Add linux-hardened bootfs test

I also reverted the nonpriv user gpg signing as I don't run this script
as root.

packages/common-git/spl-utils-common-git

@@ -1 +1 @@
-Subproject commit d372900675da9414f2ca46af484798d2b8b06746
+Subproject commit 64a67d4d2228cca61cc52a24eba53f58d394714a

packages/common-git/zfs-utils-common-git

@@ -1 +1 @@
-Subproject commit a94ea93d1ed2975e7d8fa1c335da5bfdb1f48e14
+Subproject commit 3cb16a550dab786eaab2d98359953cccc8a89912

packages/linux-hardened/spl-linux-hardened

@@ -1 +1 @@
-Subproject commit 568eb1328f1587cf85c7950028d1404090bdaf82
+Subproject commit 2042f0e1c8d84629c0c4c35835857f9e1b6b333c

packages/linux-hardened/spl-linux-hardened-git

@@ -1 +1 @@
-Subproject commit 837fff903cd191f11e614570d9c3482c15b70f1c
+Subproject commit b06600a572ff046ab596460c4ccdc9d620f0cb18

packages/linux-hardened/zfs-linux-hardened

@@ -1 +1 @@
-Subproject commit c79508fc2f3c485c8de57f2d4dacab640994f344
+Subproject commit 104ef480c04732393344da6a515d6294494a12d2

packages/linux-hardened/zfs-linux-hardened-git

@@ -1 +1 @@
-Subproject commit 42399bcf60a0f8ea1085d2ed898637b50197a715
+Subproject commit b4963e0dc461eedb84ddfb7f365f7b4ccf722b9b

repo.sh

@@ -242,7 +242,7 @@ repo_add() {
         exit 1
     fi
 
-    run_cmd "su - ${makepkg_nonpriv_user} -c 'repo-add -k ${gpg_sign_key} -s -v ${repo_target}/${arch}/${repo_name}.db.tar.xz ${pkg_add_list[@]}'"
+    run_cmd "repo-add -k ${gpg_sign_key} -s -v ${repo_target}/${arch}/${repo_name}.db.tar.xz ${pkg_add_list[@]}"
     if [[ ${run_cmd_return} -ne 0 ]]; then
         error "An error occurred adding the package to the repo!"
         exit 1
@@ -265,7 +265,7 @@ sign_packages() {
         if [[ ! -f "${pkgp}.sig" ]]; then
             msg2 "Signing ${pkgp}"
             # GPG_TTY prevents "gpg: signing failed: Inappropriate ioctl for device"
-            run_cmd_no_output "su - ${makepkg_nonpriv_user} -c 'GPG_TTY=$(tty) gpg --batch --yes --detach-sign --use-agent -u ${gpg_sign_key} \"${script_dir}/${pkgp}\"'"
+            run_cmd_no_output "GPG_TTY=$(tty) gpg --batch --yes --detach-sign --use-agent -u ${gpg_sign_key} \"${script_dir}/${pkgp}\""
             if [[ ${run_cmd_return} -ne 0 ]]; then
                 exit 1
             fi

src/kernels/linux-hardened.sh

@@ -3,7 +3,7 @@ mode_name="hardened"
 mode_desc="Select and use the packages for the linux-hardened kernel"
 
 # Kernel versions for hardened packages
-pkgrel="1"
+pkgrel="2"
 kernel_version="4.12.4.a-1"
 
 # Kernel version for GIT packages

testing/tests/archzfs-qemu-hardened-test-00-bootfs/README.rst

@@ -0,0 +1,52 @@
+=========================================
+Test archzfs-qemu-lts-test-01-root-bootfs
+=========================================
+
+Tests all the steps required for archzfs-linux-lts to be used as a boot filesystem.
+
+--------
+Overview
+--------
+
+Builds a custom archiso with the linux-lts kernel used by packer to create a Qemu base image. Syslinux is used as the boot
+loader.
+
+---
+How
+---
+
+1. The archzfs-linux-lts packages are built for the linux-lts kernel and added to a package repository named "archzfs-testing".
+
+#. The archzfs-testing repo is shared over NFS.
+
+#. A custom archiso is built that boots into the linux-lts kernel. See `Archiso customization`_
+
+#. The test files are compressed into a tar archive.
+
+#. Packer is used to build a qemu base image using the custom archiso.
+
+#. `setup.sh` is ran in the archiso to install arch on ZFS.
+
+#. After installation of Arch on ZFS, the VM is rebooted and packer finalizes the base image.
+
+#. The qemu base image created by packer is booted, if the boot is successful, the test is considered passed.
+
+---------------------
+Archiso customization
+---------------------
+
+At the time of putting this test together (2016.09.03), there was no stable ZFSonLinux release that supported kernel 4.7 and
+the archiso release at the time shipped with kernel 4.7. In order to install Arch on ZFS for test, I needed an archiso with
+the linux-lts kernel. Thus, the archzfs-archiso was born!
+
+The archiso is built by `test.sh` and used by packer to create a Qemu base image with ZFS as the root filesystem for testing.
+
+The archiso comes with a bunch of features that are not needed in test, so they have been stripped out or modified. This
+includes:
+
+* boot straight into the linux-lts kernel to speed up the testing cycle.
+* ZFS does not support arch-i686, so it was stripped.
+* iPXE was not needed.
+
+The archiso sources are copied from `/usr/share/archiso/configs/releng` after installation of the "archiso" package. The
+modifed code is contained in the `testing/archiso-linux-lts` directory of this project.

