agama-project · lslezak · Jun 5, 2024 · Jun 5, 2024 · Jun 5, 2024 · imobachgs
diff --git a/live/root/etc/systemd/system/agama-password-cmdline.service b/live/root/etc/systemd/system/agama-password-cmdline.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Set the Agama/root password from kernel command line
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+
+# plain text password or encrypted password passed via kernel command line
+ConditionKernelCommandLine=|agama.password
+ConditionKernelCommandLine=|agama.password_hash
+
+[Service]
+ExecStart=agama-password --kernel
+Type=oneshot
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/etc/systemd/system/agama-password-dialog.service b/live/root/etc/systemd/system/agama-password-dialog.service
@@ -0,0 +1,45 @@
+[Unit]
+Description=Interactively set the Agama/root password in a dialog
+
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+# before X11 because it switches the terminal to VT7
+Before=x11-autologin.service
+
+# copied from YaST2-Second-Stage.service
+Before=getty@tty1.service
+Before=getty@tty2.service
+Before=getty@tty3.service
+Before=getty@tty4.service
+Before=getty@tty5.service
+Before=getty@tty6.service
+Before=serial-getty@hvc0.service
+Before=serial-getty@sclp_line0.service
+Before=serial-getty@ttyAMA0.service
+Before=serial-getty@ttyS0.service
+Before=serial-getty@ttyS1.service
+Before=serial-getty@ttyS2.service
+Before=serial-getty@ttysclp0.service
+
+# start at the end to avoid overwriting the screen with systemd messages
+After=agama.service
+After=modprobe@drm.service
+
+# kernel command line option
+ConditionKernelCommandLine=agama.password_dialog
+
+[Service]
+Type=oneshot
+Environment=TERM=linux
+ExecStartPre=dmesg --console-off
+ExecStart=agama-password --dialog
+ExecStartPost=dmesg --console-on
+TTYReset=yes
+TTYVHangup=yes
+StandardInput=tty
+RemainAfterExit=true
+TimeoutSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/etc/systemd/system/agama-password-systemd.service b/live/root/etc/systemd/system/agama-password-systemd.service
@@ -0,0 +1,42 @@
+[Unit]
+Description=Interactively set the Agama/root password
+
+# before starting the SSH and Agama server so they use the new password
+Before=sshd.service
+Before=agama-web-server.service
+# before X11 because it switches the terminal to VT7
+Before=x11-autologin.service
+
+# copied from YaST2-Second-Stage.service
+Before=getty@tty1.service
+Before=getty@tty2.service
+Before=getty@tty3.service
+Before=getty@tty4.service
+Before=getty@tty5.service
+Before=getty@tty6.service
+Before=serial-getty@hvc0.service
+Before=serial-getty@sclp_line0.service
+Before=serial-getty@ttyAMA0.service
+Before=serial-getty@ttyS0.service
+Before=serial-getty@ttyS1.service
+Before=serial-getty@ttyS2.service
+Before=serial-getty@ttysclp0.service
+
+# start at the end to avoid overwriting the screen with systemd messages
+After=agama.service
+After=modprobe@drm.service
+
+# kernel command line option
+ConditionKernelCommandLine=agama.password_systemd
+
+[Service]
+Type=oneshot
+ExecStartPre=dmesg --console-off
+ExecStart=agama-password --systemd
+ExecStartPost=dmesg --console-on
+StandardOutput=tty
+RemainAfterExit=true
+TimeoutSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/usr/bin/agama-password b/live/root/usr/bin/agama-password
@@ -0,0 +1,86 @@
+#!/usr/bin/sh
+
+# Helper script wich sets the root (Agama) pasword from several sources
+# - Kernel boot command line (use --kernel option)
+# - Systemd ask password tool (use --systemd option)
+# - Interactively using a dialog (use --dialog option)
+
+MYDIR=$(realpath "$(dirname "$0")")
+export DIALOGRC="$MYDIR/../share/agama/misc/dialog.conf"
+
+# dialog titles
+BTITLE="Agama Configuration (Press Ctrl+L to refresh the screen)"
+TITLE="Set Login Password"
+
+# functions for entering the password in an interactive dialog
+confirm_exit() {
+  if dialog --backtitle "$BTITLE" --defaultno --yesno "Are you sure you want to cancel?" 5 40; then
+    exit 1
+  fi
+}
+
+msg_box() {
+  dialog --backtitle "$BTITLE" --msgbox "$1" 6 30
+}
+
+ask_password() {
+  if ! PWD1=$(dialog --title "$TITLE" --backtitle "$BTITLE" --stdout --insecure --passwordbox "Password:" 8 40); then
+    confirm_exit
+    ask_password
+  fi
+
+  if ! PWD2=$(dialog --title "$TITLE" --backtitle "$BTITLE" --stdout --insecure --passwordbox "Verify Password:" 8 40); then
+    confirm_exit
+    ask_password
+  fi
+
+  if [ "$PWD1" != "$PWD2" ]; then
+    msg_box "Passwords do not match.\nPlease try again."
+    ask_password
+  elif [ -z "$PWD1" ]; then
+    msg_box "Password cannot be empty.\nPlease try again."
+    ask_password
+  else
+    echo "$PWD1" | passwd --stdin
+    exit 0
+  fi
+}
+
+# functions for entering the password using the "systemd-ask-password" tool
+ask_password_systemd() {
+  if ! PWD1=$(systemd-ask-password --timeout=0 "Set login password: "); then
+    exit 1
+  fi
+
+  if ! PWD2=$(systemd-ask-password --timeout=0 "Verify password: "); then
+    exit 1
+  fi
+
+  if [ "$PWD1" != "$PWD2" ]; then
+    echo "Passwords do not match, please try again."
+    ask_password_systemd
+  elif [ -z "$PWD1" ]; then
+    echo "Password cannot be empty, please try again. To skip the password configuration press Ctrl+C."
+    ask_password_systemd
+  else
+    echo "$PWD1" | passwd --stdin
+    exit 0
+  fi
+}
+
+if [ "$1" = "--kernel" ]; then
+  # get the password from the kernel command line
+  PWD=$(awk -F 'agama.password=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+  if [ -n "$PWD" ]; then
+    echo "$PWD" | passwd --stdin
+  fi
+
+  PWD=$(awk -F 'agama.password_hash=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+  if [ -n "$PWD" ]; then
+    usermod -p "$PWD" root
+  fi
+elif [ "$1" = "--dialog" ]; then
+  ask_password
+elif [ "$1" = "--systemd" ]; then
+  ask_password_systemd
+fi
diff --git a/live/root/usr/share/agama/misc/dialog.conf b/live/root/usr/share/agama/misc/dialog.conf
@@ -0,0 +1,10 @@
+#
+# Configuration file for the "dialog" tool
+#
+# To generate a full template with all options run:
+#
+#    dialog --create-rc dialog.conf
+#
+
+# Background screen color
+screen_color = (WHITE,CYAN,ON)
diff --git a/live/src/config.sh b/live/src/config.sh
@@ -1,6 +1,6 @@
 #! /bin/bash
 
