QEMU boot test of v0.5.1 (commit 3cbffaf) revealed both scripts
missing from /usr/local/sbin/ on running system, despite being in
overlay/usr/local/sbin/ in the source tree.

Root cause: Fedora's filesystem package (or post-install scriptlet)
rewrites /usr/local/sbin → /usr/local/bin symlink AFTER kickstart
%post --nochroot's overlay copy runs. The cp -a placed files in
/usr/local/sbin/ as a real directory; the symlink replacement
deleted them.

Confirmed via tty diagnostic: `ls -la /usr/local` shows
`lrwxrwxrwx ... sbin -> bin` with bin mtime predating sbin symlink
ctime by ~5min — overlay copy ran first, scriptlet rewrote sbin
second.

Fix: move both binaries to overlay/usr/local/bin/ where they're
safe from the symlink rewrite. Update all references:

- kickstart/veilor-os.ks chmod path + chown + diagnostic ls
- overlay/etc/systemd/system/getty@tty1.service.d/veilor-installer.conf ExecStart
- overlay/etc/systemd/system/veilor-firstboot.service ExecStart
- scripts/selinux/build-policy.sh fcontext + restorecon paths
- generated install ks template inside veilor-installer

Service drop-in stays at /etc/systemd/system/getty@tty1.service.d/
unchanged. The veilor-installer binary in /usr/local/bin/ is
discoverable via $PATH same as before.
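
A post-install check for the failure mode the commit message describes, as an added example that is not part of the commit or the veilor-os tree: it flags any expected executable whose parent directory is a symlink or that is missing from the installed root. The function names, the throwaway root built by `make_rewritten_root`, and the choice of the two file names as samples are assumptions.

```shell
# Added example, POSIX sh. Paths and names below are constructed samples.

# Print the nearest parent directory of absolute path $2 that is a symlink
# under install root $1; return 1 when every parent is a real directory.
symlinked_parent() {
    local root="${1%/}" dir
    dir=$(dirname "$2")
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        if [ -L "$root$dir" ]; then printf '%s\n' "$dir"; return 0; fi
        dir=$(dirname "$dir")
    done
    return 1
}

# Check each absolute path under root $1; return the number of failures.
verify_overlay() {
    local root="${1%/}" path link failures=0
    shift
    for path in "$@"; do
        if link=$(symlinked_parent "$root" "$path"); then
            echo "FAIL $path: $link is a symlink to $(readlink "$root$link")"
            failures=$((failures + 1))
        elif [ ! -f "$root$path" ] || [ ! -x "$root$path" ]; then
            echo "FAIL $path: missing or not executable"
            failures=$((failures + 1))
        else
            echo "ok   $path"
        fi
    done
    return "$failures"
}

# Constructed reproduction: files are copied into a real sbin/, then sbin is
# replaced by a symlink to bin, which discards them.
make_rewritten_root() {
    local root name
    root=$(mktemp -d) || return 1
    mkdir -p "$root/usr/local/bin" "$root/usr/local/sbin"
    for name in veilor-installer veilor-firstboot; do
        : > "$root/usr/local/sbin/$name"
        chmod 0755 "$root/usr/local/sbin/$name"
    done
    : > "$root/usr/local/bin/veilor-installer"   # one file at the fixed path
    chmod 0755 "$root/usr/local/bin/veilor-installer"
    rm -rf "$root/usr/local/sbin"
    ln -s bin "$root/usr/local/sbin"
    printf '%s\n' "$root"
}
```

The check is only meaningful once package scriptlets have finished, for example on the booted image; run at overlay-copy time it would still see a real `sbin/` directory and pass.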
54 lines
1.8 KiB
Bash
Executable file
```bash
#!/usr/bin/bash
# veilor-firstboot — set admin password on first boot, then self-disable.
# Runs on TTY1 before SDDM. Only fires while admin password is empty/expired.

set -uo pipefail

STATE=/var/lib/veilor-firstboot.done
[[ -f $STATE ]] && exit 0

# Branded banner
clear
cat << 'EOF'

┌──────────────────────────────────────────────────────────┐
│                                                          │
│   veilor-os                                              │
│   first boot — admin password                            │
│                                                          │
└──────────────────────────────────────────────────────────┘

Set a password for the local admin account.

Requirements: minimum 14 characters, at least one digit,
one uppercase, one lowercase, one special character.

EOF

# Loop until passwd succeeds (pwquality enforces complexity)
until passwd admin; do
    echo
    echo " Password not accepted. Try again."
    echo
    sleep 1
done

# Mark done so service doesn't fire again
touch "$STATE"

# Disable self for next boots
systemctl disable veilor-firstboot.service >/dev/null 2>&1 || true

echo
echo " Password set."
echo " Re-enabling SELinux enforcing mode..."

# Re-enable SELinux (build-time disabled to bypass pcre2/regex mismatch).
# Set to enforcing for next boot, schedule full relabel.
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config 2>/dev/null
touch /.autorelabel 2>/dev/null
echo " Starting graphical session..."
sleep 2

# Start SDDM (was held back by service ordering)
systemctl start sddm.service
```