import dracut-049-201.git20220131.el8

This commit is contained in:
CentOS Sources 2022-02-05 05:25:13 +00:00 committed by Stepan Oksanichenko
parent 4bc500620f
commit 03f5bc1987
12 changed files with 730 additions and 1 deletions

View File

@ -56,3 +56,4 @@ index baf6dcff..4962316d 100644
if (dracut_install(clib, clib, false, false, true) == 0)
log_debug("Lib install: '%s'", clib);
/* also install lib.so for lib.so.* files */

243
SOURCES/0191.patch Normal file
View File

@ -0,0 +1,243 @@
From e2c7b61f97465b26c598d655c8717403c0a73726 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 13 Nov 2021 16:35:23 +0100
Subject: [PATCH] ci: introduce C8S based GHA CI
Loosely based on the upstream dracut CI to make things simpler.
rhel-only
---
.github/workflows/container.yml | 52 +++++++++++++++++++++++++++++
.github/workflows/integration.yml | 48 +++++++++++++++++++++++++++
test/container/Dockerfile-CentOS-8-Stream | 54 +++++++++++++++++++++++++++++++
tools/test-github.sh | 49 ++++++++++++++++++++++++++++
4 files changed, 203 insertions(+)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
new file mode 100644
index 00000000..0a4c000f
--- /dev/null
+++ b/.github/workflows/container.yml
@@ -0,0 +1,52 @@
+name: Container
+on:
+ schedule:
+ - cron: '30 11 * * *'
+ push:
+ branches: [ main ]
+ paths:
+ - 'test/container/**'
+ - '.github/workflows/container.yml'
+ pull_request:
+ branches: [ main ]
+ paths:
+ - 'test/container/**'
+ - '.github/workflows/container.yml'
+
+permissions:
+ packages: write
+ contents: read
+
+jobs:
+ push_to_registry:
+ name: Build and push containers image to GitHub Packages
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
+ cancel-in-progress: true
+ strategy:
+ fail-fast: false
+ matrix:
+ config:
+ # Use a prefixed image name to not conflict with the "centos"
+ # image from redhat-plumbers/dracut-rhel9
+ - { dockerfile: 'Dockerfile-CentOS-8-Stream', tag: 'rhel8_centos:stream8' }
+ steps:
+ - name: Check out the repo
+ uses: actions/checkout@v2
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v1
+# with:
+# buildkitd-flags: --debug
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+ - name: Build and Push Container
+ uses: docker/build-push-action@v2
+ with:
+ file: test/container/${{ matrix.config.dockerfile }}
+ tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.config.tag }}
+ push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
new file mode 100644
index 00000000..80a856a2
--- /dev/null
+++ b/.github/workflows/integration.yml
@@ -0,0 +1,48 @@
+name: Integration Test
+
+on:
+ pull_request:
+ branches: [ main ]
+
+jobs:
+ centos-8-stream:
+ runs-on: ubuntu-latest
+ timeout-minutes: 45
+ concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.container }}-${{ matrix.test }}
+ cancel-in-progress: true
+ strategy:
+ matrix:
+ container: [
+ "rhel8_centos:stream8",
+ ]
+ # Disabled tests (due to dropped packages in RHEL/CentOS):
+ # 03, 04, 15: requires btrfs
+ # 14: requires dmraid
+ # 30, 31, 35, 36: requires scsi-target-utils
+ test: [
+ "01",
+ "02",
+ "10",
+ "11",
+ "12",
+ "13",
+ "17",
+ "20",
+ #"21", needs backport (NFS + NM)
+ "40",