testing/tests/archzfs-qemu-hardened-test-00-bootfs/archiso.sh

@@ -0,0 +1,12 @@
+# We need an archiso with the lts kernel used by default
+test_build_archiso() {
+    msg "Building archiso"
+    cd ${test_root_dir}/../../../archiso/ &> /dev/null
+    if [[ -d ${packer_work_dir}/out ]] && [[ $(ls -1 | wc -l) -gt 0 ]]; then
+        run_cmd "rm -rf ${test_root_dir}/archiso/out/archlinux*"
+    fi
+    run_cmd "./build.sh -v"
+    msg2 "Copying archiso to packer_work_dir"
+    run_cmd "cp ${test_root_dir}/../../../archiso/out/archlinux* ${packer_work_dir} && rm -rf ${test_root_dir}/archiso/work"
+    cd - &> /dev/null
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/boot.sh

@@ -0,0 +1,6 @@
+test_bootloader_install() {
+    # Setup the boot loader
+    run_cmd "mkdir -p ${arch_target_dir}/boot/syslinux; cp -f /root/syslinux.cfg '${arch_target_dir}/boot/syslinux/syslinux.cfg'"
+    run_cmd "arch-chroot ${arch_target_dir} /usr/bin/syslinux-install_update -i -a -m"
+    run_cmd_check 1
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/chroot.sh

@@ -0,0 +1,29 @@
+test_chroot_setup() {
+    # $1 arch-chroot target dir
+    msg "Setting up arch install..."
+    export arch_target_dir="${test_target_dir}"
+    if [[ -n $1 ]]; then
+        arch_target_dir="${1}"
+    fi
+    msg2 "Setting base image pacman mirror"
+    run_cmd "/usr/bin/cp /etc/pacman.d/mirrorlist ${arch_target_dir}/etc/pacman.d/mirrorlist"
+
+    msg2 "generating the filesystem table"
+    run_cmd "/usr/bin/genfstab -p ${arch_target_dir} >> '${arch_target_dir}/etc/fstab'"
+
+    # http://comments.gmane.org/gmane.linux.arch.general/48739
+    msg2 "Adding workaround for shutdown race condition"
+    run_cmd "/usr/bin/install --mode=0644 poweroff.timer '${arch_target_dir}/etc/systemd/system/poweroff.timer'"
+
+    msg2 "Create config.sh"
+    run_cmd "/usr/bin/install --mode=0755 /dev/null '${arch_target_dir}/usr/bin/config.sh'"
+
+    # Special filesystem configure script
+    source_safe /root/test-config.sh
+
+    msg2 "Entering chroot and configuring system"
+    run_cmd "/usr/bin/arch-chroot ${arch_target_dir} /usr/bin/config.sh"
+
+    msg2 "Deleting config.sh"
+    rm ${arch_target_dir}/usr/bin/config.sh
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/conf.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+export test_root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+debug "test_root_dir='${test_root_dir}'"
+
+export test_target_dir='/mnt'
+
+export test_archzfs_repo_name="archzfs-testing"
+
+# Additional packages to install in the archiso
+export test_archiso_packages="archzfs-linux-lts"
+
+# Additional packages to install in the archiso. The 'packages' file is placed in /root on the archiso qemu environment.
+export test_chroot_packages="$(< packages) archzfs-linux-hardened"
+
+export fqdn='test.archzfs.test'
+export keymap='us'
+export language='en_US.UTF-8'
+export password=$(/usr/bin/openssl passwd -crypt 'azfstest')
+export timezone='UTC'

