Renaud Métrich [Thu, 7 Jun 2018 13:42:12 +0000 (15:42 +0200)]
Harden dracut against BASH_ENV environment variable
When dracut silently produces a broken initramfs, then the system will
likely not boot and this can be very problematic. Typical use case is
after the kernel has been updated.
It appears that dracut is not protected against the BASH_ENV variable,
causing various scripts called by dracut to possibly fail or provide
wrong output (e.g. "ldd" is one of these).
Having a broken output for "ldd" makes the generated initramfs be not
usable, typically because vital binaries will be missing (e.g.
"awk", "udevadm", ...).
Note: because the shebang line cannot contain more than one argument,
the '--norc' option had to be removed. IMHO, it was useless anyway.
Pingfan Liu [Tue, 24 Apr 2018 08:41:21 +0000 (16:41 +0800)]
40network: introduce ip=either6 option
In kdump, if dump-target is ssh on ipv6, we need to sync until ipv6 addr
is ready. Currently ip=auto6/dhcp6 provides such function. But in 1st kernel,
it is hard to know whether the ipv6 addr is got by dhcpv6 or SLAAC.
E.g ifcfg-eth* contains DHCPV6C=yes direction, but there is no dhcpv6
server in the network, and then after the system is up, the user
echo 1 > /proc/sys/net/ipv6/conf/eth0/autoconf && accept_ra by manual
to obtain a ipv6 addr. Or vice.
So this patch suggests to make dhcpv6 as auto6 fallback
Harald Hoyer [Tue, 15 May 2018 11:37:53 +0000 (13:37 +0200)]
shutdown: sleep a little, if a process was killed
If a process (maybe plymouth) was still pinning /oldroot, then shutdown
would
- kill -9 $pid
- umount_a
- umount_a
in a very short timeframe. A small sleep hopefully lets the scheduler free
up /oldroot in the mean time.
Colin Walters [Wed, 2 May 2018 15:11:59 +0000 (11:11 -0400)]
Suppress sync/fsfreeze if not running on a live system
It's possible for e.g. `kernel` to be installed as an RPM BuildRequires or equivalent,
and there's no reason to sync, and *definitely* no reason to fsfreeze.
Another case where this happens is rpm-ostree, which performs its own sync/fsfreeze
globally. See e.g. https://github.com/ostreedev/ostree/commit/8642ef5ab3fec3ac8eb8f193054852f83a8bc4d0
51-dracut-rescue.install: fix initramfs not generated in /boot case
Commit 5e574046e76e ("5?-dracut*.install: Allow scripts to install
the initramfs in /boot dir") added support to generate initramfs
images in the /boot directory and copy the respective BLS files.
Unfortunately, it broke the rescue initramfs generation when it's
not installed on /boot due not checking for the correct condition.
It checks for the 0-rescue sub-dir to exist, but this is created so
instead if the parent sub-dir exists has to be checked. Also, check
if the destination directory is /boot or not, instead if it exists.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Lukas Nykryn [Fri, 2 Mar 2018 11:29:46 +0000 (12:29 +0100)]
all: fix issues found by shellcheck
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/dracut-init.sh:939:20: error: Argument to implicit -n is always true due to literal strings. [SC2157]
937| dracut_kernel_post() {
938| for _f in modules.builtin.bin modules.builtin modules.order; do
939|-> [[ $srcmods/$_f ]] && inst_simple "$srcmods/$_f" "/lib/modules/$kernel/$_f"
940| done
941|
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/98syslog/parse-syslog-opts.sh:18:12: error: This expression is constant. Did you forget a $ somewhere? [SC2078]
16| elif [ -e /sbin/syslogd ]; then
17| syslogtype="syslogd"
18|-> elif [ /sbin/syslog-ng ]; then
19| syslogtype="syslog-ng"
20| else
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/90crypt/crypt-lib.sh:15:29: error: Since you double quoted this, it will not word split, and the loop will only run once. [SC2066]
13| strstr "$d" "${luks##luks-}" && return 0
14| if [ -n "$dev" ]; then
15|-> for _dev in "$(devnames $d)"; do
16| [ "$dev" -ef "$_dev" ] && return 0
17| done
5?-dracut*.install: Allow scripts to install the initramfs in /boot dir
The GRUB 2 bootloaders expect the initrd to be installed in /boot instead
of /boot/$MACHINE_ID/$KERNEL_VERSION/{linux,initrd}, so if that directory
doesn't exists, install the initramfs images on the /boot directory.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
40network: Fix race condition when wait for networks
If no network related params are specific, but rd.neednet=1 is set,
the default initqueue action is to wait until one of the network
interfaces is marked as setup properly.