+ #"41", needws backport (NBD + NM)
+ "98",
+ ]
+ fail-fast: false
+ container:
+ image: ghcr.io/${{ github.repository_owner }}/${{ matrix.container }}
+ options: "--privileged -v /dev:/dev"
+ steps:
+ - name: "Checkout Repository"
+ uses: actions/checkout@v2
+ with:
+ fetch-depth: 0
+
+ - name: "${{ matrix.container }} TEST-${{ matrix.test }}"
+ run: ./tools/test-github.sh "TEST-${{ matrix.test }}" ${{ matrix.test }}
diff --git a/test/container/Dockerfile-CentOS-8-Stream b/test/container/Dockerfile-CentOS-8-Stream
new file mode 100644
index 00000000..0eda4a7e
--- /dev/null
+++ b/test/container/Dockerfile-CentOS-8-Stream
@@ -0,0 +1,54 @@
+FROM quay.io/centos/centos:stream8
+
+MAINTAINER https://github.com/dracutdevs/dracut
+
+ENV container docker
+LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
+
+RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
+
+# Install needed packages for the dracut CI container
+RUN dnf -y install epel-release && \
+ dnf -y install --enablerepo powertools --enablerepo epel --setopt=install_weak_deps=False \
+ qemu-kvm \
+ NetworkManager \
+ asciidoc \
+ bash-completion \
+ bzip2 \
+ cryptsetup \
+ dash \
+ dbus-daemon \
+ dhcp-client \
+ dhcp-server \
+ e2fsprogs \
+ gcc \
+ git \
+ iproute \
+ iputils \
+ iscsi-initiator-utils \
+ kbd \
+ kernel \
+ kmod-devel \
+ lvm2 \
+ make \
+ mdadm \
+ nfs-utils \
+ pigz \
+ python3-imgcreate \
+ rpm-build \
+ strace \
+ sudo \
+ tar \
+ tcpdump \
+ wget \
+ which \
+ xz \
+ && dnf -y update && dnf clean all
+
+# CentOS 8 ships only qemu-kvm, but it disables the KVM accel when it's not
+# available
+RUN ln -sv /usr/libexec/qemu-kvm /usr/bin/qemu-kvm && \
+ ln -sv /usr/libexec/qemu-kvm /usr/bin/qemu-system-$(uname -m)
+
+# Set default command
+CMD ["/usr/bin/bash"]
diff --git a/tools/test-github.sh b/tools/test-github.sh
new file mode 100755
index 00000000..eab59dcc
--- /dev/null
+++ b/tools/test-github.sh
@@ -0,0 +1,49 @@
+#!/bin/bash
+
+set -ex
+
+[[ -d ${0%/*} ]] && cd "${0%/*}"/../
+
+RUN_ID="$1"
+TESTS=$2
+
+./configure
+
+NCPU=$(getconf _NPROCESSORS_ONLN)
+
+if ! [[ $TESTS ]]; then
+ # GitHub workflows fetch a clone of the dracut repository which doesn't
+ # contain git tags, thus "breaking" the RPM build in certain situations
+ # i.e.:
+ # DRACUT_MAIN_VERSION in Makefile is defined as an output of `git describe`,
+ # which in full git clone returns a tag with a numeric version. However,
+ # without tags it returns SHA of the last commit, which later propagates into
+ # `Provides:` attribute of the built RPM and can break dependency tree when
+ # installed
+ [[ -d .git ]] && git fetch --tags && git describe --tags
+ make -j "$NCPU" all syncheck rpm logtee
+else
+ if [[ $TESTS == "99" ]]; then
+ [[ -d .git ]] && git fetch --tags && git describe --tags
+ make_docs=yes
+ else
+ make_docs=no
+ fi
+
+ make -j "$NCPU" enable_documentation=$make_docs all logtee
+
+ cd test
+
+ # shellcheck disable=SC2012
+ time LOGTEE_TIMEOUT_MS=590000 make \
+ enable_documentation=$make_docs \
+ KVERSION="$(
+ cd /lib/modules
+ ls -1 | tail -1
+ )" \
+ DRACUT_NO_XATTR=1 \
+ TEST_RUN_ID="$RUN_ID" \
+ ${TESTS:+TESTS="$TESTS"} \
+ -k V=1 \
+ check
+fi

