if rd.md.uuid is in ID_FS_UUID format with dashes
e40a0234-7e52-5f10-f267-658d8ec463fa
convert it for the /dev/disk/by-id/md-uuid-${uuid} format
e40a0234:7e525f10:f267658d:8ec463fa
This commit basically reverts 5ce7cc73
90-multipath-hostonly module was added in 5ce7cc73, because if hostonly
mode is enabled, multipath module will always hardcode wwids which
causes problems when the initramfs is cloned to another system with same
hardware.
Now with tri-state hostonly mode, the two modules could be merged and only
hardcode wwids when "strict" hostonly mode is enabled.
Only pick rules for interfaces which have a carrier in the running
system. Those interfaces will be assembled by udev to allow booting
from those devices (i.e. iSCSI).
Reference: FATE#323440
The code in 50drm which tries to include all DRM drivers for
hardware attached to the system did not look for virtio devices.
So if the system is a VM using the 'virtio' graphics adapter,
the 'virtio-gpu' module which should be included is not. This
extends the code to also look for virtio devices.
https://bugzilla.redhat.com/show_bug.cgi?id=1593028
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Since the kernel doesn't allow using any non-FIPS-compliant crypto
algorithms, it doesn't make sense to install them. Even if they are
installed, tcrypt will not test them anyway.
Tested on Fedora 28 x86_64 by booting with fips=1 (with hand-patched
module-setup.sh).
This patch cleans up the default list of kernel modules in the 01fips
dracut module. All the algorithms that are tested in tcrypt are listed
by their algorithm name so that all the generic implementations and
drivers are picked up automatically based on the module alias.
This drops several unneeded modules and even a bogus one (rot13 -- this
one was obviously copy-pasted from tcrypt.c where it was listed as an
easter egg :).
The patch adds also some algorithms that weren't included in the
original set. It turns out in FIPS mode we only need those algorithms
that are marked as FIPS-allowed in testmgr.c (failure to find a non-FIPS
algorithm is ignored). The non-FIPS algorithms are further removed in a
subsequent patch.
since kmod-25 keyword "external" was implemented in order to avoid
additional actions(like weak-modules) when kernel was updated, which
makes it more simple while kernels' kabi were compatible.
but if move some special modules such as megaraid_sas, mpt3sas and
so on, to a external path like /opt/modules, these modules will not
be install to initramfs by default, which make the initramfs can't
be used to boot for disk detection failure.
according to kmod's document, you must specify a absolute path with
"external" keyword, so scan the lines in modules.dep that begin with
"/" and install them, to make sure necessary modules in external path
can be installed to initramfs too.
Signed-off-by: Hui Wang <john.wanghui@huawei.com>
The main 01fips module should always load all optimized/driver modules
of all relevant crypto algorithms (based on their aliases), so we can
drop this useless module.
Commit bf5c53a implements support for mounting LUKS devices with
detached headers; however, it assumes that the LUKS device sits on an
unpartitioned disk.
Mirroring the `rd.luks.serial` option, this commit implements the
`rd.luks.partuuid` cmdline option, supporting headless LUKS devices on
drive partitions.
In kdump, if dump-target is ssh on ipv6, we need to sync until ipv6 addr
is ready. Currently ip=auto6/dhcp6 provides such function. But in 1st kernel,
it is hard to know whether the ipv6 addr is got by dhcpv6 or SLAAC.
E.g ifcfg-eth* contains DHCPV6C=yes direction, but there is no dhcpv6
server in the network, and then after the system is up, the user
echo 1 > /proc/sys/net/ipv6/conf/eth0/autoconf && accept_ra by manual
to obtain a ipv6 addr. Or vice.
So this patch suggests to make dhcpv6 as auto6 fallback
Signed-off-by: Pingfan Liu <piliu@redhat.com>
If a process (maybe plymouth) was still pinning /oldroot, then shutdown
would
- kill -9 $pid
- umount_a
- umount_a
in a very short timeframe. A small sleep hopefully lets the scheduler free
up /oldroot in the mean time.
Convert the s390x into s390 to also include s390-specific crypto
modules, for example, aes_s390 into the initramfs.
Signed-off-by: Hendrik Brueckner <brueckner@linux.ibm.com>
Some distros have both /usr/lib/plymouth and /usr/libexec/plymouth
directorirs, so we should check the existance of plymouth-populate-initrd
script.
Fixes: 421b46f8ae
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/dracut-init.sh:939:20: error: Argument to implicit -n is always true due to literal strings. [SC2157]
937| dracut_kernel_post() {
938| for _f in modules.builtin.bin modules.builtin modules.order; do
939|-> [[ $srcmods/$_f ]] && inst_simple "$srcmods/$_f" "/lib/modules/$kernel/$_f"
940| done
941|
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/98syslog/parse-syslog-opts.sh:18:12: error: This expression is constant. Did you forget a $ somewhere? [SC2078]
16| elif [ -e /sbin/syslogd ]; then
17| syslogtype="syslogd"
18|-> elif [ /sbin/syslog-ng ]; then
19| syslogtype="syslog-ng"
20| else
Error: SHELLCHECK_WARNING:
/usr/lib/dracut/modules.d/90crypt/crypt-lib.sh:15:29: error: Since you double quoted this, it will not word split, and the loop will only run once. [SC2066]
13| strstr "$d" "${luks##luks-}" && return 0
14| if [ -n "$dev" ]; then
15|-> for _dev in "$(devnames $d)"; do
16| [ "$dev" -ef "$_dev" ] && return 0
17| done
If no network related params are specific, but rd.neednet=1 is set,
the default initqueue action is to wait until one of the network
interfaces is marked as setup properly.
This also help with initqueue's race condition when the network interface
shows up late
References: bnc#866771
Signed-off-by: Hannes Reinecke <hare@suse.de>
The existence of dpkg-achitecture is not indicative of a debian
installation. It may well be installed on systems of people who
package for both distros. The previous code path did not take
that into account.
We now traverse all known plymouth directories, locking on the first
valid one, and try to work with it.
At the same time, we do not include the module if the plymouth directory
could not be found.
Previously if no symmetric key was configured for EVM, then the
initialization process was aborted. It can be a valid use case, however,
to only use EVM digital signatures. In this case only X.509 certificates
need to be loaded.
With this change EVM initialization will continue if any of the
symmetric or X.509 keys could be loaded.
This implements logic analogous to the one already implemented in
ima-keys-load.sh, only for the .evm/_evm keyrings.
If the kernel was built with CONFIG_IMA_TRUSTED_KEYRING then the kernel
initially creates and configures .ima and .evm keyrings. These keyrings
only accept x509 certificates that have been signed by a local CA which
belongs to the kernel builtin trusted keyring.
Thus if such a keyring is already present then additional evm keys
should be loaded into them. If this is not the case then the _evm
keyring needs to be created in userspace and keys will be loaded into
it instead.
Before this change dracut always created the _evm keyring and loaded
keys into it without considering an existing .evm keyring. In case of
CONFIG_IMA_TRUSTED_KEYRING being enabled, the _evm keyring will not be
used by the kernel, however, and EVM digital signatures will not work as
expected.
Harald Hoyer