This also help with initqueue's race condition when the network interface
shows up late
Daniel Molkentin [Thu, 18 Jan 2018 16:45:01 +0000 (17:45 +0100)]
50plymouth: improve distro compatibility
The existence of dpkg-achitecture is not indicative of a debian
installation. It may well be installed on systems of people who
package for both distros. The previous code path did not take
that into account.
We now traverse all known plymouth directories, locking on the first
valid one, and try to work with it.
At the same time, we do not include the module if the plymouth directory
could not be found.
Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.
With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.
98integrity: support loading x509 into the trusted/builtin .evm keyring
This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.
If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.
Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.
Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.
Martin Wilck [Wed, 5 Oct 2016 11:54:26 +0000 (13:54 +0200)]
Give --persistent_policy precedence over /dev/mapper names
There is currently no way to override dracut's preference for
/dev/mapper device names. But using these is problematic in
different scenarios: For example, if a user has a multipath-
enabled system but wants to disable multipath, or if the
names of multipath maps change because of configuration changes
(e.g. toggling user_friendly_names in /etc/multipath.conf).
This patch makes dracut prefer the user-specified
--persistent_policy names over /dev/mapper names.
It might be worthwhile to discuss why dracut prefers /dev/mapper
of /dev/disk/by-uuid at all. This preference was introduced
in 9037b63e with the argument "dm devices maintain /dev/mapper/* as
persistent names", but that's wrong for the scenarios mentioned
above, and is not a compelling reason for preferring /dev/mapper
over /dev/disk/by-uuid.
Hannes Reinecke [Wed, 24 Aug 2016 10:44:31 +0000 (12:44 +0200)]
90multipath: load dm_multipath module during startup
As the 'multipath' program will be triggered directly from
udev events it will be called before the multipath service
unit has started up. Which means we cannot rely on the
service unit to load the module for us, but we rather
have to do it early before udev is started.
Rewrite cio_ignore module to rely on the dracut commandline
parameter 'rd.cio_accept', which takes a comma-separated list
of CCW IDs. Each of those IDs are being removed from the
list of devices from cio_ignore.
The default values for rd.cio_accept are taken from
/boot/zipl/active_devices.txt.
References: bnc#882685
-----------------------------
Subject: More empty cmdline fixes
This fixes up some more modules which might print out empty
commandline files.
-----------------------------
Subject: Mark scripts as executable
All scripts need to be marked as executable, otherwise dracut
won't be running them.
Harald Hoyer [Fri, 12 Jan 2018 09:24:20 +0000 (10:24 +0100)]
iSCSI: no more iscsid
According to Cathy Zhou <Cathy.Zhou@Oracle.COM>:
"iscsistart is not designed to be working together with iscsid. When an
interface gets the dhcp offer successfully, the iscsiroot script is run
which starts the iscsistart service to establish the iSCSI session. With
the existence of iscsid, the iscsistart service's attempt to setup its
own mgmt ipc fails. Instead, the request to login to the iscsi target
is handled by the mgmt ipc of iscsid. After iscsistart finishes its
login attempt, it eventually sends a stop_event_loop request to stop
the mgmt process. As the result, it terminates iscsid."
So, iscsid is kicked out again.
Additionally iscsistart-flocked is used to make sure iscsistart is not
run in parallel.
Hannes Reinecke [Fri, 11 Jul 2014 10:55:55 +0000 (12:55 +0200)]
91zipl: Translate 'ext2/3' into ext4
91zipl tries to read the filesystem for the /boot/zipl device.
On SLE12, however, the ext2 and ext3 filesystems are handled
by the ext4 module.
And due to bug#886839 no error is registered and booting fails.
So implement a band-aid to translate it into ext4.
Hannes Reinecke [Fri, 27 Jun 2014 09:43:28 +0000 (11:43 +0200)]
91zipl: Add new module to update s390x configuration
Add new module to update the dracut commandline values
during booting with the values found in the file
dracut-cmdline.conf on the device specified by
rd.zipl.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Contrary to the original patch, this one has been modified
to check for /boot/zipl, the location of the first stage kernel
in indirect boot, in order not to install on systems
booting directly via zipl.
Signed-off-by: Daniel Molkentin <daniel.molkentin@suse.com>
Yu Watanabe [Thu, 11 Jan 2018 04:53:27 +0000 (13:53 +0900)]
dracut.sh: do not invoke fsfreeze on EFI System Partition
When the system boots with EFI, then initrd image is stored
on EFI System Partition. Thus dracut always warn about the
failure to invoke fsfreeze on the partition.
This prevents to run fsfreeze on ESP and suppress the warning.