blob: 0e11dfdd432a0ff7f52189afb6f69648963944f4 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
|
#!/bin/bash
fail_exit ()
{
echo "$*"
echo 'Exiting...'
exit 1
}
print_help ()
{
echo "$*"
echo "Help:"
echo " --username use username for HTTP auth (optional)"
echo " --password use password for HTTP auth (optional)"
exit 1
}
clean_up ()
{
if [ -n "$PART_FILE" ]; then
rm -f $PART_FILE >&/dev/null
fi
umount $CD_SQUASH_ROOT >&/dev/null || true
umount $CD_ROOT >&/dev/null || true
umount $INST_ROOT >&/dev/null || true
umount $READ_ROOT >&/dev/null || true
umount $WRITE_ROOT >&/dev/null || true
if [ -d "$TEMP_DIR" ]; then
rm -rf $TEMP_DIR
fi
}
sig_handler () {
echo "ERROR: Signal received. Exiting..."
clean_up
echo "Done"
trap - EXIT
exit 1
}
exit_handler () {
clean_up
}
# read in commandline - snipped thankfully copied from:
# https://unix.stackexchange.com/a/580258
VRF="default"
while [ $# -gt 0 ]; do
case "$1" in
--url*|-u)
if [[ "$1" != *=* ]]; then shift; fi # Value is next arg if no `=`
# the image to be installed. only used if installing from an installed,
# running system.
NEW_ISO="${1#*=}"
;;
--vrf*|-v)
if [[ "$1" != *=* ]]; then shift; fi # Value is next arg if no `=`
VRF="${1#*=}"
;;
--username*)
if [[ "$1" != *=* ]]; then shift; fi
# Username and password are optional
USERNAME="${1#*=}"
;;
--password*)
if [[ "$1" != *=* ]]; then shift; fi
PASSWORD="${1#*=}"
;;
--help|-h)
print_help
exit 0
;;
*)
print_help
>&2 printf "Error: Invalid argument\n"
exit 1
;;
esac
shift
done
# source in the functions
source /opt/vyatta/sbin/install-functions
if [ -f /etc/profile.d/vyos-system-proxy.sh ]; then
source /etc/profile.d/vyos-system-proxy.sh
fi
# export INSTALL_LOG for the scripts invoked
export INSTALL_LOG=/tmp/install-$$.log
# export PROGRESS_PID for the scripts invoked
export PROGRESS_PID=$$
# file for get-partition output
PART_FILE=''
# Temp directory for downloaded ISO
TEMP_DIR="/var/tmp/install-image.$$"
# Try to fetch the ISO file using a URL provided by the user.
# If successful, we leave $NEW_ISO pointing to the ISO file that
# was downloaded.
fetch_iso_by_url ()
{
mkdir $TEMP_DIR
echo "Trying to fetch ISO file from $NEW_ISO"
if [ -n "$USERNAME" ]; then
AUTH="-u $USERNAME:$PASSWORD"
else
AUTH=""
fi
# This is for statistics collection
vyos_version=`cat /opt/vyatta/etc/version | awk '{print $2}'`
filename="${TEMP_DIR}/${NEW_ISO##*/}"
ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o $filename $NEW_ISO
curlerror=$?
if [ $curlerror -eq 51 ]; then
host=${NEW_ISO##scp://}
host=${host%%/*}
rsa_key=$(ssh-keyscan -t rsa $host 2>/dev/null)
if [[ $VYATTA_PROCESS_CLIENT == "gui2_rest" ]]; then
response="yes"
else
echo "The authenticity of host '$host' can't be established."
echo "RSA key fingerprint is $(ssh-keygen -lf /dev/stdin <<<$rsa_key \
| awk {' print $2 '} ) ."
echo "Are you sure you want to continue connecting (yes/no) [yes]?"
response=$(get_response "Yes" "Yes No Y N")
fi
if [[ "$response" == "yes" || "$response" == "y" ]]; then
mkdir -p ~/.ssh/
echo $rsa_key >> ~/.ssh/known_hosts
ip vrf exec $VRF curl $AUTH -f -o $filename $NEW_ISO
curlerror=$?
fi
fi
if [ $curlerror -ne 0 ]; then
echo "Unable to fetch ISO from $NEW_ISO"
rm -f $filename
exit 1
fi
if [ ! -e $filename ]; then
echo "Download of $NEW_ISO failed"
exit 1
fi
echo "ISO download succeeded."
echo "Checking for digital signature file..."