-set -x
+set -ex
 
 # KIWI functions
 test -f /.kconfig && . /.kconfig
@@ -18,23 +18,29 @@ systemctl enable NetworkManager.service
 systemctl enable avahi-daemon.service
 systemctl enable agama.service
 systemctl enable agama-web-server.service
+systemctl enable agama-password-cmdline.service
+systemctl enable agama-password-dialog.service
+systemctl enable agama-password-systemd.service
 systemctl enable agama-auto.service
 systemctl enable agama-hostname.service
 systemctl enable agama-proxy-setup.service
 systemctl enable setup-systemd-proxy-env.path
 systemctl enable x11-autologin.service
-systemctl enable spice-vdagent.service
+systemctl enable spice-vdagentd.service
 systemctl enable zramswap
 
 # default target
 systemctl set-default graphical.target
 
-# adjust owner of extracted files
-chown -R root:root /root
-find /etc -user 1000 | xargs chown root:root
+# disable snapshot cleanup
+systemctl disable snapper-cleanup.timer
+systemctl disable snapper-timeline.timer
 
-### setup dracut for live system
+# disable unused services
+systemctl disable YaST2-Firstboot.service
+systemctl disable YaST2-Second-Stage.service
 
+### setup dracut for live system
 label=${kiwi_install_volid:-$kiwi_iname}
 arch=$(uname -m)