- use [ ] instead of calling test manually, as most of the script is
doing.
- use quotes in hostonly_cmdline blocks, specially when dealing with the
conf files, whose names are set by users/system administrators
- uefi_splash_image was being assigned set to `${dracutsysroot}...`, which
is a variable that doesn't exist.
- we don't want the conditional to run the output of fsfreeze as
commands. Instead, we just need to know if any of the fsfreeze commands
failed.
The kernel command line was being written both into
/etc/cmdline.d/01-default.conf and the UEFI executable.
During boot, getcmdline would concatenate these two
resulting in all arguments being duplicated. Some
args, such as ip=, are sensitive to the number of
times they are specified.
The new dracutsysrootdir could be used to replace the shell function
required_in_root, so drop it and also simplify the code.
Signed-off-by: Kairui Song <kasong@redhat.com>
This fixes two issues:
1) on non-x86 systems in non-hostonly config this would cause
an annoying warning on every initramfs generation
2) on non-x86 systems in hostonly config this would result in
early microcode not getting disabled
On Fedora/RHEL, libcryto will verify both itself and libssl on start, if
libssl is missing, FIPS self test will fail. However libssl is not a
dependency of libcryto so dracut will not install it, unless some other
binary or library pulls it in. Systemd requires libssl, so in most cases
it just worked, but could fail in some corner cases where systemd is not
used.
Signed-off-by: Kairui Song <kasong@redhat.com>
Emit a warning about possible misconfigured configuration files, where
the spaces around values are missing for +=""
Better report a possible source of problems. We can fix annoying false
positives later.
Ability to use `$TMPDIR` was introduced in bc1e69b but
causes the `--tmpdir` option on the command line to be
ignored. Switch to only using `$TMPDIR` if `--tmpdir`
wasn't specified.
Use environment variable TMPDIR (typically /run/user/$UID) as default
temporary directory, if available. This should be more private
location than /var/tmp. Path specified with --tmpdir is takes
precedence over TMPDIR and /var/tmp is still used as last resort if
neither TMPDIR is set nor --tmpdir is used.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
dracut.sh already doesn't call fsfreeze if the output file is on
the root file system. For btrfs, however, this is not sufficient.
Because fsfreeze is a superblock operation, and all btrfs subvolumes
share the same superblock, fsfreeze may freeze the entire system
if the subvolume on which the output file is written and / are
subvolumes of the same file system. Avoid this by comparing file
system UUIDs for btrfs.
Fixes: de576db3c2 ("call fsfreeze(8) on /boot to flush initramfs data & metadata to media")
If the temporary directory for images is mounted with 'noexec', dracut
would construct unbootable images because most dynamic libraries
aren't installed. Avoid this by not resolving library dependencies
lazily if the temporary directory is mounted with 'noexec'.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Checks if `uefi_splash_image` exists in `dracutsysroot` if not unset
`uefi_splash_image`. Alternate Value parameter expansion adds section-vma
for splash image to EFI stub loader when the path to image is valid and
not an empty file.
I did not test on other distributions, but on Arch Linux the `systemd`
package includes a splash image at the path
`/usr/share/systemd/bootctl/splash-arch.bmp`. Perhaps, if this is a
common practice, a default image could be gathered from that directory.
It is required that the image be in bitmap (`.bmp`) format according to
`splash.c`.
The code for `stub.c` and `splash.c` can be found at:
https://github.com/systemd/systemd/blob/master/src/boot/efi/stub.chttps://github.com/systemd/systemd/blob/master/src/boot/efi/splash.c
Due to the way dracut-install handles modules from custom kmoddirs, add
a test that ensures the kmoddir argument seems sane.
In addition to erroring out, provide some guidance on how to proceed, as
well as a method of skipping the test via environment variable.
Some distributions (Arch, Gentoo) ship prepacked microcode images. These
are cpio images that follow the structure specified in the Linux kernel
documentation (x86/microcode.rst, "Early load microcode"), the same
structure dracut uses for its early microcode images.
In case of Arch Linux, the microcode for Intel CPUs is currently only
available in this packed form, /usr/lib/firmware/intel-ucode does not
exist. This commit adds a way to make use of these images on such
systems by unpacking them to the early cpio directory. (Note that the
packed image cannot be used directly since dracut might need to add ACPI
tables to the early initramfs.)
This approach has the drawback that it is not possible to control the
selection of CPUs to be included in the microcode file in host-only
mode, so we only try it as a last ressort if no unpacked microcode could
be found in fw_dir.
