sudo-ldap is providing cmd:sudo/sudo-virt.
Replace files from sudo-ldap to solve conflict about /etc/sudoers
Fixes#2032
[ci:skip-build]: already built successfully in CI
Changes the dependency from pmos-mkinitfs to pmos-initramfs, so now the
dependency chain for boot config packages is:
base -> postmarketos-initramfs -> postmarketos-mkinitfs -> boot-deploy
Sorting dependencies this way makes sense because "base" just needs an
initramfs, it doesn't care about the implementation (that currently uses
"postmarketos-mkinitfs.")
[ci:ignore-count]
[ci:skip-build] already successfully built in CI
This installs zram-init and sets it to start on boot for all
devices/UIs. The included conf.d/zram-init also allows diabling using
zram swap or overriding the size by using a deviceinfo var.
I did an analysis of the pmos base install size with the 'none' UI
selected, after depending on zram-init, and the following new package is
installed:
zram-init-11.1-r1 installed size: 40 KiB
These packages are dependencies of zram-init, however they are already
installed in the base image (with 'none' UI) so they are not counted
above:
util-linux-misc-2.38.1-r0 installed size: 6816 KiB
e2fsprogs-extra-1.46.5-r4 installed size: 1324 KiB
So this seems like a very small price to pay for the benefit of not
making the logic/implementation more complicated than this.
* Starting busybox syslog ... [ ok ]
ssh-keygen: generating new host keys: RSA ECDSA ED25519
* Starting sshd ... [ ok ]
zram swap: activating with size: 243 MB
* Loading zram module...
[ ok ]
* Swap->zram0
[ ok ]
* Starting local ... [ ok ]
This change introduces one new deviceinfo variable:
deviceinfo_zram_swap_pct: percentage of RAM to use for zram swap
Default percentages if the second var is unset are explained in the
zram-init file this commit adds. A value of 0 disables zram swap.
fixes#1133
Add rules for regulator-haptic, which is used on:
- samsung-e5/e7
- samsung-cprime/gprime
- samsung-j3/j5(x)
Note that regulator-haptic is not supported on some devices yet,
and samsung-e5 is not ported at the moment.
[ci:skip-build]: already built successfully in CI
At the moment almost all device packages force installation of the Mesa
drivers, even when they are not used by any application (for example on
a minimal headless installation with "none" or "console" UI).
Omitting mesa-dri-gallium from such installations saves about ~150 MiB
of disk space (469 MiB -> 317 MiB rootfs for minimal installation on
arrow-db410c).
The "classic" drivers have been removed from Mesa so only one mesa-dri-
package exists now: mesa-dri-gallium contains all Mesa drivers,
llvmpipe, freedreno, lima, panfrost, Intel (iris/crocus), ...
This means we can easily create an install_if package in
postmarketos-base that installs that driver package only if needed
(= only if another package requires the "mesa" package).
Strictly speaking the install_if could be restricted further since
mesa-dri-gallium is only needed by "mesa-egl", "mesa-gbm" and "mesa-gl"
but not e.g. the Vulkan drivers. Having three postmarketos-base
subpackages (one install_if for each of them) seems a bit
overengineered, though. "mesa" is a common dependency of all three
of them, so using install_if="... mesa" should be good enough.
This would mitigate issues where apk unexpectedly replaces packages
somewhat as this way the user will be able to see precisely what changes
will happen to their system before they are committed. Furthermore, most
users are likely accustomed to package managers like apt, dnf, pacman,
among others that all are interactive by default and as such this would
provide a more familiar experience for them.
This will not affected pre-existing installs, and advanced users who
do not like this behaviour can restore the old one by deleting
/etc/apk/interactive.
[ci:skip-build]: already built successfully in CI
Alpine does not use setup-udev anymore and provides the same
functionality through setup-devd. The setup-udev script was deleted [1]
but postmarketos-base still used it and caused pmbootstrap to fail when
building a device image. Use the rc-service setup directly from
setup-devd.
