systemd: sshd: Disable ssh-keygen

The default _sshd.service_ unit runs `ssh-keygen -A` in `ExecStartPre`, to ensure host keys exist before starting the SSH daemon. Unfortunately, this tool does _not_ respect the `HostKey` settings in `sshd_config`, and unconditionally tries to create the key files in `/etc/ssh`. Since this directory is not writable, the command fails, preventing the SSH daemon from starting.
build-rootfs: Relocate misplaced PAM libs
2025-01-02 12:57:31 -06:00 · 2025-01-02 12:57:14 -06:00 · 2024-12-30 13:15:00 -06:00 · 2024-12-29 15:02:25 -06:00 · 2024-12-22 17:57:18 -06:00 · 2024-12-13 19:34:29 -06:00
19 changed files with 58 additions and 25 deletions
--- a/5
+++ b/5
@@ -51,13 +51,16 @@ $(O)/.ready: \
 		install.packages \
 		$(CONFIGDIR)/install.packages \
 		$(wildcard $(CONFIGDIR)/installonly.packages) \
+		busybox.symlinks \
 		$(wildcard $(CONFIGDIR)/busybox.symlinks) \
 		$(O)/linux/arch/arm64/boot/Image.gz \
 		$(O)/semanage.mods \
 		$(shell find overlay -type f) \
 		$(shell find $(CONFIGDIR)/overlay -type f 2>/dev/null) \
+		$(wildcard $(CONFIGDIR)/customize.sh) \
 		$(O)/.built
 	./build-rootfs.sh "$(O)"
+	if [ -x "$(CONFIGDIR)"/customize.sh ]; then "$(CONFIGDIR)"/customize.sh "$(O)"; fi
 	touch $(O)/.ready

 $(O)/squashfs.exclude: \
@@ -90,7 +93,7 @@ kernel: $(O)/linux/arch/arm64/boot/Image.gz
 $(O)/efi-part/EFI/BOOT/BOOTAA64.efi: \
 		build-grub.sh \
 		grub.cfg \
-		$(O)/.prepared
+		$(O)/.built
 	./build-grub.sh "$(O)"

 grub: $(O)/efi-part/EFI/BOOT/BOOTAA64.efi
--- a/build-grub.sh
+++ b/build-grub.sh
@@ -39,6 +39,8 @@ grub-mkimage \
 echo 'Generating GRUB configuration file ...'
 mkdir -p "${O}"/efi-part/EFI/gentoo
 cp -uv grub.cfg "${O}"/efi-part/EFI/gentoo
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set rootflags='ro'
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set default=0
-grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set timeout=5
+grub-editenv "${O}"/efi-part/EFI/gentoo/grubenv set \
+    rootflags="${rootflags-ro}" \
+    default=0 \
+    timeout=5 \
+    && :
--- a/build-rootfs.sh
+++ b/build-rootfs.sh
@@ -16,13 +16,13 @@ USE=build \
 emerge \
    --root=/mnt/gentoo \
    --config-root="${O}"/portage \
-    -kvnjU \
+    -kvnj \
    sys-apps/baselayout

 cat \
    install.packages \
    "${CONFIGDIR}"/install.packages \
-    | xargs -ro \
+    | xargs -rt \
 ${target}-emerge \
    --root=/mnt/gentoo \
    --config-root="${O}"/portage \
@@ -30,7 +30,7 @@ ${target}-emerge \
    --rebuilt-binaries=y

 if [ -f "${CONFIGDIR}"/installonly.packages ]; then
-    < "${CONFIGDIR}"/installonly.packages xargs -ro \
+    < "${CONFIGDIR}"/installonly.packages xargs -rt \
    ${target}-emerge \
        --root=/mnt/gentoo \
        --config-root="${O}"/portage \
@@ -76,6 +76,24 @@ if [ -f /mnt/gentoo/etc/udev/hwdb.bin ]; then
    mv /mnt/gentoo/etc/udev/hwdb.bin /mnt/gentoo/usr/lib/udev/
 fi

