The current EVM script does not handle the EVM setup properly when X509
certificates are involved. In this patch we extend the setup and add
the necessary flags for support of EVM activation that include
x509 certificates, possibly in conjunction with an HMAC key. We also
first try activating EVM for x509 certificates using
EVM_ALLOW_METADATA_WRITES for newer kernels, then without it for older
ones that did not support this flag.
We add support for additional EVM activation bits to be set, such
as EVM_SETUP_COMPLETE (0x80000000) via the config file and
EVM_ACTIVATION_BITS variable.
To avoid error messages related to unloading the HMAC key if none is
used, only attempt to unload the HMAC key if one was actually set.
We add documentation about the variables that can be set in the EVM
config file.
Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Cc: Roberto Sassu <roberto.sassu@huawei.com>
Removing sourcing of network link files from the udev-rules module.
What always should be included should be placed in the systemd-network
module, and other modules that provide/require specific link files
should add them themselves via their relevant include section.
dracut-install triggers "ERROR: installing '/usr/lib/wicked/bin/*'"
when find_binary is being used to determine if wicked is installed
so let's just check for the wicked type service unit instead.
All device-mapper based devices, including device-mapper-multipath,
do reuse the udev db from the initramfs after switching to the root fs.
Therefore device-mapper devices have to be correctly initialized before
the udev daemon is stopped, to have the correct entries in the udev db.
See also https://bugzilla.redhat.com/show_bug.cgi?id=1949076
Introducing the systemd-network-management meta module, which will
allow distribution users and vendors to easily include
systemd + systemd's network management modules by simply including this
module instead of the systemd network modules individually.
Obviously, if the intent is to glue together some kind of network stack
out of random existing modules such as NetworkManager and/or Wicked,
this meta module should not be enabled.
The system currently throws numerous nasty warning messages during
the boot, about ignored null bytes in input.
This patch adds a filter to the dd command, to filter these null
bytes out, and thus to prevent these warning messages.
Signed-off-by: Lev Veyde <lveyde@redhat.com>
- Removing dependency on the systemd meta module since it causes a circular dependency,
prevents the existence of multiple systemd based meta modules and is redundant.
- Removing directory creation for modules-load since it should not be
necessary and if it turns out that it is, it will be re-introduced in the
form of a systemd tmpfile instead of inst_dir.
- Add a missing inclusion of configuration files placed in /usr/lib/modules-load.d
and /etc/modules-load.d (hostonly) directories.
- Fix a spelling error in the systemd type unit file conf directory overwrite
in the hostonly section.
Create the `/run/NetworkManager/initrd` directory before creating
`/run/NetworkManager/initrd/neednet`. Somehow on Fedora 32 this
directory is missing, when the script is running.
This fixes all NetworkManager tests for Fedora 32.
The watchdog module pulls in the device specific watchdog if that
module is enabled, but in the case where we need a generic initrd
we don't get all watchdog drivers, which means that if we have a watchdog
enabled for that use case it may get kicked too late in the boot
process, so we need the drivers in the initrd for the generic case too.
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
* Correct the systemd generated sysroot.mount unit with the options
received by the DHCP request and do a `daemon-reload`.
* Inject the `nbd-client -check /dev/nbd0` in the finished initqueue.
* Reactivate the NBD tests and prepare them for NetworkManager tests.
Don't hard exit in `check()`. The transaction logic only checks if it
should/can include the module. Just return `255` and the `dbus` meta
module will pick its dependency.
- Included a bluetooth module that installs modules, firmware, udev rules and bluetoothd.
- systemd and dbus are required by bluetoothd
- Include bluetooth by default if BT keyboard or combo found
This commit changes how NM is started inside the initrd. Instead of running NM
in the special --configure-and-quit=initrd mode, which sets up network and
quits, start it as a daemon.
This has multiple advantages. First, we no longer need to run NM in a special
mode that requires additional code and maintenance. NetworkManager works
exactly as in the real root.
One problem of the current configure-and-quit approach is that once NM has
quit, dynamic addresses can expire if the initrd setup takes longer than the
DHCP lease interval or than the IPv6 address lifetime. Running NM as a service
solves this problem.
Now NM runs with D-Bus support and therefore its API can be used by other
modules. This opens the possibility, for example, to integrate nm-cloud-setup to
automatically configure networking based on cloud metadata.
Use the NetworkManager-wait-online.service, ordered before
dracut-initqueue.service, to delay the initqueue until NM has terminated its
configuration.
We don't want to start NetworkManager if networking is not needed.
Right now nm-config.sh lays down /usr/lib/dracut/hooks/initqueue/finished/nm.sh
which will cause the initqueue to run. If nothing exists in
/usr/lib/dracut/hooks/initqueue/finished/ then it will short circuit and
the initqueue won't run anything. But what if something else needed
something to run in the initqueue? nm-run.sh would still get started,
even though /usr/lib/dracut/hooks/initqueue/finished/nm.sh didn't exist.
In this case let's just trigger off /run/NetworkManager/initrd/neednet,
like we are doing in the systemd unit (nm-run.service).
Don't run the new systemd unit (nm-run.service) if rd.neednet=1
isn't set. nm-initrd-generator will generate configuration even
without rd.neednet=1 so determining if we should start based on
just if connection profiles exist isn't enough. We need some other
indicator. In this case we lay down a /run/NetworkManager/initrd/neednet
if rd.neednet=1, which is used by nm-run.service to determine the
need to run.