ln: failed to create symbolic link '/usr/lib/systemd/system/sockets.target.wants/iscsid.socket': Permission denied
ln: failed to create symbolic link '/usr/lib/systemd/system/sockets.target.wants/iscsiuio.socket': Permission denied
No way. Just ensure the links are there in the initramfs image. In fact,
that is already the case for iscsiuio.socket. Add iscsid.socket too.
If the network module obtained a lease using dhclient, NetworkManager
must be configured to use it too, otherwise it would obtain a different
lease (and could potentially break a connection to the network volume).
With all files stored in ramfs, and most of them are not compressed,
the initramfs will take up a lot of memory. Besides, if the file number
is large, each file will waste some memory due to page fragmetation.
This is due to ramfs' design, at least one page will be allocated for
one file however small the file is. On machine with large page size,
this will become worse and waste too many memory.
One approach to reducing the memory usage is to reduce the number of
files that got directly loaded into the root ramfs, and compress files
by put most files will into a read-only squash image and keep a minimum
set of executable and libraries outside as the loader for the squash
image. After the squash image is mounted, the real 'init' will be
executed and then everything behaves as usual.
This patch will introduce a '99squash' module which will never be
included by default. User can force add it, and if it is included,
dracut will perform some extra steps before creating the final image:
For now, "/etc" and "/usr" will be moved into the squashfs image.
"/init" will be renamed to "/init.stock" and replaced by "/init.squash".
Files and folders need to be accessible before mounting the image will
be still avaliable at their original place. And due to squashfs is
readonly, an overlayfs layer will be created on top of squashfs mount
point, as many dracut module require readwrite access to "/etc" and
"/usr", "init.squash" will ultimately call "/init.stock".
An extra systemd service will be installed. This service will umount all
squashfs related mount points right before switch-root to release
resources properly. This service will not actually do anything if
switch-root is not used.
This is very helpful when mem resource is very limited, like Kdump.
According to my tests, this squash module can help save about 35MB of
memory with 64K page size, or about 15MB with 4K page size on an
ordinary kdump capture routine. This module could also help reduce
memory usage for normal boot up process.
Won't change any behavior if squash module is not enabled.
Signed-off-by: Kairui Song <kasong@redhat.com>
On my system the following initrd-release is generated:
...
VERSION="4 dracut-048 dracut-048"
...
VERSION is not defined in /etc/os-release, so the variable is
concatenated with its previous value:
* "4" comes from the kernel build system since dracut is called from the
kernel install hook ("4" is a major kernel version);
* first "dracut-048" comes from the "systemd-initrd" module;
* second "dracut-048" comes from the "base" module.
This is what happened before this patch (edited for brevity):
dracut-cmdline-ask.service in modules.d/98dracut-systemd, which invokes
dracut-cmdline-ask.sh. This script and systemd-vconsole-setup are
started in parallel for the same console (tty1).
Then dracut-cmdline-ask quits immediately without doing anything (unless
rd.cmdline=ask is given). As this is a bash script and it gets tty as
stdin as specified in its *.service, this triggers the hangup of tty1 at
its exit.
Meanwhile systemd-vconsole-setup continues and tries some ioctls after
that, but they fail because of the hung up tty1.
The usual culprit for starting systemd-vconsole-setup early on is
plymouth-start.service, even if plymouth.enable=0 is set.
A popular (and annoying) symptom of this as reported by users was
the inability use their configured keyboard layout in plymouth when
unlocking their crypted block devices.
Reference: boo#1055834
When extra devices are added, initqueue should be enabled to make sure
those devices are present, so following services and routines could
use those devices.
See PR #442 for more detail.
Use multiple lower layer directories in a single OverlayFS mount with
a transient overlay directory.
Tolerate a command line with rd.live.overlay.readonly and NO persistent
overlay by reconfiguring the OverlayFS mount options.
Use more compatible shell syntax for testing symlinks, and use printf
instead of echo -e.
A simplified root filesystem structure may be provided for OverlayFS
overlays by squashing the root filesystem directly instead of squashing
an embedded image file at /LiveOS/rootfs.img. Detect and configure
such a squashed root filesystem for live booting.
For OverlayFS boots, avoid the read-only Device-mapper linear device
at /dev/mapper/live-base.
Create a consistent device link at /dev/live-base for the read-only
base loop device for all overlayed live root filesystems.
Consistently provide a link at /dev/root for wait_for_dev.
Update documentation.
Adjust sysroot.mount configuration for rd.live.overlay.overlayfs option.
Use link at /dev/root as a consistent flag for wait_for_dev.
Adjust documentation.
The old code used /tmp/net.$netif.resolv.conf with $netif being randomly
chosen.
As it is not known which nameserver have which priority, just sort them
and deduplicate.