78
SOURCES/0192.patch Normal file
View File

@ -0,0 +1,78 @@
From 436135496469ec24be1fc6fbc03a39d2575c8686 Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Sat, 13 Nov 2021 17:55:45 +0100
Subject: [PATCH] ci: backport TEST-21-NFS-NM
Loosely cherry-picked from a3f73298f287e75810d6784efa52e80af15da2bd.
rhel-only
---
.github/workflows/integration.yml | 3 +--
test/TEST-20-NFS/test.sh | 14 +++++++++++---
test/TEST-21-NFS-NM/Makefile | 12 ++++++++++++
3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 80a856a2..9c7c8486 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -29,9 +29,8 @@ jobs:
"13",
"17",
"20",
- #"21", needs backport (NFS + NM)
+ "21",
"40",
- #"41", needws backport (NBD + NM)
"98",
]
fail-fast: false
diff --git a/test/TEST-20-NFS/test.sh b/test/TEST-20-NFS/test.sh
index 4ad7fd77..320f9c3e 100755
--- a/test/TEST-20-NFS/test.sh
+++ b/test/TEST-20-NFS/test.sh
@@ -1,5 +1,13 @@
#!/bin/bash
-TEST_DESCRIPTION="root filesystem on NFS"
+if [[ $NM ]]; then
+ USE_NETWORK="network-manager"
+ OMIT_NETWORK="network-legacy"
+else
+ USE_NETWORK="network-legacy"
+ OMIT_NETWORK="network-manager"
+fi
+
+TEST_DESCRIPTION="root filesystem on NFS with $USE_NETWORK"
KVERSION=${KVERSION-$(uname -r)}
@@ -353,8 +361,8 @@ test_setup() {
# Make client's dracut image
$basedir/dracut.sh -l -i $TESTDIR/overlay / \
- -o "plymouth dash" \
- -a "debug watchdog" \
+ -o "plymouth dash ${OMIT_NETWORK}" \
+ -a "debug watchdog ${USE_NETWORK}" \
-d "af_packet piix ide-gd_mod ata_piix sd_mod e1000 nfs sunrpc i6300esb" \
--no-hostonly-cmdline -N \
-f $TESTDIR/initramfs.testing $KVERSION || return 1
diff --git a/test/TEST-21-NFS-NM/Makefile b/test/TEST-21-NFS-NM/Makefile
new file mode 100644
index 00000000..b19122a1
--- /dev/null
+++ b/test/TEST-21-NFS-NM/Makefile
@@ -0,0 +1,12 @@
+.PHONY: all setup clean run
+
+BASETEST=../TEST-20-NFS
+
+all:
+ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) all
+setup:
+ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) setup
+clean:
+ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) clean
+run:
+ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) run

57
SOURCES/0193.patch Normal file
View File

@ -0,0 +1,57 @@
From fd907a1b2b1f087afa2eccfa1686043e4dbb5ff6 Mon Sep 17 00:00:00 2001
From: q66 <daniel@octaforge.org>
Date: Sat, 25 Jul 2020 17:28:16 +0200
Subject: [PATCH] dracut.sh: fix early microcode detection logic
This fixes two issues:
1) on non-x86 systems in non-hostonly config this would cause
an annoying warning on every initramfs generation
2) on non-x86 systems in hostonly config this would result in
early microcode not getting disabled
Resolves: rhbz#2022414
---
dracut.sh | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index e559bb96..952c57c8 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1070,19 +1070,26 @@ fi
if [[ $early_microcode = yes ]]; then
if [[ $hostonly ]]; then
- [[ $(get_cpu_vendor) == "AMD" ]] \
- && ! check_kernel_config CONFIG_MICROCODE_AMD \
- && unset early_microcode
- [[ $(get_cpu_vendor) == "Intel" ]] \
- && ! check_kernel_config CONFIG_MICROCODE_INTEL \
- && unset early_microcode
+ if [[ $(get_cpu_vendor) == "AMD" ]]; then
+ check_kernel_config CONFIG_MICROCODE_AMD || unset early_microcode
+ elif [[ $(get_cpu_vendor) == "Intel" ]]; then
+ check_kernel_config CONFIG_MICROCODE_INTEL || unset early_microcode
+ else
+ unset early_microcode
+ fi
else
! check_kernel_config CONFIG_MICROCODE_AMD \
&& ! check_kernel_config CONFIG_MICROCODE_INTEL \
&& unset early_microcode
fi
- [[ $early_microcode != yes ]] \
- && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE_[AMD|INTEL]!=y"
+ # Do not complain on non-x86 architectures as it makes no sense
+ case $(uname -m) in
+ x86_64|i?86)
+ [[ $early_microcode != yes ]] \
+ && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE_[AMD|INTEL]!=y"
+ ;;
+ *) ;;
+ esac
fi
# Need to be able to have non-root users read stuff (rpcbind etc)

24
SOURCES/0194.patch Normal file
View File

@ -0,0 +1,24 @@
From ccd2823f5b75273445c7de36ff306fd23163f955 Mon Sep 17 00:00:00 2001
From: Masahiro Matsuya <mmatsuya@redhat.com>
Date: Fri, 11 Jun 2021 10:40:04 +0900
Subject: [PATCH] fix(url-lib): make pre-pivot hook separetely per nfs mount
Resolves: rhbz#1967802
---
modules.d/45url-lib/url-lib.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/45url-lib/url-lib.sh b/modules.d/45url-lib/url-lib.sh
index 08c3ebb4..56d0d683 100755
--- a/modules.d/45url-lib/url-lib.sh
+++ b/modules.d/45url-lib/url-lib.sh
@@ -143,7 +143,7 @@ nfs_fetch_url() {
local mntdir="$(mkuniqdir /run nfs_mnt)"
mount_nfs "$nfs:$server:$filepath${options:+:$options}" "$mntdir"
# lazy unmount during pre-pivot hook
- inst_hook --hook pre-pivot --name 99url-lib-umount-nfs umount -l -- "$mntdir"
+ inst_hook --hook pre-pivot --name 99url-lib-umount-nfs-"$(basename "$mntdir")" umount -l -- "$mntdir"
fi
if [ -z "$outloc" ]; then

