Page 2 of 2 FirstFirst 12
Results 11 to 15 of 15

Thread: How to limit LiveCD persistency to home/data only and have an immutable system?

  1. #11
    Join Date
    Oct 2020
    Beans
    10

    Re: How to limit LiveCD persistency to home/data only and have an immutable system?

    I was able to figure out how to create a "home-rw" instead of a "writable" partition. It is a 2-step process. First, apply the following patch. Second, run "update-initramfs -u" inside the chroot environment.


    Code:
    diff -Nru chroot/usr/share/initramfs-tools/scripts/casper-helpers.orig chroot/usr/share/initramfs-tools/scripts/casper-helpers
    --- chroot/usr/share/initramfs-tools/scripts/casper-helpers.orig    2020-10-21 20:09:08.714542488 -0700
    +++ chroot/usr/share/initramfs-tools/scripts/casper-helpers    2020-10-21 21:16:47.486258899 -0700
    @@ -300,7 +300,9 @@
         echo "start=$start" | sfdisk --no-reread -q $DEVICE -a || return
         for d in ${DEVICE}$newpartno ${DEVICE}p$newpartno ${DEVICE}-part$newpartno; do
             if [ -e $d ]; then
    -            mkfs.ext4 -q -L "$(root_persistence_label)" -F $d
    +            # [eroas] create "home-rw" partition instead for better security
    +            # mkfs.ext4 -q -L "$(root_persistence_label)" -F $d
    +            mkfs.ext4 -q -L "home-rw" -F $d
                 break
             fi
         done
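    Review bot: the replacement line hard-codes the label "home-rw" where the original went through the `root_persistence_label` helper, and it leaves the old call commented out directly above it; drop the commented-out `# mkfs.ext4 -q -L "$(root_persistence_label)" -F $d` line, and if casper-helpers provides an equivalent helper for the home label, call that instead so the label is defined in one place. The `[eroas]` comment should also say what "better security" means here: only the home partition gets a persistence label, so the system tree itself has no persistent store and changes to it do not survive a reboot.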
    Right now the problem is to make wifi settings persistent after this change. Simply creating a symlink to /home/ubuntu/some-directory does not work! Any pointers appreciated.

  2. #12
    Join Date
    Jun 2007
    Location
    Hikkaduwa, Sri Lanka
    Beans
    3,300
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: How to limit LiveCD persistency to home/data only and have an immutable system?

    To change the "writable" partition to "home-rw", I open GParted, right click the partition, click "Label File System", and change the label. To make a new "home-rw" partition I right click an empty space and select "New" then I add the "home-rw" label and select "Add".

    Does using a script make anything different?
    Last edited by C.S.Cameron; October 23rd, 2020 at 04:07 AM.

  3. #13
    Join Date
    Oct 2020
    Beans
    10

    Re: How to limit LiveCD persistency to home/data only and have an immutable system?

    Quote Originally Posted by C.S.Cameron View Post
    To change the "writable" partition to "home-rw", I open GParted, right click the partition, click "Label File System", and change the label. To make a new "home-rw" partition I right click an empty space and select "New" then I add the "home-rw" label and select "Add".

    Does using a script make anything different?
    Yes. I'm creating a project that hopefully can be used by many people. By changing it in the script, none of my users will have to do this by hand later.

    Actually in my project the default user ("ubuntu") is not a sudoer. Thus we cannot change "writable" to "home-rw" later.

    The reason for such restriction is security. The project is a bitcoin wallet called eroas. If anyone is interested, take a look at https://github.com/monkey-jsun/eroas

  4. #14
    Join Date
    Oct 2020
    Beans
    10

    Re: How to limit LiveCD persistency to home/data only and have an immutable system?

    I have figured out how to make wifi connections persistent with "home-rw" persistency only. Just want to share it here in case someone else chases the same issue later.

    The main idea is to create a directory under the /home partition (persistent) and bind mount that directory to the /etc/NetworkManager/system-connections directory. As I explained earlier, a symbolic link does not work.

    Detailed implementation is a little complicated. The /home partition is automatically created by casper when the system starts for the first time. Thus we cannot pre-create it at build time. Also, when NetworkManager starts, the /home partition is not mounted as rw yet (it is ro somehow).

    To work around these challenges, I created a new systemd service, which runs at the end of the startup sequence. It will create and bind-mount the persistent directory for wifi settings under /home. It will also restart NetworkManager because NetworkManager has already started with the ro directory earlier in the bootup process.

    See the 2 files below for reference.

    eroas.service - the systemd service description file
    Code:
    [Unit]
    Description=EROAS setup
    After=graphical.target

    [Service]
    #ExecStartPre=/usr/bin/sleep 60
    ExecStart=/usr/sbin/eroas_setup.sh
    # Type=idle delays ExecStart until all other queued jobs have been
    # dispatched, so we run last. systemd has no trailing comments: everything
    # after "=" is the value, so a comment must start its own line.
    Type=idle

    [Install]
    # Enable with "systemctl enable eroas.service" inside the chroot.
    WantedBy=graphical.target
    eroas_setup.sh: the script that does the bind mount
    Code:
    #!/bin/bash

    # Create the persistent directory for wifi settings if it does not exist.
    # mkdir -p is idempotent, so this also completes a partially created tree.
    mkdir -p /home/casper/etc/NetworkManager/system-connections
    # Keep other users out of the saved connections (keyfiles hold wifi PSKs).
    chmod o-rx /home/casper

    # Mount over the RO part and restart NetworkManager so it re-reads the
    # now-writable directory. Skip the mount if it is already in place
    # (e.g. the service was restarted by hand) to avoid stacking bind mounts.
    if ! mountpoint -q /etc/NetworkManager/system-connections; then
        mount --bind /home/casper/etc/NetworkManager/system-connections /etc/NetworkManager/system-connections
    fi
    systemctl restart NetworkManager

    # Remove ubuntu from the sudo/adm groups. The root filesystem is not
    # persistent, so this has to be redone on every boot. The patterns assume
    # the stock gids (4 and 27) and that ubuntu is the only listed member.
    sed -i "s#adm:x:4:ubuntu#adm:x:4:#" /etc/group
    sed -i "s#sudo:x:27:ubuntu#sudo:x:27:#" /etc/group

    exit 0
    By now, with home/-only persistency and the ubuntu sudoer privilege removed, the system becomes immutable, a very important security property. I need this for my bitcoin wallet project. If you are interested, take a look at https://github.com/monkey-jsun/eroas
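    A set of post-boot checks for the layout described in this post, added here as an example; it is not code from the thread or from the eroas project. It parses the mountinfo and group file formats, so the same functions can be run against /proc/self/mountinfo and /etc/group on a booted system, but by default it runs on constructed samples embedded in the script. The upper-layer path /cow, the device names in the samples, and the group file contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example: post-boot checks for the "home-rw only" layout described
# in the post above. Not code from the thread or from the eroas project.
# Every check reads its input from a file, so the same functions can be
# pointed at /proc/self/mountinfo and /etc/group on a booted system or at
# the constructed samples at the bottom.

# Print "<fstype> <root-inside-source-fs>" for the mount at mount point $2,
# read from mountinfo file $1. mountinfo field 4 is the root within the
# source filesystem, field 5 the mount point, and the filesystem type is
# the field after the "-" separator (optional fields may sit before it).
mount_fstype_root() {
    awk -v mp="$2" '
        $5 == mp {
            for (i = 7; i <= NF; i++)
                if ($i == "-") { print $(i + 1) " " $4; exit }
        }' "$1"
}

# True if mount point $2 is a bind mount backed by the ext4 home partition,
# i.e. its source root is $3 inside that filesystem (not inside the overlay).
is_home_bind_mount() {
    [ "$(mount_fstype_root "$1" "$2")" = "ext4 $3" ]
}

# True if "/" is an overlay and its upper layer, mounted at $2, is tmpfs,
# so writes to the system tree do not survive a reboot. Casper mounts the
# upper layer at /cow; that path is an assumption of this example.
root_is_ephemeral() {
    [ "$(mount_fstype_root "$1" /)" = "overlay /" ] &&
    [ "$(mount_fstype_root "$1" "$2")" = "tmpfs /" ]
}

# True if user $3 is listed as a member of group $2 in group file $1.
user_in_group() {
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# Run every check against mountinfo file $1 and group file $2.
# Returns 0 only when all properties the post relies on hold.
run_checks() {
    status=0
    if root_is_ephemeral "$1" /cow; then
        echo "ok   root overlay upper layer is tmpfs (system tree not persistent)"
    else
        echo "FAIL root upper layer is not tmpfs; system changes may persist"; status=1
    fi
    if is_home_bind_mount "$1" /etc/NetworkManager/system-connections \
            /casper/etc/NetworkManager/system-connections; then
        echo "ok   NetworkManager connections are bind-mounted from home-rw"
    else
        echo "FAIL NetworkManager connections are not backed by home-rw"; status=1
    fi
    for g in sudo adm; do
        if user_in_group "$2" "$g" ubuntu; then
            echo "FAIL ubuntu is still a member of $g"; status=1
        else
            echo "ok   ubuntu is not a member of $g"
        fi
    done
    return $status
}

# --- constructed samples: what a correctly set up boot should look like ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
MOUNTINFO="$SAMPLE_DIR/mountinfo"
GROUPFILE="$SAMPLE_DIR/group"
cat > "$MOUNTINFO" <<'EOF'
22 1 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/rofs,upperdir=/cow/upper,workdir=/cow/work
23 22 0:20 / /cow rw,relatime - tmpfs tmpfs rw,mode=755
24 22 8:19 / /home rw,relatime shared:1 - ext4 /dev/sdb3 rw
25 22 8:19 /casper/etc/NetworkManager/system-connections /etc/NetworkManager/system-connections rw,relatime shared:1 - ext4 /dev/sdb3 rw
EOF
cat > "$GROUPFILE" <<'EOF'
root:x:0:
adm:x:4:
sudo:x:27:
ubuntu:x:1000:
EOF

# On a booted system run: run_checks /proc/self/mountinfo /etc/group
run_checks "$MOUNTINFO" "$GROUPFILE"
```

    The checks read only the files they are given, so they can be run from the unprivileged "ubuntu" account after boot to confirm that the root overlay really is backed by tmpfs, that the NetworkManager directory comes from the home-rw partition rather than the overlay, and that the group edits from eroas_setup.sh took effect.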

  5. #15
    Join Date
    Nov 2011
    Location
    /dev/root
    Beans
    Hidden!

    Re: How to limit LiveCD persistency to home/data only and have an immutable system?

    Thanks for sharing your solution
