch,0
+#dhcp-boot=tag:X86-64_EFI,"${UEFIPREFIX}/bootx64.efi,${LOCAL_IPADDR}"
+#dhcp-boot=tag:BC_EFI,"${UEFIPREFIX}/bootx64.efi,${LOCAL_IPADDR}"
+#dhcp-boot=tag:X86_EFI,"${UEFIPREFIX}/bootia32.efi,${LOCAL_IPADDR}"
+#dhcp-boot=tag:X86PC,"pxelinux.0,${LOCAL_IPADDR}"
EOF
@@ -667,7 +729,7 @@ F4 f4.txt #00000000
menu hshift 1
menu vshift 9
-menu width 45
+menu width 55
menu margin 1
menu rows 10
menu helpmsgrow 14
@@ -697,7 +759,7 @@ menu color help 37;40 #ff354172 #00000000 none
label pxelive
menu label Boot @CDISTRO@ Linux Live (@LIVEDE@) from network
kernel /generic
- append initrd=/initrd.img load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 nfsroot=${LOCAL_IPADDR}:/mnt/livemedia luksvol= nop hostname=@DISTRO@ tz=$(cat /etc/timezone) locale=${SYSLANG:-"en_US.UTF-8"} kbd=${KBD:-"us"}
+ append initrd=/initrd.img @KAPPEND@ load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 nfsroot=${LOCAL_IPADDR}:/mnt/livemedia luksvol= nop hostname=@DISTRO@ tz=$(cat /etc/timezone) locale=${SYSLANG:-"en_US.UTF-8"} kbd=${KBD:-"us"}
EOF
# And a Grub configuration for UEFI boot:
@@ -725,6 +787,8 @@ insmod ext2
# Determine whether we can show a graphical themed menu:
insmod font
if loadfont \$prefix/theme/dejavusansmono12.pf2 ; then
+ loadfont \$prefix/theme/dejavusansmono24.pf2
+ loadfont \$prefix/theme/dejavusansmono20.pf2
loadfont \$prefix/theme/dejavusansmono10.pf2
loadfont \$prefix/theme/dejavusansmono5.pf2
set font="DejaVu Sans Mono Regular 12"
@@ -743,7 +807,7 @@ set gfxpayload=keep
menuentry 'Boot @CDISTRO@ Linux Live (@LIVEDE@) from network' --class slackware --class gnu-linux --class gnu --class os {
echo "Loading @CDISTRO@ kernel"
- linux generic load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 nfs root=${LOCAL_IPADDR}:/mnt/livemedia luksvol= nop hostname=@DISTRO@ tz=$(cat /etc/timezone) locale=${SYSLANG:-"en_US.UTF-8"} kbd=${KBD:-"us"}
+ linux generic @KAPPEND@ load_ramdisk=1 prompt_ramdisk=0 rw printk.time=0 nfsroot=${LOCAL_IPADDR}:/mnt/livemedia luksvol= nop hostname=@DISTRO@ tz=$(cat /etc/timezone) locale=${SYSLANG:-"en_US.UTF-8"} kbd=${KBD:-"us"}
initrd initrd.img
echo "Booting @CDISTRO@ kernel"
}
@@ -764,7 +828,7 @@ while [ 0 ]; do
--menu \
"Welcome to @CDISTRO@ Linux Live PXE Server.\n\
Select an option below using the UP/DOWN keys and SPACE or ENTER.\n\
-Alternate keys may also be used: '+', '-', and TAB." 13 72 9 \
+Alternate keys may also be used: '+', '-', and TAB." 11 72 7 \
"NETWORK" "Configure your network parameters" \
"ACTIVATE" "Activate the @CDISTRO@ PXE Server" \
"EXIT" "Exit @CDISTRO@ PXE Setup" 2> $TMP/hdset
@@ -805,7 +869,11 @@ Press ENTER to return to the main menu." 14 68
Ready to start the PXE Server!\n\
The PXE server log will be displayed in the next screen.
\n\
-Press ENTER to start." 14 68
+Press ENTER to start or ESCAPE to return to the main menu." 14 68
+ if [ $? -ne 0 ]; then
+ # User did not press ENTER, let's return to main menu:
+ continue
+ fi
fi
# Time to start the BOOTP/TFTP/NFS servers:
@@ -824,9 +892,16 @@ EOT
# we need to enable forwarding:
OLDROUTING=$(cat /proc/sys/net/ipv4/ip_forward)
echo 1 > /proc/sys/net/ipv4/ip_forward
- # also start the route daemon:
- if [ -z "$(pidof routed)" ]; then
- /usr/sbin/routed -g -s
+ if [ "${ENABLE_NAT}" == "yes" ]; then
+ # Add NAT firewall rule:
+ iptables -t nat -A POSTROUTING -o ${GLOBAL_GW_INT} -j MASQUERADE
+ iptables -A FORWARD -p ALL -i ${GLOBAL_GW_INT} -j ACCEPT
+ iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i ${GLOBAL_GW_INT} -j ACCEPT
+ else
+ if [ -z "$(pidof routed)" ]; then
+ # Also start the route daemon:
+ /usr/sbin/routed -g -s /var/log/routed_pxeserver.log
+ fi
fi
else
OLDROUTING=""
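Review bot: The rule `iptables -A FORWARD -p ALL -i ${GLOBAL_GW_INT} -j ACCEPT` accepts every packet that arrives on the gateway-side interface for forwarding, which makes the ESTABLISHED,RELATED rule after it redundant and lets hosts on the upstream network open new connections towards the PXE clients. If the intent is outbound NAT for the clients, the unrestricted rule would normally match the PXE-facing side, e.g. `iptables -A FORWARD -i ${INTERFACE} -o ${GLOBAL_GW_INT} -j ACCEPT` (assuming `${INTERFACE}` is the PXE LAN interface, which these lines do not show), leaving only the state rule on `-i ${GLOBAL_GW_INT}`. The matching `-D` lines in the teardown hunk (`@@ -838,8 +913,16 @@`) would have to change in step. That teardown appears to run only after the log viewer exits, so an interrupted script would leave the rules and `ip_forward=1` behind. The enclosing `if` starts outside the hunk.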
@@ -838,8 +913,16 @@ EOT
--ok-label "EXIT" \
--tailbox /var/log/pxe_dnsmasq.log 20 68
- # Time to kill the BOOTP/TFTP/NFS servers:
- [ -n "$OLDROUTING" ] && echo $OLDROUTING > /proc/sys/net/ipv4/ip_forward
+ # Time to kill the BOOTP/TFTP/NFS servers and revert network settings:
+ if [ "${ENABLE_NAT}" == "yes" ]; then
+ # Remove NAT firewall rule:
+ iptables -D FORWARD -m state --state ESTABLISHED,RELATED -i ${GLOBAL_GW_INT} -j ACCEPT
+ iptables -D FORWARD -p ALL -i ${GLOBAL_GW_INT} -j ACCEPT
+ iptables -t nat -D POSTROUTING -o ${GLOBAL_GW_INT} -j MASQUERADE
+ fi
+ if [ -n "$OLDROUTING" ]; then
+ echo $OLDROUTING > /proc/sys/net/ipv4/ip_forward
+ fi
kill -TERM $(cat ${TMP}/pxe_dnsmasq.pid)
sh /etc/rc.d/rc.nfsd stop
sed -i -e "s%^/mnt/livemedia.*%#&%" /etc/exports
@@ -847,6 +930,18 @@ EOT
if [ "$MAINSELECT" = "EXIT" ]; then
clear
+
+ if [ -x /etc/rc.d/rc.networkmanager 2>/dev/null ]; then
+ # Use nmcli to remove the NetworkManager connection:
+ nmcli con down pxe-${INTERFACE}
+ nmcli con del pxe-${INTERFACE}
+ else
+ # Manually bring the interface down:
+ dhcpcd -k ${INTERFACE} 2>/dev/null
+ ip link set dev ${INTERFACE} down
+ ip address flush dev ${INTERFACE}
+ fi
+
break
fi
diff --git a/setup2hd.local.tpl b/setup2hd.local.tpl
index 8edb7a5..7693159 100644
--- a/setup2hd.local.tpl
+++ b/setup2hd.local.tpl
@@ -50,15 +50,12 @@ live_post_install () {
cat << EOF > $TMP/tempmsg
@CDISTRO@ Live Edition (@LIVEDE@) has been installed to your hard drive!
- We installed the ${ACT_MODS} active modules (out of ${TOT_MODS} available).
+ We installed the ${ACT_MODS} active modules.
After rebooting, your installed computer will look exactly like the Live OS.
- After finishing system configuration and before rebooting, you can add any further Live modules from /@LIVEMAIN@/addons/ and /@LIVEMAIN@/optional/ to your hard drive, using a command similar to this:
- # unsquashfs -f -dest $T_PX /mnt/livemedia/@LIVEMAIN@/addons/mymodule.sxz
-
EOF
dialog --title "POST INSTALL HINTS AND TIPS" --msgbox "`cat $TMP/tempmsg`" \
- 20 65
+ 18 65
rm $TMP/tempmsg
# Setting MAINSELECT to "CONFIGURE" will call the usual Slackware
diff --git a/setup2hd.tpl b/setup2hd.tpl
index 8a47755..f87a697 100755
--- a/setup2hd.tpl
+++ b/setup2hd.tpl
@@ -97,7 +97,7 @@ sleep 1
vgchange -ay 1> /dev/null 2> /dev/null
if probe -l 2> /dev/null | grep -E 'Linux$' 1> /dev/null 2> /dev/null ; then
RUNPART=no
- probe -l 2> /dev/null | grep -E 'Linux$' | sort 1> $TMP/SeTplist 2> /dev/null
+ probe -l 2>/dev/null |grep -E 'Linux$' |sort |uniq 1>$TMP/SeTplist 2>/dev/null
${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
--title "LINUX PARTITIONS DETECTED" \
--yes-label "Continue" --no-label "Skip" --defaultno \
@@ -121,6 +121,10 @@ To do this, you'll get a chance to make these partitions now using \
'cfdisk' (MBR partitions) or 'cgdisk' (GPT partitions)." 10 64
fi
if [ -d /sys/firmware/efi ]; then
+ # First, let's make sure that efivarfs is active:
+ if [ "$(/bin/ls /sys/firmware/efi/efivars 2> /dev/null | wc -l)" = "0" ]; then
+ mount -t efivarfs none /sys/firmware/efi/efivars
+ fi
if ! probe -l 2> /dev/null | grep "EFI System Partition" 1> /dev/null 2> /dev/null ; then
RUNPART=yes
${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
@@ -156,11 +160,11 @@ ROOT_DEVICE="`mount | grep "on / " | cut -f 1 -d ' '`"
echo "$ROOT_DEVICE" > $TMP/SeTrootdev
if mount | grep /var/log/mount 1> /dev/null 2> /dev/null ; then # clear source location:
# In case of bind mounts, try to unmount them first:
- umount /var/log/mount/dev 2> /dev/null
- umount /var/log/mount/proc 2> /dev/null
- umount /var/log/mount/sys 2> /dev/null
+ umount -R /var/log/mount/dev 2> /dev/null
+ umount -R /var/log/mount/proc 2> /dev/null
+ umount -R /var/log/mount/sys 2> /dev/null
# Unmount target partition:
- umount /var/log/mount
+ umount -R /var/log/mount
fi
# Anything mounted on /var/log/mount now is a fatal error:
if mount | grep /var/log/mount 1> /dev/null 2> /dev/null ; then
@@ -260,9 +264,9 @@ Alternate keys may also be used: '+', '-', and TAB." 14 72 5 \
cat /usr/sbin/eliloconfig > $T_PX/usr/sbin/eliloconfig
fi
# Make bind mounts for /dev, /proc, and /sys:
- mount -o bind /dev $T_PX/dev 2> /dev/null
- mount -o bind /proc $T_PX/proc 2> /dev/null
- mount -o bind /sys $T_PX/sys 2> /dev/null
+ mount -o rbind /dev $T_PX/dev 2> /dev/null
+ mount -o rbind /proc $T_PX/proc 2> /dev/null
+ mount -o rbind /sys $T_PX/sys 2> /dev/null
SeTconfig
REPLACE_FSTAB=Y
if [ -r $TMP/SeTnative ]; then
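Review bot: With `rbind` the submounts of `/dev`, `/proc` and `/sys` are carried into `$T_PX`, and the `umount -R /var/log/mount` calls added in hunks `@@ -156,11 +160,11 @@` and `@@ -317,7 +321,7 @@` walk them. If any of the source mounts has shared propagation, the recursive unmount propagates back and detaches the running system's own submounts. Marking each target as a slave right after binding avoids that, e.g. `mount --make-rslave $T_PX/dev 2> /dev/null` and likewise for `proc` and `sys`. Whether the Live environment uses shared mounts is not visible here, so this may be a precaution rather than a current defect.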
@@ -317,7 +321,7 @@ if mount | grep /var/log/mntiso 1> /dev/null 2> /dev/null ; then
umount -f /var/log/mntiso
fi
if mount | grep /var/log/mount 1> /dev/null 2> /dev/null ; then
- umount /var/log/mount
+ umount -R /var/log/mount
fi
# Anything mounted on /var/log/mount now is a fatal error:
if mount | grep /var/log/mount 1> /dev/null 2> /dev/null ; then
diff --git a/setup2hd/SeTfirewall.tpl b/setup2hd/SeTfirewall.tpl
new file mode 100644
index 0000000..e2e2687
--- /dev/null
+++ b/setup2hd/SeTfirewall.tpl
@@ -0,0 +1,704 @@
+#!/bin/bash
+
+# ------------------------------------------------------------------------------
+# Configure a basic firewall,
+# by generating a set of iptables rules (ipv4 and ipv6),
+# and saving those to /etc/firewall/ipv4 and /etc/firewall/ipv6 .
+# The accompanying script /etc/rc.d/rc.firewall will restore these configs.
+#
+# This script and rc.firewall are part of liveslak,
+# a project by Eric Hameleers, see https://download.liveslak.org/
+#
+# Iptables ruleset handling courtesy of Easy Firewall Generator for IPTables,
+# Copyright 2002 Timothy Scott Morizot
+# ------------------------------------------------------------------------------
+
+# The script accepts one parameter: the target filesystem:
+DESTDIR="$1"
+
+# This tmp directory is only writable by root:
+TMP=${TMP:-"/var/log/setup/tmp"}
+if [ ! -d $TMP ]; then
+ mkdir -p $TMP
+fi
+
+# The script defaults to curses dialog but Xdialog is a good alternative:
+DIALOG=${DIALOG:-"dialog"}
+
+# The iptables tools we use:
+IPT="/usr/sbin/iptables"
+IP6T="/usr/sbin/ip6tables"
+IPTS="/usr/sbin/iptables-save"
+IP6TS="/usr/sbin/ip6tables-save"
+IPTR="/usr/sbin/iptables-restore"
+IP6TR="/usr/sbin/ip6tables-restore"
+
+# Localhost Interface
+LO_IFACE="lo"
+LO_IP="127.0.0.1"
+LO_IP6="::1"
+
+# The default gateway device will be our primary candidate to firewall:
+GWDEV=$(/sbin/ip route show |grep ^default |cut -d' ' -f5)
+
+# Generate a list of network devices, minus the default gateway and loopback:
+AVAILDEV=$(ls --indicator-style=none /sys/class/net/ |sed -e "s/${GWDEV}//" -e "s/lo//")
+
+# Store all network interfaces in an associative array:
+declare -A NETDEVARR
+NETDEVARR=( [$GWDEV]=on )
+for INDEV in $AVAILDEV ; do NETDEVARR+=( [$INDEV]=off ) ; done
+unset INDEV
+
+# Store network services in another array:
+declare -A SERVARR=(
+ ['SSH']=off
+ ['RSYNC']=off
+ ['GIT']=off
+ ['HTTP']=off
+ ['HTTPS']=off
+ ['SMTP']=off
+ ['SMPTS']=off
+ ['IMAP']=off
+ ['IMAPS']=off
+ ['NTP']=off
+)
+
+# Store the list of custom ports/port ranges:
+CUSTOM_TCP_LIST=""
+CUSTOM_UDP_LIST=""
+
+# Will we auto-configure a restrictive firewall?
+AUTOCONFIG="YES"
+
+# User pressing ESC will change the default choice in the 1st dialog:
+DEFAULTNO=""
+
+# Loop over the configuration until the user is done:
+MAINSELECT="start"
+while [ "$MAINSELECT" != "done" ]; do
+ if [ "$MAINSELECT" = "start" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CONFIGURE FIREWALL" ${DEFAULTNO} \
+ --yesno "Would you like to protect the system with a basic firewall?\n\n\
+You can either block all external connections,
+or you can expose specific TCP/UDP ports.\n\n\
+DHCP will never be blocked." 11 68
+ if [ $? != 0 ]; then
+ # Not needed.
+ exit 0
+ else
+ DEFAULTNO=""
+ fi
+ MAINSELECT="devices"
+ fi
+
+ if [ "$MAINSELECT" = "devices" ]; then
+ # Populate the network device checklist for the dialog:
+ NETDEVLIST="$(for I in ${!NETDEVARR[@]};do echo $I ${NETDEVARR[$I]};done)"
+ unset I
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "PICK INTERFACES" \
+ --stdout --separate-output \
+ --no-items \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --checklist "\
+Select the network interface(s) exposed to the outside world.\n\
+Your default gateway is pre-selected.\n\
+Un-selected interfaces will accept all incoming traffic." 13 68 5 $NETDEVLIST \
+ > $TMP/SeTnics
+ RETVAL=$?
+ # Zero out the array values and re-enable only the ones we got returned:
+ for INDEV in ${!NETDEVARR[@]} ; do NETDEVARR[$INDEV]=off ; done
+ for INDEV in $(cat $TMP/SeTnics) ; do NETDEVARR[$INDEV]=on ; done
+ unset INDEV
+ case "$RETVAL" in
+ 0) MAINSELECT="autoselect" ;;
+ 3) MAINSELECT="start" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTnics
+ fi
+
+ if [ "$MAINSELECT" = "autoselect" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "ALL CLOSED?" \
+ --yesno "Do you want to block all incoming external connections?\n\
+If 'no', then you will be able to specify ports that need to be open." 7 68
+ RETVAL=$?
+ case "$RETVAL" in
+ 0) AUTOCONFIG="YES"
+ MAINSELECT="done" ;;
+ 1) AUTOCONFIG="NO"
+ MAINSELECT="services" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ fi
+
+ if [ "$MAINSELECT" = "services" ]; then
+ # Populate the services checklist for the dialog:
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "OPEN PORTS" \
+ --stdout --separate-output \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --checklist "\
+Select the service ports you want to remain open for the outside world.\n\
+You can enter more ports or portranges in the next dialog." 19 68 13 \
+SSH 'SSH (port 22)' ${SERVARR['SSH']} \
+RSYNC 'RSYNC (port 873)' ${SERVARR['RSYNC']} \
+GIT 'GIT (port 9418)' ${SERVARR['GIT']} \
+HTTP 'Web Server (HTTP port 80)' ${SERVARR['HTTP']} \
+HTTPS 'Secure Web Server (HTTPS port 443)' ${SERVARR['HTTPS']} \
+SMTP 'Receiving Email (SMTP port 25)' ${SERVARR['SMTP']} \
+SMTPS 'Secure Receiving Email (SMPTS port 587)' ${SERVARR['SMPTS']} \
+IMAP 'IMAP Email Server (IMAP port 143)' ${SERVARR['IMAP']} \
+IMAPS 'Secure IMAP Email Server (IMAPS port 993)' ${SERVARR['IMAPS']} \
+NTP 'Time Server (NTP port 123)' ${SERVARR['NTP']} \
+ > $TMP/SeTservices
+ RETVAL=$?
+ # Zero out the array values and re-enable only the ones we got returned:
+ for INSRV in ${!SERVARR[@]} ; do SERVARR[$INSRV]=off ; done
+ for INSRV in $(cat $TMP/SeTservices) ; do SERVARR[$INSRV]=on ; done
+ unset INSRV
+ case $RETVAL in
+ 0) MAINSELECT="customports" ;;
+ 3) MAINSELECT="autoselect" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTservices
+ fi
+
+ if [ "$MAINSELECT" = "customports" ]; then
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CUSTOM PORTS" \
+ --stdout \
+ --ok-label "Next" --no-cancel --extra-button --extra-label "Previous" \
+ --form "\
+Enter additional ports or port ranges.\n\
+Port ranges consist of two numbers separated by a colon (example: 3000:3011).\n\
+Separate multiple entries with commas,\n\
+for example: 22,465,3000:3011,6660:6669,7000" \
+13 68 2 \
+"TCP ports/portranges:" 1 1 "$CUSTOM_TCP_LIST" 1 25 40 0 \
+"UDP ports/portranges:" 2 1 "$CUSTOM_UDP_LIST" 2 25 40 0 \
+ > $TMP/SeTcustomports
+ RETVAL=$?
+ CUSTOM_TCP_LIST=$(head -1 $TMP/SeTcustomports)
+ CUSTOM_UDP_LIST=$(tail -1 $TMP/SeTcustomports)
+ case $RETVAL in
+ 0) MAINSELECT="confirm" ;;
+ 3) MAINSELECT="services" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ rm -f $TMP/SeTcustomports
+ fi
+
+ if [ "$MAINSELECT" = "confirm" ]; then
+ # Collect all service ports that need to be remotely accessible.
+ # TCP:
+ TCP_LIST=""
+ if [ "${SERVARR['HTTP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 80"
+ fi
+ if [ "${SERVARR['HTTPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 443"
+ fi
+ if [ "${SERVARR['SMTP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 25"
+ fi
+ if [ "${SERVARR['SMTPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 587"
+ fi
+ if [ "${SERVARR['IMAP']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 143"
+ fi
+ if [ "${SERVARR['IMAPS']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 993"
+ fi
+ if [ "${SERVARR['SSH']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 22"
+ fi
+ if [ "${SERVARR['GIT']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 9418"
+ fi
+ if [ "${SERVARR['RSYNC']}" = "on" ]; then
+ TCP_LIST="$TCP_LIST 873"
+ fi
+ TCP_LIST=$(echo $TCP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ # UDP:
+ UDP_LIST=""
+ if [ "${SERVARR['NTP']}" = "on" ]; then
+ UDP_LIST="$UDP_LIST 123"
+ fi
+ if [ "${SERVARR['RSYNC']}" = "on" ]; then
+ UDP_LIST="$UDP_LIST 873"
+ fi
+ UDP_LIST=$(echo $UDP_LIST | sed 's/^ *//g' | tr ' ' ',')
+
+ TCP_LIST=$(echo $TCP_LIST $CUSTOM_TCP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ UDP_LIST=$(echo $UDP_LIST $CUSTOM_UDP_LIST | sed 's/^ *//g' | tr ' ' ',')
+ DEV_LIST=$(for INDEV in ${!NETDEVARR[@]} ; do if [ "${NETDEVARR[$INDEV]}" = "on" ]; then echo -n $INDEV" " ; fi ; done)
+
+ ${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --title "CONFIRM CONFIGURATION" \
+ --yes-label "Generate" --no-label "Redo" \
+ --yesno "These are the ports you configured. Are you OK with them?\n\n\
+Press 'Generate' to generate the firewall configuration.\n\
+Else press 'Redo' to re-do the setup.\n\n\
+Firewalled interface(s): $DEV_LIST \n\
+TCP Ports: $TCP_LIST \n\
+UDP Ports: $UDP_LIST" 12 68
+ RETVAL=$?
+ case $RETVAL in
+ 0) MAINSELECT="done" ;;
+ 1) MAINSELECT="devices" ;;
+ *) MAINSELECT="start" ; DEFAULTNO="--defaultno" ;;
+ esac
+ fi
+
+done
+
+# ------------------------------------------------------------------------------
+# End of configuration, let's get to work.
+# ------------------------------------------------------------------------------
+
+#
+# Flush Any Existing Rules or Chains
+#
+
+${DIALOG} --backtitle "@UDISTRO@ (@LIVEDE@) Basic Firewall Setup" \
+ --infobox "Configuring your firewall ..." 4 68
+
+# Reset Default Policies
+$IPT -P INPUT ACCEPT
+$IPT -P FORWARD ACCEPT
+$IPT -P OUTPUT ACCEPT
+$IPT -t nat -P PREROUTING ACCEPT
+$IPT -t nat -P POSTROUTING ACCEPT
+$IPT -t nat -P OUTPUT ACCEPT
+$IPT -t mangle -P PREROUTING ACCEPT
+$IPT -t mangle -P OUTPUT ACCEPT
+#
+$IP6T -P INPUT ACCEPT
+$IP6T -P FORWARD ACCEPT
+$IP6T -P OUTPUT ACCEPT
+$IP6T -t mangle -P PREROUTING ACCEPT
+$IP6T -t mangle -P OUTPUT ACCEPT
+
+# Flush all rules
+$IPT -F
+$IPT -t nat -F
+$IPT -t mangle -F
+#
+$IP6T -F
+$IP6T -t mangle -F
+
+# Erase all non-default chains
+$IPT -X
+$IPT -t nat -X
+$IPT -t mangle -X
+#
+$IP6T -X
+$IP6T -t mangle -X
+
+#
+# Rules Configuration
+#
+# Filter Table
+#
+
+# Set Policies
+$IPT -P INPUT DROP
+$IPT -P OUTPUT DROP
+$IPT -P FORWARD DROP
+#
+$IP6T -P INPUT DROP
+$IP6T -P OUTPUT DROP
+$IP6T -P FORWARD DROP
+
+#
+# User-Specified Chains
+#
+# Create user chains to reduce the number of rules each packet must traverse.
+#
+
+# Create a chain to filter INVALID packets
+$IPT -N bad_packets
+$IP6T -N bad_packets
+
+# Create another chain to filter bad tcp packets
+$IPT -N bad_tcp_packets
+$IP6T -N bad_tcp_packets
+
+# Create separate chains for icmp, tcp (incoming and outgoing),
+# and incoming udp packets.
+$IPT -N icmp_packets
+$IP6T -N icmp_packets
+
+# Used for UDP packets inbound from the Internet
+$IPT -N udp_inbound
+$IP6T -N udp_inbound
+
+# Used to block outbound UDP services from internal network
+# Default to allow all
+$IPT -N udp_outbound
+$IP6T -N udp_outbound
+
+# Used to allow inbound services if desired
+# Default fail except for established sessions
+$IPT -N tcp_inbound
+$IP6T -N tcp_inbound
+
+# Used to block outbound services from internal network
+# Default to allow all
+$IPT -N tcp_outbound
+$IP6T -N tcp_outbound
+
+#
+# Populate User Chains
+#
+# bad_packets chain
+#
+
+# Drop INVALID packets immediately
+$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
+$IP6T -A bad_packets -p ALL -m state --state INVALID -j DROP
+
+# Then check the tcp packets for additional problems
+$IPT -A bad_packets -p tcp -j bad_tcp_packets
+$IP6T -A bad_packets -p tcp -j bad_tcp_packets
+
+# All good, so return
+$IPT -A bad_packets -p ALL -j RETURN
+$IP6T -A bad_packets -p ALL -j RETURN
+
+# bad_tcp_packets chain
+#
+# All tcp packets will traverse this chain.
+# Every new connection attempt should begin with
+# a syn packet. If it doesn't, it is likely a
+# port scan. This drops packets in state
+# NEW that are not flagged as syn packets.
+$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+$IP6T -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
+$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+$IP6T -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
+
+# All good, so return
+$IPT -A bad_tcp_packets -p tcp -j RETURN
+$IP6T -A bad_tcp_packets -p tcp -j RETURN
+
+# icmp_packets chain
+#
+# This chain is for inbound (from the Internet) icmp packets only.
+# Type 8 (Echo Request) is not accepted by default
+# Enable it if you want remote hosts to be able to reach you.
+# 11 (Time Exceeded) is the only one accepted
+# that would not already be covered by the established
+# connection rule. Applied to INPUT on the external interface.
+#
+# See: http://www.ee.siue.edu/~rwalden/networking/icmp.html
+# for more info on ICMP types.
+#
+# Note that the stateful settings allow replies to ICMP packets.
+# These rules allow new packets of the specified types.
+
+# ICMP packets should fit in a Layer 2 frame, thus they should
+# never be fragmented. Fragmented ICMP packets are a typical sign
+# of a denial of service attack.
+$IPT -A icmp_packets --fragment -p icmp -j DROP
+$IP6T -A icmp_packets -p ipv6-icmp -m ipv6header --header frag --soft -j DROP
+
+# Echo - uncomment to allow your system to be pinged.
+# $IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
+# $IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 8 -j ACCEPT
+
+# By default, however, drop pings without logging. Blaster
+# and other worms have infected systems blasting pings.
+# Comment the line below if you want pings logged, but it
+# will likely fill your logs.
+$IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j DROP
+$IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 8 -j DROP
+
+# Time Exceeded
+$IPT -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
+$IP6T -A icmp_packets -p ipv6-icmp -s 0/0 --icmpv6-type 11 -j ACCEPT
+
+# Not matched, so return so it will be logged
+$IPT -A icmp_packets -p icmp -j RETURN
+$IP6T -A icmp_packets -p ipv6-icmp -j RETURN
+
+# TCP & UDP
+# Identify ports at:
+# http://www.chebucto.ns.ca/~rakerman/port-table.html
+# http://www.iana.org/assignments/port-numbers
+
+# udp_inbound chain
+#
+# This chain describes the inbound UDP packets it will accept.
+# It's applied to INPUT on the external or Internet interface.
+# Note that the stateful settings allow replies.
+# These rules are for new requests.
+# It drops netbios packets (windows) immediately without logging.
+
+# Drop netbios calls
+# Please note that these rules do not really change the way the firewall
+# treats netbios connections. Connections from the localhost and
+# internal interface (if one exists) are accepted by default.
+# Responses from the Internet to requests initiated by or through
+# the firewall are also accepted by default. To get here, the
+# packets would have to be part of a new request received by the
+# Internet interface. You would have to manually add rules to
+# accept these. I added these rules because some network connections,
+# such as those via cable modems, tend to be filled with noise from
+# unprotected Windows machines. These rules drop those packets
+# quickly and without logging them. This prevents them from traversing
+# the whole chain and keeps the log from getting cluttered with
+# chatter from Windows systems.
+$IPT -A udp_inbound -p udp -s 0/0 --dport 137 -j DROP
+$IPT -A udp_inbound -p udp -s 0/0 --dport 138 -j DROP
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 137 -j DROP
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 138 -j DROP
+
+# Ident requests (Port 113) must have a REJECT rule rather than the
+# default DROP rule. This is the minimum requirement to avoid
+# long delays while connecting. Also see the tcp_inbound rule.
+$IPT -A udp_inbound -p udp -s 0/0 --dport 113 -j REJECT
+$IP6T -A udp_inbound -p udp -s 0/0 --dport 113 -j REJECT
+
+# A more sophisticated configuration could accept the ident requests.
+# $IPT -A udp_inbound -p udp -s 0/0 --dport 113 -j ACCEPT
+# $IP6T -A udp_inbound -p udp -s 0/0 --dport 113 -j ACCEPT
+
+# IPv4 only:
+# Allow DHCP client request packets inbound from external network
+$IPT -A udp_inbound -p udp -s 0/0 --source-port 68 --dport 67 \
+ -j ACCEPT
+# Dynamic Address
+# If DHCP, the initial request is a broadcast. The response
+# doesn't exactly match the outbound packet. This explicitly
+# allow the DHCP ports to alleviate this problem.
+# If you receive your dynamic address by a different means, you
+# can probably comment this line.
+$IPT -A udp_inbound -p udp -s 0/0 --source-port 67 --dport 68 \
+ -j ACCEPT
+
+# Open the custom UDP ports if they have been configured:
+if [ -n "$UDP_LIST" ]; then
+ $IPT -A INPUT -p udp -m multiport --dport $UDP_LIST -j ACCEPT
+ $IP6T -A INPUT -p udp -m multiport --dport $UDP_LIST -j ACCEPT
+fi
+
+# Not matched, so return for logging
+$IPT -A udp_inbound -p udp -j RETURN
+$IP6T -A udp_inbound -p udp -j RETURN
+
+# udp_outbound chain
+#
+# This chain is used with a private network to prevent forwarding for
+# UDP requests on specific protocols. Applied to the FORWARD rule from
+# the internal network. Ends with an ACCEPT
+
+
+# No match, so ACCEPT
+$IPT -A udp_outbound -p udp -s 0/0 -j ACCEPT
+$IP6T -A udp_outbound -p udp -s 0/0 -j ACCEPT
+
+# tcp_inbound chain
+#
+# This chain is used to allow inbound connections to the
+# system/gateway. Use with care. It defaults to none.
+# It's applied on INPUT from the external or Internet interface.
+
+# Ident requests (Port 113) must have a REJECT rule rather than the
+# default DROP rule. This is the minimum requirement to avoid
+# long delays while connecting. Also see the tcp_inbound rule.
+$IPT -A tcp_inbound -p tcp -s 0/0 --dport 113 -j REJECT
+$IP6T -A tcp_inbound -p tcp -s 0/0 --dport 113 -j REJECT
+
+# A more sophisticated configuration could accept the ident requests.
+# $IPT -A tcp_inbound -p tcp -s 0/0 --dport 113 -j ACCEPT
+# $IP6T -A tcp_inbound -p tcp -s 0/0 --dport 113 -j ACCEPT
+
+# Open the requested TCP service ports if they have been configured:
+if [ -n "$TCP_LIST" ]; then
+ $IPT -A INPUT -p tcp -m multiport --dport $TCP_LIST -j ACCEPT
+ $IP6T -A INPUT -p tcp -m multiport --dport $TCP_LIST -j ACCEPT
+fi
+
+# Not matched, so return so it will be logged
+$IPT -A tcp_inbound -p tcp -j RETURN
+$IP6T -A tcp_inbound -p tcp -j RETURN
+
+# tcp_outbound chain
+#
+# This chain is used with a private network to prevent forwarding for
+# requests on specific protocols. Applied to the FORWARD rule from
+# the internal network. Ends with an ACCEPT
+
+# No match, so ACCEPT
+$IPT -A tcp_outbound -p tcp -s 0/0 -j ACCEPT
+$IP6T -A tcp_outbound -p tcp -s 0/0 -j ACCEPT
+
+#
+# INPUT Chain
+#
+# Allow all on localhost interface
+$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
+$IP6T -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
+
+# Allow all on other internal interfaces:
+for INDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$INDEV]}" = "off" ] ; then
+ $IPT -A INPUT -p ALL -i $INDEV -j ACCEPT
+ $IP6T -A INPUT -p ALL -i $INDEV -j ACCEPT
+ fi
+done
+unset INDEV
+
+# Drop bad packets
+$IPT -A INPUT -p ALL -j bad_packets
+$IP6T -A INPUT -p ALL -j bad_packets
+
+# DOCSIS compliant cable modems
+# Some DOCSIS compliant cable modems send IGMP multicasts to find
+# connected PCs. The multicast packets have the destination address
+# 224.0.0.1. You can accept them. If you choose to do so,
+# Uncomment the rule to ACCEPT them and comment the rule to DROP
+# them The firewall will drop them here by default to avoid
+# cluttering the log. The firewall will drop all multicasts
+# to the entire subnet (224.0.0.1) by default. To only affect
+# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
+# if they aren't accepted elsewhere, it will only ensure that
+# multicasts on other protocols are logged.
+# Drop them without logging.
+$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
+# The rule to accept the packets.
+# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
+
+# Inbound Internet Packet Rules
+
+for INDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$INDEV]}" = "on" ] ; then
+ # Accept Established Connections
+ $IPT -A INPUT -p ALL -i $INDEV -m state --state ESTABLISHED,RELATED \
+ -j ACCEPT
+ $IP6T -A INPUT -p ALL -i $INDEV -m state --state ESTABLISHED,RELATED \
+ -j ACCEPT
+
+ # Route the rest to the appropriate user chain
+ $IPT -A INPUT -p tcp -i $INDEV -j tcp_inbound
+ $IP6T -A INPUT -p tcp -i $INDEV -j tcp_inbound
+ $IPT -A INPUT -p udp -i $INDEV -j udp_inbound
+ $IP6T -A INPUT -p udp -i $INDEV -j udp_inbound
+ $IPT -A INPUT -p icmp -i $INDEV -j icmp_packets
+ $IP6T -A INPUT -p ipv6-icmp -i $INDEV -j icmp_packets
+ fi
+done
+unset INDEV
+
+# Drop without logging broadcasts that get this far.
+# Cuts down on log clutter.
+# Comment this line if testing new rules that impact
+# broadcast protocols.
+$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
+$IP6T -A INPUT -m pkttype --pkt-type broadcast -j DROP
+
+# Log packets that still don't match
+$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "INPUT packet died: "
+$IP6T -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "INPUT packet ipv6 died: "
+
+#
+# FORWARD Chain
+#
+# Used if forwarding for a private network
+
+#
+# OUTPUT Chain
+#
+# Generally trust the firewall on output
+
+# However, invalid icmp packets need to be dropped
+# to prevent a possible exploit.
+$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
+$IP6T -A OUTPUT -m state -p ipv6-icmp --state INVALID -j DROP
+
+# Localhost
+$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
+$IP6T -A OUTPUT -p ALL -s $LO_IP6 -j ACCEPT
+$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
+$IP6T -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
+
+# Allow all on other internal interfaces:
+for OUTDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$OUTDEV]}" = "off" ] ; then
+ $IPT -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ $IP6T -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ fi
+done
+unset OUTDEV
+
+# To internet
+for OUTDEV in ${!NETDEVARR[@]} ; do
+ if [ "${NETDEVARR[$OUTDEV]}" = "on" ] ; then
+ $IPT -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ $IP6T -A OUTPUT -p ALL -o $OUTDEV -j ACCEPT
+ fi
+done
+
+# Log packets that still don't match
+$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "OUTPUT packet died: "
+$IP6T -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
+ --log-prefix "OUTPUT packet ipv6 died: "
+
+#
+# nat table
+#
+# The nat table is where network address translation occurs if there
+# is a private network. If the gateway is connected to the Internet
+# with a static IP, snat is used. If the gateway has a dynamic address,
+# masquerade must be used instead. There is more overhead associated
+# with masquerade, so snat is better when it can be used.
+# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
+# Another, POSTROUTING, handles snat and masquerade.
+
+#
+# PREROUTING chain
+#
+
+#
+# POSTROUTING chain
+#
+
+
+#
+# mangle table
+#
+# The mangle table is used to alter packets. It can alter or mangle them in
+# several ways. For the purposes of this generator, we only use its ability
+# to alter the TTL in packets. However, it can be used to set netfilter
+# mark values on specific packets. Those marks could then be used in another
+# table like filter, to limit activities associated with a specific host, for
+# instance. The TOS target can be used to set the Type of Service field in
+# the IP header. Note that the TTL target might not be included in the
+# distribution on your system. If it is not and you require it, you will
+# have to add it. That may require that you build from source.
+
+# Save the firewall configuration so that 'rc.firewall' can load it:
+mkdir -p $DESTDIR/etc/firewall
+${IPTS} > $DESTDIR/etc/firewall/ipv4
+${IP6TS} > $DESTDIR/etc/firewall/ipv6
+
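Review bot: The ACCEPT rules for the selected ports are appended to `INPUT` itself (`$IPT -A INPUT -p tcp -m multiport --dport $TCP_LIST -j ACCEPT` and its UDP twin), so they sit ahead of the `bad_packets` jump and match on every interface rather than only those marked `on`; appending them to `tcp_inbound` / `udp_inbound` keeps the INVALID and TCP-flag checks in front of them. `AUTOCONFIG` is assigned but never read, so after reaching the confirm dialog, pressing Redo and then choosing to block all connections, the `TCP_LIST` / `UDP_LIST` values from the earlier pass are still non-empty and the ports are opened anyway. The form input reaches `--dport` unquoted and unvalidated, and `multiport` accepts at most 15 ports per rule (a range counts as two), so a long or malformed list makes that rule fail while the rest of the ruleset is still saved. Separately, the ip6tables ICMP rules reuse the IPv4 type numbers: ICMPv6 echo request is 128 and time exceeded is 3, and nothing admits neighbour discovery (types 133-136) on a firewalled interface.

```shell
# Open the custom UDP ports, only if the user asked for open ports:
if [ "$AUTOCONFIG" = "NO" ] && [ -n "$UDP_LIST" ]; then
  $IPT -A udp_inbound -p udp -m multiport --dport "$UDP_LIST" -j ACCEPT
  $IP6T -A udp_inbound -p udp -m multiport --dport "$UDP_LIST" -j ACCEPT
fi
# … unchanged: udp_inbound RETURN, udp_outbound, tcp_inbound ident rules …
# Open the requested TCP service ports, only if the user asked for open ports:
if [ "$AUTOCONFIG" = "NO" ] && [ -n "$TCP_LIST" ]; then
  $IPT -A tcp_inbound -p tcp -m multiport --dport "$TCP_LIST" -j ACCEPT
  $IP6T -A tcp_inbound -p tcp -m multiport --dport "$TCP_LIST" -j ACCEPT
fi
```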
diff --git a/setup2hd/rc.firewall.tpl b/setup2hd/rc.firewall.tpl
new file mode 100644
index 0000000..4019b1a
--- /dev/null
+++ b/setup2hd/rc.firewall.tpl
@@ -0,0 +1,141 @@
+#!/bin/bash
+
+# ---------------------------------------------------------------------------
+# Slackware init script for iptables firewall:
+# /etc/rc.d/rc.firewall
+# Written by Eric Hameleers <alien@slackware.com> for the liveslak project.
+# ---------------------------------------------------------------------------
+
+# Specify path to the iptables binaries:
+IPT_PATH="/usr/sbin"
+
+# Save location for firewall rules:
+[ ! -d /etc/firewall ] && mkdir /etc/firewall
+
+# Is ipv6 supported on this computer?
+if [ $(cat /sys/module/ipv6/parameters/disable) -eq 1 ]; then
+ HAVE_IPV6=0
+else
+ HAVE_IPV6=1
+fi
+
+fwflush() {
+ local IPT=${1:-iptables}
+ # Accept all traffic first:
+ ${IPT_PATH}/${IPT} -P INPUT ACCEPT
+ ${IPT_PATH}/${IPT} -P FORWARD ACCEPT
+ ${IPT_PATH}/${IPT} -P OUTPUT ACCEPT
+ # Flush all iptables chains and rules:
+ ${IPT_PATH}/${IPT} -F
+ # Delete all iptables chains:
+ ${IPT_PATH}/${IPT} -X
+ # Flush all counters:
+ ${IPT_PATH}/${IPT} -Z
+ # Flush/delete all nat and mangle rules:
+ if [ "$IPT" != "ip6tables" ]; then
+ ${IPT_PATH}/${IPT} -t nat -F
+ ${IPT_PATH}/${IPT} -t nat -X
+ fi
+ ${IPT_PATH}/${IPT} -t mangle -F
+ ${IPT_PATH}/${IPT} -t mangle -X
+ ${IPT_PATH}/${IPT} -t raw -F
+ ${IPT_PATH}//${IPT} -t raw -X
+}
+
+basic_protection() {
+ # Basic measures to applied on first start:
+
+ # Turn off packet forwarding in the kernel
+ echo 0 > /proc/sys/net/ipv4/ip_forward
+ # Enable TCP SYN Cookie Protection
+ echo 1 > /proc/sys/net/ipv4/tcp_syncookies
+ # Disable ICMP Redirect Acceptance
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
+ # Accept only from gateways in the default gateways list
+ echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
+ # Do not send Redirect Messages
+ echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
+ # Enable bad error message protection
+ echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
+ # Enable broadcast echo protection
+ echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
+ # Disable source-routed packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
+ # Do not log spoofed packets, source-routed packets, and redirect packets
+ echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
+}
+
+fw_start() {
+ echo "Loading firewall rules..."
+ # Apply basic protection in the kernel:
+ basic_protection
+ # Restore firewall rules:
+ if [ -f /etc/firewall/ipv4 ]; then
+ ${IPT_PATH}/iptables-restore < /etc/firewall/ipv4
+ else
+ echo "** No saved ipv4 firewall rules found. Run 'myfwconf' first."
+ fi
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ if [ -f /etc/firewall/ipv6 ]; then
+ ${IPT_PATH}/ip6tables-restore < /etc/firewall/ipv6
+ else
+ echo "** No saved ipv6 firewall rules found. Run 'myfwconf' first."
+ fi
+ fi
+}
+
+fw_reload() {
+ fw_flush
+ fw_start
+}
+
+fw_save() {
+ # Save firewall rules:
+ echo "Saving firewall rules..."
+ ${IPT_PATH}/iptables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4
+ ${IPT_PATH}/ip6tables -Ln 2>/dev/null
+ [ $? -eq 0 ] && ${IPT_PATH}/ip6tables-save > /etc/firewall/ipv6
+}
+
+fw_flush() {
+ # Flush firewall rules, delete all custom chains and reset counters:
+ # also resetting all policies to ACCEPT:
+ echo "Flushing firewall rules..."
+ fwflush iptables
+ if [ $HAVE_IPV6 -eq 1 ]; then
+ fwflush ip6tables
+ fi
+}
+
+fw_status() {
+ ${IPT_PATH}/iptables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv4 support in the kernel!"
+ ${IPT_PATH}/ip6tables -L -n 2>/dev/null
+ [ $? -ne 0 ] && echo "** No ipv6 support in the kernel!"
+}
+
+case "$1" in
+ start)
+ fw_start
+ ;;
+ stop|flush)
+ fw_flush
+ ;;
+ reload)
+ fw_reload
+ ;;
+ save)
+ fw_save
+ ;;
+ status)
+ fw_status
+ ;;
+ *)
+ echo "Usage: $0 start|stop|reload|save|flush|status"
+ exit 1
+ ;;
+esac
+
+exit 0
+
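Review bot: fw_save probes the kernel with `iptables -Ln` and `ip6tables -Ln`, which iptables reads as `-L` with a chain named `n`; that lookup fails, stderr is discarded, and the `[ $? -eq 0 ] &&` guard then skips `iptables-save`, so `save` writes nothing. fw_status in the same file uses the working spelling, so the probe could be `${IPT_PATH}/iptables -L -n >/dev/null 2>&1 && ${IPT_PATH}/iptables-save > /etc/firewall/ipv4` (likewise for ip6tables). Separately, fw_reload calls fw_flush first, which sets every policy to ACCEPT before the restore. Since iptables-restore flushes the tables it loads, dropping the flush from reload would avoid that open window, and would avoid leaving the host fully open when no saved rules file exists.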
diff --git a/setup2hd/setup.liveslak.tpl b/setup2hd/setup.liveslak.tpl
index 3f34852..fb6e03e 100644
--- a/setup2hd/setup.liveslak.tpl
+++ b/setup2hd/setup.liveslak.tpl
@@ -108,7 +108,7 @@ After that, you will be asked to set the root password." 11 55
root:${UACCOUNT}:OWNPASS
root:ALL EXCEPT GROUP wheel:DENY
EOT
- chmod 600 ${LIVE_ROOTDIR}/etc/suauth
+ chmod 600 ${T_PX}/etc/suauth
fi
# Configure sudoers:
@@ -125,6 +125,18 @@ EOT
unset UPASS
fi
+ # Add a rc.firewall script:
+ install -D -m0775 -t ${T_PX}/etc/rc.d/ /usr/share/@LIVEMAIN@/rc.firewall
+ # Install a firewall configuration script:
+ install -D -m755 /usr/share/@LIVEMAIN@/SeTfirewall ${T_PX}/usr/sbin/myfwconf
+ # Add a Slackware setup script invoking that 'myfwconf' script:
+ cat <<EOT >${T_PX}/var/log/setup/setup.firewall
+#!/bin/sh
+#BLURB="Configure a basic firewall."
+chroot . usr/sbin/myfwconf
+EOT
+ chmod 0775 ${T_PX}/var/log/setup/setup.firewall
+
# Re-use some of the custom configuration from 0099-@DISTRO@_zzzconf-*.sxz
# (some of these may not be present but the command will not fail):
${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
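Review bot: rc.firewall is installed with `-m0775` and setup.firewall gets `chmod 0775`, which leaves an init script and a setup script group-writable, while the `myfwconf` install two lines further down uses `-m755`. Unless group write is intended, `install -D -m0755 -t ${T_PX}/etc/rc.d/ /usr/share/@LIVEMAIN@/rc.firewall` and `chmod 0755 ${T_PX}/var/log/setup/setup.firewall` would match it. The enclosing block starts before this hunk.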
@@ -150,7 +162,7 @@ EOT
/etc/slackpkg \
/etc/vconsole.conf \
/var/lib/sddm/state.conf \
- /var/lib/slackpkg/current
+ /var/lib/slackpkg
# Point xdm to the custom /etc/X11/xdm/liveslak-xdm/xdm-config:
sed -i ${T_PX}/etc/rc.d/rc.4 -e 's,bin/xdm -nodaemon,& -config /etc/X11/xdm/liveslak-xdm/xdm-config,'
# If gcc was not installed, create a symlink to cpp pointing to mcpp;
@@ -161,7 +173,7 @@ EOT
# If nvi was not installed, do not use it as a default selection:
if [ ! -x ${T_PX}/usr/bin/nvi ] && [ -e ${T_PX}/var/log/setup/setup.vi-ex ];
then
- sed -e 's/default-item "nvi/"default-item "elvis"/' -i ${T_PX}/var/log/setup/setup.vi-ex
+ sed -e 's/default-item "nvi/default-item "elvis/' -i ${T_PX}/var/log/setup/setup.vi-ex
fi
# Prevent SeTconfig from asking redundant questions later on:
sed -i /usr/share/@LIVEMAIN@/SeTconfig \
@@ -212,7 +224,8 @@ EOT
/home/@LIVEUID@/.jackdrc \
/home/@LIVEUID@/.config/autostart/qjackctl.desktop \
/home/@LIVEUID@/.config/rncbc.org/QjackCtl.conf \
- /home/@LIVEUID@/.config/kscreenlockerrc
+ /home/@LIVEUID@/.config/kscreenlockerrc \
+ /home/@LIVEUID@/.config/plasmarc
fi
fi
@@ -239,13 +252,12 @@ EOT
- default runlevel
- keyboard layout
- language setting
- After finishing system configuration and before rebooting, you can add any further Live modules from /@LIVEMAIN@/addons/ and /@LIVEMAIN@/optional/ to your hard drive, using a command similar to this:
- # unsquashfs -f -dest $T_PX /mnt/livemedia/@LIVEMAIN@/addons/mymodule.sxz
+ - slackpkg/slackpkg+
EOF
${DIALOG} --backtitle "@CDISTRO@ Linux Setup (Live Edition)" \
--title "POST INSTALL HINTS AND TIPS" --msgbox "`cat $TMP/tempmsg`" \
- 20 65
+ 19 65
rm $TMP/tempmsg
MAINSELECT="CONFIGURE"
diff --git a/setup2hd/setup.slackware.tpl b/setup2hd/setup.slackware.tpl
index eff6b9a..e1b9fa1 100644
--- a/setup2hd/setup.slackware.tpl
+++ b/setup2hd/setup.slackware.tpl
@@ -150,6 +150,10 @@ to choose packages individually." 4 60
else
slackinstall --device noremount --promptmode $MODE --srcpath `cat $TMP/SeTDS` --mountpoint /var/log/mount --target $T_PX --series $SERIES
fi
+ # Run ldconfig on the newly installed system:
+ if [ -x $T_PX/sbin/ldconfig ]; then
+ $T_PX/sbin/ldconfig -r $T_PX
+ fi
if [ $MODE = terse ]; then
# Let's pause a moment and then restore the terminal settings
sleep 1
diff --git a/syslinux/f2.txt b/syslinux/f2.txt
index 2451b39..1a41e5c 100644
--- a/syslinux/f2.txt
+++ b/syslinux/f2.txt
@@ -8,11 +8,15 @@
kbd=fr xkb=ch,fr => Example of custom X keyboard layout.
livepw="somestring" => Change the password for user "live".
+ The password is passed as a cleartext string.
+ You can pass an empty string (livepw=) to remove the password.
locale=nl_NL kbd=nl tz=Europe/Amsterdam => Example of language,
keyboard and/or timezone customization.
rootpw="somestring" => Change the password for user "root".
+ The password is passed as a cleartext string.
+ You can pass an empty string (rootpw=) to remove the password.
=== Custom software ===
diff --git a/syslinux/f3.txt b/syslinux/f3.txt
index 7d14801..833956b 100644
--- a/syslinux/f3.txt
+++ b/syslinux/f3.txt
@@ -21,18 +21,29 @@ livemedia=/dev/sdX => Tell the init script which partition
become necessary if you have another copy of Slackware Live
installed in another partition. Also accepted: UUID or LABEL.
-livemedia=/dev/sdX:/path/to/live.iso => Use this if you want to
+livemedia=/dev/sdX:/path/to/live.iso
+livemedia=scandev:/path/to/live.iso => Use this if you want to
load the live OS from an ISO file on a local harddisk partition.
livemain=directoryname => Use this if you copied the content
of the ISO to a different directory than "liveslak".
-nop => No persistence, i.e. boot the virgin installation in
- case your "persistence" directory got corrupted.
-
-persistence=directoryname => Use this if you want to use
- a different directory than "persistence" for storing
- persistent data.
+nop => No persistence, i.e. boot the virgin installation in
+ case your "persistence" directory got corrupted.
+ If you want to ignore any persistent data during boot,
+ including LUKS data, specify "nop luksvol=" .
+
+nop=wipe => Wipe all data from persistence directory or container.
+ Useful in cases where your persistent data got corrupted.
+
+persistence=name => Use this if you are using a different
+ directory/file than "persistence" for storing persistent data.
+
+persistence=/dev/sdX:/path/to/mypersistence
+persistence=scandev:/path/to/mypersistence => Use this if
+ the persistence directory or container is not located on the USB stick,
+ but on a local hard disk partition. Useful for network (PXE) boot
+ where you still want to offer users persistence.
toram => copy the OS from the media to to RAM before running it.
You can remove the boot media after booting.
@@ -40,6 +51,10 @@ toram => copy the OS from the media to to RAM before running it.
toram=all => Prevent writes to disk since we are supposed to
run from RAM; equivalent to parameter "toram".
+toram=core => Load Console OS modules into RAM. Console-only Slackware
+ loads fast, contains 'setup2hd' and frees up your USB drive so you can
+ overwrite it with a Persistent Live OS.
+
toram=os => Load OS modules into RAM, but write persistent data to USB.
== [F1]: Home [F2]: Desktop setup [F4]: HW/debug [F5]: Network boot ==
diff --git a/syslinux/f4.txt b/syslinux/f4.txt
index c890348..80ca985 100644
--- a/syslinux/f4.txt
+++ b/syslinux/f4.txt
@@ -6,8 +6,10 @@ localhd => initialize RAID/LVM on local hard drives.
tweaks=tweak1[,tweak2,[,...]] => Implemented tweaks:
nga - no glamor 2D acceleration, avoids error "EGL_MESA_drm_image required".
+ nsh - no sub-pixel hinting in freetype.
tpb - enable TrackPoint scrolling while holding down middle mouse button.
syn - start the syndaemon for better support of Synaptics touchpads.
+ ssh - start SSH daemon (disabled by default).
nomodeset => Boot without kernel mode setting, needed with
some machines.
diff --git a/upslak.sh b/upslak.sh
index cd095d7..c36071d 100644
--- a/upslak.sh
+++ b/upslak.sh
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# Copyright 2017, 2019 Eric Hameleers, Eindhoven, NL
+# Copyright 2017, 2019, 2021, 2022, 2023 Eric Hameleers, Eindhoven, NL
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -62,15 +62,28 @@ UPKERNEL=0
# Do not change usb wait time by default:
WAIT=-1
+# Not extending any container by default:
+EXTENSION=""
+
# ---------------------------------------------------------------------------
# END possible tasks to be executed by the script:
# ---------------------------------------------------------------------------
+# The extension for containerfiles accompanying an ISO is '.icc',
+# whereas the persistent USB stick created with iso2usb.sh uses '.img'.
+DEFEXT=".img"
+CNTEXT="${DEFEXT}"
+
+# Default filesystem for devices/containers:
+DEF_FS="ext4"
+FSYS="${DEF_FS}"
+
# Determine whether the USB stick has a supported kernel configuration
# i.e. one active and optionally one backup kernel plus mmodules:
SUPPORTED=1
# Values obtained from the init script on the USB:
+CORE2RAMMODS=""
DEF_KBD=""
DEF_LOCALE=""
DEF_TZ=""
@@ -81,7 +94,6 @@ LIVEUID=""
MARKER=""
MEDIALABEL=""
PERSISTENCE=""
-CORE2RAMMODS=""
SQ_EXT_AVAIL=""
VERSION=""
@@ -89,9 +101,15 @@ VERSION=""
KBACKUP=1
# Does the initrd contain an old kernel that we can restore?
-# The 'read_initrd' routing may set this to '0':
+# The 'read_initrddir' routine may set this to '0':
KRESTORE=1
+# By default we create an addon live module for the new kernel modules,
+# otherwise the Live OS will be broken after reboot.
+# User can skip this if they already installed the kernel-modules package
+# in the Live OS earlier:
+NOLIVEMODS=0
+
# Timeout when scanning for inserted USB device, 30 seconds by default,
# but this default can be changed from outside the script:
SCANWAIT=${SCANWAIT:-30}
@@ -110,7 +128,6 @@ MINFREE=${MINFREE:-10}
# Variables to store content from an initrd we are going to refresh:
OLDKERNELSIZE=""
OLDKMODDIRSIZE=""
-OLDKVER=""
OLDWAIT=""
# Record the version of the new kernel:
@@ -121,18 +138,31 @@ IMGDIR=""
KERDIR=""
USBMNT=""
EFIMNT=""
+CNTDEV=""
+LODEV=""
+
+# Empty initialization:
+INCSIZE=""
+PARTFREE=""
+PARTSIZE=""
# These tools are required by the script, we will check for their existence:
REQTOOLS="cpio gdisk inotifywait lsblk strings xz"
+# Minimim free space (in MB) we want to have left in any partition
+# after we are done.
+# The default value can be changed from the environment:
+MINFREE=${MINFREE:-10}
+
# Compressor used on the initrd ("gzip" or "xz --check=crc32");
# Note that the kernel's XZ decompressor does not understand CRC64:
COMPR="xz --check=crc32"
# -- START: Taken verbatim from make_slackware_live.sh -- #
# List of kernel modules required for a live medium to boot properly;
-# Lots of HID modules added to support keyboard input for LUKS password entry:
-KMODS=${KMODS:-"squashfs:overlay:loop:xhci-pci:ohci-pci:ehci-pci:xhci-hcd:uhci-hcd:ehci-hcd:mmc-core:mmc-block:sdhci:sdhci-pci:sdhci-acpi:usb-storage:hid:usbhid:i2c-hid:hid-generic:hid-apple:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd:mbcache:ext3:ext4:isofs:fat:nls_cp437:nls_iso8859-1:msdos:vfat:ntfs"}
+# Lots of HID modules added to support keyboard input for LUKS password entry;
+# Virtio modules added to experiment with liveslak in a VM.
+KMODS=${KMODS:-"squashfs:overlay:loop:efivarfs:xhci-pci:ohci-pci:ehci-pci:xhci-hcd:uhci-hcd:ehci-hcd:mmc-core:mmc-block:sdhci:sdhci-pci:sdhci-acpi:rtsx_pci:rtsx_pci_sdmmc:usb-storage:uas:hid:usbhid:i2c-hid:hid-generic:hid-apple:hid-cherry:hid-logitech:hid-logitech-dj:hid-logitech-hidpp:hid-lenovo:hid-microsoft:hid_multitouch:jbd:mbcache:ext3:ext4:zstd_compress:lz4hc_compress:lz4_compress:btrfs:f2fs:jfs:xfs:isofs:fat:nls_cp437:nls_iso8859-1:msdos:vfat:exfat:ntfs:virtio_ring:virtio:virtio_blk:virtio_balloon:virtio_pci:virtio_pci_modern_dev:virtio_net"}
# Network kernel modules to include for NFS root support:
NETMODS="kernel/drivers/net kernel/drivers/virtio"
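Review bot: `MINFREE=${MINFREE:-10}` is added here with its own comment, but the same assignment already exists earlier in the file (it is the context line in the header of the previous hunk), so the default is now declared twice; the new comment also has the typo `Minimim`. Dropping the added block keeps a single place to change the default. The `REQTOOLS` list in this hunk is unchanged although the commit's new container code calls `cryptsetup`, `losetup` and `rsync`; if nothing outside the visible hunks adds them, a missing tool would only show up partway through an update.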
@@ -146,22 +176,32 @@ NETEXCL="appletalk arcnet bonding can dummy.ko hamradio hippi ifb.ko irda macvla
#
# Clean up in case of failure:
-cleanup() {
+function cleanup() {
# Clean up by unmounting our loopmounts, deleting tempfiles:
echo "--- Cleaning up the staging area..."
# During cleanup, do not abort due to non-zero exit code:
set +e
sync
+
+ if [ -n "$CNTDEV" ]; then
+ # In case of failure, only most recent LUKS mapped device is still open:
+ if mount | grep -q ${CNTDEV} ; then
+ umount -f ${CNTDEV}
+ cryptsetup luksClose $(basename ${CNTDEV})
+ losetup -d ${LODEV}
+ fi
+ fi
+
# No longer needed:
[ -n "${IMGDIR}" ] && ( rm -rf $IMGDIR )
[ -n "${KERDIR}" ] && ( rm -rf $KERDIR )
if [ -n "${USBMNT}" ]; then
if mount |grep -qw ${USBMNT} ; then umount ${USBMNT} ; fi
- rm -rf $USBMNT
+ rmdir $USBMNT
fi
if [ -n "${EFIMNT}" ]; then
if mount |grep -qw ${EFIMNT} ; then umount ${EFIMNT} ; fi
- rm -rf $EFIMNT
+ rmdir $EFIMNT
fi
set -e
} # End of cleanup()
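Review bot: The new CNTDEV branch of cleanup() closes the LUKS mapping and detaches the loop device only when `mount` lists `${CNTDEV}`, but expand_container() opens the mapping well before resizefs() mounts it. A failure in between (for instance in the first `fsck`) therefore leaves the unlocked container mapped and the loop device attached. Each step should be guarded on its own, with the unmount conditional and the close and detach not dependent on it. `${LODEV}` needs its own check as well, because the unencrypted path sets CNTDEV to the loop device itself.

```shell
if [ -n "${CNTDEV}" ]; then
  # Unmount only when mounted; the mapping may be open without a mount:
  if mount | grep -qw "${CNTDEV}" ; then
    umount -f "${CNTDEV}"
  fi
  if [ "${CNTDEV}" != "${LODEV}" ] && [ -e "${CNTDEV}" ]; then
    cryptsetup luksClose "$(basename "${CNTDEV}")"
  fi
fi
if [ -n "${LODEV}" ]; then
  losetup -d "${LODEV}"
fi
# … unchanged: removal of IMGDIR, KERDIR, USBMNT and EFIMNT …
```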
@@ -169,7 +209,7 @@ cleanup() {
trap 'echo "*** $0 FAILED at line $LINENO ***"; cleanup; exit 1' ERR INT TERM
# Show the help text for this script:
-showhelp() {
+function showhelp() {
cat <<EOT
#
# Purpose: to update the content of a Slackware Live USB stick.
@@ -177,6 +217,7 @@ cat <<EOT
# $(basename $0) accepts the following parameters:
# -b|--nobackup Do not try to backup original kernel and modules.
# -d|--devices List removable devices on this computer.
+# -e|--examples Show some common usage examples.
# -h|--help This help.
# -i|--init <filename> Replacement init script.
# -k|--kernel <filename> The kernel file (or package).
@@ -189,21 +230,71 @@ cat <<EOT
# providing a devicename (using option '-o').
# -v|--verbose Show verbose messages.
# -w|--wait<number> Add <number> seconds wait time to initialize USB.
+# -x|--extend <fullpath> Full path (either in your filesystem or else
+# relative to the USB partition root)
+# to an existing (encrypted) container file,
+# whose size you want to extend.
+# Limitations:
+# - container needs to be LUKS encrypted.
+# - filename extension needs to be '${CNTEXT}'.
+# Supported filesystems inside container:
+# - $(resizefs).
+# -N|--nolivemods Don't create an addon live module containing
+# the new kernelmodules. Normally you *will* need
+# this addon module, *unless* you have already
+# installed these kernel-modules in the Live OS.
+# FYI: the kernel and module upgrade applies only
+# to the USB boot kernel and its initrd.
+# -X|--extendsize <size|perc> Extend size of existing container; value
+# is the requested extension of the container
+# in kB, MB, GB, or as percentage of free space
+# (integer numbers only).
+# Examples: '-X 125M', '-X 2G', '-X 20%'.
#
EOT
} # End of showhelp()
+function showexamples() {
+cat <<EOT
+#
+# Some common usage examples for $(basename $0)
+# ---------------------------------------------------------------------------
+#
+# Get a listing of all available removable devices on the computer:
+# ./$(basename $0) -d
+#
+# Updating kernel and modules, providing two packages as input and assuming
+# that the USB stick is known as /dev/sdX:
+# ./$(basename $0) -o /dev/sdX -m kernel-modules-4.19.0-x86_64-1.txz -k kernel-generic-4.19.0-x86_64-1.txz
+#
+# Restore the previous kernel and modules after a failed update,
+# and let the script scan your computer for the insertion of your USB stick:
+# ./$(basename $0) -s -r
+#
+# Replace the Live init script with the latest template taken from
+# the liveslak git repository:
+# wget https://git.liveslak.org/liveslak/plain/liveinit.tpl
+# ./$(basename $0) -o /dev/sdX -i liveinit.tpl
+#
+# Extend the size of the pre-existing LUKS container for your homedirectory
+# with 3 GB, and let the script scan for the insertion of your USB stick:
+# ./$(basename $0) -s -x /slhome.img -X 3G
+#
+EOT
+} # End of showexamples()
+
# Scan for insertion of a USB device:
-scan_devices() {
+function scan_devices() {
+ local MYSCANWAIT="${1}"
local BD
# Inotifywatch does not trigger on symlink creation,
# so we can not watch /sys/block/
- BD=$(inotifywait -q -t ${SCANWAIT} -e create /dev 2>/dev/null |cut -d' ' -f3)
+ BD=$(inotifywait -q -t ${MYSCANWAIT} -e create /dev 2>/dev/null |cut -d' ' -f3)
echo ${BD}
} # End of scan_devices()
# Show a list of removable devices detected on this computer:
-show_devices() {
+function show_devices() {
local MYDATA="${*}"
if [ -z "${MYDATA}" ]; then
MYDATA="$(ls --indicator-style=none /sys/block/ |grep -Ev '(ram|loop|dm-)')"
@@ -217,8 +308,110 @@ show_devices() {
echo "#"
} # End of show_devices()
+# Determine size of a mounted partition (in MB):
+function get_part_mb_size() {
+ local MYPART="${1}"
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${MYPART} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f2)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_size()
+
+# Determine free space of a mounted partition (in MB):
+function get_part_mb_free() {
+ local MYPART="${1}"
+ local MYSIZE
+ MYSIZE=$(df -P -BM ${MYPART} |tail -n -1 |tr -s '\t' ' ' |cut -d' ' -f4)
+ echo "${MYSIZE%M}"
+} # End of get_part_mb_free()
+
+# Determine requested container size in MB (allow for '%|k|K|m|M|g|G' suffix).
+# Note: sizes need to be integer values! Bash arithmetics don't work for floats.
+function cont_mb() {
+ # Uses global variables: PARTFREE
+ local MYSIZE="$1"
+ case "${MYSIZE: -1}" in
+ "%") MYSIZE="$(( $PARTFREE * ${MYSIZE%\%} / 100 ))" ;;
+ "k") MYSIZE="$(( ${MYSIZE%k} / 1024 ))" ;;
+ "K") MYSIZE="$(( ${MYSIZE%K} / 1024 ))" ;;
+ "m") MYSIZE="${MYSIZE%m}" ;;
+ "M") MYSIZE="${MYSIZE%M}" ;;
+ "g") MYSIZE="$(( ${MYSIZE%g} * 1024 ))" ;;
+ "G") MYSIZE="$(( ${MYSIZE%G} * 1024 ))" ;;
+ *) MYSIZE=-1 ;;
+ esac
+ echo "$MYSIZE"
+} # End of cont_mb()
+
+# Expand existing encrypted container file:
+function expand_container() {
+ # Uses external function: cleanup
+ # Uses global variables: CNTEXT, MINFREE
+ # Sets global variables: CNTDEV, LODEV, PARTFREE, PARTSIZE
+ local MYPART="$1" # disk partition
+ local MYINC="$2" # requested increase ('%|k|K|m|M|g|G' suffix)
+ local MYFILE="$3" # full path to ${CNTEXT} containerfile
+ local MYMAP="" # Name of the device-mapped file
+ local CNTIS="" # Stores size of the container
+
+ # Determine requested container increase in MB:
+ MYINC=$(cont_mb ${MYINC})
+
+ # Determine size of the target partition (in MB), and the free space:
+ PARTSIZE=$(get_part_mb_size ${MYPART})
+ PARTFREE=$(get_part_mb_free ${MYPART})
+
+ if [ $PARTFREE -lt $(( ${MYINC} + ${MINFREE} )) ]; then
+ echo "*** Free space on USB partition after file-resizing would be less than ${MINFREE} MB;"
+ echo "*** Not resizing the container file!"
+ cleanup
+ exit 1
+ fi
+
+ if ! file ${MYFILE} |grep -q 'LUKS' ; then
+ echo "*** No LUKS container: '${MYFILE}'"
+ cleanup
+ exit 1
+ else
+ echo "--- Expanding '$(basename ${MYFILE})' on '${MYPART}' with ${MYINC} MB..."
+ fi
+
+ # Append random bytes to the end of the container file:
+ dd if=/dev/urandom of=${MYFILE} bs=1M count=${MYINC} oflag=append conv=notrunc 2>/dev/null
+
+ # Setup a loopback device that we can use with or without cryptsetup:
+ LODEV=$(losetup -f)
+ losetup ${LODEV} ${MYFILE}
+
+ if cryptsetup isLuks ${LODEV} ; then
+ # Unlock LUKS encrypted container first:
+ MYMAP=$(basename ${MYFILE} ${CNTEXT})
+ CNTDEV=/dev/mapper/${MYMAP}
+ echo "--- Unlocking the LUKS container requires your passphrase..."
+ until cryptsetup luksOpen ${LODEV} ${MYMAP} ; do
+ echo ">>> Did you type an incorrect passphrases?"
+ read -p ">>> Press [ENTER] to try again or Ctrl-C to abort ..." REPLY
+ done
+ else
+ # Use the loopmounted block device for the un-encrypted container:
+ CNTDEV=${LODEV}
+ fi
+
+ # Run fsck so the filesystem is clean before we resize it:
+ fsck -fvy ${CNTDEV}
+ # Resize the filesystem to occupy the full new size:
+ resizefs ${CNTDEV}
+ # Just to be safe:
+ fsck -fvy ${CNTDEV}
+
+ # Don't forget to clean up after ourselves:
+ if cryptsetup isLuks ${LODEV} ; then
+ cryptsetup luksClose ${MYMAP}
+ fi
+ losetup -d ${LODEV} || true
+} # End of expand_container()
+
# Uncompress the initrd based on the compression algorithm used:
-uncompressfs () {
+function uncompressfs () {
if $(file "${1}" | grep -qi ": gzip"); then
gzip -cd "${1}"
elif $(file "${1}" | grep -qi ": XZ"); then
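Review bot: expand_container() uses the result of cont_mb() without checking it, although cont_mb() returns `-1` for a size with no recognised suffix (e.g. `-X 500`) and `0` for a kB value under 1024. With `-1` the free-space test passes and `dd` is run with `count=-1` while its stderr goes to /dev/null, so the user gets no usable message. A check right after the cont_mb call that rejects anything but a positive integer would stop this before the container file is touched. The get_part_mb_size() and get_part_mb_free() functions added here are also defined again further down in the file, as a later hunk shows.

```shell
MYINC=$(cont_mb ${MYINC})
if ! [[ "${MYINC}" =~ ^[0-9]+$ ]] || [ "${MYINC}" -eq 0 ]; then
  echo "*** Invalid container extension size, use e.g. '-X 125M', '-X 2G', '-X 20%'."
  cleanup
  exit 1
fi
# … unchanged: partition size and free-space checks, dd, losetup, cryptsetup, resize …
```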
@@ -226,10 +419,76 @@ uncompressfs () {
fi
} # End of uncompressfs ()
+# Resize the filesystem on a block device:
+function resizefs() {
+ # Uses external function: cleanup
+ local MYDEV="${1}"
+ local MYFS
+ local TMPMNT
+
+ if [ -z "${MYDEV}" ]; then
+ # Without arguments given, reply with list of supported fs'es:
+ echo "btrfs,ext2,ext4,f2fs,jfs,xfs"
+ return
+ fi
+
+ # Determine the current filesystem for the block device:
+ MYFS=$(lsblk -n -o FSTYPE ${MYDEV})
+ if [ -z "${MYFS}" ]; then
+ echo "*** Failed to resize filesystem on device '${MYDEV}'!"
+ echo "*** No filesystem found."
+ cleanup
+ exit 1
+ fi
+
+ TMPMNT=$(mktemp -d -p ${TMP:=/tmp} -t alienres.XXXXXX)
+ if [ ! -d $TMPMNT ]; then
+ echo "*** Failed to create temporary mount for the filesystem resize!"
+ cleanup
+ exit 1
+ else
+ chmod 711 ${TMPMNT}
+ fi
+
+ # Mount the block device prior to the resize
+ # (btrfs, jfs and xfs do not support offline resize):
+ mount -o rw -t ${MYFS} ${MYDEV} ${TMPMNT}
+
+ # Resize the filesystem to occupy the full new device capacity:
+ case "${MYFS}" in
+ btrfs) btrfs filesystem resize max ${TMPMNT}
+ ;;
+ ext*) resize2fs ${MYDEV}
+ ;;
+ f2fs) resize.f2fs ${MYDEV}
+ ;;
+ jfs) mount -o remount,resize,rw ${TMPMNT}
+ ;;
+ xfs) xfs_growfs -d ${TMPMNT}
+ ;;
+ *) echo "*** Unsupported filesystem '${MYFS}'!"
+ cleanup
+ exit 1
+ ;;
+ esac
+
+ if [ ! $? ]; then
+ echo "*** Failed to resize '${MYFS}'filesystem on device '${MYDEV}'!"
+ cleanup
+ exit 1
+ else
+ # Un-mount the device again:
+ sync
+ umount ${TMPMNT}
+ rmdir ${TMPMNT}
+ fi
+} # End of resizefs()
+
+
# Collect the kernel modules we need for the liveslak initrd.
# When calling this function, the old module tree must already
# have been renamed to ${OLDKVER}.prev
-collect_kmods() {
+function collect_kmods() {
local IMGDIR="$1"
# Borrow (and mangle) code from Slackware's mkinitrd
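Review bot: The check `if [ ! $? ]` after the `case` in resizefs() can never be true, because `$?` always expands to a non-empty string, so the "Failed to resize" branch is dead code. `if [ $? -ne 0 ]; then` tests the exit status that was presumably intended. The temporary mount point `${TMPMNT}` is also unknown to cleanup(), so the failure paths that call it leave that directory behind. collect_kmods(), whose first lines close this hunk, continues outside it.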
@@ -362,9 +621,14 @@ collect_kmods() {
fi
} # End of collect_kmods ()
-# Read configuration data from old initrd:
-read_initrd() {
+# Read configuration data from old initrd,
+# after it has been extracted into a directory:
+function read_initrddir() {
local IMGDIR="$1"
+ local INITVARS="$2"
+ local OLDKVER
+ local OLDMODDIR
+ local PREVMODDIR
cd ${IMGDIR}
@@ -372,7 +636,7 @@ read_initrd() {
OLDWAIT=$(cat ./wait-for-root)
# Read the values of liveslak template variables in the init script:
- for TEMPLATEVAR in DEF_KBD DEF_LOCALE DEF_TZ DISTRO LIVE_HOSTNAME LIVEMAIN LIVEUID MARKER MEDIALABEL PERSISTENCE CORE2RAMMODS SQ_EXT_AVAIL VERSION ; do
+ for TEMPLATEVAR in ${INITVARS} ; do
eval $(grep "^ *${TEMPLATEVAR}=" ./init |head -1)
done
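Review bot: The loop now takes its variable names from the caller, but its body still feeds the first matching line of `./init` to `eval`, and `./init` comes from the initrd on the USB stick. Anything else on that line is therefore executed with the privileges of whoever runs the script, presumably root. Reading the value as text and assigning it without evaluation, for example `VAL=$(sed -n "s/^ *${TEMPLATEVAR}=//p" ./init | head -1)` followed by `printf -v "${TEMPLATEVAR}" '%s' "${VAL//\"/}"`, would keep the result for plain double-quoted values. The `eval` line is unchanged context, and read_initrddir() starts and ends outside this hunk.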
@@ -404,23 +668,36 @@ read_initrd() {
fi
fi
fi
-} # End read_initrd()
-
-# Extract the initrd:
-extract_initrd() {
- local IMGFILE="$1"
+} # End read_initrddir()
+
+# Extract the initrd into a new directory and report the dirname back:
+function extract_initrd() {
+ local MYIMGFILE="$1"
+ local MYIMGDIR=$(mktemp -d -p ${TMP:=/tmp} -t alienimg.XXXXXX)
+ if [ ! -d $MYIMGDIR ]; then
+ echo "*** Failed to create temporary extraction directory for the initrd!"
+ cleanup
+ exit 1
+ else
+ chmod 711 $MYIMGDIR
+ fi
- cd ${IMGDIR}
- uncompressfs ${IMGFILE} \
- | cpio -i -d -m -H newc
+ cd ${MYIMGDIR}
+ uncompressfs ${MYIMGFILE} 2>/dev/null \
+ | cpio -i -d -m -H newc 2>/dev/null
+ echo "$MYIMGDIR"
} # End of extract_initrd()
# Modify the extracted initrd and re-pack it:
-update_initrd() {
- local IMGFILE="$1"
+function update_initrd() {
+ local MYIMGFILE="$1"
+ local MYIMGDIR="$2"
local NEED_RECOMP=0
+ local NEWMODDIR
+ local OLDMODDIR
+ local OLDKVER
- cd ${IMGDIR}
+ cd ${MYIMGDIR}
if [ ${WAIT} -ge 0 ]; then
if [ $WAIT != $OLDWAIT ]; then
echo "--- Updating 'waitforroot' time from '$OLDWAIT' to '$WAIT'"
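Review bot: extract_initrd() now discards stderr from both `uncompressfs` and `cpio` and never checks the result, so a corrupt or unsupported initrd yields an empty directory whose name is still echoed back as if extraction had worked. A check before the final `echo`, e.g. `[ -f ./init ] || { echo "*** Failed to extract initrd!" >&2 ; cleanup ; exit 1 ; }`, would stop there. The message has to go to stderr because the function returns the directory name on stdout. As the archive comes from removable media, adding GNU cpio's `--no-absolute-filenames` to the `cpio -i` call would also keep its entries inside `${MYIMGDIR}`. update_initrd() continues outside this hunk.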
@@ -431,24 +708,23 @@ update_initrd() {
if [ $UPKERNEL -eq 1 ]; then
OLDMODDIR=$(find ./lib/modules -type d -mindepth 1 -maxdepth 1 |grep -v .prev)
+ OLDKVER=$(strings $(find ${OLDMODDIR}/kernel/ -name "*.ko*" |head -1) |grep ^vermagic |cut -d= -f2 |cut -d' ' -f1)
rm -rf ./lib/modules/*.prev
if [ $KBACKUP -eq 1 ]; then
# We make one backup:
- if [ $VERBOSE -eq 1 ]; then
- echo "--- Making backup of kernel modules"
- fi
+ echo "--- Making backup of kernel modules (${OLDKVER}) in initrd"
mv -i ${OLDMODDIR} ${OLDMODDIR}.prev
else
- echo "--- No room for backing up old kernel modules"
+ echo "--- No room for backing up old kernel modules in initrd"
rm -rf ${OLDMODDIR}
fi
# Add modules for the new kernel:
- echo "--- Adding new kernel modules"
- collect_kmods ${IMGDIR}
+ echo "--- Adding new kernel modules (${KVER}) to initrd"
+ collect_kmods ${MYIMGDIR}
NEED_RECOMP=1
elif [ $RESTORE -eq 1 -a $KRESTORE -eq 1 ]; then
# Restore previous kernel module tree.
- # The 'read_initrd' routine will already have checked that we have
+ # The 'read_initrddir' routine will already have checked that we have
# one active and one .prev modules tree:
OLDMODDIR=$(find ./lib/modules -type d -mindepth 1 -maxdepth 1 |grep .prev || true)
NEWMODDIR=$(find ./lib/modules -type d -mindepth 1 -maxdepth 1 |grep -v .prev)
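Review bot: `OLDKVER=$(strings $(find ${OLDMODDIR}/kernel/ -name "*.ko*" |head -1) ...)` runs `strings` with no file argument when `find` matches nothing, and GNU strings then reads standard input, so the script would sit waiting instead of failing. Resolving the module path first with `KMOD=$(find ${OLDMODDIR}/kernel/ -name "*.ko*" -print -quit)`, and calling `strings "${KMOD}"` only when it is non-empty, avoids that. The same pattern is added in getpath_kernelmods() in a later hunk, where the `-z "${MYKVER}"` check comes too late to help. update_initrd() starts and ends outside this hunk.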
@@ -459,6 +735,11 @@ update_initrd() {
fi
if [ -n "${LIVEINIT}" ]; then
+ if ! file "${LIVEINIT}" |grep -q 'shell script' ; then
+ echo "*** Not a shell script: "${LIVEINIT}"!"
+ cleanup
+ exit 1
+ fi
echo "--- Replacing live init script"
cp ./init ./init.prev
if grep -q "@LIVEMAIN@" ${LIVEINIT} ; then
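Review bot: In the new error message `echo "*** Not a shell script: "${LIVEINIT}"!"` the inner double quotes end the string, so `${LIVEINIT}` is expanded unquoted and the file name is printed without any quotes around it. The file's other messages put single quotes inside the string, which would give `echo "*** Not a shell script: '${LIVEINIT}'!"`. update_initrd() starts and ends outside this hunk.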
@@ -473,19 +754,21 @@ update_initrd() {
if [ ${NEED_RECOMP} -eq 1 ]; then
echo "--- Compressing the initrd image again"
- chmod 0755 ${IMGDIR}
- find . |cpio -o -H newc |$COMPR > ${IMGFILE}
+ chmod 0755 ${MYIMGDIR}
+ find . |cpio -o -H newc |$COMPR > ${MYIMGFILE}
fi
- cd - 1>/dev/null # End of 'cd ${IMGDIR}'
+ cd - 1>/dev/null # End of 'cd ${MYIMGDIR}'
} # End of update_initrd()
# Accept either a kernelimage or a packagename,
# and return the path to a kernelimage:
-getpath_kernelimg () {
+function getpath_kernelimg () {
local MYDATA="${*}"
- [ -z "${MYDATA}" ] && echo ""
- if [ -n "$(file "${MYDATA}" |grep -E 'x86 boot (executable|sector)')" ]; then
+ if [ -z "${MYDATA}" ]; then
+ echo ""
+ return
+ elif [ -n "$(file "${MYDATA}" |grep -E 'x86 boot (executable|sector)')" ]; then
# We have a kernel image:
echo "${MYDATA}"
else
@@ -498,38 +781,48 @@ getpath_kernelimg () {
# Accept either a directory containing module tree, or a packagename,
# and return the path to a module tree:
-getpath_kernelmods () {
+function getpath_kernelmods () {
local MYDATA="${*}"
- [ -z "${MYDATA}" ] && echo ""
+ local MYKVER
- if [ -d "${MYDATA}" ]; then
+ if [ -z "${MYDATA}" ]; then
+ echo ""
+ return
+ elif [ -d "${MYDATA}" ]; then
# We have directory, assume it contains the kernel modules:
- echo "${MYDATA}"
+ MYKVER=$(strings $(find ${MYDATA}/kernel/ -name "*.ko*" |head -1) |grep ^vermagic |cut -d= -f2 |cut -d' ' -f1)
+ if [ -z "${MYKVER}" ]; then
+ echo "*** Could not determine new kernel version from module directory!"
+ cleanup
+ exit 1
+ fi
+ mkdir -p ${KERDIR}/lib/modules/${MYKVER}
+ rsync -a ${MYDATA}/ ${KERDIR}/lib/modules/${MYKVER}/
else
# We assume a Slackware package:
# Extract the kernel modules from the package and return the path:
tar -C ${KERDIR} -xf ${MYDATA} lib/modules
- cd ${KERDIR}/lib/modules/*
- pwd
fi
+ cd ${KERDIR}/lib/modules/*
+ pwd
} # End of getpath_kernelmods
# Determine size of a mounted partition (in MB):
-get_part_mb_size() {
+function get_part_mb_size() {
local MYSIZE
MYSIZE=$(df -P -BM ${1} |tail -1 |tr -s '\t' ' ' |cut -d' ' -f2)
echo "${MYSIZE%M}"
} # End of get_part_mb_size
# Determine free space of a mounted partition (in MB):
-get_part_mb_free() {
+function get_part_mb_free() {
local MYSIZE
MYSIZE=$(df -P -BM ${1} |tail -1 |tr -s '\t' ' ' |cut -d' ' -f4)
echo "${MYSIZE%M}"
} # End of get_part_mb_free
-parse_template() {
- # Parse a liveslak template file and substitute the placeholders.
+# Parse a liveslak template file and substitute the placeholders.
+function parse_template() {
local INFILE="$1"
local OUTFILE="$2"
@@ -580,6 +873,10 @@ while [ ! -z "$1" ]; do
show_devices
exit
;;
+ -e|--examples)
+ showexamples
+ exit
+ ;;
-h|--help)
showhelp
exit
@@ -624,6 +921,18 @@ while [ ! -z "$1" ]; do
WAIT="$2"
shift 2
;;
+ -N|--nolivemods)
+ NOLIVEMODS=1
+ shift
+ ;;
+ -x|--extend)
+ EXTENSION="$2"
+ shift 2
+ ;;
+ -X|--extendsize)
+ INCSIZE="$2"
+ shift 2
+ ;;
*)
echo "*** Unknown parameter '$1'!"
exit 1
@@ -644,8 +953,8 @@ fi
# Either provide a block device, or else scan for a block device:
if [ -z "$TARGET" ]; then
if [ $SCAN -eq 1 ]; then
- echo "-- Waiting ${SCANWAIT} seconds for a USB stick to be inserted..."
- TARGET=$(scan_devices)
+ echo "--- Waiting ${SCANWAIT} seconds for a USB stick to be inserted..."
+ TARGET=$(scan_devices ${SCANWAIT})
if [ -z "$TARGET" ]; then
echo "*** No new USB device detected during $SCANWAIT seconds scan."
exit 1
@@ -654,6 +963,7 @@ if [ -z "$TARGET" ]; then
fi
else
echo "*** You must specify the Live USB devicename (option '-o')!"
+ echo "*** Alternatively, let the script scan for insertion (option '-s')!"
exit 1
fi
elif [ $SCAN -eq 1 ]; then
@@ -705,7 +1015,6 @@ else
KVER=$(strings $(find ${KMODDIR}/kernel/ -name "*.ko*" |head -1) |grep ^vermagic |cut -d= -f2 |cut -d' ' -f1)
if [ -z "${KVER}" ]; then
echo "*** Could not determine kernel version from the module directory"
- echo "*** (querying module kernel/fs/overlayfs/overlay.ko)!"
cleanup
exit 1
fi
@@ -719,7 +1028,16 @@ if [ -n "${LIVEINIT}" -a ! -f "${LIVEINIT}" ]; then
exit 1
fi
-if [ $CHANGES2SXZ -eq 1 ]; then
+if [ -n "${EXTENSION}" ]; then
+ if [ -z "${INCSIZE}" ]; then
+ echo "*** LUKS container '${EXTENSION}' defined but no extension size provided!"
+ echo "*** Not extending encrypted ${EXTENSION}, please use '-X' parameter."
+ cleanup
+ exit 1
+ fi
+fi
+
+if [ $CHANGES2SXZ -eq 1 ] || [ $UPKERNEL -eq 1 ]; then
# We need to create a module, so add squashfs to the required tools:
REQTOOLS="${REQTOOLS} mksquashfs"
fi
@@ -732,9 +1050,9 @@ for PROGN in ${REQTOOLS} ; do
fi
done
if [ ! -z "$PROG_MISSING" ] ; then
- echo "-- Required program(s) not found in search path '$PATH'!"
+ echo "--- Required program(s) not found in search path '$PATH'!"
echo -e ${PROG_MISSING}
- echo "-- Exiting."
+ echo "--- Exiting."
cleanup
exit 1
fi
@@ -759,7 +1077,7 @@ echo q |gdisk -l $TARGET 2>/dev/null | \
# If the user just used the scan option (-s) and did not select a task,
# we will exit the script gracefully now:
-if [[ $WAIT -lt 0 && $UPKERNEL -ne 1 && $RESTORE -ne 1 && $NETSUPPORT -ne 1 && $LIVEINIT = "" && $CHANGES2SXZ -ne 1 ]]; then
+if [[ $WAIT -lt 0 && $UPKERNEL -ne 1 && $RESTORE -ne 1 && $NETSUPPORT -ne 1 && $LIVEINIT = "" && $CHANGES2SXZ -ne 1 && $EXTENSION = "" ]]; then
cleanup
exit 0
else
@@ -779,15 +1097,19 @@ TARGETP1=$(fdisk -l $TARGET |grep ^$TARGET |cut -d' ' -f1 |grep -E '[^0-9]1$')
TARGETP2=$(fdisk -l $TARGET |grep ^$TARGET |cut -d' ' -f1 |grep -E '[^0-9]2$')
TARGETP3=$(fdisk -l $TARGET |grep ^$TARGET |cut -d' ' -f1 |grep -E '[^0-9]3$')
-# Create a temporary extraction directory for the initrd:
-mkdir -p /mnt
-IMGDIR=$(mktemp -d -p /mnt -t alienimg.XXXXXX)
-if [ ! -d $IMGDIR ]; then
- echo "*** Failed to create temporary extraction directory for the initrd!"
- cleanup
- exit 1
+# Normalize filepath:
+if [ -f "${EXTENSION}" ]; then
+ # Container is an actual file, so where are we mounted?
+ EXTPART=$(cd "$(dirname "${EXTENSION}")" ; df --output=source . |tail -1)
+ EXTMNT=$(cd "$(dirname "${EXTENSION}")" ; df --output=target . |tail -1)
+ if [ "${EXTPART}" == "${TARGETP3}" ]; then
+ # User already mounted the USB linux partition; remove mountpoint:
+ EXTENSION="${EXTENSION#$EXTMNT}"
+ fi
+elif [ -n "${EXTENSION}" && "$(dirname ${EXTENSION})" == "." ]; then
+ # Containerfile was provided without leading slash, add one:
+ EXTENSION="/${EXTENSION}"
fi
-chmod 711 $IMGDIR
# Create temporary mount point for the USB device:
mkdir -p /mnt
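Review bot: The added `elif [ -n "${EXTENSION}" && "$(dirname ${EXTENSION})" == "." ]` cannot work, because `&&` is not an operator inside single brackets. The shell splits the line into two commands, so `[` fails with a missing `]` and the branch that prepends the slash is never taken. The error is also printed on runs where `-x` was not given, since the `elif` is evaluated whenever `${EXTENSION}` is not an existing file. Write it as `elif [ -n "${EXTENSION}" ] && [ "$(dirname "${EXTENSION}")" = "." ]; then`, which also quotes the path for names containing spaces. In the branch above it, `${EXTENSION#$EXTMNT}` treats the mount point as a glob pattern; `${EXTENSION#"${EXTMNT}"}` strips it literally.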
@@ -825,13 +1147,27 @@ EFIPFREE=$(get_part_mb_free ${EFIMNT})
# Record the Slackware Live version:
OLDVERSION="$(cat ${USBMNT}/.isoversion 2>/dev/null)"
-echo "-- The medium '${TARGET}' contains '${OLDVERSION}'"
+echo "--- The medium '${TARGET}' contains '${OLDVERSION}'"
+
+# Try a write to the partition:
+if touch ${USBMNT}/.rwtest 2>/dev/null && rm ${USBMNT}/.rwtest 2>/dev/null
+then
+ echo "--- The partition '${TARGETP3}' is writable."
+else
+ echo "--- Trying to remount readonly partition '${TARGETP3}' as writable..."
+ mount -o remount,rw ${USBMNT}
+ if [ $? -ne 0 ]; then
+ echo "*** Failed to remount '${TARGETP3}' writable, unable to continue!"
+ cleanup
+ exit 1
+ fi
+fi
# Find out if the USB contains an EFI bootloader and use it:
if [ ! -f ${EFIMNT}/EFI/BOOT/boot*.efi ]; then
EFIBOOT=0
- echo "-- Note: UEFI boot file 'bootx64.efi' or 'bootia32.efi' not found on ISO."
- echo "-- UEFI boot will not be supported"
+ echo "--- Note: UEFI boot file 'bootx64.efi' or 'bootia32.efi' not found on ISO."
+ echo "--- UEFI boot will not be supported"
else
EFIBOOT=1
fi
@@ -846,10 +1182,10 @@ fi
OLDKERNELSIZE=$(du -sm "${KIMG}" |tr '\t' ' ' |cut -d' ' -f1)
# Collect data from the USB initrd:
-extract_initrd ${USBMNT}/boot/initrd.img
-read_initrd ${IMGDIR}
+IMGDIR="$( extract_initrd ${USBMNT}/boot/initrd.img )"
+read_initrddir ${IMGDIR} "DEF_KBD DEF_LOCALE DEF_TZ DISTRO LIVE_HOSTNAME LIVEMAIN LIVEUID MARKER MEDIALABEL PERSISTENCE CORE2RAMMODS SQ_EXT_AVAIL VERSION"
-# The read_initrd routine will set SUPPORTED to '0'
+# The read_initrddir routine will set SUPPORTED to '0'
# if it finds a non-standard configuration for kernel & modules:
if [ $KBACKUP -eq 1 ]; then
if [ $SUPPORTED -ne 1 ]; then
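Review bot: `IMGDIR="$( extract_initrd ${USBMNT}/boot/initrd.img )"` is used without checking the result, while the `[ ! -d $IMGDIR ]` test that guarded the temporary directory is removed elsewhere in this commit. The function now runs in a command substitution, so if it follows the `cleanup; exit 1` pattern that getpath_kernelmods uses, that exit ends only the subshell. The script would then call `read_initrddir` and later `update_initrd` with an empty path. A check right after the assignment restores the fail-fast behaviour: `[ -d "${IMGDIR}" ] || { echo "*** Failed to extract the initrd!"; cleanup; exit 1; }`. extract_initrd is defined outside this hunk, so confirm there that it prints nothing but the directory on stdout, since any other output would end up in IMGDIR.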
@@ -876,14 +1212,27 @@ if [ $KBACKUP -eq 1 ]; then
fi
# Update the initrd with regard to USB wait time, liveinit, kernel:
-update_initrd ${USBMNT}/boot/initrd.img
+update_initrd ${USBMNT}/boot/initrd.img ${IMGDIR}
+
+# Add the new kernel modules as a squashfs module:
+if [ $UPKERNEL -eq 1 ] && [ $NOLIVEMODS -eq 0 ]; then
+ LIVE_MOD_SYS=$(dirname $(find ${USBMNT} -name "0099-${DISTRO}_zzzconf*.sxz" |head -1))
+ LIVE_MOD_ADD=$(dirname ${LIVE_MOD_SYS})/addons
+ MODNAME="0100-${DISTRO}_kernelmodules_${KVER}.sxz"
+ echo "--- Creating kernelmodules addon live module '${MODNAME}'"
+ rm -f ${LIVE_MOD_ADD}/${MODNAME}
+ mksquashfs ${KERDIR} ${LIVE_MOD_ADD}/${MODNAME} -e boot -noappend -comp xz -b 1M
+ unset LIVE_MOD_SYS LIVE_MOD_ADD MODNAME
+fi
# Take care of the kernel in the Linux partition:
if [ $UPKERNEL -eq 1 ]; then
if [ $KBACKUP -eq 1 ]; then
# We always make one backup with the suffix ".prev":
if [ $VERBOSE -eq 1 ]; then
- echo "-- Backing up ${KIMG} to ${USBMNT}/boot/$(basename \"${KIMG}\").prev"
+ echo "--- Backing up ${KIMG} to ${USBMNT}/boot/$(basename \"${KIMG}\").prev"
+ else
+ echo "--- Backing up old kernel"
fi
mv "${KIMG}" ${USBMNT}/boot/$(basename "${KIMG}").prev
else
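Review bot: The added kernel-modules block builds `LIVE_MOD_ADD` from a `find` result without checking that anything was found, and it does not check the exit status of `mksquashfs`. If no `0099-${DISTRO}_zzzconf*.sxz` exists under `${USBMNT}`, both `dirname` calls get no operand and the path presumably resolves to `/addons`, so the `rm -f` and `mksquashfs` act outside the USB stick. In either failure case the script still replaces the kernel further down, leaving the medium with a new kernel and no matching modules addon. Stopping on both conditions keeps the old kernel in place. The sketch below also quotes the `find` and `dirname` arguments.

```shell
if [ $UPKERNEL -eq 1 ] && [ $NOLIVEMODS -eq 0 ]; then
  LIVE_MOD_CONF="$(find "${USBMNT}" -name "0099-${DISTRO}_zzzconf*.sxz" |head -1)"
  if [ -z "${LIVE_MOD_CONF}" ]; then
    echo "*** Could not locate the live modules directory on '${TARGETP3}'!"
    cleanup
    exit 1
  fi
  LIVE_MOD_ADD="$(dirname "$(dirname "${LIVE_MOD_CONF}")")/addons"
  # … unchanged: MODNAME assignment, echo, rm -f of the old module …
  if ! mksquashfs ${KERDIR} ${LIVE_MOD_ADD}/${MODNAME} -e boot -noappend -comp xz -b 1M ; then
    echo "*** Failed to create live module '${MODNAME}'!"
    cleanup
    exit 1
  fi
  unset LIVE_MOD_CONF LIVE_MOD_ADD MODNAME
fi
```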
@@ -891,15 +1240,21 @@ if [ $UPKERNEL -eq 1 ]; then
fi
# And we name our new kernel exactly as the old one:
if [ $VERBOSE -eq 1 ]; then
- echo "-- Copying \"${KERNEL}\" to ${USBMNT}/boot/$(basename \"${KIMG}\")"
+ echo "--- Copying \"${KERNEL}\" to ${USBMNT}/boot/$(basename \"${KIMG}\")"
+ else
+ echo "--- Adding new kernel"
fi
cp "${KERNEL}" ${USBMNT}/boot/$(basename "${KIMG}")
elif [ $RESTORE -eq 1 -a $KRESTORE -eq 1 ]; then
if [ $VERBOSE -eq 1 ]; then
- echo "-- Restoring ${USBMNT}/boot/$(basename \"${KIMG}\").prev to ${KIMG}"
+ echo "--- Restoring ${USBMNT}/boot/$(basename \"${KIMG}\").prev to ${KIMG}"
+ else
+ echo "--- Restoring old kernel"
fi
+ OLDKVER=$(file "${KIMG}" |sed 's/^.*\(version [^ ]* \).*$/\1/' |cut -d' ' -f2)
rm -f "${KIMG}"
mv ${USBMNT}/boot/$(basename "${KIMG}").prev "${KIMG}"
+ echo "--- You may remove obsolete 'addons/0100-${DISTRO}_kernelmodules_${OLDKVER}.sxz' module"
fi
if [ $EFIBOOT -eq 1 ]; then
@@ -925,16 +1280,40 @@ if [ $CHANGES2SXZ -eq 1 ]; then
echo "*** Unable to create file '/mnt/live/changes/.wipe'!"
echo "*** Are you sure you are running ${DISTRO^} Live Edition?"
else
- # Squash the persistence data into a Live .sxz module:
+ # Squash the persistence data into a Live .sxz module,
+ # but only if we find the space to do so:
+ CHANGESSIZE=$(du -sm /mnt/live/changes/ |tr '\t' ' ' |cut -d' ' -f1)
+ if [ $(( $USBPFREE - $CHANGESSIZE )) -lt $MINFREE ]; then
+ CHANGES2SXZ=-1
+ fi
+ if [ $CHANGES2SXZ -eq -1 ]; then
+ echo "*** Not enough space to squash persistence data into a module."
+ # Don't wipe persistence data on next boot!
+ rm -f /mnt/live/changes/.wipe
+ cleanup
+ exit 1
+ fi
LIVE_MOD_SYS=$(dirname $(find ${USBMNT} -name "0099-${DISTRO}_zzzconf*.sxz" |head -1))
LIVE_MOD_ADD=$(dirname ${LIVE_MOD_SYS})/addons
MODNAME="0100-${DISTRO}_customchanges-$(date +%Y%m%d%H%M%S).sxz"
- echo "-- Moving current persistence data into addons module '${MODNAME}'"
+ echo "--- Moving current persistence data into addons module '${MODNAME}'"
mksquashfs /mnt/live/changes ${LIVE_MOD_ADD}/${MODNAME} -noappend -comp xz -b 1M -e .wipe
fi
fi
fi
+# Should we extend the size of a container?
+if [ -n "${EXTENSION}" ]; then
+ if [ "$(basename ${EXTENSION} ${CNTEXT})" == "$(basename ${EXTENSION})" ];
+ then
+ echo "*** File '${EXTENSION}' does not have an '${CNTEXT}' extension!"
+ cleanup
+ exit 1
+ fi
+ # Expand existing container file:
+ expand_container ${TARGETP3} ${INCSIZE} ${USBMNT}/${EXTENSION}
+fi
+
# Unmount/remove stuff:
cleanup
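Review bot: The new free-space check removes `.wipe` when the module cannot be built, but a failing `mksquashfs /mnt/live/changes ...` a few lines later still leaves `.wipe` in place. By the script's own comment the persistence data would then be wiped on next boot without having been saved. Checking the exit status closes that gap: `mksquashfs /mnt/live/changes ${LIVE_MOD_ADD}/${MODNAME} -noappend -comp xz -b 1M -e .wipe || { rm -f /mnt/live/changes/.wipe; cleanup; exit 1; }`. In the container block at the end of the hunk, `${EXTENSION}` and `${INCSIZE}` reach `expand_container` unquoted, and nothing in this hunk validates them. Quoting them and rejecting a malformed `INCSIZE` before the call would be safer, though expand_container itself is outside this hunk and may do its own checks.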
diff --git a/xdm/Xresources b/xdm/Xresources
index f0de167..91f066a 100644
--- a/xdm/Xresources
+++ b/xdm/Xresources
@@ -19,6 +19,8 @@ xlogin.Login.greeting:
!xlogin.Login.greeting: CLIENTHOST
xlogin.Login.namePrompt: Username:\040
xlogin.Login.passwdPrompt: Password:\040
+xlogin.Login.echoPasswd: true
+xlogin.Login.allowNullPasswd: true
xlogin.Login.fail: incorrect
xlogin.Login.greetFace: Terminus-14:style=Bold
xlogin.Login.promptFace: Terminus-12:style=Bold
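Review bot: The two added login resources weaken the greeter and carry no comment explaining why. `xlogin.Login.allowNullPasswd: true` lets xdm accept accounts whose password is empty, and `xlogin.Login.echoPasswd: true` shows a placeholder for every typed character, which discloses the password length to anyone watching the screen. Both are reasonable defaults for a live medium. If this Xresources file is also carried onto a system installed from the live medium (not visible here), they weaken the login screen there too. A comment above the two lines would record the intent, e.g. `! Live medium only: permit empty passwords and echo a placeholder per keystroke`, and the null-password setting is worth dropping on installed systems.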
@@ -34,8 +36,30 @@ xlogin.Login.y: LOGIN_POS_Y
xlogin.Login.borderWidth: 0
xlogin.Login.foreground: #ffe4e4
xlogin.Login.background: black
+xlogin.Login.hiColor: black
+xlogin.Login.shdColor: black
+xlogin.Login.inpColor: black
+xlogin.Login.innerFramesWidth: 0
+xlogin.Login.sepWidth: 0
xlogin.Login.logoFileName: /etc/X11/xdm/liveslak-xdm/bluepiSW.xpm
+xlogin*login.translations: #override \
+ Ctrl<Key>R: abort-display()\n\
+ <Key>Delete: delete-character()\n\
+ <Key>Left: move-backward-character()\n\
+ <Key>Right: move-forward-character()\n\
+ <Key>Home: move-to-begining()\n\
+ <Key>End: move-to-end()\n\
+ Ctrl<Key>KP_Enter: set-session-argument(failsafe) finish-field()\n\
+ <Key>KP_Enter: set-session-argument() finish-field()\n\
+ Ctrl<Key>Return: set-session-argument(failsafe) finish-field()\n\
+ <Key>Return: set-session-argument() finish-field()
+ <Key>F1: set-session-argument(failsafe) finish-field()\n\
+ <Key>F2: set-session-argument(kde) finish-field()\n\
+ <Key>F3: set-session-argument(xfce) finish-field()\n\
+ <Key>F4: set-session-argument(fvwm2) finish-field()\n\
+ <Key>F5: set-session-argument(fluxbox) finish-field()\n\
+
.XClock.geometry: 350x28+0-0
.XClock.Clock.analog: false
.XClock.Clock.strftime: (%A)\040%F\040%T