https://blog.moe.ph/tags/debian/DebianHugo Blox Builder (https://hugoblox.com)en-usTue, 28 Jan 2020 00:00:00 +0000https://blog.moe.ph/media/logo_hu_230979b687bad52e.pnghttps://blog.moe.ph/tags/debian/https://blog.moe.ph/blog/building-live-cd-of-debian-testing-repository/Tue, 28 Jan 2020 00:00:00 +0000https://blog.moe.ph/blog/building-live-cd-of-debian-testing-repository/<p>Using testing release of Debian as live CD distribution is not as straight forward as building with stable release. The reason for that is there are some steps that should be taken first, before you can use the testing repository. Refer to this link for comprehensive guide for switching from stable to testing release.</p> <p> </p> <p>These are the steps given in the documentation.</p> <p>Edit your , changing <strong>stable</strong> (or buster, the current codename for stable) to <strong>testing</strong> (or bullseye, the current code name for the next stable release).</p> <p>Remove, disable or comment out your stable security updates apt sources (anything with <em><strong>security.debian.org</strong></em> in it).</p> <p>Remove, disable or comment out any other stable-specific apt sources, like *-backports or *-updates.</p> <p>Verify that your installation is not fixed to a specific release in <strong>/etc/apt/apt.conf.d/00default-release</strong>.</p> <p>In short, you must also integrate these requirements on your live-build configuration.</p> <h2 id="step-1">Step 1</h2> <p>Change the distribution related configuration in the config. To change the required settings, run the commands below. I used the testing release instead of bullseye so that I can still use the configuration once the bullseye release is considered as stable.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">lb config -d testing; </span></span><span class="line"><span class="cl">lb config --debian-installer-distribution testing; </span></span><span class="line"><span class="cl">lb config --parent-distribution testing; </span></span><span class="line"><span class="cl">lb config --parent-debian-installer-distribution testing; </span></span></code></pre></div><h2 id="step-2">Step 2</h2> <p>Disable the security updates source.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">lb config --security false; </span></span></code></pre></div><h2 id="step-3">Step 3</h2> <p>Disable the backport and updates sources.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">lb config --backports false; </span></span><span class="line"><span class="cl">lb config --updates false; </span></span></code></pre></div><h2 id="step-4">Step 4</h2> <p>You also need to add the unstable repository on your archive sources, since some packages are not yet available on the testing release repository. You can do that by adding a configuration on config/archives/. Your archives folder should have the files below with corresponding settings. Take note that you should pin the unstable release to lower priority. Setting this incorrectly may cause some issues on the prioritized packages.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl"># cat config/archives/unstable.list.chroot </span></span><span class="line"><span class="cl">deb http://deb.debian.org/debian/ unstable main contrib non-free </span></span><span class="line"><span class="cl"># cat config/archives/unstable.pref.chroot </span></span><span class="line"><span class="cl">Package: * </span></span><span class="line"><span class="cl">Pin: release a=unstable </span></span><span class="line"><span class="cl">Pin-Priority: 100 </span></span></code></pre></div><p>Once you completed the give steps above, you should be able to successfully build a live CD from testing release.</p>https://blog.moe.ph/blog/encrypted-persistent-filesystem-in-live-debian/Mon, 09 Dec 2019 00:00:00 +0000https://blog.moe.ph/blog/encrypted-persistent-filesystem-in-live-debian/<p>In the past few months, I really struggled to make my persistent storage encrypted. Every time I rebuilt my system and tested it, dm-crypt module missing error always pops-out during boot-up. Finally, I have able to make it work. Here&rsquo;s how I fix it.</p> <p>Initially, including these packages will just easily make the LUKS integration works.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cryptsetup </span></span><span class="line"><span class="cl">cryptsetup-run </span></span><span class="line"><span class="cl">cryptsetup-bin </span></span><span class="line"><span class="cl">cryptsetup-initramfs </span></span></code></pre></div><p>Installing cryptsetup is indicated on the live-build manual on Debian site. I also include cryptsetup-initramfs, since it&rsquo;s probably required. Having crypto module in initramfs is a must, since decrypting the volumes would happen in early stage of boot-up.