27
SOURCES/0195.patch Normal file
View File

@ -0,0 +1,27 @@
From 8a4e5b5988d716259ad5b684dc2814d265007cb5 Mon Sep 17 00:00:00 2001
From: Peter Levine <plevine457@gmail.com>
Date: Mon, 1 Feb 2021 22:17:06 -0500
Subject: [PATCH] fix(watchdog): replace return with echo
(cherry picked from commit c35cbd2e561714207388af69820cee2743dbcbc3)
Resolves: #1890039
---
modules.d/04watchdog/module-setup.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules.d/04watchdog/module-setup.sh b/modules.d/04watchdog/module-setup.sh
index 15bcd897..fdc62986 100755
--- a/modules.d/04watchdog/module-setup.sh
+++ b/modules.d/04watchdog/module-setup.sh
@@ -7,7 +7,8 @@ check() {
# called by dracut
depends() {
- return "watchdog-modules"
+ echo watchdog-modules
+ return 0
}
# called by dracut

68
SOURCES/0196.patch Normal file
View File

@ -0,0 +1,68 @@
From c7b21c88d27aace097ce9bc1fc36f4b742858737 Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Mon, 22 Nov 2021 16:40:39 +0100
Subject: [PATCH] fix(network): add errors and warnings when network interface
does not exist
End with error, or show a warning when nonexistent device is specified for network setup like
`ip=10.12.8.12::10.12.255.254:255.255.0.0:xk12:eth0:off`.
I've added the error only for `write-ifcfg.sh`, as I think no such setup should be written.
Resolves: #1712424
---
modules.d/35network-legacy/ifup.sh | 6 +++++-
modules.d/35network-legacy/parse-ip-opts.sh | 5 +++++
modules.d/45ifcfg/write-ifcfg.sh | 5 +++++
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/modules.d/35network-legacy/ifup.sh b/modules.d/35network-legacy/ifup.sh
index bd560379..0e9a6928 100755
--- a/modules.d/35network-legacy/ifup.sh
+++ b/modules.d/35network-legacy/ifup.sh
@@ -413,7 +413,11 @@ for p in $(getargs ip=); do
# If this option isn't directed at our interface, skip it
if [ -n "$dev" ]; then
- [ "$dev" != "$netif" ] && continue
+ if [ "$dev" != "$netif" ]; then
+ [ ! -e "/sys/class/net/$dev" ] \
+ && warn "Network interface '$dev' does not exist!"
+ continue
+ fi
else
iface_is_enslaved "$netif" && continue
fi
diff --git a/modules.d/35network-legacy/parse-ip-opts.sh b/modules.d/35network-legacy/parse-ip-opts.sh
index 10a2d19b..eea0988c 100755
--- a/modules.d/35network-legacy/parse-ip-opts.sh
+++ b/modules.d/35network-legacy/parse-ip-opts.sh
@@ -96,6 +96,11 @@ for p in $(getargs ip=); do
fi
# IFACES list for later use
IFACES="$IFACES $dev"
+
+ # Interface should exist
+ if [ ! -e "/sys/class/net/$dev" ]; then
+ warn "Network interface '$dev' does not exist"
+ fi
fi
# Do we need to check for specific options?
diff --git a/modules.d/45ifcfg/write-ifcfg.sh b/modules.d/45ifcfg/write-ifcfg.sh
index abd111fc..7e767f15 100755
--- a/modules.d/45ifcfg/write-ifcfg.sh
+++ b/modules.d/45ifcfg/write-ifcfg.sh
@@ -100,6 +100,11 @@ interface_bind() {
local _netif="$1"
local _macaddr="$2"
+ if [ ! -e "/sys/class/net/$_netif" ]; then
+ derror "Cannot find network interface '$_netif'!"
+ return 1
+ fi
+
# see, if we can bind it to some hw parms
if hw_bind "$_netif" "$_macaddr"; then
# only print out DEVICE, if it's user assigned