The list of possible file names for the packed microcode image is taken
from GRUB (cf. GRUB_EARLY_INITRD_LINUX_STOCK), but can be adapted by
setting "early_microcode_image_name" (and "early_microcode_image_dir")
in a dracut configuration file.
For the shell scripts, new environment variables were introduced.
dracutsysrootdir is the root directory, file existence checks use it.
DRACUT_LDCONFIG can override ldconfig with a different one that works
on the sysroot with foreign binaries.
DRACUT_LDD can override ldd with a different one that works
with foreign binaries.
DRACUT_TESTBIN can override /bin/sh. A cross-compiled sysroot
may use symlinks that are valid only when running on the target
so a real file must be provided that exist in the sysroot.
DRACUT_INSTALL now supports debugging dracut-install in itself
when run by dracut but without debugging the dracut scripts.
E.g. DRACUT_INSTALL="valgrind dracut-install or
DRACUT_INSTALL="dracut-install --debug".
DRACUT_COMPRESS_BZIP2, DRACUT_COMPRESS_LBZIP2, DRACUT_COMPRESS_LZMA,
DRACUT_COMPRESS_XZ, DRACUT_COMPRESS_GZIP, DRACUT_COMPRESS_PIGZ,
DRACUT_COMPRESS_LZOP, DRACUT_COMPRESS_ZSTD, DRACUT_COMPRESS_LZ4,
DRACUT_COMPRESS_CAT: All of the compression utilities may be
overridden, to support the native binaries in non-standard places.
DRACUT_ARCH overrides "uname -m".
SYSTEMD_VERSION overrides "systemd --version".
The dracut-install utility was overhauled to support sysroot via
a new option -r and fixes for clang-analyze. It supports
cross-compiler-ldd from
https://gist.github.com/jerome-pouiller/c403786c1394f53f44a3b61214489e6f
DRACUT_INSTALL_PATH was introduced so dracut-install can work with
a different PATH. In a cross-compiled environment (e.g. Yocto), PATH
points to natively built binaries that are not in the host's /bin,
/usr/bin, etc. dracut-install still needs plain /bin and /usr/bin
that are relative to the cross-compiled sysroot.
The hashmap pool allocate_tile/deallocate_tile code was removed
because clang-analyze showed errors in it. hashmap_copy was removed
because it wasn't used and clang-analyze showed errors in it.
DRACUT_INSTALL_LOG_TARGET and DRACUT_INSTALL_LOG_LEVEL were
introduced so dracut-install can use different settings from
DRACUT_LOG_TARGET and DRACUT_LOG_LEVEL.
Signed-off-by: Böszörményi Zoltán <zboszor@pr.hu>
Intel has notified us that some microcode updates are not safe
to be applied during runtime. To accomodate for that, microcode
files shipped by SUSE and openSUSE have an '.early' postfix such
that triggering
/sys/devices/system/cpu/microcode/reload
from a booted system cannot pick up the ucode by accident, while
still allowing the code to be picked up during initrd time.
This change is needed to make this scheme work also in a hostonly
situation.
Currently, this affects only 06-4f-01, which is now 06-4f-01.early.
If a distro does not change the filename, the behavior does not
change.
Reference: osc#1098915
Since Bash 4.4, command substitutions containing null bytes produce a
warning of the form
/usr/sbin/dracut: line 1958: warning: command substitution: ignored null byte in input
Remove the trailing null byte from the UEFI kernel command line file
before printing it to suppress this warning.
Previously with squash module, some binaries will be reinstalled, but
stripping happens before that so new installed binaries is not stripped.
So adjust the squash and strip order, ensure new installed binaries are
stripped just the same way with the old binaries.
Also split squash into two stage to make the split easier, move the
squash temp dir into initdir so stripping will cover that too,
and print more usefule message.
Signed-off-by: Kairui Song <kasong@redhat.com>
on line 1086 it's used to check for the uefi_stub:
"${systemdutildir}/boot/efi/linux${EFI_MACHINE_TYPE_NAME}.efi.stub"
so it needs to be defined before that
The EFI executables produced by dracut --uefi must be placed in the
subdirectory /EFI/Linux of the EFI system partition (ESP) according to
the Boot Loader Specification, see
https://systemd.io/BOOT_LOADER_SPECIFICATION#logic
This is done correctly for the mount points /boot and /boot/efi, but for
the mount point /efi, the files are placed in /efi/Linux instead of the
correct /efi/EFI/Linux. This commit fixes the directory so that the EFI
executables are picked up correctly by conforming boot loaders.
