diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0495970..3720339 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -2,7 +2,7 @@ name: Build on: push: branches: - - master + - main pull_request: types: - opened @@ -10,7 +10,7 @@ on: - synchronize - ready_for_review branches: - - master + - main permissions: contents: read jobs: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index bad9844..b26e048 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -2,7 +2,7 @@ name: Linting on: push: branches: - - master + - main pull_request: types: - opened @@ -10,10 +10,22 @@ on: - synchronize - ready_for_review branches: - - master + - main permissions: contents: read jobs: + commitlint: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: ${{ github.event.pull_request.commits }} + ref: ${{ github.event.pull_request.head.sha }} + - name: Commit-Lint + uses: bugbundle/commits@v1.1.0 + id: commits + - run: echo ${{ steps.commits.outputs.major }}.${{ steps.commits.outputs.minor }}.${{ steps.commits.outputs.patch }} golangci-lint: runs-on: ubuntu-latest steps: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 766d6b6..fb32337 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,8 +1,8 @@ name: Release -on: +on: push: - tags: - - "v*" + tags: + - "v*" permissions: contents: read jobs: diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index d18d7e2..1fb93c5 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -2,7 +2,7 @@ name: Tests on: push: branches: - - master + - main pull_request: types: - opened @@ -10,7 +10,7 @@ on: - synchronize - ready_for_review branches: - - master + - main permissions: contents: read jobs: diff --git a/.gitignore b/.gitignore index 53752db..b1b7161 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -output +init diff --git a/README.md b/README.md index f195cf8..98ef51b 100644 --- a/README.md +++ b/README.md @@ -1,51 +1,6 @@ -# Template Repository +# u-bmc system init -## Files +[![License](https://img.shields.io/badge/License-BSD_3--Clause-blue.svg)](https://opensource.org/licenses/BSD-3-Clause) -### `.golangci.yml` - -The configuration of the main linter in use. Visit the [golangci](https://golangci-lint.run/) website for more details. - -### `.goreleaser.yml` - -The configuration of the release tool in use. Visit the [goreleaser](https://goreleaser.com/) website for more details. - -### `renovate.json` - -The configuration of the dependency monitoring bot. Visit the [renovate](https://docs.renovatebot.com/) website for more details. - -## Directories - -### `/.github` - -Directory for GitHub specific configuration, but GitHub Actions and Issue Templates. - -### `/ci` - -This directory contains the sources for the CI helper tool which is based on Dagger. It allows easier reproduction of CI results locally. - ---- - -The following general directory structure recommendations are taken from the [project layout](https://github.com/golang-standards/project-layout) - -### `/cmd` - -Main applications for this project. - -The directory name for each application should match the name of the executable you want to have (e.g., `/cmd/myapp`). - -Don't put a lot of code in the application directory. If you think the code can be imported and used in other projects, then it should live in the `/pkg` directory. If the code is not reusable or if you don't want