-
Notifications
You must be signed in to change notification settings - Fork 34
/
debian.setup
executable file
·392 lines (323 loc) · 11.9 KB
/
debian.setup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
#! /bin/bash
# Shared .setup between all Debian/Ubuntu flavors
set -ex
IMAGE="$1"
# Enable a console on ttyS0 so that we can log-in via vm-run.
# and make the boot up more verbose
sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT/# GRUB_CMDLINE_LINUX_DEFAULT/' /etc/default/grub
# We install all dependencies of the cockpit packages since we want
# them to not spontaneously change from one test run to the next when
# the distribution repository is updated.
#
COCKPIT_DEPS="\
cryptsetup \
libjson-glib-1.0-0 \
libnss-systemd \
libosinfo-bin \
libpcp3 \
libpolkit-agent-1-0 \
libpolkit-gobject-1-0 \
libpwquality-tools \
libteam-utils \
libvirt-daemon-system \
libvirt-dbus \
network-manager \
packagekit \
pcp \
python3-pcp \
python3-dbus \
qemu-block-extra \
realmd \
selinux-basics \
sscg \
tuned \
udisks2 \
udisks2-btrfs \
udisks2-lvm2 \
unattended-upgrades \
xdg-utils \
"
# udisks >= 2.10 depends on libblockdev-mdraid, so add it manually only for older OSes
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] ; then
COCKPIT_DEPS="$COCKPIT_DEPS libblockdev-mdraid2"
fi
# policykit-1 was split into multiple packages on debian, ubuntu-2204 kept the old name
if [ "$IMAGE" = "ubuntu-2204" ]; then
COCKPIT_DEPS="$COCKPIT_DEPS policykit-1"
else
COCKPIT_DEPS="$COCKPIT_DEPS pkexec"
fi
# We also install the packages necessary to join a FreeIPA domain so
# that we don't have to go to the network during a test run.
IPA_CLIENT_PACKAGES="\
freeipa-client \
python3-gssapi \
sssd-tools \
"
TEST_PACKAGES="\
acl \
bind9-dnsutils \
clevis-luks \
curl \
firewalld \
gdb \
iproute2 \
krb5-user \
lastlog2 \
libnss-myhostname \
libpam-pwquality \
ltrace \
mdadm \
nfs-server \
nftables \
open-iscsi \
packagekit-tools \
podman \
qemu-kvm \
redis \
rsync \
sssd-dbus \
sssd-proxy \
socat \
sosreport \
strace \
systemd-coredump \
systemd-cryptsetup \
tang \
targetcli-fb \
tcsh \
virtinst \
virtiofsd \
wireguard-tools \
xfsprogs \
"
# older libvirt have this builtin
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] ; then
TEST_PACKAGES="${TEST_PACKAGES/virtiofsd/}"
fi
# introduced in util-linux 2.40.1-5
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] || [ "$IMAGE" = "ubuntu-2404" ]; then
TEST_PACKAGES="${TEST_PACKAGES/lastlog2/}"
fi
# These packages are downloaded to the image so that the tests can
# install them on-demand.
PACKAGE_SET_CLEVIS="\
clevis-dracut
clevis-systemd
"
PACKAGE_SET_CHRONYD="\
chrony
tzdata-legacy
"
# introduced in debian 13 (trixie) and Ubuntu 23.10
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] ; then
PACKAGE_SET_CHRONYD="${PACKAGE_SET_CHRONYD/tzdata-legacy/}"
fi
PACKAGE_SET_TIMESYNCD="\
systemd-timesyncd
"
# wait until cloud-init finishes, so that it doesn't clobber sources.list
until systemctl list-jobs | grep -q "No jobs"; do sleep 1; done
RELEASE=$(. /etc/os-release; echo $VERSION_CODENAME)
# debian-testing image gets bootstrapped from debian stable; upgrade
if [ "$IMAGE" = "debian-testing" ]; then
rm --verbose -f /etc/apt/sources.list.d/*
echo 'deb http://deb.debian.org/debian testing main' > /etc/apt/sources.list
RELEASE=testing
# some packages have been RC buggy for a long time and fell out of testing
# https://tracker.debian.org/pkg/freeipa
IPA_CLIENT_PACKAGES="${IPA_CLIENT_PACKAGES/freeipa-client /}"
# https://tracker.debian.org/pkg/sssd
IPA_CLIENT_PACKAGES="${IPA_CLIENT_PACKAGES/sssd-tools /}"
TEST_PACKAGES="${TEST_PACKAGES/sssd-dbus /}"
TEST_PACKAGES="${TEST_PACKAGES/sssd-proxy /}"
# https://tracker.debian.org/pkg/pcp
COCKPIT_DEPS="${COCKPIT_DEPS/libpcp3 /}"
COCKPIT_DEPS="${COCKPIT_DEPS/pcp /}"
COCKPIT_DEPS="${COCKPIT_DEPS/python3-pcp /}"
fi
# Attention: Enable proposed for ubuntu-stable after 24.10 release
if [ "${IMAGE#ubuntu}" != "$IMAGE" ]; then
echo "deb http://archive.ubuntu.com/ubuntu ${RELEASE}-proposed main restricted universe" > /etc/apt/sources.list.d/proposed.list
