develop

Author: Andrei-Pozolotin

.gitignore

@@ -1,13 +1,9 @@
 # This file is part of https://github.com/random-archer/mkinitcpio-systemd-tool
 
-#
 # eclipse meta data
-#
 .project
 
-#
 # generated resources
-#
 /*/
 /*.xz
 /*.log

README.md

@@ -8,16 +8,19 @@ Never write another mkinitcpio hook again, use systemd-tool.
 
 Provisioning tool for systemd in initramfs (systemd-tool)
 
-Features:
-* initrd debugging
-* early network setup
-* remote ssh access in initrd
-* cryptsetup password answer over ssh
+mkinitcpio hook name: `systemd-tool`
+
+Core features provided by the hook:
 * unified systemd + mkinitcpio configuration
 * automatic provisioning of binary and config resources
 * on-demand invocation of mkinitcpio scripts and in-line functions 
 
-mkinitcpio hook name: `systemd-tool`
+Features provided by the included service units:
+* initrd debugging
+* early network setup
+* interactive user shell
+* remote ssh access in initrd
+* cryptsetup + custom password agent 
 
 ### Example
 
@@ -66,6 +69,10 @@ how can I enable my custom service unit in initrd?
 how can I disable my custom service unit in initrd?
 * alter the tag marker string, i.e.: `ConditionPathExists=/etc/xxx/initrd-release`
 
+how systemd unit transitive dependency provisioning works?
+* see `mkinitcpio-install.sh/add_systemd_unit_X()`
+* services and targets found in `[Unit]/Requires|OnFailure` are recursively installed 
+
 what is the purpose of `[X-SystemdTool]` section in service unit files?
 * see https://github.com/systemd/systemd/issues/3340
 * this section provides configuration interface for `mkinitcpio` provisioning actions
@@ -137,6 +144,7 @@ is there a silent or no-echo mode during password entry in `initrd-shell.sh`?
 ### Package Build Questions and Answers
 
 how can I install a development version of this?
+* create a marker file `.PKGDEV` to build from latest master, for example
 ```
 mkdir -p /tmp/aur
 cd /tmp/aur
@@ -145,3 +153,4 @@ cd mkinitcpio-systemd-tool
 touch .PKGDEV
 makepkg --syncdeps --install   --noconfirm --needed
 ``` 
+* release versions look like `3-1`, development like `3.25.d069dad-1`

crypttab

@@ -10,7 +10,7 @@
 
 # to setup crypto disks in initramfs over ssh
 # manually provide here partition UUID with help of `lsblk`
-# then active initrd-cryptsetup.service as well as "ask password prompt" in shell.sh 
+# then active initrd-cryptsetup.service 
 
 # <name>     <device>                 <password>       <options>
   swap       UUID=${UUID_SWAP}          none            luks

initrd-build.sh

@@ -38,7 +38,7 @@ do_ssh_host_keys() {
         source=$(keypath_openssh "$keytype")
         target=$(keypath_dropbear $(keytype_dropbear "$keytype"))
         if [ -f "$target" ]; then
-            quiet "provision existing dropbear host key: $target"
+            quiet "use existing dropbear host key: $target"
         else
             if [ -f "$source" ] ; then
                 plain "convert openssh to dropbear host key: $target"

initrd-cryptsetup.service

@@ -17,9 +17,10 @@ Before=cryptsetup.target
 Requires=initrd-shell.service
 
 [Service]
-ExecStart=/etc/systemd/system/initrd-shell.sh script_entry=service
+ExecStart=/etc/systemd/system/initrd-shell.sh script_entry=service service_name=cryptsetup
 Restart=on-failure
 RestartSec=1s
+RestartPreventExitStatus=100
 StandardInput=tty
 StandardOutput=inherit
 StandardError=inherit

initrd-debug-progs.service

@@ -20,6 +20,9 @@ WantedBy=initrd-debug-shell.service
 
 [X-SystemdTool]
 
+# debug tools
+InitrdBinary=/usr/bin/strace optional=yes
+
 # systemd tools
 InitrdBinary=/usr/bin/systemd-analyze 
 InitrdBinary=/usr/bin/journalctl

initrd-network.service

@@ -17,10 +17,10 @@ RemainAfterExit=true
 ExecStart=/bin/true
 #### required to recover from emergency service
 ExecStart=/bin/sh -c "echo '%N: enalbe network devices'"
-ExecStart=/bin/sh -c "for dev in $(ls /sys/class/net) ; do iplink set "$dev" up   ; done"
-#### required for interface renaming after root switch
+ExecStart=/bin/sh -c "for dev in $(ls /sys/class/net) ; do ip link set $dev up   ; done"
+#### required for interface renaming after switch-root
 ExecStop=/bin/sh -c  "echo '%N: disable network devices'"
-ExecStop=/bin/sh -c  "for dev in $(ls /sys/class/net) ; do iplink set "$dev" down ; done"
+ExecStop=/bin/sh -c  "for dev in $(ls /sys/class/net) ; do ip link set $dev down ; done"
 
 [Install]
 WantedBy=sysinit.target
@@ -38,3 +38,6 @@ InitrdCall=add_checked_modules /drivers/net/
 