This is needed since few gpio/pinctrl can be built as modules and are
useful on early boot.
One example is jetson-tx1 where sata and external mmc can work only
after loading pinctrl-max77620 and gpio-max77620 modules.
Having theses kind of drivers bundled into the initramfs will also
avoid some deferred probes.
V2: add pinctrl for all arches
Signed-off-by: Nicolas Chauvet <kwizart@gmail.com>
Add module for setting correct timezone.
References: bnc#830060
For now, this module will not be included automatically due to different
expectations (see e.g. https://bugzilla.redhat.com/show_bug.cgi?id=981617)
Signed-off-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Daniel Molkentin <daniel.molkentin@suse.com>
if rd.md.uuid is in ID_FS_UUID format with dashes
e40a0234-7e52-5f10-f267-658d8ec463fa
convert it for the /dev/disk/by-id/md-uuid-${uuid} format
e40a0234:7e525f10:f267658d:8ec463fa
This commit basically reverts 5ce7cc73
90-multipath-hostonly module was added in 5ce7cc73, because if hostonly
mode is enabled, multipath module will always hardcode wwids which
causes problems when the initramfs is cloned to another system with same
hardware.
Now with tri-state hostonly mode, the two modules could be merged and only
hardcode wwids when "strict" hostonly mode is enabled.
Only pick rules for interfaces which have a carrier in the running
system. Those interfaces will be assembled by udev to allow booting
from those devices (i.e. iSCSI).
Reference: FATE#323440
The code in 50drm which tries to include all DRM drivers for
hardware attached to the system did not look for virtio devices.
So if the system is a VM using the 'virtio' graphics adapter,
the 'virtio-gpu' module which should be included is not. This
extends the code to also look for virtio devices.
https://bugzilla.redhat.com/show_bug.cgi?id=1593028
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.
Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).
This patch cleans up the default list of kernel modules in the 01fips
dracut module. All the algorithms that are tested in tcrypt are listed
by their algorithm name so that all the generic implementations and
drivers are picked up automatically based on the module alias.
This drops several unneeded modules and even a bogus one (rot13 -- this
one was obviously copy-pasted from tcrypt.c where it was listed as an
easter egg :).
The patch adds also some algorithms that weren't included in the
original set. It turns out in FIPS mode we only need those algorithms
that are marked as FIPS-allowed in testmgr.c (failure to find a non-FIPS
algorithm is ignored). The non-FIPS algorithms are further removed in a
subsequent patch.
since kmod-25 keyword "external" was implemented in order to avoid
additional actions(like weak-modules) when kernel was updated, which
makes it more simple while kernels' kabi were compatible.
but if move some special modules such as megaraid_sas, mpt3sas and
so on, to a external path like /opt/modules, these modules will not
be install to initramfs by default, which make the initramfs can't
be used to boot for disk detection failure.
according to kmod's document, you must specify a absolute path with
"external" keyword, so scan the lines in modules.dep that begin with
"/" and install them, to make sure necessary modules in external path
can be installed to initramfs too.
Signed-off-by: Hui Wang <john.wanghui@huawei.com>
The main 01fips module should always load all optimized/driver modules
of all relevant crypto algorithms (based on their aliases), so we can
drop this useless module.
Commit bf5c53a implements support for mounting LUKS devices with
detached headers; however, it assumes that the LUKS device sits on an
unpartitioned disk.
Mirroring the `rd.luks.serial` option, this commit implements the
`rd.luks.partuuid` cmdline option, supporting headless LUKS devices on
drive partitions.
In kdump, if dump-target is ssh on ipv6, we need to sync until ipv6 addr
is ready. Currently ip=auto6/dhcp6 provides such function. But in 1st kernel,
it is hard to know whether the ipv6 addr is got by dhcpv6 or SLAAC.
E.g ifcfg-eth* contains DHCPV6C=yes direction, but there is no dhcpv6
server in the network, and then after the system is up, the user
echo 1 > /proc/sys/net/ipv6/conf/eth0/autoconf && accept_ra by manual
to obtain a ipv6 addr. Or vice.
So this patch suggests to make dhcpv6 as auto6 fallback
Signed-off-by: Pingfan Liu <piliu@redhat.com>
If a process (maybe plymouth) was still pinning /oldroot, then shutdown
would
- kill -9 $pid
- umount_a
- umount_a
in a very short timeframe. A small sleep hopefully lets the scheduler free
up /oldroot in the mean time.
Convert the s390x into s390 to also include s390-specific crypto
modules, for example, aes_s390 into the initramfs.
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Some distros have both /usr/lib/plymouth and /usr/libexec/plymouth
directorirs, so we should check the existance of plymouth-populate-initrd
script.