</p> <p>Unfortunately, once you built the image and test it, it would not work.</p> <p>After testing for several months, I decided to check the documentation of cryptsetup-initramfs, and the hooks during chroot build. Upon checking, I noticed these two configuration files.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">root</span><span class="err">@</span><span class="n">debian</span><span class="p">:</span><span class="o">~</span><span class="c1"># find /etc -name *cryptsetup*</span> </span></span><span class="line"><span class="cl"><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">cryptsetup</span><span class="o">-</span><span class="n">initramfs</span> </span></span><span class="line"><span class="cl"><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">initramfs</span><span class="o">-</span><span class="n">tools</span><span class="o">/</span><span class="n">conf</span><span class="o">.</span><span class="n">d</span><span class="o">/</span><span class="n">cryptsetup</span> </span></span></code></pre></div><p>The <strong>/etc/initramfs-tools/conf.d/cryptsetup</strong> file was generated by the 0030 hook. It seems fine, but I noticed cryptsetup-initramfs. Upon checking, there is a separate configuration about the same settings as cryptsetup, but the CRYPTSETUP was not set.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-go" data-lang="go"><span class="line"><span class="cl"><span class="nx">root</span><span class="err">@</span><span class="nx">debian</span><span class="p">:~</span><span class="err">#</span><span class="w"> </span><span class="nx">cat</span><span class="w"> </span><span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">cryptsetup</span><span class="o">-</span><span class="nx">initramfs</span><span class="o">/</span><span class="nx">conf</span><span class="o">-</span><span class="nx">hook</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">Configuration</span><span class="w"> </span><span class="nx">file</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">cryptroot</span><span class="w"> </span><span class="nx">initramfs</span><span class="w"> </span><span class="nx">hook</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">CRYPTSETUP</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="nx">y</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="nx">n</span><span class="w"> </span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">Add</span><span class="w"> </span><span class="nx">cryptsetup</span><span class="w"> </span><span class="nx">and</span><span class="w"> </span><span class="nx">its</span><span class="w"> </span><span class="nx">dependencies</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">initramfs</span><span class="w"> </span><span class="nx">image</span><span class="p">,</span><span class="w"> </span><span class="nx">regardless</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">of</span><span class="w"> </span><span class="nx">_this_</span><span class="w"> </span><span class="nx">machine</span><span class="w"> </span><span class="nx">configuration</span><span class="p">.</span><span class="w"> </span><span class="nx">By</span><span class="w"> </span><span class="k">default</span><span class="p">,</span><span class="w"> </span><span class="nx">they</span><span class="err">&#39;</span><span class="nx">re</span><span class="w"> </span><span class="nx">only</span><span class="w"> </span><span class="nx">added</span><span class="w"> </span><span class="nx">when</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">a</span><span class="w"> </span><span class="nx">device</span><span class="w"> </span><span class="nx">is</span><span class="w"> </span><span class="nx">detected</span><span class="w"> </span><span class="nx">that</span><span class="w"> </span><span class="nx">needs</span><span class="w"> </span><span class="nx">to</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">unlocked</span><span class="w"> </span><span class="nx">at</span><span class="w"> </span><span class="nx">initramfs</span><span class="w"> </span><span class="nx">stage</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="p">(</span><span class="nx">such</span><span class="w"> </span><span class="nx">as</span><span class="w"> </span><span class="nx">root</span><span class="w"> </span><span class="nx">or</span><span class="w"> </span><span class="nx">resume</span><span class="w"> </span><span class="nx">devices</span><span class="w"> </span><span class="nx">or</span><span class="w"> </span><span class="nx">ones</span><span class="w"> </span><span class="nx">with</span><span class="w"> </span><span class="nx">explicit</span><span class="w"> </span><span class="err">&#39;</span><span class="nx">initramfs</span><span class="err">&#39;</span><span class="w"> </span><span class="nx">flag</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">in</span><span class="w"> </span><span class="o">/</span><span class="nx">etc</span><span class="o">/</span><span class="nx">crypttab</span><span class="p">).