summaryrefslogtreecommitdiff
path: root/scripts/install/install-image
blob: 57fd86eb4b01fb4b9fe6126a0e8b8026d8fbb479 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
#!/bin/bash

fail_exit ()
{
    echo "$*"
    echo 'Exiting...'
    exit 1
}

print_help ()
{
    echo "$*"
    echo "Help:"
    echo "  --username    use username for HTTP auth (optional)"
    echo "  --password    use password for HTTP auth (optional)"
    exit 1
}

clean_up ()
{
    if [ -n "$PART_FILE" ]; then
        rm -f $PART_FILE >&/dev/null
    fi
    umount $CD_SQUASH_ROOT >&/dev/null || true
    umount $CD_ROOT >&/dev/null || true
    umount $INST_ROOT >&/dev/null || true
    umount $READ_ROOT >&/dev/null || true
    umount $WRITE_ROOT >&/dev/null || true
    if [ -d "$TEMP_DIR" ]; then
        rm -rf $TEMP_DIR
    fi
}

sig_handler () {
    echo "ERROR: Signal received. Exiting..."
    clean_up
    echo "Done"
    trap - EXIT
    exit 1
}

exit_handler () {
    clean_up
}

# read in commandline - snipped thankfully copied from:
# https://unix.stackexchange.com/a/580258
VRF="default"
while [ $# -gt 0 ]; do
  case "$1" in
    --url*|-u)
        if [[ "$1" != *=* ]]; then shift; fi # Value is next arg if no `=`
        # the image to be installed. only used if installing from an installed,
        # running system.
        NEW_ISO="${1#*=}"
        ;;
    --vrf*|-v)
        if [[ "$1" != *=* ]]; then shift; fi # Value is next arg if no `=`
        VRF="${1#*=}"
        ;;
    --username*)
        if [[ "$1" != *=* ]]; then shift; fi
        # Username and password are optional
        USERNAME="${1#*=}"
        ;;
    --password*)
        if [[ "$1" != *=* ]]; then shift; fi
        PASSWORD="${1#*=}"
        ;;
    --help|-h)
        print_help
        exit 0
        ;;
    *)
        print_help
        >&2 printf "Error: Invalid argument\n"
        exit 1
        ;;
    esac
    shift
done

# source in the functions
source /opt/vyatta/sbin/install-functions

if [ -f /etc/profile.d/vyos-system-proxy.sh ]; then
    source /etc/profile.d/vyos-system-proxy.sh
fi

# export INSTALL_LOG for the scripts invoked
export INSTALL_LOG=/tmp/install-$$.log
# export PROGRESS_PID for the scripts invoked
export PROGRESS_PID=$$

# file for get-partition output
PART_FILE=''

# Temp directory for downloaded ISO
TEMP_DIR="/var/tmp/install-image.$$"

# Try to fetch the ISO file using a URL provided by the user.
# If successful, we leave $NEW_ISO pointing to the ISO file that
# was downloaded.
fetch_iso_by_url ()
{
    mkdir $TEMP_DIR
    echo "Trying to fetch ISO file from $NEW_ISO"

    if [ -n "$USERNAME" ]; then
        AUTH="-u $USERNAME:$PASSWORD"
    else
        AUTH=""
    fi

    # This is for statistics collection
    vyos_version=`cat /opt/vyatta/etc/version | awk '{print $2}'`

    filename="${TEMP_DIR}/${NEW_ISO##*/}"
    ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o $filename $NEW_ISO
    curlerror=$?
    if [ $curlerror -eq 51 ]; then
        host=${NEW_ISO##scp://}
        host=${host%%/*}
        rsa_key=$(ssh-keyscan -t rsa $host 2>/dev/null)
        if [[ $VYATTA_PROCESS_CLIENT == "gui2_rest" ]]; then
            response="yes"
        else
            echo "The authenticity of host '$host' can't be established."
            echo "RSA key fingerprint is $(ssh-keygen -lf /dev/stdin <<<$rsa_key \
                | awk {' print $2 '} ) ."
            echo "Are you sure you want to continue connecting (yes/no) [yes]?"
            response=$(get_response "Yes" "Yes No Y N")
        fi
        if [[ "$response" == "yes" || "$response" == "y" ]]; then
            mkdir -p ~/.ssh/
            echo $rsa_key >> ~/.ssh/known_hosts
            ip vrf exec $VRF curl $AUTH -f -o $filename $NEW_ISO
            curlerror=$?
        fi
    fi
    if [ $curlerror -ne 0 ]; then
        echo "Unable to fetch ISO from $NEW_ISO"
        rm -f $filename
        exit 1
    fi
    if [ ! -e $filename ]; then
        echo "Download of $NEW_ISO failed"
        exit 1
    fi
    echo "ISO download succeeded."

