Dan Horák [Wed, 10 Nov 2021 11:14:15 +0000 (12:14 +0100)]
fix(resume): check for presence of /sys/power/resume
On platforms where the kernel is built without suspend/resume support we
see "cat: /sys/power/resume: No such file or directory" message when
creating an initrd image. Check for the presence of /sys/power/resume
first before reading it.
Laszlo Gombos [Fri, 19 Nov 2021 17:45:20 +0000 (12:45 -0500)]
fix(dmsquash-live): do not install systemd files when systemd is not enabled
Systemd is an optional module for the dmsquash-live module. This scenario
is properly handled for other modules (for example livenet module) but not
for dmsquash-live module.
Renaud Métrich [Tue, 16 Nov 2021 10:15:52 +0000 (11:15 +0100)]
fix(shutdown): be robust against forced shutdown
When a forced shutdown is issued through sending a burst of Ctrl-Alt-Del
keys, systemd sends SIGTERM to all processes. This ends up killing
dracut-initramfs-restore as well, preventing the script from detecting
that the unpack of the initramfs is incomplete, which later causes a
crash to happen when "shutdown" tries to execute from the unpacked
initramfs.
This fix makes sure dracut-initramfs-restore remains alive to detect
the unpack failed (because cpio was killed by systemd too).
Frantisek Sumsal [Fri, 12 Nov 2021 20:43:12 +0000 (21:43 +0100)]
test: don't use `-cpu max` in GH Actions
There appears to be an issue with newer QEMU versions (spotted with Arch
Linux and C9S containers) which causes the respective GH Action to hang
when booting a QEMU VM in combination with the `-cpu max` parameter.
During (a particularly painful) debugging session I once managed to get
some output from such "frozen" machine (using `earlycon` and
`earlyprintk` kernel cmdline options), and in that particular case the
VM died with a trap caused by an invalid opcode.
I couldn't reproduce this locally, only in GH Actions environment with
Arch Linux and C9S containers. Also, so far I haven't found out which
specific CPUID flag causes this, but using the `IvyBridge-v2` feature
set seems to mitigate the issue.
Peter Robinson [Sat, 16 Oct 2021 09:41:24 +0000 (10:41 +0100)]
fix(90kernel-modules): add isp1760 USB controller
Like the dwc/chipidea controllers the isp1760 can act in either
host or gadget mode so it ends up in it's own directory. Add this
driver into the initrd as it's part of some arm platforms and
is needed to be able to boot off USB storage.
Fixes issue #1619
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
fix(network-manager): disable tty output if the console is not usable
The network-manager module also writes logs to the console, so that it's easier
to debug network-related boot issues. If systemd can't open the console, the
service fails and network doesn't get configured.
Add a check to disable tty output when the console is not present or not
usable.
feat(systemd): enable support for systemd compiled with ASAN
When systemd is compiled with ASAN library to troubleshoot memory issues
within systemd code, the libasan library expects to have /proc be
available as soon as systemd starts, which isn't the case currently,
causing an assertion to fail, systemd to crash and kernel to panic:
Peter Robinson [Wed, 6 Oct 2021 10:05:49 +0000 (11:05 +0100)]
fix(90kernel-modules): add Type-C USB drivers for generic initrd
We need to pull in Type-C USB drivers as they can provide a number of
differnet bits of functionality in early boot including input, display
(altmode DP) and storage so we need to have them available to ensure
functionality attached to those buses/interfaces are available in early
boot.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Luca BRUNO [Thu, 23 Sep 2021 09:05:44 +0000 (09:05 +0000)]
fix(multipath): drop ExecStop= setting from service unit
This removes the 'ExecStop=' field from `multipathd.service`.
Sometimes CI runs do encounter a failure related to this
service in initrd, which seems to be stemming from a socket
I/O race between the client and the server on shutdown.
It looks like the client (`multipathd shutdown`) can lose the race,
hit an I/O error, and cause the whole unit to fail (even if the server
managed to shutdown properly already).
Notably, the upstream unit does not have such stop command
as the daemon can already perform a graceful exit through
its signal handler.
As such, this commit partially re-aligns the two units,
trying to sidestep any of the existing races.
Alexander Tsoy [Mon, 16 Aug 2021 15:54:34 +0000 (18:54 +0300)]
fix(usrmount): do not empty _dev variable
Currently $_dev is always overridden with the value returned by
label_uuid_to_dev(). This results in an empty value if $_dev is a
device path. Fix this by calling label_uuid_to_dev() conditionally.
