diff --git a/SOURCES/0070.patch b/SOURCES/0070.patch
new file mode 100644
index 0000000..edfdd77
--- /dev/null
+++ b/SOURCES/0070.patch
@@ -0,0 +1,250 @@ +From 29616c6a89437e138bb5abc55b42325d0d2b1394 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Tue, 22 Oct 2024 17:30:32 +0200 +Subject: [PATCH] ci: fix CentOS-9-Stream container and ci config + + - correct URL for dash + - add missing dependencies + - use centos9 instead of fedora + +rhel-only + +Resolves: RHEL-65249 +--- + .github/workflows/integration.yml | 4 +- + test/container/Dockerfile-Arch | 25 ------------- + test/container/Dockerfile-CentOS-9-Stream | 5 ++- + test/container/Dockerfile-Debian | 61 ------------------------------- + test/container/Dockerfile-Fedora-latest | 56 ---------------------------- + test/container/Dockerfile-OpenSuse-latest | 23 ------------ + 6 files changed, 5 insertions(+), 169 deletions(-) + +diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml +index c22bf916..c023ab16 100644 +--- a/.github/workflows/integration.yml ++++ b/.github/workflows/integration.yml +@@ -14,7 +14,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "04", +@@ -40,7 +40,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "01", +diff --git a/test/container/Dockerfile-Arch b/test/container/Dockerfile-Arch +deleted file mode 100644 +index 4112cc5b..00000000 +--- a/test/container/Dockerfile-Arch ++++ /dev/null +@@ -1,25 +0,0 @@ +-FROM docker.io/archlinux +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN pacman --noconfirm -Sy \ +- linux dash strace dhclient asciidoc cpio pigz squashfs-tools \ +- qemu btrfs-progs mdadm dmraid nfs-utils nfsidmap lvm2 nbd \ +- dhcp networkmanager 
multipath-tools vi tcpdump open-iscsi \ +- git shfmt shellcheck astyle which base-devel glibc parted && yes | pacman -Scc +- +-RUN useradd -m build +-RUN su build -c 'cd && git clone https://aur.archlinux.org/perl-config-general.git && cd perl-config-general && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/perl-config-general/*.pkg.tar.* +-RUN su build -c 'cd && git clone https://aur.archlinux.org/tgt.git && cd tgt && echo "CFLAGS=-Wno-error=stringop-truncation" >> PKGBUILD && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/tgt/*.pkg.tar.* +-RUN rm -fr ~build +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream +index abcc067e..26d308d2 100644 +--- a/test/container/Dockerfile-CentOS-9-Stream ++++ b/test/container/Dockerfile-CentOS-9-Stream +@@ -8,9 +8,10 @@ LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=h + RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh + + # Install needed packages for the dracut CI container +-# FIXME: properly re-add dash once C9S EPEL is available ++# FIXME: add dmraid, scsi-target-utils (e.g. 
from COPR) + RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \ +- http://mirrors.kernel.org/fedora/releases/34/Everything/x86_64/os/Packages/d/dash-0.5.10.2-8.fc34.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \ + qemu-kvm \ + NetworkManager \ + asciidoc \ +diff --git a/test/container/Dockerfile-Debian b/test/container/Dockerfile-Debian +deleted file mode 100644 +index 15eb9958..00000000 +--- a/test/container/Dockerfile-Debian ++++ /dev/null +@@ -1,61 +0,0 @@ +-FROM docker.io/debian:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN apt-get update -y -qq && apt-get upgrade -y -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends -o Dpkg::Use-Pty=0 \ +- asciidoc \ +- astyle \ +- btrfs-progs \ +- busybox-static \ +- bzip2 \ +- ca-certificates \ +- console-setup \ +- cpio \ +- cryptsetup \ +- curl \ +- dash \ +- debhelper \ +- debhelper-compat \ +- docbook \ +- docbook-xml \ +- docbook-xsl \ +- fdisk \ +- g++ \ +- git \ +- iputils-ping \ +- isc-dhcp-client \ +- kmod \ +- less \ +- libkmod-dev \ +- linux-image-generic \ +- lvm2 \ +- make \ +- mdadm \ +- multipath-tools \ +- nbd-client \ +- network-manager \ +- nfs-common \ +- open-iscsi \ +- parted \ +- pigz \ +- pkg-config \ +- procps \ +- qemu-system-x86 \ +- quilt \ +- shellcheck \ +- squashfs-tools \ +- strace \ +- sudo \ +- tcpdump \ +- vim \ +- wget \ +- && apt-get clean +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git 
a/test/container/Dockerfile-Fedora-latest b/test/container/Dockerfile-Fedora-latest +deleted file mode 100644 +index a38a72ef..00000000 +--- a/test/container/Dockerfile-Fedora-latest ++++ /dev/null +@@ -1,56 +0,0 @@ +-FROM registry.fedoraproject.org/fedora:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash \ +- pigz \ +- asciidoc \ +- mdadm \ +- lvm2 \ +- dmraid \ +- cryptsetup \ +- nfs-utils \ +- nbd \ +- dhcp-server \ +- scsi-target-utils \ +- iscsi-initiator-utils \ +- strace \ +- btrfs-progs \ +- kmod-devel \ +- gcc \ +- bzip2 \ +- xz \ +- tar \ +- wget \ +- rpm-build \ +- make \ +- git \ +- bash-completion \ +- sudo \ +- kernel \ +- dhcp-client \ +- /usr/bin/qemu-kvm \ +- /usr/bin/qemu-system-$(uname -i) \ +- e2fsprogs \ +- tcpdump \ +- iproute \ +- iputils \ +- dbus-daemon \ +- kbd \ +- NetworkManager \ +- squashfs-tools \ +- which \ +- ShellCheck \ +- shfmt \ +- parted \ +- && dnf -y update && dnf clean all +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-OpenSuse-latest b/test/container/Dockerfile-OpenSuse-latest +deleted file mode 100644 +index 9aaf07b1..00000000 +--- a/test/container/Dockerfile-OpenSuse-latest ++++ /dev/null +@@ -1,23 +0,0 @@ +-FROM registry.opensuse.org/opensuse/tumbleweed-dnf:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# 
Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash asciidoc mdadm lvm2 dmraid cryptsetup nfs-utils nbd dhcp-server \ +- strace libkmod-devel gcc bzip2 xz tar wget rpm-build make git bash-completion \ +- sudo kernel dhcp-client qemu-kvm /usr/bin/qemu-system-$(uname -m) e2fsprogs \ +- tcpdump iproute iputils kbd NetworkManager btrfsprogs tgt dbus-broker \ +- iscsiuio open-iscsi which ShellCheck procps pigz parted squashfs \ +- && dnf -y update && dnf clean all +- +-RUN shfmt_version=3.2.4; wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O /usr/local/bin/shfmt \ +- && chmod +x /usr/local/bin/shfmt +- +-# Set default command +-CMD ["/usr/bin/bash"] + diff --git a/SOURCES/0071.patch b/SOURCES/0071.patch index daaf643..4e9daec 100644 --- a/SOURCES/0071.patch +++ b/SOURCES/0071.patch 
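Review bot: The two RPMs pulled by URL in the `dnf -y install` line of Dockerfile-CentOS-9-Stream (dash and btrfs-progs from dl.fedoraproject.org) are version-pinned, but if dnf's default `localpkg_gpgcheck=0` applies to URL-installed packages as it does to local files, their signatures are never verified and the CI image's integrity rests on TLS alone. Since both packages come from EPEL 9, installing `epel-release` first and then listing `dash` and `btrfs-progs` alongside the other packages should keep the repository's gpgcheck in force; otherwise import the EPEL key and add `--setopt=localpkg_gpgcheck=1` to the same command. The deleted Arch/Debian/Fedora/OpenSuse Dockerfiles and the workflow container switch need no comment.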
@@ -1,52 +1,35 @@ -From 9946f5f3a5e8686a68c757973560da8f3949582b Mon Sep 17 00:00:00 2001 -From: Adrien Thierry -Date: Mon, 13 Feb 2023 10:43:32 -0500 -Subject: [PATCH] fix(kernel-modules): use modalias info in get_dev_module() +From 0a264651d148b543c0c5d6b0a07909cdcb1abfba Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Tue, 26 Nov 2024 11:27:54 +0100 +Subject: [PATCH] fix(35network-manager): install nftables kernel modules + needed -When calling dracut with '--hostonly-mode=strict', get_dev_module() gets -called on the system's block devices to find the required drivers. The -driver name is retrieved using udevadm. However, the driver name -returned by udevadm is not necessarily the same as the module name. -This is the case for the Qualcomm UFS driver: udevadm returns -'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is -not able to find the module afterwards. +NetworkManager requires nf_tables, nfnetlink and nft_fwd_netdev kernel +modules to operate balance-slb bonding mode. -To solve this, make get_dev_module() also return the module alias info -from the modalias files contained in the sysfs directories parsed by -udevadm. 
+Fixes a6264d1726d9 ("fix(35network-manager): install nft binary during module installation") -Signed-off-by: Adrien Thierry +(cherry picked from commit 037da383dd8d9d9d699f1430d6afc790b28b18f8) -(cherry picked from commit 87a76dbb578aff473e690857d1b714eacd92b9ec) - -Resolves: RHEL-79790 +Resolves: RHEL-64754 --- - dracut-functions.sh | 12 ++++++++++++ - 1 file changed, 12 insertions(+) + modules.d/35network-manager/module-setup.sh | 5 +++++ + 1 file changed, 5 insertions(+) -diff --git a/dracut-functions.sh b/dracut-functions.sh -index 3c475ca7..f2614308 100755 ---- a/dracut-functions.sh -+++ b/dracut-functions.sh -@@ -971,8 +971,20 @@ block_is_netdevice() { - get_dev_module() { - local dev_attr_walk - local dev_drivers -+ local dev_paths - dev_attr_walk=$(udevadm info -a "$1") - dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index c93c6a3c..6ed8c04e 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -19,6 +19,11 @@ installkernel() { + return 0 + } + ++# called by dracut ++installkernel() { ++ instmods nf_tables nfnetlink nft_fwd_netdev ++} + -+ # also return modalias info from sysfs paths parsed by udevadm -+ dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') -+ local dev_path -+ for dev_path in $dev_paths; do -+ local modalias_file="/sys$dev_path/modalias" -+ if [ -e "$modalias_file" ]; then -+ dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")" -+ fi -+ done -+ - # if no kernel modules found and device is in a virtual subsystem, follow symlinks - if [[ -z $dev_drivers && $(udevadm info -q path "$1") == "/devices/virtual"* ]]; then - local dev_vkernel + # called by dracut + install() { + local _nm_version diff --git a/SOURCES/0072.patch b/SOURCES/0072.patch index ed3f561..95a48cc 100644 --- a/SOURCES/0072.patch 
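Review bot: The new `installkernel()` in 35network-manager/module-setup.sh is added as a second definition directly below the existing one, whose `return 0` body is still visible as context in the same hunk, so the file now defines the function twice and only the later definition takes effect. The shell keeps the last definition, so it works, but it leaves a dead stub and hides which body is active; changing the existing body to `instmods nf_tables nfnetlink nft_fwd_netdev` instead (the form used on the removed side of SOURCES/0076.patch further down this diff) is clearer. The install() function that follows continues outside the hunk.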
+++ b/SOURCES/0072.patch 
@@ -1,84 +1,35 @@ -From 10999c66b7d7c375e24224b572f89dc60311ad67 Mon Sep 17 00:00:00 2001 -From: Tao Liu -Date: Wed, 12 Apr 2023 23:02:25 +0800 -Subject: [PATCH] fix(dracut-functions.sh): convert mmcblk to the real kernel - module name +From 3db62d5a16557941ef95ab0aa838f1012c20af9e Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Thu, 21 Nov 2024 00:40:27 +0100 +Subject: [PATCH] fix(35network-manager): install nft binary during module + installation -In some x86_64 platforms such as Intel Elkhartlake, an issue of missing -necessary modules due to udevadm drivers field unmatch the real kernel module -name is found: +NetworkManager has a new bonding mode called balance-slb. This mode is +used in environments where NICs are connected to switches without LACP. +In order to work, NetworkManager configures a set of nftables rules. - $ udevadm info -a /dev/block/179:1 +The 'nft' binary is required to work. - looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001': - KERNELS=="mmc0:0001" - SUBSYSTEMS=="mmc" - DRIVERS=="mmcblk" - .... +Signed-off-by: Fernando Fernandez Mancera -The DRIVERS field, aka mmcblk will be given to instmods to install the -corresponding mmc_block.ko kernel module. However mmc_block.ko cannot be -selected by string mmcblk, as a result, mmc_block.ko cannot be installed -in hostonly-mode strict, which will fail to bootup the machine such as in -kdump cases: +(cherry picked from commit 37317b61fda5181aeb0604381e994e8181a53200) - $ /usr/lib/dracut/dracut-install -D /var/tmp --kerneldir /lib/modules/$(uname -r)/ -m mmcblk - dracut-install: Failed to find module 'mmcblk' - -In this patch, we will convert the string mmcblk to mmc_block, so the -kernel module can be successfully loaded. 
- -Signed-off-by: Tao Liu - -(cherry picked from commit a62e895db9510f0fc4c47ee81b1436096eca4d64) - -Resolves: RHEL-79790 +Resolves: RHEL-64754 --- - dracut-functions.sh | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) + modules.d/35network-manager/module-setup.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/dracut-functions.sh b/dracut-functions.sh -index f2614308..2e582ebc 100755 ---- a/dracut-functions.sh -+++ b/dracut-functions.sh -@@ -967,13 +967,30 @@ block_is_netdevice() { - block_is_nbd "$1" || block_is_iscsi "$1" || block_is_fcoe "$1" - } +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index 6ed8c04e..4fd3d051 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -37,7 +37,7 @@ install() { + inst NetworkManager + inst_multiple -o /usr/{lib,libexec}/nm-initrd-generator + inst_multiple -o /usr/{lib,libexec}/nm-daemon-helper +- inst_multiple -o teamd dhclient ++ inst_multiple -o teamd dhclient nft + inst_hook cmdline 99 "$moddir/nm-config.sh" + if dracut_module_included "systemd"; then -+# convert the driver name given by udevadm to the corresponding kernel module name -+get_module_name() { -+ local dev_driver -+ while read -r dev_driver; do -+ case "$dev_driver" in -+ mmcblk) -+ echo "mmc_block" -+ ;; -+ *) -+ echo "$dev_driver" -+ ;; -+ esac -+ done -+} -+ - # get the corresponding kernel modules of a /sys/class/*/* or/dev/* device - get_dev_module() { - local dev_attr_walk - local dev_drivers - local dev_paths - dev_attr_walk=$(udevadm info -a "$1") -- dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') -+ dev_drivers=$(echo "$dev_attr_walk" \ -+ | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ -+ | get_module_name) - - # also return modalias info from sysfs paths parsed by udevadm - dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') -@@ -1001,6 
+1018,7 @@ get_dev_module() { - [[ -n $dev_drivers && ${dev_drivers: -1} != $'\n' ]] && dev_drivers+=$'\n' - dev_drivers+=$(udevadm info -a "$dev_vpath/$dev_link" \ - | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ -+ | get_module_name \ - | grep -v -e pcieport) - done - fi diff --git a/SOURCES/0073.patch b/SOURCES/0073.patch new file mode 100644 index 0000000..0246d4d --- /dev/null +++ b/SOURCES/0073.patch 
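Review bot: `nft` is appended to `inst_multiple -o teamd dhclient nft`, and the `-o` flag makes it optional, so a build host without nftables produces an initramfs in which NetworkManager's balance-slb setup fails at boot with no build-time signal, although the patch description calls the binary required. If best-effort is intended, say so in a comment on that line; otherwise install it separately and surface the miss with something like `inst_multiple -o teamd dhclient` followed by `inst nft || dwarn "nft not found; balance-slb bonding will not work in the initramfs"`. The rest of install() continues outside the hunk.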
@@ -0,0 +1,100 @@ +From e3bba58810038d0e7bc83988355e07eb30c1f5a7 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 20 Jun 2024 13:38:26 +0800 +Subject: [PATCH] fix(dracut-install): copy xattr when use clone ioctl + +When use clone ioctl to copy a file, the extended attributes of files are +missing, which is inconsistent with the result by using the cp command. +This commit add the process to copy extended attributes after clone_file(). + +Signed-off-by: Huaxin Lu + +(cherry picked from commit 1cf0db26e43fe4c6173acdb8047f16666ebf070a) + +Resolves: RHEL-55245 +--- + src/install/dracut-install.c | 56 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c +index 997d62d3..2ad783d3 100644 +--- a/src/install/dracut-install.c ++++ b/src/install/dracut-install.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "hashmap.h" +@@ -267,6 +268,56 @@ static inline int clone_file(int dest_fd, int src_fd) + return ioctl(dest_fd, BTRFS_IOC_CLONE, src_fd); + } + ++static int copy_xattr(int dest_fd, int src_fd) ++{ ++ int ret = 0; ++ ssize_t name_len = 0, value_len = 0; ++ char *name_buf = NULL, *name = NULL, *value = NULL, *value_save = NULL; ++ ++ name_len = flistxattr(src_fd, NULL, 0); ++ if (name_len < 0) ++ return -1; ++ ++ name_buf = calloc(1, name_len + 1); ++ if (name_buf == NULL) ++ return -1; ++ ++ name_len = flistxattr(src_fd, name_buf, name_len); ++ if (name_len < 0) ++ goto out; ++ ++ for (name = name_buf; name != name_buf + name_len; name = strchr(name, '\0') + 1) { ++ value_len = fgetxattr(src_fd, name, NULL, 0); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } ++ ++ value_save = value; ++ value = realloc(value, value_len); ++ if (value == NULL) { ++ value = value_save; ++ ret = -1; ++ goto out; ++ } ++ ++ value_len = fgetxattr(src_fd, name, value, value_len); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } 
++ ++ value_len = fsetxattr(dest_fd, name, value, value_len, 0); ++ if (value_len < 0) ++ ret = -1; ++ } ++ ++out: ++ free(name_buf); ++ free(value); ++ return ret; ++} ++ + static bool use_clone = true; + + static int cp(const char *src, const char *dst) +@@ -308,6 +359,11 @@ static int cp(const char *src, const char *dst) + log_info("Failed to chown %s: %m", dst); + } + ++ if (geteuid() == 0 && no_xattr == false) { ++ if (copy_xattr(dest_desc, source_desc) != 0) ++ log_error("Failed to copy xattr %s: %m", dst); ++ } ++ + tv[0].tv_sec = sb.st_atime; + tv[0].tv_usec = 0; + tv[1].tv_sec = sb.st_mtime; + diff --git a/SOURCES/0074.patch b/SOURCES/0074.patch new file mode 100644 index 0000000..708a625 --- /dev/null +++ b/SOURCES/0074.patch 
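Review bot: `copy_xattr()` double-frees `value` when an attribute has an empty value: `fgetxattr(src_fd, name, NULL, 0)` returns 0, `realloc(value, 0)` on glibc frees the old block and returns NULL, and the recovery path restores `value_save` and jumps to `out`, where `free(value)` releases the already-freed pointer. Allocating at least one byte avoids it, `value = realloc(value, value_len > 0 ? value_len : 1);`. Separately, the second `flistxattr()` failing (for example ERANGE when the list grew between the two calls) jumps to `out` with `ret` still 0, so cp() logs nothing and treats the copy as successful; that path should set `ret = -1;` before the `goto out`. The function is complete within the hunk; note also that the `log_error("Failed to copy xattr %s: %m", dst)` in cp() prints whatever errno remains after the loop's last fsetxattr() and the free() calls, so the message may not reflect the attribute that actually failed.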
@@ -0,0 +1,138 @@ +From 01e51a69c34b58ddb974a1489c2990bb77bf791e Mon Sep 17 00:00:00 2001 +From: Lichen Liu +Date: Wed, 7 Aug 2024 10:13:37 +0800 +Subject: [PATCH] feat(dracut.sh): add --add-confdir option + +When generating kdump's initrd, we want to keep [omit_]dracutmodules +empty and let kdump to handle the modules. And we don't want to +affect the first kernel's initrd, so we cannot place our conf file +to /etc/dracut.conf.d or /usr/lib/dracut/dracut.conf.d. + +This patch adds a new option to allow user to add an extra configuration +directory to use *.conf files from. If the dir not exists, will look for +confdir's subdir. + +After that, kdump can use "--add-confdir kdump" if +/usr/lib/dracut/dracut.conf.d/kdump exists, to apply its own dracut conf. + +See also: +https://github.com/rhkdump/kdump-utils/issues/11 +https://github.com/rhkdump/kdump-utils/pull/31 + +Suggested-by: Dave Young +Signed-off-by: Lichen Liu + +(cherry picked from commit ae81535037c42b716d8cbb9dc18942b5c6f16fed) + +Resolves: RHEL-66582 +--- + dracut.sh | 25 ++++++++++++++++++++++++- + man/dracut.8.asc | 8 ++++++++ + shell-completion/bash/dracut | 4 ++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 778eefd7..7e4b0602 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -156,6 +156,9 @@ Creates initial ramdisk images for preloading modules + Default: /etc/dracut.conf + --confdir [DIR] Specify configuration directory to use *.conf files + from. Default: /etc/dracut.conf.d ++ --add-confdir [DIR] Add an extra configuration directory to use *.conf ++ files from. If the directory is not existed, will ++ look for subdirectory under confdir. + --tmpdir [DIR] Temporary directory to be used instead of default + ${TMPDIR:-/var/tmp}. + -r, --sysroot [DIR] Specify sysroot directory to collect files from. 
+@@ -400,6 +403,7 @@ rearrange_params() { + --long kmoddir: \ + --long conf: \ + --long confdir: \ ++ --long add-confdir: \ + --long tmpdir: \ + --long sysroot: \ + --long stdlog: \ +@@ -676,6 +680,11 @@ while :; do + PARMS_TO_STORE+=" '$2'" + shift + ;; ++ --add-confdir) ++ add_confdir="$2" ++ PARMS_TO_STORE+=" '$2'" ++ shift ++ ;; + --tmpdir) + tmpdir_l="$2" + PARMS_TO_STORE+=" '$2'" +@@ -931,6 +940,20 @@ elif [[ ! -d $confdir ]]; then + exit 1 + fi + ++if [[ -n $add_confdir ]]; then ++ if [[ -d $add_confdir ]]; then ++ : ++ # Check if it exists under $confdir. ++ elif [[ -d $confdir/$add_confdir ]]; then ++ add_confdir="$confdir/$add_confdir" ++ elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ else ++ printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 ++ exit 1 ++ fi ++fi ++ + # source our config file + if [[ -f $conffile ]]; then + check_conf_file "$conffile" +@@ -939,7 +962,7 @@ if [[ -f $conffile ]]; then + fi + + # source our config dir +-for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do ++for f in $(dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"); do + check_conf_file "$f" + # shellcheck disable=SC1090 + [[ -e $f ]] && . "$f" +diff --git a/man/dracut.8.asc b/man/dracut.8.asc +index 8339e8a9..15ae36e6 100644 +--- a/man/dracut.8.asc ++++ b/man/dracut.8.asc +@@ -311,6 +311,14 @@ Default: + Default: + _/etc/dracut.conf.d_ + ++**--add-confdir** __:: ++ Add an extra configuration directory to use *.conf files from. If the ++ directory is not existed, will look for subdirectory under confdir. +++ ++Default: ++ _empty_ ++ ++ + **--tmpdir** __:: + Specify temporary directory to use. 
+ + +diff --git a/shell-completion/bash/dracut b/shell-completion/bash/dracut +index 9b51db01..bc14aa9a 100644 +--- a/shell-completion/bash/dracut ++++ b/shell-completion/bash/dracut +@@ -46,14 +46,14 @@ _dracut() { + --kernel-cmdline --sshkey --persistent-policy --install-optional + --loginstall --uefi-stub --kernel-image --squash-compressor + --sysroot --hostonly-mode --hostonly-nics --include --logfile +- --uefi-splash-image --sbat ++ --uefi-splash-image --sbat --add-confdir + ' + ) + + # shellcheck disable=SC2086 + if __contains_word "$prev" ${OPTS[ARG]}; then + case $prev in +- --kmoddir | -k | --fwdir | --confdir | --tmpdir | -r | --sysroot) ++ --kmoddir | -k | --fwdir | --confdir | --add-confdir | --tmpdir | -r | --sysroot) + comps=$(compgen -d -- "$cur") + compopt -o filenames + ;; + diff --git a/SOURCES/0075.patch b/SOURCES/0075.patch new file mode 100644 index 0000000..21ce11c --- /dev/null +++ b/SOURCES/0075.patch @@ -0,0 +1,28 @@ +From cb1c0c94322768dcdc8748b3623c0a4ba1afde71 Mon Sep 17 00:00:00 2001 +From: Jo Zzsi +Date: Wed, 11 Sep 2024 16:57:13 -0400 +Subject: [PATCH] fix: typo in variable name + +(cherry picked from commit 76b2f1a9b52afd4203c1d0e6afb57314bbfe8407) + +Resolves: RHEL-66582 +--- + dracut.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 7e4b0602..f748a073 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -946,8 +946,8 @@ if [[ -n $add_confdir ]]; then + # Check if it exists under $confdir. + elif [[ -d $confdir/$add_confdir ]]; then + add_confdir="$confdir/$add_confdir" +- elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then +- add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ elif [[ -d $dracutbasedir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasedir/dracut.conf.d/$add_confdir" + else + printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 + exit 1 + 
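Review bot: A relative `--add-confdir` value is tested against the current working directory first (`if [[ -d $add_confdir ]]`), ahead of the `$confdir/` and `dracut.conf.d/` lookups, and every `*.conf` found there is sourced as shell by the `. "$f"` loop while dracut runs as root, so `dracut --add-confdir kdump` executed from a directory that happens to contain a `kdump/` subdirectory picks up that directory's configuration instead of the system one. Accept the value as given only when it is absolute, `if [[ $add_confdir == /* && -d $add_confdir ]]; then`, and treat bare names purely as subdirectory lookups. When the option is not given, the new `dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"` call also passes an empty argument; if dropindirs_sort globs `$d/*$suffix` for each directory, that empty entry expands to `/*.conf`, so pass it as `${add_confdir:+"$add_confdir"}` instead. The `$dracutbasdir` typo in the lookup is already corrected by SOURCES/0075.patch in this same diff.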
diff --git a/SOURCES/0076.patch b/SOURCES/0076.patch
index 2244908..83d5f80 100644
--- a/SOURCES/0076.patch
+++ b/SOURCES/0076.patch
@@ -1,34 +1,118 @@ -From d1dabed5f534a64e87b9e1f528f1d5eee955f35f Mon Sep 17 00:00:00 2001 -From: Fernando Fernandez Mancera -Date: Tue, 26 Nov 2024 11:27:54 +0100 -Subject: [PATCH] fix(35network-manager): install nftables kernel modules - needed +From 492bc949e16f78fad9f274744c72bc2fd0161d84 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Fri, 9 Aug 2024 12:49:05 +0200 +Subject: [PATCH] feat(fips): add support for UKIs -NetworkManager requires nf_tables, nfnetlink and nft_fwd_netdev kernel -modules to operate balance-slb bonding mode. +Kernel integrity check in FIPS module is incompatible with UKIs as neither +/boot/vmlinuz-`uname-r` nor /boot/.vmlinuz-`uname-r`.hmac are present. UKI +is placed to $ESP\EFI\Linux\-.efi and if a .hmac file +is present next to it, it is possible to do similar check. -Fixes a6264d1726d9 ("fix(35network-manager): install nft binary during module installation") +Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected +to be set. Luckily, if the UKI is systemd-stub based then we can expect +'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount +it to /boot using the existing logic. 
-(cherry picked from commit 037da383dd8d9d9d699f1430d6afc790b28b18f8) +Signed-off-by: Vitaly Kuznetsov -Resolves: RHEL-69461 +(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be) -rhel-only +Resolves: RHEL-56885 --- - modules.d/35network-manager/module-setup.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + modules.d/01fips/fips.sh | 51 ++++++++++++++++++++++++++++++++++++++++ + modules.d/01fips/module-setup.sh | 2 +- + 2 files changed, 52 insertions(+), 1 deletion(-) -diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh -index c93c6a3c..2c1fe718 100755 ---- a/modules.d/35network-manager/module-setup.sh -+++ b/modules.d/35network-manager/module-setup.sh -@@ -16,7 +16,7 @@ depends() { +diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh +index 05631c8a..3889dc0c 100755 +--- a/modules.d/01fips/fips.sh ++++ b/modules.d/01fips/fips.sh +@@ -14,9 +14,22 @@ else + } + fi - # called by dracut - installkernel() { -- return 0 -+ instmods nf_tables nfnetlink nft_fwd_netdev ++# Checks if a systemd-based UKI is running and ESP UUID is set ++is_uki() { ++ [ -f /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] \ ++ && [ -f /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] ++} ++ + mount_boot() { + boot=$(getarg boot=) + ++ if is_uki && [ -z "$boot" ]; then ++ # efivar file has 4 bytes header and contain UCS-2 data. Note, 'cat' is required ++ # as sys/firmware/efi/efivars/ files are 'special' and don't allow 'seeking'. 
++ # shellcheck disable=SC2002 ++ boot="PARTUUID=$(cat /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f | tail -c +5 | tr -d '\0' | tr 'A-F' 'a-f')" ++ fi ++ + if [ -n "$boot" ]; then + if [ -d /boot ] && ismounted /boot; then + boot_dev= +@@ -81,6 +94,41 @@ do_rhevh_check() { + return 0 } - # called by dracut ++do_uki_check() { ++ local KVER ++ local uki_checked=0 ++ ++ KVER="$(uname -r)" ++ # UKI are placed in $ESP\EFI\Linux\-.efi ++ if ! [ "$FIPS_MOUNTED_BOOT" = 1 ]; then ++ warn "Failed to mount ESP for doing UKI integrity check" ++ return 1 ++ fi ++ ++ for UKIpath in /boot/EFI/Linux/*-"$KVER".efi; do ++ # UKIs are installed to $ESP/EFI/Linux/-.efi ++ # and in some cases (e.g. when the image is used as a template for creating new ++ # VMs) entry-token-or-machine-id can change. To make sure the running UKI is ++ # always checked, check all UKIs which match the 'uname -r' of the running kernel ++ # and fail the whole check if any of the matching UKIs are corrupted. 
++ ++ [ -r "$UKIpath" ] || break ++ ++ local UKI="${UKIpath##*/}" ++ local UKIHMAC=."$UKI".hmac ++ ++ fips_info "checking $UKIHMAC" ++ (cd /boot/EFI/Linux/ && sha512hmac -c "$UKIHMAC") || return 1 ++ uki_checked=1 ++ done ++ ++ if [ "$uki_checked" = 0 ]; then ++ warn "Failed for find UKI for checking" ++ return 1 ++ fi ++ return 0 ++} ++ + nonfatal_modprobe() { + modprobe "$1" 2>&1 > /dev/stdout \ + | while read -r line || [ -n "$line" ]; do +@@ -133,6 +181,9 @@ do_fips() { + elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then + # This is a boot.iso with the .hmac inside the install.img + do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1 ++ elif is_uki; then ++ # This is a UKI ++ do_uki_check || return 1 + else + BOOT_IMAGE="$(getarg BOOT_IMAGE)" + +diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh +index 91612ff3..a090bc88 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -67,7 +67,7 @@ install() { + inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" + inst_script "$moddir/fips.sh" /sbin/fips.sh + +- inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort ++ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr + + inst_simple /etc/system-fips + diff --git a/SOURCES/0077.patch b/SOURCES/0077.patch index 49f8e24..b003fd9 100644 --- a/SOURCES/0077.patch +++ b/SOURCES/0077.patch 
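Review bot: The `inst_multiple` line in 01fips/module-setup.sh now pulls `cut` and `find` into the FIPS initramfs, but nothing in the fips.sh hunk uses them — the new code only needs `cat`, `tail` and `tr` beyond what was already installed — so unless another part of the module calls them they add binaries to a minimal, integrity-sensitive image for no reason; drop them or note on the line what uses them. The warning in do_uki_check() also has a typo: `warn "Failed to find UKI for checking"` reads better than `Failed for find`. A short comment above `is_uki()` stating that the two efivars it probes are only present when booted through a systemd-stub UKI, and that `mount_boot` then trusts the stub-written `LoaderDevicePartUUID` to locate the ESP it will check, would help the next reader see the trust boundary the integrity check relies on.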
@@ -1,35 +1,52 @@ -From 16842367048d0c61e6c84f7490589b6cfb8a0ad2 Mon Sep 17 00:00:00 2001 -From: Fernando Fernandez Mancera -Date: Thu, 21 Nov 2024 00:40:27 +0100 -Subject: [PATCH] fix(35network-manager): install nft binary during module - installation +From f4cda60fd9725d5aa6dd25ee67909339d6400af8 Mon Sep 17 00:00:00 2001 +From: Adrien Thierry +Date: Mon, 13 Feb 2023 10:43:32 -0500 +Subject: [PATCH] fix(kernel-modules): use modalias info in get_dev_module() -NetworkManager has a new bonding mode called balance-slb. This mode is -used in environments where NICs are connected to switches without LACP. -In order to work, NetworkManager configures a set of nftables rules. +When calling dracut with '--hostonly-mode=strict', get_dev_module() gets +called on the system's block devices to find the required drivers. The +driver name is retrieved using udevadm. However, the driver name +returned by udevadm is not necessarily the same as the module name. +This is the case for the Qualcomm UFS driver: udevadm returns +'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is +not able to find the module afterwards. -The 'nft' binary is required to work. +To solve this, make get_dev_module() also return the module alias info +from the modalias files contained in the sysfs directories parsed by +udevadm. 
-Signed-off-by: Fernando Fernandez Mancera +Signed-off-by: Adrien Thierry -(cherry picked from commit 37317b61fda5181aeb0604381e994e8181a53200) +(cherry picked from commit 87a76dbb578aff473e690857d1b714eacd92b9ec) -Resolves: RHEL-69461 +Resolves: RHEL-55708 --- - modules.d/35network-manager/module-setup.sh | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + dracut-functions.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) -diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh -index 2c1fe718..80ca21bd 100755 ---- a/modules.d/35network-manager/module-setup.sh -+++ b/modules.d/35network-manager/module-setup.sh -@@ -32,7 +32,7 @@ install() { - inst NetworkManager - inst_multiple -o /usr/{lib,libexec}/nm-initrd-generator - inst_multiple -o /usr/{lib,libexec}/nm-daemon-helper -- inst_multiple -o teamd dhclient -+ inst_multiple -o teamd dhclient nft - inst_hook cmdline 99 "$moddir/nm-config.sh" - if dracut_module_included "systemd"; then - +diff --git a/dracut-functions.sh b/dracut-functions.sh +index 3c475ca7..f2614308 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -971,8 +971,20 @@ block_is_netdevice() { + get_dev_module() { + local dev_attr_walk + local dev_drivers ++ local dev_paths + dev_attr_walk=$(udevadm info -a "$1") + dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ ++ # also return modalias info from sysfs paths parsed by udevadm ++ dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') ++ local dev_path ++ for dev_path in $dev_paths; do ++ local modalias_file="/sys$dev_path/modalias" ++ if [ -e "$modalias_file" ]; then ++ dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")" ++ fi ++ done ++ + # if no kernel modules found and device is in a virtual subsystem, follow symlinks + if [[ -z $dev_drivers && $(udevadm info -q path "$1") == "/devices/virtual"* ]]; then + local dev_vkernel 
diff --git a/SOURCES/0078.patch b/SOURCES/0078.patch
index 1cd045f..d763e13 100644
--- a/SOURCES/0078.patch
+++ b/SOURCES/0078.patch
@@ -1,138 +1,83 @@ -From 435761690260fbec6d6e3a315d9729d3eb98b5e0 Mon Sep 17 00:00:00 2001 -From: Lichen Liu -Date: Wed, 7 Aug 2024 10:13:37 +0800 -Subject: [PATCH] feat(dracut.sh): add --add-confdir option +From f194bd6ad64f7baae1a8fded967a198b1127cb64 Mon Sep 17 00:00:00 2001 +From: Tao Liu +Date: Wed, 12 Apr 2023 23:02:25 +0800 +Subject: [PATCH] fix(dracut-functions.sh): convert mmcblk to the real kernel + module name -When generating kdump's initrd, we want to keep [omit_]dracutmodules -empty and let kdump to handle the modules. And we don't want to -affect the first kernel's initrd, so we cannot place our conf file -to /etc/dracut.conf.d or /usr/lib/dracut/dracut.conf.d. +In some x86_64 platforms such as Intel Elkhartlake, an issue of missing +necessary modules due to udevadm drivers field unmatch the real kernel module +name is found: -This patch adds a new option to allow user to add an extra configuration -directory to use *.conf files from. If the dir not exists, will look for -confdir's subdir. + $ udevadm info -a /dev/block/179:1 -After that, kdump can use "--add-confdir kdump" if -/usr/lib/dracut/dracut.conf.d/kdump exists, to apply its own dracut conf. + looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001': + KERNELS=="mmc0:0001" + SUBSYSTEMS=="mmc" + DRIVERS=="mmcblk" + .... -See also: -https://github.com/rhkdump/kdump-utils/issues/11 -https://github.com/rhkdump/kdump-utils/pull/31 +The DRIVERS field, aka mmcblk will be given to instmods to install the +corresponding mmc_block.ko kernel module. 
However mmc_block.ko cannot be +selected by string mmcblk, as a result, mmc_block.ko cannot be installed +in hostonly-mode strict, which will fail to bootup the machine such as in +kdump cases: -Suggested-by: Dave Young -Signed-off-by: Lichen Liu + $ /usr/lib/dracut/dracut-install -D /var/tmp --kerneldir /lib/modules/$(uname -r)/ -m mmcblk + dracut-install: Failed to find module 'mmcblk' -(cherry picked from commit ae81535037c42b716d8cbb9dc18942b5c6f16fed) +In this patch, we will convert the string mmcblk to mmc_block, so the +kernel module can be successfully loaded. -Resolves: RHEL-74399 +Signed-off-by: Tao Liu + +(cherry picked from commit a62e895db9510f0fc4c47ee81b1436096eca4d64) + +Resolves: RHEL-55708 --- - dracut.sh | 25 ++++++++++++++++++++++++- - man/dracut.8.asc | 8 ++++++++ - shell-completion/bash/dracut | 4 ++-- - 3 files changed, 34 insertions(+), 3 deletions(-) + dracut-functions.sh | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) -diff --git a/dracut.sh b/dracut.sh -index 778eefd7..7e4b0602 100755 ---- a/dracut.sh -+++ b/dracut.sh -@@ -156,6 +156,9 @@ Creates initial ramdisk images for preloading modules - Default: /etc/dracut.conf - --confdir [DIR] Specify configuration directory to use *.conf files - from. Default: /etc/dracut.conf.d -+ --add-confdir [DIR] Add an extra configuration directory to use *.conf -+ files from. If the directory is not existed, will -+ look for subdirectory under confdir. - --tmpdir [DIR] Temporary directory to be used instead of default - ${TMPDIR:-/var/tmp}. - -r, --sysroot [DIR] Specify sysroot directory to collect files from. 
-@@ -400,6 +403,7 @@ rearrange_params() { - --long kmoddir: \ - --long conf: \ - --long confdir: \ -+ --long add-confdir: \ - --long tmpdir: \ - --long sysroot: \ - --long stdlog: \ -@@ -676,6 +680,11 @@ while :; do - PARMS_TO_STORE+=" '$2'" - shift - ;; -+ --add-confdir) -+ add_confdir="$2" -+ PARMS_TO_STORE+=" '$2'" -+ shift -+ ;; - --tmpdir) - tmpdir_l="$2" - PARMS_TO_STORE+=" '$2'" -@@ -931,6 +940,20 @@ elif [[ ! -d $confdir ]]; then - exit 1 - fi +diff --git a/dracut-functions.sh b/dracut-functions.sh +index f2614308..2e582ebc 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -967,13 +967,30 @@ block_is_netdevice() { + block_is_nbd "$1" || block_is_iscsi "$1" || block_is_fcoe "$1" + } -+if [[ -n $add_confdir ]]; then -+ if [[ -d $add_confdir ]]; then -+ : -+ # Check if it exists under $confdir. -+ elif [[ -d $confdir/$add_confdir ]]; then -+ add_confdir="$confdir/$add_confdir" -+ elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then -+ add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" -+ else -+ printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." 
>&2 -+ exit 1 -+ fi -+fi ++# convert the driver name given by udevadm to the corresponding kernel module name ++get_module_name() { ++ local dev_driver ++ while read -r dev_driver; do ++ case "$dev_driver" in ++ mmcblk) ++ echo "mmc_block" ++ ;; ++ *) ++ echo "$dev_driver" ++ ;; ++ esac ++ done ++} + - # source our config file - if [[ -f $conffile ]]; then - check_conf_file "$conffile" -@@ -939,7 +962,7 @@ if [[ -f $conffile ]]; then - fi + # get the corresponding kernel modules of a /sys/class/*/* or/dev/* device + get_dev_module() { + local dev_attr_walk + local dev_drivers + local dev_paths + dev_attr_walk=$(udevadm info -a "$1") +- dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ dev_drivers=$(echo "$dev_attr_walk" \ ++ | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name) - # source our config dir --for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do -+for f in $(dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"); do - check_conf_file "$f" - # shellcheck disable=SC1090 - [[ -e $f ]] && . "$f" -diff --git a/man/dracut.8.asc b/man/dracut.8.asc -index 8339e8a9..15ae36e6 100644 ---- a/man/dracut.8.asc -+++ b/man/dracut.8.asc -@@ -311,6 +311,14 @@ Default: - Default: - _/etc/dracut.conf.d_ - -+**--add-confdir** __:: -+ Add an extra configuration directory to use *.conf files from. If the -+ directory is not existed, will look for subdirectory under confdir. -++ -+Default: -+ _empty_ -+ -+ - **--tmpdir** __:: - Specify temporary directory to use. 
- + -diff --git a/shell-completion/bash/dracut b/shell-completion/bash/dracut -index 9b51db01..bc14aa9a 100644 ---- a/shell-completion/bash/dracut -+++ b/shell-completion/bash/dracut -@@ -46,14 +46,14 @@ _dracut() { - --kernel-cmdline --sshkey --persistent-policy --install-optional - --loginstall --uefi-stub --kernel-image --squash-compressor - --sysroot --hostonly-mode --hostonly-nics --include --logfile -- --uefi-splash-image --sbat -+ --uefi-splash-image --sbat --add-confdir - ' - ) - - # shellcheck disable=SC2086 - if __contains_word "$prev" ${OPTS[ARG]}; then - case $prev in -- --kmoddir | -k | --fwdir | --confdir | --tmpdir | -r | --sysroot) -+ --kmoddir | -k | --fwdir | --confdir | --add-confdir | --tmpdir | -r | --sysroot) - comps=$(compgen -d -- "$cur") - compopt -o filenames - ;; - + # also return modalias info from sysfs paths parsed by udevadm + dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') +@@ -1001,6 +1018,7 @@ get_dev_module() { + [[ -n $dev_drivers && ${dev_drivers: -1} != $'\n' ]] && dev_drivers+=$'\n' + dev_drivers+=$(udevadm info -a "$dev_vpath/$dev_link" \ + | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name \ + | grep -v -e pcieport) + done + fi diff --git a/SOURCES/0079.patch b/SOURCES/0079.patch index 8fd09d4..78449da 100644 --- a/SOURCES/0079.patch +++ b/SOURCES/0079.patch 
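Review bot: The one-line comment above the new `get_module_name` says what it does but not why the single `mmcblk` → `mmc_block` rewrite exists, which is the non-obvious part for the next maintainer. Suggest replacing it with `# udevadm reports the driver name (DRIVERS==), which for mmcblk differs from the module file name mmc_block.ko that instmods looks up; further driver/module aliases belong here`. The mapping is applied at both DRIVERS extraction points in get_dev_module, whose body continues outside the hunk, so any later alias only needs adding to the one case statement.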
@@ -1,27 +1,34 @@
-From 7a6b1ee67d25cd9c3c071387b8adf1d3dd6e3fcd Mon Sep 17 00:00:00 2001
-From: Jo Zzsi
-Date: Wed, 11 Sep 2024 16:57:13 -0400
-Subject: [PATCH] fix: typo in variable name
+From a5b07e49259b201374124ba1e23b931da6e741e0 Mon Sep 17 00:00:00 2001
+From: packit-public-repos-bot
+ <125959684+packit-public-repos-bot@users.noreply.github.com>
+Date: Wed, 11 Dec 2024 11:47:15 +0100
+Subject: [PATCH] Fix configuration for Packit 1.0.0
-(cherry picked from commit 76b2f1a9b52afd4203c1d0e6afb57314bbfe8407)
+This commit fixes the configuration for the forthcoming Packit 1.0.0.
+See [our blog post](https://packit.dev/posts/packit_1_0_0_action_required) for more details.
+ - Job type `build` has been changed to `copr_build`.
+ - Job type `production_build` has been changed to `upstream_koji_build`.
+ - Key `upstream_project_name` has been changed to `upstream_package_name`.
+ - Key `synced_files` has been changed to `files_to_sync`.
-Resolves: RHEL-74399
+Please review and merge me before January 2025 otherwise packit-service jobs will fail because of an invalid configuration.
+
+Resolves: RHEL-65249
 ---
- dracut.sh | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+ .packit.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 86ba83d2..1439a44e 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -7,7 +7,7 @@
+ # Docs: https://packit.dev/docs/
+
+ specfile_path: pkgbuild/dracut.spec
+-synced_files:
++files_to_sync:
+ - .packit.yaml
+ upstream_package_name: dracut
+ downstream_package_name: dracut
-diff --git a/dracut.sh b/dracut.sh
-index 7e4b0602..f748a073 100755
---- a/dracut.sh
-+++ b/dracut.sh
-@@ -946,8 +946,8 @@ if [[ -n $add_confdir ]]; then
- # Check if it exists under $confdir.
- elif [[ -d $confdir/$add_confdir ]]; then
- add_confdir="$confdir/$add_confdir"
-- elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then
-- add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir"
-+ elif [[ -d $dracutbasedir/dracut.conf.d/$add_confdir ]]; then
-+ add_confdir="$dracutbasedir/dracut.conf.d/$add_confdir"
- else
- printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2
- exit 1
diff --git a/SOURCES/0080.patch b/SOURCES/0080.patch
new file mode 100644
index 0000000..6a575ad
--- /dev/null
+++ b/SOURCES/0080.patch
@@ -0,0 +1,24 @@
+From 78f56fa46b05409fb49f9c5ba776783aabb89d15 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Thu, 30 Jan 2025 12:43:01 +0100
+Subject: [PATCH] test: fix url for btrfs-progs
+
+Resolves: RHEL-65249
+---
+ test/container/Dockerfile-CentOS-9-Stream | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream
+index 26d308d2..3f0cdf6c 100644
+--- a/test/container/Dockerfile-CentOS-9-Stream
++++ b/test/container/Dockerfile-CentOS-9-Stream
+@@ -11,7 +11,7 @@ RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)'
+ # FIXME: add dmraid, scsi-target-utils (e.g. from COPR)
+ RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \
+ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \
+- https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \
++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.12-3.el9.x86_64.rpm \
+ qemu-kvm \
+ NetworkManager \
+ asciidoc \
+
diff --git a/SOURCES/0081.patch b/SOURCES/0081.patch
new file mode 100644
index 0000000..869f32b
--- /dev/null
+++ b/SOURCES/0081.patch
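Review bot: The bumped `btrfs-progs` URL (like the `dash` URL in the context line above it) is installed straight from a remote RPM, and `dnf` does not GPG-verify packages given as files or URLs unless `localpkg_gpgcheck` is enabled, so the build's integrity rests only on the TLS connection to the mirror. Consider `RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False --setopt=localpkg_gpgcheck=1 \` with the EPEL signing key imported beforehand (not shown in this Dockerfile), or installing these two packages from the EPEL repository rather than raw URLs so repository gpgcheck applies. The enclosing `RUN` instruction continues outside the hunk.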
@@ -0,0 +1,32 @@
+From 4c327d4d5f3dd08bce7a704e2e4e45e2a838dc93 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 17 Feb 2025 02:50:26 +0100
+Subject: [PATCH] fix(35network-manager): remove duplicate installkernel
+ function
+
+Issue introduced in commit: 0a264651d148b543c0c5d6b0a07909cdcb1abfba
+
+Resolves: RHEL-64754
+
+rhel-only
+---
+ modules.d/35network-manager/module-setup.sh | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh
+index 4fd3d051..80ca21bd 100755
+--- a/modules.d/35network-manager/module-setup.sh
++++ b/modules.d/35network-manager/module-setup.sh
+@@ -14,11 +14,6 @@ depends() {
+ return 0
+ }
+
+-# called by dracut
+-installkernel() {
+- return 0
+-}
+-
+ # called by dracut
+ installkernel() {
+ instmods nf_tables nfnetlink nft_fwd_netdev
+
diff --git a/SOURCES/0082.patch b/SOURCES/0082.patch
new file mode 100644
index 0000000..4620410
--- /dev/null
+++ b/SOURCES/0082.patch
@@ -0,0 +1,28 @@
+From 31a612d5a1cc8c2f0fcc7db82a6f8c9106c8bb63 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 17 Feb 2025 09:15:11 +0100
+Subject: [PATCH] ci: bump actions/upload-artifact version to v4
+
+as v3 is deprecated.
+
+https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
+
+rhel-only
+---
+ .github/workflows/gather-metadata.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/gather-metadata.yml b/.github/workflows/gather-metadata.yml
+index e4cbc486..d11c90d1 100644
+--- a/.github/workflows/gather-metadata.yml
++++ b/.github/workflows/gather-metadata.yml
+@@ -22,7 +22,7 @@ jobs:
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
+
+ - name: Upload artifact with gathered metadata
+- uses: actions/upload-artifact@v3
++ uses: actions/upload-artifact@v4
+ with:
+ name: pr-metadata
+ path: ${{ steps.Metadata.outputs.metadata-file }}
+
diff --git a/SOURCES/0083.patch b/SOURCES/0083.patch
new file mode 100644
index 0000000..c9a446d
--- /dev/null
+++ b/SOURCES/0083.patch
@@ -0,0 +1,26 @@
+From 379b1eafcfb6b4e34b6689bc8f8eab5ecb27aac7 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 19 Aug 2024 09:41:27 +0200
+Subject: [PATCH] feat(fips): include fips module unconditionally
+
+rhel-only
+
+Resolves: RHEL-53364
+---
+ modules.d/01fips/module-setup.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index a090bc88..91bbe785 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -2,7 +2,7 @@
+
+ # called by dracut
+ check() {
+- return 255
++ return 0
+ }
+
+ # called by dracut
+
diff --git a/SOURCES/0084.patch b/SOURCES/0084.patch
new file mode 100644
index 0000000..3d9f404
--- /dev/null
+++ b/SOURCES/0084.patch
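Review bot: `check()` now returns 0 unconditionally, so the fips module is pulled into every image including host-only builds on systems where FIPS is not configured, and neither the commit message nor the function says why. The module's `install()` (visible in patch 0085 later in this diff) calls `inst_multiple sha512hmac rmmod insmod ...` without `-o`, so a build host lacking `sha512hmac` or `/etc/system-fips` would presumably now fail where the module was previously skipped — worth confirming against dracut's inst_multiple failure handling. A one-line comment above `check()` would capture the intent, e.g. `# rhel-only (RHEL-53364): always included; the build host's own FIPS state does not decide whether the image needs this module`.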
@@ -0,0 +1,51 @@
+From acbb003a63809ed870598eee7171a5c188e80113 Mon Sep 17 00:00:00 2001
+From: Laszlo Gombos
+Date: Wed, 24 Aug 2022 19:16:26 +0000
+Subject: [PATCH] fix(dracut.sh): make omit-drivers option do exact match for
+ names
+
+Modify the basic test case to use --omit-drivers and make it fail
+without the PR and make it pass with the PR.
+
+The test would fail with the following error without the PR:
+FATAL: iscsiroot requested but kernel/initrd does not support iscsi
+
+(cherry picked from commit a7f5cdbccbbd4d8c406ea7c4b3e6f25cd747e648)
+
+Resolves: RHEL-57094
+---
+ dracut.sh | 2 +-
+ test/TEST-01-BASIC/test.sh | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index f748a073..dcdeaf5f 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1379,7 +1379,7 @@ omit_drivers_corrected=""
+ for d in $omit_drivers; do
+ [[ " $drivers $add_drivers " == *\ $d\ * ]] && continue
+ [[ " $drivers $force_drivers " == *\ $d\ * ]] && continue
+- omit_drivers_corrected+="$d|"
++ omit_drivers_corrected+="^$d$|"
+ done
+ omit_drivers="${omit_drivers_corrected%|}"
+ unset omit_drivers_corrected
+diff --git a/test/TEST-01-BASIC/test.sh b/test/TEST-01-BASIC/test.sh
+index 9f98af2c..877f6534 100755
+--- a/test/TEST-01-BASIC/test.sh
++++ b/test/TEST-01-BASIC/test.sh
+@@ -110,9 +110,12 @@ test_setup() {
+ inst_hook shutdown-emergency 000 ./hard-off.sh
+ inst_hook emergency 000 ./hard-off.sh
+ )
++
++ # make sure --omit-drivers does not filter out drivers using regexp to test for an earlier regression (assuming there is no one letter linux kernel module needed to run the test)
+ "$basedir"/dracut.sh -l -i "$TESTDIR"/overlay / \
+ -a "debug watchdog" \
+ -d "piix ide-gd_mod ata_piix ext3 sd_mod i6300esb ib700wdt" \
++ --omit-drivers 'a b c d e f g h i j k l m n o p q r s t u v w x y z' \
+ --no-hostonly-cmdline -N \
+ -f "$TESTDIR"/initramfs.testing "$KVERSION" || return 1
+ }
+
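Review bot: `^$d$|` anchors the match but still interpolates `$d` unescaped into the pattern, so an `omit_drivers` entry containing `.` or `+` is matched as a regex rather than as a literal module name; if exact matching is the intent, escape at least the dot, `omit_drivers_corrected+="^${d//./\\.}$|"`. How the joined `omit_drivers` pattern is consumed is outside this hunk, so that consumer is where to confirm whether regex metacharacters are ever expected in user input. Separately, the new comment in test.sh is one very long line; wrapping it to the file's usual width would keep it readable without changing its content.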
diff --git a/SOURCES/0085.patch b/SOURCES/0085.patch
new file mode 100644
index 0000000..5bc55a6
--- /dev/null
+++ b/SOURCES/0085.patch
@@ -0,0 +1,1079 @@ +From ecb3af0fddfcfe91d8ba8edd6d9fe9c4b1704842 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Mon, 20 Jan 2025 14:16:38 +0100 +Subject: [PATCH] feat: add openssl module + + + fix(openssl): harden ossl build CFLAGS + + + fix(ossl): copy executables for the test suite + + + and also fix CFLAGS in case of std=c99. + +Resolves: RHEL-79815 + +rhel-only +--- + Makefile | 25 +- + modules.d/01fips/module-setup.sh | 16 +- + modules.d/99openssl/module-setup.sh | 31 +++ + modules.d/99openssl/openssl-check.sh | 29 +++ + pkgbuild/dracut.spec | 4 + + src/ossl/Makefile | 35 +++ + src/ossl/src/ossl-config.c | 144 +++++++++++ + src/ossl/src/ossl-files.c | 280 +++++++++++++++++++++ + src/ossl/tests/config/escapes.cnf | 11 + + src/ossl/tests/config/escapes.cnf.expected | 12 + + src/ossl/tests/config/included-file.noncnf | 2 + + src/ossl/tests/config/includes.1.d/includes1.cnf | 2 + + src/ossl/tests/config/includes.1.d/includes1.conf | 2 + + src/ossl/tests/config/includes.1.d/nonconf.bak | 2 + + src/ossl/tests/config/includes.2.d/main.cnf | 4 + + .../config/includes.2.d/subincludes.d/subconf.cnf | 2 + + src/ossl/tests/config/includes.cnf | 6 + + src/ossl/tests/config/includes.cnf.expected | 12 + + .../config/leading-and-trailing-whitespace.cnf | 6 + + .../leading-and-trailing-whitespace.cnf.expected | 7 + + src/ossl/tests/config/order.cnf | 21 ++ + src/ossl/tests/config/order.cnf.expected | 16 ++ + src/ossl/tests/config/variables.cnf | 33 +++ + src/ossl/tests/config/variables.cnf.expected | 27 ++ + src/ossl/tests/files/engines.cnf | 22 ++ + src/ossl/tests/files/engines.cnf.expected | 4 + + src/ossl/tests/files/providers.cnf | 31 +++ + src/ossl/tests/files/providers.cnf.expected | 4 + + test/container/Dockerfile-CentOS-9-Stream | 1 + + 29 files changed, 772 insertions(+), 19 deletions(-) + +diff --git a/Makefile b/Makefile +index 97e189b4..bc26d7c7 100644 +--- a/Makefile ++++ b/Makefile +@@ -51,7 +51,7 @@ manpages = $(man1pages) $(man5pages) $(man7pages) 
$(man8pages) + + .PHONY: install clean archive rpm srpm testimage test all check AUTHORS CONTRIBUTORS doc dracut-version.sh + +-all: dracut-version.sh dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ++all: dracut-version.sh dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ossl-config ossl-files + + %.o : %.c + $(CC) -c $(CFLAGS) $(CPPFLAGS) $(KMOD_CFLAGS) $< -o $@ +@@ -92,6 +92,15 @@ util/util: $(UTIL_OBJECTS) + dracut-util: src/util/util + cp -a $< $@ + ++ossl: ++ $(MAKE) -C src/ossl ++ ++ossl-config: ossl ++ cp -a src/ossl/src/ossl-config $@ ++ ++ossl-files: ossl ++ cp -a src/ossl/src/ossl-files $@ ++ + .PHONY: indent-c + indent-c: + astyle -n --quiet --options=.astylerc $(wildcard *.[ch] */*.[ch] src/*/*.[ch]) +@@ -198,15 +207,21 @@ endif + $(DESTDIR)$(systemdsystemunitdir)/initrd.target.wants/$$i; \ + done \ + fi +- if [ -f src/install/dracut-install ]; then \ ++ if [ -r src/install/dracut-install ]; then \ + install -m 0755 src/install/dracut-install $(DESTDIR)$(pkglibdir)/dracut-install; \ + fi +- if [ -f src/skipcpio/skipcpio ]; then \ ++ if [ -r src/skipcpio/skipcpio ]; then \ + install -m 0755 src/skipcpio/skipcpio $(DESTDIR)$(pkglibdir)/skipcpio; \ + fi +- if [ -f dracut-util ]; then \ ++ if [ -r dracut-util ]; then \ + install -m 0755 dracut-util $(DESTDIR)$(pkglibdir)/dracut-util; \ + fi ++ if [ -r ossl-config ]; then \ ++ install -m 0755 ossl-config $(DESTDIR)$(pkglibdir)/ossl-config; \ ++ fi ++ if [ -r ossl-files ]; then \ ++ install -m 0755 ossl-files $(DESTDIR)$(pkglibdir)/ossl-files; \ ++ fi + ifeq ($(enable_dracut_cpio),yes) + install -m 0755 dracut-cpio $(DESTDIR)$(pkglibdir)/dracut-cpio + endif +@@ -237,7 +252,9 @@ clean: + $(RM) $(manpages) dracut.html + $(RM) dracut.pc + $(RM) dracut-cpio src/dracut-cpio/target/release/dracut-cpio* ++ $(RM) ossl-files ossl-config + $(MAKE) -C test clean ++ $(MAKE) -C src/ossl clean + + dist: dracut-$(DRACUT_MAIN_VERSION).tar.xz + +diff --git a/modules.d/01fips/module-setup.sh 
b/modules.d/01fips/module-setup.sh +index 91bbe785..0b6d3a27 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -5,9 +5,8 @@ check() { + return 0 + } + +-# called by dracut + depends() { +- return 0 ++ echo openssl + } + + # called by dracut +@@ -70,17 +69,4 @@ install() { + inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr + + inst_simple /etc/system-fips +- +- # if we have openssl we need to install their fips library and configuration +- [ -x /usr/bin/openssl ] && { +- read -r _ conf < <(openssl version -d) +- conf=${conf#\"} +- conf=${conf%\"} +- inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf" +- +- read -r _ mod < <(openssl version -m) +- mod=${mod#\"} +- mod=${mod%\"} +- inst_simple "$mod/fips.so" +- } + } +diff --git a/modules.d/99openssl/module-setup.sh b/modules.d/99openssl/module-setup.sh +new file mode 100755 +index 00000000..8614f254 +--- /dev/null ++++ b/modules.d/99openssl/module-setup.sh +@@ -0,0 +1,31 @@ ++#!/bin/bash ++ ++check() { ++ return 255 ++} ++ ++install() { ++ ++ local ossl_files openssl_cnf initrd_openssl_cnf ++ ++ ossl_files="${dracutbasedir}/ossl-files" ++ ++ openssl_cnf="$($ossl_files --config)" ++ ++ initrd_openssl_cnf="${initdir}/${openssl_cnf}" ++ ++ if [[ ! -r $openssl_cnf ]]; then ++ dfatal "'$ossl_files --config' does not return a path!!" 
++ exit 1 ++ fi ++ ++ # ossl-files gives us one line per file ++ # shellcheck disable=SC2046 ++ inst_multiple -o \ ++ /etc/crypto-policies/back-ends/opensslcnf.config \ ++ $($ossl_files --engines --providers) ++ ++ mkdir -p "${initrd_openssl_cnf%/*}" ++ ++ "${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}" ++} +diff --git a/modules.d/99openssl/openssl-check.sh b/modules.d/99openssl/openssl-check.sh +new file mode 100755 +index 00000000..67951f45 +--- /dev/null ++++ b/modules.d/99openssl/openssl-check.sh +@@ -0,0 +1,29 @@ ++#!/bin/sh ++ ++eok() { ++ ++ { ++ [ "$1" -eq 0 ] && echo OK || echo FAIL ++ ++ echo ++ ++ } 2> /dev/null ++} ++ ++echo ++ ++set -x ++ ++openssl list -providers ++ ++eok "$?" ++ ++#openssl s_client -connect “$dns_server_ip:$dns_server_port” -servername “$dns_server_name” $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ + %{dracutlibdir}/dracut-initramfs-restore + %{dracutlibdir}/dracut-install + %{dracutlibdir}/dracut-util ++%{dracutlibdir}/ossl-config ++%{dracutlibdir}/ossl-files + %{dracutlibdir}/skipcpio + %config(noreplace) %{_sysconfdir}/dracut.conf + %if 0%{?fedora} || 0%{?suse_version} || 0%{?rhel} +@@ -402,6 +405,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ + %{dracutlibdir}/modules.d/99base + %{dracutlibdir}/modules.d/99memstrack + %{dracutlibdir}/modules.d/99fs-lib ++%{dracutlibdir}/modules.d/99openssl + %{dracutlibdir}/modules.d/99shutdown + %attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log + %dir %{_sharedstatedir}/initramfs +diff --git a/src/ossl/Makefile b/src/ossl/Makefile +new file mode 100644 +index 00000000..43e7b464 +--- /dev/null ++++ b/src/ossl/Makefile +@@ -0,0 +1,35 @@ ++.PHONY: all clean tests ++ ++CFLAGS ?= -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 ++CRYPTO_FLAGS = -lcrypto -Wl,-pie -Wl,-z,now -fPIE ++TARGETS = src/ossl-config src/ossl-files ++ ++TESTS_CONFIG = $(wildcard tests/config/*.cnf) ++TESTS_FILES = $(wildcard 
tests/files/*.cnf) ++ ++all: $(TARGETS) ++ ++clean: ++ $(RM) $(TARGETS) ++ $(RM) tests/config/*.1 tests/config/*.2 ++ $(RM) tests/files/*.1 ++ ++%: %.c ++ $(CC) $(CFLAGS) $(CRYPTO_FLAGS) -o $@ $< ++ ++test: $(TARGETS) ++ @for TEST in $(TESTS_CONFIG); do \ ++ echo "Test $$TEST..."; \ ++ OPENSSL_CONF="$$TEST" src/ossl-config >"$$TEST.1" && \ ++ OPENSSL_CONF="$$TEST.1" src/ossl-config >"$$TEST.2" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ diff -u <(sed 1d "$$TEST.1") <(sed 1d "$$TEST.2") && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done ++ ++ @for TEST in $(TESTS_FILES); do \ ++ echo "Test $$TEST..."; \ ++ OPENSSL_CONF="$$TEST" src/ossl-files --engines --providers >"$$TEST.1" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done +diff --git a/src/ossl/src/ossl-config.c b/src/ossl/src/ossl-config.c +new file mode 100644 +index 00000000..4324341c +--- /dev/null ++++ b/src/ossl/src/ossl-config.c +@@ -0,0 +1,144 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-config ossl-config.c -lcrypto ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 202311L ++# define FALLTHROUGH [[fallthrough]] ++#elif (defined(__GNUC__) && __GNUC__ >= 7) || (defined(__clang__) && __clang_major__ >= 12) ++# define FALLTHROUGH __attribute__((fallthrough)) ++#else ++# define FALLTHROUGH ((void) 0) ++#endif ++ ++#define cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++cleanupfunc(ossl_sk_cstring_t, sk_OPENSSL_CSTRING_free) ++ ++/** ++ * Print the given value to stdout escaped for the OpenSSL configuration file ++ * format. 
++ */ ++static void print_escaped_value(const char *value) { ++ for (const char *p = value; *p; p++) { ++ switch (*p) { ++ case '"': ++ case '\'': ++ case '#': ++ case '\\': ++ case '$': ++ putchar('\\'); ++ putchar(*p); ++ break; ++ case '\n': ++ fputs("\\n", stdout); ++ break; ++ case '\r': ++ fputs("\\r", stdout); ++ break; ++ case '\b': ++ fputs("\\b", stdout); ++ break; ++ case '\t': ++ fputs("\\t", stdout); ++ break; ++ case ' ': ++ if (p == value || p[1] == '\0') { ++ /* Quote spaces if they are the first or last char of the ++ * value. We could quote the entire string (and it would ++ * certainly produce nicer output), but in quoted strings ++ * the escape sequences for \n, \r, \t, and \b do not work. ++ * To make sure we're producing correct results we'd thus ++ * have to selectively not use those in quoted strings and ++ * close and re-open the quotes if they appear, which is ++ * more trouble than adding the quotes just around the ++ * first and last leading and trailing space. */ ++ fputs("\" \"", stdout); ++ break; ++ } ++ FALLTHROUGH; ++ default: ++ putchar(*p); ++ break; ++ } ++ } ++} ++ ++/** ++ * Print all values in in the configuration section identified by section_name to stdout. ++ */ ++static void print_section(const CONF *cnf, OPENSSL_CSTRING section_name) { ++ STACK_OF(CONF_VALUE) *values = NCONF_get_section(cnf, section_name); ++ for (int idx = 0; idx < sk_CONF_VALUE_num(values); idx++) { ++ CONF_VALUE *value = sk_CONF_VALUE_value(values, idx); ++ printf("%s = ", value->name); ++ print_escaped_value(value->value); ++ putchar('\n'); ++ } ++} ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. 
++ */ ++int main(int argc, char *argv[]) { ++ char *configfile cleanup(char) = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, "Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ STACK_OF(OPENSSL_CSTRING) *sections cleanup(ossl_sk_cstring_t) = NCONF_get_section_names(cnf); ++ if (sections == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ printf("# This configuration file was linarized and expanded from %s\n", configfile); ++ ++ int default_section_idx = sk_OPENSSL_CSTRING_find(sections, "default"); ++ if (default_section_idx != -1) { ++ print_section(cnf, "default"); ++ } ++ for (int idx = 0; idx < sk_OPENSSL_CSTRING_num(sections); idx++) { ++ if (idx == default_section_idx) { ++ continue; ++ } ++ OPENSSL_CSTRING section_name = sk_OPENSSL_CSTRING_value(sections, idx); ++ printf("\n[%s]\n", section_name); ++ print_section(cnf, section_name); ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/src/ossl-files.c b/src/ossl/src/ossl-files.c +new file mode 100644 +index 00000000..4f252800 +--- /dev/null ++++ b/src/ossl/src/ossl-files.c +@@ -0,0 +1,280 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-files ossl-files.c -lcrypto ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#define cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, 
OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++ ++typedef enum flag { ++ CONFIG_FILE = 1, ++ ENGINES, ++ PROVIDERS, ++ PKCS11_MODULES, ++} flag_t; ++ ++static const OPENSSL_CSTRING get_option(STACK_OF(CONF_VALUE) *section, const OPENSSL_CSTRING name) { ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(section); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(section, idx); ++ if (strcmp(name, value->name) == 0) { ++ return value->value; ++ } ++ } ++ ++ return NULL; ++} ++ ++/** ++ * Locate a section in the OpenSSL configuration file given its path ++ * components, separated by dots. ++ * ++ * Returns the STACK_OF(CONF_VALUE) that represents the section, if it exists ++ * and NULL otherwise. ++ */ ++static STACK_OF(CONF_VALUE) *locate_section(const CONF* cnf, const OPENSSL_CSTRING path) { ++ STACK_OF(CONF_VALUE) *sect = NCONF_get_section(cnf, "default"); ++ if (sect == NULL) ++ return NULL; ++ ++ char *pathbuf cleanup(char) = OPENSSL_strdup(path); ++ char *curpath = pathbuf; ++ while (curpath) { ++ char *split = strchr(curpath, '.'); ++ char *nextpath = NULL; ++ ++ if (split != NULL) { ++ *split = '\0'; ++ nextpath = split + 1; ++ } ++ ++ const OPENSSL_CSTRING next_section_name = get_option(sect, curpath); ++ if (next_section_name == NULL) ++ return NULL; ++ ++ sect = NCONF_get_section(cnf, next_section_name); ++ if (sect == NULL) ++ return NULL; ++ ++ curpath = nextpath; ++ } ++ ++ return sect; ++} ++ ++static void list_providers(const CONF *cnf) { ++ const char *modulesdir = OPENSSL_info(OPENSSL_INFO_MODULES_DIR); ++ ++ { ++ struct stat st; ++ size_t pathlen = strlen(modulesdir) + 1 /* "/" */ + strlen("fips.so") + 1; ++ char pathbuf[pathlen]; ++ ++ snprintf(pathbuf, pathlen, "%s/fips.so", modulesdir); ++ pathbuf[pathlen - 1] = '\0'; ++ ++ if (stat(pathbuf, &st) == 0) { ++ /* Print the path to the FIPS provider if it exists on disk, ++ * regardless of whether it is enabled or not. 
This is because some ++ * distributions (like Fedora and RHEL) auto-enable the FIPS ++ * provider if the kernel command line contains fips=1. */ ++ puts(pathbuf); ++ } ++ } ++ ++ STACK_OF(CONF_VALUE) *providers_sect = locate_section(cnf, "openssl_conf.providers"); ++ if (providers_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(providers_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(providers_sect, idx); ++ /* The section name in the providers section is typically the basename ++ * of the loadable module, unless the section for this provider ++ * contains a 'module' option. */ ++ const OPENSSL_CSTRING provider_name = value->name; ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ if (strcmp(provider_name, "default") == 0 ++ || strcmp(provider_name, "base") == 0 ++ || strcmp(provider_name, "fips") == 0) { ++ /* This is either a builtin provider, which does not exist on disk, ++ * or it was handled earlier. */ ++ continue; ++ } ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } else { ++ OPENSSL_CSTRING module_path = get_option(section, "module"); ++ if (module_path) { ++ if (*module_path == '/') { ++ puts(module_path); ++ } else { ++ printf("%s/%s\n", modulesdir, module_path); ++ } ++ } else { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } ++ } ++ } ++} ++ ++static void list_engines(const CONF *cnf) { ++ const char *enginesdir = OPENSSL_info(OPENSSL_INFO_ENGINES_DIR); ++ ++ STACK_OF(CONF_VALUE) *engines_sect = locate_section(cnf, "openssl_conf.engines"); ++ if (engines_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(engines_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(engines_sect, idx); ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) ++ 
continue; ++ OPENSSL_CSTRING dynamic_path = get_option(section, "dynamic_path"); ++ if (dynamic_path == NULL) ++ continue; ++ ++ if (*dynamic_path == '/') { ++ puts(dynamic_path); ++ } else { ++ printf("%s/%s\n", enginesdir, dynamic_path); ++ } ++ } ++} ++ ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. ++ */ ++int main(int argc, char *argv[]) { ++ struct option long_options[] = { ++ {"config", no_argument, NULL, CONFIG_FILE}, ++ {"engines", no_argument, NULL, ENGINES}, ++ {"providers", no_argument, NULL, PROVIDERS}, ++ {"help", no_argument, NULL, 'h'}, ++ {NULL, 0, NULL, 0}, ++ }; ++ int chosen_options[sizeof(long_options) / sizeof(*long_options) - 2] = {0}; ++ ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ long_options[idx].flag = &chosen_options[idx]; ++ } ++ ++ int c; ++ char *configfile cleanup(char) = NULL; ++ while (1) { ++ c = getopt_long(argc, argv, "", long_options, NULL); ++ switch (c) { ++ case -1: ++ // end of options ++ goto options_parsed; ++ break; ++ case 0: ++ /* option detected, we use flags to react, so no need for ++ * custom code here. 
*/ ++ break; ++ case 'h': ++ // --help output requested ++ fprintf(stderr, "Usage: %s OPTIONS\n\n", argv[0]); ++ fputs( ++ "OPTIONS are:\n" ++ " --config\n" ++ " Print the path of the OpenSSL configuration file on\n" ++ " this system\n" ++ " --engines\n" ++ " Print the path of any OpenSSL ENGINEs configured in\n" ++ " the configuration file\n" ++ " --providers\n" ++ " Print the path of any OpenSSL providers configured in\n" ++ " the configuration file\n" ++ " --help\n" ++ " Print this help output\n", ++ stderr ++ ); ++ return EXIT_FAILURE; ++ break; ++ case '?': ++ case ':': ++ // error, getopt(3) already printed a message ++ return EXIT_FAILURE; ++ break; ++ default: ++ fprintf(stderr, "getopt(3) returned unexpected character code 0%o\n", c); ++ return EXIT_FAILURE; ++ break; ++ } ++ } ++options_parsed: ++ ++ configfile = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, "Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ bool any_chosen = false; ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ if (chosen_options[idx] != 0) { ++ any_chosen = true; ++ } ++ switch (chosen_options[idx]) { ++ case CONFIG_FILE: ++ puts(configfile); ++ break; ++ case ENGINES: ++ list_engines(cnf); ++ break; ++ case PROVIDERS: ++ list_providers(cnf); ++ break; ++ case PKCS11_MODULES: ++ break; ++ } ++ } ++ ++ if (!any_chosen) { ++ fprintf(stderr, "No options were provided, so no output was produced. 
See --help for instructions.\n"); ++ return EXIT_FAILURE; ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/tests/config/escapes.cnf b/src/ossl/tests/config/escapes.cnf +new file mode 100644 +index 00000000..9fe2fbc8 +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf +@@ -0,0 +1,11 @@ ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = "/C=FI/O=Insta # Demo/CN=Insta Demo CA" ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA ++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA ++5.recipient = "/C=FI/O=Insta ' Demo/CN=Insta Demo CA" ++6.recipient = '/C=FI/O=Insta " Demo/CN=Insta Demo CA' ++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA +diff --git a/src/ossl/tests/config/escapes.cnf.expected b/src/ossl/tests/config/escapes.cnf.expected +new file mode 100644 +index 00000000..eff959fc +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf.expected +@@ -0,0 +1,12 @@ ++# This configuration file was linarized and expanded from tests/config/escapes.cnf ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = /C=FI/O=Insta \# Demo/CN=Insta Demo CA ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA ++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA ++5.recipient = /C=FI/O=Insta \' Demo/CN=Insta Demo CA ++6.recipient = /C=FI/O=Insta \" Demo/CN=Insta Demo CA ++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA +diff --git a/src/ossl/tests/config/included-file.noncnf b/src/ossl/tests/config/included-file.noncnf +new file mode 100644 +index 00000000..51089f51 +--- /dev/null ++++ b/src/ossl/tests/config/included-file.noncnf +@@ -0,0 +1,2 @@ ++[included-file] ++present = true +diff --git a/src/ossl/tests/config/includes.1.d/includes1.cnf b/src/ossl/tests/config/includes.1.d/includes1.cnf +new file mode 100644 +index 
00000000..44c17ecd +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/includes1.cnf +@@ -0,0 +1,2 @@ ++[includes1] ++cnf-file = present +diff --git a/src/ossl/tests/config/includes.1.d/includes1.conf b/src/ossl/tests/config/includes.1.d/includes1.conf +new file mode 100644 +index 00000000..c6e3c0c6 +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/includes1.conf +@@ -0,0 +1,2 @@ ++[includes1] ++conf-file = present +diff --git a/src/ossl/tests/config/includes.1.d/nonconf.bak b/src/ossl/tests/config/includes.1.d/nonconf.bak +new file mode 100644 +index 00000000..f5835c63 +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/nonconf.bak +@@ -0,0 +1,2 @@ ++[includes1] ++nonconf = not present +diff --git a/src/ossl/tests/config/includes.2.d/main.cnf b/src/ossl/tests/config/includes.2.d/main.cnf +new file mode 100644 +index 00000000..a9141010 +--- /dev/null ++++ b/src/ossl/tests/config/includes.2.d/main.cnf +@@ -0,0 +1,4 @@ ++[includes2] ++main = present ++ ++.include tests/config/include.2.d/subincludes.d +diff --git a/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf +new file mode 100644 +index 00000000..9cbf6c7e +--- /dev/null ++++ b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf +@@ -0,0 +1,2 @@ ++[includes2] ++subconf = absent +diff --git a/src/ossl/tests/config/includes.cnf b/src/ossl/tests/config/includes.cnf +new file mode 100644 +index 00000000..fd243487 +--- /dev/null ++++ b/src/ossl/tests/config/includes.cnf +@@ -0,0 +1,6 @@ ++openssl_conf = openssl_init ++ ++.include = tests/config/includes.1.d ++.include tests/config/includes.2.d ++.include tests/config/nonexistant.d ++.include tests/config/included-file.noncnf +diff --git a/src/ossl/tests/config/includes.cnf.expected b/src/ossl/tests/config/includes.cnf.expected +new file mode 100644 +index 00000000..519729f1 +--- /dev/null ++++ b/src/ossl/tests/config/includes.cnf.expected +@@ -0,0 +1,12 @@ ++# This 
configuration file was linarized and expanded from tests/config/includes.cnf ++openssl_conf = openssl_init ++ ++[included-file] ++present = true ++ ++[includes1] ++cnf-file = present ++conf-file = present ++ ++[includes2] ++main = present +diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf +new file mode 100644 +index 00000000..2801bd72 +--- /dev/null ++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf +@@ -0,0 +1,6 @@ ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA" ++1.recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA " ++2.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA " +diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected +new file mode 100644 +index 00000000..3dd985cc +--- /dev/null ++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected +@@ -0,0 +1,7 @@ ++# This configuration file was linarized and expanded from tests/config/leading-and-trailing-whitespace.cnf ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA ++1.recipient = /C=FI/O=Insta Demo/CN=Insta Demo CA" " ++2.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA" " +diff --git a/src/ossl/tests/config/order.cnf b/src/ossl/tests/config/order.cnf +new file mode 100644 +index 00000000..89662a1a +--- /dev/null ++++ b/src/ossl/tests/config/order.cnf +@@ -0,0 +1,21 @@ ++# vim:ft=conf ++openssl_conf = openssl_init ++ ++[def] ++# Sections are alphabetically ordered ++0.recipient = 0 ++ ++[abc] ++# Order within sections is preserved, even if it isn't sorted ++7.recipient = 7 ++6.recipient = 6 ++4.recipient = 4 ++3.recipient = 3 ++5.recipient = 5 ++2.recipient = 2 ++1.recipient = 1 ++0.recipient = 0 ++ ++[default] ++# The default section is consolidated and always printed first ++aaatest = value +diff --git 
a/src/ossl/tests/config/order.cnf.expected b/src/ossl/tests/config/order.cnf.expected +new file mode 100644 +index 00000000..50a62c90 +--- /dev/null ++++ b/src/ossl/tests/config/order.cnf.expected +@@ -0,0 +1,16 @@ ++# This configuration file was linarized and expanded from tests/config/order.cnf ++openssl_conf = openssl_init ++aaatest = value ++ ++[abc] ++7.recipient = 7 ++6.recipient = 6 ++4.recipient = 4 ++3.recipient = 3 ++5.recipient = 5 ++2.recipient = 2 ++1.recipient = 1 ++0.recipient = 0 ++ ++[def] ++0.recipient = 0 +diff --git a/src/ossl/tests/config/variables.cnf b/src/ossl/tests/config/variables.cnf +new file mode 100644 +index 00000000..04916116 +--- /dev/null ++++ b/src/ossl/tests/config/variables.cnf +@@ -0,0 +1,33 @@ ++# vim:ft=conf ++openssl_conf = openssl_init ++ ++default_var = ABC ++nested = "\${default_var}" ++ ++[othersection] ++ ++[test] ++# These should expand to ABC read from the default section ++0.recipient = ${default_var} ++1.recipient = $default_var ++2.recipient = $(default_var) ++# These should expand to DEF as the other section was explicitly referenced ++3.recipient = ${othersection::default_var} ++4.recipient = $othersection::default_var ++5.recipient = $(othersection::default_var) ++ ++[test2] ++default_var = GHI ++# These should expand to GHI since the local section is always searched first ++0.recipient = ${default_var} ++1.recipient = $default_var ++ ++[test3] ++.pragma dollarid:on ++# Out of these, the first should contain the literal "$default_var", the others should expand ++0.recipient = literal$default_var ++1.recipient = expanded${default_var} ++2.recipient = expanded$(default_var) ++ ++[test4] ++recipient = literal$nested +diff --git a/src/ossl/tests/config/variables.cnf.expected b/src/ossl/tests/config/variables.cnf.expected +new file mode 100644 +index 00000000..a2bccf23 +--- /dev/null ++++ b/src/ossl/tests/config/variables.cnf.expected +@@ -0,0 +1,27 @@ ++# This configuration file was linarized and expanded from 
tests/config/variables.cnf ++openssl_conf = openssl_init ++default_var = ABC ++nested = \${default_var} ++ ++[othersection] ++ ++[test] ++0.recipient = ABC ++1.recipient = ABC ++2.recipient = ABC ++3.recipient = ABC ++4.recipient = ABC ++5.recipient = ABC ++ ++[test2] ++default_var = GHI ++0.recipient = GHI ++1.recipient = GHI ++ ++[test3] ++0.recipient = literal\$default_var ++1.recipient = expandedABC ++2.recipient = expandedABC ++ ++[test4] ++recipient = literal\$nested +diff --git a/src/ossl/tests/files/engines.cnf b/src/ossl/tests/files/engines.cnf +new file mode 100644 +index 00000000..5ca8be01 +--- /dev/null ++++ b/src/ossl/tests/files/engines.cnf +@@ -0,0 +1,22 @@ ++openssl_conf = openssl_init ++ ++[openssl_init] ++engines = engines_sect ++ ++[engines_sect] ++afalg = afalg_sect ++loader_attic = loader_attic_sect ++pkcs11 = pkcs11_sect ++ ++[afalg_sect] ++dynamic_path = afalg.so ++ ++[loader_attic_sect] ++dynamic_path = /usr/lib64/engines-3/loader_attic.so ++init = 1 ++ ++[pkcs11_sect] ++engine_id = pkcs11 ++dynamic_path = /usr/lib64/engines-3/libpkcs11.so ++MODULE_PATH = opensc-pkcs11.so ++init = 1 +diff --git a/src/ossl/tests/files/engines.cnf.expected b/src/ossl/tests/files/engines.cnf.expected +new file mode 100644 +index 00000000..2d60cc52 +--- /dev/null ++++ b/src/ossl/tests/files/engines.cnf.expected +@@ -0,0 +1,4 @@ ++/usr/lib64/engines-3/afalg.so ++/usr/lib64/engines-3/loader_attic.so ++/usr/lib64/engines-3/libpkcs11.so ++/usr/lib64/ossl-modules/fips.so +diff --git a/src/ossl/tests/files/providers.cnf b/src/ossl/tests/files/providers.cnf +new file mode 100644 +index 00000000..fee4c826 +--- /dev/null ++++ b/src/ossl/tests/files/providers.cnf +@@ -0,0 +1,31 @@ ++openssl_conf = openssl_init ++ ++[openssl_init] ++providers = providers_sect ++ ++[providers_sect] ++default = default_sect ++fips = fips_sect ++legacy = legacy_sect ++base = base_sect ++pkcs11 = pkcs11_sect ++oqs = oqs_sect ++ ++[default_sect] ++activate = 1 ++ ++[fips_sect] ++activate = 1 ++ 
++[legacy_sect] ++activate = 1 ++ ++[base_sect] ++activate = 1 ++ ++[pkcs11_sect] ++activate = 1 ++ ++[oqs_sect] ++activate = 1 ++module = /usr/lib64/ossl-modules/oqsprovider.so.0.6.0 +diff --git a/src/ossl/tests/files/providers.cnf.expected b/src/ossl/tests/files/providers.cnf.expected +new file mode 100644 +index 00000000..23b1b7de +--- /dev/null ++++ b/src/ossl/tests/files/providers.cnf.expected +@@ -0,0 +1,4 @@ ++/usr/lib64/ossl-modules/fips.so ++/usr/lib64/ossl-modules/legacy.so ++/usr/lib64/ossl-modules/pkcs11.so ++/usr/lib64/ossl-modules/oqsprovider.so.0.6.0 +diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream +index 3f0cdf6c..337a38ef 100644 +--- a/test/container/Dockerfile-CentOS-9-Stream ++++ b/test/container/Dockerfile-CentOS-9-Stream +@@ -45,6 +45,7 @@ RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \ + wget \ + which \ + xz \ ++ openssl-devel \ + && dnf -y update && dnf clean all + + # C9S ships only qemu-kvm, but it disables the KVM accel when it's not diff --git a/SOURCES/0086.patch b/SOURCES/0086.patch new file mode 100644 index 0000000..ea7ee99 --- /dev/null +++ b/SOURCES/0086.patch 
@@ -0,0 +1,32 @@
+From 94969152cfa4ac9dd87f7a25133638935a5cd4d5 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Thu, 6 Mar 2025 14:30:26 +0100
+Subject: [PATCH] fix(rescue): create hmac file for rescue kernel
+
+Resolves: RHEL-53364
+---
+ install.d/51-dracut-rescue.install | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/install.d/51-dracut-rescue.install b/install.d/51-dracut-rescue.install
+index 8bf9a6d9..e27f72ba 100755
+--- a/install.d/51-dracut-rescue.install
++++ b/install.d/51-dracut-rescue.install
+@@ -95,6 +95,17 @@ case "$COMMAND" in
+ echo "Can't copy '$KERNEL_IMAGE to '$BOOT_DIR_ABS/$KERNEL'!" >&2
+ fi
+
++ HMAC=".${KERNEL}.hmac"
++
++ KERNEL_DIR="${KERNEL_IMAGE%/*}"
++ KERNEL_FILE="${KERNEL_IMAGE##*/}"
++
++ HMAC_FILE="${KERNEL_DIR}/.${KERNEL_FILE}.hmac"
++
++ if ! sed -E "s/([0-9a-f]+)(\s+).*$/\1\2${KERNEL}/" "$HMAC_FILE" > "$BOOT_DIR_ABS/$HMAC"; then
++ echo "Can't create '$BOOT_DIR_ABS/$HMAC' from '$HMAC_FILE'!" >&2
++ fi
++
+ if [[ ! -f "$BOOT_DIR_ABS/$INITRD" ]]; then
+ dracut -f --no-hostonly -a "rescue" "$BOOT_DIR_ABS/$INITRD" "$KERNEL_VERSION"
+ ((ret+=$?))
diff --git a/SPECS/dracut.spec b/SPECS/dracut.spec
index 51c3e98..709b869 100644
--- a/SPECS/dracut.spec
+++ b/SPECS/dracut.spec
@@ -5,7 +5,7 @@
# strip the automatically generated dep here and instead co-own the
# directory.
%global __requires_exclude pkg-config
-%define dist_free_release 80.git20250411
+%define dist_free_release 87.git20250311

Name: dracut
Version: 057
@@ -98,12 +98,23 @@ Patch66: 0066.patch
Patch67: 0067.patch
Patch68: 0068.patch
Patch69: 0069.patch
+Patch70: 0070.patch
Patch71: 0071.patch
Patch72: 0072.patch
+Patch73: 0073.patch
+Patch74: 0074.patch
+Patch75: 0075.patch
Patch76: 0076.patch
Patch77: 0077.patch
Patch78: 0078.patch
Patch79: 0079.patch
+Patch80: 0080.patch
+Patch81: 0081.patch
+Patch82: 0082.patch
+Patch83: 0083.patch
+Patch84: 0084.patch
+Patch85: 0085.patch
+Patch86: 0086.patch


Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
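Review bot: The redirection in `if ! sed -E "s/([0-9a-f]+)(\s+).*$/\1\2${KERNEL}/" "$HMAC_FILE" > "$BOOT_DIR_ABS/$HMAC"; then` opens the output file before sed reads its input, so on a kernel that ships no `.hmac` file (or after the `cp` above has already failed and only echoed) the rescue boot directory is left with an empty `.${KERNEL}.hmac` beside the kernel, which the fips integrity check would presumably treat as a present-but-mismatching checksum instead of a missing one. Guard the source and drop the partial output: `if [[ -f "$HMAC_FILE" ]] && ! sed -E "s/([0-9a-f]+)(\s+).*$/\1\2${KERNEL}/" "$HMAC_FILE" > "$BOOT_DIR_ABS/$HMAC"; then` with `rm -f "$BOOT_DIR_ABS/$HMAC"` added to the failure branch. The failure is also not folded into `ret` the way the dracut call below does with `((ret+=$?))`; if the hmac is meant to be mandatory on FIPS systems, add `((ret+=1))` there so the installer exit status reflects it. The enclosing `case "$COMMAND"` branch starts and ends outside the hunk.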
@@ -115,6 +126,7 @@ BuildRequires: gcc
%if 0%{?fedora} || 0%{?rhel}
BuildRequires: pkgconfig
BuildRequires: systemd
+BuildRequires: openssl-devel
%endif
%if 0%{?fedora}
BuildRequires: bash-completion
@@ -353,6 +365,8 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/dracut-initramfs-restore
%{dracutlibdir}/dracut-install
%{dracutlibdir}/dracut-util
+%{dracutlibdir}/ossl-config
+%{dracutlibdir}/ossl-files
%{dracutlibdir}/skipcpio
%config(noreplace) %{_sysconfdir}/dracut.conf
%if 0%{?fedora} || 0%{?suse_version} || 0%{?rhel}
@@ -478,6 +492,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{dracutlibdir}/modules.d/99base
%{dracutlibdir}/modules.d/99memstrack
%{dracutlibdir}/modules.d/99fs-lib
+%{dracutlibdir}/modules.d/99openssl
%{dracutlibdir}/modules.d/99shutdown
%attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log
%dir %{_sharedstatedir}/initramfs
@@ -556,12 +571,24 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install

%changelog
-* Fri Apr 11 2025 Pavel Valena - 057-80.git20250411
-- fix(kernel-modules): use modalias info in get_dev_module()
-- fix(dracut-functions.sh): convert mmcblk to the real kernel
+* Tue Mar 11 2025 Pavel Valena - 057-87.git20250311
+- fix(rescue): create hmac file for rescue kernel
+
+* Mon Feb 17 2025 Pavel Valena - 057-86.git20250217
+- fix(35network-manager): remove duplicate installkernel
+- feat(fips): include fips module unconditionally
+- fix(dracut.sh): make omit-drivers option do exact match for
+- feat: add openssl module
+
+* Wed Nov 27 2024 Pavel Valena - 057-79.git20241127
- fix(35network-manager): install nftables kernel modules
- fix(35network-manager): install nft binary during module
+- fix(dracut-install): copy xattr when use clone ioctl
- feat(dracut.sh): add --add-confdir option
+- fix: typo in variable name
+- feat(fips): add support for UKIs
+- fix(kernel-modules): use modalias info in get_dev_module()
+- fix(dracut-functions.sh): convert mmcblk to the real kernel

* Mon Aug 19 2024 Pavel Valena - 057-70.git20240819
- fix(systemd): set right permissions for the machine-id file