# XXX: T2108: We will first download and try to verify the image using the
# generated minisign signature. If this fails, we try to retrieve the GPG
# signature file.
ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.minisig ${NEW_ISO}.minisig
if [ $? -ne 0 ]; then
ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc
fi
if [ $? -ne 0 ]; then
echo "Unable to fetch digital signature file."
echo -n "Do you want to continue without signature check? (yes/no) [yes] "
response=$(get_response "Yes" "Yes No Y N")
if [ "$response" == "no" ] || [ "$response" == "n" ]; then
rm -f $filename
fail_exit 'OK. Installation will not be performed.'
fi
# In case signature file was partially downloaded...
rm -f ${filename}.asc ${filename}.minisig
fi
if [ -e ${filename}.minisig ]; then
echo "Found it. Checking digital signature..."
minisign -V -q -p /usr/share/vyos/keys/vyos-release.minisign.pub -m ${filename} -x ${filename}.minisig
if [ $? -ne 0 ]; then
echo "Signature check FAILED."
echo -n "Do you want to continue anyway? (yes/no) [no] "
response=$(get_response "No" "Yes No Y N")
if [ "$response" == "no" ] || [ "$response" == "n" ]; then
fail_exit 'OK. Installation will not be performed.'
fi
echo "OK. Proceeding with installation anyway."
else
echo "Digital signature is valid."
fi
fi
if [ -e ${filename}.asc ]; then
echo "Found it. Checking digital signature..."
gpg --keyring /etc/apt/trusted.gpg --verify ${filename}.asc
if [ $? -ne 0 ]; then
echo "Signature check FAILED."
echo -n "Do you want to continue anyway? (yes/no) [no] "
response=$(get_response "No" "Yes No Y N")
if [ "$response" == "no" ] || [ "$response" == "n" ]; then
fail_exit 'OK. Installation will not be performed.'
fi
echo "OK. Proceeding with installation anyway."
else
echo "Digital signature is valid."
fi
fi
NEW_ISO=$filename
}
# set up the specified ISO image file or URL for install
set_up_new_iso ()
{
url_scheme=${NEW_ISO%%:*}
if [ "$url_scheme" != "$NEW_ISO" ]; then
if [ "$url_scheme" = "http" -o "$url_scheme" = "https" -o \
"$url_scheme" = "ftp" -o "$url_scheme" = "tftp" -o \
"$url_scheme" = "scp" ]; then
fetch_iso_by_url
fi
fi
if [ ! -f "$NEW_ISO" ] || ! (grep -q ISO9660 $NEW_ISO); then
fail_exit "\"$NEW_ISO\" is not a valid ISO image file."
fi
# make sure mount points exist
mkdir -p $INST_ROOT $WRITE_ROOT $READ_ROOT $CD_ROOT $CD_SQUASH_ROOT
# mount ISO
margs="-o loop,ro $NEW_ISO $CD_ROOT"
if ! try_mount "$margs"; then
fail_exit 'Failed to mount the new image.'
fi
# check squash image
local squash_file=$CD_ROOT/live/filesystem.squashfs
if [ ! -f "$squash_file" ] \
|| ! (file $squash_file | grep -q Squashfs) \
|| ! grep -q '^ii vyatta-version ' $CD_ROOT/live/packages.txt; then
fail_exit "\"$NEW_ISO\" is not a VyOS ISO image file."
