Alternative usb installation method, part 3 (jessie)

Stuff that has not yet gone into the official build.

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Thu Apr 23, 2015 2:31 pm

I thought maybe it would be possible to do this during refracta2usb by running update-initramfs in chroot on the mounted iso, but that doesn't work. For one thing, the squashfs needs to be mounted, and that doesn't work, because it mounts read-only. There's no place to write the rebuilt initrd. The squashfs would need to be unsquashed, and then you could chroot it.

This should work:
make live-usb with patched initrd for rw live media.
boot the live system, update-initramfs to add cryptsetup, edit the boot menu, reboot.

And in case anyone has forgotten what I'm trying to do, I want an encrypted persistent volume associated with a stock debian-live (or other iso) that I don't have installed anywhere to be able to run update-initramfs. If there's some really simple solution that I'm missing, hit me with a brick.

Edit: Forgot to mention this - meld is waaaay cool. Much easier than what I've been doing - write a for-loop on the command line to run diff on same files in two different directories. Wow. Nice find, dzz.
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm

Re: Alternative usb installation method, part 3 (jessie)

Post by dzz » Fri Apr 24, 2015 1:31 am

Code:
CRYPTSETUP=y /usr/sbin/update-initramfs.orig.initramfs-tools -u

should work in any debian-live type live-session. Works here without editing initramfs.conf. Copy it from /boot to a partition or a removable for later use, patched for RW mount if required.

"archivemount" is a useful tool to inspect an initrd. You will see /lib/cryptsetup/askpass if cryptsetup is enabled.
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Fri Apr 24, 2015 11:04 am

Yeah, I was just hoping there was a way to do it without having to boot into the live system first. The other piece I want to work out is to make a snapshot of an encrypted system (have to run nocrypt.sh which removes cryptroot and resume files) and then making a usb with encrypted persistence. I'll have to make another VM to test this. Sometime soon.
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Sun Jun 28, 2015 5:28 pm

Updated r2u 2.0 beta is here -
http://distro.ibiblio.org/refracta/file ... a02.tar.gz

Merged patch-live-initrd_402-1. As before, you can just unpack the tarball and run the script inside as root. You need to have refracta2usb installed already or else install the deps manually. It won't do anything with the existing r2u installation.

Tested with live-usb jessie-sysv, dzz's sample refracta64 (or whatever we're calling it) and refracta_7.8-amd64 (wheezy).

read-write media works
swap did not wo... oops. I just checked, and the only swap partitions I had were on the fourth hard drive that got pulled out a few months ago. I'll bet it works just fine.

Encrypted, persistent loopback file works.
Encrypted, persistent partition hasn't been written yet. I have to reorganize the whole mkpersist section.

I didn't get to try rebuilding the initrd on the fly for encryption. Have to find (or make) an iso that hasn't already had the initrd rebuilt for that.

If you run one of the Create functions first, and then run Patch-Initrd, you'll need to Rescan. $usb_mountpoint doesn't get unmounted at the end of the create tasks. At the moment, I can't recall why I did it that way (it was several months ago.) Maybe it's so the device didn't get unmounted and remounted unnecessarily if you follow up with making a persistent volume, when you'd need to access the boot files and menu.

I only tested the script running in wheezy, but everything except the patch-initrd part has been tested in jessie.
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm

Re: Alternative usb installation method, part 3 (jessie)

Post by dzz » Thu Jul 02, 2015 7:00 pm

Looks like a major overhaul!

I always tried to avoid running this as root but it has got too difficult.

Not much time to do dev stuff and testing just now, will try at the weekend.
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Thu Jul 02, 2015 10:39 pm

I rewrote the part for persistent partition and added encryption. Still need to test it a couple more times, but it does work. The live system must have cryptsetup installed, or the partition won't get opened and mounted. I'll upload a beta3 tarball tonight or (more likely) tomorrow. Preliminary directions for use are below. It might be less complicated than this, but I'll have to play with it some more.

I tried to do this as if I got the iso from somewhere else and didn't have the installation that created the iso. If you make your own iso, there should be fewer steps (or at least fewer reboots.)

Add iso to usb.
Patch the initrd for rw-media.
Boot usb with rw-media.
Create /live folder in root of usb. (update-initramfs expects it to be there.)
Run "CRYPTSETUP=y update-initramfs -u"
Copy initrd from /live to the folder where it will be used. (where the original came from)
Boot back into the installed system and patch the updated initrd. (maybe this can be done in the live session)
Make encrypted persistent partition, and set it to use the patched and updated initrd.
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Fri Jul 03, 2015 6:56 pm

beta3 -
http://distro.ibiblio.org/refracta/file ... a03.tar.gz

You can now create an encrypted persistent partition.

Also, I forgot to mention - if you want to use xz compression on the initrd, you can set it in the config file.

Here's an alternate set of instructions. I used an iso that I know contains cryptsetup - the jessie-sysv-amd64nox iso.

Add iso (contents) to make live usb.
Add encrypted persistent partition.
Boot with persistence. It won't ask for the password or mount the partition, but root will be able to write to the media. (mounted at /lib/live/mount/persistence/sdX1)
Create symlink /lib/live/mount/medium pointing to the actual mountpoint of the media.
Run 'CRYPTSETUP=y update-initramfs.orig -u' (that's not the full name of the command.)
Copy /boot/initrd.img-<version> to the appropriate directory on the usb. (/target-name/live/initrd.whatever-you-want)
Edit the boot menu entry.

Can we skip all this if we run 'CRYPTSETUP=y update-initramfs -u' in an installed system right before making a snapshot?
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm

Re: Alternative usb installation method, part 3 (jessie)

Post by dzz » Sat Jul 04, 2015 2:52 pm

fsmithred wrote:
Can we skip all this if we run 'CRYPTSETUP=y update-initramfs -u' in an installed system right before making a snapshot?

Don't see why not. BTW snapshot iso size can be reduced by up to 20MB using xz compressed initrds in /boot and the iso's "live" dir.
dzz
 
Posts: 647
Joined: Wed Apr 27, 2011 11:53 am
Location: Devon, England

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Mon Jul 06, 2015 1:11 am

Been playing with this some more and narrowing down the process. The following seems to work.

Add an iso (contents) to usb.

Create encrypted, persistent partition or loopback file (not on first partition). If the initrd you choose to use with this volume is not ready for encryption, you'll get a warning, and a script will be copied to the root of the usb device.

Reboot into the live system, using the menu entry for persistence. This is not true persistence (you won't be asked for the password to decrypt the volume), but root will be able to write to the medium.

Run the script (as root) to update the initrd.
/lib/live/mount/persistence/sdX1/update-init-crypt.sh
https://gist.github.com/fsmithred/f15665561e517d8b2050

The script ends with nano opening the boot menu. Make sure the name of the initrd is right.

For user read/write media, I assume you'll need to patch the initrd before you reboot into the live system. Then run the script. Then I think you'll need to patch the resulting initrd and use that one.

Also haven't tested it with a live system that's using findiso. The code should handle it properly, but that hasn't been proven yet.

Updated select_initrd function (in functions.common):
https://gist.github.com/fsmithred/cca6f68c20a598393097
archivemount is required for the initrd test.
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm
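
An added example (not from the thread, the gists or the refracta2usb scripts) of the check dzz describes and the "ready for encryption" initrd test mentioned above: instead of mounting the initrd with archivemount, it reads the cpio member names directly and looks for lib/cryptsetup/askpass. All function names and the sample archive are constructed for illustration; it assumes gzip or xz compression, optionally preceded by an uncompressed early cpio segment.

```python
import gzip
import lzma

ASKPASS = "lib/cryptsetup/askpass"  # file dzz says to look for in the initrd
MAGIC = {b"\x1f\x8b": gzip.decompress, b"\xfd7zXZ\x00": lzma.decompress}

def initrd_names(blob):
    """List member names in an initrd made of newc cpio segments, raw or compressed."""
    names, pos = [], 0
    while pos < len(blob):
        if blob[pos:pos + 6] in (b"070701", b"070702"):
            # newc header: 6-byte magic + 13 fields of 8 hex digits = 110 bytes
            f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
            filesize, namesize = f[6], f[11]
            name = blob[pos + 110:pos + 109 + namesize].decode(errors="replace")
            pos += -(-(110 + namesize) // 4) * 4  # header + name, padded to 4
            pos += -(-filesize // 4) * 4          # file data, padded to 4
            if name != "TRAILER!!!":
                names.append(name.removeprefix("./").lstrip("/"))
        elif blob[pos] == 0:
            pos += 1                              # zero padding between segments
        else:
            for magic, unpack in MAGIC.items():
                if blob.startswith(magic, pos):
                    return names + initrd_names(unpack(blob[pos:]))
            raise ValueError("unrecognised data at offset %d" % pos)
    return names

def has_cryptsetup(blob):
    """True if the initrd carries the cryptsetup passphrase helper."""
    return ASKPASS in initrd_names(blob)

def newc_member(name, data=b""):
    """Build one newc cpio member; used only for the constructed sample."""
    n = name.encode() + b"\0"
    fields = (0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(n), 0)
    rec = b"070701" + b"".join(b"%08X" % v for v in fields) + n
    rec += b"\0" * (-len(rec) % 4)
    return rec + data + b"\0" * (-len(data) % 4)

def sample_initrd(with_crypt, compress=lzma.compress):
    """Constructed sample: uncompressed early cpio, then a compressed main archive."""
    early = newc_member("kernel/x86/microcode/sample.bin", b"\0" * 5)
    early += newc_member("TRAILER!!!")
    early += b"\0" * (-len(early) % 512)
    main = newc_member("bin/busybox", b"x")
    main += newc_member(ASKPASS, b"x") if with_crypt else b""
    return early + compress(main + newc_member("TRAILER!!!"))
```

For a real file, pass the bytes of the initrd (for example open(path, "rb").read()) to has_cryptsetup.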

Re: Alternative usb installation method, part 3 (jessie)

Post by fsmithred » Mon Jul 06, 2015 8:08 pm

I merged patch-initrd with update-init-crypt, so that the updated initrd could be patched in the live session, but it didn't work. When rebuilding the initrd, there were a lot of errors about files that could not be symlinked to busybox. On reboot with the patched initrd, I got a kernel panic.

@dzz, have you ever run patch-live-initrd in a live session?
fsmithred
 
Posts: 2081
Joined: Wed Mar 09, 2011 9:13 pm