[1] b56c4c2b9d
Fixes error: postmarketos-base-18-r0: trying to overwrite etc/fstab owned by alpine-baselayout-data-3.2.0-r20.
caused by 9ecba8a514
[ci:skip-build] already built successfully in CI
MMS support (via mmsd-tng) involves sending/receiving network
requests/responses over the wwan interface. If it's ipv4-only and the
device is connected to some other ipv4 network on another iface (like
wifi), this can cause the rp_filter to reject responses on wwan iface
because it incorrectly thinks they are martian packets.
This does theoretically disable some "security" feature in the kernel,
but it's worth noting that:
1) rp_filter isn't implemented at all in the kernel for ipv6
2) other distros (mobian, pureos at least) are also disabling rp_filter
3) this seems to be a relatively common problem with folks using mms on
pmOS, since many carriers' data networks are ipv4-only
also see:
https://gitlab.com/kop316/mmsd/-/merge_requests/55/diffs?commit_id=b22c253fb939ff1eb949ea4e628706e6a28c851a
[ci:skip-build] already built successfully in CI
This configures bootmisc to clear /tmp on bootup. I think most folks
expect distros to do this, many even mount /tmp as tmpfs. I don't think
that's a great idea in pmOS since RAM is usually limited on many
devices. So this, clearing it on boot, seems like a reasonable compromise.
Fixes#1342
Installing postmarketos-base currently changes the file permissions
of /etc/sudoers:
# apk add sudo
# stat /etc/sudoers
Access: (0440/-r--r-----) Uid: ( 0/ root) Gid: ( 0/ root)
# apk add postmarketos-base
# stat /etc/sudoers
Access: (0044/----r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
The file mode 0044 decodes to:
- User *cannot* read
- Group can read
- Other can read
which does not make any sense. The "sudoers" man page makes it very
clear that this file should have a file mode of 0440 [1]
("readable by owner and group, writable by none").
This looks like a bad typo. However, given that only read permissions
were given out this shouldn't have major security implications
(except allowing all users to see who can use sudo).
Install the file with 0440 instead of 0044 to fix this:
# apk add postmarketos-base
# stat /etc/sudoers
Access: (0440/-r--r-----) Uid: ( 0/ root) Gid: ( 0/ root)
[1]: https://www.sudo.ws/man/1.9.8/sudoers.man.html#Error_log_entries
Allow users in group "input" to control the tm2-touchkey leds.
Additionally correcting the udev rule for disabling the tm2-touchkey leds by default.
[ci:skip-build] already built successfully in CI
The udev file "20-tm2-touchkey-leds.rules" disables the leds of
tm2-touchkey by default because they are in an unconfigured state.
The udev file "95-rt5033-battery-refresh.rules" triggers a refresh
of the rt5033-battery information within UPower 5 secs after
initialization. This avoids a wrong battery icon after boot.
The udev file "50-firmware.rules" was moved from /etc/udev/rules.d
to /lib/udev/rules.d.
Related: https://wiki.postmarketos.org/wiki/Packaging#Device_specific_quirks
This enables the firewall by default, and could be split off into a
future ui-base package so that the firewall (among other things) are
enabled only when UIs are installed.
Don't suspend the device while alsa is playing. I ran this for two days
in combination with suspend time set to 1 min on the pinephone and it
works great. Finally no suspend while VLC is playing podcasts.
CRDA in the kernel requires a regulatory database to be available
to configure the WiFi card correctly following the regulations in
each possible environment.
Add post-upgrade file with a warning, so we don't symlink it to the
post-install script.
[ci:skip-vercheck]: no need to rebuild the package
Related: build.postmarketos.org#85
Remove devmappings service. The original purpose of this service was to
ensure that /boot is mounted properly after the initramfs passed control
to OpenRC, because the initramfs used to umount /boot before that. With
/etc/fstab alone, /boot get not get mounted with subpartitions (which we
use on Android devices), if util-linux >= 2.33 was installed (MR 115).
