dracut-057-79.git20241127

Resolves: RHEL-55245,RHEL-55708,RHEL-56885,RHEL-64754,RHEL-65249,RHEL-66582
This commit is contained in:
Pavel Valena 2024-11-27 21:54:00 +01:00
parent 550e8d1e90
commit f8e78fc034
10 changed files with 859 additions and 1 deletions

250
0070.patch Normal file

@ -0,0 +1,250 @@
From 29616c6a89437e138bb5abc55b42325d0d2b1394 Mon Sep 17 00:00:00 2001
From: Pavel Valena <pvalena@redhat.com>
Date: Tue, 22 Oct 2024 17:30:32 +0200
Subject: [PATCH] ci: fix CentOS-9-Stream container and ci config
- correct URL for dash
- add missing dependencies
- use centos9 instead of fedora
rhel-only
Resolves: RHEL-65249
---
.github/workflows/integration.yml | 4 +-
test/container/Dockerfile-Arch | 25 -------------
test/container/Dockerfile-CentOS-9-Stream | 5 ++-
test/container/Dockerfile-Debian | 61 -------------------------------
test/container/Dockerfile-Fedora-latest | 56 ----------------------------
test/container/Dockerfile-OpenSuse-latest | 23 ------------
6 files changed, 5 insertions(+), 169 deletions(-)
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index c22bf916..c023ab16 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -14,7 +14,7 @@ jobs:
strategy:
matrix:
container: [
- "fedora:latest",
+ "centos:stream9",
]
test: [
"04",
@@ -40,7 +40,7 @@ jobs:
strategy:
matrix:
container: [
- "fedora:latest",
+ "centos:stream9",
]
test: [
"01",
diff --git a/test/container/Dockerfile-Arch b/test/container/Dockerfile-Arch
deleted file mode 100644
index 4112cc5b..00000000
--- a/test/container/Dockerfile-Arch
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM docker.io/archlinux
-
-MAINTAINER https://github.com/dracutdevs/dracut
-
-ENV container docker
-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
-
-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
-
-# Install needed packages for the dracut CI container
-RUN pacman --noconfirm -Sy \
- linux dash strace dhclient asciidoc cpio pigz squashfs-tools \
- qemu btrfs-progs mdadm dmraid nfs-utils nfsidmap lvm2 nbd \
- dhcp networkmanager multipath-tools vi tcpdump open-iscsi \
- git shfmt shellcheck astyle which base-devel glibc parted && yes | pacman -Scc
-
-RUN useradd -m build
-RUN su build -c 'cd && git clone https://aur.archlinux.org/perl-config-general.git && cd perl-config-general && makepkg -s --noconfirm'
-RUN pacman -U --noconfirm ~build/perl-config-general/*.pkg.tar.*
-RUN su build -c 'cd && git clone https://aur.archlinux.org/tgt.git && cd tgt && echo "CFLAGS=-Wno-error=stringop-truncation" >> PKGBUILD && makepkg -s --noconfirm'
-RUN pacman -U --noconfirm ~build/tgt/*.pkg.tar.*
-RUN rm -fr ~build
-
-# Set default command
-CMD ["/usr/bin/bash"]
diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream
index abcc067e..26d308d2 100644
--- a/test/container/Dockerfile-CentOS-9-Stream
+++ b/test/container/Dockerfile-CentOS-9-Stream
@@ -8,9 +8,10 @@ LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=h
RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
# Install needed packages for the dracut CI container
-# FIXME: properly re-add dash once C9S EPEL is available
+# FIXME: add dmraid, scsi-target-utils (e.g. from COPR)
RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \
- http://mirrors.kernel.org/fedora/releases/34/Everything/x86_64/os/Packages/d/dash-0.5.10.2-8.fc34.x86_64.rpm \
+ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \
+ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \
qemu-kvm \
NetworkManager \
asciidoc \
diff --git a/test/container/Dockerfile-Debian b/test/container/Dockerfile-Debian
deleted file mode 100644
index 15eb9958..00000000
--- a/test/container/Dockerfile-Debian
+++ /dev/null
@@ -1,61 +0,0 @@
-FROM docker.io/debian:latest
-
-MAINTAINER https://github.com/dracutdevs/dracut
-
-ENV container docker
-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
-
-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
-
-# Install needed packages for the dracut CI container
-RUN apt-get update -y -qq && apt-get upgrade -y -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends -o Dpkg::Use-Pty=0 \
- asciidoc \
- astyle \
- btrfs-progs \
- busybox-static \
- bzip2 \
- ca-certificates \
- console-setup \
- cpio \
- cryptsetup \
- curl \
- dash \
- debhelper \
- debhelper-compat \
- docbook \
- docbook-xml \
- docbook-xsl \
- fdisk \
- g++ \
- git \
- iputils-ping \
- isc-dhcp-client \
- kmod \
- less \
- libkmod-dev \
- linux-image-generic \
- lvm2 \
- make \
- mdadm \
- multipath-tools \
- nbd-client \
- network-manager \
- nfs-common \
- open-iscsi \
- parted \
- pigz \
- pkg-config \
- procps \
- qemu-system-x86 \
- quilt \
- shellcheck \
- squashfs-tools \
- strace \
- sudo \
- tcpdump \
- vim \
- wget \
- && apt-get clean
-
-# Set default command
-CMD ["/usr/bin/bash"]
diff --git a/test/container/Dockerfile-Fedora-latest b/test/container/Dockerfile-Fedora-latest
deleted file mode 100644
index a38a72ef..00000000
--- a/test/container/Dockerfile-Fedora-latest
+++ /dev/null
@@ -1,56 +0,0 @@
-FROM registry.fedoraproject.org/fedora:latest
-
-MAINTAINER https://github.com/dracutdevs/dracut
-
-ENV container docker
-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
-
-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
-
-# Install needed packages for the dracut CI container
-RUN dnf -y install --setopt=install_weak_deps=False \
- dash \
- pigz \
- asciidoc \
- mdadm \
- lvm2 \
- dmraid \
- cryptsetup \
- nfs-utils \
- nbd \
- dhcp-server \
- scsi-target-utils \
- iscsi-initiator-utils \
- strace \
- btrfs-progs \
- kmod-devel \
- gcc \
- bzip2 \
- xz \
- tar \
- wget \
- rpm-build \
- make \
- git \
- bash-completion \
- sudo \
- kernel \
- dhcp-client \
- /usr/bin/qemu-kvm \
- /usr/bin/qemu-system-$(uname -i) \
- e2fsprogs \
- tcpdump \
- iproute \
- iputils \
- dbus-daemon \
- kbd \
- NetworkManager \
- squashfs-tools \
- which \
- ShellCheck \
- shfmt \
- parted \
- && dnf -y update && dnf clean all
-
-# Set default command
-CMD ["/usr/bin/bash"]
diff --git a/test/container/Dockerfile-OpenSuse-latest b/test/container/Dockerfile-OpenSuse-latest
deleted file mode 100644
index 9aaf07b1..00000000
--- a/test/container/Dockerfile-OpenSuse-latest
+++ /dev/null
@@ -1,23 +0,0 @@
-FROM registry.opensuse.org/opensuse/tumbleweed-dnf:latest
-
-MAINTAINER https://github.com/dracutdevs/dracut
-
-ENV container docker
-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
-
-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
-
-# Install needed packages for the dracut CI container
-RUN dnf -y install --setopt=install_weak_deps=False \
- dash asciidoc mdadm lvm2 dmraid cryptsetup nfs-utils nbd dhcp-server \
- strace libkmod-devel gcc bzip2 xz tar wget rpm-build make git bash-completion \
- sudo kernel dhcp-client qemu-kvm /usr/bin/qemu-system-$(uname -m) e2fsprogs \
- tcpdump iproute iputils kbd NetworkManager btrfsprogs tgt dbus-broker \
- iscsiuio open-iscsi which ShellCheck procps pigz parted squashfs \
- && dnf -y update && dnf clean all
-
-RUN shfmt_version=3.2.4; wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O /usr/local/bin/shfmt \
- && chmod +x /usr/local/bin/shfmt
-
-# Set default command
-CMD ["/usr/bin/bash"]
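Review bot: The two RPMs added by URL in the CentOS-9-Stream Dockerfile hunk (`dash-0.5.11.5-4.el9.x86_64.rpm` and `btrfs-progs-6.10-1.el9.x86_64.rpm`) are installed as local packages, and dnf does not verify signatures on local/URL packages unless `localpkg_gpgcheck` is enabled, so the repository GPG check that every other package in this `dnf -y install` receives is skipped for exactly these two. Since EPEL 9 is now available (the removed FIXME was waiting for it), installing `epel-release` in a preceding RUN step and then listing `dash btrfs-progs` by name would let dnf verify them against the EPEL key; alternatively keep the URLs but add `--setopt=localpkg_gpgcheck=1` after importing the EPEL 9 signing key. The RUN command continues past the hunk, so the rest of the package list is not visible here.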

35
0071.patch Normal file

@ -0,0 +1,35 @@
From 0a264651d148b543c0c5d6b0a07909cdcb1abfba Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Tue, 26 Nov 2024 11:27:54 +0100
Subject: [PATCH] fix(35network-manager): install nftables kernel modules
needed
NetworkManager requires nf_tables, nfnetlink and nft_fwd_netdev kernel
modules to operate balance-slb bonding mode.
Fixes a6264d1726d9 ("fix(35network-manager): install nft binary during module installation")
(cherry picked from commit 037da383dd8d9d9d699f1430d6afc790b28b18f8)
Resolves: RHEL-64754
---
modules.d/35network-manager/module-setup.sh | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh
index c93c6a3c..6ed8c04e 100755
--- a/modules.d/35network-manager/module-setup.sh
+++ b/modules.d/35network-manager/module-setup.sh
@@ -19,6 +19,11 @@ installkernel() {
return 0
}
+# called by dracut
+installkernel() {
+ instmods nf_tables nfnetlink nft_fwd_netdev
+}
+
# called by dracut
install() {
local _nm_version
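Review bot: The added `installkernel()` appears to define a function this file already has: the hunk header's context is `installkernel() {` and the `return 0` / `}` lines immediately before the insertion read as the tail of that existing stub. Bash keeps the last definition, so the new body wins and the module works, but the earlier stub becomes dead code and a reader sees two `installkernel` definitions back to back. Replacing the stub's `return 0` with `instmods nf_tables nfnetlink nft_fwd_netdev` in place, instead of appending a second definition, would be the cleaner backport; the existing function's header is outside the hunk, so this is inferred from the context line.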

35
0072.patch Normal file

@ -0,0 +1,35 @@
From 3db62d5a16557941ef95ab0aa838f1012c20af9e Mon Sep 17 00:00:00 2001
From: Fernando Fernandez Mancera <ffmancera@riseup.net>
Date: Thu, 21 Nov 2024 00:40:27 +0100
Subject: [PATCH] fix(35network-manager): install nft binary during module
installation
NetworkManager has a new bonding mode called balance-slb. This mode is
used in environments where NICs are connected to switches without LACP.
In order to work, NetworkManager configures a set of nftables rules.
The 'nft' binary is required to work.
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
(cherry picked from commit 37317b61fda5181aeb0604381e994e8181a53200)
Resolves: RHEL-64754
---
modules.d/35network-manager/module-setup.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh
index 6ed8c04e..4fd3d051 100755
--- a/modules.d/35network-manager/module-setup.sh
+++ b/modules.d/35network-manager/module-setup.sh
@@ -37,7 +37,7 @@ install() {
inst NetworkManager
inst_multiple -o /usr/{lib,libexec}/nm-initrd-generator
inst_multiple -o /usr/{lib,libexec}/nm-daemon-helper
- inst_multiple -o teamd dhclient
+ inst_multiple -o teamd dhclient nft
inst_hook cmdline 99 "$moddir/nm-config.sh"
if dracut_module_included "systemd"; then

100
0073.patch Normal file

@ -0,0 +1,100 @@
From e3bba58810038d0e7bc83988355e07eb30c1f5a7 Mon Sep 17 00:00:00 2001
From: Huaxin Lu <luhuaxin1@huawei.com>
Date: Thu, 20 Jun 2024 13:38:26 +0800
Subject: [PATCH] fix(dracut-install): copy xattr when use clone ioctl
When use clone ioctl to copy a file, the extended attributes of files are
missing, which is inconsistent with the result by using the cp command.
This commit add the process to copy extended attributes after clone_file().
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
(cherry picked from commit 1cf0db26e43fe4c6173acdb8047f16666ebf070a)
Resolves: RHEL-55245
---
src/install/dracut-install.c | 56 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c
index 997d62d3..2ad783d3 100644
--- a/src/install/dracut-install.c
+++ b/src/install/dracut-install.c
@@ -43,6 +43,7 @@
#include <fts.h>
#include <regex.h>
#include <sys/utsname.h>
+#include <sys/xattr.h>
#include "log.h"
#include "hashmap.h"
@@ -267,6 +268,56 @@ static inline int clone_file(int dest_fd, int src_fd)
return ioctl(dest_fd, BTRFS_IOC_CLONE, src_fd);
}
+static int copy_xattr(int dest_fd, int src_fd)
+{
+ int ret = 0;
+ ssize_t name_len = 0, value_len = 0;
+ char *name_buf = NULL, *name = NULL, *value = NULL, *value_save = NULL;
+
+ name_len = flistxattr(src_fd, NULL, 0);
+ if (name_len < 0)
+ return -1;
+
+ name_buf = calloc(1, name_len + 1);
+ if (name_buf == NULL)
+ return -1;
+
+ name_len = flistxattr(src_fd, name_buf, name_len);
+ if (name_len < 0)
+ goto out;
+
+ for (name = name_buf; name != name_buf + name_len; name = strchr(name, '\0') + 1) {
+ value_len = fgetxattr(src_fd, name, NULL, 0);
+ if (value_len < 0) {
+ ret = -1;
+ continue;
+ }
+
+ value_save = value;
+ value = realloc(value, value_len);
+ if (value == NULL) {
+ value = value_save;
+ ret = -1;
+ goto out;
+ }
+
+ value_len = fgetxattr(src_fd, name, value, value_len);
+ if (value_len < 0) {
+ ret = -1;
+ continue;
+ }
+
+ value_len = fsetxattr(dest_fd, name, value, value_len, 0);
+ if (value_len < 0)
+ ret = -1;
+ }
+
+out:
+ free(name_buf);
+ free(value);
+ return ret;
+}
+
static bool use_clone = true;
static int cp(const char *src, const char *dst)
@@ -308,6 +359,11 @@ static int cp(const char *src, const char *dst)
log_info("Failed to chown %s: %m", dst);
}
+ if (geteuid() == 0 && no_xattr == false) {
+ if (copy_xattr(dest_desc, source_desc) != 0)
+ log_error("Failed to copy xattr %s: %m", dst);
+ }
+
tv[0].tv_sec = sb.st_atime;
tv[0].tv_usec = 0;
tv[1].tv_sec = sb.st_mtime;
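Review bot: In copy_xattr an attribute with an empty value (value_len == 0 from `value_len = fgetxattr(src_fd, name, NULL, 0);`) reaches `value = realloc(value, value_len);` with a size of 0, which on glibc frees the old buffer and returns NULL; the recovery path then restores `value = value_save;` and `free(value);` at `out:` frees that buffer a second time. Sizing the buffer with `value = realloc(value, value_len > 0 ? value_len : 1);` avoids the zero-length call while keeping the loop's error handling as written. Separately, a failure of the second listing (`if (name_len < 0) goto out;`, e.g. ERANGE when the attribute list grows between the two flistxattr calls) jumps to `out` with `ret` still 0, so cp() logs nothing; set `ret = -1;` before that goto. copy_xattr is complete within the hunk; its caller cp() is only partly shown.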

138
0074.patch Normal file

@ -0,0 +1,138 @@
From 01e51a69c34b58ddb974a1489c2990bb77bf791e Mon Sep 17 00:00:00 2001
From: Lichen Liu <lichliu@redhat.com>
Date: Wed, 7 Aug 2024 10:13:37 +0800
Subject: [PATCH] feat(dracut.sh): add --add-confdir option
When generating kdump's initrd, we want to keep [omit_]dracutmodules
empty and let kdump to handle the modules. And we don't want to
affect the first kernel's initrd, so we cannot place our conf file
to /etc/dracut.conf.d or /usr/lib/dracut/dracut.conf.d.
This patch adds a new option to allow user to add an extra configuration
directory to use *.conf files from. If the dir not exists, will look for
confdir's subdir.
After that, kdump can use "--add-confdir kdump" if
/usr/lib/dracut/dracut.conf.d/kdump exists, to apply its own dracut conf.
See also:
https://github.com/rhkdump/kdump-utils/issues/11
https://github.com/rhkdump/kdump-utils/pull/31
Suggested-by: Dave Young <dyoung@redhat.com>
Signed-off-by: Lichen Liu <lichliu@redhat.com>
(cherry picked from commit ae81535037c42b716d8cbb9dc18942b5c6f16fed)
Resolves: RHEL-66582
---
dracut.sh | 25 ++++++++++++++++++++++++-
man/dracut.8.asc | 8 ++++++++
shell-completion/bash/dracut | 4 ++--
3 files changed, 34 insertions(+), 3 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index 778eefd7..7e4b0602 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -156,6 +156,9 @@ Creates initial ramdisk images for preloading modules
Default: /etc/dracut.conf
--confdir [DIR] Specify configuration directory to use *.conf files
from. Default: /etc/dracut.conf.d
+ --add-confdir [DIR] Add an extra configuration directory to use *.conf
+ files from. If the directory is not existed, will
+ look for subdirectory under confdir.
--tmpdir [DIR] Temporary directory to be used instead of default
${TMPDIR:-/var/tmp}.
-r, --sysroot [DIR] Specify sysroot directory to collect files from.
@@ -400,6 +403,7 @@ rearrange_params() {
--long kmoddir: \
--long conf: \
--long confdir: \
+ --long add-confdir: \
--long tmpdir: \
--long sysroot: \
--long stdlog: \
@@ -676,6 +680,11 @@ while :; do
PARMS_TO_STORE+=" '$2'"
shift
;;
+ --add-confdir)
+ add_confdir="$2"
+ PARMS_TO_STORE+=" '$2'"
+ shift
+ ;;
--tmpdir)
tmpdir_l="$2"
PARMS_TO_STORE+=" '$2'"
@@ -931,6 +940,20 @@ elif [[ ! -d $confdir ]]; then
exit 1
fi
+if [[ -n $add_confdir ]]; then
+ if [[ -d $add_confdir ]]; then
+ :
+ # Check if it exists under $confdir.
+ elif [[ -d $confdir/$add_confdir ]]; then
+ add_confdir="$confdir/$add_confdir"
+ elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then
+ add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir"
+ else
+ printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2
+ exit 1
+ fi
+fi
+
# source our config file
if [[ -f $conffile ]]; then
check_conf_file "$conffile"
@@ -939,7 +962,7 @@ if [[ -f $conffile ]]; then
fi
# source our config dir
-for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do
+for f in $(dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"); do
check_conf_file "$f"
# shellcheck disable=SC1090
[[ -e $f ]] && . "$f"
diff --git a/man/dracut.8.asc b/man/dracut.8.asc
index 8339e8a9..15ae36e6 100644
--- a/man/dracut.8.asc
+++ b/man/dracut.8.asc
@@ -311,6 +311,14 @@ Default:
Default:
_/etc/dracut.conf.d_
+**--add-confdir** _<configuration directory>_::
+ Add an extra configuration directory to use *.conf files from. If the
+ directory is not existed, will look for subdirectory under confdir.
++
+Default:
+ _empty_
+
+
**--tmpdir** _<temporary directory>_::
Specify temporary directory to use.
+
diff --git a/shell-completion/bash/dracut b/shell-completion/bash/dracut
index 9b51db01..bc14aa9a 100644
--- a/shell-completion/bash/dracut
+++ b/shell-completion/bash/dracut
@@ -46,14 +46,14 @@ _dracut() {
--kernel-cmdline --sshkey --persistent-policy --install-optional
--loginstall --uefi-stub --kernel-image --squash-compressor
--sysroot --hostonly-mode --hostonly-nics --include --logfile
- --uefi-splash-image --sbat
+ --uefi-splash-image --sbat --add-confdir
'
)
# shellcheck disable=SC2086
if __contains_word "$prev" ${OPTS[ARG]}; then
case $prev in
- --kmoddir | -k | --fwdir | --confdir | --tmpdir | -r | --sysroot)
+ --kmoddir | -k | --fwdir | --confdir | --add-confdir | --tmpdir | -r | --sysroot)
comps=$(compgen -d -- "$cur")
compopt -o filenames
;;
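Review bot: The first branch `if [[ -d $add_confdir ]]; then` resolves a relative name against the current working directory, so the documented form `--add-confdir kdump` picks up a `kdump/` directory in whatever directory dracut is run from before the two fallback lookups below are tried, and every `*.conf` found there is sourced as shell code by the `. "$f"` loop that follows. Accepting the value as given only when it is absolute, `if [[ $add_confdir == /* && -d $add_confdir ]]; then`, keeps bare names on the intended subdirectory lookup; a caller that really wants some other directory can pass its absolute path. The help text `If the directory is not existed, will look for subdirectory under confdir.` would read better as `If DIR does not exist, it is looked up as a subdirectory of confdir.` (same wording in the man page hunk).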

28
0075.patch Normal file

@ -0,0 +1,28 @@
From cb1c0c94322768dcdc8748b3623c0a4ba1afde71 Mon Sep 17 00:00:00 2001
From: Jo Zzsi <jozzsicsataban@gmail.com>
Date: Wed, 11 Sep 2024 16:57:13 -0400
Subject: [PATCH] fix: typo in variable name
(cherry picked from commit 76b2f1a9b52afd4203c1d0e6afb57314bbfe8407)
Resolves: RHEL-66582
---
dracut.sh | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/dracut.sh b/dracut.sh
index 7e4b0602..f748a073 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -946,8 +946,8 @@ if [[ -n $add_confdir ]]; then
# Check if it exists under $confdir.
elif [[ -d $confdir/$add_confdir ]]; then
add_confdir="$confdir/$add_confdir"
- elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then
- add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir"
+ elif [[ -d $dracutbasedir/dracut.conf.d/$add_confdir ]]; then
+ add_confdir="$dracutbasedir/dracut.conf.d/$add_confdir"
else
printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2
exit 1

118
0076.patch Normal file

@ -0,0 +1,118 @@
From 492bc949e16f78fad9f274744c72bc2fd0161d84 Mon Sep 17 00:00:00 2001
From: Vitaly Kuznetsov <vkuznets@redhat.com>
Date: Fri, 9 Aug 2024 12:49:05 +0200
Subject: [PATCH] feat(fips): add support for UKIs
Kernel integrity check in FIPS module is incompatible with UKIs as neither
/boot/vmlinuz-`uname-r` nor /boot/.vmlinuz-`uname-r`.hmac are present. UKI
is placed to $ESP\EFI\Linux\<install-tag>-<uname-r>.efi and if a .hmac file
is present next to it, it is possible to do similar check.
Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected
to be set. Luckily, if the UKI is systemd-stub based then we can expect
'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount
it to /boot using the existing logic.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be)
Resolves: RHEL-56885
---
modules.d/01fips/fips.sh | 51 ++++++++++++++++++++++++++++++++++++++++
modules.d/01fips/module-setup.sh | 2 +-
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
index 05631c8a..3889dc0c 100755
--- a/modules.d/01fips/fips.sh
+++ b/modules.d/01fips/fips.sh
@@ -14,9 +14,22 @@ else
}
fi
+# Checks if a systemd-based UKI is running and ESP UUID is set
+is_uki() {
+ [ -f /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] \
+ && [ -f /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ]
+}
+
mount_boot() {
boot=$(getarg boot=)
+ if is_uki && [ -z "$boot" ]; then
+ # efivar file has 4 bytes header and contain UCS-2 data. Note, 'cat' is required
+ # as sys/firmware/efi/efivars/ files are 'special' and don't allow 'seeking'.
+ # shellcheck disable=SC2002
+ boot="PARTUUID=$(cat /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f | tail -c +5 | tr -d '\0' | tr 'A-F' 'a-f')"
+ fi
+
if [ -n "$boot" ]; then
if [ -d /boot ] && ismounted /boot; then
boot_dev=
@@ -81,6 +94,41 @@ do_rhevh_check() {
return 0
}
+do_uki_check() {
+ local KVER
+ local uki_checked=0
+
+ KVER="$(uname -r)"
+ # UKI are placed in $ESP\EFI\Linux\<intall-tag>-<uname-r>.efi
+ if ! [ "$FIPS_MOUNTED_BOOT" = 1 ]; then
+ warn "Failed to mount ESP for doing UKI integrity check"
+ return 1
+ fi
+
+ for UKIpath in /boot/EFI/Linux/*-"$KVER".efi; do
+ # UKIs are installed to $ESP/EFI/Linux/<entry-token-or-machine-id>-<uname-r>.efi
+ # and in some cases (e.g. when the image is used as a template for creating new
+ # VMs) entry-token-or-machine-id can change. To make sure the running UKI is
+ # always checked, check all UKIs which match the 'uname -r' of the running kernel
+ # and fail the whole check if any of the matching UKIs are corrupted.
+
+ [ -r "$UKIpath" ] || break
+
+ local UKI="${UKIpath##*/}"
+ local UKIHMAC=."$UKI".hmac
+
+ fips_info "checking $UKIHMAC"
+ (cd /boot/EFI/Linux/ && sha512hmac -c "$UKIHMAC") || return 1
+ uki_checked=1
+ done
+
+ if [ "$uki_checked" = 0 ]; then
+ warn "Failed for find UKI for checking"
+ return 1
+ fi
+ return 0
+}
+
nonfatal_modprobe() {
modprobe "$1" 2>&1 > /dev/stdout \
| while read -r line || [ -n "$line" ]; do
@@ -133,6 +181,9 @@ do_fips() {
elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then
# This is a boot.iso with the .hmac inside the install.img
do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1
+ elif is_uki; then
+ # This is a UKI
+ do_uki_check || return 1
else
BOOT_IMAGE="$(getarg BOOT_IMAGE)"
diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
index 91612ff3..a090bc88 100755
--- a/modules.d/01fips/module-setup.sh
+++ b/modules.d/01fips/module-setup.sh
@@ -67,7 +67,7 @@ install() {
inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
inst_script "$moddir/fips.sh" /sbin/fips.sh
- inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort
+ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr
inst_simple /etc/system-fips
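Review bot: In do_uki_check the loop guard `[ -r "$UKIpath" ] || break` ends the scan on the first matching file that is not readable, so if an earlier match already set `uki_checked=1` the function still returns 0, which is at odds with the comment's stated intent of failing when any matching UKI cannot be verified; keeping `break` for the unmatched-glob literal (`[ -e "$UKIpath" ] || break`) and adding `[ -r "$UKIpath" ] || return 1` after it separates the two cases. `UKIpath` is also the only loop variable not declared `local` (unlike `UKI` and `UKIHMAC`), so it leaks into the caller's scope. The message `warn "Failed for find UKI for checking"` should read `warn "Failed to find UKI for checking"`.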

52
0077.patch Normal file

@ -0,0 +1,52 @@
From f4cda60fd9725d5aa6dd25ee67909339d6400af8 Mon Sep 17 00:00:00 2001
From: Adrien Thierry <athierry@redhat.com>
Date: Mon, 13 Feb 2023 10:43:32 -0500
Subject: [PATCH] fix(kernel-modules): use modalias info in get_dev_module()
When calling dracut with '--hostonly-mode=strict', get_dev_module() gets
called on the system's block devices to find the required drivers. The
driver name is retrieved using udevadm. However, the driver name
returned by udevadm is not necessarily the same as the module name.
This is the case for the Qualcomm UFS driver: udevadm returns
'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is
not able to find the module afterwards.
To solve this, make get_dev_module() also return the module alias info
from the modalias files contained in the sysfs directories parsed by
udevadm.
Signed-off-by: Adrien Thierry <athierry@redhat.com>
(cherry picked from commit 87a76dbb578aff473e690857d1b714eacd92b9ec)
Resolves: RHEL-55708
---
dracut-functions.sh | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/dracut-functions.sh b/dracut-functions.sh
index 3c475ca7..f2614308 100755
--- a/dracut-functions.sh
+++ b/dracut-functions.sh
@@ -971,8 +971,20 @@ block_is_netdevice() {
get_dev_module() {
local dev_attr_walk
local dev_drivers
+ local dev_paths
dev_attr_walk=$(udevadm info -a "$1")
dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p')
+
+ # also return modalias info from sysfs paths parsed by udevadm
+ dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p')
+ local dev_path
+ for dev_path in $dev_paths; do
+ local modalias_file="/sys$dev_path/modalias"
+ if [ -e "$modalias_file" ]; then
+ dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")"
+ fi
+ done
+
# if no kernel modules found and device is in a virtual subsystem, follow symlinks
if [[ -z $dev_drivers && $(udevadm info -q path "$1") == "/devices/virtual"* ]]; then
local dev_vkernel
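Review bot: When `$dev_drivers` is still empty (no DRIVERS== lines matched), `dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")"` yields a value that begins with an empty line, which callers then have to tolerate. `dev_drivers="${dev_drivers:+$dev_drivers$'\n'}$(< "$modalias_file")"` appends without the blank line and drops the `cat` fork. The surrounding code uses `[[ ]]` (see the `if [[ -z $dev_drivers && ...` line just below), so `if [ -e "$modalias_file" ]; then` would be more consistent as `if [[ -e $modalias_file ]]; then`. get_dev_module continues past the hunk.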

83
0078.patch Normal file

@ -0,0 +1,83 @@
From f194bd6ad64f7baae1a8fded967a198b1127cb64 Mon Sep 17 00:00:00 2001
From: Tao Liu <ltao@redhat.com>
Date: Wed, 12 Apr 2023 23:02:25 +0800
Subject: [PATCH] fix(dracut-functions.sh): convert mmcblk to the real kernel
module name
In some x86_64 platforms such as Intel Elkhartlake, an issue of missing
necessary modules due to udevadm drivers field unmatch the real kernel module
name is found:
$ udevadm info -a /dev/block/179:1
looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001':
KERNELS=="mmc0:0001"
SUBSYSTEMS=="mmc"
DRIVERS=="mmcblk"
....
The DRIVERS field, aka mmcblk will be given to instmods to install the
corresponding mmc_block.ko kernel module. However mmc_block.ko cannot be
selected by string mmcblk, as a result, mmc_block.ko cannot be installed
in hostonly-mode strict, which will fail to bootup the machine such as in
kdump cases:
$ /usr/lib/dracut/dracut-install -D /var/tmp --kerneldir /lib/modules/$(uname -r)/ -m mmcblk
dracut-install: Failed to find module 'mmcblk'
In this patch, we will convert the string mmcblk to mmc_block, so the
kernel module can be successfully loaded.
Signed-off-by: Tao Liu <ltao@redhat.com>
(cherry picked from commit a62e895db9510f0fc4c47ee81b1436096eca4d64)
Resolves: RHEL-55708
---
dracut-functions.sh | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/dracut-functions.sh b/dracut-functions.sh
index f2614308..2e582ebc 100755
--- a/dracut-functions.sh
+++ b/dracut-functions.sh
@@ -967,13 +967,30 @@ block_is_netdevice() {
block_is_nbd "$1" || block_is_iscsi "$1" || block_is_fcoe "$1"
}
+# convert the driver name given by udevadm to the corresponding kernel module name
+get_module_name() {
+ local dev_driver
+ while read -r dev_driver; do
+ case "$dev_driver" in
+ mmcblk)
+ echo "mmc_block"
+ ;;
+ *)
+ echo "$dev_driver"
+ ;;
+ esac
+ done
+}
+
# get the corresponding kernel modules of a /sys/class/*/* or/dev/* device
get_dev_module() {
local dev_attr_walk
local dev_drivers
local dev_paths
dev_attr_walk=$(udevadm info -a "$1")
- dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p')
+ dev_drivers=$(echo "$dev_attr_walk" \
+ | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \
+ | get_module_name)
# also return modalias info from sysfs paths parsed by udevadm
dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p')
@@ -1001,6 +1018,7 @@ get_dev_module() {
[[ -n $dev_drivers && ${dev_drivers: -1} != $'\n' ]] && dev_drivers+=$'\n'
dev_drivers+=$(udevadm info -a "$dev_vpath/$dev_link" \
| sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \
+ | get_module_name \
| grep -v -e pcieport)
done
fi
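Review bot: `echo "$dev_driver"` and `echo "mmc_block"` in get_module_name rely on echo's handling of arbitrary values; `printf '%s\n' "$dev_driver"` is the safer form and behaves identically for ordinary driver names. `while read -r dev_driver; do` without `IFS=` also trims surrounding whitespace, harmless for driver names but worth writing as `while IFS= read -r dev_driver; do` so the filter is a faithful pass-through. A short comment above the `mmcblk)` arm naming the reason (`# the mmcblk driver is built as mmc_block.ko`) keeps the mapping self-explaining when more entries are added.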


@ -5,7 +5,7 @@
# strip the automatically generated dep here and instead co-own the
# directory.
%global __requires_exclude pkg-config
%define dist_free_release 70.git20240819
%define dist_free_release 79.git20241127
Name: dracut
Version: 057
@ -98,6 +98,15 @@ Patch66: 0066.patch
Patch67: 0067.patch
Patch68: 0068.patch
Patch69: 0069.patch
Patch70: 0070.patch
Patch71: 0071.patch
Patch72: 0072.patch
Patch73: 0073.patch
Patch74: 0074.patch
Patch75: 0075.patch
Patch76: 0076.patch
Patch77: 0077.patch
Patch78: 0078.patch
Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
@ -550,6 +559,16 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
%{_prefix}/lib/kernel/install.d/51-dracut-rescue.install
%changelog
* Wed Nov 27 2024 Pavel Valena <pvalena@redhat.com> - 057-79.git20241127
- fix(35network-manager): install nftables kernel modules
- fix(35network-manager): install nft binary during module
- fix(dracut-install): copy xattr when use clone ioctl
- feat(dracut.sh): add --add-confdir option
- fix: typo in variable name
- feat(fips): add support for UKIs
- fix(kernel-modules): use modalias info in get_dev_module()
- fix(dracut-functions.sh): convert mmcblk to the real kernel
* Mon Aug 19 2024 Pavel Valena <pvalena@redhat.com> - 057-70.git20240819
- fix(systemd): set right permissions for the machine-id file
- feat(lsinitrd.sh): look for initrd in /usr/lib/modules/