On hostonly mode, the platform driver is not copied blindless. There
should be a way to detect the real hardware driver, which probes a block
device.
/sys/dev/block/major:minor is a symbol link, which points to the real
device, recording the hardware stack. And those info can help to
identify the associated drivers for the hardware stack.
Signed-off-by: Pingfan Liu <piliu@redhat.com>
---
v2 -> v3:
address shellcheck in dracut-functions.sh
v1 -> v2:
remove local variable _extra_mod
shorten subject
Kairui Song [Mon, 9 Aug 2021 10:23:43 +0000 (18:23 +0800)]
fix(squash): apply FIPS and libpthread workaround
There are some workarounds in dracut.sh for FIPS/libpthread covering
some hidden lib dependency issues. These workarounds didn't take effect
for the squash loader since the squash loader is installed
independently. So apply these workarounds again.
Also skip the lib detection code, since these extra installed libs
are small, and squash loader contents are dropped after switch root,
won't be an issue to be always installed. And this makes the code
cleaner.
When NetworkManager is running as systemd service, it's not enough to write
connection files; the module should also tell NetworkManager to reload the
connections from disk so that any new connection can be auto-activated.
fix(network-manager): check for nm-initrd-generator in both /usr/{libexec,lib}
Sice commit 22d6863ef1b2 ("fix(network-manager): cope with distributions not
using `libexec`") nm-initrd-generator can be installed in either /usr/libexec
or /usr/lib. Change other modules to check for the binary in both locations.
Thomas Haller [Tue, 27 Jul 2021 14:04:58 +0000 (16:04 +0200)]
fix(network-manager): ensure safe content of /tmp/dhclient."$ifname".dhcpopts
NetworkManager leaves state files behind in "/run/NetworkManager/devices".
These files are in keyfile format (glib's GKeyFile API [1]).
From the statefile, the dracut module writes a .dhcpopts file. And other users
want to parse that file, for example anaconda ([2]). To be fair,
anaconda seems to parse a different file, so I am a bit confused who
uses this file how. In any case, it seems somebody might be tempted to
execute this as a script.
We need to write the .dhcpopts file in a format that is defined and easy
to handle from a shell script. As already previously, this format is
a bash script that sets certain variables. That means, to load the file,
the user could execute it as bash script. But this is dangerous, as the
file contains potentially untrusted data from the network.
Optimally, users still don't trust the .dhcpopts file to be safe for
executing! It would be better if users too try to parse the file
instead of executing it. That is not trivial however because in face
of special characters, as we use bash's `printf '%q'` to escape the values
and parsing bash escaping is not trivial.
Anyway, make sure we properly quote and handle the content so that also
executing is safe. In the best case, there are no special characters
that require escaping, and naive parsing can be done with `sed`.
Otherwise, executing is now also supposed to be safe.
In this case we parse DHCP options from the state file. They are themselves
backslash escaped UTF-8 strings (C escape sequences), which then are stored
via keyfile API. The properly parse them, we would first need to load the file
with GKeyFile (which undoes one level of backslash escaping) and then
use g_str_compress() (to undo the second level). We mimic that with
shell.
Stefan Berger [Fri, 18 Jun 2021 17:26:29 +0000 (13:26 -0400)]
fix(integrity): add support for loading multiple EVM x509 certs
Add support for loading EVM x509 certs from a directory that the user can
specify with the EVMKEYSDIR variable in the evm config file. By default
the additional certs are loaded from /etc/keys/evm.
Support for multiple EVM keys allows the usage in a system of files with
signed metadata from multiple parties.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Mike Gilbert [Fri, 23 Jul 2021 18:35:07 +0000 (14:35 -0400)]
fix(base): do not quote $initargs for switch_root
We want word splitting to occur so that the arguments are passed
separately, and we don't end up passing an empty string if no arguments
are specified.
fix(network-manager): include nm-daemon-helper binary
Since version 1.32, NetworkManager launches a tiny external helper to determine
the hostname via reverse DNS resolution through glibc's nss-dns. Include the
binary.
fix(dracut-systemd): do not use Requires for vconsole-setup.service
systemd-vconsole-setup.service may fail if the user specifies a missing keymap,
see [1,2,3], or font. This is unfortunate, but the system should not refuse
boot. It is better to continue, possible without the desired font or keymap.
All other systemd services that depend on systemd-vconsole-setup.service do so
without a hard Requires=.
(In particular, systemd-vconsole-setup internally will try to do as much setup
as possible, and will load the font even if it cannot load the keymap and vice
versa.)
