[bug#48314,v5] Install guix system on Raspberry Pi

Message ID j-6Mh97olCgYy-HTnXD1Wddae1w06eUlRPTw9m2QCxidzQeWs7nIp9EBjGrtgSdImIddGLbRv6mI9cwKeFr5Y9KiaOQfVsMVmFy1DXbQ3I4=@protonmail.com
State New

Checks

- cbaines/applying patch: fail
- cbaines/issue: success

Commit Message

phodina April 14, 2022, 12:23 p.m. UTC
Thanks Maxime,

sorry for the silly mistake.

Here are the updated patches. The last changes are part of the 4th patch in the patch set.

After the build I installed it to the SD card using the following command:

sudo -E ./pre-inst-env guix system init gnu/system/examples/raspberry-pi-64.tmpl /mnt

However, I experience an issue when logging into the system. I can get there using my SSH key, but it seems the passwd set-uid binary is missing from the profile:

$ ssh pi@192.168.1.181
You are required to change your password immediately (administrator enforced).
WARNING: Your password has expired.
passwd: no such file or directory

I understand that the password is not set and the account is accessed through SSH, so it asks after login to change it. How come it's possible to change it? I tried to add shadow into the packages, but the error said it's already part of the system, so my guess is that it's just missing in the PATH variable. Could it be due to the fact that it's present in /run/setuid-programs?

----
Petr

Comments

phodina April 14, 2022, 1:03 p.m. UTC | #1
Here are more details about the login issue.

I've chrooted into the SD card and set up the password for the pi user manually.

Then booted the board and logged in:

~$ ssh pi@192.168.1.181
Last login: Thu Apr 14 14:52:56 2022 from 192.168.1.224
Could not chdir to home directory /home/pi: Permission denied
-bash: /home/pi/.bash_profile: Permission denied
-bash-5.1$ id -u
1002
-bash-5.1$ id -gn
users
-bash-5.1$ sudo -E /gnu/store/ja92d7xpmyh94gm6n83bajx9dy4h6pbl-bash-5.1.8/bin/bash
root@raspberrypi-guix /# ls -al /home/pi
total 40
drwx------ 4 1000 users 4096 Nov 24 08:16 ./
drwxr-xr-x 4 root root  4096 Jan  1  1970 ../
-rw-r--r-- 1 1000 users   85 Jan  1  1970 .bash_profile
-rw-r--r-- 1 1000 users  834 Jan  1  1970 .bashrc
drwxr-xr-x 3 1000 users 4096 Jan  1  1970 .config/
-rw-r--r-- 1 1000 users  235 Jan  1  1970 .gdbinit
-rw-r--r-- 1 1000 users  789 Jan  1  1970 .guile
drwxr-xr-x 2 root root  4096 Nov 24 08:16 .ssh/
-rw-r--r-- 1 1000 users   47 Jan  1  1970 .Xdefaults
-rw-r--r-- 1 1000 users   62 Jan  1  1970 .zprofile


As you can see, the execute bit is missing. Therefore running

chmod +x /home/pi/

fixed the problem. But I'm unsure why the home dir was created without those flags.

Is it a side effect of using the following declaration?

(home-directory "/home/pi")

----
Petr
M April 14, 2022, 1:57 p.m. UTC | #2
phodina schreef op do 14-04-2022 om 13:03 [+0000]:
> ~$ ssh pi@192.168.1.181
> Last login: Thu Apr 14 14:52:56 2022 from 192.168.1.224
> Could not chdir to home directory /home/pi: Permission denied
> -bash: /home/pi/.bash_profile: Permission denied
> -bash-5.1$ id -u
> 1002
> -bash-5.1$ id -gn
> users
> -bash-5.1$ sudo -E /gnu/store/ja92d7xpmyh94gm6n83bajx9dy4h6pbl-bash-5.1.8/bin/bash
> root@raspberrypi-guix /# ls -al /home/pi
> total 40
> drwx------ 4 1000 users 4096 Nov 24 08:16 ./

You are logging in as 1002.  /home/pi is owned by ‘1000’.  Is this
difference intentional?

Maybe you have added two users, but with the home directory?
(guesswork).

> As you can see the execute bit is missing. Therefore running

The user has the read-write-execute bits, the group and other don't.

> chmod +x /home/pi/
>
> fixed the problem. But I'm unsure why the home dir was created
> without the those flags.

I'm not on Guix System at the moment, so I cannot tell what the usual
behaviour is, but why wouldn't the home directory be non-group-executable
and non-other-executable?

Unless you want to share the contents of your home to other users on
the system, or if you have a web server that looks for
http://.../~pi/index.html in /home/pi/web/index.html or the like,
restricting readability, writability and executability to the actual
‘owner’ of the directory seems good security practice to me.

Usually, AFAICT, all that's needed is for $HOME to be user-readable,
writable and executable.

(/me quickly does "chmod go-rwx $HOME")

Greetings,
Maxime.
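The permission rule Maxime describes, as an added example that is not part of this thread or of Guix: a POSIX traversal check that reproduces the `chdir` failure above and shows why fixing the owner uid resolves it without widening the mode. The gid 100 for the `users` group is a constructed value.

```python
import stat

# POSIX directory-traversal check (the "x" bit).  Exactly one permission
# class applies to a process: owner if the uid matches, otherwise group if
# any of its gids match, otherwise "other".  Root bypasses these checks.

def parse_ls_mode(field):
    """Convert an ls -l mode field such as 'drwx------' to permission bits."""
    bits = 0
    for ch in field[1:10]:
        bits = (bits << 1) | (ch not in "-ST")   # 'S'/'T' mean no x bit
    return bits

def can_traverse(mode, owner_uid, owner_gid, uid, gids):
    """True if a process with UID/GIDS may chdir into a directory owned by
    OWNER_UID:OWNER_GID whose permission bits are MODE."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def diagnose(mode, owner_uid, owner_gid, uid, gids):
    """Explain a 'Could not chdir to home directory' failure and name the
    fix that keeps the directory private to its owner."""
    if can_traverse(mode, owner_uid, owner_gid, uid, gids):
        return "ok"
    if uid != owner_uid:
        return (f"uid {uid} is not the owner ({owner_uid}); mode {mode:04o} "
                "denies traversal to non-owners. Fix ownership (chown) or pin "
                "the account's uid rather than widening the mode.")
    return f"owner lacks the x bit (mode {mode:04o}); chmod u+x is needed."

if __name__ == "__main__":
    # Constructed from the thread: /home/pi is 1000:users (gid 100 assumed),
    # mode drwx------, and the login shell runs as uid 1002 in group users.
    mode = parse_ls_mode("drwx------")
    print(diagnose(mode, 1000, 100, 1002, {100}))          # failure explained
    print(diagnose(mode | 0o011, 1000, 100, 1002, {100}))  # after chmod +x: ok
    print(diagnose(mode, 1002, 100, 1002, {100}))          # after chown: ok
```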
M April 14, 2022, 2 p.m. UTC | #3
phodina schreef op do 14-04-2022 om 12:23 [+0000]:
> However, I experience an issue when login into the system. I can get
> there using my SSH key, but it seems the passwd set-uid binary is
> missing from the profile:
> 
> $ ssh pi@192.168.1.181
> You are required to change your password immediately (administrator
> enforced).
> WARNING: Your password has expired.
> passwd: no such file or directory
> [...]

I don't know what's going on here, though the ‘passwd not in $PATH’
seems a plausible hypothesis to me.

Greetings,
Maxime.
Patch

From 7e13ab0bb33e0f90b094ad4e2759e6e8bc1e8e9c Mon Sep 17 00:00:00 2001
From: Stefan <stefan-guix@vodafonemail.de>
Date: Wed, 13 Apr 2022 21:19:41 +0200
Subject: [PATCH v5 8/8] gnu: raspberry-pi: Add a bootloader-chain for the
 Raspberry Pi and os examples.

* gnu/packages/raspberry-pi.scm (grub-efi-bootloader-chain-raspi-64): New
bootloader variable, capable to boot a Raspberry Pi over network or from a
local storage.
* gnu/system/examples/raspberry-pi-64.tmpl: New operating-system example.
* gnu/system/examples/raspberry-pi-64-nfs-root.tmpl: New operating-system
example for booting over network.

diff --git a/gnu/packages/raspberry-pi.scm b/gnu/packages/raspberry-pi.scm
index d808f61ac2..d52a4a72c5 100644
--- a/gnu/packages/raspberry-pi.scm
+++ b/gnu/packages/raspberry-pi.scm
@@ -18,11 +18,14 @@ 
 ;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
 
 (define-module (gnu packages raspberry-pi)
+  #:use-module (gnu bootloader)
+  #:use-module (gnu bootloader grub)
   #:use-module (gnu packages)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages algebra)
   #:use-module (gnu packages base)
   #:use-module (gnu packages bash)
+  #:use-module (gnu packages bootloaders)
   #:use-module (gnu packages commencement)
   #:use-module (gnu packages cross-base)
   #:use-module (gnu packages documentation)
@@ -312,6 +315,22 @@  (define-public (make-raspi-bcm28-dtbs linux)
      (simple-format #f "The device-tree files for Raspberry Pi models from ~a."
              (package-name linux)))))
 
+(define-public grub-efi-bootloader-chain-raspi-64
+  ;; A bootloader capable to boot a Raspberry Pi over network via TFTP or from
+  ;; a local storage like a micro SD card.
+  ;; It neither installs firmware nor device-tree files for the Raspberry Pi.
+  ;; It just assumes them to be existing in boot/efi in the same way that some
+  ;; UEFI firmware with ACPI data is usually assumed to be existing on PCs.
+  ;; It creates firmware configuration files and a bootloader-chain with U-Boot
+  ;; to provide an EFI API for the final GRUB bootloader.
+  ;; It also serves as a blue-print to create an own bootloader-chain with
+  ;; firmwre and device-tree packages or files.
+  (efi-bootloader-chain grub-efi-netboot-removable-bootloader
+                        #:packages (list u-boot-rpi-efi-64)
+                        #:files (list %raspi-config-txt
+                                      %raspi-bcm27-dtb-txt
+                                      %raspi-u-boot-bootloader-txt)))
+
 (define (make-raspi-defconfig arch defconfig sha256-as-base32)
   "Make for the architecture ARCH a file-like object from the DEFCONFIG file
 with the hash SHA256-AS-BASE32.  This object can be used as the #:defconfig
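Review bot: the comment block above `grub-efi-bootloader-chain-raspi-64` has a typo, `firmwre` for `firmware`, and `capable to boot` should read `capable of booting`. Since the comment says the chain installs neither firmware nor device-tree files and only assumes they exist in boot/efi, it would help to state explicitly that the user is responsible for placing and updating those files, so nobody expects `guix system init` to provision a bootable partition on its own.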
diff --git a/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl
new file mode 100644
index 0000000000..c006a287fb
--- /dev/null
+++ b/gnu/system/examples/raspberry-pi-64-nfs-root.tmpl
@@ -0,0 +1,73 @@ 
+;; This is an operating-system configuration template of a
+;; 64-bit minimal system for a Raspberry Pi with an NFS root file-system.
+
+;; It neither installs firmware nor device-tree files for the Raspberry Pi.
+;; It just assumes them to be existing in boot/efi in the same way that some
+;; UEFI firmware with ACPI data is usually assumed to be existing on PCs.
+
+;; It expects the boot/efi directory to be served via TFTP and the root
+;; file-system to be served via NFS. See the grub-efi-netboot-bootloader
+;; description in the manual for more details.
+
+(use-modules (gnu)
+             (gnu artwork)
+             (gnu system nss))
+(use-service-modules admin
+                     avahi
+                     networking
+                     ssh)
+(use-package-modules certs
+                     linux
+                     raspberry-pi
+                     ssh)
+
+(define %my-public-key
+  (local-file (string-append (getenv "HOME") "/.ssh/id_ecdsa.pub")))
+
+(define-public raspberry-pi-64-nfs-root
+  (operating-system
+   (host-name "raspberrypi-guix")
+   (timezone "Europe/Berlin")
+   (bootloader (bootloader-configuration
+                (bootloader grub-efi-bootloader-chain-raspi-64)
+                (targets '("/boot/efi"))
+                (theme (grub-theme (resolution '(1920 . 1080))
+                       (image (file-append
+                               %artwork-repository
+                               "/grub/GuixSD-fully-black-16-9.svg"))))))
+   (kernel-arguments '("ip=dhcp"))
+   (kernel (modify-linux #:linux linux-libre-arm64-generic
+                         #:extra-version "arm64-generic-netboot"
+                         #:configs '("CONFIG_NFS_SWAP=y"
+                                     "CONFIG_USB_USBNET=y"
+                                     "CONFIG_USB_LAN78XX=y"
+                                     "CONFIG_USB_NET_SMSC95XX=y")))
+   (initrd-modules '())
+   (file-systems (cons* (file-system
+                         (mount-point "/")
+                         (type "nfs")
+                         (device ":/export/raspberrypi/guix")
+                         (options "addr=10.20.30.40,vers=4.1"))
+                        %base-file-systems))
+   (swap-devices (list (swap-space (target "/run/swapfile"))))
+   (users (cons* (user-account
+                  (name "pi")
+                  (group "users")
+                  (supplementary-groups '("wheel" "netdev" "audio" "video"))
+                  (home-directory "/home/pi"))
+                 %base-user-accounts))
+   (packages (cons* nss-certs
+                    openssh
+                    %base-packages))
+   (services (cons* (service avahi-service-type)
+                    (service dhcp-client-service-type)
+                    (service ntp-service-type)
+                    (service openssh-service-type
+                             (openssh-configuration
+                              (x11-forwarding? #t)
+                              (authorized-keys
+                              `(("pi" ,%my-public-key)))))
+                    %base-services))
+   (name-service-switch %mdns-host-lookup-nss)))
+
+raspberry-pi-64-nfs-root
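Review bot: the NFS server in `(options "addr=10.20.30.40,vers=4.1")` and the export in `(device ":/export/raspberrypi/guix")` are site-specific, but nothing in the template marks them as values to edit; a comment next to the root `file-system` would save users from booting against an address that is not theirs. The same applies to `(local-file (string-append (getenv "HOME") "/.ssh/id_ecdsa.pub"))`: with HOME unset, `getenv` returns `#f` and `string-append` raises a wrong-type error instead of a message about the missing key (the cover letter works around this with `sudo -E`), so a comment or an `(or (getenv "HOME") ...)` guard would help. `(x11-forwarding? #t)` is also a surprising default for a minimal network-booted system; consider `#f` with a comment.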
diff --git a/gnu/system/examples/raspberry-pi-64.tmpl b/gnu/system/examples/raspberry-pi-64.tmpl
new file mode 100644
index 0000000000..6b0178c861
--- /dev/null
+++ b/gnu/system/examples/raspberry-pi-64.tmpl
@@ -0,0 +1,77 @@ 
+;; This is an operating-system configuration template of a
+;; 64-bit minimal system for a Raspberry Pi with local storage.
+
+;; It neither installs firmware nor device-tree files for the Raspberry Pi.
+;; It just assumes them to be existing in boot/efi in the same way that some
+;; UEFI firmware with ACPI data is usually assumed to be existing on PCs.
+
+;; It expects the boot-partition to be mounted as boot/efi in the same way
+;; as it is usually expeted on PCs with UEFI firmware.
+
+(use-modules (gnu)
+             (gnu artwork)
+             (gnu system nss))
+(use-service-modules admin
+                     avahi
+                     networking
+                     ssh)
+(use-package-modules certs
+                     linux
+                     raspberry-pi
+                     ssh)
+
+(define %my-public-key
+  (local-file (string-append (getenv "HOME") "/.ssh/id_ecdsa.pub")))
+
+(define-public raspberry-pi-64
+  (operating-system
+   (host-name "raspberrypi-guix")
+   (timezone "Europe/Berlin")
+   (bootloader (bootloader-configuration
+                (bootloader grub-efi-bootloader-chain-raspi-64)
+                (targets '("/boot/efi"))
+                (theme (grub-theme (resolution '(1920 . 1080))
+                       (image (file-append
+                               %artwork-repository
+                               "/grub/GuixSD-fully-black-16-9.svg"))))))
+   (kernel (modify-linux #:linux linux-libre-arm64-generic
+                         #| It is possible to use a specific defconfig file,
+                            for example the "bcmrpi3_defconfig" with the
+                            variable shown below.  Unfortunately the kernel
+                            build from the linux-libre sources with this
+                            defconfig file does not boot.
+                            #:extra-version "gnu-bcmrpi3"
+                            #:defconfig %bcmrpi3-defconfig
+                         |#))
+   (initrd-modules '())
+   (file-systems (cons* (file-system
+                         (mount-point "/")
+                         (type "ext4")
+                         (device (file-system-label "Guix")))
+                        (file-system
+                         (mount-point "/boot/efi")
+                         (type "vfat")
+                         (device (file-system-label "EFI")))
+                        %base-file-systems))
+   (swap-devices (list (swap-space (target "/run/swapfile"))))
+   (users (cons* (user-account
+                  (name "pi")
+                  (group "users")
+                  (supplementary-groups '("wheel" "netdev" "audio" "video"))
+                  (home-directory "/home/pi"))
+                 %base-user-accounts))
+   (packages (cons* nss-certs
+                    openssh
+                    %base-packages))
+   (services (cons* (service avahi-service-type)
+                    (service dhcp-client-service-type)
+                    (service ntp-service-type)
+                    (service openssh-service-type
+                             (openssh-configuration
+                              (x11-forwarding? #t)
+                              (authorized-keys
+                              `(("pi" ,%my-public-key)))))
+                    %base-services))
+   (name-service-switch %mdns-host-lookup-nss)))
+
+raspberry-pi-64
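Review bot: `expeted` in the header comment should be `expected`. More substantively, the `pi` `user-account` pins no `uid`, so re-initialising an SD card that already carries a `/home/pi` from an earlier install leaves the directory owned by the old uid while the new account receives the next free one, which is a plausible cause of the 1000 versus 1002 mismatch Maxime points out in the thread; adding `(uid 1000)`, or a comment saying the home directory must not pre-exist, would make the template reproducible across re-installs. The `#| ... |#` block inside `modify-linux` also leaves it with no modifications to apply; using `linux-libre-arm64-generic` directly and keeping the defconfig note as a plain comment would be clearer unless the block is meant to be uncommented.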
-- 
2.34.0