testing/tests/archzfs-qemu-hardened-test-00-bootfs/config.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+cat <<-EOF > "${arch_target_dir}/usr/bin/config.sh"
+    echo '${fqdn}' > /etc/hostname
+    /usr/bin/ln -s /usr/share/zoneinfo/${timezone} /etc/localtime
+    echo 'KEYMAP=${keymap}' > /etc/vconsole.conf
+    /usr/bin/sed -i 's/#${language}/${language}/' /etc/locale.gen
+    /usr/bin/locale-gen
+
+    /usr/bin/sed -i 's/filesystems/zfs filesystems/' /etc/mkinitcpio.conf
+
+    /usr/bin/mkinitcpio -p linux-hardened
+
+    /usr/bin/usermod --password ${password} root
+
+    # https://wiki.archlinux.org/index.php/Network_Configuration#Device_names
+    /usr/bin/ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
+    /usr/bin/ln -s '/usr/lib/systemd/system/dhcpcd@.service' '/etc/systemd/system/multi-user.target.wants/dhcpcd@eth0.service'
+
+    # Configure ssh
+    sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
+        -e '/^#UseDNS no$/c UseDNS no' \
+        -i /etc/ssh/sshd_config
+
+    /usr/bin/systemctl enable sshd.service
+EOF

testing/tests/archzfs-qemu-hardened-test-00-bootfs/fs.sh

@@ -0,0 +1,99 @@
+test_fs_config_nfs() {
+    # $1 arch-chroot directory
+    # prefix="${test_target_dir}"
+    if [[ -n $1 ]]; then
+        prefix="${1}"
+    fi
+
+    msg "Create NFS mount points"
+    run_cmd "/usr/bin/mkdir -p ${prefix}/repo"
+
+    msg "Setting the package cache (nfs mount)"
+    run_cmd "mount -t nfs4 -o rsize=32768,wsize=32768,timeo=3 10.0.2.2:/var/cache/pacman/pkg ${prefix}/var/cache/pacman/pkg"
+
+    msg "Mounting the AUR package repo"
+    run_cmd "mount -t nfs4 -o rsize=32768,wsize=32768,timeo=3 10.0.2.2:/mnt/data/pacman/repo ${prefix}/repo"
+}
+
+
+test_fs_config_root_preinstall() {
+    msg "Configuring root filesystem!"
+
+    export disk='/dev/vda'
+    export root_partition="${disk}1"
+
+    msg2 "Clearing partition table on ${disk}"
+    run_cmd "sgdisk --zap ${disk}"
+    run_cmd_check 1 "Could not clear partition table!"
+
+    msg2 "Destroying magic strings and signatures on ${disk}"
+    run_cmd "dd if=/dev/zero of=${disk} bs=512 count=2048"
+    run_cmd_check 1 "Problem clearing disk using dd!"
+    run_cmd "wipefs --all ${disk}"
+    run_cmd_check 1 "Problem clearing disk using wipefs!"
+
+    # See http://www.rodsbooks.com/gdisk/sgdisk-walkthrough.html
+    # http://www.rodsbooks.com/gdisk/sgdisk.htm
+    msg2 "Creating boot partition on ${disk}"
+    run_cmd "sgdisk --new=1:0:512M --typecode=1:8300 ${disk}"
+    run_cmd_check 1 "A problem occurred creating boot partition using sgdisk!"
+    msg2 "Creating root partition on ${disk}"
+    run_cmd "sgdisk --new=2:0:0 --typecode=2:bf00 ${disk}"
+    run_cmd_check 1 "A problem occurred creating root partition using sgdisk!"
+
+    msg2 "The disk"
+    run_cmd "sgdisk -p ${disk}"
+
+    msg2 "Creating root filesystem"
+    run_cmd "zpool create -m ${test_target_dir} -f zroot /dev/vda2"
+    run_cmd_check 1 "Failed to create zfs pool"
+    run_cmd "zfs create -o mountpoint=none zroot/ROOT"
+    run_cmd_check 1 "Failed to create zfs root!"
+    run_cmd "zfs create -o compression=lz4 -o mountpoint=${test_target_dir}/ROOT zroot/ROOT/default"
+    run_cmd_check 1 "Failed to create zfs zroot/ROOT/default mountpoint!"
+    run_cmd "zfs create -o mountpoint=none zroot/data"
+    run_cmd_check 1 "Failed to create zfs zroot/data mountpoint!"
+    run_cmd "zfs create -o compression=lz4 -o mountpoint=${test_target_dir}/ROOT/home zroot/data/home"
+    run_cmd_check 1 "Failed to create zfs zroot/data/home mountpoint!"
+    run_cmd "zfs set mountpoint=legacy zroot/data/home"
+    run_cmd_check 1 "Failed to set zfs legacy mount option on mountpoint!"
+
+    msg2 "Mounting /home"
+    run_cmd "mount -t zfs -o default,noatime zroot/data/home ${test_target_dir}/ROOT/home"
+    run_cmd_check 1 "Problem mount the zfs home mountpoint!"
+
+    msg2 "Create boot directory"
+    run_cmd "mkdir -p ${test_target_dir}/ROOT/boot"
+    run_cmd_check 1 "Problem occurred creating boot directory!"
+
+    msg2 "Creating /boot filesystem (ext4)"
+    run_cmd "mkfs.ext4 -F -m 0 -q -L boot /dev/vda1"
+    run_cmd_check 1 "Problem occurred formatting the bootfs!"
+
+    msg2 "Mounting boot filesystem"
+    run_cmd "mount -o noatime,errors=remount-ro /dev/vda1 ${test_target_dir}/ROOT/boot"
+    run_cmd_check 1 "Problem occurred mounting the boot fs!"
+
+}
+
+test_fs_config_root_postinstall() {
+    msg "Performing final filesystem operations"
+
+    msg2 "Unmounting boot partition"
+    run_cmd "umount ${test_target_dir}/ROOT/boot"
+
+    msg2 "Unmounting nfs partitions"
+    run_cmd "umount -a -t nfs4"
+
+    msg2 "Unmounting home partition"
+    run_cmd "umount ${test_target_dir}/ROOT/home"
+
+    msg2 "Setting flags and exporting ZFS root"
+    run_cmd "zfs umount -a"
+    run_cmd "zpool set bootfs=zroot/ROOT/default zroot"
+    run_cmd "zfs set mountpoint=none zroot"
+    run_cmd "zfs set mountpoint=/ zroot/ROOT/default"
+    run_cmd "zfs set mountpoint=/home zroot/data/home"
+    run_cmd "zfs set mountpoint=legacy zroot/data/home"
+    run_cmd "zpool export zroot"
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/hooks.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+
+test_setup_exit() {
+    msg "Installation complete!"
+    systemctl reboot
+}
+
+
+test_met_acceptance_criteria() {
+    return 1
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/pacman.sh