Apart from complying to the specification, the change is also in line
with the commit message of 5c57209ba5
("dracut.sh: add default path for --uefi") which introduced this feature
as well as the documentation in dracut.8.asc.
systemctl need to be accessible on switch-root, but we unmount the
squash image on switch-root, so it will fail. systemctl depends on a lot
of libraries, squash them can save more RAM. So allow modules
(eg. kdump) to tell dracut that switch-root will be intercepted,
then we don't need to take care of that.
Signed-off-by: Kairui Song <kasong@redhat.com>
If required target is a symbol link, create the link then following the
link. If it's a directory, create new directory, else just move it.
Signed-off-by: Kairui Song <kasong@redhat.com>
systemd binary and udevadm are not needed to be outside the squash
image. Some binaries are kept outside because they are required before
mounting the image, or after umounting the image (when switching root),
or they may block umounting the image. But we are using lazy umounting,
so actually nothing will block the umount.
Keep more binaries outside the squash image won't hurt but cost extra
memories, the idea of squash image is to save memory usage.
So, there is no reason to keep udevadm outside, that should be a debug
left over. For systemd binary, it's running when switch root happens,
But we have lazy umounted the image and overlay, once systemd process
exec the new systemd in new root, everything will be cleared by kernel.
Also tidy up the comment make it less confussing.
Signed-off-by: Kairui Song <kasong@redhat.com>
Previous in commit 7047294, dracut will include the loaded kernel module
list in initramfs, so other tools could check if the loaded kernel
module is changed and rebuild the host only initramfs in case some
module required to boot the machine is missing due to host only install.
It's better to use modalias list generated by dracut-install, that
list includes the device modalias list combined with current loaded
kernel module list. In this way, if any kernel module is yet to be
loaded when the initramfs is built, or got unloaded by accident the
module list will not change. This make the list more stable over
initramfs builds.
Signed-off-by: Kairui Song <kasong@redhat.com>
In commit [9d1b81c dracut.sh: improve udevdir and systemdutildir
fallback logic] , it checked a common binary `collect' to location
udevdir.
But upstream systemd drop binary `collect' since systemd v240
[a168792c2d]
So check binary `ata_id' to instead.
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Let the caller pass in the module path instead of try to find the module
path everytime. This helps optimize the overall runtime.
Test results (3 rounds) on Fedora 30 in KVM VM with 8 CPUs, 2G memory, HDD:
$ time ./dracut.sh --local --quiet --hostonly --hostonly-cmdline --hostonly-i18n --hostonly-mode 'strict' -o 'plymouth dash resume ifcfg' --mount '/dev/mapper/fedora-root /sysroot xfs defaults' --no-hostonly-default-device -f initramfs.img
Before the commit:
real 0m11.782s | real 0m11.505s | real 0m11.958s
user 0m9.169s | user 0m9.218s | user 0m9.327s
sys 0m10.839s | sys 0m10.829s | sys 0m10.925s
After this commit:
real 0m9.866s | real 0m9.580s | real 0m9.638s
user 0m9.048s | user 0m9.142s | user 0m9.120s
sys 0m7.411s | sys 0m7.775s | sys 0m7.745s
Test result of building a ordinary image:
$ time ./dracut.sh --local --quiet -f initramfs.img
Before the commit:
real 0m34.697s | real 0m34.371s | real 0m35.122s
user 0m27.608s | user 0m27.524s | user 0m27.705s
sys 0m22.341s | sys 0m22.032s | sys 0m22.246s
After the commit:
real 0m31.914s | real 0m31.006 | real 0m31.289ss
user 0m27.315s | user 0m27.324 | user 0m27.290ss
sys 0m19.051s | sys 0m18.916 | sys 0m19.022ss
This will have an ~2s speed up.
Signed-off-by: Kairui Song <kasong@redhat.com>
When building squash image, squash module forgot to install the new
shutdown.sh, and the shutdown hooks are always skipped on ordinary
shutdown if squash module is enabled.
The new shutdown.sh will remount the squash image and then everything
will just work, but currently re-mounting the squash image on shutdown
may have selinux problem and make the system hang, and there is no
easy way to fix it.
So skip fixing the shutdown.sh not being install problem, instead
just drop the new shutdown.sh, and unsquash the image on ordinary
shutdown, which is safer and should always work.
Signed-off-by: Kairui Song <kasong@redhat.com>
With all files stored in ramfs, and most of them are not compressed,
the initramfs will take up a lot of memory. Besides, if the file number
is large, each file will waste some memory due to page fragmetation.