fi
# Verify checksums of all files in ISO image
if [ ! -f $CD_ROOT/sha256sum.txt ]; then
if [ ! -f $CD_ROOT/md5sum.txt ]; then
fail_exit "Checksum file not found. The image file is either corrupt or not a VyOS image."
else
# Falling back to MD5 since SHA256 could not be found.
# This must be an older image.
echo -n "Checking MD5 checksums of files on the ISO image... "
sum='md5sum'
fi
else
echo -n "Checking SHA256 checksums of files on the ISO image... "
sum='sha256sum'
fi
resfile=$(mktemp /tmp/install-image-md5check-XXXXXXXX)
(cd $CD_ROOT ; $sum -c $sum.txt > $resfile)
failures=$(grep -cv 'OK$' $resfile)
rm -f $resfile
if [ $failures == 0 ]; then
echo "OK."
else
echo "Failed!"
echo "$failures checksum failures found!"
echo "ISO image is corrupted and can not be used."
exit 1
fi
# mount squash image
margs="-o loop,ro $squash_file $CD_SQUASH_ROOT"
if ! try_mount "$margs"; then
fail_exit 'Failed to mount the squashfs image.'
fi
}
# install new image into a newly-formatted partition.
# will exit with error if installation fails.
install_new ()
{
local root_part=$1
local inst_drv=$2
if [ ! -e "/dev/$root_part" ] || [ ! -e "/dev/$inst_drv" ]; then
fail_exit "Invalid drive/partition ($inst_drv and $root_part)."
fi
# install new image
if ! /opt/vyatta/sbin/install-image-new "$root_part"; then
exit 1
fi
# postinst operations
if ! /opt/vyatta/sbin/install-postinst-new "$inst_drv" "$root_part" union; then
exit 1
fi
}
# install new image into the current boot partition.
# will exit with error if installation fails.
install_existing ()
{
local ctype=$1
if ! /opt/vyatta/sbin/install-image-existing "$ctype"; then
exit 1
fi
}
if [ -z "$USERNAME" ] && [ -n "$PASSWORD" ]; then
fail_exit "Password can not be specified without username"
fi
if [ -n "$USERNAME" ] && [ -z "$PASSWORD" ]; then
fail_exit "Username can not be specified without password"
fi
if [ $(id -u) != 0 ]; then
fail_exit "Image installation requires root privileges!"
fi
trap sig_handler INT KILL
trap exit_handler EXIT
if is_live_cd_boot; then
cat <<EOF
Welcome to the VyOS install program. This script
will walk you through the process of installing the
VyOS image to a local hard drive.
EOF
response=''
while [ -z "$response" ]
do
echo -n "Would you like to continue? (Yes/No) [Yes]: "
response=$(get_response "Yes" "Yes No Y N")
if [ "$response" == "no" ] || [ "$response" == "n" ]; then
fail_exit 'Ok then.'
fi
done
fi
if is_live_cd_boot; then
if [ -n "$NEW_ISO" ]; then
echo 'You are trying to install from a live CD boot. The live CD image'
fail_exit 'will be used. Do not specify an ISO image file or URL.'
fi
elif [ -z "$NEW_ISO" ]; then
echo 'You are trying to install from an already installed system. An ISO'
fail_exit 'image file to install or URL must be specified.'
else
# installing on an installed system. set up the new image.
set_up_new_iso
fi
# get install partition
PART_FILE=$(mktemp /tmp/inst-get-part.XXXXXX) \
|| fail_exit 'Failed to create temporary file'
if ! /opt/vyatta/sbin/install-get-partition $PART_FILE; then
exit 1
fi
# get the partition params
root_part_type=''
root_part=''
inst_drv=''
eval "read root_part_type root_part inst_drv <$PART_FILE" >&/dev/null
rm -f $PART_FILE >&/dev/null
# handle different types
case "$root_part_type" in
new)
install_new "$root_part" "$inst_drv"
exit 0
;;
union|old)
install_existing "$root_part_type"
exit 0
;;
*)
fail_exit "Unknown partition type \"$root_part_type\"."
;;
esac
|