@@ -0,0 +1,63 @@
+# Requires the pacman cache and pacman package repos be mounted via NFS
+test_pacman_config() {
+    # $1 arch-chroot target directory
+    arch_target_dir=""
+    arch_packages="${test_archiso_packages}"
+    arch_chroot=""
+    if [[ -n $1 ]]; then
+        arch_target_dir="${1}"
+        arch_chroot="/usr/bin/arch-chroot ${1}"
+    fi
+    debug "ARCH_CHROOT: ${arch_chroot}"
+
+    msg "Overriding mirrorlist"
+    run_cmd "cp mirrorlist /etc/pacman.d/mirrorlist"
+
+    msg "Installing archzfs repo into chroot"
+    printf "\n%s\n%s\n" "[${test_archzfs_repo_name}]" "Server = file:///repo/\$repo/\$arch" >> ${arch_target_dir}/etc/pacman.conf
+
+    msg2 "Setting up gnupg"
+    run_cmd "${arch_chroot} dirmngr < /dev/null"
+
+    # Wait for networking
+    for i in `seq 1 10`; do
+        if [[ check_internet -eq 0 ]]; then
+            break
+        fi
+        msg2 "Attempt $i -- Google.com did not respond, trying again in 3 seconds..."
+        sleep 3
+        if [[ $i == "10" ]]; then
+            error "Tried 10 times, giving up!"
+            exit 1
+        fi
+    done
+
+    msg2 "Installing the signer key"
+    run_cmd "${arch_chroot} pacman-key -r 0EE7A126"
+    run_cmd_check 1
+
+    run_cmd "${arch_chroot} pacman-key --lsign-key 0EE7A126"
+    run_cmd_check 1
+
+    if [[ ! -n $1 ]]; then
+        msg2 "Installing test packages"
+        # Install the required packages in the image
+        run_cmd "${arch_chroot} pacman -Sy --noconfirm ${arch_packages}"
+        run_cmd_check 1
+
+        msg2 "Loading zfs modules"
+        run_cmd "modprobe zfs"
+
+        msg2 "Removing the linux kernel package"
+        # Install the required packages in the image
+        run_cmd "${arch_chroot} pacman -Rs --noconfirm linux"
+        run_cmd_check 1
+    fi
+}
+
+
+test_pacman_pacstrap() {
+    msg "bootstrapping the base installation"
+    run_cmd "/usr/bin/pacstrap -c '${test_target_dir}/ROOT' base base-devel ${test_chroot_packages}"
+    run_cmd_check 1
+}

testing/tests/archzfs-qemu-hardened-test-00-bootfs/syslinux.cfg

@@ -0,0 +1,8 @@
+DEFAULT arch
+TIMEOUT 0.1
+
+LABEL arch
+    MENU LABEL Arch Linux Hardened
+    LINUX ../vmlinuz-linux-hardened
+    APPEND zfs=zroot/ROOT/default rw
+    INITRD ../initramfs-linux-hardened.img