cat <<EOF > /etc/apt/preferences.d/all-proposed
Package: *
Pin: release a=*-proposed
Pin-Priority: 600
EOF
fi
# systemd-cryptsetup was split out in 256.1-2, older releases don't have it yet
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] || [ "$IMAGE" = "ubuntu-2404" ]; then
TEST_PACKAGES="${TEST_PACKAGES/systemd-cryptsetup /}"
fi
# smaller and faster initrd; see https://launchpad.net/bugs/1592684
echo 'MODULES=dep' > /etc/initramfs-tools/conf.d/modules-dep.conf
if grep -q 'ID=ubuntu' /etc/os-release; then
PBUILDER_OPTS='COMPONENTS="main universe"'
# we want to have some snaps installed
TEST_PACKAGES="$TEST_PACKAGES snapd"
fi
# some cloud images have a pre-defined admin user or group, for them cloud-init admin creation fails
userdel -r admin || true
groupdel admin || true
useradd -m -U -c Administrator -G sudo -s /bin/bash admin
echo admin:foobar | chpasswd
cp -r ~root/.ssh ~admin/
chown -R admin:admin ~admin/.ssh
# avoid NM-wait-online hanging on disconnected interfaces
mkdir -p /etc/NetworkManager/conf.d/
printf '[main]\nno-auto-default=*\n' > /etc/NetworkManager/conf.d/noauto.conf
export DEBIAN_FRONTEND=noninteractive
apt-get -y update
# apt go-faster
echo 'Acquire::Languages "none";' > /etc/apt/apt.conf.d/90nolanguages
apt-get install -y eatmydata
APT='eatmydata apt-get -y -o Dpkg::Options::=--force-confold'
# remove packages that we don't need
for p in lxd snapd landscape-common accountsservice open-vm-tools ufw cloud-init; do $APT purge --auto-remove $p || true; done
# python3-rtslib-fb postinst starts rtslib-fb-targetctl.service , but that may fail due to kernel being upgraded
mkdir -p /run/systemd/system
ln -s /dev/null /run/systemd/system/rtslib-fb-targetctl.service
systemctl daemon-reload
# upgrade the system
$APT dist-upgrade
# HACK: on systemd update `systemd-network` may end up in failed state
systemctl restart systemd-networkd.service || true
# install our dependencies
$APT install $TEST_PACKAGES $COCKPIT_DEPS $IPA_CLIENT_PACKAGES
# download package sets
mkdir -p /var/lib/package-sets/clevis
( cd /var/lib/package-sets/clevis; $APT download $PACKAGE_SET_CLEVIS )
mkdir -p /var/lib/package-sets/chronyd
( cd /var/lib/package-sets/chronyd; $APT download $PACKAGE_SET_CHRONYD )
mkdir -p /var/lib/package-sets/timesyncd
( cd /var/lib/package-sets/timesyncd; $APT download $PACKAGE_SET_TIMESYNCD )
# Pre-install distribution cockpit packages, for testing cockpit extensions offline and for convenient interactive debugging
$APT --no-install-recommends install cockpit
if grep -q 'ID=ubuntu' /etc/os-release; then
# Extract scsi_debug and team modules from full kernel; let's not install linux-image-generic
# just for that, it increases boot time by over 10s and image size by > 600 MB
EXTRAS=$(apt-cache show linux-image-generic | grep Depends: | grep -o 'linux-modules-extra[^,]*')
(cd /tmp/
apt-get download $EXTRAS
for pkg in $EXTRAS; do
dpkg-deb --fsys-tarfile ${pkg}_*.deb | tar -C / --wildcards -xv '*/scsi_debug.ko*' '*/team*.ko*'
rm ${pkg}_*.deb
depmod "${pkg#linux-modules-extra-}"
done
)
fi
# Prepare for building
#
# extract control files, so that we can parse the build deps
mkdir -p /tmp/out
curl -L https://github.com/cockpit-project/cockpit/archive/main.tar.gz | tar -C /tmp/out --strip-components=1 --wildcards -zxf - '*/debian/'
# HACK: auto-detection is broken: https://bugs.debian.org/1038689
if grep -q 'ID=ubuntu' /etc/os-release; then
MIRRORSITE=http://archive.ubuntu.com/ubuntu
else
MIRRORSITE=http://deb.debian.org/debian
fi
# Disable build-dep installation for the real builds
cat > /etc/pbuilderrc <<- EOF
DISTRIBUTION=$RELEASE
PBUILDERSATISFYDEPENDSCMD=true
MIRRORSITE=$MIRRORSITE
$PBUILDER_OPTS
EOF
$APT install dpkg-dev pbuilder
pbuilder --create --extrapackages "fakeroot $PBUILDER_EXTRA"
# our static build deps approach cannot resolve alternate build dependencies,
# so hide systemd-dev on older releases which don't have it yet
if [ "$IMAGE" = "debian-stable" ] || [ "$IMAGE" = "ubuntu-2204" ] ; then