</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">Note</span><span class="p">:</span><span class="w"> </span><span class="nx">Honoring</span><span class="w"> </span><span class="nx">this</span><span class="w"> </span><span class="nx">setting</span><span class="w"> </span><span class="nx">will</span><span class="w"> </span><span class="nx">be</span><span class="w"> </span><span class="nx">deprecated</span><span class="w"> </span><span class="nx">in</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="nx">future</span><span class="p">.</span><span class="w"> </span><span class="nx">Please</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">uninstall</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span><span class="err">&#39;</span><span class="nx">cryptsetup</span><span class="o">-</span><span class="nx">initramfs</span><span class="err">&#39;</span><span class="w"> </span><span class="kn">package</span><span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="nx">you</span><span class="w"> </span><span class="nx">don</span><span class="err">&#39;</span><span class="nx">t</span><span class="w"> </span><span class="nx">want</span><span class="w"> </span><span class="nx">the</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">cryptsetup</span><span class="w"> </span><span class="nx">initramfs</span><span class="w"> </span><span class="nx">integration</span><span class="p">.</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"></span><span class="err">#</span><span class="w"> </span><span class="nx">CRYPTSETUP</span><span class="p">=</span><span class="w"> </span></span></span></code></pre></div><p>Since I have nothing more to lose, I set the cryptsetup-initramfs settings by overwriting the configuration via includes.chroot. I have make sure that <strong>CRYPTSETUP=y</strong> is in the file.</p> <p>I have proceed to rebuilding it again, and I noticed that the weird cryptsetup error during initramfs compilation process is gone. Seems good, right?</p> <p>I download the new image, burn it to my flashdrive, setup persistence storage, then boot. Guess what? The cryptsetup prompt me to my LUKS password. The thing was able to work finally!</p> <h2 id="findings">Findings</h2> <p>If you are planning to use encrypted persistent storage, always enable the CRYPTSETUP in cryptsetup-initramfs settings. It will make your life easier. You can enable it via hooks, or overwrite it with your custom includes.chroot file. For me, I just use the includes.chroot option to reduce clutter in my hooks.</p> <p>Here&rsquo;s the reference for this.</p> <p> </p>https://blog.moe.ph/blog/using-persistent-live-system-as-poor-mans-system/Sat, 16 Nov 2019 00:00:00 +0000https://blog.moe.ph/blog/using-persistent-live-system-as-poor-mans-system/<p>I have a weird setup of my work station. I am currently using a system with damaged SATA boards, so I search for a way to use a diskless work station. It&rsquo;s not entirely diskless, since I&rsquo;m now using a flashdrive with live Debian.</p> <p>If you are interested, here is the link for the base configuration of my live system.</p> <p> </p> <h2 id="building">Building</h2> <p>The image will be built by using container. Use the Dockerfile to generate a container for live build. Buildah is used in creating the container image.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">buildah bud -f Dockerfile -t debian-live . </span></span></code></pre></div><p>Run the container using podman. The container needs privilaged access to the host system. You also need to use persistent storage for the image file, with exec,dev flags.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">podman run -ti --privileged --name debian-live -v vdebian:/app:exec,dev debian-live </span></span></code></pre></div><p>Go to /app directory. Clone this repository, and go inside the repository&rsquo;s directory.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">cd /app; </span></span><span class="line"><span class="cl">git clone https://github.com/ZeroExistence/debian-live-workstation.git; </span></span><span class="line"><span class="cl">cd debian-live-workstation; </span></span></code></pre></div><p>Run the live build command.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">lb build </span></span></code></pre></div>