wiki:doc/TorBOX/Dev/ChangeRoot


--

DRAFT!

#!/bin/bash
# save as ~/TorBOX-chroot



# Trace every command as it runs (long form of `set -x`); useful while this
# draft is being debugged, noisy otherwise.
set -o xtrace

# Unprivileged account that owns the VirtualBox VMs and the build folder
# underneath /home; all paths below are derived from it.
USERNAME='user'



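#######################################
# Abort unless the script runs with effective uid 0; modprobe, mount,
# qemu-nbd and chroot below all need it.
# Globals:   none
# Outputs:   the INFO line on stdout; the ERROR line on stderr so it is not
#            mistaken for regular output when stdout is captured
# Returns:   0 when root; otherwise exits the whole script with status 1
#######################################
root_check() {
######################################################
# Checking script environment
######################################################
# Check if we are root
if [ "$(id -u)" != "0" ]; then
     printf '%s\n' "ERROR: This must be run as root (sudo)!" >&2
     exit 1
else
     printf '%s\n' "INFO: Script running as root."
fi
}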



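#######################################
# Expose the VM's .vdi as a block device through qemu-nbd and mount its
# first partition at $CHROOT_FOLDER.
# Globals:   USERNAME, VMNAME, CHROOT_FOLDER (read)
#            NBD_DEV (read, optional; the nbd device to use, /dev/nbd0 if unset)
# Returns:   0 on success; 1 if the module, the nbd attach, the mount point
#            or the mount failed. On a failed mount the nbd device is
#            detached again so nothing is left half-attached.
#######################################
mount_vm_image() {
local nbd_dev="${NBD_DEV:-/dev/nbd0}"
local image="/home/$USERNAME/VirtualBox VMs/$VMNAME/$VMNAME.vdi"

# Ensure the VM is powered off. Mounting a disk a running VM still writes
# to is a fast way to corrupt it. VBoxManage presumably reports an error
# when the VM is already off; that is fine here and deliberately not checked.
sudo -u "$USERNAME" VBoxManage controlvm "$VMNAME" poweroff

# Make sure required module to mount vdi images is installed.
modprobe nbd || return 1

# Attach the image to the nbd device (quoted: the path contains a space).
qemu-nbd -c "$nbd_dev" "$image" || return 1

# Folder has to exist to mount the image.
mkdir -p -- "$CHROOT_FOLDER" || { qemu-nbd -d "$nbd_dev"; return 1; }

# Mount the first partition, exposed as ${nbd_dev}p1.
# NOTE(review): the image content is untrusted from the host's point of
# view; `nosuid,nodev` would be stricter but is untested with the chroot
# steps that follow, so it is not added here.
if ! mount -o noatime "${nbd_dev}p1" "$CHROOT_FOLDER"; then
  qemu-nbd -d "$nbd_dev"
  return 1
fi
}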



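#######################################
# Reverse of mount_vm_image: unmount the chroot folder, detach the nbd
# device and remove the (empty) mount point.
# Globals:   CHROOT_FOLDER (read; must be set, see the :? guard below)
#            NBD_DEV (read, optional; /dev/nbd0 if unset)
# Returns:   0 on success; 1 if the unmount failed, in which case the nbd
#            device stays attached and the folder is left untouched
#######################################
unmount_vm_image() {
local nbd_dev="${NBD_DEV:-/dev/nbd0}"

# Unmount first, detach second. The previous order (detach, then umount)
# pulled the block device away from under a mounted filesystem, which can
# fail or leave the image with I/O errors.
umount "$CHROOT_FOLDER" || return 1

# Shutdown the nbd.
qemu-nbd -d "$nbd_dev"

# Delete the temporary folder. It did not contain anything, it was only a
# mount point, so rmdir is sufficient. Unlike `rm -r` it refuses to delete
# a directory that still has content, e.g. if the filesystem were somehow
# still mounted there. The :? guard aborts instead of running on "".
rmdir -- "${CHROOT_FOLDER:?CHROOT_FOLDER is not set}"
}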



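#######################################
# Prepare the mounted image at $CHROOT_FOLDER so that `chroot` can run apt
# and friends inside it: bind the host's /dev, /proc, /sys and /dev/pts and
# provide a read-only view of the host's /etc/resolv.conf.
# Must run as root (root_check); the `sudo` prefixes of the old version
# were redundant for that reason and are gone.
# Globals:   CHROOT_FOLDER (read; must be set — with an empty value the
#            targets below would be the host's own /dev, /proc and /sys)
# Returns:   1 if a mount fails. Earlier mounts are NOT undone; run
#            do_unchroot to clean up.
#######################################
do_chroot() {
local root="${CHROOT_FOLDER:?CHROOT_FOLDER is not set}"

# Review: not sure if we better mount more or less of them.
# NOTE(review): binding the host's /dev makes every host block device
# visible inside the chroot, and anything a package script writes under
# /dev lands on the host. A private /dev with only the needed nodes would
# be stricter; left as-is until tested.
mount --bind /dev "$root/dev" || return 1
mount --bind /proc "$root/proc" || return 1
mount --bind /sys "$root/sys" || return 1

# Discussion: we may also think about mounting everything,
#             i.e. recursively mounting.

# Fixes "Can not write log, openpty() failed (/dev/pts not mounted?)"
# Thanks to
# http://www.gentoo.org/proj/en/base/amd64/howtos/index.xml?part=1&chap=2
# for the idea.
# Review: not sure if we better omit it.
# The old target was "$XXX/dev/pts" with XXX never set, i.e. /dev/pts was
# bind-mounted over the host's own /dev/pts instead of the chroot's.
mount -o bind /dev/pts "$root/dev/pts" || return 1

# /etc/resolv.conf controversy:
# When we are inside chroot, we need a functional /etc/resolv.conf,
# otherwise dns lookups and subsequently apt-get and wget would be defunct.
#
# On the other hand, we do not want to copy /etc/resolv.conf from the
# build machine into chroot, to prevent leaking personal data into chroot.
# A bind mount only lasts until do_unchroot, so nothing is copied into
# the image itself.
#
# Finally we also require to rewrite /etc/resolv.conf, so that after
# booting the Virtual Machine, localhost (Tor) gets used for dns lookups.
# TODO: that rewrite does not happen yet; after do_unchroot the image is
# left with the empty file written below.

# Remove write protection, if any. Should not be the case after a fresh
# creation of the image. Just to prevent an error if we ever support
# re-running the script. Will not hurt.
chattr -i "$root/etc/resolv.conf"

# Must exist to be able to mount.
echo "" > "$root/etc/resolv.conf"

# We need two commands to get a read-only bind mount of an existing file.
# Thanks to
# https://lwn.net/Articles/281157/
# The remount carries `bind` as well: without it the ro flag may be applied
# to the superblock behind /etc/resolv.conf (the host's root filesystem)
# rather than to this one mount point. The former `noload` is an ext4
# option with no meaning for a bind mount and was dropped.
mount --bind /etc/resolv.conf "$root/etc/resolv.conf" || return 1
mount -o remount,ro,bind "$root/etc/resolv.conf"
}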



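#######################################
# Steps to run INSIDE the chroot (roughly `chroot "$CHROOT_FOLDER" ...`;
# not wired up yet in this draft): block daemon start-up while packages are
# installed, then update and dist-upgrade through the local apt proxy.
# Globals:   none
# Outputs:   apt-get output on stdout/stderr
# Returns:   the first non-zero apt-get status, 0 if both succeeded;
#            policy-rc.d and the temporary apt.conf are removed either way
#######################################
inside_chroot() {
# TODO: sources.list incomplete. Bug in preseed?

# apt options go into a private temporary file instead of the fixed
# /tmp/apt.conf, which anyone with write access to /tmp could pre-create.
local apt_conf
apt_conf=$(mktemp) || return 1
cat > "$apt_conf" <<'EOF'
# TorBOX
Acquire::http { Proxy "http://127.0.0.1:3142"; };
EOF

## http://lifeonubuntu.com/how-to-prevent-server-daemons-from-starting-during-apt-get-install/
## Prevents Tor from connecting to the public Tor network while building
## (for bridge users). Should also take care of chroot mount getting locked
## (presumably by a daemon a postinst would otherwise start).
printf '%s\n' '#!/bin/sh' 'exit 101' > /usr/sbin/policy-rc.d
chmod 755 /usr/sbin/policy-rc.d

local rc=0
apt-get --config-file "$apt_conf" update || rc=$?
apt-get --config-file "$apt_conf" --yes dist-upgrade || rc=$?

# apt-get --config-file purge locales
# sudo dpkg-reconfigure locales
# sudo locale-gen en_US.UTF-8


# ...

## make daemons start again
rm -f /usr/sbin/policy-rc.d
rm -f -- "$apt_conf"
return "$rc"
}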



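#######################################
# Undo do_chroot: unmount the bind mounts, innermost first.
# Globals:   CHROOT_FOLDER (read; must be set — with an empty value the
#            paths below would be the host's own /dev, /proc and /sys)
# Returns:   0 if every unmount succeeded, 1 if any failed; the remaining
#            ones are still attempted so one stuck mount does not leave
#            the others behind
#######################################
do_unchroot() {
local root="${CHROOT_FOLDER:?CHROOT_FOLDER is not set}"
local rc=0
local sub
# dev/pts is nested inside dev, so it has to come first.
for sub in dev/pts dev proc sys etc/resolv.conf; do
  umount "$root/$sub" || rc=1
done
return "$rc"
}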



# TODO:
# Changing disk uuids has to be done somewhere...



# Do we need this any longer or can it be moved to
# T-G/W scripts?
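#######################################
# Older preparation that runs INSIDE the chroot: write a static /etc/mtab,
# upgrade and install the base tool set, write /etc/fstab for the root
# partition and create the unprivileged "user" account.
# Globals:   ROOT_UUID (read if already set in the environment; otherwise
#            the historic default below is assigned, as before)
# Returns:   status of the last command (draft; apt errors are not checked)
#######################################
inside_chroot_old() {
# part of the script that runs inside of chroot

# VARIABLES
# UUID the image's root partition is expected to carry; /etc/fstab below
# refers to it. Overridable from the environment so a re-created image with
# a new UUID does not need a script edit.
ROOT_UUID="${ROOT_UUID:-26ada0c0-1165-4098-884d-aafd2220c2c6}"

# TODO this would leak uuid of the host disk!
#grep -v rootfs /proc/mounts > /etc/mtab

## TODO Missing info on mounted /dev/loop, needs testing.
# Static table instead of a copy of the host's /proc/mounts (see above).
cat > /etc/mtab <<'EOF'
/dev/sda1 / ext4 rw,noatime,errors=remount-ro 0 0
proc /proc proc rw,noexec,nosuid,nodev 0 0
sysfs /sys sysfs rw,noexec,nosuid,nodev 0 0
none /sys/fs/fuse/connections fusectl rw 0 0
none /sys/kernel/debug debugfs rw 0 0
none /sys/kernel/security securityfs rw 0 0
udev /dev devtmpfs rw,mode=0755 0 0
devpts /dev/pts devpts rw,noexec,nosuid,gid=5,mode=0620 0 0
tmpfs /run tmpfs rw,noexec,nosuid,size=10%,mode=0755 0 0
none /run/lock tmpfs rw,noexec,nosuid,nodev,size=5242880 0 0
none /run/shm tmpfs rw,nosuid,nodev 0 0
EOF

#No longer necessary?
#locale-gen en_US.UTF-8
# dpkg-reconfigure locales
#echo 'LANG="en_US.UTF-8"' > /etc/default/locale

apt-get update
apt-get dist-upgrade --yes
apt-get install --yes dialog sudo bash lsb-release net-tools iptables ed nano iputils-ping isc-dhcp-client \
  kbd console-setup ifupdown netbase less dnsutils
# something is broken...
#console-tools console-data

#No longer necessary.
#apt-get install linux-generic --yes

#No longer necessary.
#echo "GRUB_TERMINAL=console" >> /etc/default/grub
#update-grub

# Root filesystem entry only; swap is still a TODO (the comment line is
# written into the file, as before).
cat > /etc/fstab <<EOF
UUID=$ROOT_UUID /               ext4    noatime,errors=remount-ro 0       1
# swap...
EOF

# Unprivileged login account for the VM. Membership in "sudo" gives it
# full administrative rights through sudo.
useradd -m -d /home/user -s /bin/bash user
usermod -a -G adm,cdrom,audio,dip,sudo,plugdev user
}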



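################################################################ 
# Command dispatch                                             #
################################################################ 
# Usage: TorBOX-chroot -tg-mount|-tg-chroot|-tg-unchroot|-tg-unmount
#                      -tw-mount|-tw-chroot|-tw-unchroot|-tw-unmount
# "-tg-" selects the Gateway image, "-tw-" the Workstation image; the rest
# of the argument selects the step. Every step requires root.
# An unrecognised or missing argument now prints the usage and exits 2;
# previously it was silently ignored and the script exited 0.

#######################################
# Print the usage line to stderr and exit with status 2.
#######################################
usage() {
  printf 'Usage: %s -tg-mount|-tg-chroot|-tg-unchroot|-tg-unmount|-tw-mount|-tw-chroot|-tw-unchroot|-tw-unmount\n' \
    "${0##*/}" >&2
  exit 2
}

#######################################
# Set the globals the mount/chroot helpers read.
# Globals:   USERNAME (read); VMNAME, CHROOT_FOLDER (written)
# Arguments: $1 - VM name ("TorBOX-Gateway" or "TorBOX-Workstation")
#######################################
select_vm() {
  VMNAME=$1
  CHROOT_FOLDER="/home/$USERNAME/TorBOX_binary/${VMNAME}_image"
}

# Which image.
case "$1" in
  -tg-*) select_vm "TorBOX-Gateway" ;;
  -tw-*) select_vm "TorBOX-Workstation" ;;
  *)     usage ;;
esac

# Which step; validated before root_check so a typo is reported even when
# not running as root.
action=
case "${1#-t?-}" in
  mount)    action=mount_vm_image ;;
  chroot)   action=do_chroot ;;
  unchroot) action=do_unchroot ;;
  unmount)  action=unmount_vm_image ;;
  *)        usage ;;
esac

root_check
# Propagate the step's status instead of the former unconditional `exit 0`,
# so a failed mount or chroot setup is visible to the caller.
"$action"
exit "$?"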