fix(dracut-install): protect against broken links pointing to themselves
`readlink` does not return an error if a symbolic link points to itself, which
can cause a stack overflow due to infinite recursion in the `get_real_file`
function.
Although this type of recursive links should not exist, we discovered this
issue on a real system. It can be reproduced as follows:
fix(dracut.sh): exit if resolving executable dependencies fails
We came across an issue where, when resolving executable dependencies, a call to
a buggy glib function in `dracut-install` was causing a termination with
SIGSEGV, but dracut didn't stop the build process, which resulted in an
unbootable initrd, due to missing required libraries.
feat(dracut): add --sbat option to add sbat policy to UKI
Take existing .sbat section from the uefi stub and merge it
with vmlinux .sbat (if it exists) and user-provided .sbat parameters
using the new --sbat option.
For some reasons, --update-section in objcopy does not resize the
.sbat section, so remove the section from the stub and add it
to the UKI as new one, to avoid having incomplete SBAT strings.
Signed-off-by: Emanuele Giuseppe Esposito <eesposit@redhat.com>
David Disseldorp [Wed, 26 Jul 2023 13:49:41 +0000 (15:49 +0200)]
refactor(install): log about missing firmware only once
When attempting to locate a firmware path under each of the firwaredirs
parent directories, Dracut logs an error for every missing path.
Instead, only log the error if the firmware path isn't found under any
of the firmwaredirs.
When the `module_check` method is called passing 3 arguments (all calls right
now), the `forced` option is ignored, so the `hostonly` variable is never unset
before the module's `check` method is called.
fix(man): add missing initrd-root-device.target to flow chart
This target was added since https://github.com/dracutdevs/dracut/commit/d4efc0ae
and is ordered between `basic.target` and `sysroot.mount`, see `man bootup.7`
(`dracut-pre-mount.service` starts after).
Thomas Blume [Mon, 17 Apr 2023 13:41:07 +0000 (15:41 +0200)]
feat(livenet): add memory size check depending on live image size
For writeable live images, the memory must hold the complete image.
That means it must be at least the size of the image plus some RAM
necessary to run processes.
With too small RAM, the OOM Killer steps in and makes the boot hang.
This patch lets the system go into the emergency shell instead.
The default minimum RAM after subtracting the live image size is set to 1G.
The parameter rd.minmem is added to modify this.
Michał Zegan [Wed, 26 Oct 2022 16:10:38 +0000 (18:10 +0200)]
fix(modsign): load keys to correct keyring
Until now, 03modsign module was loading keys from /lib/modules/keys/* into the
current session keyring.
This change makes it add keys to the secondary trusted keyring. This works
only as long as added certificate is signed by key from the same keyring.
Martin Wilck [Fri, 16 Sep 2022 19:36:52 +0000 (21:36 +0200)]
feat(nvmf): add code for parsing the NBFT
Add code to parse the Nvme-oF Boot Firmware Table (NBFT) according
to the NVM Express Boot Specification 1.0 [1]. The implementation in
dracut follows a similar general approach as iBFT support in the
iscsi module.
NBFT support requires two steps:
(1) Setting up the network and routing according to the
HFI ("Host Fabric Interface") records in the NBFT,
(2) Establishing the actual NVMe-oF connection.
(1) is accomplished by reading the NBFT using JSON output from
the "nvme nbft show" command, and transforming it into command
line options ("ip=", "rd.neednet", etc.) understood by dracut's
network module and its backends. The resulting network setup code
is backend-agnostic. It has been tested with the "network-legacy"
and "network-manager" network backend modules. The network setup
code supports IPv4 and IPv6 with static, RA, or DHCP configurations,
802.1q VLANs, and simple routing / gateway setup.
(2) is done using the "nvme connect-all" command [2] in the netroot handler,
which is invoked by networking backends when an interface gets fully
configured. This patch adds support for "netboot=nbft". The "nbftroot"
handler calls nvmf-autoconnect.sh, which contains the actual connect
logic. nvmf-autoconnect.sh itself is preserved, because there are
other NVMe-oF setups like NVMe over FC which don't depend on the
network.
The various ways to configure NVMe-oF are prioritized like this:
1 FC autoconnect from kernel commandline (rd.nvmf.discover=fc,auto)
2 NBFT, if present
3 discovery.conf or config.json, if present, and cmdline.d parameters,
if present (rd.nvmf.discovery=...)