others to reuse it, put that code in the `/internal` directory. You'll be surprised what others will do, so be explicit about your intentions! - -It's common to have a small `main` function that imports and invokes the code from the `/internal` and `/pkg` directories and nothing else. - -### `/pkg` - -Library code that's ok to use by external applications (e.g., `/pkg/mypubliclib`). Other projects will import these libraries expecting them to work, so think twice before you put something here :-) Note that the `internal` directory is a better way to ensure your private packages are not importable because it's enforced by Go. The `/pkg` directory is still a good way to explicitly communicate that the code in that directory is safe for use by others. The [`I'll take pkg over internal`](https://travisjeffery.com/b/2019/11/i-ll-take-pkg-over-internal/) blog post by Travis Jeffery provides a good overview of the `pkg` and `internal` directories and when it might make sense to use them. - -### `/internal` - -Private application and library code. This is the code you don't want others importing in their applications or libraries. Note that this layout pattern is enforced by the Go compiler itself. See the Go 1.4 [`release notes`](https://golang.org/doc/go1.4#internalpackages) for more details. Note that you are not limited to the top level `internal` directory. You can have more than one `internal` directory at any level of your project tree. - -### `/tools` - -Supporting tools for this project. Note that these tools can import code from the `/pkg` and `/internal` directories. +This is a small init program meant to be run from inside an initramfs as the first program the Linux Kernel launches. +While this tool can be built standalone it is designed to be built and bundled by the [u-bmc](https://github.com/u-bmc/u-bmc) build process. diff --git a/cmd/example/main.go b/cmd/example/main.go deleted file mode 100644 index 48a005c..0000000 --- a/cmd/example/main.go +++ /dev/null @@ -1,9 +0,0 @@ -// SPDX-License-Identifier: BSD-3-Clause - -package main - -import "log" - -func main() { - log.Println("Template") -} diff --git a/cmd/example/main_test.go b/cmd/example/main_test.go deleted file mode 100644 index 545bda6..0000000 --- a/cmd/example/main_test.go +++ /dev/null @@ -1,11 +0,0 @@ -// SPDX-License-Identifier: BSD-3-Clause - -package main - -import ( - "testing" -) - -func TestFunc(t *testing.T) { - main() -} diff --git a/go.mod b/go.mod index ce35e3b..ad912c5 100644 --- a/go.mod +++ b/go.mod @@ -1,8 +1,11 @@ -module github.com/u-bmc/go-project-template +module github.com/u-bmc/init go 1.21 -require dagger.io/dagger v0.9.3 +require ( + dagger.io/dagger v0.9.3 + golang.org/x/sys v0.13.0 +) require ( github.com/99designs/gqlgen v0.17.31 // indirect @@ -12,5 +15,4 @@ require ( github.com/vektah/gqlparser/v2 v2.5.6 // indirect golang.org/x/exp v0.0.0-20231006140011-7918f672742d // indirect golang.org/x/sync v0.4.0 // indirect - golang.org/x/sys v0.13.0 // indirect ) diff --git a/internal/example/main.go b/internal/example/main.go deleted file mode 100644 index 48a005c..0000000 --- a/internal/example/main.go +++ /dev/null @@ -1,9 +0,0 @@ -// SPDX-License-Identifier: BSD-3-Clause - -package main - -import "log" - -func main() { - log.Println("Template") -} diff --git a/main.go b/main.go index