It allows to preconfigure a list of known host keys.
But the primary use case will probably be trusting signatures from SSH CAs for host keys.
Example:
---
sysconfig:
ssh_known_hosts:
myhost.example.org: "ssh-ed25519 AAAAC3NzaC1l...JJTO48B"
"@cert-authority *.mydomain.org": "ssh-rsa AAAAB3NzaC1y...Zhk0="
Do this by asking max 6 times for a password, then continue with the next device.
Also fix a bug when an encrypted device on LVM leads to the same device
name for the encrypted and unencrypted device.
Application indicators are supported since xfce4-panel 4.16.0. Update panel's systray configuration accordingly:
- show-frame was removed.
d77b3b382d8a9c40600a
- size-max was renamed to icon-size. Specifying 0 means "Adjust size automatically".
3d12067c0837b15df58c
- names-visible was renamed to known-items (application indicator) and known-legacy-items (xembed).
6e5e8f5f617a0b8c36bc
Precreating the file and directory makes it easier for the user to add their key
since the correct permissions are already set.
This does not interfere with using the yaml config to set a key or using
the mechanisms described in https://systemd.io/CREDENTIALS/
Without this second faketime call the TLS certificate validity times will pose a problem when
downloading from https mirrors.
Hopefully fixes#313 for good.
Allows to preconfigure common commands so that they can be accessed by just pressing
the up arrow key or searched with ctrl+r.
Move the "setkmap" command (which was previously hardcoded into .bash_history) into
100-defaults.yaml, allowing it to be overridden.
Example config:
sysconfig:
bash_history:
100: "setkmap"
200: "reverse_ssh support.example.com 1234"
The Mapping / dict key is used for lexicographic reverse-ordering of the entries. Reverse-ordering
means the lowest key will show up first when pressing the up arrow key.
Given some circumstances like matching IDs and partition setup, systemd-gpt-auto-generator
will auto-mount specially marked partitions. This would interfere with SystemRescue and also
go against the no-automount policy of SystemRescue.
So remove systemd-gpt-auto-generator during build.
VNC does not make much sense if X11 isn't running.
Automatically starting X11 on dovnc was done before SystemRescue 9.00, but
this logic seems to have been lost in the option handling code refactoring.
since recently /run/archiso/copytoram is bind-mounted to /run/archiso/bootmnt.
This means sysrescue-configuration.lua should just load yaml files from
/run/archiso/bootmnt and not both, otherwise they would be loaded twice.
Configuring the nofirewall option by the sysrescue-initialize script must be done before the ip6?tables service.
Configuring the firewall should be finished before beginning to initialize the network.
But the rest of sysrescue-initialize should still be done in parallel to networking
being set up for a fast boot sequence. Also some services in sysrescue-initialize require
networking being online, for example load_srm with a remote url.
The proper way to accommodate all these needs is to split sysrescue:
sysrescue-initialize-prenet: must be finished before the network-pre.target
sysrescue-initialize-whilenet: started after sysrescue-initialize-prenet, can run in parallel
to networking being set up.
- Implement a new style configuring autorun scripts ("autorun.exec"), more suited to a YAML config file than the old style (#287)
- The old style autorun scripts are still fully supported, they are loaded into keys from "1000-autorun" to "1026-autorunF"
- change the default for ar_nowait to true
- add "shell" option for new autorun exec scripts: let bash interpret the command instead of directly forking it from python
- allow to wait for keypress with a countdown timer, all keys are accepted now (instead of just enter as in the past)
- fix is_elf_binary
- improve output and logging (#253)
- use curl instead of wget for downloading scripts from URLs
- bind-mount /run/archios/bootmnt in case of copytoram to create a stable path for the new-style scripts
- deprecate storing autorun scripts in the root of the boot disk (#252)
- don't check /var/autorun/cdrom for autorun scripts anymore, it was not documented and there are more than enough better alternatives
- call yay through a wrapper to take care of root/sudo handling
- add yay-prepare to reinstall everything that was stripped for size (like /usr/include)
- yay-prepare creates a yay user and sudo rights
- the wrapper is installed in /usr/bin/yay, we want it to clash with yay-packages that aren't adapted to SystemRescue
The binutils package is installed in SystemRescue for some time, so actually use it.
The busybox ar is inferior to the binutils one, causing problems when building
some packages with yay.
mkpasswd is finally available packaged on Arch, so add it to allow
manually replacing a password in /etc/shadow, for when chroots or
pam don't work as wanted. Also supports advanced hash algos like
yescrypt that can't be set via the pam stack yet.
Because the source for mkpasswd is part of the whois package, it
is currently packaged as part of whois. But it might get it's own
package in the future, so add a check for /usr/bin/mkpasswd during
build time.
rclone needs a rclone.conf file before it can be used, it contains
the urls, login data and similar.
Use the sysconfig.rclone.config hierarchy instead of just sysconfig.rclone
to allow adding features later. These could be support for encrypted
rclone config files (these would then go into sysconfig.rclone.crypted_config)
or things like automounting.
it is usually run during initramfs: we don't have a CA database there, so
all https downloads would fail otherwise.
Not doing cert verification at this step is clearly documented, so no
unexpected security risk for the user.
Qt 5 and 6 package translation files for common widgets that programs
can opt to use. These translation files take up about 2 MB of the final
iso image.
When the translations are removed, qt is designed to show messages
in the default language, English.
SystemRescue currently contains 2 programs using qt5 and qt6. I
tested both with the default en_US.UTF-8 and custom de_DE.UTF-8 locales:
featherpad: contains it's own complete translation. It's UI uses the
configured locale and it works regardless if the qt-translations are
installed or not.
yubikey-personalization-gui: doesn't use the translations at all and
is always shown in English. Removing the qt translations doesn't change
anything.
So programs coming with SystemRescue by default aren't affected. Also
other qt programs the user could install won't be affected. Only if the
user also changes the default locale, parts of some programs might be
now shown in English, like many other parts of SystemRescue that don't
come with translations.