+gccver=$(qlist -I -F '%{PV}' cross-${target}/gcc | sed 's/[^0-9].*//')
+for lib in \
+    libstdc++ \
+    libgcc_s \
+; do
+    cp /usr/lib/gcc/${target}/${gccver}/${lib}.so.* /mnt/gentoo/usr/lib64/
+done
+
+qemu-${target%%-*} \
+/mnt/gentoo/usr/sbin/ldconfig \
+    -r /mnt/gentoo \
+    -f /mnt/gentoo/etc/ld.so.conf
+
+if [ -d /mnt/gentoo/lib64/security ]; then
+    find /mnt/gentoo/lib64/security -name 'pam_*.so' \
+        -exec mv -t /mnt/gentoo/lib/security {} +
+fi
+
 rm -f /mnt/gentoo/lib/tmpfiles.d/provision.conf
 systemd-tmpfiles --root=/mnt/gentoo -E --exclude-prefix=/var --create

--- a/build.sh
+++ b/build.sh
@@ -16,6 +16,6 @@ cat \
    install.packages \
    "${CONFIGDIR}"/build.packages \
    "${CONFIGDIR}"/install.packages \
-    | xargs -rot \
+    | xargs -rt \
 ${target}-emerge -bkvnuUDj
 ${target}-emerge -bv @preserved-rebuild
--- a/busybox.symlinks
+++ b/busybox.symlinks
@@ -8,6 +8,7 @@ du
 echo
 env
 false
+find
 free
 fsync
 fuser
--- a/install-update.sh
+++ b/install-update.sh
@@ -20,7 +20,8 @@ set_default_boot() {
    _rc=0
    mkdir -p newroot || return
    mount -oro "$1" newroot || return
-    _kernel=$(find newroot/boot -name 'vmlinuz-*' -printf '%P\n' \
+    _kernel=$(find newroot/boot -name 'vmlinuz-*' \
+        | awk -F/ '{print $NF}' \
        | sort -V \
        | tail -n1
    )
--- a/install.packages
+++ b/install.packages
@@ -1,5 +1,8 @@
+app-alternatives/awk
 net-misc/openssh
 net-misc/wget
 sys-apps/busybox
+sys-apps/kbd
+sys-apps/gentoo-functions
 sys-apps/systemd
 sys-fs/btrfs-progs
--- a/overlay/etc/ssh/sshd_config.d/authorized-keys-command.conf
+++ b/overlay/etc/ssh/sshd_config.d/authorized-keys-command.conf
@@ -1,2 +0,0 @@
-AuthorizedKeysCommand /usr/libexec/ssh-authorized-keys %u %t
-AuthorizedKeysCommandUser nobody
--- a/overlay/etc/systemd/network/95-default.network
+++ b/overlay/etc/systemd/network/95-default.network
@@ -3,3 +3,9 @@ Type=ether

 [Network]
 DHCP=yes
+
+[DHCPv4]
+UseDomains=yes
+
+[DHCPv6]
+UseDomains=yes
--- a/overlay/usr/bin/system-update
+++ b/overlay/usr/bin/system-update
@@ -119,6 +119,8 @@ trap cleanup INT TERM QUIT EXIT
 workdir=$(mktemp -d)
 cd "${workdir}"

+systemctl daemon-reload
+
 fetch_update "${source_url}" || die 'Failed to fetch update source'
 extract_update || die 'Failed to extact update source'
 ./install "${newroot}" || die 'Error installing system update'
--- a/overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.bin.xz
+++ b/overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.bin.xz
@@ -1 +0,0 @@
-../cypress/cyfmac43455-sdio.bin.xz
--- a/overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.txt.xz
+++ b/overlay/usr/lib/firmware/brcm/brcmfmac43455-sdio.raspberrypi,4-compute-module-ha-yellow.txt.xz
@@ -1 +0,0 @@
-brcmfmac43455-sdio.raspberrypi,4-model-b.txt.xz
--- a/overlay/usr/lib/systemd/sshd.service.d/no-keygen.conf
+++ b/overlay/usr/lib/systemd/sshd.service.d/no-keygen.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPre=
--- a/overlay/usr/libexec/init-storage
+++ b/overlay/usr/libexec/init-storage
@@ -23,7 +23,7 @@ copy_var() {

    echo 'Copying /var contents to data volume'
    mount -o subvol=var "${dev}" "${tmpdir}" || exit
-    cp -acuv /var/. "${tmpdir}" || exit
+    cp -auv /var/. "${tmpdir}" || exit
    umount "${tmpdir}"
 }

