From ada76caa1f8daa5183663fa101d8c8ec5e15acf6 Mon Sep 17 00:00:00 2001 
From: veilor-org Date: Sat, 2 May 2026 05:33:22 +0100 Subject: [PATCH] v0.5.2: move veilor-installer + veilor-firstboot to /usr/local/bin MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit QEMU boot test of v0.5.1 (commit 1c99ae0) revealed both scripts missing from /usr/local/sbin/ on running system, despite being in overlay/usr/local/sbin/ in the source tree. Root cause: Fedora's filesystem package (or post-install scriptlet) rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart %post --nochroot's overlay copy runs. The cp -a placed files in /usr/local/sbin/ as a real directory; the symlink replacement deleted them. Confirmed via tty diagnostic: `ls -la /usr/local` shows `lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin second. Fix: move both binaries to overlay/usr/local/bin/ where they're safe from the symlink rewrite. Update all references: - kickstart/veilor-os.ks chmod path + chown + diagnostic ls - overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart - overlay/etc/systemd/system/veilor-firstboot.service ExecStart - scripts/selinux/build-policy.sh fcontext + restorecon paths - generated install ks template inside veilor-installer Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/ unchanged. The veilor-installer binary in /usr/local/bin/ is discoverable via $PATH same as before. --- kickstart/veilor-os.ks | 6 +++--- .../system/getty@tty1.service.d/veilor-installer.conf | 2 +- overlay/etc/systemd/system/veilor-firstboot.service | 2 +- overlay/usr/local/{sbin => bin}/veilor-firstboot | 0 overlay/usr/local/{sbin => bin}/veilor-installer | 8 ++++---- scripts/selinux/build-policy.sh | 6 +++--- 6 files changed, 12 insertions(+), 12 deletions(-) rename overlay/usr/local/{sbin => bin}/veilor-firstboot (100%) rename overlay/usr/local/{sbin => bin}/veilor-installer (98%) 
diff --git a/kickstart/veilor-os.ks b/kickstart/veilor-os.ks index 483ba05..581b4ab 100644 --- a/kickstart/veilor-os.ks +++ b/kickstart/veilor-os.ks @@ -182,7 +182,7 @@ cp -a "$SRC/scripts" "$DEST/usr/share/veilor-os/" || echo "[ERR] scripts cp fail ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp" # Force root ownership on everything we copied — `cp -a` preserves # CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d. -chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" "$DEST/usr/local/sbin" 2>&1 || echo "[WARN] chown failed" +chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" 2>&1 || echo "[WARN] chown failed" set +x # Persist nochroot log into installed system for diagnostics @@ -191,7 +191,7 @@ set +x date echo "SRC=$SRC DEST=$DEST" ls -la "$DEST/usr/share/veilor-os/" 2>&1 - ls -la "$DEST/usr/local/sbin/" 2>&1 + ls -la "$DEST/usr/local/bin/" 2>&1 } > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true %end @@ -205,7 +205,7 @@ echo " veilor-os install — %post" echo "════════════════════════════════════════════════════════" REPO=/usr/share/veilor-os -chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/bin/veilor-update /usr/local/bin/veilor-doctor /usr/local/sbin/veilor-firstboot /usr/local/sbin/veilor-installer +chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh /usr/local/bin/veilor-power /usr/local/bin/veilor-update /usr/local/bin/veilor-doctor /usr/local/bin/veilor-firstboot /usr/local/bin/veilor-installer # Live image plumbing (matches upstream Fedora live ks). Without these the # squashfs/EFI build fails — livesys-scripts ships systemd units lorax expects. diff --git a/overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf b/overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf index a2735ee..df2fcca 100644 --- a/overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf 
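Review bot: The `chown -R 0:0 …` line in the @@ -182 hunk still only prints `[WARN] chown failed` when it fails, and after this commit `$DEST/usr/local/bin` holds veilor-installer and veilor-firstboot, which the systemd units in this patch execute (as root, unless a `User=` is set outside these hunks). If the chown does not take effect, those files keep the CI runner uid (1001) named in the comment above it, so whichever local account later receives that uid could rewrite a root-executed script. I would make the step fatal, e.g. `chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" || { echo "[ERR] chown failed"; exit 1; }`, with `--erroronfail` on the `%post` header if it is not already there (the header is outside the hunk). It is also worth confirming that nothing else in the overlay still lands in usr/local/sbin, now that the path is dropped from the list. The same line is duplicated in the generated template in overlay/usr/local/bin/veilor-installer (@@ -418) and needs the same change.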
+++ b/overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf @@ -3,7 +3,7 @@ # isn't copied into target system — see kickstart/install.ks). [Service] ExecStart= -ExecStart=-/usr/local/sbin/veilor-installer +ExecStart=-/usr/local/bin/veilor-installer StandardInput=tty StandardOutput=tty StandardError=tty diff --git a/overlay/etc/systemd/system/veilor-firstboot.service b/overlay/etc/systemd/system/veilor-firstboot.service index fb75342..9a8f27f 100644 --- a/overlay/etc/systemd/system/veilor-firstboot.service +++ b/overlay/etc/systemd/system/veilor-firstboot.service @@ -9,7 +9,7 @@ Conflicts=sddm.service [Service] Type=oneshot RemainAfterExit=no -ExecStart=/usr/local/sbin/veilor-firstboot +ExecStart=/usr/local/bin/veilor-firstboot StandardInput=tty StandardOutput=tty StandardError=tty diff --git a/overlay/usr/local/sbin/veilor-firstboot b/overlay/usr/local/bin/veilor-firstboot similarity index 100% rename from overlay/usr/local/sbin/veilor-firstboot rename to overlay/usr/local/bin/veilor-firstboot diff --git a/overlay/usr/local/sbin/veilor-installer b/overlay/usr/local/bin/veilor-installer similarity index 98% rename from overlay/usr/local/sbin/veilor-installer rename to overlay/usr/local/bin/veilor-installer index f1c7047..deb84c7 100644 --- a/overlay/usr/local/sbin/veilor-installer +++ b/overlay/usr/local/bin/veilor-installer @@ -418,7 +418,7 @@ cp -a "$SRC/scripts" "$DEST/usr/share/veilor-os/" || echo "[ERR] scripts cp fail ls -la "$DEST/usr/share/veilor-os/" 2>&1 || echo "[ERR] dest dir missing post-cp" # Force root ownership on everything we copied — `cp -a` preserves # CI runner uid (1001), which makes sudo refuse to read /etc/sudoers.d. -chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" "$DEST/usr/local/sbin" 2>&1 || echo "[WARN] chown failed" +chown -R 0:0 "$DEST/etc" "$DEST/usr/share/veilor-os" "$DEST/usr/local/bin" 2>&1 || echo "[WARN] chown failed" set +x { 
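Review bot: `ExecStart=-/usr/local/bin/veilor-installer` keeps the `-` prefix, which tells systemd to treat a failed start as success, so a wrong or missing path here (the failure this commit repairs) would still leave the unit looking healthy. Because the drop-in also resets the inherited command with the empty `ExecStart=`, tty1 would then presumably have neither installer nor login prompt. I would document this in the file, e.g. `# '-' prefix: start failures are ignored; if this path is wrong tty1 stays blank and the unit still reports success`. The QEMU boot test could also assert that /usr/local/bin/veilor-installer exists, is executable and is owned by root. The rest of the drop-in is outside the hunk.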
@@ -426,7 +426,7 @@ set +x date echo "SRC=$SRC DEST=$DEST" ls -la "$DEST/usr/share/veilor-os/" 2>&1 - ls -la "$DEST/usr/local/sbin/" 2>&1 + ls -la "$DEST/usr/local/bin/" 2>&1 } > "$DEST/var/log/veilor-nochroot.log" 2>&1 || true %end @@ -441,8 +441,8 @@ echo "════════════════════════ REPO=/usr/share/veilor-os chmod +x $REPO/scripts/*.sh $REPO/scripts/selinux/*.sh \ - /usr/local/bin/veilor-power /usr/local/sbin/veilor-firstboot \ - /usr/local/sbin/veilor-installer 2>/dev/null || true + /usr/local/bin/veilor-power /usr/local/bin/veilor-firstboot \ + /usr/local/bin/veilor-installer 2>/dev/null || true # /etc/machine-id reset on first boot > /etc/machine-id diff --git a/scripts/selinux/build-policy.sh b/scripts/selinux/build-policy.sh index 809f1ab..a64fa5c 100755 --- a/scripts/selinux/build-policy.sh +++ b/scripts/selinux/build-policy.sh @@ -3,7 +3,7 @@ # # Modules: # veilor-systemd — capabilities for systemd-modules-load (post-boot lock) -# veilor-firstboot — confine /usr/local/sbin/veilor-firstboot one-shot +# veilor-firstboot — confine /usr/local/bin/veilor-firstboot one-shot # # Usage: # sudo ./build-policy.sh # build + install all @@ -33,9 +33,9 @@ done if printf '%s\n' "${MODULES[@]}" | grep -qx veilor-firstboot; then if command -v restorecon >/dev/null 2>&1; then # Mark the binary + state file with the right types. - semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/sbin/veilor-firstboot' 2>/dev/null || true + semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot' 2>/dev/null || true semanage fcontext -a -t veilor_firstboot_state_t '/var/lib/veilor-firstboot\.done' 2>/dev/null || true - restorecon -v /usr/local/sbin/veilor-firstboot 2>/dev/null || true + restorecon -v /usr/local/bin/veilor-firstboot 2>/dev/null || true [[ -e /var/lib/veilor-firstboot.done ]] && restorecon -v /var/lib/veilor-firstboot.done 2>/dev/null || true fi fi
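Review bot: The `chmod +x … 2>/dev/null || true` in the @@ -441 hunk discards every error, so if veilor-firstboot or veilor-installer is absent at this point the generated %post leaves no trace, which is the kind of silent loss this commit had to track down with a boot test. Dropping the redirect and logging instead, e.g. replacing the tail with `|| echo "[WARN] chmod failed, check /usr/local/bin contents"`, keeps the step best-effort while recording the failure. The list here also omits veilor-update and veilor-doctor, which the matching chmod in kickstart/veilor-os.ks (@@ -205) includes. If that difference is intended, a one-line comment saying so would help, since the two copies are kept in sync by hand.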
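Review bot: In the @@ -33 hunk of scripts/selinux/build-policy.sh, both `semanage fcontext -a -t veilor_firstboot_exec_t '/usr/local/bin/veilor-firstboot'` and the following `restorecon -v` send errors to /dev/null and end in `|| true`. If labelling fails, the script keeps whatever default type /usr/local/bin gives it and presumably never enters the domain this module is meant to confine it to, with no message. On a system where an earlier build already registered the `/usr/local/sbin/veilor-firstboot` rule, that stale entry is also left behind. I would delete the old rule with `semanage fcontext -d '/usr/local/sbin/veilor-firstboot' 2>/dev/null || true` and let the `-a` call fall back to `semanage fcontext -m …` rather than to `true`. Checking `ls -Z /usr/local/bin/veilor-firstboot` for `veilor_firstboot_exec_t` after restorecon, with a warning on mismatch, would confirm the label was applied.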