Pingfan Liu [Fri, 9 Jul 2021 03:55:16 +0000 (11:55 +0800)]
fix(squash): keep ld cache under initdir
When running kdump on PowerPC, the following bug is hit:
[ 0.391629] Freeing unused kernel memory: 5568K
[ 0.391634] This architecture does not have kernel memory protection.
/bin/sh: error while loading shared libraries: libc.so.6: cannot open shared object file: No such file or directory
[ 0.392214] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
[ 0.392214]
[ 0.392223] CPU: 6 PID: 1 Comm: init Not tainted 4.18.0-319.el8.ppc64le #1
[ 0.392228] Call Trace:
[ 0.392234] [c00000000c703c10] [c000000008ecb94c] dump_stack+0xb0/0xf4 (unreliable)
[ 0.392243] [c00000000c703c50] [c000000008167324] panic+0x148/0x3c4
[ 0.392249] [c00000000c703cf0] [c000000008170474] do_exit+0xcd4/0xd40
[ 0.392255] [c00000000c703dc0] [c0000000081705b0] do_group_exit+0x60/0x110
[ 0.392261] [c00000000c703e00] [c000000008170684] sys_exit_group+0x24/0x30
[ 0.392268] [c00000000c703e20] [c00000000800b408] system_call+0x5c/0x70
This is due to the non-conventional library path:
ldd /bin/bash
linux-vdso64.so.1 (0x00007fffbdc90000)
libtinfo.so.6 => /lib64/libtinfo.so.6 (0x00007fffbda80000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007fffbda50000)
libc.so.6 => /lib64/glibc-hwcaps/power9/libc-2.28.so (0x00007fffbd830000)
^^^
/lib64/ld64.so.2 (0x00007fffbdcb0000)
ldd finds the path by libc.so.6 -> /usr/lib64/libc.so.6 ->
/usr/lib64/glibc-hwcaps/power9/libc-2.28.so and cache the result. So
when dracut_install, it only saw
'/usr/lib64/glibc-hwcaps/power9/libc-2.28.so' and blind to
'/usr/lib64/libc.so.6'
In the final kdumpimg, the symlink /usr/lib64/libc.so.6 is not created,
hence ld.so can not find the /usr/lib64/glibc-hwcaps/power9/libc-2.28.so
On the other hand, during the process of building kdumpimg, all of dynamic library info
have been cached in ld.so.cache. Hence this bug can be simplely resolved
by keeping ld cache under $initdir/etc.
Signed-off-by: Pingfan Liu <piliu@redhat.com>
---
v3 -> v4:
use inst() instead of copy
v2 -> v3:
fix format by shfmt -s -w modules.d/99squash/module-setup.sh
v1 -> v2:
cp -r /etc/ld.so* instead of move, since after switch-root, initdir
can not be seen any longer
fix(qeth_rules): check the existence of /sys/devices/qeth/*/online beforehand
On s390x KVM machines, the follow errors occurred,
$ kdumpctl rebuild
kdump: Rebuilding /boot/initramfs-4.18.0-321.el8.s390xkdump.img
/usr/lib/dracut/modules.d/95qeth_rules/module-setup.sh: line 13: /sys/devices/qeth/*/online: No such file or directory
/usr/lib/dracut/modules.d/95qeth_rules/module-setup.sh: line 13: /sys/devices/qeth/*/online: No such file or directory
because s390x KVM uses virtual devices and /sys/devices/qeth/*/online
doesn't exist. Eliminate this error by checking the existence
beforehand.
Dusty Mabe [Tue, 29 Jun 2021 19:11:00 +0000 (15:11 -0400)]
fix(network-manager): don't pull in systemd-udev-settle
We get a nice warning about it being deprecated:
```
systemd-udev-settle.service is deprecated. Please fix nm-initrd.service not to pull it in.
```
The service is deprecated because its purpose was to wait for the
discovery of all hardware, but it didn't guarantee that (see the
systemd-udev-settle man page).
NM now runs as an independent service and can deal with devices showing
up at any point, but it does need udev to be started. For now just
Want/After systemd-udev-trigger.
LinkTed [Mon, 21 Jun 2021 17:15:01 +0000 (19:15 +0200)]
fix(crypt-gpg): execute --card-status on each try
If the gpg card is not inserted before the --card-status command is
executed then the public key is not linked with the card. Therefore,
the LUKS partition cannot be decrypted. To solve this, the
--card--status command is executed on each try.