@@ -89,6 +89,9 @@ partition_number() {
 }

 relabel_all() {
+    if [ ! "$(command -v selinuxenabled)" ] || !selinuxenabled; then
+        return 0
+    fi
    selinuxtype=$(. /etc/selinux/config && echo ${SELINUXTYPE})
    find "${tmpdir}" | \
    setfiles \
@@ -129,7 +132,7 @@ setup_etc() {
    echo 'Initializing writable paths in /etc'
    mount -o subvol=etc "${dev}" "${tmpdir}" || exit
    if [ ! -f "${tmpdir}"/shadow ]; then
-        cp -ca /etc/shadow "${tmpdir}"/shadow || exit
+        cp -a /etc/shadow "${tmpdir}"/shadow || exit
    fi
    mount -o bind "${tmpdir}"/shadow /etc/shadow || exit
    if [ -f /etc/aimee-os/writable-etc ]; then
@@ -141,7 +144,7 @@ setup_etc() {
                        mkdir -p "${tmpdir}/${path%/*}"
                        ;;
                    esac
-                    cp -ca /etc/"${path}" "${tmpdir}/${path}"
+                    cp -a /etc/"${path}" "${tmpdir}/${path}"
                elif [ "${type}" = d ]; then
                    mkdir -p "${tmpdir}/${path}"
                elif [ "${type}" = f ]; then
--- a/overlay/usr/libexec/ssh-authorized-keys
+++ b/overlay/usr/libexec/ssh-authorized-keys
@@ -1,4 +0,0 @@
-#!/bin/sh
-# vim: set sw=4 ts=4 sts=4 et :
-
-exec wget -q -O - https://sshkeys.pyrocufflink.blue/"$1"/"$2".pub
--- a/portage/package.accept_keywords/uboot
+++ b/portage/package.accept_keywords/uboot
@@ -0,0 +1 @@
+sys-boot/u-boot ~arm64
--- a/portage/savedconfig/sys-apps/busybox
+++ b/portage/savedconfig/sys-apps/busybox
@@ -441,7 +441,7 @@ CONFIG_FEATURE_VI_UNDO_QUEUE_MAX=0
 #
 # Finding Utilities
 #
-# CONFIG_FIND is not set
+CONFIG_FIND=y
 # CONFIG_FEATURE_FIND_PRINT0 is not set
 # CONFIG_FEATURE_FIND_MTIME is not set
 # CONFIG_FEATURE_FIND_MMIN is not set
--- a/prepare.sh
+++ b/prepare.sh
@@ -37,14 +37,12 @@ if [ ! -f portage/make.conf/10-crossdev.conf ]; then
    sed -r \
        -e 's: ?-pam::' \
        -e '/PKGDIR=/d' \
+        -e '/ACCEPT_KEYWORDS/d' \
        /usr/${target}/etc/portage/make.conf \
        > "${O}"/portage/etc/portage/make.conf/10-crossdev.conf
 fi

-ln -snf /var/db/repos/gentoo/profiles/${profile} \
-    /usr/${target}/etc/portage/make.profile
-
-FEATURES="${FEATURES}" \
+FEATURES="${FEATURES} -preserve-libs -protect-owned" \
 PKGDIR="${PKGDIR}" \
 ${target}-emerge -bk1nvj sys-libs/glibc

