agama-project · jreidinger · Jan 14, 2025 · Jan 15, 2025 · Jan 15, 2025 · Jan 16, 2025
diff --git a/.github/workflows/ci-live.yml b/.github/workflows/ci-live.yml
@@ -0,0 +1,59 @@
+name: CI - ISO definition
+
+on:
+  push:
+    paths:
+      # NOTE: GitHub Actions do not allow using YAML references, the same path
+      # list is used below for the pull request event. Keep both lists in sync!!
+
+      # this file as well
+      - .github/workflows/ci-live.yml
+      # any change in the service subfolder
+      - live/**
+
+  pull_request:
+    paths:
+      # NOTE: GitHub Actions do not allow using YAML references, the same path
+      # list is used above for the push event. Keep both lists in sync!!
+
+      # this file as well
+      - .github/workflows/ci-live.yml
+      # any change in the service subfolder
+      - live/**
+
+  # allow running manually
+  workflow_dispatch:
+
+jobs:
+  ruby_tests:
+    runs-on: ubuntu-latest
+    env:
+      COVERAGE: 1
+
+    defaults:
+      run:
+        working-directory: ./live
+
+    strategy:
+      fail-fast: false
+      matrix:
+        distro: [ "tumbleweed" ]
+
+    container:
+      image: registry.opensuse.org/yast/head/containers_${{matrix.distro}}/yast-ruby
+
+    steps:
+
+    - name: Git Checkout
+      uses: actions/checkout@v4
+
+    - name: Configure and refresh repositories
+      # disable unused repositories to have faster refresh
+      run: zypper modifyrepo -d repo-non-oss repo-openh264 repo-update && zypper ref
+
+    - name: Install Ruby development files
+      run: zypper --non-interactive install
+        make
+
+    - name: Run the tests
+      run: make check
diff --git a/live/Makefile b/live/Makefile
@@ -57,4 +57,7 @@ build: $(DESTDIR)
 	$(MAKE) all
 	(cd $(DESTDIR) && osc build -M $(FLAVOR) images)
 
+check:
+	for i in ./test/*_test.*; do $${i}; done
+
 .PHONY: build all clean
diff --git a/live/README.md b/live/README.md
@@ -37,6 +37,7 @@ This directory contains a set of files that are used to build the Agama Live ISO
   PXE boot, see a separate [PXE documentation](PXE.md) for more details about the PXE boot
 - [config-cdroot](config-cdroot) subdirectory contains file which are copied to the uncompressed
   root of the ISO image, the files can be accessed just by mounting the ISO file or the DVD medium
+- [test](test) subdirectory contains tests to verify correctness of content. Can be run with `make check`
 
 ## Building the Sources
 

diff --git a/live/root/etc/systemd/system/agama-cmdline-process.service b/live/root/etc/systemd/system/agama-cmdline-process.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Agama kernel cmdline processing
+
+# have to be after network to be able to download info files
+# TODO: what to do in air gap scenario where we still need process cmdline?
+After=network-online.target
+
+# before starting the Agama servers so they read configuration parsed
+Before=agama-web-server.service
+Before=agama.service
+Before=x11-autologin.service
+
+[Service]
+Type=oneshot
+Environment=TERM=linux
+ExecStart=agama-kernel-cmdline.sh
+StandardInput=tty
+TimeoutSec=0
+
+[Install]
+WantedBy=default.target
diff --git a/live/root/etc/systemd/system/agama-self-update.service b/live/root/etc/systemd/system/agama-self-update.service
@@ -3,6 +3,9 @@ Description=Agama self-update
 
 After=network-online.target
 
+# and after we process agama params like info which can contain password
+After=agama-cmdline-process.service
+
 # before starting the Agama servers so they use the new packages
 Before=agama-web-server.service
 Before=agama.service
@@ -11,11 +14,6 @@ Before=x11-autologin.service
 Before=live-password-dialog.service
 Before=live-password-systemd.service
 
