Compare commits


5 Commits

Author SHA1 Message Date
Jan Schär 500ca36444 Fix stuck nftables load
Previously, the ssh connection got stuck when first loading the nftables
ruleset. I now found the reason for this: conntrack was not active
before loading the ruleset, so there was no conntrack entry for the ssh
connection. This means the traffic was not matched by 'ct state
established', and the other output rules did not allow the traffic. To
fix this, we can load a ruleset at boot which uses conntrack; this
ensures that conntrack is already enabled when loading the actual
ruleset over ssh.
2025-03-07 12:41:24 +01:00
Jan Schär 0352ad997f Enable minimize and maximize buttons 2025-03-07 12:37:49 +01:00
Jan Schär 2f296fa0e5 Use zstd for squashfs compression
zstd decompression is a lot faster than xz (default). This is especially
noticeable when starting Firefox, Chromium or VS Code for the first
time; with zstd, the startup time is cut in half. Compression time is
also faster with zstd at the default level. The downside is that the
squashfs is larger by 138 MB. This is a tradeoff, but I think it's worth
it. Increasing the zstd compression level does not significantly reduce
the size and takes much longer to compress, so I left it at the default.
2025-03-01 14:25:29 +01:00
Jan Schär e1fe68ad59 Enable zram on live
This allows Linux to compress RAM, which should help mitigate memory
pressure.
2025-03-01 14:15:02 +01:00
Jan Schär 6b327be311 Detect and enable swap partitions on live
The laptops owned by SOI have 8 GB of RAM, and live systems running on
them sometimes run out of memory. To mitigate this, find and enable the
swap partition of the installed OS on the internal SSD.
2025-03-01 14:08:59 +01:00
11 changed files with 62 additions and 7 deletions

View File

@ -10,9 +10,7 @@ parallel-scp -x "-F local.ssh_config" -h hostlist ./config-hosts /etc/hosts
# Configure firewall.
parallel-scp -x "-F local.ssh_config" -h hostlist ./config-nftables.conf /etc/nftables.conf
parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl enable nftables.service
# For some unknown reason nft gets stuck the first time it is run.
parallel-ssh -x "-F local.ssh_config" -h hostlist --par 30 systemctl start nftables.service
parallel-ssh -x "-F local.ssh_config" -h hostlist systemctl reload nftables.service
# Uncomment these lines if machines have 4K displays. This scales display to 2x.
# parallel-scp -x "-F local.ssh_config" -h hostlist ./set-display-scale.py /usr/local/bin/set-display-scale.py
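Review bot: with the `--par 30 systemctl start nftables.service` line removed, the only step that applies the freshly copied `/etc/nftables.conf` is `systemctl reload nftables.service`, and systemd refuses `reload` for a unit that is not active, so a host where nftables.service has been enabled but not yet started (or where an earlier stuck `nft` run left the unit failed) silently keeps whatever ruleset it already has. `systemctl reload-or-restart nftables.service` handles both states; if plain `reload` is intended because the unit is assumed to be running the boot-time ruleset, a one-line comment stating that precondition would help whoever next sees this step fail.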

View File

@ -122,7 +122,6 @@ You can look these up with `host contest.soi.ch`.
Edit `contest-lock.json` to fill in the title and start time of the contest.
Apply the configuration to machines.
If the script gets stuck, press Ctrl+C and run it again.
```bash
./configure-machines.sh
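Review bot: dropping the Ctrl+C sentence leaves the README with no mention of the failure mode it described. Since the hang is now attributed to conntrack not being active before the first ruleset load, a short sentence stating the new precondition (the target already runs a conntrack-referencing ruleset at boot, so this script only reloads nftables.service) would document why the retry advice is gone rather than just deleting it.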

View File

@ -129,6 +129,7 @@ def main():
# We need ca-certificates for fetching https packages repos.
"--debootstrap-options", "--exclude=isc-dhcp-client,isc-dhcp-common,ifupdown --include=ca-certificates" +
VARIANT_EXTRA_BOOTSTRAP.get(args.variant, ""),
"--chroot-squashfs-compression-type", "zstd",
"--loadlin", "false",
"--iso-volume", f"SOI {VARIANT_LABEL[args.variant]} @ISOVOLUME_TS@",
"--bootappend-live", "boot=live toram=filesystem.squashfs",
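Review bot: the `--bootappend-live` line just below passes `toram=filesystem.squashfs`, so the entire squashfs is copied into RAM at boot; the 138 MB growth from zstd quoted in the commit message is therefore 138 MB less free memory on the same 8 GB laptops that the swap and zram commits in this series are trying to relieve. That tradeoff belongs in the commit message. It is also worth confirming that the live-build version in use accepts `zstd` for `--chroot-squashfs-compression-type` and that the live kernel has zstd squashfs decompression enabled, since a bad value would only show up at build or boot time.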

View File

@ -28,3 +28,6 @@ systemctl disable kexec.service
# Restrict access to the config which contains the WiFi password.
chmod og= /etc/NetworkManager/system-connections/contest.nmconnection
# Enable firewall.
systemctl enable nftables.service

View File

@ -0,0 +1,19 @@
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter;
# Add a rule which references conntrack, to make sure that conntrack is
# already enabled when we activate a restrictive ruleset.
ct state { established, related } accept
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
ct state { established, related } accept
}
}
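Review bot: none of the three chains declares a `policy`, so each falls back to the default `accept`. That is the intended behaviour here, because this file only exists to get conntrack registered before the restrictive ruleset is pushed to `/etc/nftables.conf` by configure-machines.sh, but someone auditing the firewall will read it as a misconfigured filter. Add an explicit `policy accept;` to the `input` and `output` chains and extend the comment to say the ruleset is deliberately permissive and is replaced wholesale by the real one. The `forward` chain contributes nothing to the conntrack purpose and can be dropped.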

View File

@ -0,0 +1,2 @@
ALGO=zstd
PERCENT=80
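Review bot: `PERCENT=80` sizes the zram device at 80% of RAM. That figure is the uncompressed capacity rather than RAM consumed, but on an 8 GB machine that also holds the squashfs in RAM (`toram=`), a fully used device at a poor compression ratio leaves very little headroom, so a comment explaining how 80 was chosen would help. Please also confirm the resulting swap priorities: zram-tools applies its own `PRIORITY` setting, while `detect-swap` calls `swapon` without `-p`, so the SSD partition receives the kernel's default negative priority and the zram device is used first, which is presumably the intent but is nowhere stated.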

View File

@ -0,0 +1,14 @@
[Unit]
Description=detect and enable swap partitions.
Before=basic.target
After=local-fs.target systemd-tmpfiles-setup.service
DefaultDependencies=no
ConditionKernelCommandLine=boot=live
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/bin/detect-swap
[Install]
WantedBy=basic.target
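Review bot: `After=local-fs.target` does not guarantee that the internal SSD has been enumerated, so when this unit runs the partition device nodes that `lsblk` would list may not exist yet and the unit exits 0 having done nothing; either add `Wants=systemd-udev-settle.service` plus `After=systemd-udev-settle.service`, or have the script wait for the device. Style points: systemd descriptions are conventionally short noun phrases without a trailing period (`Description=Detect and enable swap partitions`), and a comment on why the unit is limited to `ConditionKernelCommandLine=boot=live` would save the next reader a trip to the commit log.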

View File

@ -0,0 +1,13 @@
#!/usr/bin/python3
import subprocess
import json
SD_GPT_SWAP = '0657fd6d-a4ab-43c4-84e5-0933c84b4f4f'
lsblk_result = subprocess.run(['lsblk', '--json', '--output=PATH,PARTTYPE'], check=True, stdout=subprocess.PIPE)
lablk_out = json.loads(lsblk_result.stdout)
for block in lablk_out['blockdevices']:
if block['parttype'] == SD_GPT_SWAP:
print('Enabling swap on', block['path'])
subprocess.run(['swapon', block['path']])
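Review bot: `lsblk --json` nests partitions under their parent disk in a `children` array unless `--list` is given, so the loop over `blockdevices` visits only whole disks, whose `parttype` is null, and no swap partition would ever be enabled; please verify on one of the target laptops and either add `--list` or recurse into `children`. Further points: `swapon` is run without `check=True` and its stderr is not captured, so a failure (encrypted or unformatted partition, partition already in use) is silent; matching only the GPT swap type GUID skips MBR-partitioned installs (type `0x82`), which may be acceptable but should be stated; and enabling the installed OS's swap partition from the live system has two consequences worth a comment in the script header: util-linux's `swapon` detects a hibernation (suspend) signature and rewrites it to a plain swap signature, destroying the hibernation image of a hibernated install, and the live session's memory pages are written in clear to the installed OS's disk, where they remain readable afterwards. `lablk_out` looks like a typo for `lsblk_out`.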

View File

@ -0,0 +1,5 @@
# Show progress while copying squashfs to RAM.
rsync
# Enable zram to make better use of available RAM.
zram-tools

View File

@ -0,0 +1,4 @@
# Enable minimize and maximize buttons, which should make gnome a bit easier to
# use for people more familiar with Windows or macOS.
[org/gnome/desktop/wm/preferences]
button-layout = 'appmenu:minimize,maximize,close'
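Review bot: a dconf keyfile only takes effect once `dconf update` has compiled it into a database that a dconf profile references; please confirm the image build runs that step, otherwise this setting is silently ignored and the commit message's claim about the buttons will not hold on the live system.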

View File

@ -1,4 +1 @@
sudo
# Show progress while copying squashfs to RAM.
rsync