--- a/squashfs.exclude
+++ b/squashfs.exclude
@@ -48,6 +48,7 @@ usr/share/portage
 usr/share/selinux/*/include
 usr/share/selinux/devel
 usr/share/zsh
+usr/src
 var/.updated
 var/cache/edb
 var/db/Makefile
Author	SHA1	Message	Date
Dustin C. Hatch	b43e8319f4	systemd: sshd: Disable ssh-keygen The default _sshd.service_ unit runs `ssh-keygen -A` in `ExecStartPre`, to ensure host keys exist before starting the SSH daemon. Unfortunately, this tool does _not_ respect the `HostKey` settings in `sshd_config`, and unconditionally tries to create the key files in `/etc/ssh`. Since this directory is not writable, the command fails, preventing the SSH daemon from starting.	2025-01-02 12:57:31 -06:00
Dustin C. Hatch	f914df7866	build-rootfs: Relocate misplaced PAM libs Some packages, notably _systemd_, place their PAM modules in `/usr/lib64/security` instead of `/usr/lib/security`. PAM only seems to look in the latter location, though, so anything in the former needs to be moved in order to be used.	2025-01-02 12:57:14 -06:00
Dustin C. Hatch	5bce7dfab3	build-rootfs: Copy GCC libs to target Software written in C++ typically depends on `libstdc++.so.6` and `libgcc_s.so.1`. These library dependencies are implicit, as Gentoo expects GCC to be installed as part of the _@system_ set. Since that set does not get installed in the target root, anything that depends on those libraries will not function. Rather than install _sys-devel/gcc_ in the target environment to get those libraries, we can copy ones built by `crossdev` manually. This way, we do not end up with a full C compiler and development toolchain in the target environment, while still making the libraries available for applications that need them.	2024-12-30 13:15:00 -06:00
Dustin C. Hatch	c30da6a5ff	prepare: disable preserve-libs for glibc Since installing _sys-libs/glibc_ in the crossdev root overwrites the libraries built by crossdev, Portage records the latter as needing to be protected. This results in _everything_ being pulled in to @preserved-rebuild, which ultimately does nothing since the preserved library is never replaced. To avoid this pointlessness, we need to disable the _preserve-libs_ feature when reinstalling _glibc_. We also disable _protect-owned_ to avoid spam from Portage when initially overwriting the libraries and headers in the crossdev root.	2024-12-29 15:02:25 -06:00
Dustin C. Hatch	554063e1f4	build-rootfs: Pass config path to ldconfig `ldconfig` has started complaining that it needs a configuration file when using the `-r` argument: > /mnt/gentoo/usr/sbin/ldconfig: need absolute file name for > configuration file when using -r	2024-12-22 17:57:18 -06:00
Dustin C. Hatch	0f32bf3fcb	prepare: Ignore ACCEPT_KEYWORDS in crossdev.conf _crossdev_ sets `ACCEPT_KEYWORDS="${ARCH} ~${ARCH}" by default, even when run with `--stable`. This can cause conflicts when the host system does not accept ~arch, and may not be desirable anyway. Projects that want to use ~arch can set it in their own `make.conf`. The _u-boot_ package does not have any stable keywords, so we have to explicitly accept it.	2024-12-13 19:34:29 -06:00
Dustin C. Hatch	c4740e4e5e	system-update: Reload systemd before beginning This will silence warnings from `mount` about `/etc/fstab` having changed since the last time the `systemd-fstab-generator` was run. It's not true, since it's immutable, but the warning comes up on Raspberry Pis without an RTC.	2024-12-13 19:32:49 -06:00
Dustin C. Hatch	6e49d6a254	squashfs.exclude: Add /usr/src It's empty, but let's get rid of it anyway.	2024-12-13 19:32:01 -06:00
Dustin C. Hatch	c35b7cfb72	overlay: default.network: Enable UseDomains For whatever reason, _systemd-networkd_ does not resepect the DNS domain search list sent by the DHCP server by default. This means single-label name lookups will fail in most cases.	2024-12-13 19:30:56 -06:00