    echo "Checking SHA256 (256-bit) checksum..."
    ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.sha256 ${NEW_ISO}.sha256
    if [ $? -ne 0 ]; then
        echo "Unable to fetch SHA256 checksum file."
        echo -n "Do you want to continue without checksum verification? (yes/no) [yes] "

        response=$(get_response "Yes" "Yes No Y N")
        if [ "$response" == "no" ] || [ "$response" == "n" ]; then
            rm -f $filename
            fail_exit 'OK.  Installation will not be performed.'
        fi
        # In case signature file was partially downloaded...
        rm -f ${filename}.sha256
    fi
    if [ -e ${filename}.sha256 ]; then
        echo "Found it.  Verifying checksum..."
        # save our current working directory
        cwd=$(pwd)
        # checksum validation must be performed in the download directory because
        # of the relative path inside the checksum file
        cd ${TEMP_DIR}
        echo $(cat ${NEW_ISO##*/}.sha256 | awk '{print $1}') ${NEW_ISO##*/} | sha256sum --check --quiet
        if [ $? -ne 0 ]; then
            echo "Signature check FAILED."
            fail_exit 'Installation will not be performed.'
        else
            echo "SHA256 checksum valid."
        fi
        # restore old working directory
        cd $cwd
    fi

    echo "Checking for digital signature file..."
    ip vrf exec $VRF curl -L -H "User-Agent: VyOS/$vyos_version" $AUTH -f -o ${filename}.asc ${NEW_ISO}.asc
    if [ $? -ne 0 ]; then
        echo "Unable to fetch digital signature file."
        echo -n "Do you want to continue without signature check? (yes/no) [yes] "

        response=$(get_response "Yes" "Yes No Y N")
        if [ "$response" == "no" ] || [ "$response" == "n" ]; then
            rm -f $filename
            fail_exit 'OK.  Installation will not be performed.'
        fi
        # In case signature file was partially downloaded...
        rm -f ${filename}.asc
    fi

    if [ -e ${filename}.asc ]; then
        echo "Found it.  Checking digital signature..."
        gpg --keyring /etc/apt/trusted.gpg --verify ${filename}.asc
        if [ $? -ne 0 ]; then
            echo "Signature check FAILED."
            echo -n "Do you want to continue anyway? (yes/no) [no] "
            response=$(get_response "No" "Yes No Y N")
            if [ "$response" == "no" ] || [ "$response" == "n" ]; then
                fail_exit 'OK.  Installation will not be performed.'
            fi

            echo "OK. Proceeding with installation anyway."
        else
            echo "Digital signature is valid."
        fi
    fi

    NEW_ISO=$filename
}

# set up the specified ISO image file or URL for install
set_up_new_iso ()
{
    url_scheme=${NEW_ISO%%:*}

    if [ "$url_scheme" != "$NEW_ISO" ]; then
        if [ "$url_scheme" = "http" -o "$url_scheme" = "https" -o \
             "$url_scheme" = "ftp" -o "$url_scheme" = "tftp" -o \
             "$url_scheme" = "scp" ]; then
            fetch_iso_by_url
        fi
    fi

    if [ ! -f "$NEW_ISO" ] || ! (grep -q ISO9660 $NEW_ISO); then
        fail_exit "\"$NEW_ISO\" is not a valid ISO image file."
    fi

    # make sure mount points exist
    mkdir -p $INST_ROOT $WRITE_ROOT $READ_ROOT $CD_ROOT $CD_SQUASH_ROOT

    # mount ISO
    margs="-o loop,ro $NEW_ISO $CD_ROOT"
    if ! try_mount "$margs"; then
        fail_exit 'Failed to mount the new image.'
    fi