This is due to ramfs' design, at least one page will be allocated for
one file however small the file is. On machine with large page size,
this will become worse and waste too many memory.
One approach to reducing the memory usage is to reduce the number of
files that got directly loaded into the root ramfs, and compress files
by put most files will into a read-only squash image and keep a minimum
set of executable and libraries outside as the loader for the squash
image. After the squash image is mounted, the real 'init' will be
executed and then everything behaves as usual.
This patch will introduce a '99squash' module which will never be
included by default. User can force add it, and if it is included,
dracut will perform some extra steps before creating the final image:
For now, "/etc" and "/usr" will be moved into the squashfs image.
"/init" will be renamed to "/init.stock" and replaced by "/init.squash".
Files and folders need to be accessible before mounting the image will
be still avaliable at their original place. And due to squashfs is
readonly, an overlayfs layer will be created on top of squashfs mount
point, as many dracut module require readwrite access to "/etc" and
"/usr", "init.squash" will ultimately call "/init.stock".
An extra systemd service will be installed. This service will umount all
squashfs related mount points right before switch-root to release
resources properly. This service will not actually do anything if
switch-root is not used.
This is very helpful when mem resource is very limited, like Kdump.
According to my tests, this squash module can help save about 35MB of
memory with 64K page size, or about 15MB with 4K page size on an
ordinary kdump capture routine. This module could also help reduce
memory usage for normal boot up process.
Won't change any behavior if squash module is not enabled.
Signed-off-by: Kairui Song <kasong@redhat.com>
A hostonly image will not include every possibly required kernel module,
so if any hardware or configuration changed, the image may fail to boot.
One way to know if there are any hardware change or configuration change
that will require an image rebuild or not is to check the loaded kernel
module list. If the loaded kernel module list differs from last build
time, then the image may require to be rebuilt.
This commit will let dracut record the loaded kernel module list when
the image is being built, so other tools or services can compare this
list with currently loaded kernel modules to decide if dracut should be
called to rebuild the image.
To retrieve the loaded kernel modules list when an image is built, use
lsinitrd command:
lsinitrd $image -f */lib/dracut/loaded-kernel-modules.txt
Check for a common binary in systemdutildir. This resolves an issue on
split-usr systems, where it is common to have both /lib/systemd[/system]
and /usr/lib/systemd[/user] present.
Check for systemd-udevd specifically, since some distros (Gentoo) allow
udev to be installed without the rest of the systemd stack.
Similar logic is applied to udevdir simply for consistency.
Add a new option --hostonly-mode which accept an <mode> parameter, so we have a tri-state hostonly mode:
* generic: by passing "--no-hostonly" or not passing anything.
"--hostonly-mode" has no effect in such case.
* sloppy: by passing "--hostonly --hostonly-mode sloppy". This
is also the default mode when only "--hostonly" is given.
* strict: by passing "--hostonly --hostonly-mode strict".
Sloppy mode is the original hostonly mode, the new introduced strict
mode will allow modules to ignore more drivers or do some extra job to
save memory and disk space, while making the image less portable.
Also introduced a helper function "optional_hostonly" to make it
easier for modules to leverage new hostonly mode.
To force install modules only in sloppy hostonly mode, use the form:
hostonly="$(optional_hostonly)" instmods <modules>
Signed-off-by: Kairui Song <kasong@redhat.com>
When dracut silently produces a broken initramfs, then the system will
likely not boot and this can be very problematic. Typical use case is
after the kernel has been updated.
It appears that dracut is not protected against the BASH_ENV variable,
causing various scripts called by dracut to possibly fail or provide
wrong output (e.g. "ldd" is one of these).
Having a broken output for "ldd" makes the generated initramfs be not
usable, typically because vital binaries will be missing (e.g.
"awk", "udevadm", ...).
Note: because the shebang line cannot contain more than one argument,
the '--norc' option had to be removed. IMHO, it was useless anyway.
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
It's possible for e.g. `kernel` to be installed as an RPM BuildRequires or equivalent,
and there's no reason to sync, and *definitely* no reason to fsfreeze.
Another case where this happens is rpm-ostree, which performs its own sync/fsfreeze
globally. See e.g. 8642ef5ab3
We initially enabled it for Haswell TSX bug (mga#16657)
Now there is also Meltdown and Spectre security issues,
and more microcode issues will most likely show up...
So the sane default for 'early_microcode' to have it enabled,
as theese changes must be done early in boot process to take
effect as intended.
