From 2f63df87727fcac26b06607f793dea181a4f5c1e Mon Sep 17 00:00:00 2001 
From: Pavel Valena Date: Mon, 17 Feb 2025 04:17:31 +0100 Subject: [PATCH] Upgrade to dracut 105 https://github.com/redhat-plumbers/dracut-rhel10/pull/30 And additonal fixes; respective commits: - fix(systemd-ask-password): do not half-install systemd-ask-password-wall - fix(pcsc): add libpcsclite_real.so.* Additional simple fixes. - revert: "fix(rescue): make rescue always no-hostonly" Do not use "add-confdir", as we do not package those configs. - fix(dracut-install): initize fts pointer Fix for compiler warning; https://github.com/dracut-ng/dracut-ng/pull/1229 - feat: add openssl module Needed for eDNS and fips. - build: make erofs the default requirement for squash subpackage Needed for squashfs removal. Resolves: RHEL-65204,RHEL-68935,RHEL-76323 From-source-git-commit: 9e216f2126a772e4b91b234c90d1debef797dced --- ...fix-rngd-install-system-service-file.patch | 59 - ...ll.d-correctly-install-pre-genned-im.patch | 8 +- ...all-do-nothing-when-KERNEL_INSTALL_I.patch | 96 +- ...ll-do-not-generate-an-initrd-when-on.patch | 10 +- ...ume-always-include-the-resume-module.patch | 39 +- ...applied-patch-in-commit-c6d18c3c7159.patch | 75 -- ...ect-ownership-and-permissions-for-st.patch | 8 +- ....sh-give-force-add-precedence-over-o.patch | 10 +- ...-unlock-encrypted-devices-by-default.patch | 29 - ...h-look-for-initrd-in-usr-lib-modules.patch | 8 +- ...e-include-dash-let-sh-module-make-a-.patch | 30 - ...-include-fips-module-unconditionally.patch | 8 +- ...ions-allow-for-in-get_maj_min-file-p.patch | 31 - ...ions.sh-only-return-block-devices-fr.patch | 42 - ...password-do-not-half-install-systemd.patch | 39 + ...lude-systemd-config-files-from-usr-l.patch | 112 -- 0010-fix-pcsc-add-libpcsclite_real.so.patch | 37 + ...ume-always-include-the-resume-module.patch | 34 - ...escue-make-rescue-always-no-hostonly.patch | 30 + ....sh-allow-changing-the-destination-d.patch | 197 ---- ...x-dracut-install-initize-fts-pointer.patch | 26 + 0013-feat-add-openssl-module.patch | 1021 
+++++++++++++++++ ...sh-add-module-to-mods_to_load-before.patch | 82 -- ...-mksquashfs-to-99squash-modules-setu.patch | 192 ---- ...plit-95squash-squashfs-from-99squash.patch | 183 --- ...eat-squash-add-module-95squash-erofs.patch | 128 --- ...sinitrd-add-support-for-erofs-images.patch | 240 ---- ...nitramfs-restore-unpack-erofs-images.patch | 59 - ...plicitly-create-required-directories.patch | 55 - ...9busybox-instead-of-installing-it-ma.patch | 64 -- ...also-entries-from-usr-lib-passwd-gro.patch | 40 - ...it.sh-add-module-to-mods_to_load-bef.patch | 73 -- ...-fix-squash-remove-cyclic-dependency.patch | 313 ----- ...it-when-installing-the-squash-loader.patch | 38 - ...ash-lib-harden-against-empty-initdir.patch | 40 - ...-policies-make-c-p-follow-FIPS-mode-.patch | 158 --- ...policies-make-it-depend-on-fips-drac.patch | 34 - dracut.spec | 138 +-- sources | 2 +- 39 files changed, 1290 insertions(+), 2498 deletions(-) delete mode 100644 0001-fix-rngd-install-system-service-file.patch rename 0002-revert-fix-install.d-correctly-install-pre-genned-im.patch => 0001-revert-fix-install.d-correctly-install-pre-genned-im.patch (97%) rename 0003-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch => 0002-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch (50%) rename 0004-fix-kernel-install-do-not-generate-an-initrd-when-on.patch => 0003-fix-kernel-install-do-not-generate-an-initrd-when-on.patch (85%) rename 0022-fix-resume-do-not-include-resume-if-swap-is-on-netde.patch => 0004-fix-resume-always-include-the-resume-module.patch (57%) delete mode 100644 0005-fix-incorrectly-applied-patch-in-commit-c6d18c3c7159.patch rename 0021-fix-nfs-set-correct-ownership-and-permissions-for-st.patch => 0005-fix-nfs-set-correct-ownership-and-permissions-for-st.patch (89%) rename 0023-feat-dracut-init.sh-give-force-add-precedence-over-o.patch => 0006-feat-dracut-init.sh-give-force-add-precedence-over-o.patch (87%) delete mode 100644 
0006-revert-fix-crypt-unlock-encrypted-devices-by-default.patch rename 0024-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch => 0007-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch (87%) delete mode 100644 0007-test-do-not-force-include-dash-let-sh-module-make-a-.patch rename 0025-feat-fips-include-fips-module-unconditionally.patch => 0008-feat-fips-include-fips-module-unconditionally.patch (74%) delete mode 100644 0008-fix-dracut-functions-allow-for-in-get_maj_min-file-p.patch delete mode 100644 0009-fix-dracut-functions.sh-only-return-block-devices-fr.patch create mode 100644 0009-fix-systemd-ask-password-do-not-half-install-systemd.patch delete mode 100644 0010-feat-systemd-include-systemd-config-files-from-usr-l.patch create mode 100644 0010-fix-pcsc-add-libpcsclite_real.so.patch delete mode 100644 0011-fix-resume-always-include-the-resume-module.patch create mode 100644 0011-revert-fix-rescue-make-rescue-always-no-hostonly.patch delete mode 100644 0012-feat-dracut-init.sh-allow-changing-the-destination-d.patch create mode 100644 0012-fix-dracut-install-initize-fts-pointer.patch create mode 100644 0013-feat-add-openssl-module.patch delete mode 100644 0013-fix-dracut-init.sh-add-module-to-mods_to_load-before.patch delete mode 100644 0014-feat-squash-move-mksquashfs-to-99squash-modules-setu.patch delete mode 100644 0015-feat-squash-split-95squash-squashfs-from-99squash.patch delete mode 100644 0016-feat-squash-add-module-95squash-erofs.patch delete mode 100644 0017-feat-lsinitrd-add-support-for-erofs-images.patch delete mode 100644 0018-feat-dracut-initramfs-restore-unpack-erofs-images.patch delete mode 100644 0019-fix-squash-explicitly-create-required-directories.patch delete mode 100644 0020-fix-squash-use-99busybox-instead-of-installing-it-ma.patch delete mode 100644 0026-fix-nfs-include-also-entries-from-usr-lib-passwd-gro.patch delete mode 100644 0027-revert-dracut-init.sh-add-module-to-mods_to_load-bef.patch delete mode 100644 
0028-fix-squash-remove-cyclic-dependency.patch delete mode 100644 0029-fix-dracut.sh-exit-when-installing-the-squash-loader.patch delete mode 100644 0030-fix-squash-lib-harden-against-empty-initdir.patch delete mode 100644 0031-feat-fips-crypto-policies-make-c-p-follow-FIPS-mode-.patch delete mode 100644 0032-fix-fips-crypto-policies-make-it-depend-on-fips-drac.patch diff --git a/0001-fix-rngd-install-system-service-file.patch b/0001-fix-rngd-install-system-service-file.patch deleted file mode 100644 index 9177ffe..0000000 --- a/0001-fix-rngd-install-system-service-file.patch +++ /dev/null 
@@ -1,59 +0,0 @@
-From f75ae29afc829e19834c4cb99ca51b8ebe8481bf Mon Sep 17 00:00:00 2001
-From: Pavel Valena
-Date: Sun, 23 Jul 2023 19:44:17 +0200
-Subject: [PATCH 01/32] fix(rngd): install system service file
-
-as there's no reason to keep a copy; there shouldn't be any modifications.
-
-In case there are args stored in a separate file (Fedora and alike),
-it needs to be supplied too, but without the option to change the user.
----
- modules.d/06rngd/module-setup.sh | 7 ++++++-
- modules.d/06rngd/rngd.service | 8 --------
- modules.d/06rngd/sysconfig | 1 +
- 3 files changed, 7 insertions(+), 9 deletions(-)
- delete mode 100644 modules.d/06rngd/rngd.service
- create mode 100644 modules.d/06rngd/sysconfig
-
-diff --git a/modules.d/06rngd/module-setup.sh b/modules.d/06rngd/module-setup.sh
-index aec8d576..e8bdf7f5 100755
---- a/modules.d/06rngd/module-setup.sh
-+++ b/modules.d/06rngd/module-setup.sh
-@@ -32,7 +32,12 @@ depends() {
-
- install() {
- inst rngd
-- inst_simple "${moddir}/rngd.service" "${systemdsystemunitdir}/rngd.service"
-+ inst_simple "${systemdsystemunitdir}/rngd.service"
-+
-+ if [ -r /etc/sysconfig/rngd ]; then
-+ inst_simple "${moddir}/sysconfig" "/etc/sysconfig/rngd"
-+ fi
-+
- # make sure dependent libs are installed too
- inst_libdir_file opensc-pkcs11.so
-
-diff --git a/modules.d/06rngd/rngd.service b/modules.d/06rngd/rngd.service
-deleted file mode 100644
-index dd5374d7..00000000
---- a/modules.d/06rngd/rngd.service
-+++ /dev/null
-@@ -1,8 +0,0 @@
--[Unit]
--Description=Hardware RNG Entropy Gatherer Daemon
--DefaultDependencies=no
--Before=systemd-udevd.service
--ConditionVirtualization=!container
--
--[Service]
--ExecStart=/usr/sbin/rngd -f
-diff --git a/modules.d/06rngd/sysconfig b/modules.d/06rngd/sysconfig
-new file mode 100644
-index 00000000..68047ec1
---- /dev/null
-+++ b/modules.d/06rngd/sysconfig
-@@ -0,0 +1 @@
-+RNGD_ARGS="-x pkcs11 -x nist"
---
-2.42.0
-
diff --git a/0002-revert-fix-install.d-correctly-install-pre-genned-im.patch b/0001-revert-fix-install.d-correctly-install-pre-genned-im.patch similarity index 97% rename from 0002-revert-fix-install.d-correctly-install-pre-genned-im.patch rename to 0001-revert-fix-install.d-correctly-install-pre-genned-im.patch index 2ab6cfd..c7039ad 100644 --- a/0002-revert-fix-install.d-correctly-install-pre-genned-im.patch +++ b/0001-revert-fix-install.d-correctly-install-pre-genned-im.patch @@ -1,7 +1,7 @@ -From 9b7740eaf33357cc087c83d95d089bdf8ead07dd Mon Sep 17 00:00:00 2001 +From 07151e560561b415f7e016362ab1d180b13f33fb Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Wed, 12 Jun 2024 06:30:42 +0200 -Subject: [PATCH 02/32] revert: "fix(install.d): correctly install pre-genned +Subject: [PATCH 01/13] revert: "fix(install.d): correctly install pre-genned image and die if no args" revert: "fix(install.d): simplify and use what kernel-install gives us" @@ -198,7 +198,7 @@ index 14f87721..441414ac 100755 - "$KERNEL_INSTALL_STAGING_AREA/$IMAGE" || exit 1 +exit $ret diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install -index 25f75557..aa0ccdc5 100755 +index 4ec9e3c5..9312e242 100755 --- a/install.d/51-dracut-rescue.install +++ b/install.d/51-dracut-rescue.install @@ -2,29 +2,11 @@ @@ -234,5 +234,5 @@ index 25f75557..aa0ccdc5 100755 suffix=$1 shift -- -2.42.0 +2.47.1 diff --git a/0003-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch b/0002-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch similarity index 50% rename from 0003-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch rename to 0002-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch index 938aa1f..bd86841 100644 --- a/0003-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch +++ b/0002-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch 
@@ -1,7 +1,7 @@ -From 0d2983f7dbc1f5fbaa60735c839ea111d3f5d4e0 Mon Sep 17 00:00:00 2001 +From e8c6d93a1fe7ea255754bfb93fad8daad62a85ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Jan 2022 18:08:42 +0100 -Subject: [PATCH 03/32] feat(kernel-install): do nothing when +Subject: [PATCH 02/13] feat(kernel-install): do nothing when $KERNEL_INSTALL_INITRD_GENERATOR says so dracut may be installed without being actually used. This is very common in @@ -15,15 +15,15 @@ something else, skip our kernel-install plugins. (Cherry-picked commit f47bcdd7342ca0d46b889e712a1c7446e18434bc from PR#1825) --- - install.d/50-dracut.install | 31 ++++++------------------------ - install.d/51-dracut-rescue.install | 12 +++++++++--- - 2 files changed, 15 insertions(+), 28 deletions(-) + install.d/50-dracut.install | 9 ++++++++- + install.d/51-dracut-rescue.install | 6 ++++++ + 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/install.d/50-dracut.install b/install.d/50-dracut.install -index 441414ac..efb184cd 100755 +index 441414ac..3f961b11 100755 --- a/install.d/50-dracut.install +++ b/install.d/50-dracut.install -@@ -6,38 +6,19 @@ BOOT_DIR_ABS="$3" +@@ -6,11 +6,17 @@ BOOT_DIR_ABS="$3" KERNEL_IMAGE="$4" # If KERNEL_INSTALL_MACHINE_ID is defined but empty, BOOT_DIR_ABS is a fake directory. 
@@ -33,64 +33,40 @@ index 441414ac..efb184cd 100755 exit 0 fi --# Do not attempt to create initramfs if the supplied image is already a UKI --if [[ "$KERNEL_INSTALL_IMAGE_TYPE" = "uki" ]]; then -+# Skip this plugin if we're using a different generator. If nothing is specified, -+# assume we're wanted since we're installed. -+if [ "${KERNEL_INSTALL_INITRD_GENERATOR:-dracut}" != "dracut" ]; then - exit 0 - fi - --# Mismatching the install layout and the --uefi/--no-uefi opts just creates a mess. --if [[ $KERNEL_INSTALL_LAYOUT == "uki" && -n $KERNEL_INSTALL_STAGING_AREA ]]; then -- BOOT_DIR_ABS="$KERNEL_INSTALL_STAGING_AREA" -- if [[ -z $KERNEL_INSTALL_UKI_GENERATOR || $KERNEL_INSTALL_UKI_GENERATOR == "dracut" ]]; then -- # No uki generator preference set or we have been chosen -- IMAGE="uki.efi" -- UEFI_OPTS="--uefi" -- elif [[ -z $KERNEL_INSTALL_INITRD_GENERATOR || $KERNEL_INSTALL_INITRD_GENERATOR == "dracut" ]]; then -- # We aren't the uki generator, but we have been requested to make the initrd -- IMAGE="initrd" -- UEFI_OPTS="--no-uefi" -- else -- exit 0 -- fi --elif [[ $KERNEL_INSTALL_LAYOUT == "bls" && -n $KERNEL_INSTALL_STAGING_AREA ]]; then -- BOOT_DIR_ABS="$KERNEL_INSTALL_STAGING_AREA" -- if [[ -z $KERNEL_INSTALL_INITRD_GENERATOR || $KERNEL_INSTALL_INITRD_GENERATOR == "dracut" ]]; then -- IMAGE="initrd" -- UEFI_OPTS="--no-uefi" -- else -- exit 0 -- fi -+if [[ -d "$BOOT_DIR_ABS" ]]; then -+ INITRD="initrd" - else - # No layout information, use users --uefi/--no-uefi preference - UEFI_OPTS="" -diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install -index aa0ccdc5..be4172b5 100755 ---- a/install.d/51-dracut-rescue.install -+++ b/install.d/51-dracut-rescue.install -@@ -7,9 +7,15 @@ KERNEL_VERSION="$2" - BOOT_DIR_ABS="${3%/*}/0-rescue" - KERNEL_IMAGE="$4" - --dropindirs_sort() { -- suffix=$1 -- shift +# Skip this plugin if we're using a different generator. If nothing is specified, +# assume we're wanted since we're installed. 
+if [ "${KERNEL_INSTALL_INITRD_GENERATOR:-dracut}" != "dracut" ]; then + exit 0 +fi + -+dropindirs_sort() -+{ -+ suffix=$1; shift - args=("$@") - files=$( - while (($# > 0)); do + # Do not attempt to create initramfs if the supplied image is already a UKI + if [[ "$KERNEL_INSTALL_IMAGE_TYPE" = "uki" ]]; then + exit 0 +@@ -38,6 +44,7 @@ elif [[ $KERNEL_INSTALL_LAYOUT == "bls" && -n $KERNEL_INSTALL_STAGING_AREA ]]; t + else + exit 0 + fi ++ + else + # No layout information, use users --uefi/--no-uefi preference + UEFI_OPTS="" +diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install +index 9312e242..decee283 100755 +--- a/install.d/51-dracut-rescue.install ++++ b/install.d/51-dracut-rescue.install +@@ -7,6 +7,12 @@ KERNEL_VERSION="$2" + BOOT_DIR_ABS="${3%/*}/0-rescue" + KERNEL_IMAGE="$4" + ++# Skip this plugin if we're using a different generator. If nothing is specified, ++# assume we're wanted since we're installed. ++if [ "${KERNEL_INSTALL_INITRD_GENERATOR:-dracut}" != "dracut" ]; then ++ exit 0 ++fi ++ + dropindirs_sort() { + suffix=$1 + shift -- -2.42.0 +2.47.1 diff --git a/0004-fix-kernel-install-do-not-generate-an-initrd-when-on.patch b/0003-fix-kernel-install-do-not-generate-an-initrd-when-on.patch similarity index 85% rename from 0004-fix-kernel-install-do-not-generate-an-initrd-when-on.patch rename to 0003-fix-kernel-install-do-not-generate-an-initrd-when-on.patch index d02e856..07b59e2 100644 --- a/0004-fix-kernel-install-do-not-generate-an-initrd-when-on.patch +++ b/0003-fix-kernel-install-do-not-generate-an-initrd-when-on.patch @@ -1,7 +1,7 @@ -From 65d5bd785458da98b0388ddf3f8e67e569af67c1 Mon Sep 17 00:00:00 2001 +From 430b1b06e60de78c28ed6e70982a30f41585b219 Mon Sep 17 00:00:00 2001 
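Review bot: The `KERNEL_INSTALL_INITRD_GENERATOR` guard added near the top of 50-dracut.install runs before the layout checks, so with `KERNEL_INSTALL_LAYOUT=uki` and dracut chosen as UKI generator the plugin would now exit as soon as a different initrd generator is configured. The uki/bls branches further down are not part of this hunk (they are visible in the dropped 0005 patch), and they already test both generator variables, so the new guard looks redundant for the initrd case and appears to silently skip image generation in the UKI case. If that skip is intended for RHEL, record it next to the guard, e.g. `# rhel-only: dracut is never used as UKI generator when another initrd generator is selected`. The second inner hunk of the same file adds only a blank line before `else`; dropping it would keep the downstream patch smaller and easier to rebase. The same guard is added to 51-dracut-rescue.install, where no layout logic is visible in the hunk.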
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 18 Jan 2022 18:58:58 +0100 -Subject: [PATCH 04/32] fix(kernel-install): do not generate an initrd when one +Subject: [PATCH 03/13] fix(kernel-install): do not generate an initrd when one was specified According to the synopsis, kernel-install can be called with an @@ -13,7 +13,7 @@ already-prepared initrd. In that case, no initrd should be generated by dracut. 1 file changed, 4 insertions(+) diff --git a/install.d/50-dracut.install b/install.d/50-dracut.install -index efb184cd..3907e303 100755 +index 3f961b11..076b4f5e 100755 --- a/install.d/50-dracut.install +++ b/install.d/50-dracut.install @@ -4,6 +4,7 @@ COMMAND="$1" @@ -24,7 +24,7 @@ index efb184cd..3907e303 100755 # If KERNEL_INSTALL_MACHINE_ID is defined but empty, BOOT_DIR_ABS is a fake directory. # In this case, do not create the initrd. -@@ -34,6 +35,9 @@ ret=0 +@@ -60,6 +61,9 @@ ret=0 case "$COMMAND" in add) @@ -35,5 +35,5 @@ index efb184cd..3907e303 100755 IMAGE_PREGENERATED=${KERNEL_IMAGE%/*}/uki.efi else -- -2.42.0 +2.47.1 diff --git a/0022-fix-resume-do-not-include-resume-if-swap-is-on-netde.patch b/0004-fix-resume-always-include-the-resume-module.patch similarity index 57% rename from 0022-fix-resume-do-not-include-resume-if-swap-is-on-netde.patch rename to 0004-fix-resume-always-include-the-resume-module.patch index bee218c..1971f7f 100644 --- a/0022-fix-resume-do-not-include-resume-if-swap-is-on-netde.patch +++ b/0004-fix-resume-always-include-the-resume-module.patch @@ -1,8 +1,17 @@ -From 4a6806efae05b453bb9b93efe961fb1033bb562b Mon Sep 17 00:00:00 2001 +From 67654956c27c159e29701a2b9fd9430d372a9f91 Mon Sep 17 00:00:00 2001 
From: Pavel Valena -Date: Sat, 17 Aug 2024 00:39:17 +0200 -Subject: [PATCH 22/32] fix(resume): do not include resume if swap is on - netdevice +Date: Thu, 8 Aug 2024 00:21:12 +0200 +Subject: [PATCH 04/13] fix(resume): always include the resume module + +as we can't determine with certainity that it won't be needed. + +rhel-only + +Resolves: RHEL-53350 + +(commit messages from squashed commits:) + +fix(resume): do not include resume if swap is on netdevice Additional fix, restoring previous behavior identical to RHEL-9. @@ -10,24 +19,24 @@ rhel-only Resolves: RHEL-53350 --- - modules.d/95resume/module-setup.sh | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) + modules.d/95resume/module-setup.sh | 5 +++++ + 1 file changed, 5 insertions(+) diff --git a/modules.d/95resume/module-setup.sh b/modules.d/95resume/module-setup.sh -index c0f04a6c..785f681a 100755 +index d419566e..785f681a 100755 --- a/modules.d/95resume/module-setup.sh +++ b/modules.d/95resume/module-setup.sh -@@ -4,9 +4,6 @@ - # shellcheck disable=SC2317 - check() { +@@ -1,7 +1,9 @@ + #!/bin/bash -- # Always include resume module -- return 0 -- + # called by dracut ++# shellcheck disable=SC2317 + check() { ++ swap_on_netdevice() { local _dev for _dev in "${swap_devs[@]}"; do -@@ -23,6 +20,9 @@ check() { +@@ -18,6 +20,9 @@ check() { # hibernation support requested on kernel command line return 0 else @@ -38,5 +47,5 @@ index c0f04a6c..785f681a 100755 if [[ -f /sys/power/resume ]]; then if [[ "$(< /sys/power/resume)" == "0:0" ]]; then -- -2.42.0 +2.47.1 diff --git a/0005-fix-incorrectly-applied-patch-in-commit-c6d18c3c7159.patch b/0005-fix-incorrectly-applied-patch-in-commit-c6d18c3c7159.patch deleted file mode 100644 index b5e1ac3..0000000 --- a/0005-fix-incorrectly-applied-patch-in-commit-c6d18c3c7159.patch +++ /dev/null 
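Review bot: The squashed patch keeps the subject `fix(resume): always include the resume module`, but the check() it produces has no unconditional `return 0`; going by the second quoted commit message and the `swap_on_netdevice` helper in the context, resume is left out when swap sits on a network device. Anyone reading the patch list or the spec changelog gets the opposite of the resulting behaviour, so the subject should state the net effect, for example `fix(resume): include resume unless swap is on a netdevice`. The three lines added in the `else` branch fall outside the visible part of the hunk, so this reading rests on the headers and context lines only. The message body also spells `certainity` where `certainty` is meant.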
@@ -1,75 +0,0 @@
-From 35326479721f8b439f291bf8ff35354107144012 Mon Sep 17 00:00:00 2001
-From: Pavel Valena
-Date: Thu, 11 Jul 2024 07:33:05 +0200
-Subject: [PATCH 05/32] fix: incorrectly applied patch in commit
- c6d18c3c71597e78572378fc4dde391f1845b8
-
-named: "feat(kernel-install): do nothing when $KERNEL_INSTALL_INITRD_GENERATOR says so"
-
-Resolves: rhbz#2276271
----
- install.d/50-dracut.install | 30 ++++++++++++++++++++++++++++--
- install.d/51-dracut-rescue.install | 6 +++---
- 2 files changed, 31 insertions(+), 5 deletions(-)
-
-diff --git a/install.d/50-dracut.install b/install.d/50-dracut.install
-index 3907e303..076b4f5e 100755
---- a/install.d/50-dracut.install
-+++ b/install.d/50-dracut.install
-@@ -18,8 +18,34 @@ if [ "${KERNEL_INSTALL_INITRD_GENERATOR:-dracut}" != "dracut" ]; then
- exit 0
- fi
-
--if [[ -d "$BOOT_DIR_ABS" ]]; then
-- INITRD="initrd"
-+# Do not attempt to create initramfs if the supplied image is already a UKI
-+if [[ "$KERNEL_INSTALL_IMAGE_TYPE" = "uki" ]]; then
-+ exit 0
-+fi
-+
-+# Mismatching the install layout and the --uefi/--no-uefi opts just creates a mess.
-+if [[ $KERNEL_INSTALL_LAYOUT == "uki" && -n $KERNEL_INSTALL_STAGING_AREA ]]; then
-+ BOOT_DIR_ABS="$KERNEL_INSTALL_STAGING_AREA"
-+ if [[ -z $KERNEL_INSTALL_UKI_GENERATOR || $KERNEL_INSTALL_UKI_GENERATOR == "dracut" ]]; then
-+ # No uki generator preference set or we have been chosen
-+ IMAGE="uki.efi"
-+ UEFI_OPTS="--uefi"
-+ elif [[ -z $KERNEL_INSTALL_INITRD_GENERATOR || $KERNEL_INSTALL_INITRD_GENERATOR == "dracut" ]]; then
-+ # We aren't the uki generator, but we have been requested to make the initrd
-+ IMAGE="initrd"
-+ UEFI_OPTS="--no-uefi"
-+ else
-+ exit 0
-+ fi
-+elif [[ $KERNEL_INSTALL_LAYOUT == "bls" && -n $KERNEL_INSTALL_STAGING_AREA ]]; then
-+ BOOT_DIR_ABS="$KERNEL_INSTALL_STAGING_AREA"
-+ if [[ -z $KERNEL_INSTALL_INITRD_GENERATOR || $KERNEL_INSTALL_INITRD_GENERATOR == "dracut" ]]; then
-+ IMAGE="initrd"
-+ UEFI_OPTS="--no-uefi"
-+ else
-+ exit 0
-+ fi
-+
- else
- # No layout information, use users --uefi/--no-uefi preference
- UEFI_OPTS=""
-diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install
-index be4172b5..5310229e 100755
---- a/install.d/51-dracut-rescue.install
-+++ b/install.d/51-dracut-rescue.install
-@@ -13,9 +13,9 @@ if [ "${KERNEL_INSTALL_INITRD_GENERATOR:-dracut}" != "dracut" ]; then
- exit 0
- fi
-
--dropindirs_sort()
--{
-- suffix=$1; shift
-+dropindirs_sort() {
-+ suffix=$1
-+ shift
- args=("$@")
- files=$(
- while (($# > 0)); do
---
-2.42.0
-
diff --git a/0021-fix-nfs-set-correct-ownership-and-permissions-for-st.patch b/0005-fix-nfs-set-correct-ownership-and-permissions-for-st.patch
similarity index 89%
rename from 0021-fix-nfs-set-correct-ownership-and-permissions-for-st.patch
rename to 0005-fix-nfs-set-correct-ownership-and-permissions-for-st.patch
index b408e1b..76b7bc3 100644
--- a/0021-fix-nfs-set-correct-ownership-and-permissions-for-st.patch
+++ b/0005-fix-nfs-set-correct-ownership-and-permissions-for-st.patch
@@ -1,7 +1,7 @@ -From c6c9f871b87cdc334be989b42e9a5d2070ae17c5 Mon Sep 17 00:00:00 2001 +From 3e33ee5ce614059c9e4a81e8003df5142f1312c5 Mon Sep 17 00:00:00 2001 From: Lukas Nykryn Date: Mon, 19 Jul 2021 11:27:28 +0200 -Subject: [PATCH 21/32] fix(nfs): set correct ownership and permissions for +Subject: [PATCH 05/13] fix(nfs): set correct ownership and permissions for statd directory The directory ownership for the statd directory should be @@ -15,7 +15,7 @@ Resolves: RHEL-53361 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/modules.d/95nfs/module-setup.sh b/modules.d/95nfs/module-setup.sh -index 5cc42892..fbaeeb00 100755 +index c6fdd506..e36cd144 100755 --- a/modules.d/95nfs/module-setup.sh +++ b/modules.d/95nfs/module-setup.sh @@ -120,8 +120,13 @@ install() { @@ -35,5 +35,5 @@ index 5cc42892..fbaeeb00 100755 # Rather than copy the passwd file in, just set a user for rpcbind # We'll save the state and restart the daemon from the root anyway -- -2.42.0 +2.47.1 diff --git a/0023-feat-dracut-init.sh-give-force-add-precedence-over-o.patch b/0006-feat-dracut-init.sh-give-force-add-precedence-over-o.patch similarity index 87% rename from 0023-feat-dracut-init.sh-give-force-add-precedence-over-o.patch rename to 0006-feat-dracut-init.sh-give-force-add-precedence-over-o.patch index 5b4ebec..fa0394a 100644 --- a/0023-feat-dracut-init.sh-give-force-add-precedence-over-o.patch +++ b/0006-feat-dracut-init.sh-give-force-add-precedence-over-o.patch @@ -1,7 +1,7 @@ -From 2f3c9cb56cc7ccdccbd8f8056b21d39fa736da1e Mon Sep 17 00:00:00 2001 +From 7fea469146481fdf30e6f2c933fa85426b6a2927 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Sat, 17 Aug 2024 01:43:50 +0200 -Subject: [PATCH 23/32] feat(dracut-init.sh): give --force-add precedence over +Subject: [PATCH 06/13] feat(dracut-init.sh): give --force-add precedence over --omit This gives precedence of force_add_dracutmodules to omit_dracutmodules, 
@@ -23,10 +23,10 @@ Resolves: RHEL-53791 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/dracut-init.sh b/dracut-init.sh -index 746362d1..3917bb0d 100755 +index 1ce0d7ed..d78d3cd0 100755 --- a/dracut-init.sh +++ b/dracut-init.sh -@@ -969,8 +969,10 @@ check_module() { +@@ -935,8 +935,10 @@ check_module() { [[ $2 ]] || mods_checked_as_dep+=" $_mod " if [[ " $omit_dracutmodules " == *\ $_mod\ * ]]; then @@ -40,5 +40,5 @@ index 746362d1..3917bb0d 100755 if [[ " $dracutmodules $add_dracutmodules $force_add_dracutmodules" == *\ $_mod\ * ]]; then -- -2.42.0 +2.47.1 diff --git a/0006-revert-fix-crypt-unlock-encrypted-devices-by-default.patch b/0006-revert-fix-crypt-unlock-encrypted-devices-by-default.patch deleted file mode 100644 index 13e2b45..0000000 --- a/0006-revert-fix-crypt-unlock-encrypted-devices-by-default.patch +++ /dev/null @@ -1,29 +0,0 @@ -From afcfd7378110969cce445d7613d9e81c9d85cac0 Mon Sep 17 00:00:00 2001 -From: Pavel Valena -Date: Thu, 11 Jul 2024 16:24:14 +0200 -Subject: [PATCH 06/32] revert: "fix(crypt): unlock encrypted devices by - default during boot" - -This reverts commit 2339acfaeee60d6bb26a1103db2e53bc8f9cb2d1. - -Resolves: rhbz#2295215 ---- - modules.d/90crypt/parse-crypt.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules.d/90crypt/parse-crypt.sh b/modules.d/90crypt/parse-crypt.sh -index 9567a4a9..e46e347a 100755 ---- a/modules.d/90crypt/parse-crypt.sh -+++ b/modules.d/90crypt/parse-crypt.sh -@@ -174,7 +174,7 @@ else - } >> "$hookdir/emergency/90-crypt.sh" - fi - done -- elif getargbool 1 rd.auto && [ -z "$(getargs rd.luks.name)" ]; then -+ elif getargbool 0 rd.auto; then - if [ -z "$DRACUT_SYSTEMD" ]; then - { - printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)" --- -2.42.0 - 
diff --git a/0024-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch b/0007-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch similarity index 87% rename from 0024-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch rename to 0007-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch index 62fbeff..e649f05 100644 --- a/0024-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch +++ b/0007-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch @@ -1,7 +1,7 @@ -From 226de396c97d483380bd0604bfe2ff7f6a2ef48c Mon Sep 17 00:00:00 2001 +From 9e9193f6da0348eb476c3aff6d066292b10cefe1 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Fri, 16 Aug 2024 20:40:15 +0200 -Subject: [PATCH 24/32] feat(lsinitrd.sh): look for initrd in /usr/lib/modules/ +Subject: [PATCH 07/13] feat(lsinitrd.sh): look for initrd in /usr/lib/modules/ Introduce new path for lsinitrd.sh to look into: @@ -19,7 +19,7 @@ Resolves: RHEL-54650 1 file changed, 4 insertions(+) diff --git a/lsinitrd.sh b/lsinitrd.sh -index 6799f938..35314b78 100755 +index ac49b5d7..f8696e68 100755 --- a/lsinitrd.sh +++ b/lsinitrd.sh @@ -125,6 +125,10 @@ find_initrd_for_kernel_version() { @@ -34,5 +34,5 @@ index 6799f938..35314b78 100755 echo "/boot/initramfs-${kernel_version}.img" else -- -2.42.0 +2.47.1 diff --git a/0007-test-do-not-force-include-dash-let-sh-module-make-a-.patch b/0007-test-do-not-force-include-dash-let-sh-module-make-a-.patch deleted file mode 100644 index 0cfed75..0000000 --- a/0007-test-do-not-force-include-dash-let-sh-module-make-a-.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 02bc9391cfdf7f3b16c49cde9d881642c13fc8c0 Mon Sep 17 00:00:00 2001 -From: Laszlo Gombos -Date: Sat, 20 Jul 2024 18:49:38 -0400 -Subject: [PATCH 07/32] test: do not force include dash, let sh module make a - selection - -This is important for alpine, so that it does not install both -dash and busybox dracut modules that are potentially conflicting. - -(cherry picked from commit 6e3c2bf9d01ad0f93176ee121bb70404f24de4e7) ---- - modules.d/80test-makeroot/module-setup.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/modules.d/80test-makeroot/module-setup.sh b/modules.d/80test-makeroot/module-setup.sh -index f311e4a0..fc105d7e 100755 ---- a/modules.d/80test-makeroot/module-setup.sh -+++ b/modules.d/80test-makeroot/module-setup.sh -@@ -6,7 +6,7 @@ check() { - } - - depends() { -- echo "dash rootfs-block kernel-modules qemu" -+ echo "rootfs-block kernel-modules qemu" - } - - installkernel() { --- -2.42.0 - diff --git a/0025-feat-fips-include-fips-module-unconditionally.patch b/0008-feat-fips-include-fips-module-unconditionally.patch similarity index 74% rename from 0025-feat-fips-include-fips-module-unconditionally.patch rename to 0008-feat-fips-include-fips-module-unconditionally.patch index 766f52a..f597926 100644 --- a/0025-feat-fips-include-fips-module-unconditionally.patch +++ b/0008-feat-fips-include-fips-module-unconditionally.patch @@ -1,7 +1,7 @@ -From 3e25517a0d1f0054e69409eb89484879251f47a3 Mon Sep 17 00:00:00 2001 +From c41f441214a98284475f0965973c3541bd158df7 Mon Sep 17 00:00:00 2001 From: Pavel Valena Date: Mon, 19 Aug 2024 09:41:27 +0200 -Subject: [PATCH 25/32] feat(fips): include fips module unconditionally +Subject: [PATCH 08/13] feat(fips): include fips module unconditionally rhel-only @@ -11,7 +11,7 @@ Resolves: RHEL-39404 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh -index 1e0c9d09..005f0b6d 100755 +index a497ac5c..e3b7ca33 100755 --- a/modules.d/01fips/module-setup.sh +++ b/modules.d/01fips/module-setup.sh @@ -2,7 +2,7 @@ @@ -24,5 +24,5 @@ index 1e0c9d09..005f0b6d 100755 # called by dracut -- -2.42.0 +2.47.1 diff --git a/0008-fix-dracut-functions-allow-for-in-get_maj_min-file-p.patch b/0008-fix-dracut-functions-allow-for-in-get_maj_min-file-p.patch deleted file mode 100644 index a0ebb22..0000000 --- a/0008-fix-dracut-functions-allow-for-in-get_maj_min-file-p.patch +++ /dev/null @@ -1,31 +0,0 @@ -From bdfdbdee356cb83dad86f1d49fc21df9117ba8eb Mon Sep 17 00:00:00 2001 -From: Pavel Valena -Date: Thu, 8 Aug 2024 01:30:50 +0200 -Subject: [PATCH 08/32] fix(dracut-functions): allow for \ in get_maj_min file - path - -as the path might be f.e. /dev/disk/by-partlabel/EFI\x20System\x20Partition - -which would produce Warning 'grep: warning: stray \ before x' in get_maj_min - -Resolves: RHEL-47145 ---- - dracut-functions.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dracut-functions.sh b/dracut-functions.sh -index 1f7a9052..d436a357 100755 ---- a/dracut-functions.sh -+++ b/dracut-functions.sh -@@ -243,7 +243,7 @@ get_maj_min() { - local _out - - if [[ $get_maj_min_cache_file ]]; then -- _out="$(grep -m1 -oE "^$1 \S+$" "$get_maj_min_cache_file" | grep -oE "\S+$")" -+ _out="$(grep -m1 -oE "^${1//\\/\\\\} \S+$" "$get_maj_min_cache_file" | grep -oE "\S+$")" - fi - - if ! [[ "$_out" ]]; then --- -2.42.0 - diff --git a/0009-fix-dracut-functions.sh-only-return-block-devices-fr.patch b/0009-fix-dracut-functions.sh-only-return-block-devices-fr.patch deleted file mode 100644 index 63a6fc8..0000000 --- a/0009-fix-dracut-functions.sh-only-return-block-devices-fr.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-From 31fe330589cfd564790c4255c951567a3479df94 Mon Sep 17 00:00:00 2001
-From: Fabian Vogt
-Date: Mon, 5 Aug 2024 11:28:32 +0200
-Subject: [PATCH 09/32] fix(dracut-functions.sh): only return block devices
- from get_persistent_dev
-
-With udev 256, there are now directories such as
-/dev/disk/by-path/pci-0000:02:00.0-nvme-1-part/ which match here.
-
-In case a nonexisting file/device was passed to get_persistent_dev, it
-returned the first directory it looked at because both have maj:min 0:0.
-This accidental conversion from garbage to a sensible looking path leads
-to weird behaviour later.
-
-Instead of filtering out directories explicitly switch the check to only
-return block devices, which also takes care of the character special
-/dev/mapper/control.
-
-(cherry picked from commit 55d2fb5b459f356fdbde60ddefb97be942a0c141)
-
-Resolves: RHEL-49744
----
- dracut-functions.sh | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/dracut-functions.sh b/dracut-functions.sh
-index d436a357..b4d57454 100755
---- a/dracut-functions.sh
-+++ b/dracut-functions.sh
-@@ -294,8 +294,7 @@ get_persistent_dev() {
- /dev/disk/by-partlabel/* \
- /dev/disk/by-id/* \
- /dev/disk/by-path/*; do
-- [[ -e $i ]] || continue
-- [[ $i == /dev/mapper/control ]] && continue
-+ [[ -b $i ]] || continue
- [[ $i == /dev/mapper/mpath* ]] && continue
- _tmp=$(get_maj_min "$i")
- if [ "$_tmp" = "$_dev" ]; then
---
-2.42.0
-
diff --git a/0009-fix-systemd-ask-password-do-not-half-install-systemd.patch b/0009-fix-systemd-ask-password-do-not-half-install-systemd.patch
new file mode 100644
index 0000000..183ffb8
--- /dev/null
+++ b/0009-fix-systemd-ask-password-do-not-half-install-systemd.patch
@@ -0,0 +1,39 @@ +From 8002a6125bf3f36144a92643ea02ad3abfa5d6d8 Mon Sep 17 00:00:00 2001 +From: Jo Zzsi +Date: Sun, 12 Jan 2025 20:01:09 -0500 +Subject: [PATCH 09/13] fix(systemd-ask-password): do not half-install + systemd-ask-password-wall + +Do not install the path unit when the service unit is not installed +for systemd-ask-password-wall. + +Fixes the following warning on the CI: + +[FAILED] Failed to start Forward Password Requests to Wall Directory Watch. +See 'systemctl status systemd-ask-password-wall.path' for details. +... +systemd[1]: systemd-ask-password-wall.path: Refusing to start, unit systemd-ask-password-wall.service to trigger not loaded. +systemd[1]: Failed to start Forward Password Requests to Wall Directory Watch. + +(cherry picked from commit 4ddc0053e869eb37b7c3d4e08876a687e1a995ae) + +Related: RHEL-65204 +--- + modules.d/01systemd-ask-password/module-setup.sh | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/modules.d/01systemd-ask-password/module-setup.sh b/modules.d/01systemd-ask-password/module-setup.sh +index 40774ab9..8b09b69f 100755 +--- a/modules.d/01systemd-ask-password/module-setup.sh ++++ b/modules.d/01systemd-ask-password/module-setup.sh +@@ -43,7 +43,6 @@ install() { + inst_multiple -o \ + "$systemdsystemunitdir"/systemd-ask-password-console.path \ + "$systemdsystemunitdir"/systemd-ask-password-console.service \ +- "$systemdsystemunitdir"/multi-user.target.wants/systemd-ask-password-wall.path \ + "$systemdsystemunitdir"/sysinit.target.wants/systemd-ask-password-console.path \ + systemd-ask-password \ + systemd-tty-ask-password-agent +-- +2.47.1 + diff --git a/0010-feat-systemd-include-systemd-config-files-from-usr-l.patch b/0010-feat-systemd-include-systemd-config-files-from-usr-l.patch deleted file mode 100644 index e3e06b8..0000000 --- a/0010-feat-systemd-include-systemd-config-files-from-usr-l.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From e90249443fe2285f221849359e9066aefff29eff Mon Sep 17 00:00:00 2001 -From: Pavel Valena -Date: Wed, 12 Jun 2024 06:06:32 +0200 -Subject: [PATCH 10/32] feat(systemd*): include systemd config files from - /usr/lib/systemd - -and also use proper variables for the paths, and fixup invalid paths. --- - -The new systemd reads from both /etc and /usr/, so to accomodate this, -I've added new paths to install configs from (I probably haven't covered -all). This changes only hostonly behaviour; uses global variables: - -systemdutilconfdir: "/etc/systemd" -systemdutildir: "/lib/systemd:/lib/systemd/systemd-udevd" "/usr/lib/systemd:/usr/lib/systemd/systemd-udevd" - -(cherry picked from commit ea4905e944a2acd75ba3a48a5dfeaba417f724e8) - -Resolves: RHEL-32506 ---- - modules.d/00systemd/module-setup.sh | 6 ++++-- - modules.d/01systemd-coredump/module-setup.sh | 3 ++- - modules.d/01systemd-pstore/module-setup.sh | 2 ++ - modules.d/01systemd-resolved/module-setup.sh | 1 + - modules.d/01systemd-timesyncd/module-setup.sh | 1 + - 5 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/modules.d/00systemd/module-setup.sh b/modules.d/00systemd/module-setup.sh -index ce7bb520..70a2a78f 100755 ---- a/modules.d/00systemd/module-setup.sh -+++ b/modules.d/00systemd/module-setup.sh -@@ -42,6 +42,8 @@ install() { - "$systemdutildir"/system-generators/systemd-debug-generator \ - "$systemdutildir"/system-generators/systemd-fstab-generator \ - "$systemdutildir"/system-generators/systemd-gpt-auto-generator \ -+ "$systemdutildir"/system.conf \ -+ "$systemdutildir"/system.conf.d/*.conf \ - "$systemdsystemunitdir"/debug-shell.service \ - "$systemdsystemunitdir"/cryptsetup.target \ - "$systemdsystemunitdir"/cryptsetup-pre.target \ -@@ -94,8 +96,8 @@ install() { - - if [[ $hostonly ]]; then - inst_multiple -H -o \ -- /etc/systemd/system.conf \ -- /etc/systemd/system.conf.d/*.conf \ -+ "$systemdutilconfdir"/system.conf \ -+ "$systemdutilconfdir"/system.conf.d/*.conf \ - 
/etc/hosts \ - /etc/hostname \ - /etc/nsswitch.conf \ -diff --git a/modules.d/01systemd-coredump/module-setup.sh b/modules.d/01systemd-coredump/module-setup.sh -index 0c5cbcfb..6acbe75f 100755 ---- a/modules.d/01systemd-coredump/module-setup.sh -+++ b/modules.d/01systemd-coredump/module-setup.sh -@@ -35,6 +35,7 @@ install() { - inst_multiple -o \ - "$sysctld"/50-coredump.conf \ - "$systemdutildir"/coredump.conf \ -+ "$systemdutildir/coredump.conf.d/*.conf" \ - "$systemdutildir"/systemd-coredump \ - "$systemdsystemunitdir"/systemd-coredump.socket \ - "$systemdsystemunitdir"/systemd-coredump@.service \ -@@ -52,7 +53,7 @@ install() { - if [[ $hostonly ]]; then - inst_multiple -H -o \ - "$systemdutilconfdir"/coredump.conf \ -- "$systemdsystemconfdir/coredump.conf.d/*.conf" \ -+ "$systemdutilconfdir/coredump.conf.d/*.conf" \ - "$systemdsystemconfdir"/systemd-coredump.socket \ - "$systemdsystemconfdir/systemd-coredump.socket.d/*.conf" \ - "$systemdsystemconfdir"/systemd-coredump@.service \ -diff --git a/modules.d/01systemd-pstore/module-setup.sh b/modules.d/01systemd-pstore/module-setup.sh -index 67034bbf..5de5db4b 100755 ---- a/modules.d/01systemd-pstore/module-setup.sh -+++ b/modules.d/01systemd-pstore/module-setup.sh -@@ -34,6 +34,8 @@ install() { - inst_dir /var/lib/systemd/pstore - inst_multiple -o \ - "$tmpfilesdir/systemd-pstore.conf" \ -+ "$systemdutildir"/pstore.conf \ -+ "$systemdutildir/pstore.conf.d/*.conf" \ - "$systemdutildir"/systemd-pstore \ - "$systemdsystemunitdir"/systemd-pstore.service \ - "$systemdsystemunitdir/systemd-pstore.service.d/*.conf" -diff --git a/modules.d/01systemd-resolved/module-setup.sh b/modules.d/01systemd-resolved/module-setup.sh -index b354bc6c..d20f211c 100755 ---- a/modules.d/01systemd-resolved/module-setup.sh -+++ b/modules.d/01systemd-resolved/module-setup.sh -@@ -50,6 +50,7 @@ install() { - # Install the hosts local user configurations if enabled. 
- if [[ $hostonly ]]; then - inst_multiple -H -o \ -+ "$systemdutilconfdir"/resolv.conf \ - "$systemdutilconfdir"/resolved.conf \ - "$systemdutilconfdir/resolved.conf.d/*.conf" \ - "$systemdsystemconfdir"/systemd-resolved.service \ -diff --git a/modules.d/01systemd-timesyncd/module-setup.sh b/modules.d/01systemd-timesyncd/module-setup.sh -index 0c065af6..82902b3b 100755 ---- a/modules.d/01systemd-timesyncd/module-setup.sh -+++ b/modules.d/01systemd-timesyncd/module-setup.sh -@@ -40,6 +40,7 @@ install() { - "$systemdntpunits/*.list" \ - "$systemdutildir"/systemd-timesyncd \ - "$systemdutildir"/systemd-time-wait-sync \ -+ "$systemdutildir"/timesyncd.conf \ - "$systemdutildir/timesyncd.conf.d/*.conf" \ - "$systemdsystemunitdir"/systemd-timesyncd.service \ - "$systemdsystemunitdir/systemd-timesyncd.service.d/*.conf" \ --- -2.42.0 - diff --git a/0010-fix-pcsc-add-libpcsclite_real.so.patch b/0010-fix-pcsc-add-libpcsclite_real.so.patch new file mode 100644 index 0000000..7204023 --- /dev/null +++ b/0010-fix-pcsc-add-libpcsclite_real.so.patch 
@@ -0,0 +1,37 @@ +From 8f3b92db19bf4654d7346a1532928fcf172c09e6 Mon Sep 17 00:00:00 2001 +From: Manuel Fombuena +Date: Thu, 31 Oct 2024 12:01:46 +0000 +Subject: [PATCH 10/13] fix(pcsc): add libpcsclite_real.so.* + +systemd-cryptsetup requires libpcsclite_real.so.1 + +Without it you get the following error: + +systemd-cryptsetup[697]: loading "libpcsclite_real.so.1" failed: libpcsclite_real.so.1: cannot open shared object file: No such file or directory + +Signed-off-by: Manuel Fombuena + +(cherry picked from commit bfa00c2a03b07efae5a826aa881317acea9a4ec6) + +Related: RHEL-65204 +--- + modules.d/91pcsc/module-setup.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules.d/91pcsc/module-setup.sh b/modules.d/91pcsc/module-setup.sh +index 26b463d4..5ae1272b 100755 +--- a/modules.d/91pcsc/module-setup.sh ++++ b/modules.d/91pcsc/module-setup.sh +@@ -51,7 +51,8 @@ install() { + {"tls/$_arch/",tls/,"$_arch/",}"pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist" \ + {"tls/$_arch/",tls/,"$_arch/",}"pcsc/drivers/ifd-ccid.bundle/Contents/Linux/libccid.so" \ + {"tls/$_arch/",tls/,"$_arch/",}"pcsc/drivers/serial/libccidtwin.so" \ +- {"tls/$_arch/",tls/,"$_arch/",}"libpcsclite.so.*" ++ {"tls/$_arch/",tls/,"$_arch/",}"libpcsclite.so.*" \ ++ {"tls/$_arch/",tls/,"$_arch/",}"libpcsclite_real.so.*" + + # Install the hosts local user configurations if enabled. + if [[ $hostonly ]]; then +-- +2.47.1 + diff --git a/0011-fix-resume-always-include-the-resume-module.patch b/0011-fix-resume-always-include-the-resume-module.patch deleted file mode 100644 index ad98ace..0000000 --- a/0011-fix-resume-always-include-the-resume-module.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 91f878a4fe4ed694baad59cdb1c7366b002cf1da Mon Sep 17 00:00:00 2001 -From: Pavel Valena -Date: Thu, 8 Aug 2024 00:21:12 +0200 -Subject: [PATCH 11/32] fix(resume): always include the resume module - -as we can't determine with certainity that it won't be needed. - -rhel-only - -Resolves: RHEL-53350 ---- - modules.d/95resume/module-setup.sh | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/modules.d/95resume/module-setup.sh b/modules.d/95resume/module-setup.sh -index d419566e..c0f04a6c 100755 ---- a/modules.d/95resume/module-setup.sh -+++ b/modules.d/95resume/module-setup.sh -@@ -1,7 +1,12 @@ - #!/bin/bash - - # called by dracut -+# shellcheck disable=SC2317 - check() { -+ -+ # Always include resume module -+ return 0 -+ - swap_on_netdevice() { - local _dev - for _dev in "${swap_devs[@]}"; do --- -2.42.0 - diff --git a/0011-revert-fix-rescue-make-rescue-always-no-hostonly.patch b/0011-revert-fix-rescue-make-rescue-always-no-hostonly.patch new file mode 100644 index 0000000..0e78c6b --- /dev/null +++ b/0011-revert-fix-rescue-make-rescue-always-no-hostonly.patch 
@@ -0,0 +1,30 @@ +From ad4549b5e8fb66ee33126ba01bbb24f4801a3936 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Wed, 29 Jan 2025 20:25:03 +0100 +Subject: [PATCH 11/13] revert: "fix(rescue): make rescue always no-hostonly" + +This partly reverts commit 224c00914bfb4ba1dee48e094ebb137facfd5947. + +Related: RHEL-65204 +--- + install.d/51-dracut-rescue.install | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install +index decee283..1be9b882 100755 +--- a/install.d/51-dracut-rescue.install ++++ b/install.d/51-dracut-rescue.install +@@ -119,8 +119,8 @@ case "$COMMAND" in + + if [[ ! -f "$BOOT_DIR_ABS/$INITRD" ]]; then + # shellcheck disable=SC2046 +- dracut -f \ +- --add-confdir rescue \ ++ dracut -f --no-hostonly --no-uefi \ ++ -a "rescue" \ + $([[ $KERNEL_INSTALL_VERBOSE == 1 ]] && echo --verbose) \ + --kver "$KERNEL_VERSION" \ + "$BOOT_DIR_ABS/$INITRD" +-- +2.47.1 + diff --git a/0012-feat-dracut-init.sh-allow-changing-the-destination-d.patch b/0012-feat-dracut-init.sh-allow-changing-the-destination-d.patch deleted file mode 100644 index 58af470..0000000 --- a/0012-feat-dracut-init.sh-allow-changing-the-destination-d.patch +++ /dev/null 
@@ -1,197 +0,0 @@ -From 5ed57d866f2be5dc73c7c70a70f51ccae9bdd47d Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Mon, 22 Jul 2024 16:46:47 +0200 -Subject: [PATCH 12/32] feat(dracut-init.sh): allow changing the destination - directory for inst et al - -When using 99squash dracut actually builds two separate initrds. The -"normal" one, that gets squashed into a squashfs image, and a -"minimalistic" one, whose only task is to mount and switch_root to the -squashfs image. - -This is currently done the following way: -1. Skipp install() for 99squash during the "normal" installation phase. -2. Trigger a special postinstall hook in 99squash that moves the content - of $initdir to $squashdir and installs the "minimalistic" initrd to - $initdir. -3. Strip the binaries in $initdir (of which $squashdir is a sub - directory of). -4. Squash the content of $squashdir into the squashfs image and remove - $squashdir. - -The problem with this approach is that the steps 2 and 4 specific to -99squash but need to be done in dracut.sh. Thus a lot of special -handling for 99squash is needed in dracut.sh. This will get even more -complex once support for different filesystem images, e.g. erofs, are -implemented. - -In order to be able to move most of the functionality into 99squash -itself a new approach will be chosen, i.e. -1. During the installation phase install the "normal" initrd into - $initdir and the "minimalistic" initrd into $squashdir. -2. Strip the binaries in $initdir. -3. Trigger a special postinstall hook in 99squash that squashes the - content of $initdir (excluding $squashdir) into the squashfs image, - removes the content of $intidir (excluding $suqashdir) and, moves the - content of $squashdir into $initdir. - -With that the only special handling remaining in dracut.sh is triggering -the postinstall hook. - -However, in inst et al. the destination directory is hard coded to -$initdir. Thus allow setting a different destination directory in inst -et al. 
to get the new approach to work. For the time being only do that -for the functions required by 99squash. - -Signed-off-by: Philipp Rudo - -(cherry picked from commit 5ab4470cf136c2d9983564b84b49fd700d4b8514) - -Related: RHEL-43460 ---- - dracut-init.sh | 40 +++++++++++++++++++++++++--------------- - 1 file changed, 25 insertions(+), 15 deletions(-) - -diff --git a/dracut-init.sh b/dracut-init.sh -index 986da96b..8e943493 100755 ---- a/dracut-init.sh -+++ b/dracut-init.sh -@@ -240,34 +240,36 @@ inst_dir() { - } - - inst() { -+ local dstdir="${dstdir:-"$initdir"}" - local _ret _hostonly_install - if [[ $1 == "-H" ]]; then - _hostonly_install="-H" - shift - fi -- [[ -e ${initdir}/"${2:-$1}" ]] && return 0 # already there -- if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@"; then -+ [[ -e ${dstdir}/"${2:-$1}" ]] && return 0 # already there -+ if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@"; then - return 0 - else - _ret=$? 
-- derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@" -+ derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@" - return $_ret - fi - } - - inst_simple() { -+ local dstdir="${dstdir:-"$initdir"}" - local _ret _hostonly_install - if [[ $1 == "-H" ]]; then - _hostonly_install="-H" - shift - fi -- [[ -e ${initdir}/"${2:-$1}" ]] && return 0 # already there -- [[ -e $1 ]] || return 1 # no source -- if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} ${loginstall:+-L "$loginstall"} ${_hostonly_install:+-H} "$@"; then -+ [[ -e ${dstdir}/"${2:-$1}" ]] && return 0 # already there -+ [[ -e $1 ]] || return 1 # no source -+ if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} ${loginstall:+-L "$loginstall"} ${_hostonly_install:+-H} "$@"; then - return 0 - else - _ret=$? 
-- derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} ${loginstall:+-L "$loginstall"} ${_hostonly_install:+-H} "$@" -+ derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} ${loginstall:+-L "$loginstall"} ${_hostonly_install:+-H} "$@" - return $_ret - fi - } -@@ -290,16 +292,17 @@ inst_symlink() { - } - - inst_multiple() { -+ local dstdir="${dstdir:-"$initdir"}" - local _ret _hostonly_install - if [[ $1 == "-H" ]]; then - _hostonly_install="-H" - shift - fi -- if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} -a ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@"; then -+ if $DRACUT_INSTALL ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} -a ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@"; then - return 0 - else - _ret=$? 
-- derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${initdir:+-D "$initdir"} -a ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@" -+ derror FAILED: "$DRACUT_INSTALL" ${dracutsysrootdir:+-r "$dracutsysrootdir"} ${dstdir:+-D "$dstdir"} -a ${loginstall:+-L "$loginstall"} ${DRACUT_RESOLVE_DEPS:+-l} ${DRACUT_FIPS_MODE:+-f} ${_hostonly_install:+-H} "$@" - return $_ret - fi - } -@@ -566,6 +569,8 @@ inst_rules_wildcard() { - - # make sure that library links are correct and up to date - build_ld_cache() { -+ local dstdir="${dstdir:-"$initdir"}" -+ - for f in "$dracutsysrootdir"/etc/ld.so.conf "$dracutsysrootdir"/etc/ld.so.conf.d/*; do - [[ -f $f ]] && inst_simple "${f#"$dracutsysrootdir"}" - done -@@ -1056,13 +1061,15 @@ for_each_module_dir() { - } - - dracut_kernel_post() { -+ local dstdir="${dstdir:-"$initdir"}" -+ - for _f in modules.builtin modules.builtin.alias modules.builtin.modinfo modules.order; do - [[ -e $srcmods/$_f ]] && inst_simple "$srcmods/$_f" "/lib/modules/$kernel/$_f" - done - - # generate module dependencies for the initrd -- if [[ -d $initdir/lib/modules/$kernel ]] \ -- && ! depmod -a -b "$initdir" "$kernel"; then -+ if [[ -d $dstdir/lib/modules/$kernel ]] \ -+ && ! depmod -a -b "$dstdir" "$kernel"; then - dfatal "\"depmod -a $kernel\" failed." - exit 1 - fi -@@ -1076,6 +1083,7 @@ instmods() { - # can be e.g. 
"=block" or "=drivers/usb/storage" - # -c check - # -s silent -+ local dstdir="${dstdir:-"$initdir"}" - local _optional="-o" - local _silent - local _ret -@@ -1101,7 +1109,7 @@ instmods() { - fi - - $DRACUT_INSTALL \ -- ${initdir:+-D "$initdir"} \ -+ ${dstdir:+-D "$dstdir"} \ - ${dracutsysrootdir:+-r "$dracutsysrootdir"} \ - ${loginstall:+-L "$loginstall"} \ - ${hostonly:+-H} \ -@@ -1115,7 +1123,7 @@ instmods() { - if ((_ret != 0)) && [[ -z $_silent ]]; then - derror "FAILED: " \ - "$DRACUT_INSTALL" \ -- ${initdir:+-D "$initdir"} \ -+ ${dstdir:+-D "$dstdir"} \ - ${dracutsysrootdir:+-r "$dracutsysrootdir"} \ - ${loginstall:+-L "$loginstall"} \ - ${hostonly:+-H} \ -@@ -1132,14 +1140,16 @@ instmods() { - - if [[ "$(ln --help)" == *--relative* ]]; then - ln_r() { -- ln -sfnr "${initdir}/$1" "${initdir}/$2" -+ local dstdir="${dstdir:-"$initdir"}" -+ ln -sfnr "${dstdir}/$1" "${dstdir}/$2" - } - else - ln_r() { -+ local dstdir="${dstdir:-"$initdir"}" - local _source=$1 - local _dest=$2 - [[ -d ${_dest%/*} ]] && _dest=$(readlink -f "${_dest%/*}")/${_dest##*/} -- ln -sfn -- "$(convert_abs_rel "${_dest}" "${_source}")" "${initdir}/${_dest}" -+ ln -sfn -- "$(convert_abs_rel "${_dest}" "${_source}")" "${dstdir}/${_dest}" - } - fi - --- -2.42.0 - diff --git a/0012-fix-dracut-install-initize-fts-pointer.patch b/0012-fix-dracut-install-initize-fts-pointer.patch new file mode 100644 index 0000000..69e080c --- /dev/null +++ b/0012-fix-dracut-install-initize-fts-pointer.patch 
@@ -0,0 +1,26 @@ +From 2c33b7315571dd0fd8240111018ce474fc45f667 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Thu, 13 Feb 2025 22:18:06 +0100 +Subject: [PATCH 12/13] fix(dracut-install): initize fts pointer + +Related: RHEL-65204 +--- + src/install/dracut-install.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c +index 96bc2eb6..3cd4e5cb 100644 +--- a/src/install/dracut-install.c ++++ b/src/install/dracut-install.c +@@ -1681,7 +1681,7 @@ static void find_suppliers_for_sys_node(Hashmap *suppliers, const char *node_pat + + static void find_suppliers(struct kmod_ctx *ctx) + { +- _cleanup_fts_close_ FTS *fts; ++ _cleanup_fts_close_ FTS *fts = NULL; + char *paths[] = { "/sys/devices/platform", NULL }; + fts = fts_open(paths, FTS_NOSTAT | FTS_PHYSICAL, NULL); + +-- +2.47.1 + diff --git a/0013-feat-add-openssl-module.patch b/0013-feat-add-openssl-module.patch new file mode 100644 index 0000000..99bf06b --- /dev/null +++ b/0013-feat-add-openssl-module.patch 
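Review bot: The `= NULL` initialiser in find_suppliers() quiets the compiler warning, but the hunk shows no test of the fts_open() result two lines later, and fts_open() returns NULL on failure. The function body continues outside the hunk, so this may already be handled there; if it is not, a missing or unreadable /sys/devices/platform would hand NULL to the traversal calls, and `if (!fts) return;` directly after the call would cover that. It is also worth confirming that the `_cleanup_fts_close_` handler skips a NULL pointer, since NULL is now the value it sees on any early exit.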
@@ -0,0 +1,1021 @@ +From 73122f8b3430e8ecab30a5c261391081f8289d31 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Mon, 20 Jan 2025 14:16:38 +0100 +Subject: [PATCH 13/13] feat: add openssl module + +Resolves: RHEL-76323 +--- + Makefile | 15 +- + modules.d/01fips/module-setup.sh | 4 + + modules.d/99openssl/module-setup.sh | 31 ++ + modules.d/99openssl/openssl-check.sh | 29 ++ + src/ossl/Makefile | 35 +++ + src/ossl/src/ossl-config.c | 144 +++++++++ + src/ossl/src/ossl-files.c | 280 ++++++++++++++++++ + src/ossl/tests/config/escapes.cnf | 11 + + src/ossl/tests/config/escapes.cnf.expected | 12 + + src/ossl/tests/config/included-file.noncnf | 2 + + .../tests/config/includes.1.d/includes1.cnf | 2 + + .../tests/config/includes.1.d/includes1.conf | 2 + + .../tests/config/includes.1.d/nonconf.bak | 2 + + src/ossl/tests/config/includes.2.d/main.cnf | 4 + + .../includes.2.d/subincludes.d/subconf.cnf | 2 + + src/ossl/tests/config/includes.cnf | 6 + + src/ossl/tests/config/includes.cnf.expected | 12 + + .../leading-and-trailing-whitespace.cnf | 6 + + ...ading-and-trailing-whitespace.cnf.expected | 7 + + src/ossl/tests/config/order.cnf | 21 ++ + src/ossl/tests/config/order.cnf.expected | 16 + + src/ossl/tests/config/variables.cnf | 33 +++ + src/ossl/tests/config/variables.cnf.expected | 27 ++ + src/ossl/tests/files/engines.cnf | 22 ++ + src/ossl/tests/files/engines.cnf.expected | 4 + + src/ossl/tests/files/providers.cnf | 31 ++ + src/ossl/tests/files/providers.cnf.expected | 4 + + 27 files changed, 763 insertions(+), 1 deletion(-) + create mode 100755 modules.d/99openssl/module-setup.sh + create mode 100755 modules.d/99openssl/openssl-check.sh + create mode 100644 src/ossl/Makefile + create mode 100644 src/ossl/src/ossl-config.c + create mode 100644 src/ossl/src/ossl-files.c + create mode 100644 src/ossl/tests/config/escapes.cnf + create mode 100644 src/ossl/tests/config/escapes.cnf.expected + create mode 100644 src/ossl/tests/config/included-file.noncnf + create mode 100644 
src/ossl/tests/config/includes.1.d/includes1.cnf + create mode 100644 src/ossl/tests/config/includes.1.d/includes1.conf + create mode 100644 src/ossl/tests/config/includes.1.d/nonconf.bak + create mode 100644 src/ossl/tests/config/includes.2.d/main.cnf + create mode 100644 src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf + create mode 100644 src/ossl/tests/config/includes.cnf + create mode 100644 src/ossl/tests/config/includes.cnf.expected + create mode 100644 src/ossl/tests/config/leading-and-trailing-whitespace.cnf + create mode 100644 src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected + create mode 100644 src/ossl/tests/config/order.cnf + create mode 100644 src/ossl/tests/config/order.cnf.expected + create mode 100644 src/ossl/tests/config/variables.cnf + create mode 100644 src/ossl/tests/config/variables.cnf.expected + create mode 100644 src/ossl/tests/files/engines.cnf + create mode 100644 src/ossl/tests/files/engines.cnf.expected + create mode 100644 src/ossl/tests/files/providers.cnf + create mode 100644 src/ossl/tests/files/providers.cnf.expected + +diff --git a/Makefile b/Makefile +index bcb2bc8f..4bc88561 100644 +--- a/Makefile ++++ b/Makefile +@@ -50,7 +50,7 @@ manpages = $(man1pages) $(man5pages) $(man7pages) $(man8pages) + + .PHONY: install clean archive testimage test all check AUTHORS CONTRIBUTORS doc + +-all: dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ++all: dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ossl-config ossl-files + + %.o : %.c + $(CC) -c $(CFLAGS) $(CPPFLAGS) $(KMOD_CFLAGS) $< -o $@ +@@ -88,6 +88,12 @@ util/util: $(UTIL_OBJECTS) + dracut-util: src/util/util + cp -a $< $@ + ++ossl: src/ossl/Makefile ++ $(MAKE) -C src/ossl ++ ++ossl-config: ossl ++ossl-files: ossl ++ + .PHONY: indent-c + indent-c: + astyle -n --quiet --options=.astylerc $(wildcard *.[ch] */*.[ch] src/*/*.[ch]) +@@ -208,6 +214,12 @@ endif + if [ -f dracut-util ]; then \ + install -m 0755 dracut-util 
$(DESTDIR)$(pkglibdir)/dracut-util; \ + fi ++ if [ -f src/ossl/src/ossl-config ]; then \ ++ install -m 0755 src/ossl/src/ossl-config $(DESTDIR)$(pkglibdir)/ossl-config; \ ++ fi ++ if [ -f src/ossl/src/ossl-files ]; then \ ++ install -m 0755 src/ossl/src/ossl-files $(DESTDIR)$(pkglibdir)/ossl-files; \ ++ fi + ifeq ($(enable_dracut_cpio),yes) + install -m 0755 dracut-cpio $(DESTDIR)$(pkglibdir)/dracut-cpio + endif +@@ -234,6 +246,7 @@ clean: + $(RM) dracut.pc + $(RM) dracut-cpio src/dracut-cpio/target/release/dracut-cpio* + $(MAKE) -C test clean ++ $(MAKE) -C src/ossl clean + + syncheck: + @ret=0;for i in dracut-initramfs-restore.sh modules.d/*/*.sh; do \ +diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh +index e3b7ca33..206f0456 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -5,6 +5,10 @@ check() { + return 0 + } + ++depends() { ++ echo openssl ++} ++ + # called by dracut + installkernel() { + local _fipsmodules _mod _bootfstype +diff --git a/modules.d/99openssl/module-setup.sh b/modules.d/99openssl/module-setup.sh +new file mode 100755 +index 00000000..8614f254 +--- /dev/null ++++ b/modules.d/99openssl/module-setup.sh +@@ -0,0 +1,31 @@ ++#!/bin/bash ++ ++check() { ++ return 255 ++} ++ ++install() { ++ ++ local ossl_files openssl_cnf initrd_openssl_cnf ++ ++ ossl_files="${dracutbasedir}/ossl-files" ++ ++ openssl_cnf="$($ossl_files --config)" ++ ++ initrd_openssl_cnf="${initdir}/${openssl_cnf}" ++ ++ if [[ ! -r $openssl_cnf ]]; then ++ dfatal "'$ossl_files --config' does not return a path!!" 
++ exit 1 ++ fi ++ ++ # ossl-files gives us one line per file ++ # shellcheck disable=SC2046 ++ inst_multiple -o \ ++ /etc/crypto-policies/back-ends/opensslcnf.config \ ++ $($ossl_files --engines --providers) ++ ++ mkdir -p "${initrd_openssl_cnf%/*}" ++ ++ "${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}" ++} +diff --git a/modules.d/99openssl/openssl-check.sh b/modules.d/99openssl/openssl-check.sh +new file mode 100755 +index 00000000..67951f45 +--- /dev/null ++++ b/modules.d/99openssl/openssl-check.sh +@@ -0,0 +1,29 @@ ++#!/bin/sh ++ ++eok() { ++ ++ { ++ [ "$1" -eq 0 ] && echo OK || echo FAIL ++ ++ echo ++ ++ } 2> /dev/null ++} ++ ++echo ++ ++set -x ++ ++openssl list -providers ++ ++eok "$?" ++ ++#openssl s_client -connect “$dns_server_ip:$dns_server_port” -servername “$dns_server_name” "$$TEST.1" && \ ++ OPENSSL_CONF="$$TEST.1" src/ossl-config >"$$TEST.2" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ diff -u <(sed 1d "$$TEST.1") <(sed 1d "$$TEST.2") && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done ++ ++ @for TEST in $(TESTS_FILES); do \ ++ echo "Test $$TEST..."; \ ++ OPENSSL_CONF="$$TEST" src/ossl-files --engines --providers >"$$TEST.1" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done +diff --git a/src/ossl/src/ossl-config.c b/src/ossl/src/ossl-config.c +new file mode 100644 +index 00000000..4324341c +--- /dev/null ++++ b/src/ossl/src/ossl-config.c +@@ -0,0 +1,144 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-config ossl-config.c -lcrypto ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 202311L ++# define FALLTHROUGH [[fallthrough]] ++#elif (defined(__GNUC__) && __GNUC__ >= 7) || (defined(__clang__) && __clang_major__ >= 12) ++# define FALLTHROUGH __attribute__((fallthrough)) ++#else ++# define FALLTHROUGH ((void) 0) ++#endif ++ ++#define 
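Review bot: The last statement of install() in modules.d/99openssl/module-setup.sh, `"${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}"`, ignores the exit status, so a failure in ossl-config leaves an empty or partial openssl.cnf in the image while the build still succeeds. Because 01fips now depends on this module, such an image would presumably run OpenSSL without the host's provider and crypto-policy settings and give no indication of it. Failing the build is safer: `"${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}" || { dfatal "ossl-config failed to generate ${openssl_cnf}"; exit 1; }`. Separately, `$($ossl_files --engines --providers)` under the SC2046 disable splits on spaces and expands globs as well as newlines, so the "one line per file" comment only holds for paths without those characters; reading the output into an array with `mapfile -t` and passing `"${arr[@]}"` would make it hold.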
cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++cleanupfunc(ossl_sk_cstring_t, sk_OPENSSL_CSTRING_free) ++ ++/** ++ * Print the given value to stdout escaped for the OpenSSL configuration file ++ * format. ++ */ ++static void print_escaped_value(const char *value) { ++ for (const char *p = value; *p; p++) { ++ switch (*p) { ++ case '"': ++ case '\'': ++ case '#': ++ case '\\': ++ case '$': ++ putchar('\\'); ++ putchar(*p); ++ break; ++ case '\n': ++ fputs("\\n", stdout); ++ break; ++ case '\r': ++ fputs("\\r", stdout); ++ break; ++ case '\b': ++ fputs("\\b", stdout); ++ break; ++ case '\t': ++ fputs("\\t", stdout); ++ break; ++ case ' ': ++ if (p == value || p[1] == '\0') { ++ /* Quote spaces if they are the first or last char of the ++ * value. We could quote the entire string (and it would ++ * certainly produce nicer output), but in quoted strings ++ * the escape sequences for \n, \r, \t, and \b do not work. ++ * To make sure we're producing correct results we'd thus ++ * have to selectively not use those in quoted strings and ++ * close and re-open the quotes if they appear, which is ++ * more trouble than adding the quotes just around the ++ * first and last leading and trailing space. */ ++ fputs("\" \"", stdout); ++ break; ++ } ++ FALLTHROUGH; ++ default: ++ putchar(*p); ++ break; ++ } ++ } ++} ++ ++/** ++ * Print all values in in the configuration section identified by section_name to stdout. 
++ */ ++static void print_section(const CONF *cnf, OPENSSL_CSTRING section_name) { ++ STACK_OF(CONF_VALUE) *values = NCONF_get_section(cnf, section_name); ++ for (int idx = 0; idx < sk_CONF_VALUE_num(values); idx++) { ++ CONF_VALUE *value = sk_CONF_VALUE_value(values, idx); ++ printf("%s = ", value->name); ++ print_escaped_value(value->value); ++ putchar('\n'); ++ } ++} ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. ++ */ ++int main(int argc, char *argv[]) { ++ char *configfile cleanup(char) = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, "Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ STACK_OF(OPENSSL_CSTRING) *sections cleanup(ossl_sk_cstring_t) = NCONF_get_section_names(cnf); ++ if (sections == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ printf("# This configuration file was linarized and expanded from %s\n", configfile); ++ ++ int default_section_idx = sk_OPENSSL_CSTRING_find(sections, "default"); ++ if (default_section_idx != -1) { ++ print_section(cnf, "default"); ++ } ++ for (int idx = 0; idx < sk_OPENSSL_CSTRING_num(sections); idx++) { ++ if (idx == default_section_idx) { ++ continue; ++ } ++ OPENSSL_CSTRING section_name = sk_OPENSSL_CSTRING_value(sections, idx); ++ printf("\n[%s]\n", section_name); ++ print_section(cnf, section_name); ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/src/ossl-files.c b/src/ossl/src/ossl-files.c +new file mode 100644 +index 00000000..4f252800 +--- 
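Review bot: main() in src/ossl/src/ossl-config.c returns EXIT_SUCCESS without checking that the text emitted through printf/putchar/fputs actually reached stdout. The 99openssl module redirects this output into the initramfs openssl.cnf, so a write error (a full build directory, for instance) would yield a truncated configuration together with a success status. Adding `if (fflush(stdout) != 0 || ferror(stdout)) exit(EXIT_FAILURE);` before the final return would surface it. Minor: print_section() escapes `value->value` but prints `value->name` raw, which deserves a one-line comment stating why names need no escaping, and the generated header line spells "linearized" as "linarized".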
/dev/null ++++ b/src/ossl/src/ossl-files.c +@@ -0,0 +1,280 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-files ossl-files.c -lcrypto ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#define cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++ ++typedef enum flag { ++ CONFIG_FILE = 1, ++ ENGINES, ++ PROVIDERS, ++ PKCS11_MODULES, ++} flag_t; ++ ++static const OPENSSL_CSTRING get_option(STACK_OF(CONF_VALUE) *section, const OPENSSL_CSTRING name) { ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(section); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(section, idx); ++ if (strcmp(name, value->name) == 0) { ++ return value->value; ++ } ++ } ++ ++ return NULL; ++} ++ ++/** ++ * Locate a section in the OpenSSL configuration file given its path ++ * components, separated by dots. ++ * ++ * Returns the STACK_OF(CONF_VALUE) that represents the section, if it exists ++ * and NULL otherwise. 
++ */ ++static STACK_OF(CONF_VALUE) *locate_section(const CONF* cnf, const OPENSSL_CSTRING path) { ++ STACK_OF(CONF_VALUE) *sect = NCONF_get_section(cnf, "default"); ++ if (sect == NULL) ++ return NULL; ++ ++ char *pathbuf cleanup(char) = OPENSSL_strdup(path); ++ char *curpath = pathbuf; ++ while (curpath) { ++ char *split = strchr(curpath, '.'); ++ char *nextpath = NULL; ++ ++ if (split != NULL) { ++ *split = '\0'; ++ nextpath = split + 1; ++ } ++ ++ const OPENSSL_CSTRING next_section_name = get_option(sect, curpath); ++ if (next_section_name == NULL) ++ return NULL; ++ ++ sect = NCONF_get_section(cnf, next_section_name); ++ if (sect == NULL) ++ return NULL; ++ ++ curpath = nextpath; ++ } ++ ++ return sect; ++} ++ ++static void list_providers(const CONF *cnf) { ++ const char *modulesdir = OPENSSL_info(OPENSSL_INFO_MODULES_DIR); ++ ++ { ++ struct stat st; ++ size_t pathlen = strlen(modulesdir) + 1 /* "/" */ + strlen("fips.so") + 1; ++ char pathbuf[pathlen]; ++ ++ snprintf(pathbuf, pathlen, "%s/fips.so", modulesdir); ++ pathbuf[pathlen - 1] = '\0'; ++ ++ if (stat(pathbuf, &st) == 0) { ++ /* Print the path to the FIPS provider if it exists on disk, ++ * regardless of whether it is enabled or not. This is because some ++ * distributions (like Fedora and RHEL) auto-enable the FIPS ++ * provider if the kernel command line contains fips=1. */ ++ puts(pathbuf); ++ } ++ } ++ ++ STACK_OF(CONF_VALUE) *providers_sect = locate_section(cnf, "openssl_conf.providers"); ++ if (providers_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(providers_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(providers_sect, idx); ++ /* The section name in the providers section is typically the basename ++ * of the loadable module, unless the section for this provider ++ * contains a 'module' option. 
*/ ++ const OPENSSL_CSTRING provider_name = value->name; ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ if (strcmp(provider_name, "default") == 0 ++ || strcmp(provider_name, "base") == 0 ++ || strcmp(provider_name, "fips") == 0) { ++ /* This is either a builtin provider, which does not exist on disk, ++ * or it was handled earlier. */ ++ continue; ++ } ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } else { ++ OPENSSL_CSTRING module_path = get_option(section, "module"); ++ if (module_path) { ++ if (*module_path == '/') { ++ puts(module_path); ++ } else { ++ printf("%s/%s\n", modulesdir, module_path); ++ } ++ } else { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } ++ } ++ } ++} ++ ++static void list_engines(const CONF *cnf) { ++ const char *enginesdir = OPENSSL_info(OPENSSL_INFO_ENGINES_DIR); ++ ++ STACK_OF(CONF_VALUE) *engines_sect = locate_section(cnf, "openssl_conf.engines"); ++ if (engines_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(engines_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(engines_sect, idx); ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) ++ continue; ++ OPENSSL_CSTRING dynamic_path = get_option(section, "dynamic_path"); ++ if (dynamic_path == NULL) ++ continue; ++ ++ if (*dynamic_path == '/') { ++ puts(dynamic_path); ++ } else { ++ printf("%s/%s\n", enginesdir, dynamic_path); ++ } ++ } ++} ++ ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. 
++ */ ++int main(int argc, char *argv[]) { ++ struct option long_options[] = { ++ {"config", no_argument, NULL, CONFIG_FILE}, ++ {"engines", no_argument, NULL, ENGINES}, ++ {"providers", no_argument, NULL, PROVIDERS}, ++ {"help", no_argument, NULL, 'h'}, ++ {NULL, 0, NULL, 0}, ++ }; ++ int chosen_options[sizeof(long_options) / sizeof(*long_options) - 2] = {0}; ++ ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ long_options[idx].flag = &chosen_options[idx]; ++ } ++ ++ int c; ++ char *configfile cleanup(char) = NULL; ++ while (1) { ++ c = getopt_long(argc, argv, "", long_options, NULL); ++ switch (c) { ++ case -1: ++ // end of options ++ goto options_parsed; ++ break; ++ case 0: ++ /* option detected, we use flags to react, so no need for ++ * custom code here. */ ++ break; ++ case 'h': ++ // --help output requested ++ fprintf(stderr, "Usage: %s OPTIONS\n\n", argv[0]); ++ fputs( ++ "OPTIONS are:\n" ++ " --config\n" ++ " Print the path of the OpenSSL configuration file on\n" ++ " this system\n" ++ " --engines\n" ++ " Print the path of any OpenSSL ENGINEs configured in\n" ++ " the configuration file\n" ++ " --providers\n" ++ " Print the path of any OpenSSL providers configured in\n" ++ " the configuration file\n" ++ " --help\n" ++ " Print this help output\n", ++ stderr ++ ); ++ return EXIT_FAILURE; ++ break; ++ case '?': ++ case ':': ++ // error, getopt(3) already printed a message ++ return EXIT_FAILURE; ++ break; ++ default: ++ fprintf(stderr, "getopt(3) returned unexpected character code 0%o\n", c); ++ return EXIT_FAILURE; ++ break; ++ } ++ } ++options_parsed: ++ ++ configfile = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, 
"Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ bool any_chosen = false; ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ if (chosen_options[idx] != 0) { ++ any_chosen = true; ++ } ++ switch (chosen_options[idx]) { ++ case CONFIG_FILE: ++ puts(configfile); ++ break; ++ case ENGINES: ++ list_engines(cnf); ++ break; ++ case PROVIDERS: ++ list_providers(cnf); ++ break; ++ case PKCS11_MODULES: ++ break; ++ } ++ } ++ ++ if (!any_chosen) { ++ fprintf(stderr, "No options were provided, so no output was produced. See --help for instructions.\n"); ++ return EXIT_FAILURE; ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/tests/config/escapes.cnf b/src/ossl/tests/config/escapes.cnf +new file mode 100644 +index 00000000..9fe2fbc8 +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf +@@ -0,0 +1,11 @@ ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = "/C=FI/O=Insta # Demo/CN=Insta Demo CA" ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA ++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA ++5.recipient = "/C=FI/O=Insta ' Demo/CN=Insta Demo CA" ++6.recipient = '/C=FI/O=Insta " Demo/CN=Insta Demo CA' ++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA +diff --git a/src/ossl/tests/config/escapes.cnf.expected b/src/ossl/tests/config/escapes.cnf.expected +new file mode 100644 +index 00000000..eff959fc +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf.expected +@@ -0,0 +1,12 @@ ++# This configuration file was linarized and expanded from tests/config/escapes.cnf ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = /C=FI/O=Insta \# Demo/CN=Insta Demo CA ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA 
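Review bot: In `locate_section` the result of `OPENSSL_strdup(path)` is never checked, and because the walk is `while (curpath)`, a failed allocation skips the loop and returns the `default` section as if it were the requested one. `list_providers` and `list_engines` would then build paths from unrelated top-level options; add `if (pathbuf == NULL) return NULL;` right after the duplication. The loops in `get_option`, `list_providers` and `list_engines` compare a `size_t idx` with `sk_CONF_VALUE_num()`, which returns `int`; the visible callers check the stack for NULL first, but an `int idx` as in ossl-config.c's `print_section` avoids the signed/unsigned comparison. The doc comment above `main` is carried over from ossl-config.c, and this program prints paths, so it should read something like `/* Print the paths of the OpenSSL configuration file and of the engines and providers it configures. */`.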
++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA
++5.recipient = /C=FI/O=Insta \' Demo/CN=Insta Demo CA
++6.recipient = /C=FI/O=Insta \" Demo/CN=Insta Demo CA
++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA
+diff --git a/src/ossl/tests/config/included-file.noncnf b/src/ossl/tests/config/included-file.noncnf
+new file mode 100644
+index 00000000..51089f51
+--- /dev/null
++++ b/src/ossl/tests/config/included-file.noncnf
+@@ -0,0 +1,2 @@
++[included-file]
++present = true
+diff --git a/src/ossl/tests/config/includes.1.d/includes1.cnf b/src/ossl/tests/config/includes.1.d/includes1.cnf
+new file mode 100644
+index 00000000..44c17ecd
+--- /dev/null
++++ b/src/ossl/tests/config/includes.1.d/includes1.cnf
+@@ -0,0 +1,2 @@
++[includes1]
++cnf-file = present
+diff --git a/src/ossl/tests/config/includes.1.d/includes1.conf b/src/ossl/tests/config/includes.1.d/includes1.conf
+new file mode 100644
+index 00000000..c6e3c0c6
+--- /dev/null
++++ b/src/ossl/tests/config/includes.1.d/includes1.conf
+@@ -0,0 +1,2 @@
++[includes1]
++conf-file = present
+diff --git a/src/ossl/tests/config/includes.1.d/nonconf.bak b/src/ossl/tests/config/includes.1.d/nonconf.bak
+new file mode 100644
+index 00000000..f5835c63
+--- /dev/null
++++ b/src/ossl/tests/config/includes.1.d/nonconf.bak
+@@ -0,0 +1,2 @@
++[includes1]
++nonconf = not present
+diff --git a/src/ossl/tests/config/includes.2.d/main.cnf b/src/ossl/tests/config/includes.2.d/main.cnf
+new file mode 100644
+index 00000000..a9141010
+--- /dev/null
++++ b/src/ossl/tests/config/includes.2.d/main.cnf
+@@ -0,0 +1,4 @@
++[includes2]
++main = present
++
++.include tests/config/include.2.d/subincludes.d
+diff --git a/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf
+new file mode 100644
+index 00000000..9cbf6c7e
+--- /dev/null
++++ b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf
+@@ -0,0 +1,2 @@
++[includes2]
++subconf = absent
+diff --git
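Review bot: The `.include` line in includes.2.d/main.cnf points at `tests/config/include.2.d/subincludes.d`, but the directory this patch adds is `includes.2.d`, so the path does not exist. subconf.cnf (`subconf = absent`) is therefore missing from includes.cnf.expected no matter how OpenSSL treats a directory include inside a file that was itself found by a directory scan, which looks like the behaviour this fixture is meant to pin. If so, spell the path `.include tests/config/includes.2.d/subincludes.d`. If the missing-path case is intended, a comment in main.cnf saying so would help, since includes.cnf already covers that case with `nonexistant.d`.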
a/src/ossl/tests/config/includes.cnf b/src/ossl/tests/config/includes.cnf
+new file mode 100644
+index 00000000..fd243487
+--- /dev/null
++++ b/src/ossl/tests/config/includes.cnf
+@@ -0,0 +1,6 @@
++openssl_conf = openssl_init
++
++.include = tests/config/includes.1.d
++.include tests/config/includes.2.d
++.include tests/config/nonexistant.d
++.include tests/config/included-file.noncnf
+diff --git a/src/ossl/tests/config/includes.cnf.expected b/src/ossl/tests/config/includes.cnf.expected
+new file mode 100644
+index 00000000..519729f1
+--- /dev/null
++++ b/src/ossl/tests/config/includes.cnf.expected
+@@ -0,0 +1,12 @@
++# This configuration file was linarized and expanded from tests/config/includes.cnf
++openssl_conf = openssl_init
++
++[included-file]
++present = true
++
++[includes1]
++cnf-file = present
++conf-file = present
++
++[includes2]
++main = present
+diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf
+new file mode 100644
+index 00000000..2801bd72
+--- /dev/null
++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf
+@@ -0,0 +1,6 @@
++openssl_conf = openssl_init
++
++[test]
++0.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA"
++1.recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA "
++2.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA "
+diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected
+new file mode 100644
+index 00000000..3dd985cc
+--- /dev/null
++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected
+@@ -0,0 +1,7 @@
++# This configuration file was linarized and expanded from tests/config/leading-and-trailing-whitespace.cnf
++openssl_conf = openssl_init
++
++[test]
++0.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA
++1.recipient = /C=FI/O=Insta Demo/CN=Insta Demo CA" "
++2.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA" "
+diff --git
a/src/ossl/tests/config/order.cnf b/src/ossl/tests/config/order.cnf
+new file mode 100644
+index 00000000..89662a1a
+--- /dev/null
++++ b/src/ossl/tests/config/order.cnf
+@@ -0,0 +1,21 @@
++# vim:ft=conf
++openssl_conf = openssl_init
++
++[def]
++# Sections are alphabetically ordered
++0.recipient = 0
++
++[abc]
++# Order within sections is preserved, even if it isn't sorted
++7.recipient = 7
++6.recipient = 6
++4.recipient = 4
++3.recipient = 3
++5.recipient = 5
++2.recipient = 2
++1.recipient = 1
++0.recipient = 0
++
++[default]
++# The default section is consolidated and always printed first
++aaatest = value
+diff --git a/src/ossl/tests/config/order.cnf.expected b/src/ossl/tests/config/order.cnf.expected
+new file mode 100644
+index 00000000..50a62c90
+--- /dev/null
++++ b/src/ossl/tests/config/order.cnf.expected
+@@ -0,0 +1,16 @@
++# This configuration file was linarized and expanded from tests/config/order.cnf
++openssl_conf = openssl_init
++aaatest = value
++
++[abc]
++7.recipient = 7
++6.recipient = 6
++4.recipient = 4
++3.recipient = 3
++5.recipient = 5
++2.recipient = 2
++1.recipient = 1
++0.recipient = 0
++
++[def]
++0.recipient = 0
+diff --git a/src/ossl/tests/config/variables.cnf b/src/ossl/tests/config/variables.cnf
+new file mode 100644
+index 00000000..04916116
+--- /dev/null
++++ b/src/ossl/tests/config/variables.cnf
+@@ -0,0 +1,33 @@
++# vim:ft=conf
++openssl_conf = openssl_init
++
++default_var = ABC
++nested = "\${default_var}"
++
++[othersection]
++
++[test]
++# These should expand to ABC read from the default section
++0.recipient = ${default_var}
++1.recipient = $default_var
++2.recipient = $(default_var)
++# These should expand to DEF as the other section was explicitly referenced
++3.recipient = ${othersection::default_var}
++4.recipient = $othersection::default_var
++5.recipient = $(othersection::default_var)
++
++[test2]
++default_var = GHI
++# These should expand to GHI since the local section is always searched first
++0.recipient =
${default_var}
++1.recipient = $default_var
++
++[test3]
++.pragma dollarid:on
++# Out of these, the first should contain the literal "$default_var", the others should expand
++0.recipient = literal$default_var
++1.recipient = expanded${default_var}
++2.recipient = expanded$(default_var)
++
++[test4]
++recipient = literal$nested
+diff --git a/src/ossl/tests/config/variables.cnf.expected b/src/ossl/tests/config/variables.cnf.expected
+new file mode 100644
+index 00000000..a2bccf23
+--- /dev/null
++++ b/src/ossl/tests/config/variables.cnf.expected
+@@ -0,0 +1,27 @@
++# This configuration file was linarized and expanded from tests/config/variables.cnf
++openssl_conf = openssl_init
++default_var = ABC
++nested = \${default_var}
++
++[othersection]
++
++[test]
++0.recipient = ABC
++1.recipient = ABC
++2.recipient = ABC
++3.recipient = ABC
++4.recipient = ABC
++5.recipient = ABC
++
++[test2]
++default_var = GHI
++0.recipient = GHI
++1.recipient = GHI
++
++[test3]
++0.recipient = literal\$default_var
++1.recipient = expandedABC
++2.recipient = expandedABC
++
++[test4]
++recipient = literal\$nested
+diff --git a/src/ossl/tests/files/engines.cnf b/src/ossl/tests/files/engines.cnf
+new file mode 100644
+index 00000000..5ca8be01
+--- /dev/null
++++ b/src/ossl/tests/files/engines.cnf
+@@ -0,0 +1,22 @@
++openssl_conf = openssl_init
++
++[openssl_init]
++engines = engines_sect
++
++[engines_sect]
++afalg = afalg_sect
++loader_attic = loader_attic_sect
++pkcs11 = pkcs11_sect
++
++[afalg_sect]
++dynamic_path = afalg.so
++
++[loader_attic_sect]
++dynamic_path = /usr/lib64/engines-3/loader_attic.so
++init = 1
++
++[pkcs11_sect]
++engine_id = pkcs11
++dynamic_path = /usr/lib64/engines-3/libpkcs11.so
++MODULE_PATH = opensc-pkcs11.so
++init = 1
+diff --git a/src/ossl/tests/files/engines.cnf.expected b/src/ossl/tests/files/engines.cnf.expected
+new file mode 100644
+index 00000000..2d60cc52
+--- /dev/null
++++ b/src/ossl/tests/files/engines.cnf.expected
+@@ -0,0 +1,4 @@
++/usr/lib64/engines-3/afalg.so
++/usr/lib64/engines-3/loader_attic.so
++/usr/lib64/engines-3/libpkcs11.so
++/usr/lib64/ossl-modules/fips.so
+diff --git a/src/ossl/tests/files/providers.cnf b/src/ossl/tests/files/providers.cnf
+new file mode 100644
+index 00000000..fee4c826
+--- /dev/null
++++ b/src/ossl/tests/files/providers.cnf
+@@ -0,0 +1,31 @@
++openssl_conf = openssl_init
++
++[openssl_init]
++providers = providers_sect
++
++[providers_sect]
++default = default_sect
++fips = fips_sect
++legacy = legacy_sect
++base = base_sect
++pkcs11 = pkcs11_sect
++oqs = oqs_sect
++
++[default_sect]
++activate = 1
++
++[fips_sect]
++activate = 1
++
++[legacy_sect]
++activate = 1
++
++[base_sect]
++activate = 1
++
++[pkcs11_sect]
++activate = 1
++
++[oqs_sect]
++activate = 1
++module = /usr/lib64/ossl-modules/oqsprovider.so.0.6.0
+diff --git a/src/ossl/tests/files/providers.cnf.expected b/src/ossl/tests/files/providers.cnf.expected
+new file mode 100644
+index 00000000..23b1b7de
+--- /dev/null
++++ b/src/ossl/tests/files/providers.cnf.expected
+@@ -0,0 +1,4 @@
++/usr/lib64/ossl-modules/fips.so
++/usr/lib64/ossl-modules/legacy.so
++/usr/lib64/ossl-modules/pkcs11.so
++/usr/lib64/ossl-modules/oqsprovider.so.0.6.0
+--
+2.47.1
+
diff --git a/0013-fix-dracut-init.sh-add-module-to-mods_to_load-before.patch b/0013-fix-dracut-init.sh-add-module-to-mods_to_load-before.patch
deleted file mode 100644
index 2965b4e..0000000
--- a/0013-fix-dracut-init.sh-add-module-to-mods_to_load-before.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From 150e428c0e8d40257a983c2f82be5e8e0f30920f Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Thu, 25 Jul 2024 12:47:00 +0200 -Subject: [PATCH 13/32] fix(dracut-init.sh): add module to mods_to_load before - checking dependencies - -When implementing erofs support for 99squash we end up with three -modules 99squash, 95squash-squashfs and 95squash-erofs. Where 99squash -contains the common code for filesystem images and -95squash-{squashfs,erofs} the special handing depending on the -filesystem used. This leads to a dependency cycle as we want to allow -users both to choose 99squash, when the exact filesystem doesn't matter, -as well as 95squash-{squashfs,erofs} when a specific filesystem is -required. - -But when 99squash is added as a dependency calling -dracut_module_included fails in its depends() function. This lead to -cases where both handlers, 95squash-squashfs and 95squash-erofs, were -added to the initrd. - -Reason for the failure is that a module only is marked to be loaded -after all it's dependencies have been checked as well. Thus a child -module cannot detect which parent module wants it to be included. Fix -this by marking modules to be loaded before checking its dependencies in -check_module. Do the same change in check_mount for consistency. 
- -Signed-off-by: Philipp Rudo - -(cherry picked from commit 634b4a5c6fbe595eb240cd529d669d21eadd510c) - -Related: RHEL-43460 ---- - dracut-init.sh | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/dracut-init.sh b/dracut-init.sh -index 8e943493..746362d1 100755 ---- a/dracut-init.sh -+++ b/dracut-init.sh -@@ -924,6 +924,9 @@ check_mount() { - fi - fi - -+ [[ " $mods_to_load " == *\ $_mod\ * ]] \ -+ || mods_to_load+=" $_mod " -+ - for _moddep in $(module_depends "$_mod" "$_moddir"); do - # handle deps as if they were manually added - [[ " $dracutmodules " == *\ $_mod\ * ]] \ -@@ -942,9 +945,6 @@ check_mount() { - fi - done - -- [[ " $mods_to_load " == *\ $_mod\ * ]] \ -- || mods_to_load+=" $_mod " -- - return 0 - } - -@@ -999,6 +999,9 @@ check_module() { - fi - fi - -+ [[ " $mods_to_load " == *\ $_mod\ * ]] \ -+ || mods_to_load+=" $_mod " -+ - for _moddep in $(module_depends "$_mod" "$_moddir"); do - # handle deps as if they were manually added - [[ " $dracutmodules " == *\ $_mod\ * ]] \ -@@ -1017,9 +1020,6 @@ check_module() { - fi - done - -- [[ " $mods_to_load " == *\ $_mod\ * ]] \ -- || mods_to_load+=" $_mod " -- - return 0 - } - --- -2.42.0 - diff --git a/0014-feat-squash-move-mksquashfs-to-99squash-modules-setu.patch b/0014-feat-squash-move-mksquashfs-to-99squash-modules-setu.patch deleted file mode 100644 index c008443..0000000 --- a/0014-feat-squash-move-mksquashfs-to-99squash-modules-setu.patch +++ /dev/null 
@@ -1,192 +0,0 @@ -From 2d851d7d1709f5a03d8dab847aa42770bff2644b Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Mon, 22 Jul 2024 16:30:50 +0200 -Subject: [PATCH 14/32] feat(squash): move mksquashfs to 99squash/modules-setup - -When using 99squash dracut actually builds two separat initrds. The -"normal" one, that gets squashed into a squashfs image, and a -"minimalistic" one, whose only task is to mount and switch_root to the -squashfs image. - -For that 99squash currently requires a lot of special handling in -dracut.sh. Move most of this special handling into 99squash itself. This -requires a new approach when building the "minimalistic" initrd. The new -approach works the following way - -1. During the installation phase install the "normal" initrd into - $initdir and the "minimalistic" initrd into $squashdir. -2. Strip the binaries in $initdir. -3. Trigger a special postinstall hook in 99squash that squashes the - content of $initdir (excluding $squashdir) into the squashfs image, - removes the content of $intidir (excluding $suqashdir) and, moves the - content of $squashdir into $initdir. 
- -Signed-off-by: Philipp Rudo - -(cherry picked from commit 7a4dd89ca732329893628b886fe8e78337d896e8) - -Related: RHEL-43460 ---- - dracut.sh | 35 ++++-------------- - modules.d/99squash/module-setup.sh | 58 +++++++++++++++++++++--------- - 2 files changed, 49 insertions(+), 44 deletions(-) - -diff --git a/dracut.sh b/dracut.sh -index 856b884e..4d2e3df2 100755 ---- a/dracut.sh -+++ b/dracut.sh -@@ -1260,6 +1260,7 @@ trap ' - trap 'exit 1;' SIGINT - - readonly initdir="${DRACUT_TMPDIR}/initramfs" -+readonly squashdir="$initdir/squash_root" - mkdir -p "$initdir" - - if [[ $early_microcode == yes ]] || { [[ $acpi_override == yes ]] && [[ -d $acpi_table_dir ]]; }; then -@@ -1787,7 +1788,8 @@ export initdir dracutbasedir \ - host_fs_types host_devs swap_devs sshkey add_fstab \ - DRACUT_VERSION \ - prefix filesystems drivers \ -- hostonly_cmdline loginstall -+ hostonly_cmdline loginstall \ -+ squashdir squash_compress - - mods_to_load="" - # check all our modules to see if they should be sourced. -@@ -1892,6 +1894,8 @@ if [[ $kernel_only != yes ]]; then - fi - fi - -+dracut_module_included "squash" && mkdir -p "$squashdir" -+ - _isize=0 #initramfs size - modules_loaded=" " - # source our modules. -@@ -2243,14 +2247,6 @@ if [[ $kernel_only != yes ]]; then - build_ld_cache - fi - --if dracut_module_included "squash"; then -- readonly squash_dir="$initdir/squash/root" -- readonly squash_img="$initdir/squash-root.img" -- mkdir -p "$squash_dir" -- dinfo "*** Install squash loader ***" -- DRACUT_SQUASH_POST_INST=1 module_install "squash" --fi -- - if [[ $do_strip == yes ]] && ! [[ $DRACUT_FIPS_MODE ]]; then - # stripping files negates (dedup) benefits of using reflink - [[ -n $enhanced_cpio ]] && ddebug "strip is enabled alongside cpio reflink" -@@ -2270,25 +2266,8 @@ fi - - if dracut_module_included "squash"; then - dinfo "*** Squashing the files inside the initramfs ***" -- declare squash_compress_arg -- # shellcheck disable=SC2086 -- if [[ $squash_compress ]]; then -- if ! 
mksquashfs /dev/null "$DRACUT_TMPDIR"/.squash-test.img -no-progress -comp $squash_compress &> /dev/null; then -- dwarn "mksquashfs doesn't support compressor '$squash_compress', failing back to default compressor." -- else -- squash_compress_arg="$squash_compress" -- fi -- fi -- -- # shellcheck disable=SC2086 -- if ! mksquashfs "$squash_dir" "$squash_img" \ -- -no-xattrs -no-exports -noappend -no-recovery -always-use-fragments \ -- -no-progress ${squash_compress_arg:+-comp $squash_compress_arg} 1> /dev/null; then -- dfatal "Failed making squash image" -- exit 1 -- fi -- -- rm -rf "$squash_dir" -+ DRACUT_SQUASH_POST_INST=1 module_install "squash" -+ rm -rf "$squashdir" - dinfo "*** Squashing the files inside the initramfs done ***" - - # Skip initramfs compress -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index dc2e0a20..96d097af 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -12,26 +12,13 @@ depends() { - return 0 - } - --installpost() { -+squash_install() { - local _busybox - _busybox=$(find_binary busybox) - -- # Move everything under $initdir except $squash_dir -- # itself into squash image -- for i in "$initdir"/*; do -- [[ $squash_dir == "$i"/* ]] || mv "$i" "$squash_dir"/ -- done -- - # Create mount points for squash loader - mkdir -p "$initdir"/squash/ -- mkdir -p "$squash_dir"/squash/ -- -- # Copy dracut spec files out side of the squash image -- # so dracut rebuild and lsinitrd can work -- for file in "$squash_dir"/usr/lib/dracut/*; do -- [[ -f $file ]] || continue -- DRACUT_RESOLVE_DEPS=1 dracutsysrootdir="$squash_dir" inst "${file#"$squash_dir"}" -- done -+ mkdir -p "$squashdir"/squash/ - - # Install required modules and binaries for the squash image init script. 
- if [[ $_busybox ]]; then -@@ -61,8 +48,47 @@ installpost() { - build_ld_cache - } - -+squash_installpost() { -+ local _img="$squashdir"/squash-root.img -+ local _comp _file -+ -+ # shellcheck disable=SC2086 -+ if [[ $squash_compress ]]; then -+ if ! mksquashfs /dev/null "$DRACUT_TMPDIR"/.squash-test.img -no-progress -comp $squash_compress &> /dev/null; then -+ dwarn "mksquashfs doesn't support compressor '$squash_compress', failing back to default compressor." -+ else -+ _comp="$squash_compress" -+ fi -+ fi -+ -+ # shellcheck disable=SC2086 -+ if ! mksquashfs "$initdir" "$_img" \ -+ -no-xattrs -no-exports -noappend -no-recovery -always-use-fragments \ -+ -no-progress ${_comp:+-comp $_comp} \ -+ -e "$squashdir" 1> /dev/null; then -+ dfatal "Failed making squash image" -+ exit 1 -+ fi -+ -+ # Rescue the dracut spec files so dracut rebuild and lsinitrd can work -+ for _file in "$initdir"/usr/lib/dracut/*; do -+ [[ -f $_file ]] || continue -+ DRACUT_RESOLVE_DEPS=1 dstdir=$squashdir inst "$_file" "${_file#"$initdir"}" -+ done -+ -+ # Remove everything that got squashed into the image -+ for _file in "$initdir"/*; do -+ [[ $_file == "$squashdir" ]] && continue -+ rm -rf "$_file" -+ done -+ mv "$squashdir"/* "$initdir" -+} -+ - install() { -+ - if [[ $DRACUT_SQUASH_POST_INST ]]; then -- installpost -+ squash_installpost -+ else -+ dstdir="$squashdir" squash_install - fi - } --- -2.42.0 - diff --git a/0015-feat-squash-split-95squash-squashfs-from-99squash.patch b/0015-feat-squash-split-95squash-squashfs-from-99squash.patch deleted file mode 100644 index aee2a4f..0000000 --- a/0015-feat-squash-split-95squash-squashfs-from-99squash.patch +++ /dev/null 
@@ -1,183 +0,0 @@ -From dd3daa0560e4e4f809b42a901cd79076d3577f96 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 23 Jul 2024 16:39:13 +0200 -Subject: [PATCH 15/32] feat(squash): split 95squash-squashfs from 99squash - -99squash only allows squashing the files using squashfs. In order to -make the implementation for different filesystems easier split out the -squashfs specific parts into 95squash-squashfs. - -While at it rename the root image contained in the initrd to -squashfs-root.img. This allows tools like lsinitrd to detect the -filesystem used later on. - -Signed-off-by: Philipp Rudo - -(cherry picked from commit f281606f110be1549cd6b1cd34828653879a5f50) - -Related: RHEL-43460 ---- - modules.d/95squash-squashfs/module-setup.sh | 48 ++++++++++++++++++ - modules.d/99squash/init-squash.sh | 2 +- - modules.d/99squash/module-setup.sh | 54 ++++++++++++--------- - 3 files changed, 80 insertions(+), 24 deletions(-) - create mode 100755 modules.d/95squash-squashfs/module-setup.sh - -diff --git a/modules.d/95squash-squashfs/module-setup.sh b/modules.d/95squash-squashfs/module-setup.sh -new file mode 100755 -index 00000000..83973700 ---- /dev/null -+++ b/modules.d/95squash-squashfs/module-setup.sh -@@ -0,0 +1,48 @@ -+#!/bin/bash -+ -+check() { -+ require_binaries mksquashfs unsquashfs || return 1 -+ require_kernel_modules squashfs || return 1 -+ -+ return 255 -+} -+ -+depends() { -+ echo "squash" -+ return 0 -+} -+ -+squashfs_install() { -+ hostonly="" instmods "squashfs" -+} -+ -+squashfs_installpost() { -+ local _img="$squashdir/squashfs-root.img" -+ local _comp -+ -+ # shellcheck disable=SC2086 -+ if [[ $squash_compress ]]; then -+ if ! mksquashfs /dev/null "$DRACUT_TMPDIR"/.squash-test.img -no-progress -comp $squash_compress &> /dev/null; then -+ dwarn "mksquashfs doesn't support compressor '$squash_compress', failing back to default compressor." -+ else -+ _comp="$squash_compress" -+ fi -+ fi -+ -+ # shellcheck disable=SC2086 -+ if ! 
mksquashfs "$initdir" "$_img" \ -+ -no-xattrs -no-exports -noappend -no-recovery -always-use-fragments \ -+ -no-progress ${_comp:+-comp $_comp} \ -+ -e "$squashdir" 1> /dev/null; then -+ dfatal "Failed making squash image" -+ exit 1 -+ fi -+} -+ -+install() { -+ if [[ $DRACUT_SQUASH_POST_INST ]]; then -+ squashfs_installpost -+ else -+ dstdir="$squashdir" squashfs_install -+ fi -+} -diff --git a/modules.d/99squash/init-squash.sh b/modules.d/99squash/init-squash.sh -index 59769f62..42a9a86f 100755 ---- a/modules.d/99squash/init-squash.sh -+++ b/modules.d/99squash/init-squash.sh -@@ -21,7 +21,7 @@ modprobe overlay - # Mount the squash image - mount -t ramfs ramfs /squash - mkdir -p /squash/root /squash/overlay/upper /squash/overlay/work --mount -t squashfs -o ro,loop /squash-root.img /squash/root -+mount -t squashfs -o ro,loop /squashfs-root.img /squash/root - - # Setup new root overlay - mkdir /newroot -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index 96d097af..015944c2 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -1,17 +1,42 @@ - #!/bin/bash - - check() { -- require_binaries mksquashfs unsquashfs || return 1 -- require_kernel_modules squashfs loop overlay || return 1 -+ require_kernel_modules loop overlay || return 1 - - return 255 - } - - depends() { -- echo "systemd-initrd" -+ local _handler -+ -+ _handler=$(squash_get_handler) || return 1 -+ -+ echo "systemd-initrd $_handler" - return 0 - } - -+squash_get_handler() { -+ local _module _handler -+ -+ for _module in squash-squashfs; do -+ if dracut_module_included "$_module"; then -+ _handler="$_module" -+ break -+ fi -+ done -+ -+ if [ -z "$_handler" ]; then -+ if check_module "squash-squashfs"; then -+ _handler="squash-squashfs" -+ else -+ dfatal "No valid handler for found" -+ return 1 -+ fi -+ fi -+ -+ echo "$_handler" -+} -+ - squash_install() { - local _busybox - _busybox=$(find_binary busybox) -@@ -36,7 +61,7 @@ 
squash_install() { - [[ $DRACUT_FIPS_MODE ]] && inst_libdir_file -o "libssl.so*" - fi - -- hostonly="" instmods "loop" "squashfs" "overlay" -+ hostonly="" instmods "loop" "overlay" - dracut_kernel_post - - # Install squash image init script. -@@ -49,26 +74,9 @@ squash_install() { - } - - squash_installpost() { -- local _img="$squashdir"/squash-root.img -- local _comp _file -- -- # shellcheck disable=SC2086 -- if [[ $squash_compress ]]; then -- if ! mksquashfs /dev/null "$DRACUT_TMPDIR"/.squash-test.img -no-progress -comp $squash_compress &> /dev/null; then -- dwarn "mksquashfs doesn't support compressor '$squash_compress', failing back to default compressor." -- else -- _comp="$squash_compress" -- fi -- fi -+ local _file - -- # shellcheck disable=SC2086 -- if ! mksquashfs "$initdir" "$_img" \ -- -no-xattrs -no-exports -noappend -no-recovery -always-use-fragments \ -- -no-progress ${_comp:+-comp $_comp} \ -- -e "$squashdir" 1> /dev/null; then -- dfatal "Failed making squash image" -- exit 1 -- fi -+ DRACUT_SQUASH_POST_INST=1 module_install "$(squash_get_handler)" - - # Rescue the dracut spec files so dracut rebuild and lsinitrd can work - for _file in "$initdir"/usr/lib/dracut/*; do --- -2.42.0 - diff --git a/0016-feat-squash-add-module-95squash-erofs.patch b/0016-feat-squash-add-module-95squash-erofs.patch deleted file mode 100644 index 17e1eb7..0000000 --- a/0016-feat-squash-add-module-95squash-erofs.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From fcc73940a1e21fa79b7133e12ed0f8ed13645a54 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 23 Jul 2024 17:42:33 +0200 -Subject: [PATCH 16/32] feat(squash): add module 95squash-erofs - -Allow squashing the image in 99squash using erofs. Keep squashfs as -default to not change existing systems. I.e. only use erofs if the user -explicitly include 95squash-erofs or when the prereqs for squashfs are -missing. - -Signed-off-by: Philipp Rudo - -(cherry picked from commit e185d6ae1cc38af90f741d3d6c677458d69a345f) - -Resolves: RHEL-43460 ---- - modules.d/95squash-erofs/module-setup.sh | 45 ++++++++++++++++++++++++ - modules.d/99squash/init-squash.sh | 12 +++++-- - modules.d/99squash/module-setup.sh | 4 ++- - 3 files changed, 58 insertions(+), 3 deletions(-) - create mode 100755 modules.d/95squash-erofs/module-setup.sh - -diff --git a/modules.d/95squash-erofs/module-setup.sh b/modules.d/95squash-erofs/module-setup.sh -new file mode 100755 -index 00000000..71c2b672 ---- /dev/null -+++ b/modules.d/95squash-erofs/module-setup.sh -@@ -0,0 +1,45 @@ -+#!/bin/bash -+ -+check() { -+ require_binaries mkfs.erofs || return 1 -+ require_kernel_modules erofs || return 1 -+ -+ return 255 -+} -+ -+depends() { -+ echo "squash" -+ return 0 -+} -+ -+erofs_install() { -+ hostonly="" instmods "erofs" -+} -+ -+erofs_installpost() { -+ local _img="$squashdir/erofs-root.img" -+ local -a _erofs_args -+ -+ _erofs_args+=("--exclude-path=$squashdir") -+ _erofs_args+=("-E" "fragments") -+ -+ if [[ -n $squash_compress ]]; then -+ if mkfs.erofs "${_erofs_args[@]}" -z "$squash_compress" "$_img" "$initdir" &> /dev/null; then -+ return -+ fi -+ dwarn "mkfs.erofs doesn't support compressor '$squash_compress', failing back to default compressor." -+ fi -+ -+ if ! 
mkfs.erofs "${_erofs_args[@]}" "$_img" "$initdir" &> /dev/null; then -+ dfatal "Failed making squash image" -+ exit 1 -+ fi -+} -+ -+install() { -+ if [[ $DRACUT_SQUASH_POST_INST ]]; then -+ erofs_installpost -+ else -+ dstdir="$squashdir" erofs_install -+ fi -+} -diff --git a/modules.d/99squash/init-squash.sh b/modules.d/99squash/init-squash.sh -index 42a9a86f..31a39cfd 100755 ---- a/modules.d/99squash/init-squash.sh -+++ b/modules.d/99squash/init-squash.sh -@@ -13,15 +13,23 @@ grep -q '^devtmpfs /dev devtmpfs' /proc/self/mounts \ - grep -q '^tmpfs /run tmpfs' /proc/self/mounts \ - || (mkdir -p /run && mount -t tmpfs -o mode=755,noexec,nosuid,strictatime tmpfs /run) - -+if [ -e /erofs-root.img ]; then -+ _fs=erofs -+ _img=erofs-root.img -+else -+ _fs=squashfs -+ _img=squashfs-root.img -+fi -+ - # Load required modules - modprobe loop --modprobe squashfs -+modprobe "$_fs" - modprobe overlay - - # Mount the squash image - mount -t ramfs ramfs /squash - mkdir -p /squash/root /squash/overlay/upper /squash/overlay/work --mount -t squashfs -o ro,loop /squashfs-root.img /squash/root -+mount -t "$_fs" -o ro,loop /"$_img" /squash/root - - # Setup new root overlay - mkdir /newroot -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index 015944c2..5cbbec63 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -18,7 +18,7 @@ depends() { - squash_get_handler() { - local _module _handler - -- for _module in squash-squashfs; do -+ for _module in squash-squashfs squash-erofs; do - if dracut_module_included "$_module"; then - _handler="$_module" - break -@@ -28,6 +28,8 @@ squash_get_handler() { - if [ -z "$_handler" ]; then - if check_module "squash-squashfs"; then - _handler="squash-squashfs" -+ elif check_module "squash-erofs"; then -+ _handler="squash-erofs" - else - dfatal "No valid handler for found" - return 1 --- -2.42.0 - 
diff --git a/0017-feat-lsinitrd-add-support-for-erofs-images.patch b/0017-feat-lsinitrd-add-support-for-erofs-images.patch
deleted file mode 100644
index 39cd22e..0000000
--- a/0017-feat-lsinitrd-add-support-for-erofs-images.patch
+++ /dev/null
@@ -1,240 +0,0 @@ -From fc5efe96e0ffbfa447d27ba28245420f91b638dc Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 23 Jul 2024 18:33:37 +0200 -Subject: [PATCH 17/32] feat(lsinitrd): add support for erofs images - -Add support to handle erofs images in lsinitrd. Unfortunately the erofs -tooling is missing some functionality of unsquashfs, esp. the ability to -extract single files and list the content of the image. Work around this -deficiency by always extracting the full image and emulate the missing -functionality as close as possible. - -While at it also handle the rename of the squashfs image to -squashfs-root.img. - -Signed-off-by: Philipp Rudo - -(cherry picked from commit 009b4ccc94fe3fcf129dddc5aca4f25b1e1b1862) - -Resolves: RHEL-43460 ---- - lsinitrd.sh | 167 +++++++++++++++++++++++++++++++++++----------------- - 1 file changed, 113 insertions(+), 54 deletions(-) - -diff --git a/lsinitrd.sh b/lsinitrd.sh -index b36d0e12..6799f938 100755 ---- a/lsinitrd.sh -+++ b/lsinitrd.sh -@@ -174,10 +174,47 @@ dracutlibdirs() { - done - } - -+SQUASH_TMPFILE="" -+SQUASH_EXTRACT="$TMPDIR/squash-extract" -+ -+extract_squash_img() { -+ local _img _tmp -+ -+ [[ $SQUASH_TMPDIR == none ]] && return 1 -+ [[ -s $SQUASH_TMPFILE ]] && return 0 -+ -+ # Before dracut 104 the image was named squash-root.img. Keep the old name -+ # so newer versions of lsinitrd can inspect initrds build with older dracut -+ # versions. -+ for _img in squash-root.img squashfs-root.img erofs-root.img; do -+ _tmp="$TMPDIR/$_img" -+ $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout -- \ -+ $_img > "$_tmp" 2> /dev/null -+ [[ -s $_tmp ]] || continue -+ -+ SQUASH_TMPFILE="$_tmp" -+ -+ # fsck.erofs doesn't allow extracting single files or listing the -+ # content of the image. So always extract the full image. 
-+ if [[ $_img == erofs-root.img ]]; then -+ mkdir -p "$SQUASH_EXTRACT" -+ fsck.erofs --extract="$SQUASH_EXTRACT/erofs-root" --overwrite "$SQUASH_TMPFILE" 2> /dev/null -+ ((ret += $?)) -+ fi -+ -+ break -+ done -+ -+ if [[ -z $SQUASH_TMPFILE ]]; then -+ SQUASH_TMPFILE=none -+ return 1 -+ fi -+ -+ return 0 -+} -+ - extract_files() { -- SQUASH_IMG="squash-root.img" -- SQUASH_TMPFILE="$TMPDIR/initrd.root.sqsh" -- SQUASH_EXTRACT="$TMPDIR/squash-extract" -+ local nofileinfo - - ((${#filenames[@]} == 1)) && nofileinfo=1 - for f in "${!filenames[@]}"; do -@@ -185,18 +222,24 @@ extract_files() { - [[ $nofileinfo ]] || echo "========================================================================" - # shellcheck disable=SC2001 - [[ $f == *"\\x"* ]] && f=$(echo "$f" | sed 's/\\x.\{2\}/????/g') -- $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout "$f" 2> /dev/null -- ((ret += $?)) -- if [[ -z ${f/#squashfs-root*/} ]]; then -- if [[ ! -s $SQUASH_TMPFILE ]]; then -- $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout -- \ -- $SQUASH_IMG > "$SQUASH_TMPFILE" 2> /dev/null -- fi -- unsquashfs -force -d "$SQUASH_EXTRACT" -no-progress "$SQUASH_TMPFILE" "${f#squashfs-root/}" > /dev/null 2>&1 -- ((ret += $?)) -- cat "$SQUASH_EXTRACT/${f#squashfs-root/}" 2> /dev/null -- rm "$SQUASH_EXTRACT/${f#squashfs-root/}" 2> /dev/null -- fi -+ -+ case $f in -+ squashfs-root/*) -+ extract_squash_img -+ unsquashfs -force -d "$SQUASH_EXTRACT" -no-progress "$SQUASH_TMPFILE" "${f#squashfs-root/}" &> /dev/null -+ ((ret += $?)) -+ cat "$SQUASH_EXTRACT/${f#squashfs-root/}" 2> /dev/null -+ ;; -+ erofs-root/*) -+ extract_squash_img -+ cat "$SQUASH_EXTRACT/$f" 2> /dev/null -+ ;; -+ *) -+ $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout "$f" 2> /dev/null -+ ((ret += $?)) -+ ;; -+ esac -+ - [[ $nofileinfo ]] || echo "========================================================================" - [[ $nofileinfo ]] || echo - done -@@ -222,66 
+265,82 @@ list_files() { - } - - list_squash_content() { -- SQUASH_IMG="squash-root.img" -- SQUASH_TMPFILE="$TMPDIR/initrd.root.sqsh" -+ extract_squash_img || return 0 - -- $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout -- \ -- $SQUASH_IMG > "$SQUASH_TMPFILE" 2> /dev/null -- if [[ -s $SQUASH_TMPFILE ]]; then -- echo "Squashed content ($SQUASH_IMG):" -- echo "========================================================================" -- unsquashfs -d "squashfs-root" -ll "$SQUASH_TMPFILE" | tail -n +4 -- echo "========================================================================" -- fi -+ echo "Squashed content (${SQUASH_TMPFILE##*/}):" -+ echo "========================================================================" -+ case $SQUASH_TMPFILE in -+ */squash-root.img | */squashfs-root.img) -+ unsquashfs -ll "$SQUASH_TMPFILE" | tail -n +4 -+ ;; -+ */erofs-root.img) -+ ( -+ cd "$SQUASH_EXTRACT" || return 1 -+ find erofs-root/ -ls -+ ) -+ ;; -+ esac -+ echo "========================================================================" - } - - list_cmdline() { -- # depends on list_squash_content() having run before -- SQUASH_IMG="squash-root.img" -- SQUASH_TMPFILE="$TMPDIR/initrd.root.sqsh" -- SQUASH_EXTRACT="$TMPDIR/squash-extract" - - echo "dracut cmdline:" - # shellcheck disable=SC2046 - $CAT "$image" | cpio --extract --verbose --quiet --to-stdout -- \ - etc/cmdline.d/\*.conf 2> /dev/null - ((ret += $?)) -- if [[ -s $SQUASH_TMPFILE ]]; then -- unsquashfs -force -d "$SQUASH_EXTRACT" -no-progress "$SQUASH_TMPFILE" etc/cmdline.d/\*.conf > /dev/null 2>&1 -- ((ret += $?)) -- cat "$SQUASH_EXTRACT"/etc/cmdline.d/*.conf 2> /dev/null -- rm "$SQUASH_EXTRACT"/etc/cmdline.d/*.conf 2> /dev/null -- fi -+ -+ extract_squash_img || return 0 -+ case $SQUASH_TMPFILE in -+ */squash-root.img | */squashfs-root.img) -+ unsquashfs -force -d "$SQUASH_EXTRACT" -no-progress "$SQUASH_TMPFILE" etc/cmdline.d/\*.conf &> /dev/null -+ ((ret += $?)) -+ cat 
"$SQUASH_EXTRACT"/etc/cmdline.d/*.conf 2> /dev/null -+ ;; -+ */erofs-root.img) -+ cat "$SQUASH_EXTRACT"/erofs-root/etc/cmdline.d/*.conf 2> /dev/null -+ ;; -+ esac -+ - } - - unpack_files() { -- SQUASH_IMG="squash-root.img" -- SQUASH_TMPFILE="$TMPDIR/initrd.root.sqsh" -- - if ((${#filenames[@]} > 0)); then - for f in "${!filenames[@]}"; do - # shellcheck disable=SC2001 - [[ $f == *"\\x"* ]] && f=$(echo "$f" | sed 's/\\x.\{2\}/????/g') -- $CAT "$image" 2> /dev/null | cpio -id --quiet $verbose "$f" -- ((ret += $?)) -- if [[ -z ${f/#squashfs-root*/} ]]; then -- if [[ ! -s $SQUASH_TMPFILE ]]; then -- $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout -- \ -- $SQUASH_IMG > "$SQUASH_TMPFILE" 2> /dev/null -- fi -- unsquashfs -force -d "squashfs-root" -no-progress "$SQUASH_TMPFILE" "${f#squashfs-root/}" > /dev/null -- ((ret += $?)) -- fi -+ case $f in -+ squashfs-root/*) -+ extract_squash_img || continue -+ unsquashfs -force -d "squashfs-root" -no-progress "$SQUASH_TMPFILE" "${f#squashfs-root/}" > /dev/null -+ ((ret += $?)) -+ ;; -+ erofs-root/*) -+ extract_squash_img || continue -+ mkdir -p "${f%/*}" -+ cp -rf "$SQUASH_EXTRACT/$f" "$f" -+ ;; -+ *) -+ $CAT "$image" 2> /dev/null | cpio -id --quiet $verbose "$f" -+ ((ret += $?)) -+ ;; -+ esac - done - else - $CAT "$image" 2> /dev/null | cpio -id --quiet $verbose - ((ret += $?)) -- $CAT "$image" 2> /dev/null | cpio --extract --verbose --quiet --to-stdout -- \ -- $SQUASH_IMG > "$SQUASH_TMPFILE" 2> /dev/null -- if [[ -s $SQUASH_TMPFILE ]]; then -- unsquashfs -d "squashfs-root" -no-progress "$SQUASH_TMPFILE" > /dev/null -- ((ret += $?)) -- fi -+ -+ extract_squash_img || return 0 -+ case $SQUASH_TMPFILE in -+ */squash-root.img | */squashfs-root.img) -+ unsquashfs -d "squashfs-root" -no-progress "$SQUASH_TMPFILE" > /dev/null -+ ((ret += $?)) -+ ;; -+ */erofs-root.img) -+ cp -rf "$SQUASH_EXTRACT/erofs-root" . -+ ;; -+ esac - fi - } - --- -2.42.0 - 
diff --git a/0018-feat-dracut-initramfs-restore-unpack-erofs-images.patch b/0018-feat-dracut-initramfs-restore-unpack-erofs-images.patch
deleted file mode 100644
index bb44c8e..0000000
--- a/0018-feat-dracut-initramfs-restore-unpack-erofs-images.patch
+++ /dev/null
@@ -1,59 +0,0 @@ -From ac4b18bf89bfa440ff741557fe9928cd2b19b66e Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 30 Jul 2024 17:24:28 +0200 -Subject: [PATCH 18/32] feat(dracut-initramfs-restore): unpack erofs images - -Follow the example for squashfs images and also unpack erofs images in -dracut-initramfs-restore. - -Signed-off-by: Philipp Rudo - -(cherry picked from commit b390e194911835e6bd24eeeb0946e374852b8ddc) - -Resolves: RHEL-43460 ---- - dracut-initramfs-restore.sh | 10 ++++++++-- - modules.d/95squash-erofs/module-setup.sh | 2 +- - 2 files changed, 9 insertions(+), 3 deletions(-) - -diff --git a/dracut-initramfs-restore.sh b/dracut-initramfs-restore.sh -index 74725308..98cfaed7 100755 ---- a/dracut-initramfs-restore.sh -+++ b/dracut-initramfs-restore.sh -@@ -81,12 +81,18 @@ else - exit 1 - fi - --if [[ -d squash ]]; then -- if ! unsquashfs -no-xattrs -f -d . squash-root.img > /dev/null; then -+if [[ -f squashfs-root.img ]]; then -+ if ! unsquashfs -no-xattrs -f -d . squashfs-root.img > /dev/null; then - echo "Squash module is enabled for this initramfs but failed to unpack squash-root.img" >&2 - rm -f -- /run/initramfs/shutdown - exit 1 - fi -+elif [[ -f erofs-root.img ]]; then -+ if ! fsck.erofs --extract=. --overwrite erofs-root.img > /dev/null; then -+ echo "Squash module is enabled for this initramfs but failed to unpack erofs-root.img" >&2 -+ rm -f -- /run/initramfs/shutdown -+ exit 1 -+ fi - fi - - if grep -q -w selinux /sys/kernel/security/lsm 2> /dev/null \ -diff --git a/modules.d/95squash-erofs/module-setup.sh b/modules.d/95squash-erofs/module-setup.sh -index 71c2b672..d763a902 100755 ---- a/modules.d/95squash-erofs/module-setup.sh -+++ b/modules.d/95squash-erofs/module-setup.sh -@@ -1,7 +1,7 @@ - #!/bin/bash - - check() { -- require_binaries mkfs.erofs || return 1 -+ require_binaries mkfs.erofs fsck.erofs || return 1 - require_kernel_modules erofs || return 1 - - return 255 --- -2.42.0 - 
diff --git a/0019-fix-squash-explicitly-create-required-directories.patch b/0019-fix-squash-explicitly-create-required-directories.patch
deleted file mode 100644
index c6d6ed3..0000000
--- a/0019-fix-squash-explicitly-create-required-directories.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From c0bd2334708d9bfc6fbeb1c63eae0037eb4157b6 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 30 Jul 2024 13:35:17 +0200 -Subject: [PATCH 19/32] fix(squash): explicitly create required directories - -At the moment 99squash relies on dracut-install to create the required -directories it later links to. This approach is error prone and will -cause problems when switching to use 99busybox later on, which tries to -add a link to /usr/sbin that hasn't been created. Thus explicitly -create the expected directories before installing the minimal initrd. - -Signed-off-by: Philipp Rudo -(cherry picked from commit dde95b10ff6b28330370fd697350f8bc5da422da) - -Related: RHEL-43460 ---- - modules.d/99squash/module-setup.sh | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index 5cbbec63..6aa649b7 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -40,12 +40,15 @@ squash_get_handler() { - } - - squash_install() { -- local _busybox -+ local _busybox _dir - _busybox=$(find_binary busybox) - -- # Create mount points for squash loader -- mkdir -p "$initdir"/squash/ -- mkdir -p "$squashdir"/squash/ -+ # Create mount points for squash loader and basic directories -+ mkdir -p "$initdir"/squash -+ for _dir in squash usr/bin usr/sbin usr/lib; do -+ mkdir -p "$squashdir/$_dir" -+ [[ $_dir == usr/* ]] && ln_r "/$_dir" "${_dir#usr}" -+ done - - # Install required modules and binaries for the squash image init script. - if [[ $_busybox ]]; then -@@ -67,8 +70,6 @@ squash_install() { - dracut_kernel_post - - # Install squash image init script. -- ln_r /usr/bin /bin -- ln_r /usr/sbin /sbin - inst_simple "$moddir"/init-squash.sh /init - - # make sure that library links are correct and up to date for squash loader --- -2.42.0 - 
diff --git a/0020-fix-squash-use-99busybox-instead-of-installing-it-ma.patch b/0020-fix-squash-use-99busybox-instead-of-installing-it-ma.patch
deleted file mode 100644
index cbff394..0000000
--- a/0020-fix-squash-use-99busybox-instead-of-installing-it-ma.patch
+++ /dev/null
@@ -1,64 +0,0 @@ -From eef65961330c8fb68493d9a3eab55171482984c1 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 30 Jul 2024 13:44:32 +0200 -Subject: [PATCH 20/32] fix(squash): use 99busybox instead of installing it - manually - -Make use of 99busybox in 99squash rather than installing it manually. -This not only removes duplicate code but allows mixing of busybox with -tools from coreutils. This requires a small change in 99busybox to -remove the hard coded use of $initdir. - -Suggested-by: Laszlo Gombos -Signed-off-by: Philipp Rudo - -(cherry picked from commit 395366278f473038badba239f76cac391428b149) - -Related: RHEL-43460 ---- - modules.d/05busybox/module-setup.sh | 5 +++++ - modules.d/99squash/module-setup.sh | 5 +---- - 2 files changed, 6 insertions(+), 4 deletions(-) - -diff --git a/modules.d/05busybox/module-setup.sh b/modules.d/05busybox/module-setup.sh -index 86b3761a..857145c9 100755 ---- a/modules.d/05busybox/module-setup.sh -+++ b/modules.d/05busybox/module-setup.sh -@@ -15,6 +15,7 @@ depends() { - # called by dracut - install() { - local _i _path _busybox -+ local _dstdir="${dstdir:-"$initdir"}" - local _progs=() - _busybox=$(find_binary busybox) - inst "$_busybox" /usr/bin/busybox -@@ -26,6 +27,10 @@ install() { - for _i in "${_progs[@]}"; do - _path=$(find_binary "$_i") - [ -z "$_path" ] && continue -+ -+ # do not remove existing destination files -+ [ -e "${_dstdir}/$_path" ] && continue -+ - ln_r /usr/bin/busybox "$_path" - done - } -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index 6aa649b7..56f70774 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -52,10 +52,7 @@ squash_install() { - - # Install required modules and binaries for the squash image init script. 
- if [[ $_busybox ]]; then -- inst "$_busybox" /usr/bin/busybox -- for _i in sh echo mount modprobe mkdir switch_root grep umount; do -- ln_r /usr/bin/busybox /usr/bin/$_i -- done -+ module_install "busybox" - else - DRACUT_RESOLVE_DEPS=1 inst_multiple sh mount modprobe mkdir switch_root grep umount - --- -2.42.0 - diff --git a/0026-fix-nfs-include-also-entries-from-usr-lib-passwd-gro.patch b/0026-fix-nfs-include-also-entries-from-usr-lib-passwd-gro.patch deleted file mode 100644 index c6a8033..0000000 --- a/0026-fix-nfs-include-also-entries-from-usr-lib-passwd-gro.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 4dfd0c8de071f074c813a87cc06335fa43e93a9d Mon Sep 17 00:00:00 2001 -From: Pavel Valena -Date: Thu, 8 Aug 2024 00:55:03 +0200 -Subject: [PATCH 26/32] fix(nfs): include also entries from - /usr/lib/{passwd,group} - -as those paths are used by bootc instead of the /etc ones. - -(cherry picked from commit 45cdf3c4f24f77f04b264a7747f115d1031b2e67) - -Resolves: RHEL-53431 ---- - modules.d/95nfs/module-setup.sh | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/modules.d/95nfs/module-setup.sh b/modules.d/95nfs/module-setup.sh -index fbaeeb00..df2d0e05 100755 ---- a/modules.d/95nfs/module-setup.sh -+++ b/modules.d/95nfs/module-setup.sh -@@ -130,8 +130,15 @@ install() { - - # Rather than copy the passwd file in, just set a user for rpcbind - # We'll save the state and restart the daemon from the root anyway -- grep -E '^(nfsnobody|_rpc|rpc|rpcuser):' "$dracutsysrootdir"/etc/passwd >> "$initdir/etc/passwd" -- grep -E '^nogroup:|^rpc:|^nobody:' "$dracutsysrootdir"/etc/group >> "$initdir/etc/group" -+ local _confdir -+ for _confdir in etc usr/lib; do -+ -+ grep -sE '^(nfsnobody|_rpc|rpc|rpcuser):' "${dracutsysrootdir}/${_confdir}/passwd" \ -+ >> "$initdir/${_confdir}/passwd" -+ -+ grep -sE '^(nogroup|rpc|nobody):' "${dracutsysrootdir}/${_confdir}/group" \ -+ >> "$initdir/${_confdir}/group" -+ done - - dracut_need_initqueue - } --- -2.42.0 - 
diff --git a/0027-revert-dracut-init.sh-add-module-to-mods_to_load-bef.patch b/0027-revert-dracut-init.sh-add-module-to-mods_to_load-bef.patch
deleted file mode 100644
index 7b83a3d..0000000
--- a/0027-revert-dracut-init.sh-add-module-to-mods_to_load-bef.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From f26573ec709c7703863e8affdec990b100c25598 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Mon, 26 Aug 2024 15:58:54 +0200 -Subject: [PATCH 27/32] revert(dracut-init.sh): add module to mods_to_load - before checking dependencies - -Commit d0f8fde5 ("fix(dracut-init.sh): add module to mods_to_load before -checking dependencies") introduced a regression. When dracut is in -"auto" mode, i.e. '--modules auto' or no --modules is provided, the -expected behavior is that all modules that return 0 in their check() -function are included. Except for the ones where the dependencies cannot -be installed. The commit however, caused those modules to be included -without their dependencies. Thus revert the commit. - -This reverts commit d0f8fde5668cfd7fda1d15824e268b4949b4fd04. - -Reported-by: Jo Zzsi -Signed-off-by: Philipp Rudo - -(cherry picked from commit bddbb11bbbfc405317a6fbd53bb189b575d46da2) - -Resolves: RHEL-43460 ---- - dracut-init.sh | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/dracut-init.sh b/dracut-init.sh -index 3917bb0d..644825c9 100755 ---- a/dracut-init.sh -+++ b/dracut-init.sh -@@ -924,9 +924,6 @@ check_mount() { - fi - fi - -- [[ " $mods_to_load " == *\ $_mod\ * ]] \ -- || mods_to_load+=" $_mod " -- - for _moddep in $(module_depends "$_mod" "$_moddir"); do - # handle deps as if they were manually added - [[ " $dracutmodules " == *\ $_mod\ * ]] \ -@@ -945,6 +942,9 @@ check_mount() { - fi - done - -+ [[ " $mods_to_load " == *\ $_mod\ * ]] \ -+ || mods_to_load+=" $_mod " -+ - return 0 - } - -@@ -1001,9 +1001,6 @@ check_module() { - fi - fi - -- [[ " $mods_to_load " == *\ $_mod\ * ]] \ -- || mods_to_load+=" $_mod " -- - for _moddep in $(module_depends "$_mod" "$_moddir"); do - # handle deps as if they were manually added - [[ " $dracutmodules " == *\ $_mod\ * ]] \ -@@ -1022,6 +1019,9 @@ check_module() { - fi - done - -+ [[ " $mods_to_load " == *\ $_mod\ * ]] \ -+ || mods_to_load+=" $_mod " -+ - 
return 0 - } - --- -2.42.0 - diff --git a/0028-fix-squash-remove-cyclic-dependency.patch b/0028-fix-squash-remove-cyclic-dependency.patch deleted file mode 100644 index 44ea2c9..0000000 --- a/0028-fix-squash-remove-cyclic-dependency.patch +++ /dev/null 
@@ -1,313 +0,0 @@ -From 043aef3a9dee83818d67697fb6ad203dc3e87c39 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Mon, 26 Aug 2024 15:23:41 +0200 -Subject: [PATCH 28/32] fix(squash): remove cyclic dependency - -With commit d0f8fde5 ("fix(dracut-init.sh): add module to mods_to_load -before checking dependencies") reverted 99squash can no longer rely on -dracut_module_included working as expected in its check() and depends() -function. Solve this problem by breaking up the cyclic dependency -between 99squash and 95squash-{squashfs,erofs} as the commit was -originally introduced to allow this cyclic dependency. - -This requires to move all code shared by 95squash-{squashfs,erofs} from -99squash to a new 99squash-lib module and update the dependencies -accordingly. In addition update the checks in dracut.sh to check for -99squash-lib as 99squash is no longer guaranteed to be included. -Finally make sure that 99squash-lib isn't included without a back -end. - -While at it improve and align the error messages in 99squash and -99squash-lib. 
- -Signed-off-by: Philipp Rudo -(cherry picked from commit d5783635950e38cccf334e7163db79f280650fa2) - -Resolves: RHEL-43460 ---- - dracut.sh | 6 +- - modules.d/95squash-erofs/module-setup.sh | 2 +- - modules.d/95squash-squashfs/module-setup.sh | 2 +- - .../{99squash => 99squash-lib}/init-squash.sh | 0 - modules.d/99squash-lib/module-setup.sh | 101 ++++++++++++++++++ - modules.d/99squash/module-setup.sh | 80 +------------- - 6 files changed, 110 insertions(+), 81 deletions(-) - rename modules.d/{99squash => 99squash-lib}/init-squash.sh (100%) - create mode 100755 modules.d/99squash-lib/module-setup.sh - -diff --git a/dracut.sh b/dracut.sh -index 4d2e3df2..db6713a9 100755 ---- a/dracut.sh -+++ b/dracut.sh -@@ -1894,7 +1894,7 @@ if [[ $kernel_only != yes ]]; then - fi - fi - --dracut_module_included "squash" && mkdir -p "$squashdir" -+dracut_module_included "squash-lib" && mkdir -p "$squashdir" - - _isize=0 #initramfs size - modules_loaded=" " -@@ -2264,9 +2264,9 @@ if [[ $do_strip == yes ]] && ! 
[[ $DRACUT_FIPS_MODE ]]; then - dinfo "*** Stripping files done ***" - fi - --if dracut_module_included "squash"; then -+if dracut_module_included "squash-lib"; then - dinfo "*** Squashing the files inside the initramfs ***" -- DRACUT_SQUASH_POST_INST=1 module_install "squash" -+ DRACUT_SQUASH_POST_INST=1 module_install "squash-lib" - rm -rf "$squashdir" - dinfo "*** Squashing the files inside the initramfs done ***" - -diff --git a/modules.d/95squash-erofs/module-setup.sh b/modules.d/95squash-erofs/module-setup.sh -index d763a902..a6e7ad0b 100755 ---- a/modules.d/95squash-erofs/module-setup.sh -+++ b/modules.d/95squash-erofs/module-setup.sh -@@ -8,7 +8,7 @@ check() { - } - - depends() { -- echo "squash" -+ echo "squash-lib" - return 0 - } - -diff --git a/modules.d/95squash-squashfs/module-setup.sh b/modules.d/95squash-squashfs/module-setup.sh -index 83973700..d15586da 100755 ---- a/modules.d/95squash-squashfs/module-setup.sh -+++ b/modules.d/95squash-squashfs/module-setup.sh -@@ -8,7 +8,7 @@ check() { - } - - depends() { -- echo "squash" -+ echo "squash-lib" - return 0 - } - -diff --git a/modules.d/99squash/init-squash.sh b/modules.d/99squash-lib/init-squash.sh -similarity index 100% -rename from modules.d/99squash/init-squash.sh -rename to modules.d/99squash-lib/init-squash.sh -diff --git a/modules.d/99squash-lib/module-setup.sh b/modules.d/99squash-lib/module-setup.sh -new file mode 100755 -index 00000000..6a0b6f85 ---- /dev/null -+++ b/modules.d/99squash-lib/module-setup.sh -@@ -0,0 +1,101 @@ -+#!/bin/bash -+ -+check() { -+ require_kernel_modules loop overlay || return 1 -+ -+ return 255 -+} -+ -+depends() { -+ echo "systemd-initrd" -+ -+ return 0 -+} -+ -+squash_get_handler() { -+ local _module _handler -+ local -a _modules=(squash-squashfs squash-erofs) -+ -+ for _module in "${_modules[@]}"; do -+ if dracut_module_included "$_module"; then -+ _handler="$_module" -+ break -+ fi -+ done -+ -+ if [[ -z $_handler ]]; then -+ dfatal "Cannot include squash-lib 
directly. It requires one of: ${_modules[*]}" -+ return 1 -+ fi -+ -+ echo "$_handler" -+} -+ -+squash_install() { -+ local _busybox _dir -+ -+ # verify that there is a valid handler before doing anything -+ squash_get_handler > /dev/null || return 1 -+ -+ _busybox=$(find_binary busybox) -+ -+ # Create mount points for squash loader and basic directories -+ mkdir -p "$initdir"/squash -+ for _dir in squash usr/bin usr/sbin usr/lib; do -+ mkdir -p "$squashdir/$_dir" -+ [[ $_dir == usr/* ]] && ln_r "/$_dir" "${_dir#usr}" -+ done -+ -+ # Install required modules and binaries for the squash image init script. -+ if [[ $_busybox ]]; then -+ module_install "busybox" -+ else -+ DRACUT_RESOLVE_DEPS=1 inst_multiple sh mount modprobe mkdir switch_root grep umount -+ -+ # libpthread workaround: pthread_cancel wants to dlopen libgcc_s.so -+ inst_libdir_file -o "libgcc_s.so*" -+ -+ # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled -+ [[ $DRACUT_FIPS_MODE ]] && inst_libdir_file -o "libssl.so*" -+ fi -+ -+ hostonly="" instmods "loop" "overlay" -+ dracut_kernel_post -+ -+ # Install squash image init script. 
-+ inst_simple "$moddir"/init-squash.sh /init -+ -+ # make sure that library links are correct and up to date for squash loader -+ build_ld_cache -+} -+ -+squash_installpost() { -+ local _file _handler -+ -+ _handler=$(squash_get_handler) -+ [[ -n $_handler ]] || return 1 -+ -+ DRACUT_SQUASH_POST_INST=1 module_install "$_handler" -+ -+ # Rescue the dracut spec files so dracut rebuild and lsinitrd can work -+ for _file in "$initdir"/usr/lib/dracut/*; do -+ [[ -f $_file ]] || continue -+ DRACUT_RESOLVE_DEPS=1 dstdir=$squashdir inst "$_file" "${_file#"$initdir"}" -+ done -+ -+ # Remove everything that got squashed into the image -+ for _file in "$initdir"/*; do -+ [[ $_file == "$squashdir" ]] && continue -+ rm -rf "$_file" -+ done -+ mv "$squashdir"/* "$initdir" -+} -+ -+install() { -+ -+ if [[ $DRACUT_SQUASH_POST_INST ]]; then -+ squash_installpost -+ else -+ dstdir="$squashdir" squash_install -+ fi -+} -diff --git a/modules.d/99squash/module-setup.sh b/modules.d/99squash/module-setup.sh -index 56f70774..c48ba2c5 100755 ---- a/modules.d/99squash/module-setup.sh -+++ b/modules.d/99squash/module-setup.sh -@@ -1,102 +1,30 @@ - #!/bin/bash - - check() { -- require_kernel_modules loop overlay || return 1 -- - return 255 - } - - depends() { -- local _handler -- -- _handler=$(squash_get_handler) || return 1 -- -- echo "systemd-initrd $_handler" -- return 0 --} -- --squash_get_handler() { - local _module _handler -+ local -a _modules=(squash-squashfs squash-erofs) - -- for _module in squash-squashfs squash-erofs; do -+ for _module in "${_modules[@]}"; do - if dracut_module_included "$_module"; then - _handler="$_module" - break - fi - done - -- if [ -z "$_handler" ]; then -+ if [[ -z $_handler ]]; then - if check_module "squash-squashfs"; then - _handler="squash-squashfs" - elif check_module "squash-erofs"; then - _handler="squash-erofs" - else -- dfatal "No valid handler for found" -+ dfatal "Cannot find valid handler for squash. 
It requires one of: ${_modules[*]}" - return 1 - fi - fi - - echo "$_handler" - } -- --squash_install() { -- local _busybox _dir -- _busybox=$(find_binary busybox) -- -- # Create mount points for squash loader and basic directories -- mkdir -p "$initdir"/squash -- for _dir in squash usr/bin usr/sbin usr/lib; do -- mkdir -p "$squashdir/$_dir" -- [[ $_dir == usr/* ]] && ln_r "/$_dir" "${_dir#usr}" -- done -- -- # Install required modules and binaries for the squash image init script. -- if [[ $_busybox ]]; then -- module_install "busybox" -- else -- DRACUT_RESOLVE_DEPS=1 inst_multiple sh mount modprobe mkdir switch_root grep umount -- -- # libpthread workaround: pthread_cancel wants to dlopen libgcc_s.so -- inst_libdir_file -o "libgcc_s.so*" -- -- # FIPS workaround for Fedora/RHEL: libcrypto needs libssl when FIPS is enabled -- [[ $DRACUT_FIPS_MODE ]] && inst_libdir_file -o "libssl.so*" -- fi -- -- hostonly="" instmods "loop" "overlay" -- dracut_kernel_post -- -- # Install squash image init script. -- inst_simple "$moddir"/init-squash.sh /init -- -- # make sure that library links are correct and up to date for squash loader -- build_ld_cache --} -- --squash_installpost() { -- local _file -- -- DRACUT_SQUASH_POST_INST=1 module_install "$(squash_get_handler)" -- -- # Rescue the dracut spec files so dracut rebuild and lsinitrd can work -- for _file in "$initdir"/usr/lib/dracut/*; do -- [[ -f $_file ]] || continue -- DRACUT_RESOLVE_DEPS=1 dstdir=$squashdir inst "$_file" "${_file#"$initdir"}" -- done -- -- # Remove everything that got squashed into the image -- for _file in "$initdir"/*; do -- [[ $_file == "$squashdir" ]] && continue -- rm -rf "$_file" -- done -- mv "$squashdir"/* "$initdir" --} -- --install() { -- -- if [[ $DRACUT_SQUASH_POST_INST ]]; then -- squash_installpost -- else -- dstdir="$squashdir" squash_install -- fi --} --- -2.42.0 - 
diff --git a/0029-fix-dracut.sh-exit-when-installing-the-squash-loader.patch b/0029-fix-dracut.sh-exit-when-installing-the-squash-loader.patch deleted file mode 100644 index 3ddcf42..0000000 --- a/0029-fix-dracut.sh-exit-when-installing-the-squash-loader.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 2ce3f3ff72e608d7a3d42b566f9772393e313df4 Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Tue, 27 Aug 2024 12:14:40 +0200 -Subject: [PATCH 29/32] fix(dracut.sh): exit when installing the squash loader - fails - -The postinstall phase in 99squash-lib can fail, e.g. when 99squash-lib -is added without one of the required back ends. Usually this isn't fatal -and simply results in a "normal" initrd, i.e. one without squashed -image, being created. Nevertheless, a user needs to explicitly add one -of the required modules for the code to be triggered. So it is better -to fail with an error rather than giving the user something he didn't -ask for. - -Signed-off-by: Philipp Rudo -(cherry picked from commit 8909d892a7a055ae95be45416e6fbf1b833ff426) - -Resolves: RHEL-43460 ---- - dracut.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/dracut.sh b/dracut.sh -index db6713a9..c5ef61ad 100755 ---- a/dracut.sh -+++ b/dracut.sh -@@ -2266,7 +2266,7 @@ fi - - if dracut_module_included "squash-lib"; then - dinfo "*** Squashing the files inside the initramfs ***" -- DRACUT_SQUASH_POST_INST=1 module_install "squash-lib" -+ DRACUT_SQUASH_POST_INST=1 module_install "squash-lib" || exit 1 - rm -rf "$squashdir" - dinfo "*** Squashing the files inside the initramfs done ***" - --- -2.42.0 - diff --git a/0030-fix-squash-lib-harden-against-empty-initdir.patch b/0030-fix-squash-lib-harden-against-empty-initdir.patch deleted file mode 100644 index 405f109..0000000 --- a/0030-fix-squash-lib-harden-against-empty-initdir.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From e391c64afd187a81861301c949db5ffd1f9a3e5d Mon Sep 17 00:00:00 2001 -From: Philipp Rudo -Date: Mon, 26 Aug 2024 15:29:01 +0200 -Subject: [PATCH 30/32] fix(squash-lib): harden against empty $initdir - -The postinstall phase of 99squash-lib has the potential to delete the -whole rootfs if $initdir is empty. This should(tm) never happen. -Nevertheless as the consequences are so devastating it is better to -double check. - -Signed-off-by: Philipp Rudo -(cherry picked from commit 6b089c70761c81a7b82a1bfba5f2c1faef7e972f) - -Resolves: RHEL-43460 ---- - modules.d/99squash-lib/module-setup.sh | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/modules.d/99squash-lib/module-setup.sh b/modules.d/99squash-lib/module-setup.sh -index 6a0b6f85..be3d3dc0 100755 ---- a/modules.d/99squash-lib/module-setup.sh -+++ b/modules.d/99squash-lib/module-setup.sh -@@ -72,6 +72,14 @@ squash_install() { - squash_installpost() { - local _file _handler - -+ # this shouldn't happen but... -+ # ...better safe than deleting your rootfs -+ if [[ -z $initdir ]]; then -+ #shellcheck disable=SC2016 -+ dfatal '$initdir not set. Something went terribly wrong.' -+ exit 1 -+ fi -+ - _handler=$(squash_get_handler) - [[ -n $_handler ]] || return 1 - --- -2.42.0 - diff --git a/0031-feat-fips-crypto-policies-make-c-p-follow-FIPS-mode-.patch b/0031-feat-fips-crypto-policies-make-c-p-follow-FIPS-mode-.patch deleted file mode 100644 index db954ba..0000000 --- a/0031-feat-fips-crypto-policies-make-c-p-follow-FIPS-mode-.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From 626280f62a8f05e68e70b8db81eeffe196642bf3 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 8 Aug 2024 16:43:31 +0200 -Subject: [PATCH 31/32] feat(fips-crypto-policies): make c-p follow FIPS mode - automatically - -For a system that uses crypto-policies to be switched to FIPS mode -correctly, it needs to be - -- booted with `fips=1` on the kernel command line -- switched to the FIPS crypto-policy (or a policy derived from it) -- have the fips dracut module enabled - -On older systems, there were additional steps, for example, creating -`/etc/system-fips`. - -We have repeatedly seen inconsistencies between those different toggles, -either because the user space tooling to switch between those does not -(for reliability, maintainability, and compliance reasons) undo some of -the steps it does when disabling FIPS mode, or because other -installation methods (bootc, containers, image builder) independently do -some of those steps. Eventually, all of these ended with user confusion. - -We can avoid this situation by eliminating the difference by treating -the `fips=1` kernel command line switch as a single source of truth, and -making all others follow automatically. This module provides this for -crypto-policies, by adding bind-mounts before pivot if the system has -not already been switched to a FIPS-based crypto-policy. - -This requires some support from the crypto-policies package (because it -needs to deal with the bind mounts when a user calls -`update-crypto-policies --set`), so make it a no-op unless - - - `fips=1` is on the kernel command line - - crypto-policies is installed - - crypto-policies supports the bind-mounts (indicated by the presence - of the `default-fips-config` file) - - the policy isn't already FIPS - -These checks should make this safe to add to the initramfs on all -current systems. 
- -The bind-mounts also need to happen in the initramfs already, because -systemd links against OpenSSL, and doing them later means that systemd -will start with an OpenSSL configuration that isn't tailored for FIPS. - -See also [1], which adds the user space support to crypto-policies, -along with a systemd service that does the same steps in case dracut -hasn't already done them (which is useful for environments that don't -use an initramfs like containers). - - [1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/191 - -Signed-off-by: Clemens Lang -(cherry picked from commit bd3c1e1cc2f656f7ee4ff47e00ca716d52a86a3d) - -Resolves: RHEL-59678 ---- - .../fips-crypto-policies.sh | 52 +++++++++++++++++++ - .../01fips-crypto-policies/module-setup.sh | 27 ++++++++++ - 2 files changed, 79 insertions(+) - create mode 100755 modules.d/01fips-crypto-policies/fips-crypto-policies.sh - create mode 100755 modules.d/01fips-crypto-policies/module-setup.sh - -diff --git a/modules.d/01fips-crypto-policies/fips-crypto-policies.sh b/modules.d/01fips-crypto-policies/fips-crypto-policies.sh -new file mode 100755 -index 00000000..ff298298 ---- /dev/null -+++ b/modules.d/01fips-crypto-policies/fips-crypto-policies.sh -@@ -0,0 +1,52 @@ -+#!/usr/bin/sh -+ -+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh -+ -+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ] || [ -z "$fipsmode" ]; then -+ # Do nothing if not in FIPS mode -+ return 0 -+fi -+ -+policyfile=/etc/crypto-policies/config -+fipspolicyfile=/usr/share/crypto-policies/default-fips-config -+backends=/etc/crypto-policies/back-ends -+fipsbackends=/usr/share/crypto-policies/back-ends/FIPS -+ -+# When in FIPS mode, check the active crypto policy by reading the -+# $root/etc/crypto-policies/config file. If it is not "FIPS", or does not start -+# with "FIPS:", automatically switch to the FIPS policy by creating -+# bind-mounts. -+ -+if ! 
[ -r "${NEWROOT}${policyfile}" ]; then -+ # No crypto-policies configured, possibly not a system that uses -+ # crypto-policies? -+ return 0 -+fi -+ -+if ! [ -f "${NEWROOT}${fipspolicyfile}" ]; then -+ # crypto-policies is too old to deal with automatic bind-mounting of the -+ # FIPS policy over the normal policy, do not attempt to do the bind-mount. -+ return 0 -+fi -+ -+policy=$(cat "${NEWROOT}${policyfile}") -+ -+# Remove the largest suffix pattern matching ":*" from the string (i.e., the -+# complete list of active policy modules), then check for FIPS. This is part of -+# POSIX sh (https://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_06_02). -+if [ "${policy%%:*}" = "FIPS" ]; then -+ return 0 -+fi -+ -+# Current crypto policy is not FIPS or FIPS-based, but the system is in FIPS -+# mode; this is an inconsistent configuration. Automatically bind-mount a FIPS -+# configuration over this. -+if ! mount -o bind,ro "${NEWROOT}${fipsbackends}" "${NEWROOT}${backends}"; then -+ warn "Failed to bind-mount FIPS policy over ${backends} (the system is in FIPS mode, but the crypto-policy is not)." -+ # If this bind-mount failed, don't attempt to do the other one to avoid -+ # a system that seems to be in FIPS crypto-policy but actually is not. -+ return 0 -+fi -+ -+mount -o bind,ro "${NEWROOT}${fipspolicyfile}" "${NEWROOT}${policyfile}" \ -+ || warn "Failed to bind-mount FIPS crypto-policy state file over ${policyfile} (the system is in FIPS mode, but the crypto-policy is not)." 
-diff --git a/modules.d/01fips-crypto-policies/module-setup.sh b/modules.d/01fips-crypto-policies/module-setup.sh -new file mode 100755 -index 00000000..ee00452e ---- /dev/null -+++ b/modules.d/01fips-crypto-policies/module-setup.sh -@@ -0,0 +1,27 @@ -+#!/usr/bin/bash -+ -+# called by dracut -+check() { -+ # only enable on systems that use crypto-policies -+ [ -d "$dracutsysrootdir/etc/crypto-policies" ] && return 0 -+ -+ # include when something else depends on it or it is explicitly requested -+ return 255 -+} -+ -+# called by dracut -+depends() { -+ return 0 -+} -+ -+# called by dracut -+installkernel() { -+ return 0 -+} -+ -+# called by dracut -+install() { -+ inst_hook pre-pivot 01 "$moddir/fips-crypto-policies.sh" -+ -+ inst_multiple mount -+} --- -2.42.0 - diff --git a/0032-fix-fips-crypto-policies-make-it-depend-on-fips-drac.patch b/0032-fix-fips-crypto-policies-make-it-depend-on-fips-drac.patch deleted file mode 100644 index 7fb10a8..0000000 --- a/0032-fix-fips-crypto-policies-make-it-depend-on-fips-drac.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From cd5dbe004652d88b5d73418cba1e45c54ff9fd12 Mon Sep 17 00:00:00 2001 -From: Jo Zzsi -Date: Thu, 5 Sep 2024 09:09:36 -0400 -Subject: [PATCH 32/32] fix(fips-crypto-policies): make it depend on fips - dracut module - -(cherry picked from commit a2096dafdbfc88eed91ce34b1f4d27e7eb7ca839) - -Conflicts: - modules.d/01fips-crypto-policies/module-setup.sh - Due to upstream e6117b92fa0108dbaf9ea3ac0ec8f5a02487c812, which - was not cherry-picked. Resolved the conflict by keeping the - functions (i.e., undoing the cleanup of the upstream commit). - -Resolves: RHEL-59678 ---- - modules.d/01fips-crypto-policies/module-setup.sh | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/modules.d/01fips-crypto-policies/module-setup.sh b/modules.d/01fips-crypto-policies/module-setup.sh -index ee00452e..140eae00 100755 ---- a/modules.d/01fips-crypto-policies/module-setup.sh -+++ b/modules.d/01fips-crypto-policies/module-setup.sh -@@ -11,6 +11,7 @@ check() { - - # called by dracut - depends() { -+ echo fips - return 0 - } - --- -2.42.0 - diff --git a/dracut.spec b/dracut.spec index 9304aeb..c70fe13 100644 --- a/dracut.spec +++ b/dracut.spec @@ -7,7 +7,7 @@ %global __requires_exclude pkg-config Name: dracut -Version: 103 +Version: 105 Release: 1%{?dist} Summary: Initramfs generator using udev 
@@ -22,102 +22,45 @@ URL: https://github.com/dracut-ng/dracut-ng/wiki/ Source0: https://github.com/dracut-ng/dracut-ng/archive/refs/tags/%{version}.tar.gz Source1: https://www.gnu.org/licenses/lgpl-2.1.txt -# fix(rngd): install system service file -# Author: Pavel Valena -Patch1: 0001-fix-rngd-install-system-service-file.patch # revert: "fix(install.d): correctly install pre-genned image and die if no args" # Author: Pavel Valena -Patch2: 0002-revert-fix-install.d-correctly-install-pre-genned-im.patch +Patch1: 0001-revert-fix-install.d-correctly-install-pre-genned-im.patch # feat(kernel-install): do nothing when $KERNEL_INSTALL_INITRD_GENERATOR says so # Author: Zbigniew Jędrzejewski-Szmek -Patch3: 0003-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch +Patch2: 0002-feat-kernel-install-do-nothing-when-KERNEL_INSTALL_I.patch # fix(kernel-install): do not generate an initrd when one was specified # Author: Zbigniew Jędrzejewski-Szmek -Patch4: 0004-fix-kernel-install-do-not-generate-an-initrd-when-on.patch -# fix: incorrectly applied patch in commit c6d18c3c71597e78572378fc4dde391f1845b8 -# Author: Pavel Valena -Patch5: 0005-fix-incorrectly-applied-patch-in-commit-c6d18c3c7159.patch -# revert: "fix(crypt): unlock encrypted devices by default during boot" -# Author: Pavel Valena -Patch6: 0006-revert-fix-crypt-unlock-encrypted-devices-by-default.patch -# test: do not force include dash, let sh module make a selection -# Author: Laszlo Gombos -Patch7: 0007-test-do-not-force-include-dash-let-sh-module-make-a-.patch -# fix(dracut-functions): allow for \ in get_maj_min file path -# Author: Pavel Valena -Patch8: 0008-fix-dracut-functions-allow-for-in-get_maj_min-file-p.patch -# fix(dracut-functions.sh): only return block devices from get_persistent_dev -# Author: Fabian Vogt -Patch9: 0009-fix-dracut-functions.sh-only-return-block-devices-fr.patch -# feat(systemd*): include systemd config files from /usr/lib/systemd -# Author: Pavel Valena -Patch10: 
0010-feat-systemd-include-systemd-config-files-from-usr-l.patch +Patch3: 0003-fix-kernel-install-do-not-generate-an-initrd-when-on.patch # fix(resume): always include the resume module # Author: Pavel Valena -Patch11: 0011-fix-resume-always-include-the-resume-module.patch -# feat(dracut-init.sh): allow changing the destination directory for inst et al -# Author: Philipp Rudo -Patch12: 0012-feat-dracut-init.sh-allow-changing-the-destination-d.patch -# fix(dracut-init.sh): add module to mods_to_load before checking dependencies -# Author: Philipp Rudo -Patch13: 0013-fix-dracut-init.sh-add-module-to-mods_to_load-before.patch -# feat(squash): move mksquashfs to 99squash/modules-setup -# Author: Philipp Rudo -Patch14: 0014-feat-squash-move-mksquashfs-to-99squash-modules-setu.patch -# feat(squash): split 95squash-squashfs from 99squash -# Author: Philipp Rudo -Patch15: 0015-feat-squash-split-95squash-squashfs-from-99squash.patch -# feat(squash): add module 95squash-erofs -# Author: Philipp Rudo -Patch16: 0016-feat-squash-add-module-95squash-erofs.patch -# feat(lsinitrd): add support for erofs images -# Author: Philipp Rudo -Patch17: 0017-feat-lsinitrd-add-support-for-erofs-images.patch -# feat(dracut-initramfs-restore): unpack erofs images -# Author: Philipp Rudo -Patch18: 0018-feat-dracut-initramfs-restore-unpack-erofs-images.patch -# fix(squash): explicitly create required directories -# Author: Philipp Rudo -Patch19: 0019-fix-squash-explicitly-create-required-directories.patch -# fix(squash): use 99busybox instead of installing it manually -# Author: Philipp Rudo -Patch20: 0020-fix-squash-use-99busybox-instead-of-installing-it-ma.patch +Patch4: 0004-fix-resume-always-include-the-resume-module.patch # fix(nfs): set correct ownership and permissions for statd directory # Author: Lukas Nykryn -Patch21: 0021-fix-nfs-set-correct-ownership-and-permissions-for-st.patch -# fix(resume): do not include resume if swap is on netdevice -# Author: Pavel Valena -Patch22: 
0022-fix-resume-do-not-include-resume-if-swap-is-on-netde.patch +Patch5: 0005-fix-nfs-set-correct-ownership-and-permissions-for-st.patch # feat(dracut-init.sh): give --force-add precedence over --omit # Author: Pavel Valena -Patch23: 0023-feat-dracut-init.sh-give-force-add-precedence-over-o.patch +Patch6: 0006-feat-dracut-init.sh-give-force-add-precedence-over-o.patch # feat(lsinitrd.sh): look for initrd in /usr/lib/modules/ # Author: Pavel Valena -Patch24: 0024-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch +Patch7: 0007-feat-lsinitrd.sh-look-for-initrd-in-usr-lib-modules.patch # feat(fips): include fips module unconditionally # Author: Pavel Valena -Patch25: 0025-feat-fips-include-fips-module-unconditionally.patch -# fix(nfs): include also entries from /usr/lib/{passwd,group} -# Author: Pavel Valena -Patch26: 0026-fix-nfs-include-also-entries-from-usr-lib-passwd-gro.patch -# revert(dracut-init.sh): add module to mods_to_load before checking dependencies -# Author: Philipp Rudo -Patch27: 0027-revert-dracut-init.sh-add-module-to-mods_to_load-bef.patch -# fix(squash): remove cyclic dependency -# Author: Philipp Rudo -Patch28: 0028-fix-squash-remove-cyclic-dependency.patch -# fix(dracut.sh): exit when installing the squash loader fails -# Author: Philipp Rudo -Patch29: 0029-fix-dracut.sh-exit-when-installing-the-squash-loader.patch -# fix(squash-lib): harden against empty $initdir -# Author: Philipp Rudo -Patch30: 0030-fix-squash-lib-harden-against-empty-initdir.patch -# feat(fips-crypto-policies): make c-p follow FIPS mode automatically -# Author: Clemens Lang -Patch31: 0031-feat-fips-crypto-policies-make-c-p-follow-FIPS-mode-.patch -# fix(fips-crypto-policies): make it depend on fips dracut module +Patch8: 0008-feat-fips-include-fips-module-unconditionally.patch +# fix(systemd-ask-password): do not half-install systemd-ask-password-wall # Author: Jo Zzsi -Patch32: 0032-fix-fips-crypto-policies-make-it-depend-on-fips-drac.patch +Patch9: 
0009-fix-systemd-ask-password-do-not-half-install-systemd.patch +# fix(pcsc): add libpcsclite_real.so.* +# Author: Manuel Fombuena +Patch10: 0010-fix-pcsc-add-libpcsclite_real.so.patch +# revert: "fix(rescue): make rescue always no-hostonly" +# Author: Pavel Valena +Patch11: 0011-revert-fix-rescue-make-rescue-always-no-hostonly.patch +# fix(dracut-install): initize fts pointer +# Author: Pavel Valena +Patch12: 0012-fix-dracut-install-initize-fts-pointer.patch +# feat: add openssl module +# Author: Pavel Valena +Patch13: 0013-feat-add-openssl-module.patch # Please use source-git to work with this spec file: # HowTo: https://packit.dev/source-git/work-with-source-git @@ -131,6 +74,7 @@ BuildRequires: gcc BuildRequires: pkgconfig BuildRequires: systemd BuildRequires: bash-completion +BuildRequires: openssl-devel %if %{with doc} BuildRequires: docbook-style-xsl docbook-dtds libxslt @@ -239,8 +183,8 @@ This package contains tools to assemble the local initrd and host configuration. %package squash Summary: dracut module to build an initramfs with most files in a squashfs image Requires: %{name} = %{version}-%{release} -Requires: squashfs-tools -Suggests: erofs-utils +Requires: erofs-utils +Suggests: squashfs-tools %description squash This package provides a dracut module to build an initramfs, but store most files 
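Review bot: The patch list drops the downstream Patch29–Patch32 entries, and the new `%changelog` entry does not say where their fixes went. These are the `|| exit 1` after the squash-lib post-install, the empty-`$initdir` guard in `squash_installpost`, and the fips-crypto-policies module with its `fips` dependency. Each deleted patch file carries a "cherry picked from commit" line, so the changes are presumably in the 105 tarball, but nothing on the page confirms it. Two of them guard against a destructive `rm -rf` or an inconsistent FIPS configuration. Once checked against the new source, I would record it with a changelog line such as `- drop downstream patches 0029-0032, contained in upstream 105`.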
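Review bot: The `Summary:` of the squash subpackage still reads "most files in a squashfs image", although this hunk makes `erofs-utils` the hard requirement and demotes `squashfs-tools` to `Suggests:`. The package text therefore describes a back end whose tooling a default install no longer pulls in. I would change it to `Summary: dracut module to build an initramfs with most files in an erofs or squashfs image` and align the wording of `%description squash`, which continues outside the hunk.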
@@ -291,11 +235,19 @@ rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/95znet rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/00warpclock %endif +# we don't want example configs +rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/dracut.conf.d + +# we don't ship tests +rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/test +rm -fr -- $RPM_BUILD_ROOT/%{dracutlibdir}/modules.d/80test* + mkdir -p $RPM_BUILD_ROOT/boot/dracut mkdir -p $RPM_BUILD_ROOT/var/lib/dracut/overlay mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/log touch $RPM_BUILD_ROOT%{_localstatedir}/log/dracut.log mkdir -p $RPM_BUILD_ROOT%{_sharedstatedir}/initramfs +mkdir -p $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d install -m 0644 dracut.conf.d/fedora.conf.example $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/01-dist.conf rm -f $RPM_BUILD_ROOT%{_mandir}/man?/*suse* @@ -322,6 +274,8 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{dracutlibdir}/dracut-initramfs-restore %{dracutlibdir}/dracut-install %{dracutlibdir}/dracut-util +%{dracutlibdir}/ossl-config +%{dracutlibdir}/ossl-files %{dracutlibdir}/skipcpio %config(noreplace) %{_sysconfdir}/dracut.conf %{dracutlibdir}/dracut.conf.d/01-dist.conf @@ -342,6 +296,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %endif %{dracutlibdir}/modules.d/00bash +%{dracutlibdir}/modules.d/00shell-interpreter %{dracutlibdir}/modules.d/00systemd %{dracutlibdir}/modules.d/00systemd-network-management %ifnarch s390 s390x @@ -354,6 +309,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{dracutlibdir}/modules.d/01systemd-bsod %{dracutlibdir}/modules.d/01systemd-coredump %{dracutlibdir}/modules.d/01systemd-creds +%{dracutlibdir}/modules.d/01systemd-cryptsetup %{dracutlibdir}/modules.d/01systemd-hostnamed %{dracutlibdir}/modules.d/01systemd-initrd %{dracutlibdir}/modules.d/01systemd-integritysetup 
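Review bot: The three added `rm -fr` lines in `%install` expand `$RPM_BUILD_ROOT` unquoted and unguarded in front of a recursive delete. rpmbuild normally sets the variable, but if it were ever empty the paths would resolve under the real `%{dracutlibdir}` of the build host; this is the same class of mistake the deleted 0030 patch guarded against for `$initdir`. A guarded form costs nothing: `rm -fr -- "${RPM_BUILD_ROOT:?}"/%{dracutlibdir}/dracut.conf.d`, and likewise for the `test` and `modules.d/80test*` lines, with the glob kept outside the quotes. The neighbouring `rm` lines in the context use the unguarded form as well, and the `%install` section continues outside the hunk.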
@@ -377,7 +333,6 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/03rescue
 %{dracutlibdir}/modules.d/04watchdog
 %{dracutlibdir}/modules.d/04watchdog-modules
-%{dracutlibdir}/modules.d/05busybox
 %{dracutlibdir}/modules.d/06dbus-broker
 %{dracutlibdir}/modules.d/06dbus-daemon
 %{dracutlibdir}/modules.d/06rngd
@@ -391,9 +346,6 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/62bluetooth
 %{dracutlibdir}/modules.d/80lvmmerge
 %{dracutlibdir}/modules.d/80lvmthinpool-monitor
-%{dracutlibdir}/modules.d/80test
-%{dracutlibdir}/modules.d/80test-makeroot
-%{dracutlibdir}/modules.d/80test-root
 %{dracutlibdir}/modules.d/90btrfs
 %{dracutlibdir}/modules.d/90crypt
 %{dracutlibdir}/modules.d/90dm
@@ -409,7 +361,6 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/90ppcmac
 %{dracutlibdir}/modules.d/90pcmcia
 %{dracutlibdir}/modules.d/90qemu
-%{dracutlibdir}/modules.d/90systemd-cryptsetup
 %{dracutlibdir}/modules.d/91crypt-gpg
 %{dracutlibdir}/modules.d/91crypt-loop
 %{dracutlibdir}/modules.d/91fido2
@@ -446,8 +397,10 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/98syslog
 %{dracutlibdir}/modules.d/98usrmount
 %{dracutlibdir}/modules.d/99base
+%{dracutlibdir}/modules.d/99busybox
 %{dracutlibdir}/modules.d/99memstrack
 %{dracutlibdir}/modules.d/99fs-lib
+%{dracutlibdir}/modules.d/99openssl
 %{dracutlibdir}/modules.d/99shutdown
 %attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log
 %dir %{_sharedstatedir}/initramfs
@@ -477,7 +430,6 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{dracutlibdir}/modules.d/35connman %{dracutlibdir}/modules.d/35network-manager %{dracutlibdir}/modules.d/40network -%{dracutlibdir}/modules.d/45ifcfg %{dracutlibdir}/modules.d/90kernel-network-modules %{dracutlibdir}/modules.d/90qemu-net %{dracutlibdir}/modules.d/95cifs @@ -527,6 +479,16 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Mon Feb 17 2025 Pavel Valena - 105-1 +- build: upgrade to dracut 105 +- fix(systemd-ask-password): do not half-install systemd-ask-password-wall +- fix(pcsc): add libpcsclite_real.so.* +- revert: "fix(rescue): make rescue always no-hostonly" +- fix(dracut-install): initize fts pointer +- feat: add openssl module +- build: make erofs the default requirement for squash subpackage + Resolves: RHEL-65204,RHEL-68935,RHEL-76323 + * Fri Nov 01 2024 Pavel Valena - 103-1 - Update to dracut 103. - feat(fips-crypto-policies): make c-p follow FIPS mode automatically diff --git a/sources b/sources index 411e38d..bc9a127 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (103.tar.gz) = ba0dbefbcbecb09c44ce240664bc4f4ee25dfb8be7bc060028ae3b1ccf7d70410491c105e64fcef3d6f44d2794cb6162bcea9404125906be46bf3dff098e0277 +SHA512 (105.tar.gz) = 1608fb31d6a53905ea25a279586573db5fc7e084b4f6ff06e52065cbcb4ff503c2d51c0a282345844228232b1b590382b482a224183e0c4ee16c9c9e6932b275