-# kernel command line option
-ConditionKernelCommandLine=|agama.self_update
-# linuxrc/YaST backward compatibility
-ConditionKernelCommandLine=|agama.selfupdate
-
 [Service]
 Type=oneshot
 Environment=TERM=linux

diff --git a/live/root/etc/systemd/system/live-password-cmdline.service b/live/root/etc/systemd/system/live-password-cmdline.service
@@ -9,9 +9,8 @@ Before=agama-web-server.service
 Before=live-password-dialog.service
 Before=live-password-systemd.service
 
-# plain text password or hashed password passed via kernel command line
-ConditionKernelCommandLine=|live.password
-ConditionKernelCommandLine=|live.password_hash
+# and after we process agama params like info which can contain password
+After=agama-cmdline-process.service
 
 [Service]
 ExecStart=live-password --kernel

diff --git a/live/root/etc/systemd/system/live-password-dialog.service b/live/root/etc/systemd/system/live-password-dialog.service
@@ -22,8 +22,8 @@ [email protected]
 [email protected]
 [email protected]
 
-# kernel command line option
-ConditionKernelCommandLine=live.password_dialog
+# and after we process agama params like info which can contain kernel parameters
+After=agama-cmdline-process.service
 
 [Service]
 Type=oneshot

diff --git a/live/root/etc/systemd/system/live-password-systemd.service b/live/root/etc/systemd/system/live-password-systemd.service
@@ -22,8 +22,8 @@ [email protected]
 [email protected]
 [email protected]
 
-# kernel command line option
-ConditionKernelCommandLine=live.password_systemd
+# and after we process agama params like info which can contain kernel parameters
+After=agama-cmdline-process.service
 
 [Service]
 Type=oneshot

diff --git a/live/root/usr/bin/agama-kernel-cmdline.sh b/live/root/usr/bin/agama-kernel-cmdline.sh
@@ -0,0 +1,4 @@
+#! /bin/sh
+
+kernel-cmdline-conf.sh
+info-cmdline-conf.sh
diff --git a/live/root/usr/bin/agama-self-update b/live/root/usr/bin/agama-self-update
@@ -5,6 +5,10 @@
 # This script updates the Agama packages in the Live system from the
 # Agama Devel OBS project.
 
+# check if self-update is required
+if ! grep -q "[[:space:]^]agama.self_update=1\([[:space:]]\|$\)" /etc/agama.d/cmdline.conf; then
+  exit 0
+fi
 
 # first try a quick and simple solution, refreshing the distributions repository takes a
 # lot of time so try using only the agama-devel for update

diff --git a/live/root/usr/bin/info-cmdline-conf.sh b/live/root/usr/bin/info-cmdline-conf.sh
@@ -0,0 +1,23 @@
+#! /bin/sh
+
+set -e
+
+TARGET="${1:-/etc/agama.d/cmdline.conf}"
+INFO_CONTENT="${2:-/etc/agama.d/cmdline.info.conf}"
+
+expand_info_arg() {
+  INFO_URL=$(sed -n 's/\(.*[[:space:]]\|^\)agama\.info=\([^[:space:]]\+\).*/\2/p' "$TARGET")
+  if [ -z "${INFO_URL}" ]; then
+    return 0
+  fi
+
+  curl --silent "${INFO_URL}" > "${INFO_CONTENT}"
+  # remove info param
+  sed -in 's/\([[:space:]]\|^\)agama\.info=[^[:space:]]\+//' "${TARGET}"
+  # and add content of info file
+  cat "${INFO_CONTENT}" >> "${TARGET}"
+
+  return 0
+}
+
+expand_info_arg
diff --git a/live/root/usr/bin/kernel-cmdline-conf.sh b/live/root/usr/bin/kernel-cmdline-conf.sh
@@ -0,0 +1,32 @@
+#! /bin/sh
+
+SOURCE="${1:-/proc/cmdline}"
+TARGET="${2:-/etc/agama.d/kernel.cmdline.conf}"
+
+write_kernel_args() {
+  DIR=$(dirname "${TARGET}")
+  mkdir -p "$DIR"
+  # ensure that kernel cmdline line is created to avoid reading agama params
+  # if there is no kernel params
+  touch "${TARGET}"
+
+  for _i in $(cat "${SOURCE}"); do
+    case ${_i} in
+    # remove all agama kernel params
+    # Add here also all linuxrc supported parameters
+    LIBSTORAGE_* | YAST_* | agama* | Y2* | ZYPP_* | autoyast* )
+      _found=1
+      ;;
+    esac
+
+    if [ -z "$_found" ]; then
+      echo "Non-Agama parameter found ($_i)"
+      echo -n " $_i" >>"${TARGET}"
+    fi
+    unset _found
+  done
+
+  return 0
+}
+
+write_kernel_args
diff --git a/live/root/usr/bin/live-password b/live/root/usr/bin/live-password
@@ -27,6 +27,11 @@ msg_box() {
 }
 