Fixes: 421b46f8ae
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/dracut-init.sh:939:20: error: Argument to implicit -n is always true due to literal strings. [SC2157]
937| dracut_kernel_post() {
938| for _f in modules.builtin.bin modules.builtin modules.order; do
939|-> [[ $srcmods/$_f ]] && inst_simple "$srcmods/$_f" "/lib/modules/$kernel/$_f"
940| done
941|
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/98syslog/parse-syslog-opts.sh:18:12: error: This expression is constant. Did you forget a $ somewhere? [SC2078]
16| elif [ -e /sbin/syslogd ]; then
17| syslogtype="syslogd"
18|-> elif [ /sbin/syslog-ng ]; then
19| syslogtype="syslog-ng"
20| else
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/90crypt/crypt-lib.sh:15:29: error: Since you double quoted this, it will not word split, and the loop will only run once. [SC2066]
13| strstr "$d" "${luks##luks-}" && return 0
14| if [ -n "$dev" ]; then
15|-> for _dev in "$(devnames $d)"; do
16| [ "$dev" -ef "$_dev" ] && return 0
17| done
If no network related params are specific, but rd.neednet=1 is set,
the default initqueue action is to wait until one of the network
interfaces is marked as setup properly.
This also help with initqueue's race condition when the network interface
shows up late
References: bnc#866771
Signed-off-by: Hannes Reinecke <hare@suse.de>
The existence of dpkg-achitecture is not indicative of a debian
installation. It may well be installed on systems of people who
package for both distros. The previous code path did not take
that into account.
We now traverse all known plymouth directories, locking on the first
valid one, and try to work with it.
At the same time, we do not include the module if the plymouth directory
could not be found.
Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.
With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.
This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.
If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.
Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.
Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.
As the 'multipath' program will be triggered directly from
udev events it will be called before the multipath service
unit has started up. Which means we cannot rely on the
service unit to load the module for us, but we rather
have to do it early before udev is started.
References: bsc#986734
Signed-off-by: Hannes Reinecke <hare@suse.com>
81cio_ignore: handle cio_ignore commandline
References: bnc#874902
Incorporates following on-top patches/fixes:
----------------------------
Subject: 81cio_ignore: skip module if cio_ignore is not active
When cio_ignore is not active we should skip the entire module
during boot; otherwise it'll lead to adverse effects.
References: bnc#882685
----------------------------
Subject: 81cio_ignore: rewrite module
Rewrite cio_ignore module to rely on the dracut commandline
parameter 'rd.cio_accept', which takes a comma-separated list
of CCW IDs. Each of those IDs are being removed from the
list of devices from cio_ignore.
The default values for rd.cio_accept are taken from
/boot/zipl/active_devices.txt.
References: bnc#882685
-----------------------------
Subject: More empty cmdline fixes
This fixes up some more modules which might print out empty
commandline files.
-----------------------------
Subject: Mark scripts as executable
All scripts need to be marked as executable, otherwise dracut
won't be running them.
References: bnc#887010
Signed-off-by: Thomas Renninger <trenn@suse.de>
According to Cathy Zhou <Cathy.Zhou@Oracle.COM>:
"iscsistart is not designed to be working together with iscsid. When an
interface gets the dhcp offer successfully, the iscsiroot script is run
which starts the iscsistart service to establish the iSCSI session. With
the existence of iscsid, the iscsistart service's attempt to setup its
own mgmt ipc fails. Instead, the request to login to the iscsi target
is handled by the mgmt ipc of iscsid. After iscsistart finishes its
login attempt, it eventually sends a stop_event_loop request to stop
the mgmt process. As the result, it terminates iscsid."
So, iscsid is kicked out again.
Additionally iscsistart-flocked is used to make sure iscsistart is not
run in parallel.
91zipl tries to read the filesystem for the /boot/zipl device.
On SLE12, however, the ext2 and ext3 filesystems are handled
by the ext4 module.
And due to bug#886839 no error is registered and booting fails.
So implement a band-aid to translate it into ext4.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Add new module to update the dracut commandline values
during booting with the values found in the file
dracut-cmdline.conf on the device specified by
rd.zipl.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Contrary to the original patch, this one has been modified
to check for /boot/zipl, the location of the first stage kernel
in indirect boot, in order not to install on systems
booting directly via zipl.
Signed-off-by: Daniel Molkentin <daniel.molkentin@suse.com>
Add s390 dcssblk driver and introduce rd.dcssblk= to pass mounts
that should get activated at initrd stage.
References: FATE#308263
Signed-off-by: Hannes Reinecke <hare@suse.de>
Allow filesystem modules to install a fs-specific text file with
instructions on what to do when mount fails. This is printed when we go into
an emergency shell.
Signed-off-by: Mark Fasheh <mfasheh@suse.de>
Lubomir Rintel