Creating a Linux livecd

2012-12-05

Part one: Why?

I use a Linux livecd frequently in my work.

However, there is a huge, crippling problem with every single livecd out there.

They all ship with caps lock as caps lock by default.

Fuck.

That.

Shit.

And, though that is obviously the worst problem with livecds, there are others. (God, does alias l=ls instead of alias l=less annoy me.) If I’m going to build my own livecd anyway, I might as well include a decent screenrc/bashrc/profile/inputrc, and actually install

And since this is a totally custom livecd, I could also do pretty interesting things like

Part two: Selecting the tools

I have tried several methods for creating a Linux livecd, and found several with downsides. I eventually settled on Debian Live under a dedicated Debian Wheezy (currently “testing”, and will be released as 7.x). (I couldn’t make it work under Ubuntu, which is my normal distribution.)

Here are some notes about my somewhat frustrating selection process.

I heard about, but didn’t get around to, these methods:

Part three: Working with Debian Live

Here’s a straight walkthrough to get to what I’m using (with sensitive bits removed).

Part four: checking the configuration into git.

Part five: Misc

Part six: Security

There are some things I do that should give you cause for concern. Here’s a list of concerns and my reasoning for doing what I did.

Possible security solution - full disc encryption

I really want to completely encrypt the livecd filesystem. This is possible - old versions (2.x) of debian-live supported the --encryption switch, but the 3.x version removed it. I think that TAILS may have done some work in this area?

This would solve my main security problems:

Other security stuff

Tangents

Interesting shit I discovered while writing this post:

Addendum - adding third party repositories

Of course, APT supports third party repositories. The documented Debian Live way to do this, however, won’t work for us.

Debian Live lets you add a repository line to the config/archives/live.list.{binary,chroot} files in order to add the repository to the livecd system and to the build chroot respectively. (I don’t really understand this distinction well, but it doesn’t matter, because we can’t really use this anyway.) Almost all apt repositories have their packages signed by a GPG key; however, Debian Live provides no way to add a key to the trusted list.

All I do is create a hook that adds the repository manually and then installs the packages I want from it.

An example, config/hooks/drbl-apt-repository-gpg.chroot (the file must be executable; live-build runs it inside the chroot as root, so there is no need for sudo, and a minimal chroot usually does not have it anyway):

#!/bin/sh
# Chroot hook: runs as root inside the chroot during lb build.
# set -e makes a failed key fetch abort the build instead of leaving
# the repository unsigned.
set -e

slist=/etc/apt/sources.list.d/albacore.list
rm -f $slist
touch $slist
packages=""

## DRBL repository, contains Clonezilla
# NOTE: you could replace 'testing' with 'stable' or 'unstable' if you like:
echo "deb http://free.nchc.org.tw/drbl-core drbl testing" >> $slist
gpg --keyserver keys.gnupg.net --recv 40009511D7E8DF3A
gpg --export 40009511D7E8DF3A | apt-key add -
packages="${packages} clonezilla"

## Add other repositories here:
echo "deb http://deb.torproject.org/torproject.org sid main" >> $slist
# Fetch by the full fingerprint rather than the 8-digit short id: short ids are
# cheap to collide, and the keyserver will happily return whichever key matches.
gpg --keyserver keys.gnupg.net --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
packages="${packages} deb.torproject.org-keyring tor tor-geoipdb torsocks"

apt-get update
apt-get install --yes $packages

Almost all apt repositories sign their package indexes with a GPG key, which is why the hook imports the key before apt-get update: without it, apt-get install --yes refuses the unauthenticated packages and the build fails. Bear in mind that the hook pulls the key from a keyserver over an unauthenticated HKP connection, so whoever can answer that request decides which key apt ends up trusting. Compare the fingerprint of the imported key with the one the repository publishes, and fetch by the full fingerprint rather than a short key id wherever you can.
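A hardened variant of the hook, added here as an example (it is not code from the original post or from Debian Live): every key is pinned to its full 40-hex-digit fingerprint, fetched into a throwaway keyring, and handed to apt-key only after gpg confirms the received key actually has that fingerprint. The keyserver URL, the sources.list file name and the ".chroot" filename check are assumptions; the Tor fingerprint is the one quoted above. The DRBL repository is left as a comment because the post only gives its 16-digit key id, which is not enough to pin on.

```sh
#!/bin/sh
# Added example, not from the original post: a chroot hook that pins each
# third-party repository key to its full 40-hex-digit fingerprint and checks
# the key the keyserver returned really has that fingerprint before apt-key
# trusts it. Keyserver, list file name and the .chroot filename test are
# assumptions; the Tor fingerprint is the one quoted in the post.
set -eu

KEYSERVER="hkp://keys.gnupg.net"
SLIST="/etc/apt/sources.list.d/third-party.list"
TOR_FPR="A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89"

# Upper-case hex with spaces removed, so fingerprints compare byte-for-byte.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# True only for a full OpenPGP v4 fingerprint (40 hex digits). 8- or 16-digit
# key ids are rejected: a key with a colliding short id is cheap to generate.
is_full_fingerprint() {
    f=$(norm_fpr "$1")
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ]
}

# One sources.list line: sources_line URL SUITE COMPONENT...
sources_line() {
    printf 'deb %s\n' "$*"
}

# Fetch the key into a throwaway keyring, compare the fingerprint gpg computed
# over the received key with the pinned one, and only then feed it to apt-key.
# Any failure returns non-zero, which aborts the build under set -e.
import_pinned_key() {
    want=$(norm_fpr "$1")
    if ! is_full_fingerprint "$want"; then
        echo "refusing to pin on a short key id: $1" >&2
        return 1
    fi
    dir=$(mktemp -d)
    ring="$dir/pinned.gpg"
    gpg --batch --no-default-keyring --keyring "$ring" \
        --keyserver "$KEYSERVER" --recv-keys "$want"
    got=$(gpg --batch --no-default-keyring --keyring "$ring" \
              --with-colons --fingerprint "$want" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$got" != "$want" ]; then
        echo "fingerprint mismatch: got $got, wanted $want" >&2
        rm -rf "$dir"
        return 1
    fi
    gpg --batch --no-default-keyring --keyring "$ring" --export "$want" | apt-key add -
    rm -rf "$dir"
}

main() {
    : > "$SLIST"
    sources_line http://deb.torproject.org/torproject.org sid main >> "$SLIST"
    import_pinned_key "$TOR_FPR"
    # DRBL (Clonezilla) goes here once you have its full fingerprint; the
    # 16-digit id 40009511D7E8DF3A from the post is not enough for pinning.
    apt-get update
    DEBIAN_FRONTEND=noninteractive apt-get install --yes \
        deb.torproject.org-keyring tor tor-geoipdb torsocks
}

# Only act when executed as a live-build hook (config/hooks/NAME.chroot);
# sourcing the file elsewhere defines the functions without touching apt.
case "$0" in
    *.chroot) main ;;
esac
```

Dropped into config/hooks/ as a .chroot file, this does what the simpler hook above does, except that a keyserver (or anyone in the path to it) that returns a different key than the one pinned makes the build fail instead of silently adding that key to apt's trust list.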

One of the reasons I wanted to do this was to replace the separate Clonezilla livecd with this one. I had thought that the clonezilla package was installed from my package list, but it turns out that it’s not in Debian at all. You need to add this repository to the chroot’s sources.list.