 ask_password() {
+  # check if user wants dialog password
+  if ! grep -q "[[:space:]^]live.password_dialog=1\([[:space:]]\|$\)" /etc/agama.d/cmdline.conf; then
+    exit 0
+  fi
+
   if ! PWD1=$(dialog --keep-tite --title "$TITLE" --backtitle "$BTITLE" --stdout --insecure --passwordbox "Password:" 8 40); then
     confirm_exit
     ask_password
@@ -36,7 +41,7 @@ ask_password() {
     confirm_exit
     ask_password
   fi
-  
+
   if [ "$PWD1" != "$PWD2" ]; then
     msg_box "Passwords do not match.\nPlease try again."
     ask_password
@@ -51,6 +56,10 @@ ask_password() {
 
 # functions for entering the password using the "systemd-ask-password" tool
 ask_password_systemd() {
+  # check if user wants systemd password
+  if ! grep -q "[[:space:]^]live.password_systemd=1\([[:space:]]\|$\)" /etc/agama.d/cmdline.conf; then
+    exit 0
+  fi
   if ! PWD1=$(systemd-ask-password --timeout=0 "Set login password: "); then
     exit 1
   fi
@@ -141,13 +150,14 @@ random_password() {
 }
 
 if [ "$1" = "--kernel" ]; then
-  # get the password from the kernel command line
-  PWD=$(awk -F 'live.password=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+  # get the password from the kernel command line. It can contain newlines
+  PWD=$(grep 'live.password=' < /etc/agama.d/cmdline.conf | awk -F 'live.password=' '{sub(/ .*$/, "", $2); print $2}')
   if [ -n "$PWD" ]; then
     echo "$PWD" | passwd --stdin
   fi
 
-  PWD=$(awk -F 'live.password_hash=' '{sub(/ .*$/, "", $2); print $2}' < /proc/cmdline)
+  # get the password hash from the kernel command line. It can contain newlines
+  PWD=$(grep 'live.password_hash=' < /etc/agama.d/cmdline.conf | awk -F 'live.password_hash=' '{sub(/ .*$/, "", $2); print $2}')
   if [ -n "$PWD" ]; then
     usermod -p "$PWD" root
   fi

diff --git a/live/src/config.sh b/live/src/config.sh
@@ -44,6 +44,7 @@ systemctl enable agama-hostname.service
 systemctl enable agama-proxy-setup.service
 systemctl enable agama-certificate-issue.path
 systemctl enable agama-certificate-wait.service
+systemctl enable agama-cmdline-process.service
 systemctl enable agama-welcome-issue.service
 systemctl enable agama-avahi-issue.service
 systemctl enable agama-url-issue.service

