From 6b327be31124310a417cb1a318d96f9238711466 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Sat, 1 Mar 2025 14:08:59 +0100
Subject: [PATCH 1/5] Detect and enable swap partitions on live

The laptops owned by SOI have 8 GB of RAM, and live systems running on them sometimes run out of memory. To mitigate this, find and enable the swap partition of the installed OS on the internal SSD.
---
 .../etc/systemd/system/detect-swap.service | 14 ++++++++++++++
 .../live/includes.chroot/usr/local/bin/detect-swap | 13 +++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service
 create mode 100644 os/layers/live/includes.chroot/usr/local/bin/detect-swap

diff --git a/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service b/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service
new file mode 100644
index 0000000..912c92e
--- /dev/null
+++ b/os/layers/live/includes.chroot/etc/systemd/system/detect-swap.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=detect and enable swap partitions.
+Before=basic.target
+After=local-fs.target systemd-tmpfiles-setup.service
+DefaultDependencies=no
+ConditionKernelCommandLine=boot=live
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/local/bin/detect-swap
+
+[Install]
+WantedBy=basic.target
diff --git a/os/layers/live/includes.chroot/usr/local/bin/detect-swap b/os/layers/live/includes.chroot/usr/local/bin/detect-swap
new file mode 100644
index 0000000..19a5042
--- /dev/null
+++ b/os/layers/live/includes.chroot/usr/local/bin/detect-swap
@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+
+import subprocess
+import json
+
+SD_GPT_SWAP = '0657fd6d-a4ab-43c4-84e5-0933c84b4f4f'
+
+lsblk_result = subprocess.run(['lsblk', '--json', '--output=PATH,PARTTYPE'], check=True, stdout=subprocess.PIPE)
+lablk_out = json.loads(lsblk_result.stdout)
+for block in lablk_out['blockdevices']:
+    if block['parttype'] == SD_GPT_SWAP:
+        print('Enabling swap on', block['path'])
+        subprocess.run(['swapon', block['path']])
From e1fe68ad5959eba6b7380146765fe1bea3498e31 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Sat, 1 Mar 2025 14:15:02 +0100
Subject: [PATCH 2/5] Enable zram on live

This allows Linux to compress RAM, which should help mitigate memory pressure.
---
 os/layers/live/includes.chroot/etc/default/zramswap | 2 ++
 os/layers/live/package-lists/live-extra.list.chroot | 5 +++++
 .../training-live/package-lists/training-live.list.chroot | 3 ---
 3 files changed, 7 insertions(+), 3 deletions(-)
 create mode 100644 os/layers/live/includes.chroot/etc/default/zramswap
 create mode 100644 os/layers/live/package-lists/live-extra.list.chroot

diff --git a/os/layers/live/includes.chroot/etc/default/zramswap b/os/layers/live/includes.chroot/etc/default/zramswap
new file mode 100644
index 0000000..1f43fca
--- /dev/null
+++ b/os/layers/live/includes.chroot/etc/default/zramswap
@@ -0,0 +1,2 @@
+ALGO=zstd
+PERCENT=80
diff --git a/os/layers/live/package-lists/live-extra.list.chroot b/os/layers/live/package-lists/live-extra.list.chroot
new file mode 100644
index 0000000..4f7a935
--- /dev/null
+++ b/os/layers/live/package-lists/live-extra.list.chroot
@@ -0,0 +1,5 @@
+# Show progress while copying squashfs to RAM.
+rsync
+
+# Enable zram to make better use of available RAM.
+zram-tools
diff --git a/os/layers/training-live/package-lists/training-live.list.chroot b/os/layers/training-live/package-lists/training-live.list.chroot
index 56e00e8..7864d0d 100644
--- a/os/layers/training-live/package-lists/training-live.list.chroot
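Review bot: `subprocess.run(['swapon', block['path']])` on the last line of detect-swap discards the return code and has no `check=True`, so a failed swapon (an encrypted or stale swap partition, for instance) leaves no trace and the oneshot unit still reports success; keeping the best-effort behaviour but recording the outcome, `res = subprocess.run(['swapon', block['path']])` followed by `if res.returncode: print('swapon failed for', block['path'])`, makes that visible in the journal. The match is on partition type alone, so any attached disk carrying a GPT swap partition qualifies rather than only the internal SSD the commit message names, and whatever the live session pages out stays on that partition after shutdown unless the installed OS reinitialises it; if fixed disks are the intent, adding `RM` to the lsblk columns, `'--output=PATH,PARTTYPE,RM'`, and skipping entries whose `block['rm']` is set would narrow it (older util-linux appears to emit `rm` as the string `"1"` rather than a JSON boolean, so the comparison should handle both). `lablk_out` looks like a typo for `lsblk_out`.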
+++ b/os/layers/training-live/package-lists/training-live.list.chroot
@@ -1,4 +1 @@
 sudo
-
-# Show progress while copying squashfs to RAM.
-rsync
From 2f296fa0e5da718acf352e4cdc56e069eeb02007 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Sat, 1 Mar 2025 14:25:29 +0100
Subject: [PATCH 3/5] Use zstd for squashfs compression

zstd decompression is a lot faster than xz (default). This is especially noticeable when starting Firefox, Chromium or VS Code for the first time; with zstd, the startup time is cut in half. Compression time is also faster with zstd at the default level. The downside is that the squashfs is larger by 138 MB. This is a tradeoff, but I think it's worth it. Increasing the zstd compression level does not significantly reduce the size and takes much longer to compress, so I left it at the default.
---
 os/build.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/os/build.py b/os/build.py
index c84070d..6ba41fd 100755
--- a/os/build.py
+++ b/os/build.py
@@ -129,6 +129,7 @@ def main():
 # We need ca-certificates for fetching https packages repos. "--debootstrap-options", "--exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=ca-certificates" + VARIANT_EXTRA_BOOTSTRAP.get(args.variant, ""), + "--chroot-squashfs-compression-type", "zstd", "--loadlin", "false", "--iso-volume", f"SOI {VARIANT_LABEL[args.variant]} @ISOVOLUME_TS@", "--bootappend-live", "boot=live toram=filesystem.squashfs",
From 0352ad997f3088547dbb5588575f013aa203637b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Fri, 7 Mar 2025 12:37:49 +0100
Subject: [PATCH 4/5] Enable minimize and maximize buttons

---
 .../includes.chroot/etc/dconf/db/local.d/00-window-buttons | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons
diff --git a/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons b/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons
new file mode 100644
index 0000000..7ed7b76
--- /dev/null
+++ b/os/layers/participant/includes.chroot/etc/dconf/db/local.d/00-window-buttons
@@ -0,0 +1,4 @@
+# Enable minimize and maximize buttons, which should make gnome a bit easier to
+# use for people more familiar with Windows or macOS.
+[org/gnome/desktop/wm/preferences]
+button-layout = 'appmenu:minimize,maximize,close'
From 500ca364447877c3c3a05a4b6435d4183df9b0c4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Sch=C3=A4r?=
Date: Fri, 7 Mar 2025 12:41:24 +0100
Subject: [PATCH 5/5] Fix stuck nftables load

Previously, the ssh connection got stuck when first loading the nftables ruleset. I now found the reason for this: conntrack was not active before loading the ruleset, so there was no conntrack entry for the ssh connection. This means the traffic was not matched by 'ct state established', and the other output rules did not allow the traffic. To fix this, we can load a ruleset at boot which uses conntrack; this ensures that conntrack is already enabled when loading the actual ruleset over ssh.
---
 contestops/configure-machines.sh | 4 +---
 contestops/readme.md | 1 -
 .../hooks/live/2010-contestant.hook.chroot | 3 +++
 .../includes.chroot/etc/nftables.conf | 19 +++++++++++++++++++
 4 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 os/layers/contestant/includes.chroot/etc/nftables.conf

diff --git a/contestops/configure-machines.sh b/contestops/configure-machines.sh
index c3d8fd6..6e2f61e 100755
--- a/contestops/configure-machines.sh
+++ b/contestops/configure-machines.sh
@@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
 
 # Configure firewall.
 parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
-parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
-# For some unknown reason nft gets stuck the first time it is run.
-parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
+parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
 
 # Uncomment these lines if machines have 4K displays. This scales display to 2x.
 # parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
diff --git a/contestops/readme.md b/contestops/readme.md
index 14a3f5d..d0a392b 100644
--- a/contestops/readme.md
+++ b/contestops/readme.md
@@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
 Edit `contest-lock.json` to fill in the title and start time of the contest. Apply the configuration to machines. -If the script gets stuck, press Ctrl+C and run it again. ```bash ./configure-machines.sh
diff --git a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
index e65b6fd..c8c0dea 100755
--- a/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
+++ b/os/layers/contestant/hooks/live/2010-contestant.hook.chroot
@@ -28,3 +28,6 @@ systemctl disable kexec.service
 
 # Restrict access to the config which contains the WiFi password.
 chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
+
+# Enable firewall.
+systemctl enable nftables.service
diff --git a/os/layers/contestant/includes.chroot/etc/nftables.conf b/os/layers/contestant/includes.chroot/etc/nftables.conf
new file mode 100644
index 0000000..190685b
--- /dev/null
+++ b/os/layers/contestant/includes.chroot/etc/nftables.conf
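Review bot: `systemctl reload nftables.service` on the added line in configure-machines.sh only succeeds when the unit is already active; on a host where it is not running (it failed at boot, or the image predates the enable hook) systemctl returns an error and the freshly copied /etc/nftables.conf is never loaded, so that machine silently stays on the permissive boot ruleset. `systemctl reload-or-restart nftables.service` covers both states with the same line, and because the boot ruleset already keeps conntrack active the restart path should no longer hit the stuck condition described in the commit message, though that is worth verifying once. Checking the exit status of the parallel-ssh call, or following it with `systemctl is-active nftables.service` across the hostlist, would turn a machine that kept the boot ruleset into a visible failure; the rest of the script lies outside the hunk.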
@@ -0,0 +1,19 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority filter;
+        # Add a rule which references conntrack, to make sure that conntrack is
+        # already enabled when we activate a restrictive ruleset.
+        ct state { established, related } accept
+    }
+    chain forward {
+        type filter hook forward priority filter;
+    }
+    chain output {
+        type filter hook output priority filter;
+        ct state { established, related } accept
+    }
+}
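Review bot: None of the three base chains in nftables.conf declares a `policy`, so each falls back to nft's default of accept and the boot ruleset is fully permissive only by omission; since this file is what protects the machine until configure-machines.sh pushes the contest ruleset, make that intent explicit with `type filter hook input priority filter; policy accept;` (and the same for forward and output) plus a header comment along the lines of `# Permissive placeholder loaded at boot so conntrack is active; the restrictive contest ruleset replaces it (see contestops/configure-machines.sh).` The comment on the input rule should also mention that the `ct state` rule in the output chain serves the same purpose, so that neither is removed later as redundant. `flush ruleset` at the top also discards any table loaded earlier in boot, which is harmless today but deserves a note if another unit ever adds rules before this one.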