Add linux-hardened bootfs test

I also reverted the nonpriv user gpg signing as I don't run this script
as root.
Jesus Alvarez 6 years ago
parent 39fa838932
commit 3c7f819f22
  1. 2
  2. 2
  3. 2
  4. 2
  5. 2
  6. 2
  7. 4
  8. 2
  9. 52
  10. 12
  11. 6
  12. 29
  13. 20
  14. 26
  15. 99
  16. 12
  17. 63
  18. 8
  19. 0

@ -1 +1 @@
Subproject commit d372900675da9414f2ca46af484798d2b8b06746
Subproject commit 64a67d4d2228cca61cc52a24eba53f58d394714a

@ -1 +1 @@
Subproject commit a94ea93d1ed2975e7d8fa1c335da5bfdb1f48e14
Subproject commit 3cb16a550dab786eaab2d98359953cccc8a89912

@ -1 +1 @@
Subproject commit 568eb1328f1587cf85c7950028d1404090bdaf82
Subproject commit 2042f0e1c8d84629c0c4c35835857f9e1b6b333c

@ -1 +1 @@
Subproject commit 837fff903cd191f11e614570d9c3482c15b70f1c
Subproject commit b06600a572ff046ab596460c4ccdc9d620f0cb18

@ -1 +1 @@
Subproject commit c79508fc2f3c485c8de57f2d4dacab640994f344
Subproject commit 104ef480c04732393344da6a515d6294494a12d2

@ -1 +1 @@
Subproject commit 42399bcf60a0f8ea1085d2ed898637b50197a715
Subproject commit b4963e0dc461eedb84ddfb7f365f7b4ccf722b9b

@ -242,7 +242,7 @@ repo_add() {
exit 1
run_cmd "su - ${makepkg_nonpriv_user} -c 'repo-add -k ${gpg_sign_key} -s -v ${repo_target}/${arch}/${repo_name}.db.tar.xz ${pkg_add_list[@]}'"
run_cmd "repo-add -k ${gpg_sign_key} -s -v ${repo_target}/${arch}/${repo_name}.db.tar.xz ${pkg_add_list[@]}"
if [[ ${run_cmd_return} -ne 0 ]]; then
error "An error occurred adding the package to the repo!"
exit 1
@ -265,7 +265,7 @@ sign_packages() {
if [[ ! -f "${pkgp}.sig" ]]; then
msg2 "Signing ${pkgp}"
# GPG_TTY prevents "gpg: signing failed: Inappropriate ioctl for device"
run_cmd_no_output "su - ${makepkg_nonpriv_user} -c 'GPG_TTY=$(tty) gpg --batch --yes --detach-sign --use-agent -u ${gpg_sign_key} \"${script_dir}/${pkgp}\"'"
run_cmd_no_output "GPG_TTY=$(tty) gpg --batch --yes --detach-sign --use-agent -u ${gpg_sign_key} \"${script_dir}/${pkgp}\""
if [[ ${run_cmd_return} -ne 0 ]]; then
exit 1

@ -3,7 +3,7 @@ mode_name="hardened"
mode_desc="Select and use the packages for the linux-hardened kernel"
# Kernel versions for hardened packages
# Kernel version for GIT packages