    # check squash image
    local squash_file=$CD_ROOT/live/filesystem.squashfs
    if [ ! -f "$squash_file" ] \
        || ! (file $squash_file | grep -q Squashfs) \
        || ! grep -q '^ii  vyatta-version ' $CD_ROOT/live/packages.txt; then
        fail_exit "\"$NEW_ISO\" is not a VyOS ISO image file."
    fi

    # Verify checksums of all files in ISO image
    if [ ! -f $CD_ROOT/md5sum.txt ]; then
        fail_exit "MD5 checksum file is missing from ISO."
    fi

    echo -n "Checking MD5 checksums of files on the ISO image..."
    resfile=`mktemp /tmp/install-image-md5check-XXXXXXXX`
    (cd $CD_ROOT ; md5sum -c md5sum.txt > $resfile)
    failures=`grep -v 'OK$' $resfile | wc -l`
    rm -f $resfile
    if [ $failures == 0 ]; then
        echo "OK."
    else
        echo "Failed!"
        echo "$failures checksum failures found!"
        echo "ISO image is corrupted and can not be used."
        exit 1
    fi

    # mount squash image
    margs="-o loop,ro $squash_file $CD_SQUASH_ROOT"
    if ! try_mount "$margs"; then
    fail_exit 'Failed to mount the squashfs image.'
    fi
}

# install new image into a newly-formatted partition.
# will exit with error if installation fails.
install_new ()
{
    local root_part=$1
    local inst_drv=$2

    if [ ! -e "/dev/$root_part" ] || [ ! -e "/dev/$inst_drv" ]; then
        fail_exit "Invalid drive/partition ($inst_drv and $root_part)."
    fi

    # install new image
    if ! /opt/vyatta/sbin/install-image-new "$root_part"; then
        exit 1
    fi

    # postinst operations
    if ! /opt/vyatta/sbin/install-postinst-new "$inst_drv" "$root_part" union; then
        exit 1
    fi
}

# install new image into the current boot partition.
# will exit with error if installation fails.
install_existing ()
{
    local ctype=$1
    if ! /opt/vyatta/sbin/install-image-existing "$ctype"; then
        exit 1
    fi
}

if [ -z "$USERNAME" ] && [ -n "$PASSWORD" ]; then
    fail_exit "Password can not be specified without username"
fi
if [ -n "$USERNAME" ] && [ -z "$PASSWORD" ]; then
    fail_exit "Username can not be specified without password"
fi
if [ $(id -u) != 0 ]; then
    fail_exit "Image installation requires root privileges!"
fi

trap sig_handler INT KILL
trap exit_handler EXIT

if is_live_cd_boot; then
    cat <<EOF
Welcome to the VyOS install program.  This script
will walk you through the process of installing the
VyOS image to a local hard drive.
EOF

    response=''
    while [ -z "$response" ]
    do
        echo -n "Would you like to continue? (Yes/No) [Yes]: "
        response=$(get_response "Yes" "Yes No Y N")
        if [ "$response" == "no" ] || [ "$response" == "n" ]; then
            fail_exit 'Ok then.'
        fi
    done
fi

if is_live_cd_boot; then
    if [ -n "$NEW_ISO" ]; then
        echo 'You are trying to install from a live CD boot. The live CD image'
        fail_exit 'will be used. Do not specify an ISO image file or URL.'
    fi
elif [ -z "$NEW_ISO" ]; then
    echo 'You are trying to install from an already installed system. An ISO'
    fail_exit 'image file to install or URL must be specified.'
else
    # installing on an installed system. set up the new image.
    set_up_new_iso
fi

# get install partition
PART_FILE=$(mktemp /tmp/inst-get-part.XXXXXX) \
  || fail_exit 'Failed to create temporary file'
if ! /opt/vyatta/sbin/install-get-partition $PART_FILE; then
    exit 1
fi

# get the partition params
root_part_type=''
root_part=''
inst_drv=''
eval "read root_part_type root_part inst_drv <$PART_FILE" >&/dev/null
rm -f $PART_FILE >&/dev/null

# handle different types
case "$root_part_type" in
    new)
        install_new "$root_part" "$inst_drv"
        exit 0
        ;;
    union|old)
        install_existing "$root_part_type"
        exit 0
        ;;
    *)
        fail_exit "Unknown partition type \"$root_part_type\"."
        ;;
esac