Update documentation accordingly.
Reference: https://bugs.mageia.org/show_bug.cgi?id=16657
Signed-off-by: Thomas Backlund <tmb@mageia.org>
Signed-off-by: Neal Gompa <ngompa13@gmail.com>
When the system boots with EFI, then initrd image is stored
on EFI System Partition. Thus dracut always warn about the
failure to invoke fsfreeze on the partition.
This prevents to run fsfreeze on ESP and suppress the warning.
- dracut replaced every instance of "-i" in the cmdline,
even if it was part of a kernel image name, e.g. "vmlinuz-i"
- Fixes boo#908452
Signed-off-by: Fabian Vogt <fvogt@suse.com>
Adjusted to not support "dracut -ifoo bar", as this breaks expected
upstream behavior.
Currently in Fedora/RedHat dracut installs its fedora.conf.example
as the default config file, in which sysloglvl is set 5. This leads
to maxloglvl=5 in dracut calls, making unnecessary lsinitrd calls
during initramfs builds by kdump.
This patch disables lsinitrd logging when --quiet option is given,
which is controlled by maxloglvl only before. This will speed up
dracut image building as the following if --quiet is used in kdump:
1) Before this patch
$ kdumpctl stop; touch /etc/kdump.conf; time kdumpctl start
kexec: unloaded kdump kernel
Stopping kdump: [OK]
Detected change(s) in the following file(s):
/etc/kdump.conf
Rebuilding /boot/initramfs-4.13.0-0.rc1.git4.1.fc27.x86_64kdump.img
kexec: loaded kdump kernel
Starting kdump: [OK]
real 0m26.824s
user 0m9.958s
sys 0m15.106s
2) After this patch
$ kdumpctl stop; touch /etc/kdump.conf; time kdumpctl start
kexec: unloaded kdump kernel
Stopping kdump: [OK]
Detected change(s) in the following file(s):
/etc/kdump.conf
Rebuilding /boot/initramfs-4.13.0-0.rc1.git4.1.fc27.x86_64kdump.img
kexec: loaded kdump kernel
Starting kdump: [OK]
real 0m20.420s
user 0m8.385s
sys 0m10.468s
Signed-off-by: Ziyue Yang <ziyang@redhat.com>
In case of "--no-hostonly-default-device", we do not need
the root device, thus add this check.
Also fixed the stale "root_dev" export.
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
Kdump doesn't need default host devices like root, swap, fstab, etc,
we only care about the dump target which can be added via "--mount"
or "--add-device". We met several issues that kdump kernel failed
due to one of those host devices added by dracut, additionally, the
needless devices(e.g. LVM) consume some appreciable amount of memory
which is more likely to cause OOM under memory-limited kdump.
So this patch introduced "--no-hostonly-default-device" to avoid
adding those default devices as host_devs.
Signed-off-by: Xunlei Pang <xlpang@redhat.com>
If we trigger crash just after creating initramfs, sometimes it is
observed that initramfs is not written to disk causing the subsequent
boot to fail. A sync should resolve this.
Signed-off-by: Ankit Kumar <ankit@linux.vnet.ibm.com>
This is intended for minimum host OSes where 36 MB used by binutils
are deemed too expensive. We only need "strip", which exists as eu-strip
in elfutils, which in turn is < 1 MB in size.
Note that the tests (TEST-04-FULL-SYSTEMD/test.sh) still depend on
strip from binutils. It could use sstrip in the future.
The default output filename for --uefi is
<EFI>/EFI/Linux/linux-$kernel$-<MACHINE_ID>-<BUILD_ID>.efi.
<EFI> might be /efi, /boot or /boot/efi depending on where the ESP partition
is mounted. The <BUILD_ID> is taken from BUILD_ID in /usr/lib/os-release or
if it exists /etc/os-release and is left out, if BUILD_ID is non-existant or
empty.
Also a new option --no-machineid was added, which affects the default output
filename of --uefi and will discard the <MACHINE_ID> part.
Dracut changes working directory before attempting to output files under
$DRACUT_TMPDIR , resulting in an IO failure if $DRACUT_TMPDIR is a path
relative to the working directory when dracut was started.
Fixes: https://github.com/dracutdevs/dracut/issues/156
Signed-off-by: David Disseldorp <ddiss@suse.de>
Handle module aliases correctly to not generate unbootable
initrds with different kernel versions when modules were renamed
or replaced.
Signed-off-by: Fabian Vogt <fvogt@suse.com>
Kairui Song