@ -0,0 +1,52 @@
Test archzfs-qemu-lts-test-01-root-bootfs
Tests all the steps required for archzfs-linux-lts to be used as a boot filesystem.
Builds a custom archiso with the linux-lts kernel used by packer to create a Qemu base image. Syslinux is used as the boot
1. The archzfs-linux-lts packages are built for the linux-lts kernel and added to a package repository named "archzfs-testing".
#. The archzfs-testing repo is shared over NFS.
#. A custom archiso is built that boots into the linux-lts kernel. See `Archiso customization`_
#. The test files are compressed into a tar archive.
#. Packer is used to build a qemu base image using the custom archiso.
#. `` is ran in the archiso to install arch on ZFS.
#. After installation of Arch on ZFS, the VM is rebooted and packer finalizes the base image.
#. The qemu base image created by packer is booted, if the boot is successful, the test is considered passed.
Archiso customization
At the time of putting this test together (2016.09.03), there was no stable ZFSonLinux release that supported kernel 4.7 and
the archiso release at the time shipped with kernel 4.7. In order to install Arch on ZFS for test, I needed an archiso with
the linux-lts kernel. Thus, the archzfs-archiso was born!
The archiso is built by `` and used by packer to create a Qemu base image with ZFS as the root filesystem for testing.
The archiso comes with a bunch of features that are not needed in test, so they have been stripped out or modified. This
* boot straight into the linux-lts kernel to speed up the testing cycle.
* ZFS does not support arch-i686, so it was stripped.
* iPXE was not needed.
The archiso sources are copied from `/usr/share/archiso/configs/releng` after installation of the "archiso" package. The
modifed code is contained in the `testing/archiso-linux-lts` directory of this project.

@ -0,0 +1,12 @@
# We need an archiso with the lts kernel used by default
test_build_archiso() {
msg "Building archiso"
cd ${test_root_dir}/../../../archiso/ &> /dev/null
if [[ -d ${packer_work_dir}/out ]] && [[ $(ls -1 | wc -l) -gt 0 ]]; then
run_cmd "rm -rf ${test_root_dir}/archiso/out/archlinux*"
run_cmd "./ -v"
msg2 "Copying archiso to packer_work_dir"
run_cmd "cp ${test_root_dir}/../../../archiso/out/archlinux* ${packer_work_dir} && rm -rf ${test_root_dir}/archiso/work"
cd - &> /dev/null

@ -0,0 +1,6 @@
test_bootloader_install() {
# Setup the boot loader
run_cmd "mkdir -p ${arch_target_dir}/boot/syslinux; cp -f /root/syslinux.cfg '${arch_target_dir}/boot/syslinux/syslinux.cfg'"
run_cmd "arch-chroot ${arch_target_dir} /usr/bin/syslinux-install_update -i -a -m"
run_cmd_check 1

@ -0,0 +1,29 @@
test_chroot_setup() {
# $1 arch-chroot target dir
msg "Setting up arch install..."
export arch_target_dir="${test_target_dir}"
if [[ -n $1 ]]; then
msg2 "Setting base image pacman mirror"
run_cmd "/usr/bin/cp /etc/pacman.d/mirrorlist ${arch_target_dir}/etc/pacman.d/mirrorlist"
msg2 "generating the filesystem table"
run_cmd "/usr/bin/genfstab -p ${arch_target_dir} >> '${arch_target_dir}/etc/fstab'"
msg2 "Adding workaround for shutdown race condition"
run_cmd "/usr/bin/install --mode=0644 poweroff.timer '${arch_target_dir}/etc/systemd/system/poweroff.timer'"
msg2 "Create"
run_cmd "/usr/bin/install --mode=0755 /dev/null '${arch_target_dir}/usr/bin/'"
# Special filesystem configure script
source_safe /root/
msg2 "Entering chroot and configuring system"
run_cmd "/usr/bin/arch-chroot ${arch_target_dir} /usr/bin/"
msg2 "Deleting"
rm ${arch_target_dir}/usr/bin/

@ -0,0 +1,20 @@
export test_root_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
debug "test_root_dir='${test_root_dir}'"
export test_target_dir='/mnt'
export test_archzfs_repo_name="archzfs-testing"
# Additional packages to install in the archiso
export test_archiso_packages="archzfs-linux-lts"
# Additional packages to install in the archiso. The 'packages' file is placed in /root on the archiso qemu environment.
export test_chroot_packages="$(< packages) archzfs-linux-hardened"
export fqdn='test.archzfs.test'
export keymap='us'
export language='en_US.UTF-8'
export password=$(/usr/bin/openssl passwd -crypt 'azfstest')
export timezone='UTC'

