Diffstat (limited to 'data/live-build-config/hooks/live')
-rwxr-xr-xdata/live-build-config/hooks/live/01-live-serial.binary8
-rw-r--r--data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot7
-rwxr-xr-xdata/live-build-config/hooks/live/18-enable-disable_services.chroot8
-rwxr-xr-xdata/live-build-config/hooks/live/19-kernel_symlinks.chroot5
-rwxr-xr-xdata/live-build-config/hooks/live/40-init-cracklib-db.chroot13
-rwxr-xr-xdata/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot12
-rwxr-xr-xdata/live-build-config/hooks/live/92-strip-symbols.chroot1
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot31
-rwxr-xr-xdata/live-build-config/hooks/live/93-sign-kernel.chroot18
9 files changed, 66 insertions, 37 deletions
diff --git a/data/live-build-config/hooks/live/01-live-serial.binary b/data/live-build-config/hooks/live/01-live-serial.binary
index e138b20d..05785da7 100755
--- a/data/live-build-config/hooks/live/01-live-serial.binary
+++ b/data/live-build-config/hooks/live/01-live-serial.binary
@@ -10,22 +10,22 @@ SERIAL_CONSOLE="console=tty0 console=ttyS0,115200"
GRUB_MENUENTRY=$(sed -e '/menuentry.*hotkey.*/,/^}/!d' -e 's/--hotkey=l//g' $GRUB_PATH)
# Update KVM menuentry name
-sed -i 's/"Live system \((.*-vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
+sed -i 's/"Live system \((.*vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
# Insert serial menuentry
echo "$GRUB_MENUENTRY" | sed \
- -e 's/"Live system \((.*-vyos)\)"/"Live system \1 - Serial console"/' \
+ -e 's/"Live system \((.*vyos)\)"/"Live system \1 - Serial console"/' \
-e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $GRUB_PATH
# Live.cfg Update
ISOLINUX_MENUENTRY=$(sed -e '/label live-\(.*\)-vyos$/,/^\tappend.*/!d' $ISOLINUX_PATH)
# Update KVM menuentry name
-sed -i 's/Live system \((.*-vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
+sed -i 's/Live system \((.*vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
# Insert serial menuentry
echo "\n$ISOLINUX_MENUENTRY" | sed \
-e 's/live-\(.*\)-vyos/live-\1-vyos-serial/' \
-e '/^\tmenu default/d' \
- -e 's/Live system \((.*-vyos)\)/Live system \1 - Serial console/' \
+ -e 's/Live system \((.*vyos)\)/Live system \1 - Serial console/' \
-e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $ISOLINUX_PATH
diff --git a/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
new file mode 100644
index 00000000..20d8a670
--- /dev/null
+++ b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Delete Dropbear SSH keys that might be generated
+# by postinst scripts
+# to prevent non-unique keys from appearing in images
+
+rm -f /etc/dropbear/dropbear_*_host_key
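Review bot: The new hook is added as mode 100644 (`new file mode 100644` above, `-rw-r--r--` in the diffstat) while every other hook in this directory is 100755; if live-build executes hooks directly rather than through an interpreter, this one is skipped silently and the generated Dropbear host keys ship in the image after all — worth confirming and setting the executable bit like its siblings. The header comment could also state what recreates the keys at first boot, since the hook depends on that happening, e.g. `# dropbear regenerates missing host keys when the service starts` if that is indeed the mechanism in this image.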
diff --git a/data/live-build-config/hooks/live/18-enable-disable_services.chroot b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
index 26c7f094..1a464404 100755
--- a/data/live-build-config/hooks/live/18-enable-disable_services.chroot
+++ b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
@@ -1,6 +1,8 @@
#!/bin/sh
echo I: Disabling services
+systemctl disable syslog.service
+systemctl disable rsyslog.service
systemctl disable arpwatch.service
systemctl disable smartd.service
systemctl disable kea-ctrl-agent.service
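Review bot: `systemctl disable syslog.service` on the first added line is most likely redundant with the `rsyslog.service` line that follows: on Debian `syslog.service` is an `Alias=` of rsyslog's unit, so systemctl resolves the alias and disabling rsyslog.service already removes the alias symlink. Confirm in the chroot and drop the first line, or keep it with a comment such as `# syslog.service is an alias of rsyslog.service; kept for images where it is a standalone unit`. Note that this hook has no `set -e`, so a `systemctl disable` of an unknown unit is ignored and neither line's effect is verified at build time.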
@@ -40,7 +42,6 @@ systemctl disable snmpd.service
systemctl disable conserver-server.service
systemctl disable dropbear.service
systemctl disable fancontrol.service
-systemctl disable fastnetmon.service
systemctl disable ddclient.service
systemctl disable ocserv.service
systemctl disable tuned.service
@@ -68,6 +69,11 @@ systemctl disable dpkg-db-backup.timer
systemctl disable dpkg-db-backup.service
systemctl disable zabbix-agent2.service
systemctl disable suricata.service
+systemctl disable vyconfd.service
+systemctl disable vpp.service
+systemctl disable vyos-commitd.service
+systemctl disable netplug.service
+
echo I: Enabling services
systemctl enable vyos-hostsd.service
diff --git a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
index e63ca263..a7e95e0e 100755
--- a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
+++ b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
@@ -1,6 +1,9 @@
#!/bin/sh
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
cd /boot
ln -s initrd.img-* initrd.img
ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build
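Review bot: `rm -rf /lib/modules/*/build` on the last line removes more than the echo before it describes: `-r` is not needed to unlink a symlink, and if `build` is ever a real directory in some kernel package the recursive flag deletes it silently instead of surfacing the unexpected state. `rm -f /lib/modules/*/build` removes the link and, in the directory case, fails loudly because rm refuses a directory without `-r`; since this hook has no `set -e` the failure would only be printed, so append `|| exit 1` if the build should stop there. The glob stays unquoted on purpose so that it expands once per installed kernel, as the `ln -s` lines above already rely on.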
diff --git a/data/live-build-config/hooks/live/40-init-cracklib-db.chroot b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
new file mode 100755
index 00000000..4d94b08e
--- /dev/null
+++ b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+ echo "I: Creating the cracklib database ${CRACKLIB_DIR}/${CRACKLIB_DB}"
+ mkdir -p $CRACKLIB_DIR
+
+ /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+ /usr/share/dict/cracklib-small
+fi
+
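Review bot: The `create-cracklib-dict` call is never checked: the hook has no `set -e` and ends with `fi`, so when the tool or `/usr/share/dict/cracklib-small` is missing the hook still exits 0 and the image is built without `${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd`. Whatever consults that dictionary at runtime (presumably the PAM password-quality check) would then fail or degrade at first use instead of at build time. Add `set -e` after the shebang, or append `|| exit 1` to the `create-cracklib-dict` line, and quote the expansions (`mkdir -p "${CRACKLIB_DIR}"`) to match the `[ -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]` test above.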
diff --git a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot b/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
deleted file mode 100755
index 478b88fb..00000000
--- a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-if ! command -v gpg &> /dev/null; then
- echo "gpg binary could not be found"
- exit 1
-fi
-
-GPG_KEY="/usr/share/vyos/keys/vyos-release.pub.asc"
-
-echo I: Import GPG key
-gpg --import ${GPG_KEY}
-exit $?
diff --git a/data/live-build-config/hooks/live/92-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..f44cb01d 100755
--- a/data/live-build-config/hooks/live/92-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
@@ -15,7 +15,6 @@ STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-sec
STRIPDIR_REGULAR="
"
STRIPDIR_DEBUG="
-/usr/lib/modules
"
STRIPDIR_UNNEEDED="
/etc/hsflowd/modules
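Review bot: Dropping `/usr/lib/modules` from STRIPDIR_DEBUG deserves a comment, because a reader of 92-strip-symbols.chroot alone cannot tell why kernel modules are now exempt: `strip` rewrites the ELF file and discards the signature that sign-file appends to a module, which the new 93-sb-sign-kernel.chroot would then report as unsigned. Suggest adding above `STRIPDIR_DEBUG=`: `# Kernel modules are deliberately not stripped: strip drops the appended module signature (checked by 93-sb-sign-kernel.chroot)`. The STRIPDIR_UNNEEDED assignment at the end of the hunk continues outside it.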
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..8494a5c8
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,31 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+ modinfo ${MODULE} | grep -q "signer:"
+ if [ $? != 0 ]; then
+ echo "E: Module ${MODULE} is not signed!"
+ read -n 1 -s -r -p "Press any key to continue"
+ fi
+done
+
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
+fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
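Review bot: The module check on the `find /lib/modules` loop cannot fail the build: an unsigned module only prints a message, `read -n 1 -s -r -p` runs under `#!/bin/sh` (dash's read accepts only `-p` and `-r`) and would read from the find pipe rather than a terminal, and the loop exits 0 regardless, so the image is produced with the unsigned module; the `-name \*.ko` filter also misses the `.ko.xz` modules the removed 93-sign-kernel.chroot still looked for. The `[ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]` test takes the signing branch whenever either file is present, so a chroot with the certificate but no key runs `sbsign`, which fails, its status is never checked, and an unsigned kernel ships under an "I: Signing Linux Kernel for Secure Boot" message — `||` in the test plus `|| exit 1` on the sbsign/sbverify lines fixes both. The leak scan at the end matches only `BEGIN PRIVATE KEY`, so PEM files labelled `BEGIN RSA PRIVATE KEY`, `BEGIN EC PRIVATE KEY` or `BEGIN ENCRYPTED PRIVATE KEY` pass it; `for cert in /var/lib/shim-signed/mok/*` with `grep -q "PRIVATE KEY" "${cert}"` covers them without parsing `ls` or the needless `-r`. Rewritten module loop and signing block below; `SIGN_FILE` is assigned on the second line but never used.

```sh
# All Linux Kernel modules need to be cryptographically signed
find /lib/modules -type f \( -name '*.ko' -o -name '*.ko.xz' \) | while read -r MODULE; do
  if ! modinfo "${MODULE}" | grep -q "signer:"; then
    echo "E: Module ${MODULE} is not signed!"
    exit 1   # leaves the pipeline's subshell with status 1; propagated by the || below
  fi
done || exit 1

if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then
  echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
else
  echo "I: Signing Linux Kernel for Secure Boot"
  sbsign --key "${KERNEL_KEY}" --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" --output "/boot/${VMLINUZ}" || exit 1
  sbverify --list "/boot/${VMLINUZ}" || exit 1
  rm -f "${KERNEL_KEY}"
fi

# … unchanged: scan of /var/lib/shim-signed/mok/ for leaked private keys …
```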
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
deleted file mode 100755
index 031db10d..00000000
--- a/data/live-build-config/hooks/live/93-sign-kernel.chroot
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
-MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
-kernel_elf=$(readlink /boot/vmlinuz)
-
-if [ ! -f ${MOK_KEY} ]; then
- echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
-else
- echo "I: Signing Linux Kernel for Secure Boot"
-
- sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
- sbverify --list /boot/${kernel_elf}
-
- find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
- $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
- done
-fi