Dustin C. Hatch	c2e85681a8	install.packages: Add kbd This is needed for _systemd-vconsole-setup.service_.	2024-12-13 19:30:31 -06:00
Dustin C. Hatch	fef6685876	build-rootfs: Ignore USE changes for baselayout We don't want to reinstall _baselayout_ when its USE flags change. Indeed, USE flag changes are expected, because we first install it with USE=build, but only temporarily. Once the initial symlinks for merged-usr are in place, it can be reinstalled without that flag. We don't need to keep reinstalling and toggling between states, so we ignore USE flag changes for the first pass.	2024-12-13 19:29:55 -06:00
Dustin C. Hatch	869257701c	make: rootfs: Support customize.sh Projects can now include a `customize.sh` script. If present, this script will be run after the root filesystem hierarchy has been created, but before the image is captured. This allows projects to apply additional customizations beyond adding or removing files.	2024-12-13 19:26:05 -06:00
Dustin C. Hatch	6fff371b81	make: Build GRUB after packages are built The `build-grub.sh` script needs the GRUB image from the target build root.	2024-12-13 19:24:13 -06:00
Dustin C. Hatch	4a27f46e68	make: Add busybox.symlinks dep for rootfs This ensures the root filesystem image will be regenerated if the base `busybox.symlinks` file from Aimee OS changes.	2024-12-13 19:22:49 -06:00
Dustin C. Hatch	b9356f619c	init-storage: Skip fs relabel w/o SELinux If SELinux support is not available or enabled, attempting to relabel files will fail.	2024-12-13 19:21:26 -06:00
Dustin C. Hatch	8d28c55b79	install.packages: Add gentoo-functions This package installs the `functions.sh` script library, which is used by the `install-update` script.	2024-12-13 19:20:07 -06:00
Dustin C. Hatch	3cdd4c24c5	install-update: Do not use find -printf Busybox `find` does not implement `-printf`. We have to use `awk` to get the base name of the file from its path.	2024-12-13 19:17:21 -06:00
Dustin C. Hatch	2beae39208	busybox: Enable find applet The `install-update` script uses `find` to identify the kernel image included in the new root filesystem.	2024-12-13 19:15:33 -06:00
Dustin C. Hatch	0b7519c07d	overlay: Remove obsolete files	2024-12-13 19:14:31 -06:00
Dustin C. Hatch	a51dc99b9b	build-grub: Support setting rootflags from config The project configuration file can now contain an optional `rootflags` variable. If specified, this variable will be used to set the GRUB environment variable of the same name. The value will be appended to the kernel command line.	2024-12-13 18:58:08 -06:00
Dustin C. Hatch	a244197d3c	install.packages: Add awk The _app-alternatives/awk_ package installs a symlink to `busybox` for for `awk`. Using this package instead of `busybox.symlinks` allows it to satisfy other packages that depend on a generic `awk` implementation.	2024-12-13 18:52:58 -06:00
Dustin C. Hatch	e4407b1573	init-storage: Drop -c argument to cp Busybox `cp` doesn't implement `-c` (copy SELinux context). GNU coreutils has deprecated it as well.	2024-12-13 18:50:15 -06:00
Dustin C. Hatch	b3760e7345	build-rootfs: Run ldconfig via QEMU Using the host's `ldconfig` doesn't work, as it only considers libraries for the same machine type as itself. THus, we have to execute the target's copy, which means running it via QEMU userspace emulation.	2024-12-13 18:47:51 -06:00
Dustin C. Hatch	da64f49bd6	build-rootfs: Run ldconfig Need to update the loader search path in the final root filesystem.	2024-12-10 16:56:12 -06:00
Dustin C. Hatch	79e69cf70d	build{,-rootfs}: Do not force TTY The `-o` argument to `xargs` tells it to reopen a TTY to pass to the spawned process's standard input. If there is no controlling TTY, this will fail. There's no reason to do this anyway, so let's avoid it.	2024-12-09 12:11:53 -06:00
Dustin C. Hatch	565497cab1	wip: prepare: do not set profile	2024-12-09 08:32:27 -06:00
				`@@ -1 +0,0 @@`
				`brcmfmac43455-sdio.raspberrypi,4-model-b.txt.xz`