public
/
j7s-os
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Delete encryption.

This commit is contained in:
James Pace 2022-08-22 20:12:52 -04:00
parent ed293e5dba
commit d4bdb2c1eb
5 changed files with 0 additions and 245 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
osbuild-manifests/images/encrypted.mpp.yml
View File

@ -1,67 +0,0 @@
# This image demontrates how to use an encrypted rootfs
# Due to the use of luks_auto_unlock, the passphrase is copied to the initrd and
# the rootfs uses this to automatically unlock the system on the first boot.
# However, the autosig-sample-tpm-enroll service is also installed, and this
# will replace the passphrase with a TPM based token, meaning that later
# boots are tied to this machine only.
# Remember to pass --tpm2 to runvm when testing this.
version: '2'
mpp-vars:
name: encrypted
use_luks: true
luks_auto_unlock: true
extra_boot_rpms:
- clevis-dracut
pipelines:
- mpp-import-pipelines:
path: include/build.ipp.yml
- name: rootfs
build: name:build
stages:
- type: org.osbuild.kernel-cmdline
options:
root_fs_uuid:
mpp-eval: rootfs_uuid
kernel_opts:
mpp-eval: ''' '' .join(kernel_opts)'
- type: org.osbuild.rpm
options:
gpgkeys:
- mpp-eval: centos_gpg_key
- mpp-eval: redhat_gpg_key
disable_dracut: true
exclude:
docs: true
inputs:
packages:
type: org.osbuild.files
origin: org.osbuild.source
mpp-depsolve:
architecture: $arch
ignore-weak-deps: true
module-platform-id: $distro_module_id
baseurl: $distro_baseurl/BaseOS/$arch/os/
repos:
mpp-join:
- mpp-eval: distro_repos
- mpp-eval: target_repos
- mpp-eval: extra_repos
packages:
mpp-join:
- mpp-eval: base_rpms
- mpp-eval: image_rpms
- mpp-eval: extra_rpms
# Install the tools and service files
- - autosig-sample-tpm-enroll
excludes:
- dracut-config-rescue
- type: org.osbuild.locale
options:
language: en_US.UTF-8
- type: org.osbuild.systemd
options:
enabled_services:
- NetworkManager.service
- rngd.service
- mpp-import-pipelines:
path: include/image.ipp.yml

12
osbuild-manifests/include/image-directboot.ipp.yml
View File

@ -54,18 +54,12 @@ pipelines:
mpp-embed:
id: directboot.csv
path: directboot.csv
extra-tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:extra-tree-content
options:
paths:
mpp-join:
- - from:
mpp-format-string: input://bootcsv/{embedded['directboot.csv']}
to: tree:///boot/efi/EFI/Linux/boot.csv
- mpp-eval: extra_tree_content
- type: org.osbuild.dracut
options:
kernel:
@ -95,17 +89,11 @@ pipelines:
origin: org.osbuild.pipeline
references:
- name:rootfs
extra-tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:extra-tree-content
options:
paths:
mpp-join:
- - from: input://tree/
to: tree:///
- mpp-eval: extra_tree_content
- type: org.osbuild.copy
inputs:
kernel:

6
osbuild-manifests/include/image-ostree.ipp.yml
View File

@ -25,17 +25,11 @@ pipelines:
origin: org.osbuild.pipeline
references:
- name:rootfs
extra-tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:extra-tree-content
options:
paths:
mpp-join:
- - from: input://tree/
to: tree:///
- mpp-eval: extra_tree_content
- type: org.osbuild.systemd
options:
enabled_services:

6
osbuild-manifests/include/image-regular.ipp.yml
View File

@ -18,17 +18,11 @@ pipelines:
origin: org.osbuild.pipeline
references:
- name:rootfs
extra-tree:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- name:extra-tree-content
options:
paths:
mpp-join:
- - from: input://tree/
to: tree:///
- mpp-eval: extra_tree_content
- type: org.osbuild.users
options:
users:

