Harald Hoyer [Wed, 26 Feb 2020 15:53:47 +0000 (16:53 +0100)]
network-legacy/net-genrules.sh: use $name instead of $env{INTERFACE}
The original behavior of $env{INTERFACE} was undocumented and changed in
the recent udev versions, breaking the ability to bring up networking
reliably. Switching to $name directive should fix this issue.
Previously, we were doing `setup_net` from `ifup` for any setup that
wasn't DHCP, since those are already taken care of by `dhclient-script`.
The issue is that the case-statement we use to detect this doesn't catch
options like `ip=dhcp,dhcp6`.
Fix this by reworking the logic here to just check if a
`setup_net_$netif.sh` hook exists. If so, then we know that `setup_net`
will be called for this interface later.
This was causing issues in RHCOS which now ships with `ip=dhcp,dhcp6` to
support IPv6 environments[1]. The code here would make us do `setup_net`
pre-emptively which IIUC would then cause the initqueue to finish
earlier even if we had more udev netif events to process.
Donovan Tremura [Sat, 15 Feb 2020 05:18:19 +0000 (05:18 +0000)]
Support the EFI Stub loader's splash image feature.
Checks if `uefi_splash_image` exists in `dracutsysroot`; if not, unset
`uefi_splash_image`. Alternate Value parameter expansion adds section-vma
for splash image to EFI stub loader when the path to image is valid and
not an empty file.
I did not test on other distributions, but on Arch Linux the `systemd`
package includes a splash image at the path
`/usr/share/systemd/bootctl/splash-arch.bmp`. Perhaps, if this is a
common practice, a default image could be gathered from that directory.
It is required that the image be in bitmap (`.bmp`) format according to
`splash.c`.
The code for `stub.c` and `splash.c` can be found at:
https://github.com/systemd/systemd/blob/master/src/boot/efi/stub.c
https://github.com/systemd/systemd/blob/master/src/boot/efi/splash.c
wait_for_ipv6_dad_link is only called from dhclient script,
so the original intent "wait for IPv6 RA if using none/static IPv6 assignment"
does not seem to be correct.
Anyway, this brings an issue on isolated networks, where you don't
have any routes outside. dhclient-script hangs on this check
and after it times out, dhclient is able to set the address normally.
Daniel Cordero [Tue, 21 Jan 2020 18:43:59 +0000 (18:43 +0000)]
dracut-install: fetch kernel modules from kmoddir
dracut, when passing --kmoddir, would only install modules that exist at
the same location as it will appear in the initramfs.
For most (possibly all) outputs, the output path would be /lib/modules,
so previously all kernel modules must be copied there or the module
installation silently fails.
Now use the original path variable, and install to the shortened path
variable (as calculated by kerneldirlen).
Note: This means that the argument to --kmoddir (and the modules filetree)
should be a directory that ends in 'lib/modules/$kernelversion'.
Jonas Witschel [Tue, 24 Dec 2019 14:48:19 +0000 (15:48 +0100)]
ucode: use microcode found in packed cpio images
Some distributions (Arch, Gentoo) ship prepacked microcode images. These
are cpio images that follow the structure specified in the Linux kernel
documentation (x86/microcode.rst, "Early load microcode"), the same
structure dracut uses for its early microcode images.
In case of Arch Linux, the microcode for Intel CPUs is currently only
available in this packed form, /usr/lib/firmware/intel-ucode does not
exist. This commit adds a way to make use of these images on such
systems by unpacking them to the early cpio directory. (Note that the
packed image cannot be used directly since dracut might need to add ACPI
tables to the early initramfs.)
This approach has the drawback that it is not possible to control the
selection of CPUs to be included in the microcode file in host-only
mode, so we only try it as a last resort if no unpacked microcode could
be found in fw_dir.
The list of possible file names for the packed microcode image is taken
from GRUB (cf. GRUB_EARLY_INITRD_LINUX_STOCK), but can be adapted by
setting "early_microcode_image_name" (and "early_microcode_image_dir")
in a dracut configuration file.
Jonathan Lebon [Tue, 21 Jan 2020 22:57:31 +0000 (17:57 -0500)]
network-legacy/ifup: nuke pid and lease files if dhclient failed
Otherwise we won't retry dhclient again on that interface. In
FCOS/RHCOS, we want to bake in `ip=dhcp,dhcp6` so we automatically try
getting a DHCPv6 lease if DHCPv4 failed.
Jacob Wen [Tue, 26 Nov 2019 07:50:36 +0000 (15:50 +0800)]
35network-legacy: using 'replace' instead of 'add' to add route
This is a simple trick to honor RFC 3442:
If the DHCP server returns both a Classless Static Routes option and
a Router option, the DHCP client MUST ignore the Router option.
Kairui Song [Fri, 29 Nov 2019 13:29:58 +0000 (21:29 +0800)]
95iscsi: Fix /etc/iscsi installation
Previously all files were installed with inst_dir, which will not install
the files under /etc/iscsi/, and it creates folders with the same name as the
files, which is wrong.
Now only use inst_dir to install the config dir and ensure it
exists, and use inst_multiple to install the config files.
Brian C. Lane [Fri, 13 Dec 2019 17:47:43 +0000 (09:47 -0800)]
Check .hmac of boot.iso in fips mode
Instead of carrying the kernel and hmac in the install.img (which takes
up more space) use the vmlinuz installed under /images/pxeboot/ and the
.hmac in the install.img /boot.
This check is triggered by the presence of /run/install/repo/images/pxeboot/vmlinuz
Petr Tesarik [Thu, 14 Nov 2019 18:06:08 +0000 (19:06 +0100)]
95ssh-client: improve nsswitch.conf parser
The actual syntax of nsswitch.conf is slightly different from the
current regular expression:
- A comment can appear anywhere, not just at the beginning of a
line.
- Action items take the general form [STATUS=ACTION] or
[!STATUS=ACTION] (with some optional whitespace).
- A service name cannot include a colon. This is a nitpick,
because there should never be more than a single colon per
line.
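A parser that follows the three syntax points listed in this commit message, as an added example that is not dracut's own code. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not dracut's parser.

# Constructed nsswitch.conf sample: comments in several positions and
# action items with and without "!" and inner whitespace.
sample_nsswitch() {
    cat <<'EOF'
# databases
passwd:  files sss          # comment after an entry
hosts:   files mdns4_minimal [NOTFOUND=return] dns [ !UNAVAIL = continue ] myhostname
#hosts:  files
EOF
}

# Usage: nss_services DATABASE < nsswitch.conf
# Prints one service name per line for DATABASE.
nss_services() {
    _db=$1
    # A comment can start anywhere on a line, so strip it first.
    sed -e 's/#.*//' | while IFS= read -r _line; do
        case $_line in
            *:*) ;;
            *) continue ;;
        esac
        # Database name is everything before the first colon.
        _name=$(printf '%s' "${_line%%:*}" | tr -d '[:space:]')
        [ "$_name" = "$_db" ] || continue
        # Drop [STATUS=ACTION] / [!STATUS=ACTION] items, split the rest on
        # whitespace, and reject any token that still contains a colon.
        printf '%s\n' "${_line#*:}" |
            sed -e 's/\[[^]]*]/ /g' |
            tr -s '[:space:]' '\n' |
            sed -e '/^$/d' -e '/:/d'
    done
}

sample_nsswitch | nss_services hosts
```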
Lubomir Rintel [Thu, 24 Oct 2019 15:46:17 +0000 (17:46 +0200)]
TEST-30-ISCSI: test iBFT boot as well
Setting up the machinery to boot with the aid of real networked boot loader
(such as iPXE) would involve much hassle, including possibly serving the kernel
and initrd via TFTP, etc.
Let us generate the iBFT table ourselves, with a Perl script. Include the
pregenerated table as well so that the test run won't depend on Perl. In the
end it's just reproducibly built static data, totally independent of the host
system.
Lubomir Rintel [Thu, 7 Nov 2019 14:15:21 +0000 (15:15 +0100)]
TEST-{20,50,60,70}: set MACAddressPolicy=keep
New systemd defaults to generating MAC addresses for software devices (whereas
previously they would inherit them from the first enslaved slave).
Sadly, among the things this breaks is our test fixture, where the dhcp servers
are configured to expect a particular MAC address. Disable this for the
affected tests, which are essentially the ones that use bridges and bonds.
Lubomir Rintel [Mon, 11 Nov 2019 17:12:58 +0000 (18:12 +0100)]
TEST-{20,30,31,40,50,60,70}: wait for server interfaces to come up
The network interfaces appear asynchronously and sometimes just too late,
after we're already halfway through server-init.sh:
    + ip link set dev eth0 name ens3
    Cannot find device "eth0"
    + ip addr add 192.168.50.1/24 dev ens3
    Cannot find device "ens3"
    + dhcpd -cf /etc/dhcpd.conf -lf /var/lib/dhcpd/dhcpd.leases ens3 ens5
    ...
    [ 8.040825] e1000 0000:00:03.0 eth0: (PCI:33MHz:32-bit) 52:54:01:12:34:56
    [ 8.047105] e1000 0000:00:03.0 eth0: Intel(R) PRO/1000 Network Connection
    ...
    No subnet declaration for ens3 (no IPv4 addresses).
    ** Ignoring requests on ens3. If this is not what
    you want, please write a subnet declaration
    in your dhcpd.conf file for the network segment
    to which interface ens3 is attached. **
Whoopsie. Let's ensure all the interfaces are there before we proceed
fiddling around with them.
Lubomir Rintel [Wed, 30 Oct 2019 18:25:51 +0000 (19:25 +0100)]
network-manager: fix getting of ifname from the sysfs path
commit 5e0f8c8a4ced ('network-manager: remove useless use of basename')
somewhat carelessly didn't take into account that $_i has a slash at
the end which made the result of the ## substitution be just an empty
string.
The slash was put to the end of /sys/class/net/*/ to make sure we're only
iterating directories, but it's not strictly necessary. In an unlikely case
something else than a directory appears in /sys/class/net/, we'll already deal
with it gracefully. Remove it.
Which of course is a GRUB thing, not an actual pathname we'll be able to
resolve. In fact, we can simply scrap it off from the variable. Our code
is already able to handle both cases: whether the device refers to a
separate boot partition, or just the root filesystem with a regular
`/boot` directory.
Jonathan Lebon [Tue, 29 Oct 2019 20:53:00 +0000 (16:53 -0400)]
01fips: add / in BOOT_IMAGE_HMAC filename for clarity
It's already the case that `BOOT_IMAGE_PATH` today, in the non-empty
case, includes a trailing `/`, but let's add it to the path we build
here too to make it more obvious.
Jonathan Lebon [Tue, 29 Oct 2019 20:47:34 +0000 (16:47 -0400)]
01fips: run sha512hmac from directory HMAC file directory
That way, the HMAC file can contain a relative path instead of an
absolute one. The issue is that right now the kernel RPM bakes the
`/boot/vmlinuz-${kver}` path into the HMAC file which poses an issue for
rpm-ostree systems (and any other system where the kernel isn't simply
in the top-level `/boot`).
For now, we're hacking around this in rpm-ostree:
https://github.com/coreos/rpm-ostree/pull/1934
Though I'd like to propose the same change in the kernel spec file.
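Why running the check from the HMAC file's directory helps, as an added example that is not part of dracut or the kernel packaging. `sha512sum` stands in for `sha512hmac` here, on the assumption that both read the same "digest  filename" check-file layout; all paths and file names are constructed.

```shell
#!/bin/sh
# Added illustration. sha512sum stands in for sha512hmac (assumption: same
# "digest  filename" check-file layout). All paths are constructed.

# Build a kernel image plus two check files: one with an absolute path baked
# in at "package build" time, one with a name relative to the check file's
# directory. Then relocate everything, as on a system whose kernel does not
# live in the top-level /boot.
make_tree() {
    _root=$(mktemp -d) || return 1
    mkdir -p "$_root/build/boot" "$_root/deployed/boot/sub"
    printf 'constructed kernel image\n' > "$_root/build/boot/vmlinuz-test"
    ( cd "$_root/build/boot" &&
        sha512sum "$_root/build/boot/vmlinuz-test" > .vmlinuz-test.abs &&
        sha512sum vmlinuz-test > .vmlinuz-test.rel )
    mv "$_root/build/boot/vmlinuz-test" "$_root/build/boot/".vmlinuz-test.* \
        "$_root/deployed/boot/sub/"
    printf '%s\n' "$_root"
}

# Check from the caller's working directory: only absolute names resolve.
check_in_place() { sha512sum -c "$1" >/dev/null 2>&1; }

# Check from the check file's own directory: relative names resolve.
check_from_dir() { ( cd "${1%/*}" && sha512sum -c "${1##*/}" >/dev/null 2>&1 ); }

root=$(make_tree) && d=$root/deployed/boot/sub
check_in_place "$d/.vmlinuz-test.abs" || echo "absolute name: check fails after relocation"
check_from_dir "$d/.vmlinuz-test.rel" && echo "relative name, checked from its directory: OK"
rm -rf "$root"
```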
Jonathan Lebon [Tue, 29 Oct 2019 13:35:41 +0000 (09:35 -0400)]
01fips: fix HMAC file path resolution
There is a small regression in #343: when handling the 'separate boot
partition' case, we're checking for the kernel image in the wrong
location: `BOOT_IMAGE` is the `/boot`-relative path to the kernel image,
so `/boot/${BOOT_IMAGE_PATH}/${BOOT_IMAGE}` expands to e.g.
`/boot/mysubdir1/mysubdir2/mysubdir1/mysubdir2/vmlinuz...`.
We should be using `BOOT_IMAGE_NAME` here instead (and in fact, the next
if-statement does this correctly, so it might've just been accidentally
left out of #343).
For the shell scripts, new environment variables were introduced.
dracutsysrootdir is the root directory, file existence checks use it.
DRACUT_LDCONFIG can override ldconfig with a different one that works
on the sysroot with foreign binaries.
DRACUT_LDD can override ldd with a different one that works
with foreign binaries.
DRACUT_TESTBIN can override /bin/sh. A cross-compiled sysroot
may use symlinks that are valid only when running on the target
so a real file must be provided that exists in the sysroot.
DRACUT_INSTALL now supports debugging dracut-install in itself
when run by dracut but without debugging the dracut scripts.
E.g. DRACUT_INSTALL="valgrind dracut-install" or
DRACUT_INSTALL="dracut-install --debug".
DRACUT_COMPRESS_BZIP2, DRACUT_COMPRESS_LBZIP2, DRACUT_COMPRESS_LZMA,
DRACUT_COMPRESS_XZ, DRACUT_COMPRESS_GZIP, DRACUT_COMPRESS_PIGZ,
DRACUT_COMPRESS_LZOP, DRACUT_COMPRESS_ZSTD, DRACUT_COMPRESS_LZ4,
DRACUT_COMPRESS_CAT: All of the compression utilities may be
overridden, to support the native binaries in non-standard places.
DRACUT_ARCH overrides "uname -m".
SYSTEMD_VERSION overrides "systemd --version".
The dracut-install utility was overhauled to support sysroot via
a new option -r and fixes for clang-analyze. It supports
cross-compiler-ldd from
https://gist.github.com/jerome-pouiller/c403786c1394f53f44a3b61214489e6f
DRACUT_INSTALL_PATH was introduced so dracut-install can work with
a different PATH. In a cross-compiled environment (e.g. Yocto), PATH
points to natively built binaries that are not in the host's /bin,
/usr/bin, etc. dracut-install still needs plain /bin and /usr/bin
that are relative to the cross-compiled sysroot.
The hashmap pool allocate_tile/deallocate_tile code was removed
because clang-analyze showed errors in it. hashmap_copy was removed
because it wasn't used and clang-analyze showed errors in it.
DRACUT_INSTALL_LOG_TARGET and DRACUT_INSTALL_LOG_LEVEL were
introduced so dracut-install can use different settings from
DRACUT_LOG_TARGET and DRACUT_LOG_LEVEL.
It looks like only the 'fips=1' is really supported and it is working
correctly. So instead of failing on 'fips' in an unclear way, give the user
information about why we are failing.
Daniel Molkentin [Thu, 28 Mar 2019 12:46:35 +0000 (13:46 +0100)]
ucode: properly include early only ucode
Intel has notified us that some microcode updates are not safe
to be applied during runtime. To accommodate for that, microcode
files shipped by SUSE and openSUSE have an '.early' postfix such
that triggering
/sys/devices/system/cpu/microcode/reload
from a booted system cannot pick up the ucode by accident, while
still allowing the code to be picked up during initrd time.
This change is needed to make this scheme work also in a hostonly
situation.
Currently, this affects only 06-4f-01, which is now 06-4f-01.early.
If a distro does not change the filename, the behavior does not
change.
Martin Wilck [Thu, 21 Mar 2019 13:40:33 +0000 (14:40 +0100)]
iscsi: fix error messages with iSCSI root
Fixes these error messages during initrd build:
    cat: '/sys/devices/platform/host2/flashnode_sess-*/is_boot_target': No such file or directory
    /usr/lib/dracut/modules.d/95iscsi/module-setup.sh: line 91: [: -eq: unary operator expected
    cat: '/sys/devices/platform/host3/flashnode_sess-*/is_boot_target': No such file or directory
    /usr/lib/dracut/modules.d/95iscsi/module-setup.sh: line 91: [: -eq: unary operator expected
modules.d: add a module for early fan control on PowerPC Macs
The goal of this module is to enable automatic loading of the
thermal/fan control modules on PowerPC based Macs, as on some
modular kernel configurations this will not happen automatically
which will result in the fans spinning up to 100% until they are
manually loaded.
This is especially a problem in live systems where it takes some
time to boot up and the spin-up happens before the system even
leaves initramfs.
Martin Wilck [Fri, 27 Sep 2019 11:26:10 +0000 (13:26 +0200)]
35network-legacy: only skip waiting for interfaces if netroot is set
Commit 8a33e52e2f94 assumes that dracut's work is done if a root device
is found. This holds usually for booting computers, but it may be wrong
for other environments.
Only short-cut the waiting if $netroot is also set.
Fixes: 8a33e52e2f94 ("network: stop waiting for interfaces if root device is present")
References: bsc#1152006
Martin Wilck [Tue, 1 Oct 2019 10:02:04 +0000 (12:02 +0200)]
fixup "Dracut: only login to one target at a time"
On SLE15-SP1 at least, iscsiadm doesn't support combining --op and --login:
> # iscsiadm -m node -T iqn.2018-06.de.suse.zeus:01 --op=update --name=node.startup --value=onboot --login
> iscsiadm: Invalid parameters. Login/logout and op passed in
This breaks iSCSI login in initrd, and thus, iSCSI boot.
Fix it by not coalescing everything into a single iscsiadm command.
Fixes: a59b776bc215 ("Dracut: only login to one target at a time")
References: bsc#1152650
Martin Wilck [Thu, 4 Apr 2019 15:12:07 +0000 (17:12 +0200)]
iscsiroot: remove bashisms
According to the dracut README, module code to be run in
the initrd must be POSIX-compliant. Replace remaining
bashisms (as reported by checkbashisms) with POSIX compliant
code.
The use of "type" is not strictly POSIX compliant, but it's
all over the place in dracut code. dash supports it, anyway.
Martin Wilck [Thu, 4 Apr 2019 14:16:40 +0000 (16:16 +0200)]
iscsiroot: try targets only once
In multipath scenarios, "iscsiadm -m node" may contain
several records with the same target.
There's no point in trying "iscsiadm --login" multiple
times for the same target, through the same portal.
Moreover, warn if the desired target is not on the node
list.
Martin Wilck [Thu, 21 Mar 2019 15:27:04 +0000 (16:27 +0100)]
iscsi: don't continue waiting if the root device is present
dracut waits for every iscsiroot connection to be established
before switching root. This is not necessary in multipath scenarios,
where a single path is usually sufficient to set up the root device,
and where users expect booting to succeed unless all paths are down.
Don't wait for the iscsi portal to start if the root device has
already been found.
Lee Duncan [Mon, 25 Mar 2019 23:49:19 +0000 (16:49 -0700)]
Dracut: only login to one target at a time
For handling the configuration where there are two
paths to an iscsi root target, each using a different
NIC. In such a case, the initramfs was trying to configure
the first NIC, then call iscsiroot to login to both targets,
which would fail for the 2nd target, since the path to the
2nd target was not yet configured. This would eventually
work after a timeout. But it's better to login to just
one target at a time.
This change makes the initramfs handle multiple paths to an
iscsi target better by logging into only one target at a time,
rather than trying to login to all targets when only one of
several NICs is up.
This can be further optimized by using the initrd parameter
"rd.iscsi.testroute", which would skip iscsiadm login attempts
for targets to which no route exists.
If the script is called again via the timeout initqueue,
we try "iscsiadm -L onboot" again, hoping that some targets
may now have become reachable.
Kairui Song [Tue, 6 Aug 2019 07:39:31 +0000 (15:39 +0800)]
99squash: Only start the cleaner on switch-root
Currently it starts the cleaner early and does the clean up job if switch
root is called. It's better to just start the service only on switch
root to avoid any risk of service dependency failure and make it
simpler.
Lukas Nykryn [Mon, 7 Oct 2019 14:48:09 +0000 (16:48 +0200)]
net-lib: check if addr exists before checking for dad state
Before we check if dad is done we should first make sure,
that there is a link local address where we do the check.
Due to this issue, on ipv6 only setups sometimes dhclient started
asking for ip address, before the link local address was present
and failed immediately.