examples/twb: format with black

Johannes Schauer Marin Rodrigues 2021-09-16 16:20:15 +02:00
parent 6a22e05d59
commit b3e08897c3
Signed by: josch
GPG key ID: F2CBA5C78FBD83E1
2 changed files with 254 additions and 245 deletions


@ -21,29 +21,31 @@ NOTE: this is the simplest config possible.
""" """
parser = argparse.ArgumentParser(description=__doc__) parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('output_file', nargs='?', default=pathlib.Path('filesystem.img'), type=pathlib.Path) parser.add_argument(
"output_file", nargs="?", default=pathlib.Path("filesystem.img"), type=pathlib.Path
)
args = parser.parse_args() args = parser.parse_args()
filesystem_img_size = '256M' # big enough to include filesystem.squashfs + about 64M of bootloader, kernel, and ramdisk. filesystem_img_size = "256M" # big enough to include filesystem.squashfs + about 64M of bootloader, kernel, and ramdisk.
esp_offset = 1024 * 1024 # 1MiB esp_offset = 1024 * 1024 # 1MiB
esp_label = 'UEFI-ESP' # max 8 bytes for FAT32 esp_label = "UEFI-ESP" # max 8 bytes for FAT32
live_media_path = 'debian-live' live_media_path = "debian-live"
with tempfile.TemporaryDirectory(prefix='debian-live-bullseye-amd64-minimal.') as td: with tempfile.TemporaryDirectory(prefix="debian-live-bullseye-amd64-minimal.") as td:
td = pathlib.Path(td) td = pathlib.Path(td)
subprocess.check_call( subprocess.check_call(
['mmdebstrap', [
'--mode=unshare', "mmdebstrap",
'--variant=apt', "--mode=unshare",
"--variant=apt",
'--aptopt=Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142"', '--aptopt=Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142"',
'--aptopt=Acquire::https::Proxy "DIRECT"', '--aptopt=Acquire::https::Proxy "DIRECT"',
'--dpkgopt=force-unsafe-io', "--dpkgopt=force-unsafe-io",
'--include=linux-image-amd64 init initramfs-tools live-boot netbase', "--include=linux-image-amd64 init initramfs-tools live-boot netbase",
'--include=dbus', # https://bugs.debian.org/814758 "--include=dbus", # https://bugs.debian.org/814758
'--include=live-config iproute2 keyboard-configuration locales sudo user-setup', "--include=live-config iproute2 keyboard-configuration locales sudo user-setup",
'--include=ifupdown isc-dhcp-client', # live-config doesn't support systemd-networkd yet. "--include=ifupdown isc-dhcp-client", # live-config doesn't support systemd-networkd yet.
# Do the **BARE MINIMUM** to make a USB key that can boot on X86_64 UEFI. # Do the **BARE MINIMUM** to make a USB key that can boot on X86_64 UEFI.
# We use mtools so we do not ever need root privileges. # We use mtools so we do not ever need root privileges.
# We can't use mkfs.vfat, as that needs kpartx or losetup (i.e. root). # We can't use mkfs.vfat, as that needs kpartx or losetup (i.e. root).
@ -61,15 +63,15 @@ with tempfile.TemporaryDirectory(prefix='debian-live-bullseye-amd64-minimal.') a
# FIXME: with qemu in UEFI mode (OVMF), I get dumped into startup.nsh (UEFI REPL). # FIXME: with qemu in UEFI mode (OVMF), I get dumped into startup.nsh (UEFI REPL).
# From there, I can manually type in "FS0:\EFI\BOOT\BOOTX64.EFI" to start refind, tho. # From there, I can manually type in "FS0:\EFI\BOOT\BOOTX64.EFI" to start refind, tho.
# So WTF is its problem? Does it not support fallback bootloader? # So WTF is its problem? Does it not support fallback bootloader?
'--include=refind parted mtools', "--include=refind parted mtools",
'--essential-hook=echo refind refind/install_to_esp boolean false | chroot $1 debconf-set-selections', "--essential-hook=echo refind refind/install_to_esp boolean false | chroot $1 debconf-set-selections",
'--customize-hook=echo refind refind/install_to_esp boolean true | chroot $1 debconf-set-selections', "--customize-hook=echo refind refind/install_to_esp boolean true | chroot $1 debconf-set-selections",
'--customize-hook=chroot $1 mkdir -p /boot/USB /boot/EFI/BOOT', "--customize-hook=chroot $1 mkdir -p /boot/USB /boot/EFI/BOOT",
'--customize-hook=chroot $1 cp /usr/share/refind/refind/refind_x64.efi /boot/EFI/BOOT/BOOTX64.EFI', "--customize-hook=chroot $1 cp /usr/share/refind/refind/refind_x64.efi /boot/EFI/BOOT/BOOTX64.EFI",
f'--customize-hook=chroot $1 truncate --size={filesystem_img_size} /boot/USB/filesystem.img', f"--customize-hook=chroot $1 truncate --size={filesystem_img_size} /boot/USB/filesystem.img",
f'--customize-hook=chroot $1 parted --script --align=optimal /boot/USB/filesystem.img mklabel gpt mkpart {esp_label} {esp_offset}b 100% set 1 esp on', f"--customize-hook=chroot $1 parted --script --align=optimal /boot/USB/filesystem.img mklabel gpt mkpart {esp_label} {esp_offset}b 100% set 1 esp on",
f'--customize-hook=chroot $1 mformat -i /boot/USB/filesystem.img@@{esp_offset} -F -v {esp_label}', f"--customize-hook=chroot $1 mformat -i /boot/USB/filesystem.img@@{esp_offset} -F -v {esp_label}",
f'--customize-hook=chroot $1 mmd -i /boot/USB/filesystem.img@@{esp_offset} ::{live_media_path}', f"--customize-hook=chroot $1 mmd -i /boot/USB/filesystem.img@@{esp_offset} ::{live_media_path}",
f"""--customize-hook=echo '"Boot with default options" "boot=live live-media-path={live_media_path}"' >$1/boot/refind_linux.conf""", f"""--customize-hook=echo '"Boot with default options" "boot=live live-media-path={live_media_path}"' >$1/boot/refind_linux.conf""",
# NOTE: find sidesteps the "glob expands before chroot applies" problem. # NOTE: find sidesteps the "glob expands before chroot applies" problem.
f"""--customize-hook=chroot $1 find -O3 /boot/ -xdev -mindepth 1 -maxdepth 1 -regextype posix-egrep -iregex '.*/(EFI|refind_linux.conf|vmlinuz.*|initrd.img.*)' -exec mcopy -vsbpm -i /boot/USB/filesystem.img@@{esp_offset} {{}} :: ';'""", f"""--customize-hook=chroot $1 find -O3 /boot/ -xdev -mindepth 1 -maxdepth 1 -regextype posix-egrep -iregex '.*/(EFI|refind_linux.conf|vmlinuz.*|initrd.img.*)' -exec mcopy -vsbpm -i /boot/USB/filesystem.img@@{esp_offset} {{}} :: ';'""",
@ -77,12 +79,22 @@ with tempfile.TemporaryDirectory(prefix='debian-live-bullseye-amd64-minimal.') a
# Therefore instead leave it in the squashfs, and extract it later. # Therefore instead leave it in the squashfs, and extract it later.
# f'--customize-hook=copy-out /boot/USB/filesystem.img /tmp/', # f'--customize-hook=copy-out /boot/USB/filesystem.img /tmp/',
# f'--customize-hook=chroot $1 rm /boot/USB/filesystem.img', # f'--customize-hook=chroot $1 rm /boot/USB/filesystem.img',
"bullseye",
td / "filesystem.squashfs",
]
)
'bullseye', with args.output_file.open("wb") as f:
td / 'filesystem.squashfs' subprocess.check_call(
]) ["rdsquashfs", "--cat=boot/USB/filesystem.img", td / "filesystem.squashfs"],
stdout=f,
with args.output_file.open('wb') as f: )
subprocess.check_call(['rdsquashfs', '--cat=boot/USB/filesystem.img', td / 'filesystem.squashfs'], stdout=f) subprocess.check_call(
subprocess.check_call([ [
'mcopy', '-i', f'{args.output_file}@@{esp_offset}', td / 'filesystem.squashfs', f'::{live_media_path}/filesystem.squashfs']) "mcopy",
"-i",
f"{args.output_file}@@{esp_offset}",
td / "filesystem.squashfs",
f"::{live_media_path}/filesystem.squashfs",
]
)
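Review bot: The `--aptopt=Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142"` entry in the mmdebstrap argument list hard-codes one site's caching proxy, so this example only builds where that host is reachable, and every package download goes through a plain-HTTP cache the reader may not control. apt's archive signature checks should still apply to whatever the proxy returns, but the dependency deserves at least a comment such as `# site-local apt cache; remove or replace when building elsewhere`. A small option like `parser.add_argument("--apt-proxy", default=None)`, with the two `--aptopt` entries added only when it is set, would make the example portable. The same entry appears in the second file's mmdebstrap call.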


@ -19,40 +19,46 @@ which in turn includes a bootloader (refind), kernel, ramdisk, and filesystem.sq
""" """
parser = argparse.ArgumentParser(description=__doc__) parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('output_file', nargs='?', default=pathlib.Path('filesystem.img'), type=pathlib.Path) parser.add_argument(
parser.add_argument('--timezone', default='Australia/Melbourne', type=lambda s: s.split('/'), help='NOTE: MUST be "Area/Zone" not e.g. "UTC", for now') "output_file", nargs="?", default=pathlib.Path("filesystem.img"), type=pathlib.Path
parser.add_argument('--locale', default='en_AU.UTF-8', help='NOTE: MUST end in ".UTF-8", for now') )
parser.add_argument(
"--timezone",
default="Australia/Melbourne",
type=lambda s: s.split("/"),
help='NOTE: MUST be "Area/Zone" not e.g. "UTC", for now',
)
parser.add_argument(
"--locale", default="en_AU.UTF-8", help='NOTE: MUST end in ".UTF-8", for now'
)
args = parser.parse_args() args = parser.parse_args()
filesystem_img_size = '512M' # big enough to include filesystem.squashfs + about 64M of bootloader, kernel, and ramdisk. filesystem_img_size = "512M" # big enough to include filesystem.squashfs + about 64M of bootloader, kernel, and ramdisk.
esp_offset = 1024 * 1024 # 1MiB esp_offset = 1024 * 1024 # 1MiB
esp_label = 'UEFI-ESP' # max 8 bytes for FAT32 esp_label = "UEFI-ESP" # max 8 bytes for FAT32
live_media_path = 'debian-live' live_media_path = "debian-live"
with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td: with tempfile.TemporaryDirectory(prefix="debian-sid-zfs.") as td:
td = pathlib.Path(td) td = pathlib.Path(td)
subprocess.check_call( subprocess.check_call(
['mmdebstrap', [
'--mode=unshare', "mmdebstrap",
'--variant=apt', "--mode=unshare",
"--variant=apt",
'--aptopt=Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142"', '--aptopt=Acquire::http::Proxy "http://apt-cacher-ng.cyber.com.au:3142"',
'--aptopt=Acquire::https::Proxy "DIRECT"', '--aptopt=Acquire::https::Proxy "DIRECT"',
'--dpkgopt=force-unsafe-io', "--dpkgopt=force-unsafe-io",
'--components=main contrib non-free', # needed for CPU security patches "--components=main contrib non-free", # needed for CPU security patches
"--include=init initramfs-tools xz-utils live-boot netbase",
'--include=init initramfs-tools xz-utils live-boot netbase', "--include=dbus", # https://bugs.debian.org/814758
'--include=dbus', # https://bugs.debian.org/814758 "--include=linux-image-amd64 firmware-linux",
'--include=linux-image-amd64 firmware-linux',
# Have ZFS 2.0 support. # Have ZFS 2.0 support.
'--include=zfs-dkms zfsutils-linux zfs-zed build-essential linux-headers-amd64', # ZFS 2 support "--include=zfs-dkms zfsutils-linux zfs-zed build-essential linux-headers-amd64", # ZFS 2 support
# Make the initrd a little smaller (41MB -> 20MB), at the expensive of significantly slower image build time. # Make the initrd a little smaller (41MB -> 20MB), at the expensive of significantly slower image build time.
'--include=zstd', "--include=zstd",
'--essential-hook=mkdir -p $1/etc/initramfs-tools/conf.d', "--essential-hook=mkdir -p $1/etc/initramfs-tools/conf.d",
'--essential-hook=>$1/etc/initramfs-tools/conf.d/zstd echo COMPRESS=zstd', "--essential-hook=>$1/etc/initramfs-tools/conf.d/zstd echo COMPRESS=zstd",
# Be the equivalent of Debian Live GNOME # Be the equivalent of Debian Live GNOME
# '--include=live-task-gnome', # '--include=live-task-gnome',
#'--include=live-task-xfce', #'--include=live-task-xfce',
@ -65,43 +71,37 @@ with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td:
#'--include=live-config user-setup sudo firmware-linux haveged', #'--include=live-config user-setup sudo firmware-linux haveged',
#'--include=calamares-settings-debian udisks2', # 300MB weirdo Qt GUI debian installer #'--include=calamares-settings-debian udisks2', # 300MB weirdo Qt GUI debian installer
#'--include=xfce4-terminal', #'--include=xfce4-terminal',
# x86_64 CPUs are undocumented proprietary RISC chips that EMULATE a documented x86_64 CISC ISA. # x86_64 CPUs are undocumented proprietary RISC chips that EMULATE a documented x86_64 CISC ISA.
# The emulator is called "microcode", and is full of security vulnerabilities. # The emulator is called "microcode", and is full of security vulnerabilities.
# Make sure security patches for microcode for *ALL* CPUs are included. # Make sure security patches for microcode for *ALL* CPUs are included.
# By default, it tries to auto-detect the running CPU, so only patches the CPU of the build server. # By default, it tries to auto-detect the running CPU, so only patches the CPU of the build server.
'--include=intel-microcode amd64-microcode iucode-tool', "--include=intel-microcode amd64-microcode iucode-tool",
'--essential-hook=>$1/etc/default/intel-microcode echo IUCODE_TOOL_INITRAMFS=yes IUCODE_TOOL_SCANCPUS=no', "--essential-hook=>$1/etc/default/intel-microcode echo IUCODE_TOOL_INITRAMFS=yes IUCODE_TOOL_SCANCPUS=no",
'--essential-hook=>$1/etc/default/amd64-microcode echo AMD64UCODE_INITRAMFS=yes', "--essential-hook=>$1/etc/default/amd64-microcode echo AMD64UCODE_INITRAMFS=yes",
'--dpkgopt=force-confold', # Work around https://bugs.debian.org/981004 "--dpkgopt=force-confold", # Work around https://bugs.debian.org/981004
# DHCP/DNS/SNTP clients... # DHCP/DNS/SNTP clients...
# FIXME: use live-config ? # FIXME: use live-config ?
'--include=libnss-resolve libnss-myhostname systemd-timesyncd', "--include=libnss-resolve libnss-myhostname systemd-timesyncd",
'--customize-hook=chroot $1 cp -alf /lib/systemd/resolv.conf /etc/resolv.conf', # This probably needs to happen LAST "--customize-hook=chroot $1 cp -alf /lib/systemd/resolv.conf /etc/resolv.conf", # This probably needs to happen LAST
# FIXME: fix resolv.conf to point to resolved, not "copy from the build-time OS" # FIXME: fix resolv.conf to point to resolved, not "copy from the build-time OS"
# FIXME: fix hostname & hosts to not exist, not "copy from the build-time OS" # FIXME: fix hostname & hosts to not exist, not "copy from the build-time OS"
'--customize-hook=systemctl --root=$1 enable systemd-networkd systemd-timesyncd', # is this needed? "--customize-hook=systemctl --root=$1 enable systemd-networkd systemd-timesyncd", # is this needed?
# Run a DHCP client on *ALL* ifaces. # Run a DHCP client on *ALL* ifaces.
# Consider network "up" (start sshd and local login prompt) when *ANY* (not ALL) ifaces are up. # Consider network "up" (start sshd and local login prompt) when *ANY* (not ALL) ifaces are up.
"--customize-hook=>$1/etc/systemd/network/up.network printf '%s\n' '[Match]' Name='en*' '[Network]' DHCP=yes", # try DHCP on all ethernet ifaces "--customize-hook=>$1/etc/systemd/network/up.network printf '%s\n' '[Match]' Name='en*' '[Network]' DHCP=yes", # try DHCP on all ethernet ifaces
'--customize-hook=mkdir $1/etc/systemd/system/systemd-networkd-wait-online.service.d', "--customize-hook=mkdir $1/etc/systemd/system/systemd-networkd-wait-online.service.d",
"--customize-hook=>$1/etc/systemd/system/systemd-networkd-wait-online.service.d/any-not-all.conf printf '%s\n' '[Service]' 'ExecStart=' 'ExecStart=/lib/systemd/systemd-networkd-wait-online --any'", "--customize-hook=>$1/etc/systemd/system/systemd-networkd-wait-online.service.d/any-not-all.conf printf '%s\n' '[Service]' 'ExecStart=' 'ExecStart=/lib/systemd/systemd-networkd-wait-online --any'",
# Hope there's a central smarthost SMTP server called "mail" in the local search domain. # Hope there's a central smarthost SMTP server called "mail" in the local search domain.
# FIXME: can live-config do this? # FIXME: can live-config do this?
'--include=msmtp-mta', "--include=msmtp-mta",
"--customize-hook=>$1/etc/msmtprc printf '%s\n' 'account default' 'syslog LOG_MAIL' 'host mail' 'auto_from on'", "--customize-hook=>$1/etc/msmtprc printf '%s\n' 'account default' 'syslog LOG_MAIL' 'host mail' 'auto_from on'",
# Hope there's a central RELP logserver called "logserv" in the local domain. # Hope there's a central RELP logserver called "logserv" in the local domain.
# FIXME: can live-config do this? # FIXME: can live-config do this?
'--include=rsyslog-relp', "--include=rsyslog-relp",
"""--customize-hook=>$1/etc/rsyslog.conf printf '%s\n' 'module(load="imuxsock")' 'module(load="imklog")' 'module(load="omrelp")' 'action(type="omrelp" target="logserv" port="2514" template="RSYSLOG_SyslogProtocol23Format")'""", """--customize-hook=>$1/etc/rsyslog.conf printf '%s\n' 'module(load="imuxsock")' 'module(load="imklog")' 'module(load="omrelp")' 'action(type="omrelp" target="logserv" port="2514" template="RSYSLOG_SyslogProtocol23Format")'""",
# Run self-tests on all discoverable hard disks, and (try to) email if something goes wrong. # Run self-tests on all discoverable hard disks, and (try to) email if something goes wrong.
'--include=smartmontools bsd-mailx', "--include=smartmontools bsd-mailx",
"--customize-hook=>$1/etc/smartd.conf echo 'DEVICESCAN -n standby,15 -a -o on -S on -s (S/../../7/00|L/../01/./01) -t -H -m root -M once'", "--customize-hook=>$1/etc/smartd.conf echo 'DEVICESCAN -n standby,15 -a -o on -S on -s (S/../../7/00|L/../01/./01) -t -H -m root -M once'",
# For rarely-updated, rarely-rebooted SOEs, apply what security updates we can into transient tmpfs COW. # For rarely-updated, rarely-rebooted SOEs, apply what security updates we can into transient tmpfs COW.
# This CANNOT apply kernel security updates (though it will download them). # This CANNOT apply kernel security updates (though it will download them).
# This CANNOT make the upgrades persistent across reboots (they re-download each boot). # This CANNOT make the upgrades persistent across reboots (they re-download each boot).
@ -109,7 +109,7 @@ with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td:
# apt-daily-upgrade.service and/or # apt-daily-upgrade.service and/or
# unattended-upgrades.service, so # unattended-upgrades.service, so
# needrestart is noninteractive only when apt is noninteractive? # needrestart is noninteractive only when apt is noninteractive?
'--include=unattended-upgrades needrestart', "--include=unattended-upgrades needrestart",
"--customize-hook=echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | chroot $1 debconf-set-selections", "--customize-hook=echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' | chroot $1 debconf-set-selections",
"""--customize-hook=>$1/etc/needrestart/conf.d/unattended-needrestart.conf echo '$nrconf{restart} = "a";'""", # https://bugs.debian.org/894444 """--customize-hook=>$1/etc/needrestart/conf.d/unattended-needrestart.conf echo '$nrconf{restart} = "a";'""", # https://bugs.debian.org/894444
# Do an apt update & apt upgrade at boot time (as well as @daily). # Do an apt update & apt upgrade at boot time (as well as @daily).
@ -117,7 +117,6 @@ with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td:
# FIXME: use dropin in /etc. # FIXME: use dropin in /etc.
"--customize-hook=>>$1/lib/systemd/system/apt-daily.service printf '%s\n' '[Install]' 'WantedBy=multi-user.target'", "--customize-hook=>>$1/lib/systemd/system/apt-daily.service printf '%s\n' '[Install]' 'WantedBy=multi-user.target'",
"--customize-hook=>>$1/lib/systemd/system/apt-daily-upgrade.service printf '%s\n' '[Install]' 'WantedBy=multi-user.target'", "--customize-hook=>>$1/lib/systemd/system/apt-daily-upgrade.service printf '%s\n' '[Install]' 'WantedBy=multi-user.target'",
# FIXME: add support for this stuff (for the non-live final install this happens via ansible): # FIXME: add support for this stuff (for the non-live final install this happens via ansible):
# #
# unattended-upgrades # unattended-upgrades
@ -126,48 +125,39 @@ with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td:
# refind (bootloader config) # refind (bootloader config)
# misc safety nets # misc safety nets
# double-check that mmdebstrap's machine-id support works properly # double-check that mmdebstrap's machine-id support works properly
# Bare minimum to let me SSH in. # Bare minimum to let me SSH in.
# FIXME: make this configurable. # FIXME: make this configurable.
# FIXME: trust a CA certificate instead -- see Zero Trust SSH, Jeremy Stott, LCA 2020 <https://youtu.be/lYzklWPTbsQ> # FIXME: trust a CA certificate instead -- see Zero Trust SSH, Jeremy Stott, LCA 2020 <https://youtu.be/lYzklWPTbsQ>
# WARNING: tinysshd does not support RSA, nor MaxStartups, nor sftp (unless you also install openssh-client, which is huge). # WARNING: tinysshd does not support RSA, nor MaxStartups, nor sftp (unless you also install openssh-client, which is huge).
# FIXME: double-check no host keys are baked into the image (openssh-server and dropbear do this). # FIXME: double-check no host keys are baked into the image (openssh-server and dropbear do this).
'--include=tinysshd rsync', "--include=tinysshd rsync",
'--essential-hook=install -dm700 $1/root/.ssh', "--essential-hook=install -dm700 $1/root/.ssh",
'--essential-hook=echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIapAZ0E0353DaY6xBnasvu/DOvdWdKQ6RQURwq4l6Wu twb@cyber.com.au (Trent W. Buck)" >$1/root/.ssh/authorized_keys', '--essential-hook=echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIapAZ0E0353DaY6xBnasvu/DOvdWdKQ6RQURwq4l6Wu twb@cyber.com.au (Trent W. Buck)" >$1/root/.ssh/authorized_keys',
# Bare minimum to let me log in locally. # Bare minimum to let me log in locally.
# DO NOT use this on production builds! # DO NOT use this on production builds!
'--essential-hook=chroot $1 passwd --delete root', "--essential-hook=chroot $1 passwd --delete root",
# Configure language (not needed to boot). # Configure language (not needed to boot).
# Racism saves a **LOT** of space -- something like 2GB for Debian Live images. # Racism saves a **LOT** of space -- something like 2GB for Debian Live images.
# FIXME: use live-config instead? # FIXME: use live-config instead?
'--include=locales localepurge', "--include=locales localepurge",
f'--essential-hook=echo locales locales/default_environment_locale select {args.locale} | chroot $1 debconf-set-selections', f"--essential-hook=echo locales locales/default_environment_locale select {args.locale} | chroot $1 debconf-set-selections",
f'--essential-hook=echo locales locales/locales_to_be_generated multiselect {args.locale} UTF-8 | chroot $1 debconf-set-selections', f"--essential-hook=echo locales locales/locales_to_be_generated multiselect {args.locale} UTF-8 | chroot $1 debconf-set-selections",
# FIXME: https://bugs.debian.org/603700 # FIXME: https://bugs.debian.org/603700
"--customize-hook=chroot $1 sed -i /etc/locale.nopurge -e 's/^USE_DPKG/#ARGH#&/'", "--customize-hook=chroot $1 sed -i /etc/locale.nopurge -e 's/^USE_DPKG/#ARGH#&/'",
"--customize-hook=chroot $1 localepurge", "--customize-hook=chroot $1 localepurge",
"--customize-hook=chroot $1 sed -i /etc/locale.nopurge -e 's/^#ARGH#//'", "--customize-hook=chroot $1 sed -i /etc/locale.nopurge -e 's/^#ARGH#//'",
# Removing documentation also saves a LOT of space. # Removing documentation also saves a LOT of space.
'--dpkgopt=path-exclude=/usr/share/doc/*', "--dpkgopt=path-exclude=/usr/share/doc/*",
'--dpkgopt=path-exclude=/usr/share/info/*', "--dpkgopt=path-exclude=/usr/share/info/*",
'--dpkgopt=path-exclude=/usr/share/man/*', "--dpkgopt=path-exclude=/usr/share/man/*",
'--dpkgopt=path-exclude=/usr/share/omf/*', "--dpkgopt=path-exclude=/usr/share/omf/*",
'--dpkgopt=path-exclude=/usr/share/help/*', "--dpkgopt=path-exclude=/usr/share/help/*",
'--dpkgopt=path-exclude=/usr/share/gnome/help/*', "--dpkgopt=path-exclude=/usr/share/gnome/help/*",
# Configure timezone (not needed to boot)` # Configure timezone (not needed to boot)`
# FIXME: use live-config instead? # FIXME: use live-config instead?
'--include=tzdata', "--include=tzdata",
f'--essential-hook=echo tzdata tzdata/Areas select {args.timezone[0]} | chroot $1 debconf-set-selections', f"--essential-hook=echo tzdata tzdata/Areas select {args.timezone[0]} | chroot $1 debconf-set-selections",
f'--essential-hook=echo tzdata tzdata/Zones/{args.timezone[0]} select {args.timezone[1]} | chroot $1 debconf-set-selections', f"--essential-hook=echo tzdata tzdata/Zones/{args.timezone[0]} select {args.timezone[1]} | chroot $1 debconf-set-selections",
# Do the **BARE MINIMUM** to make a USB key that can boot on X86_64 UEFI. # Do the **BARE MINIMUM** to make a USB key that can boot on X86_64 UEFI.
# We use mtools so we do not ever need root privileges. # We use mtools so we do not ever need root privileges.
# We can't use mkfs.vfat, as that needs kpartx or losetup (i.e. root). # We can't use mkfs.vfat, as that needs kpartx or losetup (i.e. root).
@ -185,31 +175,38 @@ with tempfile.TemporaryDirectory(prefix='debian-sid-zfs.') as td:
# FIXME: with qemu in UEFI mode (OVMF), I get dumped into startup.nsh (UEFI REPL). # FIXME: with qemu in UEFI mode (OVMF), I get dumped into startup.nsh (UEFI REPL).
# From there, I can manually type in "FS0:\EFI\BOOT\BOOTX64.EFI" to start refind, tho. # From there, I can manually type in "FS0:\EFI\BOOT\BOOTX64.EFI" to start refind, tho.
# So WTF is its problem? Does it not support fallback bootloader? # So WTF is its problem? Does it not support fallback bootloader?
'--include=refind parted mtools', "--include=refind parted mtools",
'--essential-hook=echo refind refind/install_to_esp boolean false | chroot $1 debconf-set-selections', "--essential-hook=echo refind refind/install_to_esp boolean false | chroot $1 debconf-set-selections",
'--customize-hook=echo refind refind/install_to_esp boolean true | chroot $1 debconf-set-selections', "--customize-hook=echo refind refind/install_to_esp boolean true | chroot $1 debconf-set-selections",
'--customize-hook=chroot $1 mkdir -p /boot/USB /boot/EFI/BOOT', "--customize-hook=chroot $1 mkdir -p /boot/USB /boot/EFI/BOOT",
'--customize-hook=chroot $1 cp /usr/share/refind/refind/refind_x64.efi /boot/EFI/BOOT/BOOTX64.EFI', "--customize-hook=chroot $1 cp /usr/share/refind/refind/refind_x64.efi /boot/EFI/BOOT/BOOTX64.EFI",
'--customize-hook=chroot $1 cp /usr/share/refind/refind/refind.conf-sample /boot/EFI/BOOT/refind.conf', "--customize-hook=chroot $1 cp /usr/share/refind/refind/refind.conf-sample /boot/EFI/BOOT/refind.conf",
f'--customize-hook=chroot $1 truncate --size={filesystem_img_size} /boot/USB/filesystem.img', f"--customize-hook=chroot $1 truncate --size={filesystem_img_size} /boot/USB/filesystem.img",
f'--customize-hook=chroot $1 parted --script --align=optimal /boot/USB/filesystem.img mklabel gpt mkpart {esp_label} {esp_offset}b 100% set 1 esp on', f"--customize-hook=chroot $1 parted --script --align=optimal /boot/USB/filesystem.img mklabel gpt mkpart {esp_label} {esp_offset}b 100% set 1 esp on",
f'--customize-hook=chroot $1 mformat -i /boot/USB/filesystem.img@@{esp_offset} -F -v {esp_label}', f"--customize-hook=chroot $1 mformat -i /boot/USB/filesystem.img@@{esp_offset} -F -v {esp_label}",
f'--customize-hook=chroot $1 mmd -i /boot/USB/filesystem.img@@{esp_offset} ::{live_media_path}', f"--customize-hook=chroot $1 mmd -i /boot/USB/filesystem.img@@{esp_offset} ::{live_media_path}",
f"""--customize-hook=echo '"Boot with default options" "boot=live live-media-path={live_media_path}"' >$1/boot/refind_linux.conf""", f"""--customize-hook=echo '"Boot with default options" "boot=live live-media-path={live_media_path}"' >$1/boot/refind_linux.conf""",
f"""--customize-hook=chroot $1 find /boot/ -xdev -mindepth 1 -maxdepth 1 -not -name filesystem.img -not -name USB -exec mcopy -vsbpm -i /boot/USB/filesystem.img@@{esp_offset} {{}} :: ';'""", f"""--customize-hook=chroot $1 find /boot/ -xdev -mindepth 1 -maxdepth 1 -not -name filesystem.img -not -name USB -exec mcopy -vsbpm -i /boot/USB/filesystem.img@@{esp_offset} {{}} :: ';'""",
# FIXME: copy-out doesn't handle sparseness, so is REALLY slow (about 50 seconds). # FIXME: copy-out doesn't handle sparseness, so is REALLY slow (about 50 seconds).
# Therefore instead leave it in the squashfs, and extract it later. # Therefore instead leave it in the squashfs, and extract it later.
# f'--customize-hook=copy-out /boot/USB/filesystem.img /tmp/', # f'--customize-hook=copy-out /boot/USB/filesystem.img /tmp/',
# f'--customize-hook=chroot $1 rm /boot/USB/filesystem.img', # f'--customize-hook=chroot $1 rm /boot/USB/filesystem.img',
"sid",
td / "filesystem.squashfs",
]
)
with args.output_file.open("wb") as f:
'sid', subprocess.check_call(
td / 'filesystem.squashfs' ["rdsquashfs", "--cat=boot/USB/filesystem.img", td / "filesystem.squashfs"],
]) stdout=f,
)
with args.output_file.open('wb') as f: subprocess.check_call(
subprocess.check_call(['rdsquashfs', '--cat=boot/USB/filesystem.img', td / 'filesystem.squashfs'], stdout=f) [
subprocess.check_call([ "mcopy",
'mcopy', '-i', f'{args.output_file}@@{esp_offset}', td / 'filesystem.squashfs', f'::{live_media_path}/filesystem.squashfs']) "-i",
f"{args.output_file}@@{esp_offset}",
td / "filesystem.squashfs",
f"::{live_media_path}/filesystem.squashfs",
]
)
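Review bot: `args.locale` and `args.timezone` are interpolated unquoted into the `--essential-hook=echo locales …` and `--essential-hook=echo tzdata …` strings, which are shell snippets (they rely on `$1` and `|`), so whitespace or shell metacharacters in either option change the command that runs during the build instead of being passed through as data. Wrapping the values, e.g. `shlex.quote(args.locale)`, keeps them literal; that needs `import shlex`, and the import block is outside the visible hunks. Separately, `type=lambda s: s.split("/")` accepts `UTC`, which then fails with an IndexError at `args.timezone[1]` rather than an argparse error, and a three-part name such as `America/Argentina/Buenos_Aires` silently loses its last component. Using `s.split("/", 1)` in a small type function that raises `argparse.ArgumentTypeError` when no `/` is present would enforce what the help text already states.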