154
osbuild-manifests/include/image.ipp.yml
View File

@ -1,16 +1,8 @@
version: '2'
mpp-vars:
extra_tree_content:
- mpp-if: use_luks and luks_auto_unlock
then:
from: input://extra-tree/luks-key
to: tree:///usr/.auto-unlock-key
dracut_install:
mpp-join:
- mpp-eval: dracut_install
- mpp-if: use_luks and luks_auto_unlock
then:
- /usr/.auto-unlock-key
kernel_opts:
mpp-join:
- - ro
@ -18,30 +10,8 @@ mpp-vars:
- mpp-if: use_efi_runtime
then: efi=runtime
- mpp-eval: kernel_opts
- mpp-if: use_luks
then:
- rd.luks.uuid=$luks_uuid
- rd.luks.options=discard
- mpp-if: luks_auto_unlock
then: rd.luks.key=$luks_uuid=/usr/.auto-unlock-key
pipelines:
# Some variables need to be written to files, do that here
- name: extra-tree-content
build: name:build
stages:
- type: org.osbuild.copy
inputs:
inlinefile:
type: org.osbuild.files
origin: org.osbuild.source
mpp-embed:
id: luks-key
text: $luks_passphrase
options:
paths:
- from:
mpp-format-string: input://inlinefile/{embedded['luks-key']}
to: tree:///luks-key
- mpp-import-pipelines:
path: image-$image_type.ipp.yml
- name: image
@ -87,83 +57,9 @@ pipelines:
uuid:
mpp-eval: bootfs_uuid
label: boot
- mpp-if: use_luks
then:
type: org.osbuild.luks2.format
devices:
device:
type: org.osbuild.loopback
options:
filename: disk.img
start:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
lock: true
options:
passphrase:
mpp-eval: luks_passphrase
uuid:
mpp-eval: luks_uuid
label: luks-rootfs
pbkdf:
method: argon2i
memory: 32
parallelism: 1
iterations: 4
integrity:
mpp-if: luks_use_integrity
then: hmac-sha256
- mpp-if: use_luks
then:
type: org.osbuild.lvm2.create
devices:
luks:
type: org.osbuild.loopback
options:
filename: disk.img
start:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
device:
type: org.osbuild.luks2
parent: luks
options:
passphrase:
mpp-eval: luks_passphrase
options:
volumes:
- name: root
extents: 100%FREE
- type: org.osbuild.mkfs.ext4
devices:
luks:
mpp-if: use_luks
then:
type: org.osbuild.loopback
options:
filename: disk.img
start:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
lvm:
mpp-if: use_luks
then:
type: org.osbuild.luks2
parent: luks
options:
passphrase:
mpp-eval: luks_passphrase
device:
mpp-if: use_luks
then:
type: org.osbuild.lvm2.lv
parent: lvm
options:
volume: root
else:
type: org.osbuild.loopback
options:
filename: disk.img
@ -187,13 +83,6 @@ pipelines:
origin: org.osbuild.pipeline
references:
- name:build
extra-tree:
mpp-if: "'extra_image_source_' + image_type in locals()"
then:
type: org.osbuild.tree
origin: org.osbuild.pipeline
references:
- mpp-format-string: "name:{locals().get('extra_image_source_' + image_type)}"
options:
paths:
mpp-join:
@ -218,13 +107,6 @@ pipelines:
size:
mpp-eval: image.layout['boot'].size
root:
mpp-if: use_luks
then:
type: org.osbuild.lvm2.lv
parent: root-luks
options:
volume: root
else:
type: org.osbuild.loopback
options:
filename: disk.img
@ -232,24 +114,6 @@ pipelines:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
root-raw:
mpp-if: use_luks
then:
type: org.osbuild.loopback
options:
filename: disk.img
start:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
root-luks:
mpp-if: use_luks
then:
type: org.osbuild.luks2
parent: root-raw
options:
passphrase:
mpp-eval: luks_passphrase
mounts:
- name: root
type: org.osbuild.ext4
@ -263,24 +127,6 @@ pipelines:
type: org.osbuild.fat
source: efi
target: /boot/efi
- mpp-if: use_luks
then:
type: org.osbuild.lvm2.metadata
devices:
luks:
type: org.osbuild.loopback
options:
filename: disk.img
start:
mpp-eval: image.layout['root'].start
size:
mpp-eval: image.layout['root'].size
device:
type: org.osbuild.luks2
parent: luks
options:
passphrase:
mpp-eval: luks_passphrase
options:
vg_name: osbuild
creation_host: osbuild