diff --git a/live/root/etc/systemd/system/agama-password-cmdline.service b/live/root/etc/systemd/system/agama-password-cmdline.service
new file mode 100644
index 0000000000..3176560d17
--- /dev/null
+++ b/live/root/etc/systemd/system/agama-password-cmdline.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Set the Agama/root password from kernel command line
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+
+# plain text password or encrypted password passed via kernel command line
+ConditionKernelCommandLine=|agama.password
+ConditionKernelCommandLine=|agama.password_hash
+
+[Service]
+ExecStart=agama-password --kernel
+Type=oneshot
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/etc/systemd/system/agama-password-dialog.service b/live/root/etc/systemd/system/agama-password-dialog.service
new file mode 100644
index 0000000000..3267dca187
--- /dev/null
+++ b/live/root/etc/systemd/system/agama-password-dialog.service
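Review bot: agama-password-cmdline.service names the two boot options but does not say that a plain-text `agama.password=` value stays readable in `/proc/cmdline` by every local process for the whole session, and that the kernel also records its command line in the boot log. I would add a comment above the two `ConditionKernelCommandLine=` lines, for example `# agama.password is visible in /proc/cmdline to all local users; prefer agama.password_hash`. `Before=` is ordering only, so if `agama-password --kernel` fails, sshd.service and agama-web-server.service presumably still start with whatever root password the image already carries; it would help to state in the unit whether that fallback is intended.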
@@ -0,0 +1,45 @@
+[Unit]
+Description=Interactively set the Agama/root password in a dialog
+
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+# before X11 because it switches the terminal to VT7
+Before=x11-autologin.service
+
+# copied from YaST2-Second-Stage.service
+Before=getty@tty1.service
+Before=getty@tty2.service
+Before=getty@tty3.service
+Before=getty@tty4.service
+Before=getty@tty5.service
+Before=getty@tty6.service
+Before=serial-getty@hvc0.service
+Before=serial-getty@sclp_line0.service
+Before=serial-getty@ttyAMA0.service
+Before=serial-getty@ttyS0.service
+Before=serial-getty@ttyS1.service
+Before=serial-getty@ttyS2.service
+Before=serial-getty@ttysclp0.service
+
+# start at the end to avoid overwriting the screen with systemd messages
+After=agama.service
+After=modprobe@drm.service
+
+# kernel command line option
+ConditionKernelCommandLine=agama.password_dialog
+
+[Service]
+Type=oneshot
+Environment=TERM=linux
+ExecStartPre=dmesg --console-off
+ExecStart=agama-password --dialog
+ExecStartPost=dmesg --console-on
+TTYReset=yes
+TTYVHangup=yes
+StandardInput=tty
+RemainAfterExit=true
+TimeoutSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/etc/systemd/system/agama-password-systemd.service b/live/root/etc/systemd/system/agama-password-systemd.service
new file mode 100644
index 0000000000..4ea29d6957
--- /dev/null
+++ b/live/root/etc/systemd/system/agama-password-systemd.service
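Review bot: `ExecStartPost=dmesg --console-on` in agama-password-dialog.service is skipped whenever `ExecStart=` fails, and `agama-password --dialog` exits 1 once the user confirms the cancel question, so kernel console messages would stay switched off for the rest of the session. systemd also runs `ExecStopPost=` after a failed start, so adding `ExecStopPost=dmesg --console-on` next to the existing line restores the console on both paths. The same applies to agama-password-systemd.service, where `agama-password --systemd` exits 1 as soon as systemd-ask-password returns an error.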
@@ -0,0 +1,42 @@
+[Unit]
+Description=Interactively set the Agama/root password
+
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+# before X11 because it switches the terminal to VT7
+Before=x11-autologin.service
+
+# copied from YaST2-Second-Stage.service
+Before=getty@tty1.service
+Before=getty@tty2.service
+Before=getty@tty3.service
+Before=getty@tty4.service
+Before=getty@tty5.service
+Before=getty@tty6.service
+Before=serial-getty@hvc0.service
+Before=serial-getty@sclp_line0.service
+Before=serial-getty@ttyAMA0.service
+Before=serial-getty@ttyS0.service
+Before=serial-getty@ttyS1.service
+Before=serial-getty@ttyS2.service
+Before=serial-getty@ttysclp0.service
+
+# start at the end to avoid overwriting the screen with systemd messages
+After=agama.service
+After=modprobe@drm.service
+
+# kernel command line option
+ConditionKernelCommandLine=agama.password_systemd
+
+[Service]
+Type=oneshot
+ExecStartPre=dmesg --console-off
+ExecStart=agama-password --systemd
+ExecStartPost=dmesg --console-on
+StandardOutput=tty
+RemainAfterExit=true
+TimeoutSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/usr/bin/agama-password b/live/root/usr/bin/agama-password
new file mode 100755
index 0000000000..aec52d7c02
--- /dev/null
+++ b/live/root/usr/bin/agama-password
@@ -0,0 +1,86 @@
+#!/usr/bin/sh
+
+# Helper script wich sets the root (Agama) pasword from several sources
+# - Kernel boot command line (use --kernel option)
+# - Systemd ask password tool (use --systemd option)
+# - Interactively using a dialog (use --dialog option)
+
+MYDIR=$(realpath "$(dirname "$0")")
+export DIALOGRC="$MYDIR/../share/agama/misc/dialog.conf"
+
+# dialog titles
+BTITLE="Agama Configuration (Press Ctrl+L to refresh the screen)"
+TITLE="Set Login Password"
+
+# functions for entering the password in an interactive dialog
+confirm_exit() {
+ if dialog --backtitle "$BTITLE" --defaultno --yesno "Are you sure you want to cancel?" 5 40; then
+ exit 1
+ fi
+}
+
+msg_box() {
+ dialog --backtitle "$BTITLE" --msgbox "$1" 6 30
+}
+
+ask_password() {
+ if ! PWD1=$(dialog --title "$TITLE" --backtitle "$BTITLE" --stdout --insecure --passwordbox "Password:" 8 40); then
+ confirm_exit
+ ask_password
+ fi
+
+ if ! PWD2=$(dialog --title "$TITLE" --backtitle "$BTITLE" --stdout --insecure --passwordbox "Verify Password:" 8 40); then
+ confirm_exit
+ ask_password
+ fi
+
+ if [ "$PWD1" != "$PWD2" ]; then
+ msg_box "Passwords do not match.\nPlease try again."
+ ask_password
+ elif [ -z "$PWD1" ]; then
+ msg_box "Password cannot be empty.\nPlease try again."
+ ask_password
+ else
+ echo "$PWD1" | passwd --stdin
+ exit 0
+ fi
+}
+
+# functions for entering the password using the "systemd-ask-password" tool
+ask_password_systemd() {
+ if ! PWD1=$(systemd-ask-password --timeout=0 "Set login password: "); then
+ exit 1
+ fi
+
+ if ! PWD2=$(systemd-ask-password --timeout=0 "Verify password: "); then
+ exit 1
+ fi
+
+ if [ "$PWD1" != "$PWD2" ]; then
+ echo "Passwords do not match, please try again."
+ ask_password_systemd
+ elif [ -z "$PWD1" ]; then
+ echo "Password cannot be empty, please try again. To skip the password configuration press Ctrl+C."
+ ask_password_systemd
+ else
+ echo "$PWD1" | passwd --stdin
+ exit 0
+ fi
+}
+
+if [ "$1" = "--kernel" ]; then
+ # get the password from the kernel command line
+ PWD=$(awk -F 'agama.password=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+ if [ -n "$PWD" ]; then
+ echo "$PWD" | passwd --stdin
+ fi
+
+ PWD=$(awk -F 'agama.password_hash=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+ if [ -n "$PWD" ]; then
+ usermod -p "$PWD" root
+ fi
+elif [ "$1" = "--dialog" ]; then
+ ask_password
+elif [ "$1" = "--systemd" ]; then
+ ask_password_systemd
+fi
diff --git a/live/root/usr/share/agama/misc/dialog.conf b/live/root/usr/share/agama/misc/dialog.conf
new file mode 100644
index 0000000000..4284be71e1
--- /dev/null
+++ b/live/root/usr/share/agama/misc/dialog.conf
@@ -0,0 +1,10 @@
+#
+# Configuration file for the "dialog" tool
+#
+# To generate a full template with all options run:
+#
+# dialog --create-rc dialog.conf
+#
+
+# Background screen color
+screen_color = (WHITE,CYAN,ON)
diff --git a/live/src/config.sh b/live/src/config.sh
index f3e2a990c6..014ceb8363 100644
--- a/live/src/config.sh
+++ b/live/src/config.sh
@@ -1,6 +1,6 @@ #! /bin/bash -set -x +set -ex # KIWI functions test -f /.kconfig && . /.kconfig
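Review bot: In live/root/usr/bin/agama-password the `--kernel` branch stores the password in `PWD`, which is the shell's own working-directory variable; if the shell has it exported, the plain-text value is copied into the environment of every child it starts (`awk`, `passwd`, `usermod`). The result of `passwd --stdin` is also never checked: in the `--kernel` branch a failure is masked by the statements that follow, and ask_password and ask_password_systemd run `exit 0` right after the pipe, so the unit reports success even when no password was set. `echo` additionally mangles values such as `-n` (and backslashes, depending on the sh implementation), so `printf '%s\n'` is the safer way to feed passwd. A possible shape for the `--kernel` branch is below; the two functions need the same `printf '%s\n' "$PWD1" | passwd --stdin || exit 1` change.

```shell
if [ "$1" = "--kernel" ]; then
  # not PWD: that name is the shell's working-directory variable
  cmdline_password=$(awk -F 'agama.password=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
  if [ -n "$cmdline_password" ]; then
    printf '%s\n' "$cmdline_password" | passwd --stdin || exit 1
  fi

  cmdline_hash=$(awk -F 'agama.password_hash=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
  if [ -n "$cmdline_hash" ]; then
    usermod -p "$cmdline_hash" root || exit 1
  fi
# … unchanged: --dialog and --systemd branches …
```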
@@ -18,23 +18,29 @@ systemctl enable NetworkManager.service systemctl enable avahi-daemon.service systemctl enable agama.service systemctl enable agama-web-server.service +systemctl enable agama-password-cmdline.service +systemctl enable agama-password-dialog.service +systemctl enable agama-password-systemd.service systemctl enable agama-auto.service systemctl enable agama-hostname.service systemctl enable agama-proxy-setup.service systemctl enable setup-systemd-proxy-env.path systemctl enable x11-autologin.service -systemctl enable spice-vdagent.service +systemctl enable spice-vdagentd.service systemctl enable zramswap # default target systemctl set-default graphical.target -# adjust owner of extracted files -chown -R root:root /root -find /etc -user 1000 | xargs chown root:root +# disable snapshot cleanup +systemctl disable snapper-cleanup.timer +systemctl disable snapper-timeline.timer -### setup dracut for live system +# disable unused services +systemctl disable YaST2-Firstboot.service +systemctl disable YaST2-Second-Stage.service +### setup dracut for live system label=${kiwi_install_volid:-$kiwi_iname} arch=$(uname -m)
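Review bot: The second config.sh hunk drops `chown -R root:root /root` and `find /etc -user 1000 | xargs chown root:root` with no replacement visible here, while the same commit adds unit files under /etc/systemd/system that run as root. If the overlay files can still arrive owned by the build user's uid, an account with that uid on the live system would be able to modify them, so please confirm ownership is now normalised where the files are packed. If it is, a short comment in place of the removed lines would record that, for example `# ownership of the root overlay is fixed at packaging time`. With `set -ex` from the first hunk, the new `systemctl disable` lines also abort the build when one of those units is not installed, which may or may not be intended.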