@ -0,0 +1,26 @@
cat <<-EOF > "${arch_target_dir}/usr/bin/"
echo '${fqdn}' > /etc/hostname
/usr/bin/ln -s /usr/share/zoneinfo/${timezone} /etc/localtime
echo 'KEYMAP=${keymap}' > /etc/vconsole.conf
/usr/bin/sed -i 's/#${language}/${language}/' /etc/locale.gen
/usr/bin/sed -i 's/filesystems/zfs filesystems/' /etc/mkinitcpio.conf
/usr/bin/mkinitcpio -p linux-hardened
/usr/bin/usermod --password ${password} root
/usr/bin/ln -s /dev/null /etc/udev/rules.d/80-net-setup-link.rules
/usr/bin/ln -s '/usr/lib/systemd/system/dhcpcd@.service' '/etc/systemd/system/'
# Configure ssh
sed -e '/^#PermitRootLogin prohibit-password$/c PermitRootLogin yes' \
-e '/^#UseDNS no$/c UseDNS no' \
-i /etc/ssh/sshd_config
/usr/bin/systemctl enable sshd.service

@ -0,0 +1,99 @@
test_fs_config_nfs() {
# $1 arch-chroot directory
# prefix="${test_target_dir}"
if [[ -n $1 ]]; then
msg "Create NFS mount points"
run_cmd "/usr/bin/mkdir -p ${prefix}/repo"
msg "Setting the package cache (nfs mount)"
run_cmd "mount -t nfs4 -o rsize=32768,wsize=32768,timeo=3 ${prefix}/var/cache/pacman/pkg"
msg "Mounting the AUR package repo"
run_cmd "mount -t nfs4 -o rsize=32768,wsize=32768,timeo=3 ${prefix}/repo"
test_fs_config_root_preinstall() {
msg "Configuring root filesystem!"
export disk='/dev/vda'
export root_partition="${disk}1"
msg2 "Clearing partition table on ${disk}"
run_cmd "sgdisk --zap ${disk}"
run_cmd_check 1 "Could not clear partition table!"
msg2 "Destroying magic strings and signatures on ${disk}"
run_cmd "dd if=/dev/zero of=${disk} bs=512 count=2048"
run_cmd_check 1 "Problem clearing disk using dd!"
run_cmd "wipefs --all ${disk}"
run_cmd_check 1 "Problem clearing disk using wipefs!"
# See
msg2 "Creating boot partition on ${disk}"
run_cmd "sgdisk --new=1:0:512M --typecode=1:8300 ${disk}"
run_cmd_check 1 "A problem occurred creating boot partition using sgdisk!"
msg2 "Creating root partition on ${disk}"
run_cmd "sgdisk --new=2:0:0 --typecode=2:bf00 ${disk}"
run_cmd_check 1 "A problem occurred creating root partition using sgdisk!"
msg2 "The disk"
run_cmd "sgdisk -p ${disk}"
msg2 "Creating root filesystem"
run_cmd "zpool create -m ${test_target_dir} -f zroot /dev/vda2"
run_cmd_check 1 "Failed to create zfs pool"
run_cmd "zfs create -o mountpoint=none zroot/ROOT"
run_cmd_check 1 "Failed to create zfs root!"
run_cmd "zfs create -o compression=lz4 -o mountpoint=${test_target_dir}/ROOT zroot/ROOT/default"
run_cmd_check 1 "Failed to create zfs zroot/ROOT/default mountpoint!"
run_cmd "zfs create -o mountpoint=none zroot/data"
run_cmd_check 1 "Failed to create zfs zroot/data mountpoint!"
run_cmd "zfs create -o compression=lz4 -o mountpoint=${test_target_dir}/ROOT/home zroot/data/home"
run_cmd_check 1 "Failed to create zfs zroot/data/home mountpoint!"
run_cmd "zfs set mountpoint=legacy zroot/data/home"
run_cmd_check 1 "Failed to set zfs legacy mount option on mountpoint!"
msg2 "Mounting /home"
run_cmd "mount -t zfs -o default,noatime zroot/data/home ${test_target_dir}/ROOT/home"
run_cmd_check 1 "Problem mount the zfs home mountpoint!"
msg2 "Create boot directory"
run_cmd "mkdir -p ${test_target_dir}/ROOT/boot"
run_cmd_check 1 "Problem occurred creating boot directory!"
msg2 "Creating /boot filesystem (ext4)"
run_cmd "mkfs.ext4 -F -m 0 -q -L boot /dev/vda1"
run_cmd_check 1 "Problem occurred formatting the bootfs!"
msg2 "Mounting boot filesystem"
run_cmd "mount -o noatime,errors=remount-ro /dev/vda1 ${test_target_dir}/ROOT/boot"
run_cmd_check 1 "Problem occurred mounting the boot fs!"
test_fs_config_root_postinstall() {
msg "Performing final filesystem operations"
msg2 "Unmounting boot partition"
run_cmd "umount ${test_target_dir}/ROOT/boot"
msg2 "Unmounting nfs partitions"
run_cmd "umount -a -t nfs4"
msg2 "Unmounting home partition"
run_cmd "umount ${test_target_dir}/ROOT/home"
msg2 "Setting flags and exporting ZFS root"
run_cmd "zfs umount -a"
run_cmd "zpool set bootfs=zroot/ROOT/default zroot"
run_cmd "zfs set mountpoint=none zroot"
run_cmd "zfs set mountpoint=/ zroot/ROOT/default"
run_cmd "zfs set mountpoint=/home zroot/data/home"
run_cmd "zfs set mountpoint=legacy zroot/data/home"
run_cmd "zpool export zroot"