Kairui Song [Fri, 11 Jun 2021 18:25:09 +0000 (02:25 +0800)]
fix(dracut.sh): handle symlinks appropriately while using '-i' option
[[ -d $symlink ]] will return true if the symlink points to a directory.
So the symlink will not be copied, instead a directory is created with
the symlink name and the content is copied.
Hari Bathini [Fri, 11 Jun 2021 09:50:28 +0000 (15:20 +0530)]
fix(dracut.sh): handle '-i' option to include files beginning with '.'
While including a directory using '--include' option, the file and
subdirectory names that begin with '.' are not included. Also, dracut
throws a warning message when a subdirectory is empty or only has
files or subdirectories that begin with '.'.
For example, while trying to include /tmpdata directory with the
below tree:
# tree -a /tmpdata
/tmpdata
├── .anothertestdir
├── testdir
│ └── .testsubdir
└── .testfile
dracut throws the below warning message:
# dracut --include /tmpdata /root
cp: cannot stat '/tmpdata/testdir/*': No such file or directory
#
and this is how the included /tmpdata directory tree looks:
# tree -a root
root
└── testdir
No file or directory beginning with '.' is included & also, copying
/tmpdata/testdir reported "No such file or directory" warning. Using
'.' instead of '*' in the below command will fix the warning whether
the directory being copied is empty or only has files or directories
that begin with dot:
Also, enable 'dotglob' temporarily to include files and directories
beginning with a `.' in the results of pathname expansion of source
directory being included.
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Dusty Mabe [Thu, 24 Jun 2021 18:41:08 +0000 (14:41 -0400)]
fix(network-manager): support teaming under NM+systemd
Previously when NM was run without dbus then teaming would come
up appropriately [1], but now that dbus exists we also need to
include some supporting infrastructure to allow for it to work
again.
Jonathan Lebon [Thu, 17 Jun 2021 14:47:33 +0000 (10:47 -0400)]
fix(fips): handle s390x OSTree systems
On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path
to the kernel image, but rather an integer describing the index of the
menu entry selected. Because of the way the s390x bootloader works,
there is no information retained about e.g. the path of the kernel that
was loaded.
This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is
a path to the kernel image to derive the HMAC path. In non-OSTree
systems, this ends up working anyway, because the kernel is located at
the root of the boot partition. In OSTree systems, this is not the
case. However, OSTree systems use BLS configs, and they are named in
reverse order of precedence (i.e. menu ordering). So from the
`BOOT_IMAGE` integer, we can figure out which BLS entry was selected.
Add some code to do just this on s390x. This isn't completely foolproof,
because it presumes that (1) BLS configs were used to populate the
bootloader (and that they were exactly in the same state they currently
are when `zipl` was run), and (2) there are no other menu entries
originating from outside the BLS configs. However, if these assumptions
are wrong we would simply fail the boot, which is currently what is
happening anyway.
See also:
https://github.com/openshift/os/pull/546
https://github.com/ibm-s390-linux/s390-tools/issues/78
Tested-by: Muhammad Adeel <muhammad.adeel@ibm.com>
Kairui Song [Tue, 22 Jun 2021 13:49:20 +0000 (21:49 +0800)]
feat(squash): install umount util
Also install umount binary, make it possible to cleanup squash overlay
mounts. This is useful for other tools reusing the dracut initramfs built
with squash module enabled.
Stefan Berger [Wed, 12 May 2021 13:26:11 +0000 (09:26 -0400)]
fix(integrity): require ALLOW_METADATA_WRITES to come from EVM config file
Upcoming versions of EVM will not require the ALLOW_METADATA_WRITES anymore,
therefore we remove it from the script and require it to be set in the EVM
config file variable EVM_ACTIVATION_BITS for those versions that need it.
Patch 9 in this patch set deprecates the EVM_ALLOW_METADATA_WRITES flag:
https://lore.kernel.org/linux-integrity/20210514152753.982958-1-roberto.sassu@huawei.com/
Harald Hoyer [Tue, 18 May 2021 08:13:56 +0000 (10:13 +0200)]
fix(base): add missing `str_replace` to `dracut-dev-lib.sh`
```
dracut-dev-lib.sh: line 92: str_replace: command not found
dracut-dev-lib.sh: line 98: /var/tmp/dracut.sabKZg/initramfs/initqueue/finished/devexists-.sh: No such file or directory
dracut-dev-lib.sh: line 83: /var/tmp/dracut.sabKZg/initramfs/emergency/80-.sh: No such file or directory
```
projects / thirdparty / dracut.git / log
