Diffstat (limited to 'data/live-build-config')
-rw-r--r--data/live-build-config/archives/buster.list.chroot3
-rw-r--r--data/live-build-config/archives/buster.pref.chroot11
-rw-r--r--data/live-build-config/archives/zabbix-official-repo.key.chrootbin0 -> 1183 bytes
-rwxr-xr-xdata/live-build-config/hooks/live/01-live-serial.binary8
-rw-r--r--data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot7
-rwxr-xr-xdata/live-build-config/hooks/live/18-enable-disable_services.chroot8
-rwxr-xr-xdata/live-build-config/hooks/live/19-kernel_symlinks.chroot5
-rwxr-xr-xdata/live-build-config/hooks/live/40-init-cracklib-db.chroot13
-rwxr-xr-xdata/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot12
-rwxr-xr-xdata/live-build-config/hooks/live/92-strip-symbols.chroot1
-rwxr-xr-xdata/live-build-config/hooks/live/93-sb-sign-kernel.chroot31
-rwxr-xr-xdata/live-build-config/hooks/live/93-sign-kernel.chroot18
-rw-r--r--data/live-build-config/includes.binary/isolinux/splash.pngbin39611 -> 23666 bytes
-rw-r--r--data/live-build-config/includes.chroot/etc/systemd/system.conf1
-rw-r--r--data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry20
-rw-r--r--data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc52
-rw-r--r--data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md22
-rw-r--r--data/live-build-config/package-lists/vyos-base.list.chroot2
-rw-r--r--data/live-build-config/rootfs/excludes3
19 files changed, 89 insertions, 128 deletions
diff --git a/data/live-build-config/archives/buster.list.chroot b/data/live-build-config/archives/buster.list.chroot
deleted file mode 100644
index 06eb2dab..00000000
--- a/data/live-build-config/archives/buster.list.chroot
+++ /dev/null
@@ -1,3 +0,0 @@
-deb http://deb.debian.org/debian/ buster main non-free
-deb http://deb.debian.org/debian/ buster-updates main non-free
-deb http://security.debian.org/debian-security buster/updates main non-free
diff --git a/data/live-build-config/archives/buster.pref.chroot b/data/live-build-config/archives/buster.pref.chroot
deleted file mode 100644
index 8caa1e6d..00000000
--- a/data/live-build-config/archives/buster.pref.chroot
+++ /dev/null
@@ -1,11 +0,0 @@
-Package: bash
-Pin: release n=buster
-Pin-Priority: 600
-
-Package: bash-completion
-Pin: release n=buster
-Pin-Priority: 600
-
-Package: *
-Pin: release n=buster
-Pin-Priority: -10
diff --git a/data/live-build-config/archives/zabbix-official-repo.key.chroot b/data/live-build-config/archives/zabbix-official-repo.key.chroot
new file mode 100644
index 00000000..660c453a
--- /dev/null
+++ b/data/live-build-config/archives/zabbix-official-repo.key.chroot
Binary files differ
diff --git a/data/live-build-config/hooks/live/01-live-serial.binary b/data/live-build-config/hooks/live/01-live-serial.binary
index e138b20d..05785da7 100755
--- a/data/live-build-config/hooks/live/01-live-serial.binary
+++ b/data/live-build-config/hooks/live/01-live-serial.binary
@@ -10,22 +10,22 @@ SERIAL_CONSOLE="console=tty0 console=ttyS0,115200"
GRUB_MENUENTRY=$(sed -e '/menuentry.*hotkey.*/,/^}/!d' -e 's/--hotkey=l//g' $GRUB_PATH)
# Update KVM menuentry name
-sed -i 's/"Live system \((.*-vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
+sed -i 's/"Live system \((.*vyos)\)"/"Live system \1 - KVM console"/' $GRUB_PATH
# Insert serial menuentry
echo "$GRUB_MENUENTRY" | sed \
- -e 's/"Live system \((.*-vyos)\)"/"Live system \1 - Serial console"/' \
+ -e 's/"Live system \((.*vyos)\)"/"Live system \1 - Serial console"/' \
-e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $GRUB_PATH
# Live.cfg Update
ISOLINUX_MENUENTRY=$(sed -e '/label live-\(.*\)-vyos$/,/^\tappend.*/!d' $ISOLINUX_PATH)
# Update KVM menuentry name
-sed -i 's/Live system \((.*-vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
+sed -i 's/Live system \((.*vyos)\)/Live system \1 - KVM console/' $ISOLINUX_PATH
# Insert serial menuentry
echo "\n$ISOLINUX_MENUENTRY" | sed \
-e 's/live-\(.*\)-vyos/live-\1-vyos-serial/' \
-e '/^\tmenu default/d' \
- -e 's/Live system \((.*-vyos)\)/Live system \1 - Serial console/' \
+ -e 's/Live system \((.*vyos)\)/Live system \1 - Serial console/' \
-e "s/$KVM_CONSOLE/$SERIAL_CONSOLE/g" >> $ISOLINUX_PATH
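Review bot: The menu-title patterns are relaxed to `(.*vyos)`, but the isolinux label patterns in this hunk, `label live-\(.*\)-vyos$` and `s/live-\(.*\)-vyos/live-\1-vyos-serial/`, still require a literal `-vyos` suffix. If the title was relaxed because the flavour string no longer ends in `-vyos`, and the labels follow the same naming (not visible here), `ISOLINUX_MENUENTRY` would be empty and no serial entry would be appended to `$ISOLINUX_PATH`. Please confirm against a generated `live.cfg`, and add a comment above the first `sed` naming the title formats the pattern has to accept. The script starts before this hunk, so the definitions of `GRUB_PATH` and `ISOLINUX_PATH` are not visible.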
diff --git a/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
new file mode 100644
index 00000000..20d8a670
--- /dev/null
+++ b/data/live-build-config/hooks/live/100-remove-dropbear-keys.chroot
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+# Delete Dropbear SSH keys that might be generated
+# by postinst scripts
+# to prevent non-unique keys from appearing in images
+
+rm -f /etc/dropbear/dropbear_*_host_key
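Review bot: The `100-` prefix does not make this hook run last. If live-build runs hooks in lexical filename order (the usual glob behaviour, not shown on this page), `100-remove-dropbear-keys.chroot` sorts before `18-enable-disable_services.chroot` and every other two-digit hook. That is fine as long as nothing later in the build generates Dropbear host keys, but the ordering should be deliberate, because a key left behind would be identical on every system installed from the image. A comment such as `# NOTE: sorts before 18-*; must run after all package postinst scripts` would record the assumption. The file is also added as mode 100644 while the other hooks in this directory are 100755.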
diff --git a/data/live-build-config/hooks/live/18-enable-disable_services.chroot b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
index 26c7f094..1a464404 100755
--- a/data/live-build-config/hooks/live/18-enable-disable_services.chroot
+++ b/data/live-build-config/hooks/live/18-enable-disable_services.chroot
@@ -1,6 +1,8 @@
#!/bin/sh
echo I: Disabling services
+systemctl disable syslog.service
+systemctl disable rsyslog.service
systemctl disable arpwatch.service
systemctl disable smartd.service
systemctl disable kea-ctrl-agent.service
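Review bot: The two added lines disable `syslog.service` and `rsyslog.service` in the image without saying what starts logging afterwards. If nothing else enables rsyslog at boot (presumably the configuration system does, but that is not visible here), a fresh image has no syslog daemon until then, which matters for audit trails. A comment above the lines, for example `# rsyslog is started by <component> once the config is loaded`, would document the dependency. The same applies to the `vyconfd`, `vpp`, `vyos-commitd` and `netplug` lines added in the last hunk of this file.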
@@ -40,7 +42,6 @@ systemctl disable snmpd.service
systemctl disable conserver-server.service
systemctl disable dropbear.service
systemctl disable fancontrol.service
-systemctl disable fastnetmon.service
systemctl disable ddclient.service
systemctl disable ocserv.service
systemctl disable tuned.service
@@ -68,6 +69,11 @@ systemctl disable dpkg-db-backup.timer
systemctl disable dpkg-db-backup.service
systemctl disable zabbix-agent2.service
systemctl disable suricata.service
+systemctl disable vyconfd.service
+systemctl disable vpp.service
+systemctl disable vyos-commitd.service
+systemctl disable netplug.service
+
echo I: Enabling services
systemctl enable vyos-hostsd.service
diff --git a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
index e63ca263..a7e95e0e 100755
--- a/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
+++ b/data/live-build-config/hooks/live/19-kernel_symlinks.chroot
@@ -1,6 +1,9 @@
#!/bin/sh
-echo I: Creating kernel symlinks.
+echo I: Creating Linux Kernel symbolic links
cd /boot
ln -s initrd.img-* initrd.img
ln -s vmlinuz-* vmlinuz
+
+echo I: Remove Linux Kernel symbolic link to source folder
+rm -rf /lib/modules/*/build
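Review bot: `rm -rf /lib/modules/*/build` is announced as removing a symbolic link, but `-r` would also delete a real directory tree if `build` were ever shipped as one. `rm -f /lib/modules/*/build` matches the stated intent and returns an error in that other case instead of silently recursing. Kernel module directories often carry a sibling `source` link to the same tree; whether one exists in this image is not visible here, so it is worth checking.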
diff --git a/data/live-build-config/hooks/live/40-init-cracklib-db.chroot b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
new file mode 100755
index 00000000..4d94b08e
--- /dev/null
+++ b/data/live-build-config/hooks/live/40-init-cracklib-db.chroot
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+CRACKLIB_DIR=/var/cache/cracklib
+CRACKLIB_DB=cracklib_dict
+
+if [ ! -f "${CRACKLIB_DIR}/${CRACKLIB_DB}.pwd" ]; then
+ echo "I: Creating the cracklib database ${CRACKLIB_DIR}/${CRACKLIB_DB}"
+ mkdir -p $CRACKLIB_DIR
+
+ /usr/sbin/create-cracklib-dict -o $CRACKLIB_DIR/$CRACKLIB_DB \
+ /usr/share/dict/cracklib-small
+fi
+
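Review bot: The existence test looks only at `${CRACKLIB_DB}.pwd`, so a partially written database (a cracklib dictionary is normally several files, `.pwd`, `.pwi` and `.hwm`) passes the check and the password-strength lookup may fail later at runtime. Consider testing for each file the checker needs, and quote the expansions for consistency with the `[ ! -f "..." ]` line: `mkdir -p "$CRACKLIB_DIR"`. A header comment such as `# T7278: database must survive rootfs/excludes (var/cache/cracklib is kept there)` would tie this hook to the excludes change in the same commit.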
diff --git a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot b/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
deleted file mode 100755
index 478b88fb..00000000
--- a/data/live-build-config/hooks/live/82-import-vyos-gpg-signing-key.chroot
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/bin/sh
-
-if ! command -v gpg &> /dev/null; then
- echo "gpg binary could not be found"
- exit 1
-fi
-
-GPG_KEY="/usr/share/vyos/keys/vyos-release.pub.asc"
-
-echo I: Import GPG key
-gpg --import ${GPG_KEY}
-exit $?
diff --git a/data/live-build-config/hooks/live/92-strip-symbols.chroot b/data/live-build-config/hooks/live/92-strip-symbols.chroot
index 704f9cb3..f44cb01d 100755
--- a/data/live-build-config/hooks/live/92-strip-symbols.chroot
+++ b/data/live-build-config/hooks/live/92-strip-symbols.chroot
@@ -15,7 +15,6 @@ STRIPCMD_UNNEEDED="strip --strip-unneeded --remove-section=.comment --remove-sec
STRIPDIR_REGULAR="
"
STRIPDIR_DEBUG="
-/usr/lib/modules
"
STRIPDIR_UNNEEDED="
/etc/hsflowd/modules
diff --git a/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
new file mode 100755
index 00000000..8494a5c8
--- /dev/null
+++ b/data/live-build-config/hooks/live/93-sb-sign-kernel.chroot
@@ -0,0 +1,31 @@
+#!/bin/sh
+SIGN_FILE=$(find /usr/lib -name sign-file)
+KERNEL_KEY="/var/lib/shim-signed/mok/vyos-dev-2025-linux.key"
+KERNEL_CERT="/var/lib/shim-signed/mok/vyos-dev-2025-linux.pem"
+VMLINUZ=$(readlink /boot/vmlinuz)
+
+# All Linux Kernel modules need to be cryptographically signed
+find /lib/modules -type f -name \*.ko | while read MODULE; do
+ modinfo ${MODULE} | grep -q "signer:"
+ if [ $? != 0 ]; then
+ echo "E: Module ${MODULE} is not signed!"
+ read -n 1 -s -r -p "Press any key to continue"
+ fi
+done
+
+if [ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]; then
+ echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
+else
+ echo "I: Signing Linux Kernel for Secure Boot"
+ sbsign --key ${KERNEL_KEY} --cert ${KERNEL_CERT} /boot/${VMLINUZ} --output /boot/${VMLINUZ}
+ sbverify --list /boot/${VMLINUZ}
+ rm -f ${KERNEL_KEY}
+fi
+
+for cert in $(ls /var/lib/shim-signed/mok/); do
+ if grep -rq "BEGIN PRIVATE KEY" /var/lib/shim-signed/mok/${cert}; then
+ echo "Found private key - bailing out"
+ exit 1
+ fi
+done
+
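Review bot: The unsigned-module check in the `while read MODULE` loop cannot stop a build. The script runs under `#!/bin/sh`, where `read -n 1 -s -r -p` is a bashism, and inside the pipeline that `read` takes its input from the `find` output rather than a terminal, so an unsigned module is at most reported and the hook carries on. The key test `[ ! -f ${KERNEL_KEY} ] && [ ! -f ${KERNEL_CERT} ]` skips signing only when both files are missing, so `sbsign` still runs when one of them is absent, and neither its exit status nor that of `sbverify --list` (which lists signatures rather than checking them against the certificate) is tested before `rm -f ${KERNEL_KEY}`. The final scan greps only for `BEGIN PRIVATE KEY`, which misses PEM headers such as `BEGIN RSA PRIVATE KEY` or `BEGIN ENCRYPTED PRIVATE KEY`, and `SIGN_FILE` is assigned but never used. The fence shows one way to make each of these fail the hook; it assumes the build should abort on an unsigned module, which the prompt suggests but the page does not state.

```shell
# … unchanged: SIGN_FILE, KERNEL_KEY, KERNEL_CERT, VMLINUZ assignments …

# All Linux Kernel modules need to be cryptographically signed
UNSIGNED=$(find /lib/modules -type f -name '*.ko' | while read -r MODULE; do
    modinfo "${MODULE}" | grep -q "signer:" || echo "${MODULE}"
done)
if [ -n "${UNSIGNED}" ]; then
    echo "E: Unsigned kernel modules found:"
    echo "${UNSIGNED}"
    exit 1
fi

if [ ! -f "${KERNEL_KEY}" ] || [ ! -f "${KERNEL_CERT}" ]; then
    # … unchanged: "Signing key for Linux Kernel not found" message …
else
    # … unchanged: "Signing Linux Kernel for Secure Boot" message …
    sbsign --key "${KERNEL_KEY}" --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" --output "/boot/${VMLINUZ}" || exit 1
    # Verify against the certificate instead of only listing signatures
    sbverify --cert "${KERNEL_CERT}" "/boot/${VMLINUZ}" || exit 1
    rm -f "${KERNEL_KEY}"
fi

# Match every PEM private-key header, not only unencrypted PKCS#8
if grep -rqE "BEGIN ([A-Z0-9]+ )*PRIVATE KEY" /var/lib/shim-signed/mok/; then
    echo "Found private key - bailing out"
    exit 1
fi
```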
diff --git a/data/live-build-config/hooks/live/93-sign-kernel.chroot b/data/live-build-config/hooks/live/93-sign-kernel.chroot
deleted file mode 100755
index 031db10d..00000000
--- a/data/live-build-config/hooks/live/93-sign-kernel.chroot
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-SIGN_FILE=$(find /usr/lib -name sign-file)
-MOK_KEY="/var/lib/shim-signed/mok/kernel.key"
-MOK_CERT="/var/lib/shim-signed/mok/kernel.pem"
-kernel_elf=$(readlink /boot/vmlinuz)
-
-if [ ! -f ${MOK_KEY} ]; then
- echo "I: Signing key for Linux Kernel not found - Secure Boot not possible"
-else
- echo "I: Signing Linux Kernel for Secure Boot"
-
- sbsign --key $MOK_KEY --cert $MOK_CERT /boot/${kernel_elf} --output /boot/${kernel_elf}
- sbverify --list /boot/${kernel_elf}
-
- find /lib/modules -type f -name \*.ko -o -name \*.ko.xz | while read module; do
- $SIGN_FILE sha512 $MOK_KEY $MOK_CERT $module
- done
-fi
diff --git a/data/live-build-config/includes.binary/isolinux/splash.png b/data/live-build-config/includes.binary/isolinux/splash.png
index 4137d52b..f6b43d56 100644
--- a/data/live-build-config/includes.binary/isolinux/splash.png
+++ b/data/live-build-config/includes.binary/isolinux/splash.png
Binary files differ
diff --git a/data/live-build-config/includes.chroot/etc/systemd/system.conf b/data/live-build-config/includes.chroot/etc/systemd/system.conf
index 91af4090..0c30472a 100644
--- a/data/live-build-config/includes.chroot/etc/systemd/system.conf
+++ b/data/live-build-config/includes.chroot/etc/systemd/system.conf
@@ -53,3 +53,4 @@ ShowStatus=yes
#DefaultLimitNICE=
#DefaultLimitRTPRIO=
#DefaultLimitRTTIME=
+StatusUnitFormat=description
diff --git a/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry b/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry
new file mode 100644
index 00000000..49f4afc4
--- /dev/null
+++ b/data/live-build-config/includes.chroot/opt/vyatta/etc/grub/default-union-grub-entry
@@ -0,0 +1,20 @@
+menuentry "VyOS (KVM console)" {
+ linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0
+ initrd /boot//initrd.img
+}
+
+menuentry "VyOS (Serial console)" {
+ linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200
+ initrd /boot//initrd.img
+}
+
+menuentry "Lost password change (KVM console)" {
+ linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=ttyS0,115200 console=tty0 init=/opt/vyatta/sbin/standalone_root_pw_reset
+ initrd /boot//initrd.img
+}
+
+menuentry "Lost password change (Serial console)" {
+ linux /boot//vmlinuz boot=live quiet rootdelay=5 noautologin net.ifnames=0 biosdevname=0 udev.exec_delay=3 vyos-union=/boot/ console=tty0 console=ttyS0,115200 init=/opt/vyatta/sbin/standalone_root_pw_reset
+ initrd /boot//initrd.img
+}
+
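Review bot: The two `Lost password change` entries boot with `init=/opt/vyatta/sbin/standalone_root_pw_reset` and carry no `--users` restriction, so whether anyone at the console can select them depends on GRUB access control configured elsewhere, which this file does not show. A header comment should state that dependency. It should also explain the empty path component in `/boot//vmlinuz`, `/boot//initrd.img` and `vyos-union=/boot/` (presumably a slot filled with the image name at install time), and note that the KVM and serial variants differ only in the order of the two `console=` arguments.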
diff --git a/data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc b/data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc
deleted file mode 100644
index bf9a7aca..00000000
--- a/data/live-build-config/includes.chroot/usr/share/vyos/keys/vyos-release.pub.asc
+++ /dev/null
@@ -1,52 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.22 (GNU/Linux)
-
-mQINBFXKsiIBEACyid9PR/v56pSRG8VgQyRwvzoI7rLErZ8BCQA2WFxA6+zNy+6G
-+0E/6XAOzE+VHli+wtJpiVJwAh+wWuqzOmv9css2fdJxpMW87pJAS2i3EVVVf6ab
-wU848JYLGzc9y7gZrnT1m2fNh4MXkZBNDp780WpOZx8roZq5X+j+Y5hk5KcLiBn/
-lh9Zoh8yzrWDSXQsz0BGoAbVnLUEWyo0tcRcHuC0eLx6oNG/IHvd/+kxWB1uULHU
-SlB/6vcx56lLqgzywkmhP01050ZDyTqrFRIfrvw6gLQaWlgR3lB93txvF/sz87Il
-VblV7e6HEyVUQxedDS8ikOyzdb5r9a6Zt/j8ZPSntFNM6OcKAI7U1nDD3FVOhlVn
-7lhUiNc+/qjC+pR9CrZjr/BTWE7Zpi6/kzeH4eAkfjyALj18oC5udJDjXE5daTL3
-k9difHf74VkZm29Cy9M3zPckOZpsGiBl8YQsf+RXSBMDVYRKZ1BNNLDofm4ZGijK
-mriXcaY+VIeVB26J8m8y0zN4/ZdioJXRcy72c1KusRt8e/TsqtC9UFK05YpzRm5R
-/nwxDFYb7EdY/vHUFOmfwXLaRvyZtRJ9LwvRUAqgRbbRZg3ET/tn6JZk8hqx3e1M
-IxuskOB19t5vWyAo/TLGIFw44SErrq9jnpqgclTSRgFjcjHEm061r4vjoQARAQAB
-tDZWeU9TIE1haW50YWluZXJzIChWeU9TIFJlbGVhc2UpIDxtYWludGFpbmVyc0B2
-eW9zLm5ldD6JAjgEEwECACIFAlXKsiICGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4B
-AheAAAoJEP0iAoWg/m1+xbgP+QEDYZi5dA4IPY+vU1L95Bavju2m2o35TSUDPg5B
-jfAGuhbsNUceU+l/yUlxjpKEmvshyW3GHR5QzUaKGup/ZDBo1CBxZNhpSlFida2E
-KAYTx4vHk3MRXcntiAj/hIJwRtzCUp5UQIqHoU8dmHoHOkKEP+zhJuR6E2s+WwDr
-nTwE6eRa0g/AHY+chj2Je6flpPm2CKoTfUE7a2yBBU3wPq3rGtsQgVxPAxHRZz7A
-w4AjH3NM1Uo3etuiDnGkJAuoKKb1J4X3w2QlbwlR4cODLKhJXHIufwaGtRwEin9S
-1l2bL8V3gy2Hv3D2t9TQZuR5NUHsibJRXLSa8WnSCcc6Bij5aqfdpYB+YvKH/rIm
-GvYPmLZDfKGkx0JE4/qtfFjiPJ5VE7BxNyliEw/rnQsxWAGPqLlL61SD8w5jGkw3
-CinwO3sccTVcPz9b6A1RsbBVhTJJX5lcPn1lkOEVwQ7l8bRhOKCMe0P53qEDcLCd
-KcXNnAFbVes9u+kfUQ4oxS0G2JS9ISVNmune+uv+JR7KqSdOuRYlyXA9uTjgWz4y
-Cs7RS+CpkJFqrqOtS1rmuDW9Ea4PA8ygGlisM5d/AlVkniHz/2JYtgetiLCj9mfE
-MzQpgnldNSPumKqJ3wwmCNisE+lXQ5UXCaoaeqF/qX1ykybQn41LQ+0xT5Uvy7sL
-9IwGuQINBFXKsiIBEACg2mP3QYkXdgWTK5JyTGyttE6bDC9uqsK8dc1J66Tjd5Ly
-Be0amO+88GHXa0o5Smwk2QNoxsRR41G/D/eAeGsuOEYnePROEr3tcLnDjo4KLgQ+
-H69zRPn77sdP3A34Jgp+QIzByJWM7Cnim31quQP3qal2QdpGJcT/jDJWdticN76a
-Biaz+HN13LyvZM+DWhUDttbjAJc+TEwF9YzIrU+3AzkTRDWkRh4kNIQxjlpNzvho
-9V75riVqg2vtgPwttPEhOLb0oMzy4ADdfezrfVvvMb4M4kY9npu4MlSkNTM97F/I
-QKy90JuSUIjE05AO+PDXJF4Fd5dcpmukLV/2nV0WM2LAERpJUuAgkZN6pNUFVISR
-+nSfgR7wvqeDY9NigHrJqJbSEgaBUs6RTk5hait2wnNKLJajlu3aQ2/QfRT/kG3h
-ClKUz3Ju7NCURmFE6mfsdsVrlIsEjHr/dPbXRswXgC9FLlXpWgAEDYi9Wdxxz8o9
-JDWrVYdKRGG+OpLFh8AP6QL3YnZF+p1oxGUQ5ugXauAJ9YS55pbzaUFP8oOO2P1Q
-BeYnKRs1GcMI8KWtE/fze9C9gZ7Dqju7ZFEyllM4v3lzjhT8muMSAhw41J22mSx6
-VRkQVRIAvPDFES45IbB6EEGhDDg4pD2az8Q7i7Uc6/olEmpVONSOZEEPsQe/2wAR
-AQABiQIfBBgBAgAJBQJVyrIiAhsMAAoJEP0iAoWg/m1+niUQAKTxwJ9PTAfB+XDk
-3qH3n+T49O2wP3fhBI0EGhJp9Xbx29G7qfEeqcQm69/qSq2/0HQOc+w/g8yy71jA
-6rPuozCraoN7Im09rQ2NqIhPK/1w5ZvgNVC0NtcMigX9MiSARePKygAHOPHtrhyO
-rJQyu8E3cV3VRT4qhqIqXs8Ydc9vL3ZrJbhcHQuSLdZxM1k+DahCJgwWabDCUizm
-sVP3epAP19FP8sNtHi0P1LC0kq6/0qJot+4iBiRwXMervCD5ExdOm2ugvSgghdYN
-BikFHvmsCxbZAQjykQ6TMn+vkmcEz4fGAn4L7Nx4paKEtXaAFO8TJmFjOlGUthEm
-CtHDKjCTh9WV4pwG2WnXuACjnJcs6LcK377EjWU25H4y1ff+NDIUg/DWfSS85iIc
-UgkOlQO6HJy0O96L5uxn7VJpXNYFa20lpfTVZv7uu3BC3RW/FyOYsGtSiUKYq6cb
-CMxGTfFxGeynwIlPRlH68BqH6ctR/mVdo+5UIWsChSnNd1GreIEI6p2nBk3mc7jZ
-7pTEHpjarwOjs/S/lK+vLW53CSFimmW4lw3MwqiyAkxl0tHAT7QMHH9Rgw2HF/g6
-XD76fpFdMT856dsuf+j2uuJFlFe5B1fERBzeU18MxML0VpDmGFEaxxypfACeI/iu
-8vzPzaWHhkOkU8/J/Ci7+vNtUOZb
-=Ld8S
------END PGP PUBLIC KEY BLOCK-----
diff --git a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md b/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
deleted file mode 100644
index 5a6edbba..00000000
--- a/data/live-build-config/includes.chroot/var/lib/shim-signed/mok/README.md
+++ /dev/null
@@ -1,22 +0,0 @@
-# Secure Boot
-
-## CA
-
-Create Certificate Authority used for Kernel signing. CA is loaded into the
-Machine Owner Key store on the target system.
-
-```bash
-openssl req -new -x509 -newkey rsa:2048 -keyout MOK.key -outform DER -out MOK.der -days 36500 -subj "/CN=VyOS Secure Boot CA/" -nodes
-openssl x509 -inform der -in MOK.der -out MOK.pem
-```
-
-## Kernel Module Signing Key
-
-We do not make use of ephemeral keys for Kernel module signing. Instead a key
-is generated and signed by the VyOS Secure Boot CA which signs all the Kernel
-modules during ISO assembly if present.
-
-```bash
-openssl req -newkey rsa:2048 -keyout kernel.key -out kernel.csr -subj "/CN=VyOS Secure Boot Signer 2024 - linux/" -nodes
-openssl x509 -req -in kernel.csr -CA MOK.pem -CAkey MOK.key -CAcreateserial -out kernel.pem -days 730 -sha256
-```
diff --git a/data/live-build-config/package-lists/vyos-base.list.chroot b/data/live-build-config/package-lists/vyos-base.list.chroot
index 4ccc7f76..b20c2962 100644
--- a/data/live-build-config/package-lists/vyos-base.list.chroot
+++ b/data/live-build-config/package-lists/vyos-base.list.chroot
@@ -1,6 +1,4 @@
debconf
-gpgv
-gnupg
vyos-1x
vyos-user-utils
zstd
diff --git a/data/live-build-config/rootfs/excludes b/data/live-build-config/rootfs/excludes
index a5fe41e5..558e637b 100644
--- a/data/live-build-config/rootfs/excludes
+++ b/data/live-build-config/rootfs/excludes
@@ -44,7 +44,8 @@ usr/games/*
usr/local/games/*
# T5511: We do not need any caches on the system (will be recreated when needed).
-var/cache/*
+# T7278: We need directory created by python3-cracklib for password checks
+var/cache/!(cracklib)
# T5511: We do not need any log-files on the system (will be recreated when needed).
var/log/*.log
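Review bot: `var/cache/!(cracklib)` is an extended-glob pattern, so it only does what the T7278 comment says if the tool that reads this file matches with extglob semantics; that consumer is not visible here. If the line were matched literally, `var/cache/*` would no longer be excluded at all and every package cache would end up in the image. Confirm with a test build that `var/cache/cracklib` survives and the other caches are gone, and extend the comment, for example `# extglob: keep var/cache/cracklib, drop everything else under var/cache`.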