54
SOURCES/0197.patch Normal file
View File

@ -0,0 +1,54 @@
From 0a6125bf834c5a1808e4898f46093bc2ab2fed05 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Wed, 23 Oct 2019 14:16:56 +0200
Subject: [PATCH] dracut.sh: add check for invalid configuration files
Emit a warning about possible misconfigured configuration files, where
the spaces around values are missing for +=""
Better report a possible source of problems. We can fix annoying false
positives later.
(cherry picked from commit dfe2247a43d6a216d9af533825c9a103e3b056cd)
Resolves: #1946245
---
dracut.sh | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/dracut.sh b/dracut.sh
index 952c57c8..702b2f78 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -277,6 +277,14 @@ read_arg() {
fi
}
+check_conf_file()
+{
+ if grep -H -e '^[^#]*[+]=\("[^ ]\|.*[^ ]"\)' "$@"; then
+ printf '\ndracut: WARNING: <key>+=" <values> ": <values> should have surrounding white spaces!\n' >&2
+ printf 'dracut: WARNING: This will lead to unwanted side effects! Please fix the configuration file.\n\n' >&2
+ fi
+}
+
dropindirs_sort()
{
local suffix=$1; shift
@@ -697,10 +705,14 @@ if [[ ! -d $confdir ]]; then
fi
# source our config file
-[[ -f $conffile ]] && . "$conffile"
+if [[ -f $conffile ]]; then
+ check_conf_file "$conffile"
+ . "$conffile"
+fi
# source our config dir
for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do
+ check_conf_file "$f"
[[ -e $f ]] && . "$f"
done

34
SOURCES/0198.patch Normal file
View File

@ -0,0 +1,34 @@
From c99f396a5d456520b34c60f43c589ca39a301955 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Wed, 14 Nov 2018 13:19:27 +0100
Subject: [PATCH] fips: removed false-positive 'FATAL: Module xxx not found'
error message when kernel provides a generic algo for module
Resolves: rhbz#1996019
---
modules.d/01fips/fips.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 03da6861..1d57a889 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -77,7 +77,7 @@ fips_load_crypto()
mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak
for _module in $FIPSMODULES; do
if [ "$_module" != "tcrypt" ]; then
- if ! modprobe "${_module}"; then
+ if ! modprobe "${_module}" 2>/tmp/fips.modprobe_err; then
# check if kernel provides generic algo
_found=0
while read _k _s _v || [ -n "$_k" ]; do
@@ -86,7 +86,7 @@ fips_load_crypto()
_found=1
break
done </proc/crypto
- [ "$_found" = "0" ] && return 1
+ [ "$_found" = "0" ] && cat /tmp/fips.modprobe_err >&2 && return 1
fi
fi
done

37
SOURCES/0199.patch Normal file
View File

@ -0,0 +1,37 @@
From 876196e809f4ffac055737921cfe273d8399b6e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
Date: Tue, 16 Nov 2021 11:15:52 +0100
Subject: [PATCH] fix(shutdown): be robust against forced shutdown
When a forced shutdown is issued through sending a burst of Ctrl-Alt-Del
keys, systemd sends SIGTERM to all processes. This ends up killing
dracut-initramfs-restore as well, preventing the script from detecting
that the unpack of the initramfs is incomplete, which later causes a
crash to happen when "shutdown" tries to execute from the unpacked
initramfs.
This fix makes sure dracut-initramfs-restore remains alive to detect
the unpack failed (because cpio was killed by systemd too).
Resolves: rhbz#2023665
---
dracut-initramfs-restore.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/dracut-initramfs-restore.sh b/dracut-initramfs-restore.sh
index 74a952c4..708f98d7 100644
--- a/dracut-initramfs-restore.sh
+++ b/dracut-initramfs-restore.sh
@@ -6,6 +6,11 @@ set -e
[ -e /run/initramfs/bin/sh ] && exit 0
[ -e /run/initramfs/.need_shutdown ] || exit 0
+# SIGTERM signal is received upon forced shutdown: ignore the signal
+# We want to remain alive to be able to trap unpacking errors to avoid
+# switching root to an incompletely unpacked initramfs
+trap 'echo "Received SIGTERM signal, ignoring!" >&2' TERM
+
KERNEL_VERSION="$(uname -r)"
[[ $dracutbasedir ]] || dracutbasedir=/usr/lib/dracut