diff --git a/live/test/fixtures/expected/cmdline b/live/test/fixtures/expected/cmdline
@@ -0,0 +1 @@
+ BOOT_IMAGE=/boot/vmlinuz splash=silent mitigations=auto quiet nosimplefb=1
diff --git a/live/test/fixtures/expected/info_cmdline b/live/test/fixtures/expected/info_cmdline
@@ -0,0 +1,3 @@
+BOOT_IMAGE=/boot/vmlinuz splash=silent nosimplefb=1
+agama.install_url=ftp://test.com/repo
+live.password=secret
diff --git a/live/test/fixtures/expected/info_cmdline.info b/live/test/fixtures/expected/info_cmdline.info
@@ -0,0 +1,2 @@
+agama.install_url=ftp://test.com/repo
+live.password=secret
diff --git a/live/test/fixtures/source/cmdline b/live/test/fixtures/source/cmdline
@@ -0,0 +1 @@
+BOOT_IMAGE=/boot/vmlinuz splash=silent agama.auto=ftp://example.suse.cz/profile.json LIBSTORAGE_MULTIPATH=1 mitigations=auto Y2DEBUG=1 quiet nosimplefb=1
diff --git a/live/test/fixtures/source/info_cmdline b/live/test/fixtures/source/info_cmdline
@@ -0,0 +1 @@
+BOOT_IMAGE=/boot/vmlinuz splash=silent agama.info=https://pastebin.com/raw/krzAVL8S nosimplefb=1
diff --git a/live/test/info_cmdline_test.rb b/live/test/info_cmdline_test.rb
@@ -0,0 +1,51 @@
+#! /usr/bin/rspec
+require "tmpdir"
+
+describe "info-cmdline-conf.sh" do
+  let(:script_path) { File.expand_path("../root/usr/bin/info-cmdline-conf.sh", __dir__, ) }
+
+  context "There is no info parameter" do
+    let(:source_path) { File.expand_path("fixtures/source/cmdline", __dir__, ) }
+    let(:expected_path) { File.expand_path("fixtures/source/cmdline", __dir__, ) }
+
+
+    it "does nothing" do
+      Dir.mktmpdir do |tmpdir|
+        target_path = File.join(tmpdir, "cmdline")
+        FileUtils.cp(source_path, target_path)
+        info_path = File.join(tmpdir, "cmdline.info")
+        command = "#{script_path} #{target_path} #{info_path}"
+        cmd_result = system(command)
+        expect(cmd_result).to eq true
+        expected = File.read(expected_path)
+        result = File.read(target_path)
+        expect(result).to eq expected
+        expect(File.exists?(info_path)).to eq false
+      end
+    end
+  end
+
+  context "There is info parameter" do
+    let(:source_path) { File.expand_path("fixtures/source/info_cmdline", __dir__, ) }
+    let(:expected_path) { File.expand_path("fixtures/expected/info_cmdline", __dir__, ) }
+    let(:expected_info_path) { File.expand_path("fixtures/expected/info_cmdline.info", __dir__, ) }
+
+    it "removes info parameter and add its content" do
+      Dir.mktmpdir do |tmpdir|
+        target_path = File.join(tmpdir, "cmdline")
+        FileUtils.cp(source_path, target_path)
+        info_path = File.join(tmpdir, "cmdline.info")
+        command = "#{script_path} #{target_path} #{info_path}"
+        cmd_result = system(command)
+        expect(cmd_result).to eq true
+        expected = File.read(expected_path)
+        result = File.read(target_path)
+        expect(result).to eq expected
+
+        expected_info = File.read(expected_info_path)
+        result_info = File.read(info_path)
+        expect(result_info).to eq expected_info
+      end
+    end
+  end
+end
diff --git a/live/test/kernel_cmdline_test.rb b/live/test/kernel_cmdline_test.rb
@@ -0,0 +1,20 @@
+#! /usr/bin/rspec
+require "tmpdir"
+
+describe "kernel-cmdline-conf.sh" do
+  it "filters out any agama params" do
+    script_path = File.expand_path("../root/usr/bin/kernel-cmdline-conf.sh", __dir__, )
+    source_path = File.expand_path("fixtures/source/cmdline", __dir__, )
+    expected_path = File.expand_path("fixtures/expected/cmdline", __dir__, )
+    tmpdir = Dir.mktmpdir do |tmpdir|
+      target_path = File.join(tmpdir, "cmdline")
+      command = "#{script_path} #{source_path} #{target_path}"
+      puts command
+      cmd_result = system(command)
+      expect(cmd_result).to eq true
+      expected = File.read(expected_path)
+      result = File.read(target_path)
+      expect(result).to eq expected
+    end
+  end
+end
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		BOOT_IMAGE=/boot/vmlinuz splash=silent mitigations=auto quiet nosimplefb=1
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		agama.install_url=ftp://test.com/repo
		live.password=secret
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		BOOT_IMAGE=/boot/vmlinuz splash=silent agama.auto=ftp://example.suse.cz/profile.json LIBSTORAGE_MULTIPATH=1 mitigations=auto Y2DEBUG=1 quiet nosimplefb=1