4 FC autoconnect (without kernel command line)
The reason for this priorization is that in the initial RAM fs, we try
to activate only those connections that are necessary to mount the root
file system. This avoids confusion, possible contradicting or ambiguous
configuration, and timeouts from unavailable targets.
A retry logic is implemented for enabling the NVMe-oF connections,
using the "settled" initqueue, the netroot handler, and eventually, the
"timeout" initqueue. This is similar to the retry logic of the iscsi module.
In the "timeout" case, connection to all possible NVMe-oF subsystems
is attempted.
Two new command line parameters are introduced to make it possible to
change the priorities above:
- "rd.nvmf.nonbft" causes the NBFT to be ignored,
- "rd.nvmf.nostatic" causes any statically configured NVMe-oF targets
(config.json, discovery.conf, and cmdline.d) to be ignored.
These parameters may be helpful to skip attempts to set up broken
configurations.
At initramfs build time, the nvmf module is now enabled if an NBFT
table is detected in the system.
[1] https://nvmexpress.org/wp-content/uploads/NVM-Express-Boot-Specification-2022.11.15-Ratified.pdf
[2] NBFT support in nvme-cli requires the latest upstream code (> v2.4).
Signed-off-by: Martin Wilck <mwilck@suse.com> Co-authored-by: John Meneghini <jmeneghi@redhat.com> Co-authored-by: Charles Rose <charles.rose@dell.com>
Martin Wilck [Thu, 9 Mar 2023 15:55:36 +0000 (16:55 +0100)]
fix(nvmf): support /etc/nvme/config.json
Since nvme-cli 2.0, configuration of subsystems to connect to is
stored under `/etc/nvme` in either `discovery.conf` or `config.json`.
Attempt discovery also if the latter exists, but not the former.
Also, install "config.json" if it's present on the root FS.
As before, "rd.nvmf.discover=fc,auto" will force either file to be ignored,
and NBFT-defined targets take precedence if found.
Martin Wilck [Thu, 12 Jan 2023 10:06:35 +0000 (11:06 +0100)]
fix(nvmf): install 8021q module unconditionally
In NBFT setups, VLAN can be configured in the firmware.
Add the 8021q module in hostonly mode even if VLAN is currently
not used to be prepared for such configuration change.
Andrew Ammerlaan [Sat, 17 Jun 2023 06:18:55 +0000 (08:18 +0200)]
fix(install.d): respect more kernel-install env variables
- If kernel-install has defined a staging area for us
(KERNEL_INSTALL_STAGING_AREA) install generated initrd/uki.efi there.
The actual install is then handled by 90-loaderentry.install or
90-uki-copy-install.
- Also skip regeneration if an uki.efi already exists.
- Pass --kernel-image to dracut, this is required to generate an uki (uefi=yes)
- Add --no-uefi argument to dracut rescue image generation, this ensures that
it at least installs correctly. TODO: Rework 51-dracut-rescue.install to also
work with uki's.
This fixes installing a kernel with uefi=yes in dracut config and layout=uki
in kernel/install.conf.
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
fix(bluetooth): include it if Appearance matches the value assigned for keyboard
Following the Bluetooth spec [1], Assigned Numbers Document, Rev. 2023-05-04,
Section 2.6.3, Appearance Sub-category, the Appearance value defined for
keyboards is 0x03C1.
This value must be checked to include the bluetooth module in hostonly mode,
because some Bluetooth keyboards do not set the Class attribute.
fix(dracut-init.sh): correct check in `is_qemu_virtualized` function
Do not redirect `systemd-detect-virt` to /dev/null, otherwise, the `vm` variable
is always empty. This function was working only thanks to the following /sys
check.
Henrik Gombos [Wed, 14 Jun 2023 19:17:20 +0000 (19:17 +0000)]
ci: add dependencies to Debian container
- add systemd-boot-efi for test 18
- tgt is needed for test 30 and 35
- nbd-server is needed for test 40
- gawk dependency has been introduced by f32e95bcadbc5158843530407adc1e7b700561b1
- install dracut instead of initramfs-tools to match actual usage
- remove workaround for https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962300
as it is now fixed on Debian 12.
fix(systemd-pcrphase): only include systemd-pcrphase-initrd.service
The only systemd-pcrphase related unit configured to run in the initrd is
systemd-pcrphase-initrd.service.
