From Mageia wiki
Currently, this is a draft work-in-progress page.

Introduction

This note describes how to create an encrypted live persistent USB memory stick with Mageia 7.


Requirements

For practical purposes, use the fastest stick you can (e.g. USB 3.1 or higher) with enough space. It is possible to use one as small as 16 GB, but that leaves very little space for anything useful.

In the example below we use a 128 GB ADATA S102.

It also helps greatly if the computer where the USB stick is to be used has a fast (USB 3 or higher) USB socket. The computer must be configured to allow booting from USB.

On HP systems, for example, repeatedly tap the ESC (Escape) key while switching on; when the menu appears, press F9 to choose the boot device and select the USB stick.


Overview

  1. Preparations: install needed packages
  2. Check disk space requirements
  3. Modify configuration settings for building the ISO using draklive2
  4. Include mgalive-root.sh modified for LUKS (encryption support)
  5. Build the ISO using draklive2
  6. Plug in and identify the USB stick device name
  7. Run isodumper and select configuration: use persistent storage, enable encryption, provide the encryption key
  8. On receiving confirmation of isodumper completion, test booting from the USB stick


Install pre-requisite rpms

urpmi drakiso drakiso-bootloader-files drakiso-null-bootloader x11-server-xephyr


Prepare the ISO image

ref: https://wiki.mageia.org/en/Draklive2#Quickstart see example 2

You need between 10 and 20 GB of free space.


Create a directory in your Downloads for the ISO and configuration files

my_iso=~/Downloads/drakiso/my_iso/
mkdir -p ${my_iso}


Make a working copy from the example for drakiso

cp -r /usr/share/drakiso/examples/gui/ ${my_iso}


Update drakiso configuration files to enable LUKS encryption processing

cd ${my_iso}/gui/


Update file: config/build.cfg

Add the following:

            # Support for encrypted persistent partition.
            [ 'files/mgalive-root.sh', '/lib/dracut/modules.d/90mgalive/mgalive-root.sh', { mode => 755 } ],

below:


            # Fix for sometimes wrong permissions after install.
            [ 'files/draklive-install.d/run.d/home-live-permissions.sh', '/etc/draklive-install.d/run.d/home-live-permissions.sh', { mode => 755 } ],

so it looks like:

            # Fix for sometimes wrong permissions after install.
            [ 'files/draklive-install.d/run.d/home-live-permissions.sh', '/etc/draklive-install.d/run.d/home-live-permissions.sh', { mode => 755 } ],

            # Support for encrypted persistent partition.
            [ 'files/mgalive-root.sh', '/lib/dracut/modules.d/90mgalive/mgalive-root.sh', { mode => 755 } ],
        ],
        remove_files => [


Update file: files/dracut-live.conf

change:

omit_dracutmodules+=" caps crypt dm dmraid mdraid lvm nfs i18n resume modsign "

to:

##omit_dracutmodules+=" caps crypt dm dmraid mdraid lvm nfs i18n resume modsign "
omit_dracutmodules+=" caps dmraid mdraid lvm nfs i18n resume modsign "


Update file: config/settings.cfg

Be aware that if you decide to add:

region all

then the resulting ISO will be huge. It is probably more practical not to use "region all" in config/settings.cfg.

change:

desktop=Custom

to:

desktop=MATE_LUKS

Note that this desktop name shows up at the top of the GRUB splash screen on booting. I prefer the MATE desktop environment, hence "MATE". The "_LUKS" suffix reminds the user that the USB stick is LUKS encrypted.

Set the correct value for your system arch(itecture): 64 or 32 bit: change:

arch=

to (for example 64 bit):

arch=x86_64

Set the correct value for your Mageia repository mirror. Example:

repository=http://mirrors.kernel.org/mageia/distrib/7

So, after editing config/settings.cfg should look something like:

vendor=Custom
distro=Mageia
product=Live
desktop=MATE_LUKS
release=7
arch=x86_64
repository=http://mirrors.kernel.org/mageia/distrib/7
workdir=


Add updated mgalive-root.sh (supporting LUKS)

Copy modified version of mgalive-root.sh (see Appendix-1, below) to ${my_iso}/gui/files/mgalive-root.sh.

Reference: Mageia enhancement bug request #24777, comment 16
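The edits above are easy to get half-right (a stray "crypt" left in omit_dracutmodules, or the build.cfg entry added but the script not copied), and a mistake only shows up after the hour-long build. The script below is an added example, not part of the wiki page or of the drakiso project: it applies the three edits to a gui/ working copy idempotently and then verifies all of them before you start draklive2. It assumes the file layout of /usr/share/drakiso/examples/gui shown on this page; the fixture at the bottom is a constructed stand-in containing only the lines the edits touch, used for the demo.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki or the drakiso project: apply the three
# configuration edits above to a drakiso working copy and verify them before the
# (hour-long) build starts. Assumes the layout of /usr/share/drakiso/examples/gui
# as shown on this page; the fixture at the bottom is constructed for the demo.

# 1. config/build.cfg: add the mgalive-root.sh entry directly after the
#    home-live-permissions.sh entry. Idempotent: a second run changes nothing.
add_luks_to_build_cfg() {
    cfg=$1
    grep -q 'files/mgalive-root.sh' "$cfg" && return 0
    grep -q 'home-live-permissions.sh' "$cfg" || return 1   # anchor line missing
    tmp=$(mktemp)
    while IFS= read -r line; do
        printf '%s\n' "$line"
        case $line in
        *home-live-permissions.sh*)
            printf '\n%s\n%s\n' \
                "            # Support for encrypted persistent partition." \
                "            [ 'files/mgalive-root.sh', '/lib/dracut/modules.d/90mgalive/mgalive-root.sh', { mode => 755 } ],"
            ;;
        esac
    done <"$cfg" >"$tmp" && mv "$tmp" "$cfg"
}

# 2. files/dracut-live.conf: stop omitting the crypt and dm modules. The original
#    line is kept as a ## comment, as the page does, and the corrected line added.
enable_crypt_in_dracut_conf() {
    conf=$1
    grep -q '^omit_dracutmodules+=" caps dmraid ' "$conf" && return 0
    grep -q '^omit_dracutmodules+=" caps crypt dm ' "$conf" || return 1
    tmp=$(mktemp)
    sed -e '/^omit_dracutmodules+=" caps crypt dm /{s/^/##/;p;s/^##//;s/ crypt dm / /;}' \
        "$conf" >"$tmp" && mv "$tmp" "$conf"
}

# 3. config/settings.cfg: set KEY=VALUE, replacing the existing line or appending.
set_setting() {
    f=$1 key=$2 val=$3
    if grep -q "^$key=" "$f"; then
        tmp=$(mktemp)
        sed -e "s|^$key=.*|$key=$val|" "$f" >"$tmp" && mv "$tmp" "$f"
    else
        printf '%s=%s\n' "$key" "$val" >>"$f"
    fi
}

# Succeed only when every edit is present and the LUKS-aware mgalive-root.sh
# (Appendix-1, which sources dracut-crypt-lib.sh) has been copied into files/.
verify_luks_config() {
    d=$1
    grep -q 'files/mgalive-root.sh' "$d/config/build.cfg" &&
        ! grep -q '^omit_dracutmodules+=.* crypt ' "$d/files/dracut-live.conf" &&
        grep -q '^arch=..*' "$d/config/settings.cfg" &&
        grep -q '^repository=..*' "$d/config/settings.cfg" &&
        grep -q 'dracut-crypt-lib.sh' "$d/files/mgalive-root.sh"
}

# Run all edits on the gui/ working copy in DIR and verify the result.
enable_luks() {
    add_luks_to_build_cfg "$1/config/build.cfg" &&
        enable_crypt_in_dracut_conf "$1/files/dracut-live.conf" &&
        set_setting "$1/config/settings.cfg" desktop MATE_LUKS &&
        set_setting "$1/config/settings.cfg" arch x86_64 &&
        set_setting "$1/config/settings.cfg" repository http://mirrors.kernel.org/mageia/distrib/7 &&
        verify_luks_config "$1"
}

# Constructed stand-in for the drakiso example tree (only the lines the edits
# touch; not the real files). Used by the demo below.
make_fixture() {
    d=$1
    mkdir -p "$d/config" "$d/files"
    cat >"$d/config/build.cfg" <<'EOF'
            # Fix for sometimes wrong permissions after install.
            [ 'files/draklive-install.d/run.d/home-live-permissions.sh', '/etc/draklive-install.d/run.d/home-live-permissions.sh', { mode => 755 } ],
        ],
        remove_files => [
EOF
    printf '%s\n' 'omit_dracutmodules+=" caps crypt dm dmraid mdraid lvm nfs i18n resume modsign "' \
        >"$d/files/dracut-live.conf"
    printf '%s\n' vendor=Custom distro=Mageia product=Live desktop=Custom release=7 arch= repository= workdir= \
        >"$d/config/settings.cfg"
    printf '%s\n' '#!/usr/bin/sh' '. /lib/dracut-crypt-lib.sh' >"$d/files/mgalive-root.sh"
}

# Demo on the fixture. For a real tree run:  enable_luks ~/Downloads/drakiso/my_iso/gui
demo=$(mktemp -d) && make_fixture "$demo" && enable_luks "$demo" && echo "LUKS build config verified in $demo"
```

Run verify_luks_config on your real gui/ directory as the last thing before draklive2; it fails closed if any of the edits is missing or if files/mgalive-root.sh is still the stock script rather than the Appendix-1 version.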


Build the ISO using draklive2

This can take a long time: perhaps an hour or two. (May be faster if your "repository" is on your local file system.)

Note that we run this as non-root. At some point draklive2 will prompt for your password when it needs to sudo, so you should install and configure sudo first (see Configuring sudo for details).

cd ${my_iso}/gui/
draklive2 --clean --all


Example:

[mpb@zbook my_iso]$ pwd
/home/mpb/Downloads/drakiso/my_iso/gui

[mpb@zbook gui]$ draklive2 --clean --all
Using /home/mpb/Downloads/drakiso/my_iso/gui as directory root
Loaded /home/mpb/Downloads/drakiso/my_iso/gui/config/build.cfg as config file
* entering step "clean"
* step "clean" done
* entering step "root"
Installing Live system
Ignore the following Glib::Object::Introspection & Gtk3 warnings
Too late to run INIT block at /usr/lib64/perl5/vendor_perl/Glib/Object/Introspection.pm line 257.
Subroutine Gtk3::main redefined at /usr/share/perl5/vendor_perl/Gtk3.pm line 525.
MESA-LOADER: failed to open swrast (search paths /usr/lib64/dri)
libGL error: failed to load driver: swrast
Entering step `Language'
Entering step `License'
Entering step `Mouse'
Entering step `Hard drive detection'
Entering step `Installation class'
Entering step `Keyboard'
Entering step `Security'
Entering step `Partitioning'
Partition 3 does not start on physical sector boundary.
Partition 5 does not start on physical sector boundary.
Partition 6 does not start on physical sector boundary.
Partition 7 does not start on physical sector boundary.
Partition 8 does not start on physical sector boundary.
Partition 9 does not start on physical sector boundary.
Partition 3 does not start on physical sector boundary.
Partition 5 does not start on physical sector boundary.
Partition 6 does not start on physical sector boundary.
Partition 7 does not start on physical sector boundary.
Partition 8 does not start on physical sector boundary.
Partition 9 does not start on physical sector boundary.
Entering step `Formatting'
Entering step `Choosing packages'
warning: Generating 18 missing index(es), please wait...
GLib-CRITICAL **: Source ID 1328 was not found when attempting to remove it at /usr/lib/libDrakX/interactive/gtk.pm line 924.
Entering step `Installing'
sh: 1: rpm: not found
warning: /etc/resolv.conf created as /etc/resolv.conf.rpmnew
warning: /etc/rpm/macros created as /etc/rpm/macros.rpmnew
GLib-CRITICAL **: Source ID 1810 was not found when attempting to remove it at /usr/lib/libDrakX/interactive/gtk.pm line 924.
Running in chroot, ignoring request.
      1/1: removing iwlwifi-firmware-20191220-1.mga7.nonfree.noarch
                                 ############################################################################################################################################################
Entering step `Users'
Entering step `Networking'
SIOCETHTOOL: Operation not supported
SIOCETHTOOL: Operation not supported
SIOCETHTOOL: Operation not supported
SIOCETHTOOL: Operation not supported
Entering step `Bootloader'
Entering step `Configure X'
Entering step `Summary'
Entering step `Services'
Entering step `Updates'
Entering step `Exit'
Partition 3 does not start on physical sector boundary.
Partition 5 does not start on physical sector boundary.
Partition 6 does not start on physical sector boundary.
Partition 7 does not start on physical sector boundary.
Partition 8 does not start on physical sector boundary.
Partition 9 does not start on physical sector boundary.
[sudo] password for mpb: 
Customising Live system
* step "root" done
* entering step "boot"
Using kernel 5.4.12-desktop-1.mga7
Creating: target|kernel|dracut args|basicmodules 
/boot/initrd-5.4.12-desktop-1.mga7.img|5.4.12-desktop-1.mga7| -f|
mkfs.fat 4.1 (2017-01-24)
* step "boot" done
* entering step "loop"
Have to process 4643 MB
Unrecognised xattr prefix system.posix_acl_default
Unrecognised xattr prefix system.posix_acl_access
* step "loop" done
* entering step "master"
GNU xorriso 1.5.0 : RockRidge filesystem manipulator, libburnia project.

Created ISO /home/mpb/Downloads/drakiso/my_iso/gui/Mageia-7-Live-Mate_LUKS-x86_64/dist/Mageia-7-Live-Mate_LUKS-x86_64.iso
* step "master" done

[Screenshot 2020 01 22 drakiso screenshot a.png: example screen shot of running drakiso]

[Screenshot 2020 01 22 drakiso screenshot b.png: example screen shot of running drakiso, doing the install process to the ISO image]


Determine memory_stick_device name

In most systems there is a single internal disk, /dev/sda, so when the USB memory stick is plugged in it will usually appear as /dev/sdb. Do not rely on this guess: isodumper overwrites the whole device it is given, so writing to the wrong name destroys that disk. Confirm the name before you start (see below).

memory_stick_device=/dev/sdb

Check and confirm the device name for the USB memory stick as follows:

  1. In a terminal, type:
    journalctl -fa  #Display system log (dynamically updated)
  2. Plug in the USB memory stick
  3. Observe the system log (from step 1, above) to see the device name for the memory stick. Example:
    Dec 12 16:19:17 localhost kernel: sd 7:0:0:0: [sdc] 4016128 512-byte logical blocks: (2.06 GB/1.92 GiB)
    Here, the device name is sdc, so we would use: memory_stick_device=/dev/sdc
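Watching the journal works for an interactive session; a script should instead ask the kernel which disks are removable and attached over USB and refuse to proceed unless exactly one matches. The following is an added example (not from the page): it filters the output of lsblk's NAME, TRAN, RM, TYPE and SIZE columns and fails rather than guessing when zero or several candidates exist. The sample lsblk output it runs on is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the page: pick the USB memory stick from lsblk output
# instead of assuming /dev/sdb. isodumper overwrites the whole device it is given,
# so choosing the wrong name destroys that disk. Assumes util-linux lsblk with
# the TRAN (transport) and RM (removable) columns.

# Print /dev/NAME for every removable disk attached over USB. Reads lines in the
# format produced by:  lsblk -dn -o NAME,TRAN,RM,TYPE,SIZE
usb_disks() {
    awk '$2 == "usb" && $3 == 1 && $4 == "disk" { print "/dev/" $1 }'
}

# Print the device only when exactly one candidate exists; otherwise report and
# fail, so a calling script never falls back to a guess.
pick_memory_stick() {
    list=$(usb_disks)
    n=0
    for dev in $list; do n=$((n + 1)); done
    case $n in
    1) printf '%s\n' "$list" ;;
    0) echo "no removable USB disk found" >&2; return 1 ;;
    *) echo "refusing to guess between:$(printf ' %s' $list)" >&2; return 1 ;;
    esac
}

# Constructed sample of lsblk output (not a real system): an internal SATA disk,
# an NVMe disk and one USB stick.
SAMPLE='sda     sata   0 disk 465.8G
nvme0n1 nvme   0 disk 476.9G
sdc     usb    1 disk 119.2G'

# Demo on the sample. On a real host use:
#   memory_stick_device=$(lsblk -dn -o NAME,TRAN,RM,TYPE,SIZE | pick_memory_stick) || exit 1
printf '%s\n' "$SAMPLE" | pick_memory_stick
```

With two sticks plugged in the function deliberately fails and lists both, which is the behaviour you want before a destructive write.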

Use isodumper to write the ISO to USB

Before starting isodumper, plug in the USB memory stick to be used and note the device name.

The version of isodumper described here can be found via: Comment 21 on bug report 24777.


Start isodumper via the graphical user interface (GUI) or from the command line (CLI).

Via GUI:

Applications -> Tools -> System Tools -> IsoDumper (GTK)

From command line:

/bin/sudo /usr/bin/isodumper

Note: as always when running a command that prompts for a password or key, invoke it by its full pathname so that a look-alike binary earlier in your PATH cannot capture what you type.


[Screenshot 2020 01 23 isodumper screenshot a6.png: example screen shot of running isodumper with options for persistence and encryption]

Using the LUKS encrypted Mageia live persistent data USB

Steps:

  1. Plug the USB memory stick into the fastest USB port on the computer
  2. Power up (or reboot) the computer and tap the ESC (Escape) key during start-up to get a choice of boot device
  3. On HP systems: the F9 key opens the boot options menu
  4. Identify and select the USB device to boot from
  5. When prompted, enter the pass phrase you used when encrypting
  6. After start-up and login, check the output of df to confirm that the encrypted 3rd partition is union mounted: you will see "overlay" and its size.

Example: showing the overlay in output from df command:

[user@localhost ~]$ df
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs         16G     0   16G   0% /dev
tmpfs            16G  242M   16G   2% /dev/shm
tmpfs            16G  1.3M   16G   1% /run
/dev/loop0      1.5G  1.5G     0 100% /run/mgalive/ovlsize
overlay         112G  1.5G  105G   2% /
tmpfs            16G     0   16G   0% /sys/fs/cgroup
tmpfs            16G  3.6M   16G   1% /tmp
tmpfs           3.2G   56K  3.2G   1% /run/user/1000

Note: /dev/loop0 is the read-only squashfs image (loopbacks/distrib.sqfs, inside the ISO written to the first partition), which mgalive-root.sh also mounts on /run/mgalive/ovlsize; that is the mount df shows here:

/dev/loop0      1.5G  1.5G     0 100% /run/mgalive/ovlsize

The root filesystem is the overlay:

overlay         112G  1.5G  105G   2% /

This is a union (overlayfs) mount with the squashfs image as the read-only lower layer and the unlocked encrypted 3rd partition as the writable upper layer. Any changes or updates are saved in the encrypted 3rd partition, and the size reported for "overlay" (112G here) is that of the persistent partition.

We can also display partition details of the USB stick. Note that the device name seen from the live system (here /dev/sda) need not match the name the stick had on the machine used to write it:

lsblk -f /dev/sda

Or:

lsblk -o NAME,FSTYPE,LABEL,UUID /dev/sda

Example:

[user@localhost ~]$ lsblk -o NAME,FSTYPE,LABEL,UUID /dev/sda
NAME           FSTYPE      LABEL                          UUID
sda            iso9660     Mageia-7-Live-Mate_LUKS-x86_64 2020-01-23-00-01-22-00
├─sda1         iso9660     Mageia-7-Live-Mate_LUKS-x86_64 2020-01-23-00-01-22-00
├─sda2         vfat        MGALIVE-ESP                    1459-4A6B
└─sda3         crypto_LUKS Mageia-7-Live-Mate_LUKS-x86_64 d99dd635-e4c9-448f-b007-a01c617b7d99
  └─crypt_sda3 ext4        mgalive-persist                36d4932d-102d-4282-b42d-0055bff4af91
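The lsblk listing above is the thing to check after first boot, because the Appendix-1 mgalive-root.sh accepts any device labelled mgalive-persist, whether it sits under /dev/mapper or is a plain partition. A stick written without the encryption option therefore still boots with working persistence, but stores every change in clear. The script below is an added example (not part of the wiki page): it reads lsblk's raw NAME, TYPE, FSTYPE and LABEL columns and distinguishes "persistence on an opened LUKS mapping", "persistence on a plain partition" and "no persistence", and it also checks the flag file that mgalive-root.sh writes when it mounted a persistent overlay. The two lsblk samples are constructed to match the page's listing; they are not captured output.

```shell
#!/bin/sh
# Added example, not part of the wiki page: confirm, from inside the booted live
# system, that persistence is going to the LUKS volume and not to a plain
# partition. mgalive-root.sh (Appendix-1) uses any device labelled
# mgalive-persist, so an unencrypted stick still "works" but stores changes in
# clear. Assumes util-linux lsblk; the samples below are constructed.

# Reads the output of:  lsblk -rno NAME,TYPE,FSTYPE,LABEL /dev/sda
# Exit 0: persistence is on an opened LUKS mapping; 1: a plain partition carries
# the label; 2: no persistent partition at all.
check_persist() {
    awk '
        $2 == "part"  && $3 == "crypto_LUKS"      { luks++ }
        $2 == "crypt" && $4 == "mgalive-persist"  { enc++ }
        $2 == "part"  && $4 == "mgalive-persist"  { plain++ }
        END {
            if (plain > 0) { print "persistent data: PLAIN partition labelled mgalive-persist"; exit 1 }
            if (enc == 1 && luks >= 1) { print "persistent data: encrypted (LUKS)"; exit 0 }
            print "no persistent partition found"; exit 2
        }'
}

# The flag mgalive-root.sh writes (echo 1 > /run/mgalive/persistent) when it
# mounted a persistent overlay instead of a tmpfs. FILE defaults to that path.
persistent_flag_set() {
    [ "$(cat "${1:-/run/mgalive/persistent}" 2>/dev/null)" = 1 ]
}

# Constructed samples matching the layout in the page's lsblk listing.
ENCRYPTED='sda disk iso9660 Mageia-7-Live-Mate_LUKS-x86_64
sda1 part iso9660 Mageia-7-Live-Mate_LUKS-x86_64
sda2 part vfat MGALIVE-ESP
sda3 part crypto_LUKS Mageia-7-Live-Mate_LUKS-x86_64
crypt_sda3 crypt ext4 mgalive-persist'

PLAIN='sda disk iso9660 Mageia-7-Live-Mate_LUKS-x86_64
sda1 part iso9660 Mageia-7-Live-Mate_LUKS-x86_64
sda2 part vfat MGALIVE-ESP
sda3 part ext4 mgalive-persist'

# Demo on the samples. On the live system run:
#   lsblk -rno NAME,TYPE,FSTYPE,LABEL /dev/sda | check_persist && persistent_flag_set
printf '%s\n' "$ENCRYPTED" | check_persist
printf '%s\n' "$PLAIN" | check_persist || :
```

Both checks must pass: check_persist proves the only mgalive-persist volume is behind a LUKS mapping, and persistent_flag_set proves the running initrd actually used it rather than falling back to a tmpfs overlay (which would silently discard every change at shutdown).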

First use: steps to take when booted up from USB memory stick

Depending on the ISO that was created, there is probably a passwordless login for the user live. Create a new login and password for your own use, then remove (or password protect) the live account.

You should also set a root password.

After checking you have network connectivity define urpmi sources and apply pending system updates.


Step 1: Security

First check security: create your own login account and add it to the wheel group (to enable you to sudo). Check that any accounts such as live which may have no password are either removed or password protected. Ensure you have a secure password on the root account.


Example: Create login and set password

In this example, change mylogin (below) to your preferred login account name. Note the use of "-G wheel". This is to enable the account to use sudo. Refer to Configuring_sudo for details on configuring sudo.

[live@localhost ~]$ /bin/su -c "/sbin/useradd -m mylogin -G wheel -s /bin/bash"

[live@localhost ~]$ /bin/su -c "/usr/bin/passwd mylogin"
Changing password for user mylogin.
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
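Creating your own account is only half of Step 1; the other half is proving that no account can still log in without a password. The script below is an added example (not from the page): it reads /etc/shadow-format lines, where the second field is the password hash (empty means login with no password; a leading "!" or "*" means locked), and lists the offenders so you can lock or delete them. The sample shadow lines are constructed with fake hashes.

```shell
#!/bin/sh
# Added example, not from the page: audit the live system's accounts for the
# passwordless logins Step 1 asks you to remove. Reads /etc/shadow-format lines;
# field 2 is the password hash: empty means login with no password, a leading
# "!" or "*" means the account is locked. The sample below is constructed.

# Print accounts with an empty password field; exit 1 when any exist, so the
# function can gate a script.
no_password_accounts() {
    awk -F: '$2 == "" { print $1; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Print accounts that are locked (password field starts with ! or *).
locked_accounts() {
    awk -F: '$2 ~ /^[!*]/ { print $1 }'
}

# Constructed shadow entries with fake hashes (not from a real system).
SHADOW='root:$6$fakesalt$fakehash:18283:0:99999:7:::
live::18283:0:99999:7:::
mylogin:$6$fakesalt$fakehash:18283:0:99999:7:::
nobody:*:18283:0:99999:7:::'

# On the live system, as root, after creating your own account:
#   no_password_accounts </etc/shadow   # should print nothing and exit 0
#   passwd -l live                      # lock the live account, or: userdel -r live
printf '%s\n' "$SHADOW" | no_password_accounts || echo "accounts without a password found (listed above)"
printf '%s\n' "$SHADOW" | locked_accounts
```

Run the audit again after applying updates: a package post-install script can create accounts, and the check costs nothing.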


Step 2: Disable updating of the mgalive-root.sh file

Recall that we used a LUKS-modified version of mgalive-root.sh.

If a system update replaced it with a version that does not support LUKS, we would lose access to the encrypted persistent 3rd partition on the USB stick. To prevent this we can exclude the RPM package containing mgalive-root.sh from being updated (e.g. when "urpmi --auto-update" is run). Be aware of the trade-off: skipping the package also skips any future security fixes for it, so re-check that the modified script is still in place after every update run. First, find the full pathname of mgalive-root.sh:

[user@localhost ~]$ locate mgalive-root.sh
/usr/lib/dracut/modules.d/90mgalive/mgalive-root.sh

Next, determine the package that /usr/lib/dracut/modules.d/90mgalive/mgalive-root.sh is part of:

[user@localhost ~]$  rpm -q --whatprovides  /usr/lib/dracut/modules.d/90mgalive/mgalive-root.sh
dracut-046-11.mga7

So the RPM package we need to exclude from updates is: dracut-046-11.mga7

We can add dracut to the urpmi exclusion list /etc/urpmi/skip.list (as root):

echo "/^dracut/" >> /etc/urpmi/skip.list

Example:

[root@localhost ~]# echo "/^dracut/" >>/etc/urpmi/skip.list

[root@localhost ~]# nl -ba /etc/urpmi/skip.list
     1	# Here you can specify the packages that won't be upgraded automatically
     2	# for example, to exclude all apache packages :
     3	# /^apache/
     4	
     5	/^dracut/
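Two small improvements to the above, as an added example that is not part of the wiki page: append the skip.list entry only once (the echo >> appends a duplicate on every run), and detect after an update whether the packaged mgalive-root.sh has come back. Because the file is owned by the dracut package, as the rpm -q --whatprovides output shows, rpm -V dracut lists it with a "5" in the third flag position (digest differs) for as long as the custom copy is installed; if that line disappears, the stock script is back. The rpm -V output lines below are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the page: keep the LUKS-aware mgalive-root.sh from being
# silently replaced, and detect it if it happens anyway. Assumes the file is owned
# by the dracut package (as rpm -q --whatprovides shows above) and that rpm -V
# prints one line per changed file with a flag string such as S.5....T. whose
# third character is "5" when the file digest differs from the package.

# Append PATTERN to a urpmi skip.list exactly once.
add_skip() {
    list=$1 pattern=$2
    grep -qxF -- "$pattern" "$list" 2>/dev/null && return 0
    printf '%s\n' "$pattern" >>"$list"
}

# Read `rpm -V dracut` output on stdin. Exit 0 when mgalive-root.sh is listed with
# a differing digest (custom version in place), 1 when it is not listed at all
# (the packaged version has been restored and LUKS support is gone).
custom_mgalive_root_in_place() {
    awk '$NF ~ /90mgalive\/mgalive-root\.sh$/ && substr($1, 3, 1) == "5" { found = 1 }
         END { exit found ? 0 : 1 }'
}

# Constructed rpm -V outputs (not captured from a real system).
RPMV_CUSTOM='S.5....T.    /usr/lib/dracut/modules.d/90mgalive/mgalive-root.sh'
RPMV_RESTORED='.......T.    /usr/lib/dracut/modules.d/90mgalive/module-setup.sh'

# On the live system, as root:
#   add_skip /etc/urpmi/skip.list '/^dracut/'
#   rpm -V dracut | custom_mgalive_root_in_place || echo "mgalive-root.sh was replaced: re-copy it"
printf '%s\n' "$RPMV_CUSTOM" | custom_mgalive_root_in_place && echo "custom mgalive-root.sh present"
printf '%s\n' "$RPMV_RESTORED" | custom_mgalive_root_in_place || echo "packaged mgalive-root.sh restored"
```

Run the rpm -V check after every urpmi --auto-update, not only when dracut appears in the transaction: the skip list is a regex you typed by hand, and a typo there fails silently.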


Step 3: Network connectivity

Example: Check network configuration

[user@localhost ~]$ /usr/sbin/ifconfig
enp0s31f6: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether e4:e7:49:0a:04:8e  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xde400000-de420000  

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 2208  bytes 5724001 (5.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2208  bytes 5724001 (5.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.114  netmask 255.255.255.0  broadcast 192.168.101.255
        inet6 fe80::224:d6ff:fef5:b69e  prefixlen 64  scopeid 0x20<link>
        ether 00:24:d6:f5:b6:9e  txqueuelen 1000  (Ethernet)
        RX packets 348345  bytes 455328105 (434.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 179419  bytes 24441450 (23.3 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Note: This shows ethernet interface enp0s31f6 is not in use and has no IP address. Also, wireless interface wlp2s0 is configured and has IP address 192.168.1.114.


Example: verify network connectivity

[live@localhost ~]$ ping -c2 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=53 time=10.4 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=53 time=10.8 ms

--- 8.8.4.4 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 10.361/10.593/10.826/0.254 ms

Note: Showing that 2 ICMP echo requests (ping) get responses from 8.8.4.4 (one of Google's public DNS servers).


Step 4: Configuring URPMI resources

Example: configure Mageia URPMI media sources to network only

/bin/su -c "/usr/sbin/urpmi.removemedia -a && /usr/sbin/urpmi.addmedia --distrib --mirrorlist"
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi.removemedia -a && /usr/sbin/urpmi.addmedia --distrib --mirrorlist"
removing medium "Live Core"
removing medium "Live Nonfree"
adding medium "Core Release"
adding medium "Core Release Debug" (ignored by default)
adding medium "Core Updates"
adding medium "Core Updates Debug" (ignored by default)
adding medium "Core Updates Testing" (ignored by default)
adding medium "Core Updates Testing Debug" (ignored by default)
adding medium "Core Backports" (ignored by default)
adding medium "Core Backports Debug" (ignored by default)
adding medium "Core Backports Testing" (ignored by default)
adding medium "Core Backports Testing Debug" (ignored by default)
adding medium "Nonfree Release"
adding medium "Nonfree Release Debug" (ignored by default)
adding medium "Nonfree Updates"
adding medium "Nonfree Updates Debug" (ignored by default)
adding medium "Nonfree Updates Testing" (ignored by default)
adding medium "Nonfree Updates Testing Debug" (ignored by default)
adding medium "Nonfree Backports" (ignored by default)
adding medium "Nonfree Backports Debug" (ignored by default)
adding medium "Nonfree Backports Testing" (ignored by default)
adding medium "Nonfree Backports Testing Debug" (ignored by default)
adding medium "Tainted Release" (ignored by default)
adding medium "Tainted Release Debug" (ignored by default)
adding medium "Tainted Updates" (ignored by default)
adding medium "Tainted Updates Debug" (ignored by default)
adding medium "Tainted Updates Testing" (ignored by default)
adding medium "Tainted Updates Testing Debug" (ignored by default)
adding medium "Tainted Backports" (ignored by default)
adding medium "Tainted Backports Debug" (ignored by default)
adding medium "Tainted Backports Testing" (ignored by default)
adding medium "Tainted Backports Testing Debug" (ignored by default)
adding medium "Core 32bit Release" (ignored by default)
adding medium "Core 32bit Updates" (ignored by default)
adding medium "Core 32bit Updates Testing" (ignored by default)
adding medium "Core 32bit Backports" (ignored by default)
adding medium "Core 32bit Backports Testing" (ignored by default)
adding medium "Nonfree 32bit Release" (ignored by default)
adding medium "Nonfree 32bit Updates" (ignored by default)
adding medium "Nonfree 32bit Updates Testing" (ignored by default)
adding medium "Nonfree 32bit Backports" (ignored by default)
adding medium "Nonfree 32bit Backports Testing" (ignored by default)
adding medium "Tainted 32bit Release" (ignored by default)
adding medium "Tainted 32bit Updates" (ignored by default)
adding medium "Tainted 32bit Updates Testing" (ignored by default)
adding medium "Tainted 32bit Backports" (ignored by default)
adding medium "Tainted 32bit Backports Testing" (ignored by default)
    $MIRRORLIST: media/core/release/media_info/20190627-235351-synthesis.hdlist.cz
    $MIRRORLIST: media/core/updates/media_info/20191208-180358-synthesis.hdlist.cz                                                                                                  
    $MIRRORLIST: media/nonfree/release/media_info/20190628-001219-synthesis.hdlist.cz                                                                                               
    $MIRRORLIST: media/nonfree/updates/media_info/20191119-211043-synthesis.hdlist.cz 


Example: Verify Mageia URPMI sources configuration

Here we install a single package in order to check package installation is working correctly. In this case, we install package: tcptraceroute

/bin/su -c "/usr/sbin/urpmi tcptraceroute"
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi tcptraceroute"                                                                                                                      
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  lib64net1                      1.1.6        8.mga7        x86_64  
  tcptraceroute                  1.5          1.beta7.11.m> x86_64  
233KB of additional disk space will be used.
97KB of packages will be retrieved.
Proceed with the installation of the 2 packages? (Y/n) y


    $MIRRORLIST: media/core/release/lib64net1-1.1.6-8.mga7.x86_64.rpm
    $MIRRORLIST: media/core/release/tcptraceroute-1.5-1.beta7.11.mga7.x86_64.rpm                                                                                                    
installing tcptraceroute-1.5-1.beta7.11.mga7.x86_64.rpm lib64net1-1.1.6-8.mga7.x86_64.rpm from /var/cache/urpmi/rpms                                                                
Preparing...                     ###################################################################################
      1/2: lib64net1             ###################################################################################
      2/2: tcptraceroute         ###################################################################################


Example: apply pending updates

/usr/sbin/urpmi --auto-update
[live@localhost ~]$ /bin/su -c "/usr/sbin/urpmi --auto-update"
medium "Core Release" is up-to-date
medium "Core Updates" is up-to-date
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
Packages are up to date


Appendix-1: modified mgalive-root.sh with LUKS support

#!/usr/bin/sh

. /lib/dracut-lib.sh

can_decrypt=0
if [ -f /lib/dracut-crypt-lib.sh ] ; then
    . /lib/dracut-crypt-lib.sh
    can_decrypt=1
fi

[ -f /tmp/root.info ] && . /tmp/root.info

PATH=/usr/sbin:/usr/bin:/sbin:/bin

[ -z "$1" ] && exit 1
livedev="$1"

# Create the live tree
mkdir -m 0755 -p /live/distrib
mkdir -m 0755 -p /live/media
mkdir -m 0755 -p /live/overlay
mkdir -m 0755 -p /live/union
mkdir -m 0755 -p /run/mgalive/ovlsize

# Get the base device name
basedev=$(echo $livedev | sed -e 's,\(/dev/sd[a-z]\)1,\1,g' -e 's,\(/dev/mmcblk[0-9]\)p1,\1,g')
# Make it available to draklive-install and mgalive-shutdown
echo $basedev > /run/mgalive/basedev

# Unlock any encrypted partitions on the base device
if [ $can_decrypt -eq 1 ] ; then
    for dev in $(blkid -t TYPE=crypto_LUKS -o device | grep $basedev) ; do
        ask_for_password \
            --ply-cmd "cryptsetup open -T1 $dev crypt_${dev##/dev/}" \
            --ply-prompt "Password ($dev)" \
            --ply-tries 3 \
            --tty-cmd "cryptsetup open -T3 $dev crypt_${dev##/dev/}" \
            --tty-tries 1
    done
fi

# Get the base directory for locating the loopback file. In normal use this is
# the root directory, but a multi-boot USB stick may want to override this.
basedir=$(getarg mgalive.basedir)

# Get the device or path used for persistent storage (if it exists). In normal
# use this is another partition on the same base device, but a multi-boot USB
# stick may want to override this.
overlay=$(getarg mgalive.overlay)
if [ -z "$overlay" ] ; then
    overlay=$(blkid -t LABEL=mgalive-persist -o device | grep $basedev'\|'/dev/mapper)
else
    overlay=$livedev$overlay
fi

info "mgalive basedev is $basedev"
info "mgalive livedev is $livedev"
info "mgalive basedir is $basedir/"
info "mgalive overlay is $overlay"

media=$livedev
if [ -z "$(blkid $livedev)" ] ; then
    if strstr "$(blkid $basedev)" "iso9660" ; then
        # This happens when we boot from a USB stick with a isohybrid partition
        # scheme where the first sector is unclaimed, so the first partition starts
        # at sector 1. The iso9660 filesystem starts at sector 0, so blkid doesn't
        # detect a valid filesystem in the first partition. udev, however, links
        # the entry in /dev/disk/by-label to the first partition, not to the raw
        # device, and that is what we get passed in $1 (mga#3334).
        if [ -n "$overlay" ] ; then
            # If we mount the raw device, we can't then also mount a partition
            # on that device. So to enable persistence, we need to extend the
            # first partition to claim the full range  of the iso9660 filesystem.
            ps=$(partx -go START $livedev)
            pe=$(partx -go END   $livedev)
            if [ $ps -eq 1 ] ; then
                info "Extending $livedev to cover sector 0"
                delpart $basedev 1
                addpart $basedev 1 0 $pe
            else
                info "$livedev is not a valid protective partition"
            fi
        else
            # If we don't have a persistent partition, take the easy option.
            info "Using $basedev to mount the iso9660 filesystem"
            media=$basedev
        fi
    else
        info "$livedev does not contain a valid filesystem"
    fi
fi

# Mount the live media
mount -n -o ro $media /live/media

# Mount the loopback filesystem
LOOPDEV=$( losetup -f )
if [ -e /live/media$basedir/loopbacks/distrib-lzma.sqfs ] ; then
    # Retain support for the original draklive. Note that despite the file
    # name, it uses xz compression.
    losetup -r $LOOPDEV /live/media$basedir/loopbacks/distrib-lzma.sqfs
else
    losetup -r $LOOPDEV /live/media$basedir/loopbacks/distrib.sqfs
fi
mount -n -t squashfs -o ro $LOOPDEV /live/distrib
mount -n -t squashfs -o ro $LOOPDEV /run/mgalive/ovlsize

# Mount the overlay filesystem
if [ -z "$overlay" ] ; then
    mount -n -t tmpfs -o mode=755 none /live/overlay
else
    mount -n -o noatime $overlay /live/overlay
    echo 1 > /run/mgalive/persistent
fi
# work and memory must be on same root
mkdir -m 0755 -p /live/overlay/work
mkdir -m 0755 -p /live/overlay/memory
mount -n -t overlay overlay -o lowerdir=/live/distrib,upperdir=/live/overlay/memory,workdir=/live/overlay/work,noatime /live/union

ln -s /live/union /dev/root

printf '/bin/mount --rbind /live/union %s\n' "$NEWROOT" > $hookdir/mount/01-$$-live.sh
printf '/bin/umount /live/union\n'                     >> $hookdir/mount/01-$$-live.sh

# /live will not be visible once we pivot, so schedule its cleanup now.
# This is needed to allow a persistent overlay to be shutdown cleanly.
umount -l /live/distrib
umount -l /live/overlay
umount -l /live/media

need_shutdown

exit 0