| author | Philip J Freeman <elektron@halo.nu> | 2025-05-31 12:34:14 -0700 |
|---|---|---|
| committer | Philip J Freeman <elektron@halo.nu> | 2025-05-31 15:47:31 -0700 |
| commit | 34105077c777b0d2c5c69f39921f376b84ce1443 (patch) | |
| tree | 606152d6f739a0ee7fd8e5127e79b595f3fe8c85 /hooks | |
| parent | 5392080129b1093f36533e47c155f618c283ea57 (diff) | |
Deploying a demo amd64 debian-based OS via ostree
This is a prototype outline for building and deploying a Debian-based OS
with ostree. For purposes of demonstration, the OS runs from a bootable
USB device on a UEFI-capable amd64 machine. Once a USB device is
created and booted, the OS can be updated using a simple shell script.
<https://ostreedev.github.io/ostree/>
<https://www.nin.wiki/Halo_numbers>
Diffstat (limited to 'hooks')
| -rwxr-xr-x | hooks/build-os-post/20-ostree-kernel-mangle | 22 | ||||
| -rwxr-xr-x | hooks/build-os-post/40-ostree-demo-scripts | 36 | ||||
| -rwxr-xr-x | hooks/build-os-post/90-ostree-path-mangles | 47 | ||||
| -rwxr-xr-x | hooks/build-os/10-apt | 15 | ||||
| -rwxr-xr-x | hooks/build-os/20-kernel-boot | 5 | ||||
| -rwxr-xr-x | hooks/build-os/50-network | 16 | ||||
| -rwxr-xr-x | hooks/build-os/70-system-config | 10 | ||||
| -rwxr-xr-x | hooks/build-os/80-firstboot-repart-growfs | 47 | ||||
| -rwxr-xr-x | hooks/build-os/90-cleanup | 4 |
9 files changed, 202 insertions, 0 deletions
diff --git a/hooks/build-os-post/20-ostree-kernel-mangle b/hooks/build-os-post/20-ostree-kernel-mangle
new file mode 100755
index 0000000..1e51905
--- /dev/null
+++ b/hooks/build-os-post/20-ostree-kernel-mangle
@@ -0,0 +1,22 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# Kernel mangling
+
+kver=$(ls -1 "${root:?}"/usr/lib/modules)
+
+# move kernel out of /boot into /usr/lib/modules/
+mv "${root:?}"/boot/vmlinuz-"$kver" "${root:?}"/usr/lib/modules/"$kver"/vmlinuz
+mv "${root:?}"/boot/initrd.img-"$kver" "${root:?}"/usr/lib/modules/"$kver"/initramfs.img
+mv "${root:?}"/boot/config-"$kver" "${root:?}"/usr/lib/modules/"$kver"/config
+mv "${root:?}"/boot/System.map-"$kver" "${root:?}"/usr/lib/modules/"$kver"/System.map
+
+# remove kernel symlinks from root
+rm "${root:?}"/vmlinuz* "${root:?}"/initrd.*
+
+khash=$(sha256sum "${root:?}"/usr/lib/modules/"$kver"/vmlinuz | awk '{print $1}')
+
+# add ostree style kernel links from /usr/lib/ostree-boot
+mkdir -p "${root:?}"/usr/lib/ostree-boot
+ln -s /usr/lib/modules/"$kver"/vmlinuz "${root:?}"/usr/lib/ostree-boot/vmlinuz-"$khash"
+ln -s /usr/lib/modules/"$kver"/initramfs.img "${root:?}"/usr/lib/ostree-boot/initramfs-"$khash"
diff --git a/hooks/build-os-post/40-ostree-demo-scripts b/hooks/build-os-post/40-ostree-demo-scripts
new file mode 100755
index 0000000..6ea5627
--- /dev/null
+++ b/hooks/build-os-post/40-ostree-demo-scripts
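Review bot: `kver=$(ls -1 "${root:?}"/usr/lib/modules)` assumes exactly one kernel directory exists; if the upgrade in 10-apt or a later install leaves two ABI versions there, kver becomes a two-line string and every `mv` and `ln` below points at a path that does not exist, so the build fails with a confusing error instead of a clear one. Glob and assert the count instead of parsing ls: `kvers=("${root:?}"/usr/lib/modules/*/); (( ${#kvers[@]} == 1 )) || { echo "expected exactly one kernel, found ${#kvers[@]}" >&2; exit 1; }; kver=$(basename "${kvers[0]}")`. Separately, `khash` is the sha256 of vmlinuz alone, so an initramfs-only rebuild produces identically named ostree-boot links; I believe ostree's own bootcsum is computed over kernel and initramfs together, which is worth confirming before anything beyond the demo relies on these names.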
@@ -0,0 +1,36 @@
+#!/bin/bash -xe
+
+set -o pipefail
+
+cat > "${root:?}"/usr/sbin/halo-upgrade << EOF
+#!/bin/bash -e
+
+set -o pipefail
+
+remote="${remote:?}"
+branch="${branch:?}"
+
+remote_ref=\$(ostree remote refs -r "\$remote" | egrep ^"\$remote":"\$branch"'\\s' | awk '{print \$2}')
+local_ref=\$(ostree refs -r | egrep ^"\$remote":"\$branch"'\\s' | awk '{print \$2}')
+
+if [ "\$local_ref" != "\$remote_ref" -a -n "\$remote_ref" ]; then
+ echo "OS Update available. Installing..."
+
+ set -x
+
+ ostree admin upgrade
+
+ grub-mkconfig -o /boot/grub/grub.cfg
+
+ set +x
+
+ echo "OS Update Installed. Press Enter to Reboot..."
+
+ read
+
+ reboot
+else
+ echo "No OS Update found."
+fi
+EOF
+chmod 755 "${root:?}"/usr/sbin/halo-upgrade
diff --git a/hooks/build-os-post/90-ostree-path-mangles b/hooks/build-os-post/90-ostree-path-mangles
new file mode 100755
index 0000000..b2709f3
--- /dev/null
+++ b/hooks/build-os-post/90-ostree-path-mangles
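Review bot: In the generated halo-upgrade, `set -e` together with `set -o pipefail` turns an `egrep` no-match into a silent exit: when the remote has no `$remote:$branch` ref, or the local repo does not yet carry it, the `remote_ref=` / `local_ref=` command substitutions return non-zero and the script dies before the `-n "\$remote_ref"` guard or the "No OS Update found." message is ever reached. Append `|| true` to both substitutions, e.g. `remote_ref=\$(ostree remote refs -r "\$remote" | grep -E ^"\$remote":"\$branch"'\\s' | awk '{print \$2}' || true)`, which also retires the deprecated `egrep`. Nothing in this hunk shows how the remote was added; whether `ostree admin upgrade` verifies commit signatures depends entirely on that remote's gpg-verify setting, so since this script is the whole update path it is worth confirming the remote is not configured with --no-gpg-verify. The bare `read` before `reboot` exits under `-e` when stdin is not a terminal, which is fine for the interactive demo but means the script cannot be run unattended.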
@@ -0,0 +1,47 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# remove everything from dev and var
+rm -rf "${root:?}"/dev/* "${root:?}"/var/*
+
+# add sysroot mountpoint and ostree link to root
+mkdir -p "${root:?}"/sysroot
+ln -s /sysroot/ostree "${root:?}"/ostree
+
+# add tmpfiles config to create expected directory structure
+cat > "${root:?}"/etc/tmpfiles.d/var.conf << EOF
+d /var/log/journal 0755 root root -
+L /var/home - - - - ../sysroot/home
+d /var/opt 0755 root root -
+d /var/srv 0755 root root -
+d /var/roothome 0700 root root -
+d /var/usrlocal 0755 root root -
+d /var/usrlocal/bin 0755 root root -
+d /var/usrlocal/etc 0755 root root -
+d /var/usrlocal/games 0755 root root -
+d /var/usrlocal/include 0755 root root -
+d /var/usrlocal/lib 0755 root root -
+d /var/usrlocal/man 0755 root root -
+d /var/usrlocal/sbin 0755 root root -
+d /var/usrlocal/share 0755 root root -
+d /var/usrlocal/src 0755 root root -
+d /var/mnt 0755 root root -
+d /run/media 0755 root root -
+d /var/games 0755 root root -
+EOF
+
+# move /etc to /usr/etc
+mv "${root:?}"/etc "${root:?}"/usr/etc
+mkdir "${root:?}"/etc # do we need this?
+
+# link persistent directories to /var
+for dir in home opt srv mnt tmp; do
+ rmdir "${root:?}"/"$dir"
+ ln -s /var/"$dir" "${root:?}"/"$dir"
+done
+
+rm -rf "${root:?}"/root
+ln -s /var/roothome "${root:?}"/root
+
+rm -rf "${root:?}"/usr/local
+ln -s /var/usrlocal "${root:?}"/usr/local
diff --git a/hooks/build-os/10-apt b/hooks/build-os/10-apt
new file mode 100755
index 0000000..65c7056
--- /dev/null
+++ b/hooks/build-os/10-apt
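Review bot: `mv "${root:?}"/etc "${root:?}"/usr/etc` bakes all of /etc, including /etc/shadow, into the /usr tree that becomes the ostree commit; by the time this post-hook runs, 70-system-config has already set a root password with chpasswd, so that hash ships to everyone who can fetch the repo (for an archive repo served over HTTP, that is anyone). For a demo with a deliberately public password that is acceptable, but the script should say so, e.g. `# NOTE: /usr/etc/shadow carries the demo root hash set in 70-system-config; do not publish this commit with a real password`, and the same caveat applies to ssh host keys if openssh-server is ever added before this step. `rm -rf "${root:?}"/var/*` also discards /var/lib/dpkg and /var/lib/apt, leaving the deployed OS without a package database; if that is intended, a one-line comment saying state is meant to come from ostree only would stop the next reader from "fixing" it. The `# do we need this?` on `mkdir "${root:?}"/etc` is best resolved in the comment itself; as far as I recall ostree populates the deployment's /etc from /usr/etc at deploy time, but I have not verified how it treats an empty /etc already present in the tree.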
@@ -0,0 +1,15 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# Enable additional sources
+cat > "${root:?}"/etc/apt/sources.list << EOF
+deb https://deb.debian.org/debian trixie main contrib non-free non-free-firmware
+
+deb https://deb.debian.org/debian trixie-updates main contrib non-free non-free-firmware
+
+deb https://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
+EOF
+
+# update/upgrade system
+chroot "${root:?}" apt-get update
+chroot "${root:?}" apt-get upgrade
diff --git a/hooks/build-os/20-kernel-boot b/hooks/build-os/20-kernel-boot
new file mode 100755
index 0000000..8aca938
--- /dev/null
+++ b/hooks/build-os/20-kernel-boot
@@ -0,0 +1,5 @@
+#!/bin/bash -xe
+set -o pipefail
+
+chroot "${root:?}" apt-get --assume-yes install firmware-linux grub-efi-amd64 \
+   linux-image-amd64 ostree-boot
diff --git a/hooks/build-os/50-network b/hooks/build-os/50-network
new file mode 100755
index 0000000..c2cb6ee
--- /dev/null
+++ b/hooks/build-os/50-network
@@ -0,0 +1,16 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# Append motd
+
+cat >> "${root:?}"/etc/motd << EOF
+
+${osname:?}/${osversion:?} (${osdesc:?}) v${version:?}
+EOF
+
+# Set hostname
+echo "${osname:?}-${osversion:?}" > "${root:?}"/etc/hostname
+echo "127.0.1.1 ${osname:?}-${osversion:?}" >> "${root:?}"/etc/hosts
+
+# Install network manager
+chroot "${root:?}" apt-get install -y network-manager
diff --git a/hooks/build-os/70-system-config b/hooks/build-os/70-system-config
new file mode 100755
index 0000000..0fc5bde
--- /dev/null
+++ b/hooks/build-os/70-system-config
@@ -0,0 +1,10 @@
+#!/bin/bash -xe
+set -o pipefail
+
+# Set a root password
+echo "root:guest" | chroot "${root:?}" chpasswd
+
+# Make console quieter
+cat > "${root:?}"/etc/sysctl.d/printk.conf << EOF
+kernel.printk = 3 4 1 3
+EOF
diff --git a/hooks/build-os/80-firstboot-repart-growfs b/hooks/build-os/80-firstboot-repart-growfs
new file mode 100755
index 0000000..78648cc
--- /dev/null
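Review bot: `chroot "${root:?}" apt-get upgrade` runs without `--assume-yes`, unlike the installs in 20-kernel-boot and 50-network, so whenever the mirror has anything newer than the base root apt asks for confirmation and, with no terminal attached to the build, aborts and fails the hook. Change it to `chroot "${root:?}" apt-get --assume-yes upgrade`, and consider exporting `DEBIAN_FRONTEND=noninteractive` into the chroot so debconf prompts cannot block the build either. The https sources with the default keyring are the right baseline for a demo.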
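Review bot: The install line pulls in `grub-efi-amd64` but neither `shim-signed` nor `grub-efi-amd64-signed`, so the resulting USB stick boots only on machines with Secure Boot disabled; if that is the intended scope, a comment on the line (`# unsigned grub: target must have Secure Boot disabled`) would save the next person a failed boot, otherwise the signed pair should be added. Without `--no-install-recommends` apt also installs everything these packages recommend, which grows an image that is meant to be immutable; confirm the extra packages are wanted before leaving the default.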
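Review bot: Both `cat >> "${root:?}"/etc/motd` and `echo ... >> "${root:?}"/etc/hosts` append, so running the hook twice over the same root, for instance after a later hook failed, leaves a doubled motd and duplicate hosts entries; guarding the hosts line with `grep -qF "127.0.1.1 ${osname:?}-${osversion:?}" "${root:?}"/etc/hosts || echo "127.0.1.1 ${osname:?}-${osversion:?}" >> "${root:?}"/etc/hosts` keeps it idempotent. The hostname is built from `${osversion:?}`; if that value may contain characters outside [A-Za-z0-9.-] (Debian-style versions often carry `+` or `~`), the result is not a valid hostname and should be sanitized or the constraint documented where osversion is defined, which is outside this hunk.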
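Review bot: `echo "root:guest" | chroot "${root:?}" chpasswd` hard-codes a well-known root password, and because the hook runs under `bash -xe` the trace prints that exact line to the build log; once the later post-hook moves /etc under /usr, the hash also ends up in the published ostree commit. If the demo needs a fixed password, say so in the comment and force a change on first login with `chroot "${root:?}" passwd --expire root` right after chpasswd; otherwise read the value from the environment the way the other hooks use `${root:?}` and bracket the line with `set +x` / `set -x` so it never reaches the log. The printk sysctl is fine as written.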
+++ b/hooks/build-os/80-firstboot-repart-growfs
@@ -0,0 +1,47 @@
+#!/bin/bash -xe
+
+set -o pipefail
+
+# Configure systemd-growfs-root
+mkdir "${root:?}"/etc/systemd/system/systemd-growfs-root.service.d
+
+cat > "${root:?}"/etc/systemd/system/systemd-growfs-root.service.d/override.conf << EOF
+[Unit]
+ConditionFirstBoot=yes
+
+[Service]
+ExecStart=/usr/lib/systemd/systemd-growfs /sysroot
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+chroot "${root:?}" systemctl enable systemd-growfs-root.service
+
+# Configure systemd-repart
+
+mkdir "${root:?}"/etc/repart.d
+
+cat > "${root:?}"/etc/repart.d/50-root.conf << EOF
+[Partition]
+Type=linux-generic
+GrowFileSystem=yes
+EOF
+
+chroot "${root:?}" apt-get install -y systemd-repart
+
+# Configure systemd-firstboot
+
+mkdir "${root:?}"/etc/systemd/system/systemd-firstboot.service.d
+cat > "${root:?}"/etc/systemd/system/systemd-firstboot.service.d/install.conf << EOF
+[Service]
+ExecStart=
+ExecStart=/usr/bin/systemd-firstboot --prompt
+
+[Install]
+WantedBy=sysinit.target
+EOF
+
+chroot "${root:?}" systemctl enable systemd-firstboot.service
+
+rm "${root:?}"/etc/{machine-id,localtime}
diff --git a/hooks/build-os/90-cleanup b/hooks/build-os/90-cleanup
new file mode 100755
index 0000000..d0b7b6f
--- /dev/null
+++ b/hooks/build-os/90-cleanup
@@ -0,0 +1,4 @@
+#!/bin/bash -xe
+set -o pipefail
+
+chroot "${root:?}" apt-get clean
|
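Review bot: The systemd-growfs-root drop-in adds `ExecStart=/usr/lib/systemd/systemd-growfs /sysroot` without first clearing the unit's existing ExecStart, unlike the systemd-firstboot drop-in a few lines below which correctly resets it with an empty `ExecStart=`; for a oneshot unit that means the stock `systemd-growfs /` and the `/sysroot` command both run on first boot, the former most likely failing against the ostree root. The `[Service]` section should read `ExecStart=` followed by `ExecStart=/usr/lib/systemd/systemd-growfs /sysroot`. I am inferring the stock unit's contents from Debian's systemd packaging rather than from this diff, so check it on the target version. A short comment on `rm "${root:?}"/etc/{machine-id,localtime}` noting that removing machine-id is what makes `ConditionFirstBoot=yes` true on the deployed system would help the next reader, since the link between the two is not obvious.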
