dracut-043-60.git20150811

- fixed checkiso timeout
- fixed log output although quiet is set
- fixed qemu detection
- cleanup compressor handling
Harald Hoyer 2015-08-11 11:51:20 +02:00
parent db50c246e2
commit 368a0cb66f
22 changed files with 1247 additions and 6 deletions


@ -0,0 +1,72 @@
From df0bdd5ae9094133afa48b84189822e26d7bfecf Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 13 Jul 2015 10:14:15 +0200
Subject: [PATCH] network: add rd.peerdns=0 parameter
Add rd.peerdns=0 parameter to disable DHCP nameserver setting
---
dracut.cmdline.7.asc | 3 +++
modules.d/40network/dhclient-script.sh | 29 ++++++++++++++++-------------
2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc
index 55e6f64..1a54377 100644
--- a/dracut.cmdline.7.asc
+++ b/dracut.cmdline.7.asc
@@ -546,6 +546,9 @@ interface name. Better name it "bootnet" or "bluesocket".
**nameserver=**__<IP>__ [**nameserver=**__<IP>__ ...]::
specify nameserver(s) to use
+**rd.peerdns=0**::
+ Disable DNS setting of DHCP parameters.
+
**biosdevname=0**::
boolean, turn off biosdevname network interface renaming
diff --git a/modules.d/40network/dhclient-script.sh b/modules.d/40network/dhclient-script.sh
index c75ac89..1d891cd 100755
--- a/modules.d/40network/dhclient-script.sh
+++ b/modules.d/40network/dhclient-script.sh
@@ -54,13 +54,14 @@ setup_interface() {
echo ip route replace default via $gw dev $netif >> /tmp/net.$netif.gw
fi
- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
- if [ -n "$namesrv" ] ; then
- for s in $namesrv; do
- echo nameserver $s
- done
- fi >> /tmp/net.$netif.resolv.conf
-
+ if getargbool 1 rd.peerdns; then
+ [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
+ if [ -n "$namesrv" ] ; then
+ for s in $namesrv; do
+ echo nameserver $s
+ done
+ fi >> /tmp/net.$netif.resolv.conf
+ fi
# Note: hostname can be fqdn OR short hostname, so chop off any
# trailing domain name and explicity add any domain if set.
[ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname
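Review bot: Inside the new `rd.peerdns` guard, `for s in $namesrv` is expanded unquoted, so the server list (which, going by the commit message, comes from the DHCP lease) goes through pathname expansion as well as word splitting, and each word is written to the resolv.conf fragment as-is. Turning globbing off around the loop would keep a lease value from expanding against the filesystem: `set -f; for s in $namesrv; do echo "nameserver $s"; done; set +f`. The identical block is added again in the setup_interface6 hunk; a small shared helper would keep the two copies from drifting. Both functions start outside their hunks.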
@@ -83,12 +84,14 @@ setup_interface6() {
${lease_time:+valid_lft $lease_time} \
${preferred_lft:+preferred_lft ${preferred_lft}}
- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
- if [ -n "$namesrv" ] ; then
- for s in $namesrv; do
- echo nameserver $s
- done
- fi >> /tmp/net.$netif.resolv.conf
+ if getargbool 1 rd.peerdns; then
+ [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf
+ if [ -n "$namesrv" ] ; then
+ for s in $namesrv; do
+ echo nameserver $s
+ done
+ fi >> /tmp/net.$netif.resolv.conf
+ fi
# Note: hostname can be fqdn OR short hostname, so chop off any
# trailing domain name and explicity add any domain if set.

21
0040-TODO-update.patch Normal file

@ -0,0 +1,21 @@
From 8c7dc032f816d13d482bccebf2f7e56a81c207fd Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 13 Jul 2015 10:38:16 +0200
Subject: [PATCH] TODO: update
---
TODO | 1 -
1 file changed, 1 deletion(-)
diff --git a/TODO b/TODO
index 4a7d959..55fe13b 100644
--- a/TODO
+++ b/TODO
@@ -7,7 +7,6 @@ Items are ordered in priority.
INITRAMFS TODO
- search domain string
-- peerdns=no
- allow dual stack configuration (IPv4, IPv6) for the same interface
- "bind-mount" kernel drivers in real root for the rescue image,
if the real root does not have any kernel modules for this kernel


@ -0,0 +1,47 @@
From 968280e37053bceab47183e5aa9e7bfb34e73d37 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 13 Jul 2015 10:39:07 +0200
Subject: [PATCH] crypt: skip crypttab entries with the same device
It was only checked, if the name of the crypttab entry matched.
This patch adds checking, if the device matches.
---
modules.d/90crypt/crypt-lib.sh | 6 ++++++
modules.d/90crypt/crypt-run-generator.sh | 2 +-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh
index 213003e..2e13da2 100755
--- a/modules.d/90crypt/crypt-lib.sh
+++ b/modules.d/90crypt/crypt-lib.sh
@@ -5,11 +5,17 @@ command -v getarg >/dev/null || . /lib/dracut-lib.sh
# check if the crypttab contains an entry for a LUKS UUID
crypttab_contains() {
local luks="$1"
+ local dev="$2"
local l d rest
if [ -f /etc/crypttab ]; then
while read l d rest || [ -n "$l" ]; do
strstr "${l##luks-}" "${luks##luks-}" && return 0
strstr "$d" "${luks##luks-}" && return 0
+ if [ -n "$dev" ]; then
+ for _dev in "$(devnames $d)"; do
+ [ "$dev" -ef "$_dev" ] && return 0
+ done
+ fi
done < /etc/crypttab
fi
return 1
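Review bot: In the added loop, `for _dev in "$(devnames $d)"` quotes the command substitution, so the body runs exactly once with the whole output as a single word. If devnames prints more than one name (its definition is not visible here), the `-ef` test cannot match and a crypttab entry for the same device is missed. Quoting the argument instead of the substitution iterates per name: `for _dev in $(devnames "$d"); do`. `_dev` should also be added to the `local l d rest` line so it does not leak into the caller. crypttab_contains closes outside the hunk.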
diff --git a/modules.d/90crypt/crypt-run-generator.sh b/modules.d/90crypt/crypt-run-generator.sh
index 3c5d7b1..5bf60ec 100755
--- a/modules.d/90crypt/crypt-run-generator.sh
+++ b/modules.d/90crypt/crypt-run-generator.sh
@@ -6,7 +6,7 @@ type crypttab_contains >/dev/null 2>&1 || . /lib/dracut-crypt-lib.sh
dev=$1
luks=$2
-crypttab_contains "$luks" && exit 0
+crypttab_contains "$luks" "$dev" && exit 0
allowdiscards="-"


@ -0,0 +1,51 @@
From e47907cc6b6eead2ab5ef4d5015445668822612a Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 13 Jul 2015 10:51:47 +0200
Subject: [PATCH] dracut-systemd/dracut-initqueue: only start service if really
needed
Only start the dracut-initqueue.service, if the dracut_need_initqueue
command was issued on creation or later on set.
---
modules.d/90lvm/module-setup.sh | 2 ++
modules.d/90mdraid/module-setup.sh | 1 +
modules.d/98dracut-systemd/dracut-initqueue.service | 5 -----
3 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/modules.d/90lvm/module-setup.sh b/modules.d/90lvm/module-setup.sh
index 8269078..42dda57 100755
--- a/modules.d/90lvm/module-setup.sh
+++ b/modules.d/90lvm/module-setup.sh
@@ -140,4 +140,6 @@ install() {
cache_dump cache_restore cache_check cache_repair \
era_check era_dump era_invalidate era_restore
fi
+
+ dracut_need_initqueue
}
diff --git a/modules.d/90mdraid/module-setup.sh b/modules.d/90mdraid/module-setup.sh
index 621d0fb..cecf3bf 100755
--- a/modules.d/90mdraid/module-setup.sh
+++ b/modules.d/90mdraid/module-setup.sh
@@ -132,4 +132,5 @@ install() {
fi
fi
inst_hook pre-shutdown 30 "$moddir/mdmon-pre-shutdown.sh"
+ dracut_need_initqueue
}
diff --git a/modules.d/98dracut-systemd/dracut-initqueue.service b/modules.d/98dracut-systemd/dracut-initqueue.service
index 5d772f7..fa5ca56 100644
--- a/modules.d/98dracut-systemd/dracut-initqueue.service
+++ b/modules.d/98dracut-systemd/dracut-initqueue.service
@@ -17,11 +17,6 @@ After=systemd-udev-trigger.service
Wants=systemd-udev-trigger.service
ConditionPathExists=/usr/lib/initrd-release
ConditionPathExists=|/lib/dracut/need-initqueue
-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/*.sh
-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/settled/*.sh
-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/finished/*.sh
-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/online/*.sh
-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/timeout/*.sh
ConditionKernelCommandLine=|rd.break=initqueue
[Service]
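Review bot: With the five `ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/...` triggers removed, the unit starts only when `/lib/dracut/need-initqueue` exists or `rd.break=initqueue` is on the kernel command line. This patch adds `dracut_need_initqueue` to the lvm and mdraid `install()` functions only. It is worth confirming that every other module that installs an initqueue hook, at build time or at runtime, also creates the marker, because otherwise its hook would silently never run. A comment above the remaining conditions, stating that the marker file is now the single trigger, would document that contract.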


@ -0,0 +1,271 @@
From 5899f2f5163de4d68fbb35831e1f2230c22c71b3 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Tue, 14 Jul 2015 22:22:14 -0400
Subject: [PATCH] Replace echo -n with printf in code with a /bin/sh shebang
POSIX does not mandate that echo support the -n parameter.
printf has more well-defined behavior.
---
modules.d/04watchdog/watchdog-stop.sh | 2 +-
modules.d/40network/net-lib.sh | 2 +-
modules.d/45ifcfg/write-ifcfg.sh | 2 +-
modules.d/90lvm/lvm_scan.sh | 4 ++--
modules.d/95fcoe/fcoe-up.sh | 2 +-
modules.d/98usrmount/mount-usr.sh | 2 +-
modules.d/99base/dracut-lib.sh | 6 +++---
modules.d/99base/init.sh | 2 +-
test/TEST-10-RAID/create-root.sh | 2 +-
test/TEST-10-RAID/cryptroot-ask.sh | 2 +-
test/TEST-12-RAID-DEG/create-root.sh | 2 +-
test/TEST-12-RAID-DEG/cryptroot-ask.sh | 2 +-
test/TEST-13-ENC-RAID-LVM/create-root.sh | 2 +-
test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh | 2 +-
test/TEST-14-IMSM/cryptroot-ask.sh | 2 +-
test/TEST-20-NFS/client-init.sh | 2 +-
test/TEST-40-NBD/create-root.sh | 2 +-
test/TEST-40-NBD/cryptroot-ask.sh | 2 +-
18 files changed, 21 insertions(+), 21 deletions(-)
diff --git a/modules.d/04watchdog/watchdog-stop.sh b/modules.d/04watchdog/watchdog-stop.sh
index 91d45d6..921f969 100755
--- a/modules.d/04watchdog/watchdog-stop.sh
+++ b/modules.d/04watchdog/watchdog-stop.sh
@@ -1,2 +1,2 @@
#!/bin/sh
-[ -c /dev/watchdog ] && echo -n 'V' > /dev/watchdog
+[ -c /dev/watchdog ] && printf 'V' > /dev/watchdog
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index a09cdaf..6c739e8 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -189,7 +189,7 @@ set_ifname() {
fix_bootif() {
local macaddr=${1}
local IFS='-'
- macaddr=$(for i in ${macaddr} ; do echo -n $i:; done)
+ macaddr=$(printf '%s:' ${macaddr})
macaddr=${macaddr%:}
# strip hardware type field from pxelinux
[ -n "${macaddr%??:??:??:??:??:??}" ] && macaddr=${macaddr#??:}
diff --git a/modules.d/45ifcfg/write-ifcfg.sh b/modules.d/45ifcfg/write-ifcfg.sh
index fa7db27..251d684 100755
--- a/modules.d/45ifcfg/write-ifcfg.sh
+++ b/modules.d/45ifcfg/write-ifcfg.sh
@@ -48,7 +48,7 @@ print_s390() {
for i in /sys/class/net/$_netif/device/cdev[0-9]*; do
[ -e $i ] || continue
channel=$(readlink -f $i)
- echo -n "${channel##*/},"
+ printf '%s' "${channel##*/},"
done
})
[ -n "$SUBCHANNELS" ] || return 1
diff --git a/modules.d/90lvm/lvm_scan.sh b/modules.d/90lvm/lvm_scan.sh
index 7495644..ead28aa 100755
--- a/modules.d/90lvm/lvm_scan.sh
+++ b/modules.d/90lvm/lvm_scan.sh
@@ -15,14 +15,14 @@ SNAPSIZE=$(getargs rd.lvm.snapsize -d rd_LVM_SNAPSIZE=)
lvmdevs=$(
for f in /tmp/.lvm_scan-*; do
[ -e "$f" ] || continue
- echo -n "${f##/tmp/.lvm_scan-} "
+ printf '%s' "${f##/tmp/.lvm_scan-} "
done
)
if [ ! -e /etc/lvm/lvm.conf ]; then
{
echo 'devices {';
- echo -n ' filter = [ '
+ printf ' filter = [ '
for dev in $lvmdevs; do
printf '"a|^/dev/%s$|", ' $dev;
done;
diff --git a/modules.d/95fcoe/fcoe-up.sh b/modules.d/95fcoe/fcoe-up.sh
index 43a0ad5..950e4b6 100755
--- a/modules.d/95fcoe/fcoe-up.sh
+++ b/modules.d/95fcoe/fcoe-up.sh
@@ -64,7 +64,7 @@ elif [ "$netdriver" = "bnx2x" ]; then
sleep 3
fipvlan "$netif" -c -s
else
- echo -n "$netif" > /sys/module/fcoe/parameters/create
+ printf '%s' "$netif" > /sys/module/fcoe/parameters/create
fi
need_shutdown
diff --git a/modules.d/98usrmount/mount-usr.sh b/modules.d/98usrmount/mount-usr.sh
index c29610f..d1a629c 100755
--- a/modules.d/98usrmount/mount-usr.sh
+++ b/modules.d/98usrmount/mount-usr.sh
@@ -12,7 +12,7 @@ filtersubvol() {
while [ $# -gt 0 ]; do
case $1 in
subvol\=*) :;;
- *) echo -n "${1}," ;;
+ *) printf '%s' "${1}," ;;
esac
shift
done
diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
index cd1f49f..5ec7b23 100755
--- a/modules.d/99base/dracut-lib.sh
+++ b/modules.d/99base/dracut-lib.sh
@@ -298,7 +298,7 @@ _dogetargs() {
fi
done
if [ -n "$_found" ]; then
- [ $# -gt 0 ] && echo -n "$@"
+ [ $# -gt 0 ] && printf '%s' "$*"
return 0
fi
return 1;
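Review bot: `printf '%s' "$*"` joins the arguments with the first character of IFS, whereas the removed `echo -n "$@"` always joined them with a space, so the two agree only while IFS is at its default when _dogetargs runs. Whether any caller reaches this with a modified IFS is not visible in the hunk, although fix_bootif in net-lib.sh in this same patch does set a local `IFS='-'`. A comment on the line would record the assumption: `# "$*" joins on the first char of IFS; callers must leave IFS at its default`. The same replacement is made in the getargs hunk below. Both functions start outside their hunks.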
@@ -329,9 +329,9 @@ getargs() {
done
if [ -n "$_gfound" ]; then
if [ $# -gt 0 ]; then
- echo -n "$@"
+ printf '%s' "$*"
else
- echo -n 1
+ printf 1
fi
debug_on
return 0
diff --git a/modules.d/99base/init.sh b/modules.d/99base/init.sh
index f96dbb5..a59e8ea 100755
--- a/modules.d/99base/init.sh
+++ b/modules.d/99base/init.sh
@@ -253,7 +253,7 @@ while :; do
done
{
- echo -n "Mounted root filesystem "
+ printf "Mounted root filesystem "
while read dev mp rest || [ -n "$dev" ]; do [ "$mp" = "$NEWROOT" ] && echo $dev; done < /proc/mounts
} | vinfo
diff --git a/test/TEST-10-RAID/create-root.sh b/test/TEST-10-RAID/create-root.sh
index a7e56a5..7b5f2a7 100755
--- a/test/TEST-10-RAID/create-root.sh
+++ b/test/TEST-10-RAID/create-root.sh
@@ -18,7 +18,7 @@ mdadm --create /dev/md0 --run --auto=yes --level=5 --raid-devices=3 /dev/sda2 /d
# randomly.
mdadm -W /dev/md0
set -e
-echo -n test >keyfile
+printf test >keyfile
cryptsetup -q luksFormat /dev/md0 /keyfile
echo "The passphrase is test"
cryptsetup luksOpen /dev/md0 dracut_crypt_test </keyfile
diff --git a/test/TEST-10-RAID/cryptroot-ask.sh b/test/TEST-10-RAID/cryptroot-ask.sh
index 407d067..c39eff6 100755
--- a/test/TEST-10-RAID/cryptroot-ask.sh
+++ b/test/TEST-10-RAID/cryptroot-ask.sh
@@ -1,5 +1,5 @@
#!/bin/sh
[ -b "/dev/mapper/$2" ] && exit 0
-echo -n test >/keyfile
+printf test >/keyfile
/sbin/cryptsetup luksOpen "$1" "$2" </keyfile
diff --git a/test/TEST-12-RAID-DEG/create-root.sh b/test/TEST-12-RAID-DEG/create-root.sh
index 7b9a171..3299aa6 100755
--- a/test/TEST-12-RAID-DEG/create-root.sh
+++ b/test/TEST-12-RAID-DEG/create-root.sh
@@ -20,7 +20,7 @@ mdadm --create /dev/md0 --run --auto=yes --level=5 --raid-devices=3 /dev/sdb /de
# wait for the array to finish initailizing, otherwise this sometimes fails
# randomly.
mdadm -W /dev/md0
-echo -n test >keyfile
+printf test >keyfile
cryptsetup -q luksFormat /dev/md0 /keyfile
echo "The passphrase is test"
set -e
diff --git a/test/TEST-12-RAID-DEG/cryptroot-ask.sh b/test/TEST-12-RAID-DEG/cryptroot-ask.sh
index db27c5b..78ed7f5 100755
--- a/test/TEST-12-RAID-DEG/cryptroot-ask.sh
+++ b/test/TEST-12-RAID-DEG/cryptroot-ask.sh
@@ -1,6 +1,6 @@
#!/bin/sh
[ -b /dev/mapper/$2 ] && exit 0
-echo -n test >/keyfile
+printf test >/keyfile
/sbin/cryptsetup luksOpen $1 $2 </keyfile
diff --git a/test/TEST-13-ENC-RAID-LVM/create-root.sh b/test/TEST-13-ENC-RAID-LVM/create-root.sh
index e74fe7f..72bc765 100755
--- a/test/TEST-13-ENC-RAID-LVM/create-root.sh
+++ b/test/TEST-13-ENC-RAID-LVM/create-root.sh
@@ -14,7 +14,7 @@ sfdisk /dev/sda <<EOF
,25M
EOF
udevadm settle
-echo -n test >keyfile
+printf test >keyfile
cryptsetup -q luksFormat /dev/sda2 /keyfile
cryptsetup -q luksFormat /dev/sda3 /keyfile
cryptsetup -q luksFormat /dev/sda4 /keyfile
diff --git a/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh b/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh
index db27c5b..78ed7f5 100755
--- a/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh
+++ b/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh
@@ -1,6 +1,6 @@
#!/bin/sh
[ -b /dev/mapper/$2 ] && exit 0
-echo -n test >/keyfile
+printf test >/keyfile
/sbin/cryptsetup luksOpen $1 $2 </keyfile
diff --git a/test/TEST-14-IMSM/cryptroot-ask.sh b/test/TEST-14-IMSM/cryptroot-ask.sh
index db27c5b..78ed7f5 100755
--- a/test/TEST-14-IMSM/cryptroot-ask.sh
+++ b/test/TEST-14-IMSM/cryptroot-ask.sh
@@ -1,6 +1,6 @@
#!/bin/sh
[ -b /dev/mapper/$2 ] && exit 0
-echo -n test >/keyfile
+printf test >/keyfile
/sbin/cryptsetup luksOpen $1 $2 </keyfile
diff --git a/test/TEST-20-NFS/client-init.sh b/test/TEST-20-NFS/client-init.sh
index 2311981..a443289 100755
--- a/test/TEST-20-NFS/client-init.sh
+++ b/test/TEST-20-NFS/client-init.sh
@@ -8,7 +8,7 @@ strstr() { [ "${1##*"$2"*}" != "$1" ]; }
stty sane
if strstr "$CMDLINE" "rd.shell"; then
- [ -c /dev/watchdog ] && echo -n 'V' > /dev/watchdog
+ [ -c /dev/watchdog ] && printf 'V' > /dev/watchdog
strstr "$(setsid --help)" "control" && CTTY="-c"
setsid $CTTY sh -i
fi
diff --git a/test/TEST-40-NBD/create-root.sh b/test/TEST-40-NBD/create-root.sh
index 391279e..20d0eff 100755
--- a/test/TEST-40-NBD/create-root.sh
+++ b/test/TEST-40-NBD/create-root.sh
@@ -5,7 +5,7 @@ for x in 64-lvm.rules 70-mdadm.rules 99-mount-rules; do
done
rm -f -- /etc/lvm/lvm.conf
udevadm control --reload
-echo -n test >keyfile
+printf test >keyfile
cryptsetup -q luksFormat /dev/sdb /keyfile
echo "The passphrase is test"
cryptsetup luksOpen /dev/sdb dracut_crypt_test </keyfile && \
diff --git a/test/TEST-40-NBD/cryptroot-ask.sh b/test/TEST-40-NBD/cryptroot-ask.sh
index db27c5b..78ed7f5 100755
--- a/test/TEST-40-NBD/cryptroot-ask.sh
+++ b/test/TEST-40-NBD/cryptroot-ask.sh
@@ -1,6 +1,6 @@
#!/bin/sh
[ -b /dev/mapper/$2 ] && exit 0
-echo -n test >/keyfile
+printf test >/keyfile
/sbin/cryptsetup luksOpen $1 $2 </keyfile


@ -0,0 +1,23 @@
From 24f32511fc8ae616aa967446ce33ab0a7fc27077 Mon Sep 17 00:00:00 2001
From: Mike Gilbert <floppym@gentoo.org>
Date: Tue, 14 Jul 2015 11:12:16 -0400
Subject: [PATCH] syncheck: Look for 'echo -n' usage in modules
---
Makefile | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Makefile b/Makefile
index 98a2fbf..f3a5c07 100644
--- a/Makefile
+++ b/Makefile
@@ -212,7 +212,8 @@ syncheck:
[ "$${i##*/}" = "module-setup.sh" ] && continue; \
read line < "$$i"; [ "$${line#*bash*}" != "$$line" ] && continue; \
[ $$V ] && echo "posix syntax check: $$i"; bash --posix -n "$$i" ; ret=$$(($$ret+$$?)); \
- [ $$V ] && echo "checking for [[: $$i"; if grep -Fq '[[ ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains [["; fi \
+ [ $$V ] && echo "checking for [[: $$i"; if grep -Fq '[[ ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains [["; fi; \
+ [ $$V ] && echo "checking for echo -n: $$i"; if grep -Fq 'echo -n ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains echo -n"; fi \
done;exit $$ret
@ret=0;for i in *.sh mkinitrd-dracut.sh modules.d/*/*.sh \
modules.d/*/module-setup.sh; do \


@ -1,4 +1,4 @@
From d63a455ffda280899bf9d3d7988789a74ac9ad8c Mon Sep 17 00:00:00 2001
From 7f2ea02b4ad95f59abb73dd4690f6f5ca9191633 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Fri, 10 Jul 2015 11:21:51 +0200
Subject: [PATCH] dracut.spec: add dracut-init.sh


@ -0,0 +1,71 @@
From e50f91e6004a523d745179eaa789e28a75ff06d4 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Tue, 14 Jul 2015 10:11:59 +0200
Subject: [PATCH] use mktemp "-p" instead of "--tmpdir" for busybox
---
dracut-logger.sh | 2 +-
dracut.sh | 10 +++++-----
test/test-functions | 2 +-
3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/dracut-logger.sh b/dracut-logger.sh
index 2a6019c..e5c9358 100755
--- a/dracut-logger.sh
+++ b/dracut-logger.sh
@@ -148,7 +148,7 @@ dlog_init() {
&& type -P systemd-cat &>/dev/null \
&& systemctl --quiet is-active systemd-journald.socket &>/dev/null \
&& { echo "dracut-$DRACUT_VERSION" | systemd-cat -t 'dracut' &>/dev/null; } ; then
- readonly _dlogdir="$(mktemp --tmpdir="$TMPDIR/" -d -t dracut-log.XXXXXX)"
+ readonly _dlogdir="$(mktemp -p "$TMPDIR/" -d -t dracut-log.XXXXXX)"
readonly _systemdcatfile="$_dlogdir/systemd-cat"
mkfifo "$_systemdcatfile"
readonly _dlogfd=15
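Review bot: `_dlogdir` is used on the following lines without any check that mktemp succeeded, and `readonly x="$(...)"` also discards mktemp's exit status. If the call fails, `_systemdcatfile` becomes `/systemd-cat` and `mkfifo` creates the FIFO at the filesystem root. The `initdir` and `early_cpio_dir` assignments in dracut.sh are each followed by a `[ -d ... ] || { ...; exit 1; }` guard; the same kind of guard, `[ -d "$_dlogdir" ] || return 1`, would fit here and after `uefi_outdir` in the `@@ -1614` hunk, where `outfile` would otherwise become `/initrd`. dlog_init starts and ends outside the hunk, so how it should report the failure needs checking against the rest of the function.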
diff --git a/dracut.sh b/dracut.sh
index b7456dc..ee0a039 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -777,16 +777,16 @@ fi
[[ $reproducible == yes ]] && DRACUT_REPRODUCIBLE=1
readonly TMPDIR="$tmpdir"
-readonly initdir="$(mktemp --tmpdir="$TMPDIR/" -d -t initramfs.XXXXXX)"
+readonly initdir="$(mktemp -p "$TMPDIR/" -d -t initramfs.XXXXXX)"
[ -d "$initdir" ] || {
- printf "%s\n" "dracut: mktemp --tmpdir='$TMPDIR/' -d -t initramfs.XXXXXX failed." >&2
+ printf "%s\n" "dracut: mktemp -p '$TMPDIR/' -d -t initramfs.XXXXXX failed." >&2
exit 1
}
if [[ $early_microcode = yes ]] || ( [[ $acpi_override = yes ]] && [[ -d $acpi_table_dir ]] ); then
- readonly early_cpio_dir="$(mktemp --tmpdir="$TMPDIR/" -d -t early_cpio.XXXXXX)"
+ readonly early_cpio_dir="$(mktemp -p "$TMPDIR/" -d -t early_cpio.XXXXXX)"
[ -d "$early_cpio_dir" ] || {
- printf "%s\n" "dracut: mktemp --tmpdir='$TMPDIR/' -d -t early_cpio.XXXXXX failed." >&2
+ printf "%s\n" "dracut: mktemp -p '$TMPDIR/' -d -t early_cpio.XXXXXX failed." >&2
exit 1
}
fi
@@ -1614,7 +1614,7 @@ dinfo "*** Creating image file '$outfile' ***"
if [[ $uefi = yes ]]; then
uefi_outfile="$outfile"
- readonly uefi_outdir="$(mktemp --tmpdir="$TMPDIR/" -d -t initrd.XXXXXX)"
+ readonly uefi_outdir="$(mktemp -p "$TMPDIR/" -d -t initrd.XXXXXX)"
# redirect initrd output
outfile="$uefi_outdir/initrd"
fi
diff --git a/test/test-functions b/test/test-functions
index 1f5eed5..2b8a4d2 100644
--- a/test/test-functions
+++ b/test/test-functions
@@ -4,7 +4,7 @@ export PATH
[[ -e .testdir ]] && . .testdir
if [[ -z "$TESTDIR" ]] || [[ ! -d "$TESTDIR" ]]; then
- TESTDIR=$(mktemp -d --tmpdir="/var/tmp" -t dracut-test.XXXXXX)
+ TESTDIR=$(mktemp -d -p "/var/tmp" -t dracut-test.XXXXXX)
fi
echo "TESTDIR=\"$TESTDIR\"" > .testdir
export TESTDIR


@ -0,0 +1,25 @@
From f4d64d55ea825ec0d05aaa76d58cddc37d44f719 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Sat, 18 Jul 2015 13:02:25 +0200
Subject: [PATCH] dmsquash-generator.sh: increase timeout for checkisomd5
if the checkisomd5 takes longer than 3 minutes, the device timeout for
/dev/mapper/live-rw cancels the boot process.
---
modules.d/90dmsquash-live/dmsquash-generator.sh | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/modules.d/90dmsquash-live/dmsquash-generator.sh b/modules.d/90dmsquash-live/dmsquash-generator.sh
index e386d81..85a3592 100755
--- a/modules.d/90dmsquash-live/dmsquash-generator.sh
+++ b/modules.d/90dmsquash-live/dmsquash-generator.sh
@@ -64,3 +64,9 @@ ROOTFLAGS="$(getarg rootflags)"
echo "What=/dev/mapper/live-rw"
[ -n "$ROOTFLAGS" ] && echo "Options=${ROOTFLAGS}"
} > "$GENERATOR_DIR"/sysroot.mount
+
+mkdir -p "$GENERATOR_DIR/dev-mapper-live\x2drw.device.d"
+{
+ echo "[Unit]"
+ echo "JobTimeoutSec=3000"
+} > "$GENERATOR_DIR/dev-mapper-live\x2drw.device.d/timeout.conf"


@ -0,0 +1,148 @@
From 693b7a32833b7c141f03d802f6bc9a767bdb11f8 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Wed, 22 Jul 2015 11:34:08 +0200
Subject: [PATCH] Cleanup compressor handling
If no compressor is specified, try to find a suitable one.
Check if kernel modules can be uncompressed.
---
dracut.sh | 78 +++++++++++++++++++++++++++++++++++++++++++++++--------------
dracut.spec | 7 +++---
2 files changed, 64 insertions(+), 21 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index ee0a039..27be54a 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -751,25 +751,53 @@ if [[ -n "$logfile" ]];then
fi
# handle compression options.
-[[ $compress ]] || compress="gzip"
+if [[ $_no_compress_l = "cat" ]]; then
+ compress="cat"
+fi
+
+if ! [[ $compress ]]; then
+ # check all known compressors, if none specified
+ for i in pigz gzip lz4 lzop lzma xz lbzip2 bzip2 cat; do
+ command -v "$i" &>/dev/null || continue
+ compress="$i"
+ break
+ done
+ if [[ $compress = cat ]]; then
+ printf "%s\n" "dracut: no compression tool available. Initramfs image is going to be big." >&2
+ fi
+fi
+
+# choose the right arguments for the compressor
case $compress in
- bzip2) compress="bzip2 -9";
- command -v lbzip2 > /dev/null 2>&1 && compress="lbzip2 -9";;
- lzma) compress="lzma -9 -T0";;
- xz) compress="xz --check=crc32 --lzma2=dict=1MiB -T0";;
- gzip) compress="gzip -n -9";
- if command -v pigz > /dev/null 2>&1; then
+ bzip2|lbzip2)
+ if [[ "$compress" = lbzip2 ]] || command -v lbzip2 &>/dev/null; then
+ compress="lbzip2 -9"
+ else
+ compress="bzip2 -9"
+ fi
+ ;;
+ lzma)
+ compress="lzma -9 -T0"
+ ;;
+ xz)
+ compress="xz --check=crc32 --lzma2=dict=1MiB -T0"
+ ;;
+ gzip|pigz)
+ if [[ "$compress" = pigz ]] || command -v pigz &>/dev/null; then
compress="pigz -9 -n -T -R"
- elif command -v gzip --help 2>&1 | grep -q rsyncable; then
+ elif command -v gzip &>/dev/null && gzip --help 2>&1 | grep -q rsyncable; then
compress="gzip -n -9 --rsyncable"
+ else
+ compress="gzip -n -9"
fi
;;
- lzo) compress="lzop -9";;
- lz4) compress="lz4 -l -9";;
+ lzo|lzop)
+ compress="lzop -9"
+ ;;
+ lz4)
+ compress="lz4 -l -9"
+ ;;
esac
-if [[ $_no_compress_l = "cat" ]]; then
- compress="cat"
-fi
[[ $hostonly = yes ]] && hostonly="-h"
[[ $hostonly != "-h" ]] && unset hostonly
@@ -887,10 +915,26 @@ esac
abs_outfile=$(readlink -f "$outfile") && outfile="$abs_outfile"
-if [[ -d $srcmods ]]; then
- [[ -f $srcmods/modules.dep ]] || {
- dwarn "$srcmods/modules.dep is missing. Did you run depmod?"
- }
+if [[ $no_kernel != yes ]] && [[ -d $srcmods ]]; then
+ if ! [[ -f $srcmods/modules.dep ]]; then
+ dwarn "$srcmods/modules.dep is missing. Did you run depmod?"
+ elif ! ( command -v gzip &>/dev/null && command -v xz &>/dev/null); then
+ read _mod < $srcmods/modules.dep
+ _mod=${_mod%%:*}
+ if [[ -f $srcmods/"$_mod" ]]; then
+ # Check, if kernel modules are compressed, and if we can uncompress them
+ case "$_mod" in
+ *.ko.gz) kcompress=gzip;;
+ *.ko.xz) kcompress=xz;;
+ esac
+ if [[ $kcompress ]]; then
+ if ! command -v "$kcompress" &>/dev/null; then
+ dfatal "Kernel modules are compressed with $kcompress, but $kcompress is not available."
+ exit 1
+ fi
+ fi
+ fi
+ fi
fi
if [[ ! $print_cmdline ]]; then
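Review bot: `kcompress` is tested with `[[ $kcompress ]]` but is only assigned inside the `case`, so when the first module is neither `*.ko.gz` nor `*.ko.xz`, any value already present from the environment or a sourced config file is used and can trigger the `dfatal` path. Setting `kcompress=` before the `case` closes that. The redirect target in `read _mod < $srcmods/modules.dep` is also unquoted and the read lacks `-r`; quoting it as `"$srcmods/modules.dep"` and using `read -r _mod` matches the quoting used in the `[[ -f $srcmods/"$_mod" ]]` test two lines later.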
diff --git a/dracut.spec b/dracut.spec
index 08b281d..6ef5de7 100644
--- a/dracut.spec
+++ b/dracut.spec
@@ -60,7 +60,6 @@ BuildRequires: docbook-style-xsl docbook-dtds libxslt
BuildRequires: asciidoc
%endif
-
%if 0%{?fedora} > 12 || 0%{?rhel}
# no "provides", because dracut does not offer
# all functionality of the obsoleted packages
@@ -94,17 +93,17 @@ Requires: findutils
Requires: grep
Requires: kmod
Requires: sed
+Requires: xz
+Requires: gzip
%if 0%{?fedora} > 22
Recommends: grubby
Recommends: hardlink
-Recommends: gzip
-Recommends: xz
+Recommends: pigz
Recommends: kpartx
%else
Requires: hardlink
Requires: gzip
-Requires: xz
Requires: kpartx
%endif


@ -0,0 +1,22 @@
From c1c96f2c4780bdf8ddc363ded40439cba31afa56 Mon Sep 17 00:00:00 2001
From: Stefan Reimer <it@startux.de>
Date: Sat, 25 Jul 2015 01:17:04 +0000
Subject: [PATCH] Add missing echo to output the result.
Only place this function is currently called seems from line 28 in modules.d/95nfs/nfs-lib.sh. Bug fix.
---
modules.d/40network/net-lib.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh
index 6c739e8..68bc095 100755
--- a/modules.d/40network/net-lib.sh
+++ b/modules.d/40network/net-lib.sh
@@ -5,6 +5,7 @@ get_ip() {
ip=$(ip -o -f inet addr show $iface)
ip=${ip%%/*}
ip=${ip##* }
+ echo $ip
}
iface_for_remote_addr() {


@ -0,0 +1,30 @@
From 2082cdf230574fa7482903730b584445ed3a2a08 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 27 Jul 2015 13:30:22 +0200
Subject: [PATCH] crypt: s/allow-discards/discard for crypttab
actually the option in crypttab is named "discard" and not
"allow-discards"
https://bugzilla.suse.com/show_bug.cgi?id=932972
---
modules.d/90crypt/crypt-run-generator.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules.d/90crypt/crypt-run-generator.sh b/modules.d/90crypt/crypt-run-generator.sh
index 5bf60ec..8dad76b 100755
--- a/modules.d/90crypt/crypt-run-generator.sh
+++ b/modules.d/90crypt/crypt-run-generator.sh
@@ -15,10 +15,10 @@ if strstr "$(cryptsetup --help)" "allow-discards"; then
if discarduuids=$(getargs "rd.luks.allow-discards"); then
discarduuids=$(str_replace "$discarduuids" 'luks-' '')
if strstr " $discarduuids " " ${luks##luks-}"; then
- allowdiscards="allow-discards"
+ allowdiscards="discard"
fi
elif getargbool 0 rd.luks.allow-discards; then
- allowdiscards="allow-discards"
+ allowdiscards="discard"
fi
fi
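Review bot: The variable is still named `allowdiscards` and is still selected by `rd.luks.allow-discards` and by the `cryptsetup --help` probe, but it now holds the crypttab spelling `discard`, and nothing in the code explains the mismatch. A one-line comment above the first assignment would stop a later reader from changing it back: `# crypttab calls this option "discard"; the kernel command line and cryptsetup call it "allow-discards"`. The enclosing `if` starts outside the hunk.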


@ -0,0 +1,21 @@
From cce34acace5876d06946dfb1fe70004a0b5176b0 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Tue, 28 Jul 2015 11:55:04 +0200
Subject: [PATCH] qemu: add spapr-vscsi kernel module
---
modules.d/90qemu/module-setup.sh | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/modules.d/90qemu/module-setup.sh b/modules.d/90qemu/module-setup.sh
index 37972e4..66ef884 100755
--- a/modules.d/90qemu/module-setup.sh
+++ b/modules.d/90qemu/module-setup.sh
@@ -25,5 +25,6 @@ installkernel() {
hostonly='' instmods \
ata_piix ata_generic pata_acpi cdrom sr_mod ahci \
virtio_blk virtio virtio_ring virtio_pci \
- virtio_scsi virtio_console virtio_rng
+ virtio_scsi virtio_console virtio_rng \
+ spapr-vscsi
}


@ -0,0 +1,30 @@
From 96d694c0b5949586dad8eab5491ad41521eec514 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Thu, 30 Jul 2015 12:11:42 +0200
Subject: [PATCH] dracut.sh: simplify modalias reading
---
dracut.sh | 10 +++-------
1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index 27be54a..77874ba 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1179,13 +1179,9 @@ if [[ $hostonly ]]; then
# record all host modaliases
declare -A host_modalias
- find /sys/devices/ -name uevent -print > "$initdir/.modalias"
- while read m || [ -n "$m" ]; do
- while read line || [ -n "$line" ]; do
- [[ "$line" != MODALIAS\=* ]] && continue
- modalias="${line##MODALIAS=}" && [[ $modalias ]] && host_modalias["$modalias"]=1
- break
- done < "$m"
+ find /sys/devices -name modalias -exec cat '{}' \; > "$initdir/.modalias"
+ while read -r modalias || [ -n "$modalias" ]; do
+ [[ $modalias ]] && host_modalias["$modalias"]=1
done < "$initdir/.modalias"
rm -f -- "$initdir/.modalias"
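Review bot: `-exec cat '{}' \;` starts one `cat` process per modalias file under /sys/devices, which is a lot of forks on a host with many devices. The batching form does the same work with far fewer processes: `find /sys/devices -name modalias -exec cat '{}' + > "$initdir/.modalias"`. The enclosing `if [[ $hostonly ]]` block starts and ends outside the hunk.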


@ -0,0 +1,38 @@
From 4135eea634b20c7f7285d134bd6dfe6b799fe226 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Fri, 31 Jul 2015 09:05:51 +0200
Subject: [PATCH] 90qemu: fixed systemd-detect-virt output parsing
redirecting systemd-detect-virt to /dev/null doesn't help with parsing
the output :-/
Also, add "Red Hat" as a vendor.
---
modules.d/90qemu/module-setup.sh | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/modules.d/90qemu/module-setup.sh b/modules.d/90qemu/module-setup.sh
index 66ef884..8cae124 100755
--- a/modules.d/90qemu/module-setup.sh
+++ b/modules.d/90qemu/module-setup.sh
@@ -3,7 +3,7 @@
# called by dracut
check() {
if type -P systemd-detect-virt >/dev/null 2>&1; then
- vm=$(systemd-detect-virt --vm >/dev/null 2>&1)
+ vm=$(systemd-detect-virt --vm 2>/dev/null)
(($? != 0)) && return 255
[[ $vm = "qemu" ]] && return 0
[[ $vm = "kvm" ]] && return 0
@@ -13,8 +13,9 @@ check() {
for i in /sys/class/dmi/id/*_vendor; do
[[ -f $i ]] || continue
read vendor < $i
- [[ "$vendor" == "QEMU" ]] && return 0
- [[ "$vendor" == "Bochs" ]] && return 0
+ [[ "$vendor" == "QEMU" ]] && return 0
+ [[ "$vendor" == "Red Hat" ]] && return 0
+ [[ "$vendor" == "Bochs" ]] && return 0
done
return 255
}


@ -0,0 +1,24 @@
From b05ad85b0c46d1001945bcb8c300a34eca2dd2da Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 27 Apr 2015 18:24:11 -0400
Subject: [PATCH] Remove 98integrity's dependency on selinux
Loading the EVM key(s) is not dependent on selinux. Remove
the dependency.
---
modules.d/98integrity/module-setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
index a838664..2d4d2ed 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -7,7 +7,7 @@ check() {
# called by dracut
depends() {
- echo masterkey securityfs selinux
+ echo masterkey securityfs
return 0
}


@ -0,0 +1,70 @@
From 396d3cc7ff39e54ce2de1fa9389348238b0ed92e Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 27 Apr 2015 18:24:12 -0400
Subject: [PATCH] Extend evm-enable.sh to load the EVM public key
Create the _evm keyring and load the EVM public key on it.
---
modules.d/98integrity/evm-enable.sh | 42 +++++++++++++++++++++++++++++++++++++
1 file changed, 42 insertions(+)
diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh
index dee1c6c..ec4f03b 100755
--- a/modules.d/98integrity/evm-enable.sh
+++ b/modules.d/98integrity/evm-enable.sh
@@ -48,6 +48,45 @@ load_evm_key()
info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}";
return 1;
}
+ return 0
+}
+
+load_evm_x509()
+{
+ info "Load EVM IMA X509"
+
+ # override the EVM key path name from the 'evmx509=' parameter in
+ # the kernel command line
+ EVMX509ARG=$(getarg evmx509=)
+ [ $? -eq 0 ] && \
+ EVMX509=${EVMX509ARG}
+
+ # set the default value
+ [ -z "${EVMX509}" ] && \
+ EVMX509="/etc/keys/x509_evm.der";
+
+ # set the EVM public key path name
+ EVMX509PATH="${NEWROOT}${EVMX509}"
+
+ # check for EVM public key's existence
+ if [ ! -f "${EVMX509PATH}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: EVM x509 cert file not found: ${EVMX509PATH}"
+ fi
+ return 1
+ fi
+
+ # load the EVM public key onto the EVM keyring
+ evm_pubid=`keyctl newring _evm @u`
+ EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid})
+ [ $? -eq 0 ] || {
+ info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}";
+ return 1;
+ }
+
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ keyctl show @u
+ fi
return 0
}
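Review bot: In load_evm_x509 the result of `keyctl newring _evm @u` is never checked and both arguments to `evmctl import` are expanded unquoted, so a failed newring or a path containing whitespace changes the argument list evmctl receives; the path can be taken from `evmx509=` on the kernel command line. Suggested: `evm_pubid=$(keyctl newring _evm @u) || return 1` and `EVMX509ID=$(evmctl import "${EVMX509PATH}" "${evm_pubid}")`. `EVMX509ID` is assigned but not read within this hunk. In the enable_evm hunk the status of `load_evm_x509` is dropped, so a certificate that exists but fails to import is reported only through `info` before EVM is enabled; if that is intended, a comment on the call should say so.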
@@ -76,6 +115,9 @@ enable_evm()
# load the EVM encrypted key
load_evm_key || return 1
+ # load the EVM public key, if it exists
+ load_evm_x509
+
# initialize EVM
info "Enabling EVM"
echo 1 > ${EVMSECFILE}


@ -0,0 +1,135 @@
From 41ac16b26fe05c8291d3467b8a7bee1bc2445393 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Wed, 29 Apr 2015 11:05:25 -0400
Subject: [PATCH] Define new script to load keys on the IMA keyring (update)
This patch supports loading keys either on the _ima keyring or, as of
Linux 3.17, on the trusted .ima keyring. Only certificates signed by
a key on the system keyring can be loaded onto the trusted .ima keyring.
Changelog:
- Update 98integrity/README
---
modules.d/98integrity/README | 28 +++++++++++++++
modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++
modules.d/98integrity/module-setup.sh | 2 ++
3 files changed, 92 insertions(+)
create mode 100755 modules.d/98integrity/ima-keys-load.sh
diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README
index d74e063..64de0ae 100644
--- a/modules.d/98integrity/README
+++ b/modules.d/98integrity/README
@@ -38,3 +38,31 @@ line.
------------- '/etc/sysconfig/ima' (with the default value) -------------
IMAPOLICY="/etc/sysconfig/ima-policy"
-------------------------------------------------------------------------
+
+
+# Information on loading distro, third party or local keys on the trusted IMA keyring
+
+# Loading distro, third party or local keys on the trusted IMA keyring requires
+# creating a local certificate authority(local-CA), installing the local-CA's
+# public key on the system-keyring and signing the certificates with the local-CA
+# key.
+#
+# Many directions for creating a mini certificate authority exist on the web
+# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is
+# really important, especially in the case of the local-CA's private key.) The
+# local-CA's public key can be loaded onto the system keyring either by building
+# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As
+# of writing, the patches for loading the UEFI/Mok keys on the system-keyring
+# have not been upstreamed.)
+#
+# To view the system keyring: keyctl show %keyring:.system_keyring
+#
+# Most on-line directions for signing certificates requires creating a Certificate
+# Signing Request (CSR). Creating such a request requires access to the private
+# key, which would not be available when signing distro or 3rd party certificates.
+# Openssl provides the "-ss_cert" option for directly signing certificates.
+
+# 98integrity/ima-keys-load.sh script loads the signed certificates stored
+# in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR
+# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima
+# policy.
diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh
new file mode 100755
index 0000000..659b722
--- /dev/null
+++ b/modules.d/98integrity/ima-keys-load.sh
@@ -0,0 +1,62 @@
+#!/bin/sh
+
+SECURITYFSDIR="/sys/kernel/security"
+IMASECDIR="${SECURITYFSDIR}/ima"
+IMACONFIG="${NEWROOT}/etc/sysconfig/ima"
+
+load_x509_keys()
+{
+ KEYRING_ID=$1
+
+ # override the default configuration
+ if [ -f "${IMACONFIG}" ]; then
+ . ${IMACONFIG}
+ fi
+
+ if [ -z "${IMAKEYDIR}" ]; then
+ IMAKEYSDIR="/etc/keys/ima"
+ fi
+
+ PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*`
+ for PUBKEY in ${PUBKEY_LIST}; do
+ # check for public key's existence
+ if [ ! -f "${PUBKEY}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: IMA x509 cert file not found: ${PUBKEY}"
+ fi
+ continue
+ fi
+
+ X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID})
+ if [ $? -ne 0 ]; then
+ info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}"
+ fi
+ done
+
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ keyctl show ${KEYRING_ID}
+ fi
+ return 0
+}
+
+# check kernel support for IMA
+if [ ! -e "${IMASECDIR}" ]; then
+ if [ "${RD_DEBUG}" = "yes" ]; then
+ info "integrity: IMA kernel support is disabled"
+ fi
+ return 0
+fi
+
+# get the IMA keyring id
+line=$(keyctl describe %keyring:.ima)
+if [ $? -eq 0 ]; then
+ _ima_id=${line%%:*}
+else
+ _ima_id=`keyctl search @u keyring _ima`
+ if [ -z "${_ima_id}" ]; then
+ _ima_id=`keyctl newring _ima @u`
+ fi
+fi
+
+# load the IMA public key(s)
+load_x509_keys ${_ima_id}
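Review bot: `load_x509_keys` tests `IMAKEYDIR` but assigns `IMAKEYSDIR`, so a directory configured as `IMAKEYSDIR` in `/etc/sysconfig/ima` (the name the README hunk documents) is always overwritten with `/etc/keys/ima`; the test should read `if [ -z "${IMAKEYSDIR}" ]; then`. The key list is also built by parsing `ls` output with unquoted expansions, which breaks on file names containing whitespace. `for PUBKEY in "${NEWROOT}${IMAKEYSDIR}"/*; do` with `evmctl import "${PUBKEY}" "${KEYRING_ID}"` avoids that, and the existing `-f` test already covers an empty directory. `. ${IMACONFIG}` runs a file from the not-yet-pivoted root inside the initramfs shell, so a comment stating that `${NEWROOT}/etc/sysconfig/ima` is trusted as code at this point would help anyone auditing the integrity setup.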
diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh
index 2d4d2ed..34b33cd 100755
--- a/modules.d/98integrity/module-setup.sh
+++ b/modules.d/98integrity/module-setup.sh
@@ -13,6 +13,8 @@ depends() {
# called by dracut
install() {
+ dracut_install evmctl keyctl ls
inst_hook pre-pivot 61 "$moddir/evm-enable.sh"
+ inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh"
inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh"
}


@ -0,0 +1,24 @@
From 4f50a9bfb109f1705ca987db6301c3c66a00ea75 Mon Sep 17 00:00:00 2001
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
Date: Mon, 27 Apr 2015 18:24:14 -0400
Subject: [PATCH] Revert securitfs change
Commit 5e60145 use findmnt with "--source" or "--target" broke
mounting securityfs. This patch reverts only the securityfs
portion of the patch.
---
modules.d/96securityfs/securityfs.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/96securityfs/securityfs.sh b/modules.d/96securityfs/securityfs.sh
index 8ccb151..8e57571 100755
--- a/modules.d/96securityfs/securityfs.sh
+++ b/modules.d/96securityfs/securityfs.sh
@@ -3,6 +3,6 @@
SECURITYFSDIR="/sys/kernel/security"
export SECURITYFSDIR
-if ! findmnt --target "${SECURITYFSDIR}" >/dev/null 2>&1; then
+if ! findmnt "${SECURITYFSDIR}" >/dev/null 2>&1; then
mount -t securityfs -o nosuid,noexec,nodev securityfs ${SECURITYFSDIR} >/dev/null 2>&1
fi


@ -0,0 +1,67 @@
From e6a2555c7ddde2ed542b2aae01d78a5c9309bf80 Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 10 Aug 2015 13:40:43 +0200
Subject: [PATCH] base/dracut-lib.sh: Dup stdout and stderr
Dup stdout and stderr, so that subshell redirection does not affect
logging.
Also gets rid of systemd printing info() to the console on "quiet".
---
modules.d/99base/dracut-lib.sh | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh
index 5ec7b23..200c263 100755
--- a/modules.d/99base/dracut-lib.sh
+++ b/modules.d/99base/dracut-lib.sh
@@ -51,29 +51,45 @@ str_ends() {
[ "${1%*"$2"}" != "$1" ]
}
+# Dup stdout and stderr, so that subshell redirection does not affect logging.
+if [ -z "$DRACUT_STDOUT" ]; then
+ if [ -n "$BASH" ]; then
+ readonly DRACUT_STDOUT=98
+ readonly DRACUT_STDERR=98
+ exec 98>&1
+ exec 99>&2
+ else
+ readonly DRACUT_STDOUT=8
+ readonly DRACUT_STDERR=9
+ exec 8>&1
+ exec 9>&2
+ fi
+fi
+
+
if [ -z "$DRACUT_SYSTEMD" ]; then
warn() {
check_quiet
echo "<28>dracut Warning: $*" > /dev/kmsg
- echo "dracut Warning: $*" >&2
+ echo "dracut Warning: $*" >&$DRACUT_STDERR
}
info() {
check_quiet
echo "<30>dracut: $*" > /dev/kmsg
[ "$DRACUT_QUIET" != "yes" ] && \
- echo "dracut: $*" >&2
+ echo "dracut: $*" >&$DRACUT_STDERR
}
else
warn() {
- echo "Warning: $*" >&2
+ echo "Warning: $*" >&$DRACUT_STDERR
}
info() {
- echo "$*" >&2
+ echo "$*" >&$DRACUT_STDOUT
}
fi
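Review bot: In the bash branch `DRACUT_STDERR` is set to 98, the same descriptor as `DRACUT_STDOUT`, although stderr is duplicated onto 99 by `exec 99>&2`. Under bash every `warn`, and `info` in the non-systemd case, is therefore written to the saved stdout, and descriptor 99 is never used. The assignment should be `readonly DRACUT_STDERR=99`. Presumably the saved descriptors are also inherited by every child process started afterwards; that is worth confirming and noting in the comment above the block.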


@ -0,0 +1,26 @@
From 3c00189988f6921c1affdd61a0f5025ee9b93bda Mon Sep 17 00:00:00 2001
From: Harald Hoyer <harald@redhat.com>
Date: Mon, 10 Aug 2015 14:05:15 +0200
Subject: [PATCH] dracut.sh: remove quotes from install_items and
install_optional_items
Unfortunately these are lists with whitespaces.
---
dracut.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index 77874ba..f7d31a4 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1453,8 +1453,8 @@ if [[ $no_kernel != yes ]]; then
fi
if [[ $kernel_only != yes ]]; then
- (( ${#install_items[@]} > 0 )) && inst_multiple "${install_items[@]}"
- (( ${#install_optional_items[@]} > 0 )) && inst_multiple -o "${install_optional_items[@]}"
+ (( ${#install_items[@]} > 0 )) && inst_multiple ${install_items[@]}
+ (( ${#install_optional_items[@]} > 0 )) && inst_multiple -o ${install_optional_items[@]}
[[ $kernel_cmdline ]] && printf "%s\n" "$kernel_cmdline" >> "${initdir}/etc/cmdline.d/01-default.conf"
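Review bot: Dropping the quotes on `${install_items[@]}` and `${install_optional_items[@]}` enables pathname expansion as well as the word splitting the commit wants, so an element containing `*`, `?` or `[` is expanded against the current directory before `inst_multiple` receives it. If the elements really are whitespace-separated lists, splitting them where the arrays are filled would let this call site stay quoted. Failing that, a comment such as `# unquoted on purpose: each element may be a whitespace-separated list` would keep the quotes from being restored later. The enclosing `if [[ $kernel_only != yes ]]` block continues outside the hunk.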


@ -11,7 +11,7 @@
Name: dracut
Version: 043
Release: 40.git20150710%{?dist}.2
Release: 60.git20150811%{?dist}
Summary: Initramfs generator using udev
%if 0%{?fedora} || 0%{?rhel}
@ -68,7 +68,27 @@ Patch35: 0035-dracut-functions.sh-simplify-some-for-loops.patch
Patch36: 0036-dracut.sh-reduce-code.patch
Patch37: 0037-dracut.sh-remember-0-for-regenerate-all.patch
Patch38: 0038-dracut.sh-early-check-for-bash-version.patch
Patch39: 0039-dracut.spec-add-dracut-init.sh.patch
Patch39: 0039-network-add-rd.peerdns-0-parameter.patch
Patch40: 0040-TODO-update.patch
Patch41: 0041-crypt-skip-crypttab-entries-with-the-same-device.patch
Patch42: 0042-dracut-systemd-dracut-initqueue-only-start-service-i.patch
Patch43: 0043-Replace-echo-n-with-printf-in-code-with-a-bin-sh-she.patch
Patch44: 0044-syncheck-Look-for-echo-n-usage-in-modules.patch
Patch45: 0045-dracut.spec-add-dracut-init.sh.patch
Patch46: 0046-use-mktemp-p-instead-of-tmpdir-for-busybox.patch
Patch47: 0047-dmsquash-generator.sh-increase-timeout-for-checkisom.patch
Patch48: 0048-Cleanup-compressor-handling.patch
Patch49: 0049-Add-missing-echo-to-output-the-result.patch
Patch50: 0050-crypt-s-allow-discards-discard-for-crypttab.patch
Patch51: 0051-qemu-add-spapr-vscsi-kernel-module.patch
Patch52: 0052-dracut.sh-simplify-modalias-reading.patch
Patch53: 0053-90qemu-fixed-systemd-detect-virt-output-parsing.patch
Patch54: 0054-Remove-98integrity-s-dependency-on-selinux.patch
Patch55: 0055-Extend-evm-enable.sh-to-load-the-EVM-public-key.patch
Patch56: 0056-Define-new-script-to-load-keys-on-the-IMA-keyring-up.patch
Patch57: 0057-Revert-securitfs-change.patch
Patch58: 0058-base-dracut-lib.sh-Dup-stdout-and-stderr.patch
Patch59: 0059-dracut.sh-remove-quotes-from-install_items-and-insta.patch
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@ -100,7 +120,6 @@ BuildRequires: docbook-style-xsl docbook-dtds libxslt
BuildRequires: asciidoc
%endif
%if 0%{?fedora} > 12 || 0%{?rhel}
# no "provides", because dracut does not offer
# all functionality of the obsoleted packages
@ -135,16 +154,16 @@ Requires: grep
Requires: kmod
Requires: sed
Requires: xz
Requires: gzip
%if 0%{?fedora} > 22
Recommends: grubby
Recommends: hardlink
Recommends: gzip
Recommends: pigz
Recommends: kpartx
%else
Requires: hardlink
Requires: gzip
Requires: xz
Requires: kpartx
%endif
@ -529,6 +548,12 @@ rm -rf -- $RPM_BUILD_ROOT
%endif
%changelog
* Tue Aug 11 2015 Harald Hoyer <harald@redhat.com> 043-60.git20150811
- fixed checkiso timeout
- fixed log output although quiet is set
- fixed qemu detection
- cleanup compressor handling
* Wed Jul 22 2015 Harald Hoyer <harald@redhat.com> 043-40.git20150710.2
- require "xz" to handle the kernel modules