Nowadays, we don't umount /boot in the initramfs before passing control
to OpenRC anymore (MR 1398). So this service isn't needed anymore, and
prevented the previous pmOS_inst_boot <> pmOS_boot patch from working
correctly.
This adds sleep-inhibitor as a dependency when elogind is present, and
installs a conf for it with some plugins enabled that are beneficial to
devices running pmOS. The elogind suspend hook is dropped.
This resolves issues where suspend is aborted in the hook *after*
PrepareForSleep is sent over dbus (which might cause some things to
disable radios/modems, etc for suspend).
The 'period' in the conf is in minutes, a value of 0.1 is 6 seconds,
which seems reasonable for releasing the lock when conditions for
inhibiting no longer apply, without spinning the CPU too frequently.
Do not change config files in post-install scripts anymore (with sed
commands or by other means). Instead, ship the files inside the packages
and use "replaces", so apk allows the package to overwrite files from
other packages:
https://wiki.alpinelinux.org/wiki/APKBUILD_Reference#replaces
Notes on specific files:
* /etc/elogind/logind.conf: original file only consists of commented out
compile defaults. Copy them over for now. In the future we should be
able to install our own config into a .d directory, without all the
comments: 8358fc5950
* /etc/fstab: original file only has /dev/cdrom and /dev/usbdisk
entries, which are not useful for postmarketOS:
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/alpine-baselayout/APKBUILD
* /etc/motd: reformat the text, add link to the chat
* /etc/conf.d/syslog: original file only contained 'SYSLOGD_OPTS="-t"',
make the override file as if the sed statement from post-install was
executed
* /etc/wpa_supplicant/wpa_supplicant.conf: post-install script touches
this file. We probably added it back in 2017 in relation to enabling
D-Bus (though the PR does not mention it explicity), but at least with
the current init.d script of NetworkManager, we can simply have '-u' in
wpa_supplicant_args:
https://github.com/postmarketOS/pmbootstrap/pull/578https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/wpa_supplicant/wpa_supplicant.initd
* /etc/sudoers: base on original /etc/sudoers, but remove all the
commented out stuff except for the visudo note at the top. We could
also put a file in /etc/sudoers.d, but since the wheel line is present
in the original /etc/sudoers and only commented out, it would be kind
of unexpected to enable it in a file in /etc/sudoers.d. I prefer this
stripped down version of the file, that is easy to read.
Refactor the install code to be generic, so we only need to add the new
path in one place when adding a new file. Put the full path into the
filename to make this possible.
I've tried to mimic the final directory structure in the aport first
(e.g. $pkgdir/sbin/swapfile -> main/postmarketos-base/sbin/swapfile),
but that leads to conflicts as abuild only takes the filename for
checksums (conflict with etc/conf.d/swapfile):
https://gitlab.alpinelinux.org/alpine/abuild/-/issues/10013
We don't really need checksum verification for the files shipped in the
same directory (not downloaded), but nevertheless this is a bug. It
leads to confusing behavior and might be fixed by letting abuild demand
that there is only one source file with the same name, as I suggested in
the issue linked above. So let's avoid this altogether with the flat
file name.
Pressing power button should not power off a device. Although it is
expected on desktops and laptops, it isn't expected on phones and
tablets. Instead it should just turn off the screen or go into a deep
sleep, but that isn't handled by elogind. So let elogind just ignore the
button altogether.
Also re-order the dependencies alphabetically while we're touching the
package anyway
Only add a comment, do not try to mount the root or boot partitions
anymore. The initramfs is doing this already.
Related: https://postmarketos.org/fstab
Get rid of the "write_unless_modified" code, which was supposed to only
change /etc/fstab, /etc/issue, /etc/motd if the user did not modify it.
This is nice in theory, but we have a bug report where the code did not
do what it should (apk audit possibly failed due to a qemu bug?), and
then it lead to strange bugs related to not having the expected
/etc/fstab installed.
Fixes: #661, #258