From 0d6279517117a581498dd3ca1eb5a9817b3ada97 Mon Sep 17 00:00:00 2001 From: horcs Date: Sat, 22 Jul 2023 19:52:02 +0200 Subject: [PATCH 01/12] Disabled webcam, bluetooth --- setup.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/setup.sh b/setup.sh index 5d84c98..529a236 100755 --- a/setup.sh +++ b/setup.sh @@ -413,6 +413,13 @@ if [ -n "$VERSION" ] ; then echo "$VERSION" > /opt/ioi/misc/VERSION fi +# Disable some of the hardware's capabilities +# Disable webcam +echo "blacklist uvcvideo" >> /etc/modprobe.d/blacklist.conf +# Disable bluetooth +echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist.conf +systemctl disable bluetooth.service + # Deny ioi user from SSH login echo "DenyUsers ioi" >> /etc/ssh/sshd_config From deaec1b3efb77afe76747e5ded6909a50234d668 Mon Sep 17 00:00:00 2001 From: horcs Date: Sat, 22 Jul 2023 19:54:36 +0200 Subject: [PATCH 02/12] Disabled bluetooth even more --- setup.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/setup.sh b/setup.sh index 529a236..27c9a10 100755 --- a/setup.sh +++ b/setup.sh @@ -417,7 +417,11 @@ fi # Disable webcam echo "blacklist uvcvideo" >> /etc/modprobe.d/blacklist.conf # Disable bluetooth -echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist.conf +echo "blacklist btusb" >> /etc/modprobe.d/blacklist.conf +echo "blacklist btrtl" >> /etc/modprobe.d/blacklist.conf +echo "blacklist btbcm" >> /etc/modprobe.d/blacklist.conf +echo "blacklist btintel" >> /etc/modprobe.d/blacklist.conf +echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist.conf systemctl disable bluetooth.service # Deny ioi user from SSH login From ad0965c518b0b5106ac58ef4938b65f8340f380a Mon Sep 17 00:00:00 2001 From: horcs Date: Sat, 22 Jul 2023 20:03:34 +0200 Subject: [PATCH 03/12] Disabled wifi --- setup.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/setup.sh b/setup.sh index 27c9a10..f85ae3a 100755 --- a/setup.sh +++ b/setup.sh 
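Review bot: The added `echo "blacklist uvcvideo" >> /etc/modprobe.d/blacklist.conf` and `blacklist bluetooth` lines only suppress alias-based autoloading; `blacklist` does not affect an explicit `modprobe` or a load as a dependency of another module. If the hardware must stay unusable on a contestant machine, pair each entry with an install override such as `install uvcvideo /bin/false`; the same applies to the Bluetooth entries in PATCH 02 and the Wi-Fi entries in PATCH 03. `systemctl disable bluetooth.service` leaves the unit startable by hand or as a dependency of another unit, so `systemctl mask bluetooth.service` is the stricter form. Appending with `>>` to the distribution's `blacklist.conf` also duplicates the lines whenever setup.sh is rerun; writing a dedicated file with `>` (for example `/etc/modprobe.d/ioi-hardware.conf`, a name I made up) would keep the step idempotent.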
@@ -423,6 +423,12 @@ echo "blacklist btbcm" >> /etc/modprobe.d/blacklist.conf echo "blacklist btintel" >> /etc/modprobe.d/blacklist.conf echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist.conf systemctl disable bluetooth.service +# Disable wifi +echo "blacklist iwlwifi" >> /etc/modprobe.d/blacklist.conf +echo "blacklist iwlmvm" >> /etc/modprobe.d/blacklist.conf +echo "blacklist cfg80211" >> /etc/modprobe.d/blacklist.conf +echo "blacklist mac80211" >> /etc/modprobe.d/blacklist.conf +echo "blacklist libarc4" >> /etc/modprobe.d/blacklist.conf # Deny ioi user from SSH login echo "DenyUsers ioi" >> /etc/ssh/sshd_config From d776a828156d8f4ea3cac75d1b81ac5842e82c0a Mon Sep 17 00:00:00 2001 From: horcs Date: Sun, 23 Jul 2023 11:22:13 +0200 Subject: [PATCH 04/12] Added some description --- setup.sh | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 51 insertions(+), 1 deletion(-) diff --git a/setup.sh b/setup.sh index f85ae3a..6d0c919 100755 --- a/setup.sh +++ b/setup.sh 
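Review bot: Of the five added Wi-Fi entries, only `blacklist iwlwifi` is likely to have any effect. `blacklist` acts on module aliases, and `iwlmvm`, `cfg80211`, `mac80211` and `libarc4` are normally loaded on request from the driver or as dependencies, not through a hardware alias. `libarc4` is also a generic cipher library rather than a Wi-Fi module, so if these lines are ever turned into `install … /bin/false` overrides it should be left out unless `lsmod` on the target image shows that nothing else uses it. The list covers Intel cards only; a comment at this spot such as `# iwlwifi = Intel cards only; other Wi-Fi chipsets need their own entry` would make that limit visible.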
@@ -413,9 +413,57 @@ if [ -n "$VERSION" ] ; then echo "$VERSION" > /opt/ioi/misc/VERSION fi -# Disable some of the hardware's capabilities +# On IOI 2023, Acer Aspire 3 notebooks are given to the contestants. +# These have an Intel i5-1135G7, a FullHD display, 8 GB of DDR4 RAM, 256 GB of NVMe SSD, ethernet port. But they also have a: +# - webcam +# - WiFi + Bluetooth card +# These are hardware components that are not needed for the contest, therefore we disable their drivers. + +# YOU MIGHT NEED TO UPDATE THIS IF YOU WILL BE USING A DIFFERENT LAPTOP, OR IF THE OS CHANGES. Therefore, here is an explanation how this part of the configuration was created. Otherwise, it could have been quite magical why certain kernel modules have been disabled. + +# It is important to note that it is good practice to use ethernet during a competition since it is more stable than WiFi. We will also use ethernet on IOI 2023. + +# While we were trying out the notebooks, we have noticed that the WiFi + Bluetooth did not work due to problems with drivers on Linux. It is probably a feature in this case. I am sure that an update will eventually remove this "feature", therefore I am disabling the card's drivers altogether. (Check https://community.intel.com/t5/Wireless/AX101-Ubuntu-22-04-or-22-10-driver/td-p/1468063) I have tested, on Ubuntu 23.04 and I have updated the kernel to 6.4.0, and both WiFi and Bluetooth worked fine with it. +# Command `sudo dmesg` showed that there have been attempts on starting up WiFi and Bluetooth even on Ubuntu 22.04 with the current kernel (5.15.0). + # Disable webcam +# This is done in accordance with https://askubuntu.com/questions/166809/how-can-i-disable-my-webcam echo "blacklist uvcvideo" >> /etc/modprobe.d/blacklist.conf + +# To disable bluetooth, I disabled the bluetooth kernel module and everything else that depends on it (recursively). 
Probably disabling only one module would have been sufficient, I am not sure, I had problems if only the `bluetooth` module was disabled. + +# So I ran the command `sudo lsmod | grep bluetooth`. I got: +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb +# ecdh_generic XXXXX X bluetooth + +# Therefore btrtl, btintel, btbcm, btusb depend on bluetooth, so I also wanted to disable them. +# Checking them one-by-one they didn't show any other modules. + +# sudo lsmod | grep btrtl +# btrtl XXXXX X btusb +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb + +# sudo lsmod | grep btintel +# btintel XXXXX X btusb +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb + +# sudo lsmod | grep btbcm +# btbcm XXXXX X btusb +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb + +# sudo lsmod | grep bnep +# bnep XXXXX X +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb + +# sudo lsmod | grep btusb +# btusb XXXXX X +# btrtl XXXXX X btusb +# btbcm XXXXX X btusb +# btintel XXXXX X btusb +# bluetooth XXXXXX XX btrtl,btintel,btbcm,bnep,btusb + +# I have also disabled the bluetooth service for good measure. + # Disable bluetooth echo "blacklist btusb" >> /etc/modprobe.d/blacklist.conf echo "blacklist btrtl" >> /etc/modprobe.d/blacklist.conf @@ -423,6 +471,8 @@ echo "blacklist btbcm" >> /etc/modprobe.d/blacklist.conf echo "blacklist btintel" >> /etc/modprobe.d/blacklist.conf echo "blacklist bluetooth" >> /etc/modprobe.d/blacklist.conf systemctl disable bluetooth.service + +# From dmesg I got a hint that the WiFi card's kernel module is `iwlwifi`. Then I have went it with the exact same method as in bluetooth (described above). # Disable wifi echo "blacklist iwlwifi" >> /etc/modprobe.d/blacklist.conf echo "blacklist iwlmvm" >> /etc/modprobe.d/blacklist.conf From c143caf337bd4cbb3706dcb431fd2708f2f7ef77 Mon Sep 17 00:00:00 2001 
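Review bot: The quoted `lsmod` output lists `bnep` among the users of `bluetooth`, but the sentence `Therefore btrtl, btintel, btbcm, btusb depend on bluetooth` omits it and the blacklist block below has no `bnep` entry. Either add `bnep` to the list or add a comment line saying why it is left alone, so the next maintainer does not have to guess whether the omission is deliberate. The text also describes the method as disabling everything that depends on the module, while a `blacklist` line by itself does not block dependency or manual loads. I would state that limitation next to the `YOU MIGHT NEED TO UPDATE THIS` paragraph, e.g. `# Note: blacklist only stops automatic loading; root can still modprobe these modules.`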
From: radl97 Date: Thu, 27 Jul 2023 15:11:11 +0200 Subject: [PATCH 05/12] Use LVM --- autoinstall/user-data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/autoinstall/user-data b/autoinstall/user-data index 3117bb2..ec5ad54 100644 --- a/autoinstall/user-data +++ b/autoinstall/user-data @@ -18,9 +18,9 @@ autoinstall: dhcp4: yes storage: layout: - name: direct #lvm + name: lvm identity: - hostname: ioi-test-0713 + hostname: ioi-test-0726 username: ansible # ansible DO CHANGE! password: $6$NH0tTrHw/4v3.Jbi$6NCVzJ45i3N4HFF1vJpPobpdkGhgBq0t56KAGzjm4/wg1saD8N7akmBMaLbSH.UmpIdmZV8TUaqN2/pDaSSS0. From 98c4644eda46c89205338fba735e43fd279d6358 Mon Sep 17 00:00:00 2001 From: radl97 Date: Mon, 7 Aug 2023 15:21:56 +0200 Subject: [PATCH 06/12] Native: Use UEFI to boot --- autoinstall/start-autoinstall.sh | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/autoinstall/start-autoinstall.sh b/autoinstall/start-autoinstall.sh index ab9809b..6f7ca67 100755 --- a/autoinstall/start-autoinstall.sh +++ b/autoinstall/start-autoinstall.sh @@ -3,6 +3,11 @@ set -x set -e +if [ -z "$OVMF_PATH" ] +then + OVMF_PATH=/usr/share/qemu/OVMF.fd +fi + # 25G -> https://bugs.launchpad.net/subiquity/+bug/1907128 qemu-img create -f qcow2 disk.img 50G wget -c -O ubuntu.iso https://www.releases.ubuntu.com/22.04/ubuntu-22.04.2-live-server-amd64.iso @@ -15,4 +20,4 @@ trap 'kill $HTTP_SRV_PID' EXIT # Make contestant-vm available tar czvf contestant-vm.tar.gz --exclude autoinstall --exclude .git --exclude .github -C ../.. contestant-vm -qemu-system-x86_64 -display gtk -hda disk.img -cdrom ubuntu.iso -m 2048 -net nic -net user -cpu host -machine accel=kvm -smbios type=1,serial=ds='nocloud-net;s=http://10.0.2.2:8000/' +qemu-system-x86_64 -display gtk -hda disk.img -cdrom ubuntu.iso -m 2048 -net nic -net user -cpu host -machine accel=kvm -smbios type=1,serial=ds='nocloud-net;s=http://10.0.2.2:8000/' -bios "$OVMF_PATH" 
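Review bot: The new `OVMF_PATH` default is never checked before use, so a host without `/usr/share/qemu/OVMF.fd` only fails at the final `qemu-system-x86_64 … -bios "$OVMF_PATH"` line in the second hunk, after the 50G image has been created and the ISO fetched. A guard right after the default, `[ -r "$OVMF_PATH" ] || { echo "OVMF firmware not found at $OVMF_PATH" >&2; exit 1; }`, fails early with a clear message. The four-line `if [ -z "$OVMF_PATH" ]` can also be written as `: "${OVMF_PATH:=/usr/share/qemu/OVMF.fd}"`. Since the firmware image decides what the VM boots, a short comment naming the package expected to provide the file would help anyone who overrides the variable.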
From c7aade56af2415ea9d890693662fb7727328f60b Mon Sep 17 00:00:00 2001 From: radl97 Date: Mon, 7 Aug 2023 15:25:37 +0200 Subject: [PATCH 07/12] Allow all VPN ports, and only from the config server's IP --- misc/iptables.save | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/misc/iptables.save b/misc/iptables.save index 0b6d21c..402a7a3 100644 --- a/misc/iptables.save +++ b/misc/iptables.save @@ -11,8 +11,8 @@ -A OUTPUT -o lo -j ACCEPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A OUTPUT -p icmp -j ACCEPT --A OUTPUT -p tcp -m tcp --dport 655 -j ACCEPT --A OUTPUT -p udp -m udp --dport 655 -j ACCEPT +-A OUTPUT -p tcp -m tcp -m multiport -d {POP_SERVER} --dport 655,656,657 -j ACCEPT +-A OUTPUT -p udp -m udp -m multiport -d {POP_SERVER} --dport 655,656,657 -j ACCEPT -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT -A OUTPUT -p udp -m udp --dport 123 -j ACCEPT From 5f9971027a0a42c3bd9b837565d06e78a3864ad9 Mon Sep 17 00:00:00 2001 From: radl97 Date: Wed, 9 Aug 2023 11:13:03 +0200 Subject: [PATCH 08/12] Update hostname --- autoinstall/user-data | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/autoinstall/user-data b/autoinstall/user-data index 255547e..940cba6 100644 --- a/autoinstall/user-data +++ b/autoinstall/user-data @@ -20,7 +20,7 @@ autoinstall: layout: name: lvm identity: - hostname: ioi-0804 + hostname: ioi-0809 username: ansible # ansible DO CHANGE! password: $6$NH0tTrHw/4v3.Jbi$6NCVzJ45i3N4HFF1vJpPobpdkGhgBq0t56KAGzjm4/wg1saD8N7akmBMaLbSH.UmpIdmZV8TUaqN2/pDaSSS0. From e4488118c49fab1de8860660f858c091fb0d11c4 Mon Sep 17 00:00:00 2001 From: radl97 Date: Wed, 9 Aug 2023 11:13:43 +0200 Subject: [PATCH 09/12] Fix comment --- autoinstall/user-data | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/autoinstall/user-data b/autoinstall/user-data index 940cba6..61d0d71 100644 --- a/autoinstall/user-data +++ b/autoinstall/user-data 
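Review bot: Both new rules pass a comma-separated list to `--dport`, but with `-m tcp` / `-m udp` loaded that option belongs to the protocol match, which takes a single port or a `first:last` range; the list option of the multiport match is spelled `--dports`. As written I would expect `iptables-restore` to reject these lines, and because a restore is applied as a whole, a parse error may leave the machine without the intended OUTPUT policy; please verify with `iptables-restore --test`. Suggested form: `-A OUTPUT -p tcp -d {POP_SERVER} -m multiport --dports 655,656,657 -j ACCEPT` (and likewise for udp), or `--dport 655:657` without multiport. `{POP_SERVER}` is a template token, so whatever substitutes it should refuse to install the ruleset when the value is empty; that code is not part of this hunk.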
@@ -22,7 +22,8 @@ autoinstall: identity: hostname: ioi-0809 username: ansible - # ansible DO CHANGE! + # Note: the real password will be ANSIBLE_PASSWORD + # ansible password: $6$NH0tTrHw/4v3.Jbi$6NCVzJ45i3N4HFF1vJpPobpdkGhgBq0t56KAGzjm4/wg1saD8N7akmBMaLbSH.UmpIdmZV8TUaqN2/pDaSSS0. ssh: install-server: yes From e8bed92f3d5d00d6daf5c17c1ce5bc48a6bc82b0 Mon Sep 17 00:00:00 2001 From: radl97 Date: Wed, 9 Aug 2023 12:33:58 +0200 Subject: [PATCH 10/12] Enable boot-setup --- setup.d/40-boot-setup.sh | 6 ------ 1 file changed, 6 deletions(-) diff --git a/setup.d/40-boot-setup.sh b/setup.d/40-boot-setup.sh index bd0f119..238667d 100755 --- a/setup.d/40-boot-setup.sh +++ b/setup.d/40-boot-setup.sh @@ -6,12 +6,6 @@ set -e sed -i '/GRUB_CMDLINE_LINUX_DEFAULT/ s/splash//' /etc/default/grub update-grub2 -echo "boot-setup: works, but disabled due to inconveniences" -echo "- snapshot can be found by Ubuntu's sidebar, which is annoying" -echo "- Rethink logic:" -echo " - is 15 sec enough?" -exit 0 - VG="ubuntu-vg" ORIGIN_LV="ubuntu-lv" SNAPSHOT_LV="ubuntu-snapshot" From eee31da62054bef41e392611a738295677a86916 Mon Sep 17 00:00:00 2001 From: radl97 Date: Fri, 11 Aug 2023 15:12:08 +0200 Subject: [PATCH 11/12] Boot-up process did not really like booting after creating snapshot --- setup.d/40-boot-setup.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/setup.d/40-boot-setup.sh b/setup.d/40-boot-setup.sh index 238667d..3a7bd95 100755 --- a/setup.d/40-boot-setup.sh +++ b/setup.d/40-boot-setup.sh @@ -115,7 +115,8 @@ if lvm lvs --noheadings -o lv_name "${VG}" 2>/dev/null | grep -qs "${SNAPSHOT_LV banner "Restoring OS and booting up" create_snapshot - banner "Snapshot created!" + banner "Snapshot created! Will reboot now..." + reboot -f else # No snapshot banner "First boot after setting up! Will zerofree disk and create snapshot!" From 4465dffc61d62773e5b753c4c514403421fd4d48 Mon Sep 17 00:00:00 2001 
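Review bot: The new comment `# Note: the real password will be ANSIBLE_PASSWORD` does not say when or by what the committed hash is replaced, and the `# ansible` line under it still documents the plaintext behind that hash. With `ssh: install-server: yes` directly below, a freshly installed machine presumably accepts that well-known credential over SSH until the replacement step has run. I would spell this out, e.g. `# Placeholder hash (password "ansible"); <step that sets ANSIBLE_PASSWORD> replaces it, so keep the host off shared networks until then`. Also consider `allow-pw: no` together with `authorized-keys` in the `ssh:` section, so the placeholder is never usable remotely. The `identity:` block starts outside the hunk.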
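Review bot: In PATCH 11 the added `reboot -f` runs unconditionally after `create_snapshot`, in the branch taken whenever the snapshot LV exists. If nothing outside this hunk gates that branch, every boot would roll back, re-create the snapshot and reboot again. The exit status of `create_snapshot` is not checked either, so a failed snapshot still shows the success banner and forces a reboot; `create_snapshot || panic "snapshot creation failed"` before the banner would stop there instead. A comment stating what breaks the cycle (presumably the prompt timeout) belongs next to the `reboot -f`. The same unchecked `create_snapshot` followed by `reboot -f` remains in the no-snapshot branch after PATCH 12, and the enclosing `if` starts and ends outside the hunk.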
From: radl97 Date: Fri, 11 Aug 2023 15:17:18 +0200 Subject: [PATCH 12/12] Remove zerofree hook, and reboot between each operation --- setup.d/40-boot-setup.sh | 40 ++-------------------------------------- 1 file changed, 2 insertions(+), 38 deletions(-) diff --git a/setup.d/40-boot-setup.sh b/setup.d/40-boot-setup.sh index 3a7bd95..061191b 100755 --- a/setup.d/40-boot-setup.sh +++ b/setup.d/40-boot-setup.sh @@ -10,32 +10,6 @@ VG="ubuntu-vg" ORIGIN_LV="ubuntu-lv" SNAPSHOT_LV="ubuntu-snapshot" -cat </etc/initramfs-tools/hooks/zerofree -#!/bin/sh -PREREQ="" -prereqs() -{ - echo "\$PREREQ" -} - -case \$1 in -prereqs) - prereqs - exit 0 - ;; -esac - -. /usr/share/initramfs-tools/hook-functions - -if [ ! -x "/sbin/zerofree" ]; then - exit 1 -fi - -copy_exec /sbin/zerofree /sbin -exit 0 -EOM -chmod 755 /etc/initramfs-tools/hooks/zerofree - cat </etc/initramfs-tools/scripts/local-premount/prompt #!/bin/sh PREREQ="lvm" @@ -113,24 +87,14 @@ if lvm lvs --noheadings -o lv_name "${VG}" 2>/dev/null | grep -qs "${SNAPSHOT_LV # Perform rollback rollback_snapshot banner "Restoring OS and booting up" - - create_snapshot - banner "Snapshot created! Will reboot now..." reboot -f else # No snapshot - banner "First boot after setting up! Will zerofree disk and create snapshot!" - - # Perform snapshot creation - if [ ! -x "/sbin/zerofree" ]; then - panic "zerofree executable not found" - fi + banner "First boot after setting up! Will create snapshot!" - zerofree /dev/${VG}/${ORIGIN_LV} create_snapshot banner "Snapshot created! Will shut down now." - - poweroff -f + reboot -f fi EOM chmod 755 /etc/initramfs-tools/scripts/local-premount/prompt
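Review bot: In the no-snapshot branch the banner still reads `Snapshot created! Will shut down now.` although the action changed from `poweroff -f` to `reboot -f`; it should become `banner "Snapshot created! Will reboot now..."`. Likewise `banner "Restoring OS and booting up"` in the rollback branch is now followed directly by `reboot -f` rather than a continued boot, so something like `banner "OS restored, rebooting..."` matches what the operator will see. Dropping the hook heredoc in the first hunk does not remove an `/etc/initramfs-tools/hooks/zerofree` written by an earlier run of this script. Machines provisioned before this commit keep that hook unless the script also runs `rm -f /etc/initramfs-tools/hooks/zerofree`.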