Both systemd-pcrphase.service and systemd-pcrphase-sysinit.service contain
`ConditionPathExists=!/etc/initrd-release`.
Henrik Gombos [Fri, 2 Jun 2023 14:05:12 +0000 (14:05 +0000)]
ci: cleanup containers
Remove /etc/profile.d/dracut-test.sh from test containers
No use to override default command
Remove references to docker. These files work just fine
with podman as well.
Frederick Grose [Sun, 21 May 2023 22:05:12 +0000 (18:05 -0400)]
fix(resolve-deps): check the existing file—not the source
Check for dependencies on the file actually installed, otherwise,
such as when the shebang is a link not equal to the initramfs link,
the wrong file may be tested.
If some "finished" initscripts keep failing, dracut will start
printing warnings after a while. But it will warn about all scripts
in the finished initqueue, not only those that have failed. That
makes it difficult to identify the script that has actually
caused the failure.
To avoid this, delete finished initqueue scripts when they succeed.
Also, instead of returning as soon as one of the scripts fails, try
all scripts, deleting those that succeed, and return failure if at
least one script failed.
If a previously deleted script is recreated by some other part of
the code, it will be re-run the next time the check_finished() function
is called, and will be re-deleted if it still succeeds.
The only case where I see that this might cause issues is if some
condition needs to be tested over and over again, because it succeeds
and then fails later (for example, a device showing up and then being
removed again). But I think that this is not the intended logic.
In general, when a device shows up or another "finished" condition
is met, we assume that this condition will hold at least until the
initramfs switches root and exits. If all conditions are met, the
current code will also exit the initqueue without retrying any of
the conditions again.
fix(dracut-systemd): rootfs-generator cannot write outside of generator dir
Although it was already documented in systemd.generator(7) that generators must
not write to locations other than those passed as arguments, since
https://github.com/systemd/systemd/commit/ca6ce62d systemd executes generators
in a mount namespace "sandbox", so now the hooks created by the rootfs-generator
are lost.
These hooks are created using the root= cmdline argument, so this patch moves
the creation of these hooks to a cmdline hook.
keentux [Wed, 22 Mar 2023 10:40:39 +0000 (10:40 +0000)]
fix(dracut.sh): handle imagebase for uefi
* UEFI creation didn't handle the ImageBase data for the PE file
generation. Create an UKI thanks a stub file with a non zero BaseImage
logs some warning ans generate a bad file offset management. The efi
becomes unloadable.
* This commit parse the PE file header, get the data and apply the
ImageBase on the objcopy command.
Daniel McIlvaney [Fri, 28 Apr 2023 21:02:05 +0000 (14:02 -0700)]
fix(dracut-functions): avoid calling grep with PCRE (-P)
Invoking grep in Perl mode requires JIT'ing the Perl regex.
This can run into issues with SELinix policy which will generally try to
limit use of execmem in general purpose scripts. This occurs since the
JIT'd code will live in executable memory.
The PCRE only '\K' command in the Perl REGEX can be replaced by a call
to awk instead.
Tao Liu [Wed, 12 Apr 2023 15:02:25 +0000 (23:02 +0800)]
fix(dracut-functions.sh): convert mmcblk to the real kernel module name
In some x86_64 platforms such as Intel Elkhartlake, an issue of missing
necessary modules due to udevadm drivers field unmatch the real kernel module
name is found:
$ udevadm info -a /dev/block/179:1
looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001':
KERNELS=="mmc0:0001"
SUBSYSTEMS=="mmc"
DRIVERS=="mmcblk"
....
The DRIVERS field, aka mmcblk will be given to instmods to install the
corresponding mmc_block.ko kernel module. However mmc_block.ko cannot be
selected by string mmcblk, as a result, mmc_block.ko cannot be installed
in hostonly-mode strict, which will fail to bootup the machine such as in
kdump cases:
`Also=multipathd.socket` is not the correct behavior for a
socket-activated service. This directive has been removed upstream
and dracut should do the same.
This fixes #2289, #2175 where in the cleanup hook running multipath
binary triggers activation of multipathd.service after it is stopped
as dracut prepares to switch root in initrd-cleanup.service.
projects / thirdparty / dracut.git / log