sed -i 's/systemd-dev |.*,/systemd,/' /tmp/out/tools/debian/control
fi
# HACK: pcp fell out of testing, get it from unstable
if [ "$IMAGE" = "debian-testing" ]; then
cat <<EOS > /tmp/pbuilder_script
echo 'deb http://deb.debian.org/debian unstable main' >> /etc/apt/sources.list
cat <<EOF > /etc/apt/preferences.d/unstable
Package: *
Pin: release a=unstable
Pin-Priority: -1
Package: *pcp*
Pin: release a=unstable
Pin-Priority: 10
EOF
apt-get update
EOS
fi
cat <<EOS >> /tmp/pbuilder_script
$(/usr/lib/pbuilder/pbuilder-satisfydepends-classic --control /tmp/out/tools/debian/control --force-version --echo|grep apt-get)
EOS
pbuilder execute --save-after-exec -- /tmp/pbuilder_script
rm -rf /tmp/out
# libvirtd might need a restart after installing other packages
systemctl restart libvirtd
# Debian does not automatically start the default libvirt network
virsh net-autostart default
# Disable services which we don't want running by default
systemctl disable --now redis-server tuned
# Disable expensive maintenance jobs
systemctl disable apt-daily.timer apt-daily-upgrade.timer fstrim.timer man-db.timer || true
# Enable coredumping via systemd
echo "kernel.core_pattern=|/lib/systemd/systemd-coredump %P %u %g %s %t %c %e" > /etc/sysctl.d/50-coredump.conf
printf 'DefaultLimitCORE=infinity\n' >> /etc/systemd/system.conf
# We want to use/test NetworkManager instead of netplan/networkd for ethernets
printf 'network:\n renderer: NetworkManager\n' > /etc/netplan/10-nm.yaml
mkdir -p /etc/NetworkManager/conf.d
touch /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
systemctl disable --now systemd-networkd-wait-online.service
# Final tweaks
# Prevent longish shutdown delays with broken inhibitor lock holders
# like https://gitlab.com/libvirt/libvirt/-/issues/705.
#
# "unattended-upgrades" changes the default of 5 seconds to 30
# seconds. Let's override that.
if [ "$1" != "debian-stable" ] && [ "$1" != "ubuntu-2204" ]; then
mkdir -p /etc/systemd/logind.conf.d
cat >/etc/systemd/logind.conf.d/zz-quick.conf <<EOF
[Login]
InhibitDelayMaxSec=5
EOF
systemctl reload systemd-logind
fi
# Enable persistent journal
mkdir -p /var/log/journal
# Allow root login with password
sed -i 's/^[# ]*PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
# At least debian-9 cloud image only has RSA key
[ -e /etc/ssh/ssh_host_ed25519_key ] || ssh-keygen -f /etc/ssh/ssh_host_ed25519_key -N '' -t ed25519
[ -e /etc/ssh/ssh_host_ecdsa_key ] || ssh-keygen -f /etc/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
# Prevent SSH from hanging for a long time when no external network access
echo 'UseDNS no' >> /etc/ssh/sshd_config
# HACK: https://bugzilla.mindrot.org/show_bug.cgi?id=2512
# Disable the restarting of sshd when networking changes
ln -snf /bin/true /etc/network/if-up.d/openssh-server
# Stop showing 'To run a command as administrator (user "root"), use "sudo <command>". See "man
# sudo_root" for details.` message in admins terminal.
touch /home/admin/.sudo_as_admin_successful
# Pull podman containers if we have podman
/var/lib/testvm/podman-images.setup
# Pull a small snap on Ubuntu so that we can test its effect on the
# Storage page and elsewhere.
if grep -q 'ID=ubuntu' /etc/os-release; then
snap install hello-world
fi
# HACK: https://bugs.debian.org/1032990
if [ "$RELEASE" = "testing" ]; then
sed -i '/subid:.*sss/d' /etc/nsswitch.conf
fi
# HACK: https://launchpad.net/bugs/2040483
if [ "$IMAGE" = "ubuntu-2404" ]; then
mkdir -p /etc/containers/containers.conf.d
printf '[CONTAINERS]\napparmor_profile=""\n' > /etc/containers/containers.conf.d/disable-apparmor.conf
fi
# pmlogger.service sometimes causes long shutdown hangs; disable all PCP services and timers
systemctl --all --legend=false list-units 'pm*' | awk '{print $1}' | xargs --no-run-if-empty systemctl disable
# reduce image size; don't keep old kernels
sed -i '/linux/d' /etc/apt/apt.conf.d/01autoremove
$APT autoremove --purge || true
apt-get clean
pbuilder clean
rm -f /var/cache/apt/*cache.bin
/var/lib/testvm/zero-disk.setup