@ -0,0 +1,12 @@
test_setup_exit() {
msg "Installation complete!"
systemctl reboot
test_met_acceptance_criteria() {
return 1

@ -0,0 +1,63 @@
# Requires the pacman cache and pacman package repos be mounted via NFS
test_pacman_config() {
# $1 arch-chroot target directory
if [[ -n $1 ]]; then
arch_chroot="/usr/bin/arch-chroot ${1}"
debug "ARCH_CHROOT: ${arch_chroot}"
msg "Overriding mirrorlist"
run_cmd "cp mirrorlist /etc/pacman.d/mirrorlist"
msg "Installing archzfs repo into chroot"
printf "\n%s\n%s\n" "[${test_archzfs_repo_name}]" "Server = file:///repo/\$repo/\$arch" >> ${arch_target_dir}/etc/pacman.conf
msg2 "Setting up gnupg"
run_cmd "${arch_chroot} dirmngr < /dev/null"
# Wait for networking
for i in `seq 1 10`; do
if [[ check_internet -eq 0 ]]; then
msg2 "Attempt $i -- did not respond, trying again in 3 seconds..."
sleep 3
if [[ $i == "10" ]]; then
error "Tried 10 times, giving up!"
exit 1
msg2 "Installing the signer key"
run_cmd "${arch_chroot} pacman-key -r 0EE7A126"
run_cmd_check 1
run_cmd "${arch_chroot} pacman-key --lsign-key 0EE7A126"
run_cmd_check 1
if [[ ! -n $1 ]]; then
msg2 "Installing test packages"
# Install the required packages in the image
run_cmd "${arch_chroot} pacman -Sy --noconfirm ${arch_packages}"
run_cmd_check 1
msg2 "Loading zfs modules"
run_cmd "modprobe zfs"
msg2 "Removing the linux kernel package"
# Install the required packages in the image
run_cmd "${arch_chroot} pacman -Rs --noconfirm linux"
run_cmd_check 1
test_pacman_pacstrap() {
msg "bootstrapping the base installation"
run_cmd "/usr/bin/pacstrap -c '${test_target_dir}/ROOT' base base-devel ${test_chroot_packages}"
run_cmd_check 1

@ -0,0 +1,8 @@
LABEL arch
MENU LABEL Arch Linux Hardened
LINUX ../vmlinuz-linux-hardened
APPEND zfs=zroot/ROOT/default rw
INITRD ../initramfs-linux-hardened.img