de86783..e789b6e 100644 --- a/main.go +++ b/main.go @@ -1,3 +1,69 @@ // SPDX-License-Identifier: BSD-3-Clause -package template +package main + +import ( + "flag" + "log" + + "github.com/u-bmc/init/pkg/keyring" + "github.com/u-bmc/init/pkg/mount" + "github.com/u-bmc/init/pkg/switchroot" + "golang.org/x/sys/unix" +) + +const logo = ` +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣤⣤⣤⣤⣤⣀ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⣴⣿⠟⠉⠁⠀⠈⠉⠛⢿⣦⡀ +⠀⠀⠀⠀⠀⠀⠀⣠⣿⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⣿⣆ +⠀⠀⠀⠀⠀⠀⢠⣿⠁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣿⡆ +⠀⠀⠀⠀⠀⠀⣿⡇⠀⠀⣶⣶⣦⠀⠀⠀⣠⣾⣶⡀⠀⠸⣿ +⠀⠀⠀⠀⠀⠀⣿⠀⠀⠘⠛⠀⠟⠀⠀⠀⠻⠁⠙⠃⠀⠀⣿ +⠀⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⠀⣴⡆⠀⢠⣦⠀⠀⠀⠀⢠⣿ +⠀⠀⠀⠀⠀⠀⠘⣿⠀⠀⠀⠀⠘⣿⣶⣿⠃⠀⠀⠀⠀⣿⠇ +⠀⠀⠀⠀⠀⠀⠀⠙⣿⣾⠿⠀⠀⠀⠀⠀⠀⠀⠿⣿⣾⠟ +⠀⠀⠀⠀⠀⠀⢀⣿⠛⠀⠀⠀⢀⣤⣤⣤⡀⠀⠀⠀⠙⣿⡄ +⠀⠀⠀⠀⠀⢀⣿⠃⠀⠀⠀⣴⡿⠋⠉⠉⢿⣷⠀⠀⠀⠈⣿⡄ +⠀⠀⠀⠀⠀⣼⡏⠀⠀⠀⢠⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⢸⣿ +⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⢸⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⠀⢀⣿ +⠀⠀⠀⢰⣿⠛⠻⣿⠀⠀⢸⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⣾⠟⠛⢿⣦ +⠀⠀⠀⢿⣇⠀⠀⣿⠇⠀⢸⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⣿⠀⠀⢠⣿ +⠀⠀⠀⠈⠻⣿⡿⠋⠀⠀⢸⣿⠀⠀⠀⠀⠀⣿⡇⠀⠀⠙⠿⣿⠿⠁ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⣼⣿⣤⠀⠀⠀⣠⣿⣧⣄ +⠀⠀⠀⠀⠀⠀⠀⠀⢠⣿⠁⠀⢻⣷⠀⣸⡟⠀⠈⣿⡆ +⠀⠀⠀⠀⠀⠀⠀⠀⠈⣿⣄⣀⣾⠏⠀⠸⣷⣄⣠⣿⠃ +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠙⠛⠁⠀⠀⠀⠈⠛⠛ + +⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣶⡄ +⠀⣠⣄⠀⢠⣦⠀⠀⠀⠀⣿⣁⣶⣤⡀⠀⢀⣤⣦⣀⣴⣦⡀⠀⠀⣤⣶⣤⡀ +⠀⣿⡷⠀⢸⣿⢀⣤⣤⠀⣿⡟⠉⢻⣿⠀⣿⠏⠉⣿⠋⠙⣿⠀⣿⡟⠉⠛⠃ +⠀⢻⣷⣀⣾⡟⠀⠉⠉⠀⣿⣧⣀⣼⣿⠀⣿⠀⠀⣿⠀⠀⣿⠀⣿⣧⣀⣴⡆ +⠀⠀⠉⠛⠋⠀⠀⠀⠀⠀⠛⠉⠛⠋⠀⠀⠛⠀⠀⠛⠀⠀⠛⠀⠀⠙⠛⠋ +` + +func main() { + log.Print(logo) + + key := flag.String("key", "", "Filesystem authentication key") + rootfs := flag.String("rootfs", "", "Root filesystem") + flag.Parse() + + log.Println("Mounting all file systems") + m := mount.NewMounter( + mount.WithDefaultMounts(), + mount.WithMount(mount.Mount{ + Source: *rootfs, + Destination: "/newroot", + Type: "ubifs", + GenericFlags: unix.MS_NOSUID | unix.MS_RELATIME | unix.MS_LAZYTIME | unix.MS_RDONLY, + Flags: []string{"ro", "auth_key=ubifs:auth", "auth_hash_name=sha256", "chk_data_crc", "bulk_read"}, + }), + ) + m.MountAll() + + log.Println("Populating kernel keyring") + keyring.AddUbifsAuthKey([]byte(*key)) + + log.Println("Changing into new rootfs") + switchroot.SwitchRoot("/newroot", "/sbin/operator") +} diff --git a/pkg/example/main.go b/pkg/example/main.go deleted file mode 100644 index 48a005c..0000000 --- a/pkg/example/main.go +++ /dev/null @@ -1,9 +0,0 @@ -// SPDX-License-Identifier: BSD-3-Clause - -package main - -import "log" - -func main() { - log.Println("Template") -} diff --git a/pkg/keyring/keyring.go b/pkg/keyring/keyring.go new file mode 100644 index 0000000..1f64613 --- /dev/null +++ b/pkg/keyring/keyring.go @@ -0,0 +1,18 @@ +// SPDX-License-Identifier: BSD-3-Clause + +package keyring + +import ( + "log" + + "golang.org/x/sys/unix" +) + +func AddUbifsAuthKey(key []byte) { + id, err := unix.AddKey("logon", "ubifs:auth", key, unix.KEY_SPEC_SESSION_KEYRING) + if err != nil { + log.Printf("Unable to add ubifs auth key: %v", err) + } + + log.Printf("Added ubifs auth key with id %d", id) +} diff --git a/pkg/mount/mount.go b/pkg/mount/mount.go new file mode 100644 index 0000000..a6a3464 --- /dev/null +++ b/pkg/mount/mount.go @@ -0,0 +1,42 @@ +// SPDX-License-Identifier: BSD-3-Clause + +package mount + +import ( + "log" + "strings" + + "golang.org/x/sys/unix" +) + +type Mount struct { + Source string + Destination string + Type string + GenericFlags uintptr + Flags []string +} + +type Mounter struct { + config config +} + +func NewMounter(options ...Option) *Mounter { + cfg := config{} + + for _, opt := range options { + opt.apply(&cfg) + } + + return &Mounter{ + config: cfg, + } +} + +func (m *Mounter) MountAll() { + for _, m := range m.config.mounts { + if err := unix.Mount(m.Source, m.Destination, m.Type, 0, strings.Join(m.Flags, ",")); err != nil { + log.Printf("Unable to mount file system %s\n", m.Destination) + } + } +} diff --git a/pkg/mount/opts.go b/pkg/mount/opts.go new file mode 100644 index 0000000..6c40caf --- /dev/null +++ b/pkg/mount/opts.go @@ -0,0 +1,137 @@ +// SPDX-License-Identifier: BSD-3-Clause + +package mount + +import "golang.org/x/sys/unix" + +type config struct { + mounts []Mount +} + +type Option interface { + apply(*config) +} + +type mountOption struct { + mount Mount +} + +func (o *mountOption) apply(c *config) { + c.mounts = append(c.mounts, o.mount) +} + +func WithMount(m Mount) Option { + return &mountOption{ + mount: m, + } +} + +type mountsOption struct { + mounts []Mount +} + +func (o *mountsOption) apply(c *config) { + c.mounts = append(c.mounts, o.mounts...) +} + +func WithMounts(m []Mount) Option { + return &mountsOption{ + mounts: m, + } +} + +const ( + DefaultFlagMask uintptr = unix.MS_NOEXEC | unix.MS_NOSUID | unix.MS_NODEV | unix.MS_RELATIME | unix.MS_LAZYTIME + DefaultFlags = "rw,noexec,nosuid,nodev,relatime,lazytime" +) + +func WithDefaultMounts() Option { + return &mountsOption{ + mounts: []Mount{ + { + Source: "proc", + Destination: "/proc", + Type: "proc", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags}, + }, + { + Source: "sys", + Destination: "/sys", + Type: "sysfs", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags}, + }, + { + Source: "securityfs", + Destination: "/sys/kernel/security", + Type: "securityfs", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags}, + }, + { + Source: "cgroup2", + Destination: "/sys/fs/cgroup", + Type: "cgroup2", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags, "nsdelegate", "memory_recursiveprot"}, + }, + { + Source: "bpf", + Destination: "/sys/fs/bpf", + Type: "bpf", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags, "mode=700"}, + }, + { + Source: "configfs", + Destination: "/sys/kernel/config", + Type: "configfs", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags}, + }, + { + Source: "debugfs", + Destination: "/sys/kernel/debug", + Type: "debugfs", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags, "mode=700"}, + }, + { + Source: "tracefs", + Destination: "/sys/kernel/tracing", + Type: "tracefs", + GenericFlags: DefaultFlagMask, + Flags: []string{DefaultFlags, "mode=700"}, + }, + { + Source: "dev", + Destination: "/dev", + Type: "devtmpfs", + GenericFlags: unix.MS_NOSUID | unix.MS_RELATIME | unix.MS_LAZYTIME, + Flags: []string{"rw", "nosuid", "relatime", "lazytime", "mode=755"}, + }, + { + Source: "shm", + Destination: "/dev/shm", + Type: "tmpfs", + GenericFlags: unix.MS_NOSUID | unix.MS_NODEV | unix.MS_RELATIME | unix.MS_LAZYTIME, + Flags: []string{"rw", "nosuid", "nodev", "relatime", "lazytime"}, + }, + { + Source: "devpts", + Destination: "/dev/pts", + Type: "devpts", + GenericFlags: unix.MS_NOSUID | unix.MS_RELATIME | unix.MS_LAZYTIME, + Flags: []string{"rw", "nosuid", "relatime", "lazytime", "mode=620", "gid=5", "ptmxmode=000"}, + }, + { + Source: "run", + Destination: "/run", + Type: "tmpfs", + GenericFlags: unix.MS_NOSUID | unix.MS_NODEV | unix.MS_RELATIME | unix.MS_LAZYTIME, + Flags: []string{"rw", "nosuid", "nodev", "relatime", "lazytime", "mode=755"}, + }, + }, + } +} diff --git a/pkg/switchroot/switchroot.go b/pkg/switchroot/switchroot.go new file mode 100644 index 0000000..e9bd373 --- /dev/null +++ b/pkg/switchroot/switchroot.go @@ -0,0 +1,98 @@ +// SPDX-License-Identifier: BSD-3-Clause + +package switchroot + +import ( + "log" + "os" + "path/filepath" + + "golang.org/x/sys/unix" +) + +func SwitchRoot(newroot string, init string) { + log.Println("Moving mounts") + + mounts := []string{"/dev", "/proc", "/sys", "/run"} + for _, mount := range mounts { + moveMount(mount, filepath.Join(newroot, mount)) + } + + oldroot, err := os.Open("/") + if err != nil { + log.Printf("switch_root: failed to open /: %v", err) + } + defer oldroot.Close() + + moveMount(newroot, "/") + + if err := unix.Chroot("."); err != nil { + log.Printf("switch_root: failed to call chroot: %v", err) + } + + recursiveDelete(int(oldroot.Fd())) + + log.Printf("Executing %s", init) + if err := unix.Exec(init, []string{init}, []string{}); err != nil { + log.Printf("switch_root: failed to exec %s: %v", init, err) + } +} + +func moveMount(oldPath, newPath string) { + if err := unix.Mount(oldPath, newPath, "", unix.MS_MOVE, ""); err != nil { + log.Printf("switch_root: failed to move mount %s: %v", oldPath, err) + } +} + +func recursiveDelete(fd int) { + parentDev, err := getDev(fd) + if err != nil { + log.Printf("switch_root: unable to get underlying dev for dir: %v", err) + return + } + + dir := os.NewFile(uintptr(fd), "__ignored__") + defer dir.Close() + + names, err := dir.Readdirnames(-1) + if err != nil { + log.Printf("switch_root: unable to read dir %s: %v", dir.Name(), err) + return + } + + for _, name := range names { + recusiveDeleteInner(fd, parentDev, name) + } +} + +func recusiveDeleteInner(parentFd int, parentDev uint64, childName string) { + childFd, err := unix.Openat(parentFd, childName, unix.O_DIRECTORY|unix.O_NOFOLLOW, unix.O_RDWR) + if err != nil { + if err := unix.Unlinkat(parentFd, childName, 0); err != nil { + log.Printf("switch_root: unable to remove file %s: %v", childName, err) + } + } else { + defer unix.Close(childFd) + + if childFdDev, err := getDev(childFd); err != nil { + log.Printf("switch_root: unable to get underlying dev for dir: %s: %v", childName, err) + return + } else if childFdDev != parentDev { + return + } + + recursiveDelete(childFd) + + if err := unix.Unlinkat(parentFd, childName, unix.AT_REMOVEDIR); err != nil { + log.Printf("switch_root: unable to remove dir %s: %v", childName, err) + } + } +} + +func getDev(fd int) (uint64, error) { + var stat unix.Stat_t + if err := unix.Fstat(fd, &stat); err != nil { + return 0, err + } + return uint64(stat.Dev), nil +} diff --git a/tools/example/main.go b/tools/example/main.go deleted file mode 100644 index 48a005c..0000000 --- a/tools/example/main.go +++ /dev/null @@ -1,9 +0,0 @@ -// SPDX-License-Identifier: BSD-3-Clause - -package main - -import "log" - -func main() { - log.Println("Template") -}