fix(dracut.sh): use dynamically uefi's sections offset
* UEFI sections are created by `objcopy` with hardcoded section
offsets. This commit allows having the correct offset between
each part of the EFI file, needed to create a UKI. Offsets
are simply calculated so no sections overlap, as recommended
in https://wiki.archlinux.org/title/Unified_kernel_image#Manually
Moreover, the EFI stub file's header is parsed to apply the correct
offsets according to the section alignment factor.
* Remove EFI_SECTION_VMA_INITRD, no longer needed as the initrd
section offset is dynamically calculated
Tao Liu [Fri, 3 Mar 2023 10:27:25 +0000 (18:27 +0800)]
fix(lvmthinpool-monitor): activate lvm thin pool before extend its size
The state of lvm thin pool may change into an inactive state when kdump into
2nd kernel. As a result, lvextend will fail to extend its size. For example:
“Masahiro [Tue, 7 Feb 2023 09:30:36 +0000 (18:30 +0900)]
feat(test): nfs_fetch_url test into nfs test
This is to check the behavior of nfs_fetch_url() in nfs-lib.sh.
nfs_fetch_url() calls nfs_already_mounted() internally.
A file /nfs/client/root/fetchfile is on NFS server, which is fetched
from clients for testing with nfs_fetch_url().
“Masahiro [Fri, 3 Feb 2023 03:08:26 +0000 (12:08 +0900)]
fix(url-lib.sh): nfs_already_mounted() with trailing slash in nfs path
nfs_already_mounted() doesn't work when the installation ISO and kickstart file on the same NFS share are specified with the inst.repo and inst.ks boot parameters as below.
NOTE: /home/data is configured for nfs share on 192.168.1.1
One problem is a file (not a directory) was passed into nfs_already_mounted().
nfs_already_mounted() is the function to judge if the given directory is already mounted.
So, filepath should be passed in nfs_fetch_url().
The other problem is about the trailing slash in the nfs path in /proc/mounts.
The /proc/mounts has an entry after nfs mount of inst.repo.
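The two problems named in this commit message (a file passed where a directory is expected, and a trailing slash in the /proc/mounts source field) can be shown with a small lookup. This is an added example, not dracut's url-lib.sh code and not part of the commit; the function names, the server 192.0.2.10 and the paths are constructed for illustration.

```shell
#!/bin/sh
# Hypothetical helpers (not from dracut): trailing-slash-safe NFS mount lookup.

# Strip trailing slashes but keep a lone "/" intact.
strip_trailing_slash() {
    _p=$1
    while [ "${_p}" != "/" ] && [ "${_p%/}" != "${_p}" ]; do
        _p=${_p%/}
    done
    printf '%s\n' "${_p}"
}

# find_nfs_mount SERVER DIR [MOUNTS_FILE]
# Print the mount point if SERVER:DIR is already mounted, else return 1.
find_nfs_mount() {
    _want="$1:$(strip_trailing_slash "$2")"
    while read -r _src _mnt _rest || [ -n "${_src}" ]; do
        case ${_src} in
            *:/*) ;;            # only "server:/path" sources are NFS-like
            *) continue ;;
        esac
        # Split at the first ":/" so "[fe80::1]:/path" is handled as well.
        _have="${_src%%:/*}:$(strip_trailing_slash "/${_src#*:/}")"
        if [ "${_have}" = "${_want}" ]; then
            printf '%s\n' "${_mnt}"
            return 0
        fi
    done < "${3:-/proc/mounts}"
    return 1
}

# nfs_local_path SERVER FILEPATH [MOUNTS_FILE]
# Look up the directory that contains the file, never the file itself.
nfs_local_path() {
    _dir=$(dirname "$2")
    _mp=$(find_nfs_mount "$1" "${_dir}" "${3:-/proc/mounts}") || return 1
    printf '%s/%s\n' "${_mp}" "$(basename "$2")"
}

# Demo on a constructed mounts table; note the trailing slash in the source.
demo_mounts=$(mktemp)
cat > "${demo_mounts}" << 'EOF'
sysfs /sys sysfs rw 0 0
192.0.2.10:/srv/share/ /run/install/repo nfs ro,vers=3 0 0
EOF
nfs_local_path 192.0.2.10 /srv/share/ks.cfg "${demo_mounts}"
rm -f "${demo_mounts}"
```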
As LGTM is going to be shut down by EOY[0], let's move the code scanning to
CodeQL as recommended. Thanks to GH integration the results from such
scans will be shown both in the respective PR and in the Security ->
Code Scanning tab[1].
Adrien Thierry [Wed, 15 Feb 2023 19:13:56 +0000 (14:13 -0500)]
fix(dracut-install): prevent possible infinite recursion with suppliers
During search for fw_devlink suppliers, it's possible to encounter a
situation where supplier A depends on supplier B, and supplier B has a
parent node that depends on supplier A. This leads to an infinite
recursion.
To fix this, make sure suppliers are only processed once.
John Meneghini [Tue, 14 Feb 2023 21:28:57 +0000 (16:28 -0500)]
build: remove rpm spec file and build rules
As discussed in issue #2204 this patch removes the dracut.spec file from
the repository. The advantage of this patch is that it creates a
dracut-version.tar.xz file that can be more easily consumed by the
downstream distributions because there's no rpm spec file included in
the distribution.
Tested with a downstream rpm spec file:
```
cd dracut
VERSION=`git describe --abbrev=0 --tags --always`
make clean
make dist
cp dracut-${VERSION}.tar.xz ../
cd ..
```
Adrien Thierry [Mon, 13 Feb 2023 15:43:32 +0000 (10:43 -0500)]
fix(kernel-modules): use modalias info in get_dev_module()
When calling dracut with '--hostonly-mode=strict', get_dev_module() gets
called on the system's block devices to find the required drivers. The
driver name is retrieved using udevadm. However, the driver name
returned by udevadm is not necessarily the same as the module name.
This is the case for the Qualcomm UFS driver: udevadm returns
'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is
not able to find the module afterwards.
To solve this, make get_dev_module() also return the module alias info
from the modalias files contained in the sysfs directories parsed by
udevadm.
On EL8.3 NetworkManager keeps restarting even if it exits successfully
while waiting for Clevis to unlock. This patch ensures NetworkManager runs
only once in initrd.
Yes; NetworkManager is run multiple times, so that it's able to
configure interfaces that haven't been seen previously (because bus was
slow to scan or device took time to initialize).
It's not clear what problem the original commit was trying to fix.
I suspect there was no problem, just a misunderstanding.
fix(dracut.sh): handle sbsign errors for UEFI builds
`sbsign` does not issue any error if there is not enough disk space to create
the signed file using its `--output` option. So, verify the signed image after
its creation using `sbverify`.
Martin Wilck [Tue, 7 Feb 2023 21:24:15 +0000 (22:24 +0100)]
fix(network): IPv6: don't wait for RA for static IPv6 assignments
This patch reverts commit c603419 ("wait for IPv6 RA if using none/static IPv6 assignment").
It's not generally correct to wait for a default route to be established
for an interface, or to wait for "proto ra" routes in general.
For example, if the system is a router itself, it will receive no
RAs. In isolated networks, no gateway may be advertized, either.
This is similar in spirit to 76f6566 ("Revert "wait for IPv6 RA
if using none/static IPv6 assignment"")
Whatever c603419 ("wait for IPv6 RA if using none/static IPv6 assignment")
was supposed to achieve, it should be done differently.
Martin Wilck [Tue, 7 Feb 2023 20:59:51 +0000 (21:59 +0100)]
fix(network-legacy): always include af_packet
For static IPv4 configurations, we use arping to check for duplicate
IP addresses. arping requires the af_packet module to work, and if arping
fails, the IP address will not be set and booting will fail.
af_packet may not be loaded / required in the running system, for example if
the system had been booted in an IPv6 configuration, or if it had been
manually unloaded. Make sure it's included in initramfs in hostonly mode, too.
Martin Wilck [Fri, 3 Feb 2023 20:39:02 +0000 (21:39 +0100)]
fix(network): don't assume prefix length 64 by default
Assuming a default prefix length of 64 by default if no explicit
prefix length is given is wrong and known to cause connectivity
problems in some networks. A prefix length of 128 should be assumed
in this case.
See https://www.rfc-editor.org/rfc/rfc5942 (specifically section 5)
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684009
Martin Wilck [Fri, 3 Feb 2023 20:26:28 +0000 (21:26 +0100)]
fix(iscsi): prefix syntax for static iBFT IPv6 addresses
ibft_to_cmdline() formats a static IPv6 address like this
(without peer, gateway, hostname):
ip="[fd09:9a46:b5c1:1fe:1::10/64]:::::ibft0:none"
This means that the "mask" field (4th) is left blank. When this is
parsed later by parse-ip-opts.sh, it bails out with the error
message "Sorry, automatic calculation of netmask is not yet supported".
parse-ip-opts.sh rather expects the prefix in the 4th field:
ip="[fd09:9a46:b5c1:1fe:1::10]:::64::ibft0:none"
This syntax will be correctly transformed to the command
ip addr add fd09:9a46:b5c1:1fe::10/64 dev ibft0
This patch fixes the formatting of the "ip=" line in ibft_to_cmdline().
Martin Wilck [Thu, 12 Jan 2023 10:06:35 +0000 (11:06 +0100)]
fix(iscsi): install 8021q module unconditionally
In iBFT setups, VLAN can be configured in the firmware.
Add the 8021q module in hostonly mode even if VLAN is currently
not used to be prepared for such configuration change.
Adrien Thierry [Mon, 5 Dec 2022 21:28:17 +0000 (16:28 -0500)]
feat(dracut-install): add fw_devlink suppliers as module dependencies
Dracut currently finds kernel module dependencies using two methods:
depmod and softdeps. However, these are often insufficient on embedded
systems where a lot of driver dependencies are only described in the
device tree. This is often the case for low-level devices such as
clocks, regulators, pinctrls, etc.
This patch allows dracut to find those device tree dependencies, by
parsing the sysfs supplier nodes populated by fw_devlink.
This is needed in s390x to be able to use the same `boot=` command line
parameter in grub and zipl. Otherwise, `boot=` would need to be added only to
`grub.cfg` (not `/etc/default/grub` and thereby not to `/boot/zipl/config`).
The `mount_boot` method called from fips-noboot.sh in the pre-pivot hook blindly
executes `rm -rf /boot` if there is no `boot=` command line parameter, without
first checking that /boot is not already mounted by other means.
fix(network-manager): add "After" dependency on dbus.service
During shutdown, there is no ordering dependency between the nm-initrd service
and the D-Bus daemon, and so the latter can be stopped before. This causes
issues to NetworkManager, especially when team interfaces are present because
NM will see teamd dropping from the bus and will try to reactivate the
connection.
Add an "After" dependency to make sure the D-Bus daemon is stopped after NM on
shutdown.
The `ldd` script uses the following code to resolve dependencies:
```
RTLDLIST="/lib/ld-linux.so.2 /lib64/ld-linux-x86-64.so.2 /libx32/ld-linux-x32.so.2"
...
RTLD=
ret=1
for rtld in ${RTLDLIST}; do
  if test -x $rtld; then
    verify_out=`${rtld} --verify "$file"`
    ret=$?
    case $ret in
    [02]) RTLD=${rtld}; break;;
    esac
  fi
done
```
So, if the 32-bit library fails, the 64-bit library may work, so don't stop
parsing the `ldd` output unconditionally when the message "cannot execute binary
file" is printed.
- it sets up a bridge on net1 and net2, however those interfaces
are part of the same qemu hub and this causes switching loops;
- the bonds are created on two interfaces but only one has a DHCP server, and
this causes random failures;
- the checks performed on the client are pretty limited.
Rework the test:
- avoid the bridging loop;
- update the topology to use a bond interface on the server side;
- introduce additional checks on the client: start a ping and check that ports
are properly attached to bonds and bridge;
- make it possible to return module-specific information from the client; in
the future this can be added for example to check that the NetworkManager or
systemd-networkd configuration is correct.
Kernel uses the lowest MAC of all attached ports as MAC address of the
bridge. However, after the first port gets attached, DHCP can be started on the
bridge and it will use the MAC (and client-id) of the first port; so, the MAC
used for DHCP depends on the order of attachment of ports, which is not
guaranteed to be stable in general.
To make sure that the DHCP server always sees the request from the MAC of
enp0s1, assign that MAC to the bridge from the kernel command line.
The current interval (3 seconds) is very low and causes sporadic failures
especially when DHCP is run on a bridge (TEST-50-MULTINIC); in that specific
case, interfaces take time to be attached to the bridge and before enp0s1 is
attached all DISCOVER packets are lost.
Bump the timeout to a more robust value of 30 seconds.
fix(test): remove check on dhclient support for --timeout
The network-legacy dracut module already ignores the DHCP timeout option when
it's not supported by dhclient. Other network modules don't use dhclient for
DHCP.
Khem Raj [Sat, 31 Dec 2022 22:41:52 +0000 (14:41 -0800)]
fix(install): do not undef _FILE_OFFSET_BITS
_FILE_OFFSET_BITS is a feature test macro to determine largefile
support. Usually it's set to 64 on systems supporting LFS. It's also
needed to be set to 64 for supporting 64bit time_t on glibc on 32bit
systems. If it's undefined explicitly, then 64bit time_t can not be
enabled.
fix(dracut.sh): --sysroot option broken if global variables not set in conf
When `$dracutsysrootdir` is set and references an existing directory, the
internal global variables are never set, unless their value is assigned via
configuration file.
But this patch also includes a refactoring, removing duplicate code using the
same `set_global_var` function to set and export global variables, and improving
readability.
fix(lsinitrd.sh): handle filenames with special characters
Printing and unpacking of specific files passed as arguments does not work if
their filenames contain special characters with a hexadecimal character escape
(\x), which is often the case for systemd device units.
feat(lvm): always include all drivers that LVM can use
This patch adds all the kernel modules that might be needed by LVM, to avoid
having to rebuild the initrd in hostonly mode after a dynamic change that
requires new drivers to boot.
For example, LVM allows to dynamically convert a linear logical volume to a
RAID-1 type (`lvconvert --type raid1 vg/lv`), which, in hostonly mode, will
require the user to manually rebuild the initrd again to include the new RAID
drivers in use, otherwise the system will fail to boot.
LinkTed [Fri, 23 Dec 2022 19:16:31 +0000 (20:16 +0100)]
fix(crypt-gpg): do not use always --card-status
If no GPG smart card is used then the card-status breaks the decryption
of the keyfile. Therefore, use the card-status only if a smart card is
used to decrypt the keyfile.
- Remove the reference to Harald's git ci alias
- Added a missing push to master
- Added a warning not to add the Rendered View entry from the NEWS.md to
the tags. ( Github adds that to the release with no way of removing it, see 058 )
- Added validation of the new tag ( Good practice )
- Clarify milestone handover.
Without this service, timedatectl fails to run in the initrd.
```
sh-5.2# timedatectl
Failed to query server: Could not activate remote peer: activation request failed: unknown unit.
sh-5.2# systemctl status dbus | grep timedate
Dec 22 13:57:03 sd-net-test dbus-broker-launch[219]: Activation request for 'org.freedesktop.timedate1' failed: The systemd unit 'dbus-org.freedesktop.timedate1.service' could not be found.
```
Without this service, hostnamectl fails to run in the initrd.
```
sh-5.2# hostnamectl
Failed to query system properties: Could not activate remote peer: activation request failed: unknown unit.
sh-5.2# systemctl status dbus | grep hostname
Dec 22 11:07:56 sd-net-test dbus-broker-launch[216]: Activation request for 'org.freedesktop.hostname1' failed: The systemd unit 'dbus-org.freedesktop.hostname1.service' could not be found.
```
Also, remove duplicate code by creating a function to get the zipl boot device,
prepend $dracutsysrootdir to /etc/fstab and print cmdline properly: start
with a space and do not print a newline.
fix(dracut): allow to set persistent policy based on /dev/mapper device names
Currently, dracut only allows to configure the persistent policy to address
disks and partitions using any directory name found in /dev/disk, but there is
no defined way to set the default policy based on /dev/mapper device names. So,
for example, if the persistent policy is set by the distribution in any
configuration file, the user cannot set the default if he wants to.
The current workaround is to set persistent_policy="" in a conf file or pass
--persistent-policy " " (white space) as an argument. This patch aims to
establish a specific value for this case.
Kairui Song [Tue, 6 Dec 2022 16:06:34 +0000 (00:06 +0800)]
fix(iscsi): don't install the module if kernel doesn't support iscsi
The cmdline hook of iscsi module will force check if iscsi_tcp module
is available, and abort the boot progress if not. But actually iscsi
module shouldn't be allowed to be installed in the first place if the
corresponding kernel doesn't support it.
So print a warning and refuse to install the iscsi dracut module
in such case, instead of dying on reboot.
Kairui Song [Tue, 6 Dec 2022 09:24:47 +0000 (17:24 +0800)]
feat(dracut-init.sh): introduce a new helper require_kernel_modules
Some dracut modules won't work without certain kernel modules,
this helper will be helpful for checking such kernel configs in
check() and error out early.
Kairui Song [Tue, 6 Dec 2022 09:20:26 +0000 (17:20 +0800)]
fix(dracut-functions.sh): check_kernel_module should follow dracutsysrootdir
check_kernel_module calls modprobe and tries to dry-run a module load to
check if a module is available. modprobe supports `-d` to specify a
rootdir, so just pass dracutsysrootdir to it to make it work as expected
when building initramfs for another rootfs.
Laszlo Gombos [Wed, 7 Dec 2022 20:04:27 +0000 (20:04 +0000)]
ci: reduce the timeout for local tests to 30 min
The main motivation here is to not allow each test to grow beyond
30 min. If a longer test is needed for some reason, it should be
split into two tests.
Currently each local test is passing at 20 min.
The longest running local test is test 12: encrypted LVM PV
on a degraded RAID-5.
Laszlo Gombos [Tue, 25 Oct 2022 17:54:34 +0000 (17:54 +0000)]
refactor(dmsquash-live): move ntfs-3g code to dmsquash-live-ntfs
Since the installation of ntfs-3g binary is in the
dmsquash-live-ntfs module, calling ntfs-3g from dmsquash-live fails
when dmsquash-live-ntfs module is not installed anyways.
The directory where to look for kernel modules can be set via the -k/--kmoddir
command line option or the drivers_dir configuration option. Its current check
should be split into two different ones to avoid misleading error messages (see
referenced issue):
- First check that its basename matches the kernel version set for the initramfs
(via --kver or automatically set by "uname -r").
- Second check that the parent directory of the last provided directory contains
"/lib/modules/". This check was also fixed to avoid accepting other directories
like "xxxlib/modules".
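The two separate checks described in this last commit message can be sketched as follows. This is an added example, not dracut's code: `check_kmoddir`, `loose_parent_check`, their return codes and the sample paths are assumptions made for illustration, and the loose variant only shows why an unanchored substring match accepts a directory such as "xxxlib/modules".

```shell
#!/bin/sh
# Hypothetical validation of a -k/--kmoddir (drivers_dir) value.

# check_kmoddir DIR KVER
#   returns 0 if DIR is acceptable,
#           1 if its basename is not the kernel version,
#           2 if its parent directory is not ".../lib/modules".
check_kmoddir() {
    _dir=${1%/}                 # tolerate one trailing slash
    _kver=$2
    # Check 1: the last path component must be the kernel version.
    if [ "${_dir##*/}" != "${_kver}" ]; then
        echo "kmoddir basename '${_dir##*/}' does not match '${_kver}'" >&2
        return 1
    fi
    # Check 2: the parent must end in the path component pair /lib/modules.
    # Anchoring on the leading "/" rejects look-alikes such as xxxlib/modules.
    _parent=${_dir%/*}
    case "${_parent}/" in
        */lib/modules/) return 0 ;;
    esac
    echo "kmoddir parent '${_parent}' is not a lib/modules directory" >&2
    return 2
}

# Unanchored substring match, shown only for contrast (assumed, not the
# project's earlier code): it accepts any path containing "lib/modules".
loose_parent_check() {
    case "${1%/}" in
        *lib/modules*) return 0 ;;
    esac
    return 1
}

# Demo with constructed paths.
for d in /lib/modules/6.1.0 /sysroot/lib/modules/6.1.0/ \
    /tmp/xxxlib/modules/6.1.0 /lib/modules/5.14.0; do
    if check_kmoddir "$d" 6.1.0 2> /dev/null; then
        echo "accept $d"
    else
        echo "reject $d (code $?)"
    fi
done
```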