On Tue, Jan 30, 2024 at 07:47:31PM -0800, Andrew Hewus Fresh wrote:
> On Wed, Jan 31, 2024 at 01:53:40AM +0000, Klemens Nanni wrote:
> > On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> > > Untested idea:  ask_passphrase() question (match interactive bioctl prompt)
> > > in unattended install only.
> <SNIP>
> > > What do you think?
> > > Could you give it a try?
> > 
> > All four interactive/unattended passphrase/key disk combinations work.
> > Anyone else interested?
> 
> Thinking this through, it looks OK to me.  Unfortunately my test setup
> is giving me trouble, so I haven't yet been able to give it a try.
> 
> Not entirely sure I'll have time to get it fixed before vacation in one
> week, but I'll let you know if I get to it before this gets committed.


It turns out it wasn't that broken, below is the script I am using to
test install.sub changes, it has now been enhanced to support looking
for the keydisk answer in the answer file and setting up a keydisk.


The passphrase version seemed to work well.  I do wish there was a way
to avoid the cleartext password in the file, but I suppose a best
practice would be to use `bioctl -P` after install to change it.  In any
case, that worked great.

You may notice in the script that the "second" disk is commented out.
That's because pick_keydisk doesn't filter for only disks with RAID
partitions, it just complains if the disk isn't.  That means it failed
to work when there were three disks and the keydisk wasn't the second
one.  Perhaps we can add `get_dkdevs_raid` that does the `disklabel
$_disk 2>/dev/null | ! grep -qw RAID` before even allowing an option.
I'm not sure if that could cause issues though.

In any case, even with the limitations, this seems like a nice
improvement.

OK afresh1@


#!/bin/ksh
set -e

DIR=
VND=vnd3

rcctl check vmd

if vmctl status | grep -q test-install-sub; then
	echo "vm still running" >&2
	exit 1
fi

OLDPWD=${PWD}
cd /tmp
[ -e bsd.rd ] || oget snapshots/bsd.rd
if file bsd.rd | grep -q 'gzip compressed'; then
	mv bsd.rd bsd.rd.gz
	gunzip bsd.rd
fi

cleanup() {
    mount | grep -q "^/dev/${VND}a on /" && doas umount /dev/${VND}a
    doas vnconfig -l ${VND} | grep -q 'not in use' || doas vnconfig -u ${VND}

    rm -rf -- "$DIR"
}
trap cleanup EXIT
cleanup

forwarding=$( sysctl net.{inet.ip,inet6.ip6}.forwarding | sed -n 's/=0/=1/p' )
[ "$forwarding" ] && doas sysctl $forwarding

# Add to pf.conf
#dns_server=192.168.1.2
#pass out on egress from 100.64.0.0/10 to any nat-to (egress)
#pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
#        rdr-to $dns_server port domain

DIR=$( mktemp -dt install-sub-XXXXXXXXX )

rdsetroot -dx bsd.rd ${DIR}/root.fs
doas vnconfig ${VND} ${DIR}/root.fs

mkdir ${DIR}/root
doas mount /dev/${VND}a ${DIR}/root

doas cp /usr/src/distrib/miniroot/install.sub $DIR/root

keydisk=false
for f in "${OLDPWD}"/auto_{install,upgrade}.conf; do
    [ -e "$f" ] || continue
    doas cp "$f" "$DIR/root/"
    grep -iq 'Encrypt the root disk with a (p)assphrase or (k)eydisk? = k' "$f" && keydisk=true
done

doas umount /dev/${VND}a
doas vnconfig -u ${VND}
rdsetroot -d bsd.rd $DIR/root.fs

vmctl create -s 5G "$DIR"/first.img
#vmctl create -s 1G "$DIR"/second.img
images=first #,second

if "$keydisk"; then
    vmctl create -s 1M "$DIR"/third.img
    doas vnconfig ${VND} ${DIR}/third.img

    doas dd if=/dev/urandom of=/dev/${VND}c bs=1m count=1
    doas fdisk -iy ${VND}
    echo 'RAID *' | doas disklabel -wAT- ${VND}

    doas vnconfig -u ${VND}

    images="$images,third"
fi

doas vmctl start -cLb bsd.rd -i 4 -d"$DIR"/{$images}.img "$@" test-install-sub