84
SOURCES/0200.patch Normal file
View File

@ -0,0 +1,84 @@
From f5ffe8bc95ee989ef39b7c149d268b5988f952a0 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Thu, 17 Jun 2021 10:47:33 -0400
Subject: [PATCH] fix(fips): handle s390x OSTree systems
On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path
to the kernel image, but rather an integer describing the index of the
menu entry selected. Because of the way the s390x bootloader works,
there is no information retained about e.g. the path of the kernel that
was loaded.
This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is
a path to the kernel image to derive the HMAC path. In non-OSTree
systems, this ends up working anyway, because the kernel is located at
the root of the boot partition. In OSTree systems, this is not the
case. However, OSTree systems use BLS configs, and they are named in
reverse order of precedence (i.e. menu ordering). So from the
`BOOT_IMAGE` integer, we can figure out which BLS entry was selected.
Add some code to do just this on s390x. This isn't completely foolproof,
because it presumes that (1) BLS configs were used to populate the
bootloader (and that they were exactly in the same state they currently
are when `zipl` was run), and (2) there are no other menu entries
originating from outside the BLS configs. However, if these assumptions
are wrong we would simply fail the boot, which is currently what is
happening anyway.
See also:
https://github.com/openshift/os/pull/546
https://github.com/ibm-s390-linux/s390-tools/issues/78
Tested-by: Muhammad Adeel <muhammad.adeel@ibm.com>
Resolves: rhbz#2007586
---
modules.d/01fips/fips.sh | 21 +++++++++++++++++++++
modules.d/01fips/module-setup.sh | 2 +-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 1d57a889..c57fd426 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -114,6 +114,27 @@ do_fips()
else
BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+ # On s390x, BOOT_IMAGE isn't a path but an integer representing the
+ # entry number selected. Let's try the root of /boot first, and
+ # otherwise fallback to trying to parse the BLS entries if it's a
+ # BLS-based system.
+ if [ "$(uname -m)" = s390x ]; then
+ if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
+ BOOT_IMAGE="vmlinuz-${KERNEL}"
+ elif [ -d /boot/loader/entries ]; then
+ i=0
+ for bls in $(ls -d /boot/loader/entries/*.conf | sort -rV); do
+ ((i++))
+
+ if [ $i -eq ${BOOT_IMAGE:-0} ] && [ -r "$bls" ]; then
+ BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"
+ BOOT_IMAGE=${BOOT_IMAGE:1}
+ break
+ fi
+ done
+ fi
+ fi
+
# Trim off any leading GRUB boot device (e.g. ($root) )
BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 8800a49e..71bea53a 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -67,7 +67,7 @@ install() {
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
- inst_multiple sha512hmac rmmod insmod mount uname umount
+ inst_multiple sha512hmac rmmod insmod mount uname umount grep sort
inst_simple /etc/system-fips
[ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \

View File

@ -5,7 +5,7 @@
# strip the automatically generated dep here and instead co-own the
# directory.
%global __requires_exclude pkg-config
%define dist_free_release 191.git20210920
%define dist_free_release 201.git20220131
Name: dracut
Version: 049
@ -218,6 +218,16 @@ Patch187: 0187.patch
Patch188: 0188.patch
Patch189: 0189.patch
Patch190: 0190.patch
Patch191: 0191.patch
Patch192: 0192.patch
Patch193: 0193.patch
Patch194: 0194.patch
Patch195: 0195.patch
Patch196: 0196.patch
Patch197: 0197.patch
Patch198: 0198.patch
Patch199: 0199.patch
Patch200: 0200.patch
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@ -670,6 +680,18 @@ echo '# Since rhel-8.3 dracut moved to use NetworkManager
add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/50-network-legacy.conf
%changelog
* Mon Jan 31 2022 Pavel Valena <pvalena@redhat.com> - 049-201.git20220131
- ci: introduce C8S based GHA CI
- ci: backport TEST-21-NFS-NM
- dracut.sh: fix early microcode detection logic
- fix(url-lib): make pre-pivot hook separetely per nfs mount
- fix(watchdog): replace return with echo
- fix(network): add errors and warnings when network interface
- dracut.sh: add check for invalid configuration files
- fips: removed false-positive 'FATAL: Module xxx not found'
- fix(shutdown): be robust against forced shutdown
- fix(fips): handle s390x OSTree systems
* Mon Sep 20 2021 Lukas Nykryn <lnykryn@redhat.com> - 049-191.git20210920
- fix(install): extend hwcaps library handling to libraries