From: Andrew Hewus Fresh
Subject: Re: [patch] Autoinstall with disk encryption
To: tech@openbsd.org
Date: Tue, 30 Jan 2024 22:05:19 -0800

On Tue, Jan 30, 2024 at 09:58:12PM -0800, Andrew Hewus Fresh wrote:
> On Tue, Jan 30, 2024 at 07:47:31PM -0800, Andrew Hewus Fresh wrote:
> > On Wed, Jan 31, 2024 at 01:53:40AM +0000, Klemens Nanni wrote:
> > > On Fri, Jan 26, 2024 at 01:48:21AM +0000, Klemens Nanni wrote:
> > > > Untested idea: ask_passphrase() question (match interactive bioctl prompt)
> > > > in unattended install only.
> > >
> > > What do you think?
> > > > Could you give it a try?
> > >
> > > All four interactive/unattended passphrase/key disk combinations work.
> > > Anyone else interested?
> >
> > Thinking this through, it looks OK to me. Unfortunately my test setup
> > is giving me trouble, so I haven't yet been able to give it a try.
> >
> > Not entirely sure I'll have time to get it fixed before vacation in one
> > week, but I'll let you know if I get to it before this gets committed.
>
> It turns out it wasn't that broken, below is the script I am using to
> test install.sub changes, it has now been enhanced to support looking
> for the keydisk answer in the answer file and setting up a keydisk.
>
>
> The passphrase version seemed to work well. I do wish there was a way
> to avoid the cleartext password in the file, but I suppose a best
> practice would be to use `bioctl -P` after install to change it. In any
> case, that worked great.

autoinstall(8) does say

    Passwords may be in plaintext, encrypted with encrypt(1), or set to
    ‘*************’ (13 '*'s) to disable password logins, only permitting
    alternative access methods (for example, ssh(1) keys).

So the documentation will need improving since we can't use a value from
encrypt(1) here.

> You may notice in the script that the "second" disk is commented out.
> That's because pick_keydisk doesn't filter for only disks with RAID
> partitions, it just complains if the disk isn't. That means it failed
> to work when there were three disks and the keydisk wasn't the second
> one. Perhaps we can add `get_dkdevs_raid` that does the `disklabel
> $_disk 2>/dev/null | ! grep -qw RAID` before even allowing an option.
> I'm not sure if that could cause issues though.
>
> In any case, even with the limitations, this seems like a nice
> improvement.
>
> OK afresh1@
>
>
> #!/bin/ksh
> set -e
>
> DIR=
> VND=vnd3
>
> rcctl check vmd
>
> if vmctl status | grep -q test-install-sub; then
> 	echo "vm still running" >&2
> 	exit 1
> fi
>
> OLDPWD=${PWD}
> cd /tmp
> [ -e bsd.rd ] || oget snapshots/bsd.rd
> if file bsd.rd | grep -q 'gzip compressed'; then
> 	mv bsd.rd bsd.rd.gz
> 	gunzip bsd.rd
> fi
>
> cleanup() {
> 	mount | grep -q "^/dev/${VND}a on /" && doas umount /dev/${VND}a
> 	doas vnconfig -l ${VND} | grep -q 'not in use' || doas vnconfig -u ${VND}
>
> 	rm -rf -- "$DIR"
> }
> trap cleanup EXIT
> cleanup
>
> forwarding=$( sysctl net.{inet.ip,inet6.ip6}.forwarding | sed -n 's/=0/=1/p' )
> [ "$forwarding" ] && doas sysctl $forwarding
>
> # Add to pf.conf
> #dns_server=192.168.1.2
> #pass out on egress from 100.64.0.0/10 to any nat-to (egress)
> #pass in proto { udp tcp } from 100.64.0.0/10 to any port domain \
> #    rdr-to $dns_server port domain
>
> DIR=$( mktemp -dt install-sub-XXXXXXXXX )
>
> rdsetroot -dx bsd.rd ${DIR}/root.fs
> doas vnconfig ${VND} ${DIR}/root.fs
>
> mkdir ${DIR}/root
> doas mount /dev/${VND}a ${DIR}/root
>
> doas cp /usr/src/distrib/miniroot/install.sub $DIR/root
>
> keydisk=false
> for f in "${OLDPWD}"/auto_{install,upgrade}.conf; do
> 	[ -e "$f" ] || continue
> 	doas cp "$f" "$DIR/root/"
> 	grep -iq 'Encrypt the root disk with a (p)assphrase or (k)eydisk? = k' "$f" && keydisk=true
> done
>
> doas umount /dev/${VND}a
> doas vnconfig -u ${VND}
> rdsetroot -d bsd.rd $DIR/root.fs
>
> vmctl create -s 5G "$DIR"/first.img
> #vmctl create -s 1G "$DIR"/second.img
> images=first #,second
>
> if "$keydisk"; then
> 	vmctl create -s 1M "$DIR"/third.img
> 	doas vnconfig ${VND} ${DIR}/third.img
>
> 	doas dd if=/dev/urandom of=/dev/${VND}c bs=1m count=1
> 	doas fdisk -iy ${VND}
> 	echo 'RAID *' | doas disklabel -wAT- ${VND}
>
> 	doas vnconfig -u ${VND}
>
> 	images="$images,third"
> fi
>
> doas vmctl start -cLb bsd.rd -i 4 -d"$DIR"/{$images}.img "$@" test-install-sub

-- 
andrew

If your computer says, "Printer out of Paper," this problem cannot be
resolved by continuously clicking the "OK" button.
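A filter of the kind the thread suggests for get_dkdevs_raid, written here as an added example that is neither install.sub code nor from the thread. It assumes a DISKLABEL_CMD variable (so it can be exercised offline against constructed disklabel(8) output from a hypothetical sample_disklabel helper) and matches only the fstype column of partition lines instead of `grep -qw RAID`, so a disk whose label text merely contains the word RAID is not offered as a key disk.

```shell
#!/bin/sh
# Added example (not from install.sub or the thread): keep only the disks
# whose disklabel(8) carries at least one partition of fstype RAID.
# Assumption: DISKLABEL_CMD names the command producing disklabel output.
DISKLABEL_CMD=${DISKLABEL_CMD:-disklabel}

# Print the subset of the given disks that have a RAID partition.
get_dkdevs_raid() {
	local _disk _raid
	_raid=
	for _disk in "$@"; do
		# Only partition lines (a: .. p:) with RAID in the fstype column
		# count; 'label:' or 'type:' lines mentioning RAID do not.
		if $DISKLABEL_CMD "$_disk" 2>/dev/null |
		    awk '$1 ~ /^[a-p]:$/ && $4 == "RAID" { found = 1 }
		         END { exit !found }'; then
			_raid="$_raid${_raid:+ }$_disk"
		fi
	done
	echo "$_raid"
}

# Constructed disklabel-style output for imaginary disks; sd2 is absent.
sample_disklabel() {
	case $1 in
	sd0)	printf '%s\n' 'label: RAID Controller' \
		    '  a:   10485760     64  4.2BSD  2048 16384 12958' \
		    '  c:   10485760      0  unused' ;;
	sd1)	printf '%s\n' 'label: vnd fictitious' \
		    '  a:       2048     64    RAID' \
		    '  c:       2048      0  unused' ;;
	*)	echo "disklabel: $1: No such file or directory" >&2
		return 1 ;;
	esac
}

# Run the filter against the constructed labels; prints "sd1" only.
demo() {
	( DISKLABEL_CMD=sample_disklabel; get_dkdevs_raid sd0 sd1 sd2 )
}

demo
```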