 # runtime location of resolv.conf provided by systemd-resolved.service
 InitrdLink=/etc/resolv.conf /run/systemd/resolve/resolv.conf
+
+# dns resolution support
+InitrdBinary=/usr/lib/libnss_dns.so.2 optional=yes

initrd-shell.service

@@ -21,7 +21,7 @@ WantedBy=sysinit.target
 
 # provision initrd shell
 InitrdPath=/etc/systemd/system/initrd-shell.sh mode=700
-#InitrdBinary=/usr/bin/sulogin
+InitrdBinary=/usr/bin/sulogin
 InitrdBinary=/usr/bin/systemctl
 InitrdBinary=/usr/bin/systemd-cat
 InitrdBinary=/usr/bin/journalctl
@@ -34,7 +34,7 @@ InitrdPath=/etc/group
 InitrdPath=/etc/passwd
 InitrdPath=/etc/shadow
 InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_root_shell
-#InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_secret_clean
+InitrdBuild=/etc/systemd/system/initrd-build.sh command=do_secret_clean
 
 # include ssh credentials
 InitrdPath=/root/.ssh/authorized_keys source=/root/.ssh/authorized_keys mode=600

initrd-shell.sh

@@ -100,8 +100,7 @@ convert_ask_file() {
 # read named field from string of [name=value] entries
 extract_property() {
     local text="$1" name="$2" 
-    local $text # inject
-    eval echo \${$name} # extract
+    local $text && eval echo \${$name}
 }
 
 # remove any pending content from the console input 
@@ -245,13 +244,29 @@ entry_console() {
     fi
 }
 
-# process invocation from systemd unit initrd-cryptsetup.service
+# process invocation from a systemd service unit
 entry_service() {
+    case "$service_name" in
+        default)    service_default ;;
+        cryptsetup) service_cryptsetup ;;
+                 *) log_error "invalid service_name=$service_name" ;;
+    esac
+}
+
+# default service implementation
+service_default() {
+    log_info "default service" 
+    do_exit $service_restart_prevent_code
+}
+
+# cryptsetup service implementation
+service_cryptsetup() {
+    log_info "cryptsetup service" 
     if has_crypt_jobs ; then
         run_crypt_jobs
     else
         log_info "nothing to do" 
-        do_exit 0
+        do_exit $service_restart_prevent_code
     fi
 }
 
@@ -267,11 +282,11 @@ do_prompt() {
         read -n 1 -p "?> " choice
         print_eol
         case "$choice" in
-        a) do_agent_custom ;;
-        s) do_shell ;;
-        r) do_reboot ;;
-        q) do_exit 0 ;;
-        *) echo "$choice ?" ;;
+            a) do_agent_custom ;;
+            s) do_shell ;;
+            r) do_reboot ;;
+            q) do_exit 0 ;;
+            *) echo "$choice ?" ;;
         esac
     done
 }
@@ -329,7 +344,10 @@ setup_defaults() {
     [ -z "$script_verbose" ] && readonly script_verbose="error" # can be {info,warn,error}
     [ -z "$script_tool_vars" ] && readonly script_tool_vars="$MC_SID" # tool shell detection 
     [ -z "$script_identifier" ] && readonly script_identifier="shell" # systemd journal log tag
-    # reboot options 
+    # service settings
+    [ -z "$service_name" ] && readonly service_name="default"
+    [ -z "$service_restart_prevent_code" ] && readonly service_restart_prevent_code=100 # see [Unit]/RestartPreventExitStatus
+    # reboot options
     [ -z "$reboot_options" ] && readonly reboot_options="--force --force --no-ask-password" 
     # password query settings
     [ -z "$query_prompt" ] && readonly query_prompt=" secret>"
@@ -353,8 +371,8 @@ setup_defaults() {
 setup_interrupts() {
     trap trap_HUP HUP
     trap trap_INT INT
-    #trap trap_QUIT QUIT
-    #trap trap_TSTP TSTP
+    trap trap_QUIT QUIT
+    trap trap_TSTP TSTP
     trap trap_TERM TERM
 }
 

mkinitcpio-install.sh

@@ -96,20 +96,24 @@ add_systemd_unit_X() {
             InitrdBinary)
                 # provision binaries
                 # format:
-                # InitrdBinary=/path/exec [replace=yes]
-                local target= args= replace=
+                # InitrdBinary=/path/exec [replace=yes] [optional=yes]
+                local target= args= replace= optional=
                 target=${values[0]} ; args=${values[@]:1:9}
                 [[ $args ]] && local ${args[*]}
                 if [[ -f $BUILDROOT$target ]] ; then
                     if [[ $replace == "yes" ]] ; then 
-                         quiet "replace present binary $target"
-                         add_binary "$target"
+                        quiet "replace present binary $target"
+                        add_binary "$target"
                     else 
-                         quiet "reuse present binary $target"
+                        quiet "reuse present binary $target"
                     fi
+                elif [[ -f $target ]] ; then
+                    quiet "provision new binary $target"
+                    add_binary "$target"
+                elif [[ $optional = "yes" ]] ; then
+                    quiet "skip optional binary $target"
                 else
-                     quiet "provision new binary $target"
-                     add_binary "$target"
+                    error "missing host binary $target"
                 fi
                 ;;
             InitrdPath)