From f8e78fc03427bbf3a86293d3ef37b9445276a913 Mon Sep 17 00:00:00 2001
From: Pavel Valena
Date: Wed, 27 Nov 2024 21:54:00 +0100
Subject: [PATCH] dracut-057-79.git20241127

Resolves: RHEL-55245,RHEL-55708,RHEL-56885,RHEL-64754,RHEL-65249,RHEL-66582
---
0070.patch | 250 ++++++++++++++++++++++++++++++++++++++++++++++++++++
0071.patch | 35 ++++++++
0072.patch | 35 ++++++++
0073.patch | 100 +++++++++++++++++++++
0074.patch | 138 +++++++++++++++++++++++++++++
0075.patch | 28 ++++++
0076.patch | 118 +++++++++++++++++++++++++
0077.patch | 52 +++++++++++
0078.patch | 83 +++++++++++++++++
dracut.spec | 21 ++++-
10 files changed, 859 insertions(+), 1 deletion(-)
create mode 100644 0070.patch
create mode 100644 0071.patch
create mode 100644 0072.patch
create mode 100644 0073.patch
create mode 100644 0074.patch
create mode 100644 0075.patch
create mode 100644 0076.patch
create mode 100644 0077.patch
create mode 100644 0078.patch

diff --git a/0070.patch b/0070.patch
new file mode 100644
index 0000000..edfdd77
--- /dev/null
+++ b/0070.patch
@@ -0,0 +1,250 @@ +From 29616c6a89437e138bb5abc55b42325d0d2b1394 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Tue, 22 Oct 2024 17:30:32 +0200 +Subject: [PATCH] ci: fix CentOS-9-Stream container and ci config + + - correct URL for dash + - add missing dependencies + - use centos9 instead of fedora + +rhel-only + +Resolves: RHEL-65249 +--- + .github/workflows/integration.yml | 4 +- + test/container/Dockerfile-Arch | 25 ------------- + test/container/Dockerfile-CentOS-9-Stream | 5 ++- + test/container/Dockerfile-Debian | 61 ------------------------------- + test/container/Dockerfile-Fedora-latest | 56 ---------------------------- + test/container/Dockerfile-OpenSuse-latest | 23 ------------ + 6 files changed, 5 insertions(+), 169 deletions(-) + +diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml +index c22bf916..c023ab16 100644 +--- a/.github/workflows/integration.yml ++++ b/.github/workflows/integration.yml +@@ -14,7 +14,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "04", +@@ -40,7 +40,7 @@ jobs: + strategy: + matrix: + container: [ +- "fedora:latest", ++ "centos:stream9", + ] + test: [ + "01", +diff --git a/test/container/Dockerfile-Arch b/test/container/Dockerfile-Arch +deleted file mode 100644 +index 4112cc5b..00000000 +--- a/test/container/Dockerfile-Arch ++++ /dev/null +@@ -1,25 +0,0 @@ +-FROM docker.io/archlinux +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN pacman --noconfirm -Sy \ +- linux dash strace dhclient asciidoc cpio pigz squashfs-tools \ +- qemu btrfs-progs mdadm dmraid nfs-utils nfsidmap lvm2 nbd \ +- dhcp networkmanager 
multipath-tools vi tcpdump open-iscsi \ +- git shfmt shellcheck astyle which base-devel glibc parted && yes | pacman -Scc +- +-RUN useradd -m build +-RUN su build -c 'cd && git clone https://aur.archlinux.org/perl-config-general.git && cd perl-config-general && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/perl-config-general/*.pkg.tar.* +-RUN su build -c 'cd && git clone https://aur.archlinux.org/tgt.git && cd tgt && echo "CFLAGS=-Wno-error=stringop-truncation" >> PKGBUILD && makepkg -s --noconfirm' +-RUN pacman -U --noconfirm ~build/tgt/*.pkg.tar.* +-RUN rm -fr ~build +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream +index abcc067e..26d308d2 100644 +--- a/test/container/Dockerfile-CentOS-9-Stream ++++ b/test/container/Dockerfile-CentOS-9-Stream +@@ -8,9 +8,10 @@ LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=h + RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh + + # Install needed packages for the dracut CI container +-# FIXME: properly re-add dash once C9S EPEL is available ++# FIXME: add dmraid, scsi-target-utils (e.g. 
from COPR) + RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \ +- http://mirrors.kernel.org/fedora/releases/34/Everything/x86_64/os/Packages/d/dash-0.5.10.2-8.fc34.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \ ++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \ + qemu-kvm \ + NetworkManager \ + asciidoc \ +diff --git a/test/container/Dockerfile-Debian b/test/container/Dockerfile-Debian +deleted file mode 100644 +index 15eb9958..00000000 +--- a/test/container/Dockerfile-Debian ++++ /dev/null +@@ -1,61 +0,0 @@ +-FROM docker.io/debian:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN apt-get update -y -qq && apt-get upgrade -y -qq && DEBIAN_FRONTEND=noninteractive apt-get install -y -qq --no-install-recommends -o Dpkg::Use-Pty=0 \ +- asciidoc \ +- astyle \ +- btrfs-progs \ +- busybox-static \ +- bzip2 \ +- ca-certificates \ +- console-setup \ +- cpio \ +- cryptsetup \ +- curl \ +- dash \ +- debhelper \ +- debhelper-compat \ +- docbook \ +- docbook-xml \ +- docbook-xsl \ +- fdisk \ +- g++ \ +- git \ +- iputils-ping \ +- isc-dhcp-client \ +- kmod \ +- less \ +- libkmod-dev \ +- linux-image-generic \ +- lvm2 \ +- make \ +- mdadm \ +- multipath-tools \ +- nbd-client \ +- network-manager \ +- nfs-common \ +- open-iscsi \ +- parted \ +- pigz \ +- pkg-config \ +- procps \ +- qemu-system-x86 \ +- quilt \ +- shellcheck \ +- squashfs-tools \ +- strace \ +- sudo \ +- tcpdump \ +- vim \ +- wget \ +- && apt-get clean +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git 
a/test/container/Dockerfile-Fedora-latest b/test/container/Dockerfile-Fedora-latest +deleted file mode 100644 +index a38a72ef..00000000 +--- a/test/container/Dockerfile-Fedora-latest ++++ /dev/null +@@ -1,56 +0,0 @@ +-FROM registry.fedoraproject.org/fedora:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash \ +- pigz \ +- asciidoc \ +- mdadm \ +- lvm2 \ +- dmraid \ +- cryptsetup \ +- nfs-utils \ +- nbd \ +- dhcp-server \ +- scsi-target-utils \ +- iscsi-initiator-utils \ +- strace \ +- btrfs-progs \ +- kmod-devel \ +- gcc \ +- bzip2 \ +- xz \ +- tar \ +- wget \ +- rpm-build \ +- make \ +- git \ +- bash-completion \ +- sudo \ +- kernel \ +- dhcp-client \ +- /usr/bin/qemu-kvm \ +- /usr/bin/qemu-system-$(uname -i) \ +- e2fsprogs \ +- tcpdump \ +- iproute \ +- iputils \ +- dbus-daemon \ +- kbd \ +- NetworkManager \ +- squashfs-tools \ +- which \ +- ShellCheck \ +- shfmt \ +- parted \ +- && dnf -y update && dnf clean all +- +-# Set default command +-CMD ["/usr/bin/bash"] +diff --git a/test/container/Dockerfile-OpenSuse-latest b/test/container/Dockerfile-OpenSuse-latest +deleted file mode 100644 +index 9aaf07b1..00000000 +--- a/test/container/Dockerfile-OpenSuse-latest ++++ /dev/null +@@ -1,23 +0,0 @@ +-FROM registry.opensuse.org/opensuse/tumbleweed-dnf:latest +- +-MAINTAINER https://github.com/dracutdevs/dracut +- +-ENV container docker +-LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE" +- +-RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh +- +-# 
Install needed packages for the dracut CI container +-RUN dnf -y install --setopt=install_weak_deps=False \ +- dash asciidoc mdadm lvm2 dmraid cryptsetup nfs-utils nbd dhcp-server \ +- strace libkmod-devel gcc bzip2 xz tar wget rpm-build make git bash-completion \ +- sudo kernel dhcp-client qemu-kvm /usr/bin/qemu-system-$(uname -m) e2fsprogs \ +- tcpdump iproute iputils kbd NetworkManager btrfsprogs tgt dbus-broker \ +- iscsiuio open-iscsi which ShellCheck procps pigz parted squashfs \ +- && dnf -y update && dnf clean all +- +-RUN shfmt_version=3.2.4; wget "https://github.com/mvdan/sh/releases/download/v${shfmt_version}/shfmt_v${shfmt_version}_linux_amd64" -O /usr/local/bin/shfmt \ +- && chmod +x /usr/local/bin/shfmt +- +-# Set default command +-CMD ["/usr/bin/bash"] + diff --git a/0071.patch b/0071.patch new file mode 100644 index 0000000..4e9daec --- /dev/null +++ b/0071.patch @@ -0,0 +1,35 @@ +From 0a264651d148b543c0c5d6b0a07909cdcb1abfba Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Tue, 26 Nov 2024 11:27:54 +0100 +Subject: [PATCH] fix(35network-manager): install nftables kernel modules + needed + +NetworkManager requires nf_tables, nfnetlink and nft_fwd_netdev kernel +modules to operate balance-slb bonding mode. + +Fixes a6264d1726d9 ("fix(35network-manager): install nft binary during module installation") + +(cherry picked from commit 037da383dd8d9d9d699f1430d6afc790b28b18f8) + +Resolves: RHEL-64754 +--- + modules.d/35network-manager/module-setup.sh | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index c93c6a3c..6ed8c04e 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -19,6 +19,11 @@ installkernel() { + return 0 + } + ++# called by dracut ++installkernel() { ++ instmods nf_tables nfnetlink nft_fwd_netdev ++} ++ + # called by dracut + install() { + local _nm_version + 
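Review bot: In the Dockerfile-CentOS-9-Stream hunk of 0070.patch, `dash` and `btrfs-progs` are installed by passing versioned EPEL RPM URLs straight to `dnf -y install`, so they are treated as command-line packages rather than packages from a configured repository. As far as I know dnf only signature-checks such packages when `localpkg_gpgcheck` is enabled, and it is off by default, so the move from http to https protects the transport but the RPMs are probably installed without GPG verification. The exact-version URLs will also stop resolving once EPEL replaces those builds. Now that EPEL 9 exists, I would enable the repository first (for example `RUN dnf -y install epel-release`, assuming the image's extras repo provides it) and list `dash` and `btrfs-progs` by name, or at least add `--setopt=localpkg_gpgcheck=1` with the EPEL key imported.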
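Review bot: The `installkernel()` added by 0071.patch is a second definition placed directly after the existing `installkernel() { … return 0 }` that the context lines show, so module-setup.sh now defines the function twice and the shell keeps only the later one. Whatever the first body does (it starts outside the hunk) is silently discarded, and a later backport can easily edit the copy that is never used. I would fold the call into the existing function, `instmods nf_tables nfnetlink nft_fwd_netdev` ahead of its `return 0`, and drop the duplicate together with its `# called by dracut` comment.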
diff --git a/0072.patch b/0072.patch new file mode 100644 index 0000000..95a48cc --- /dev/null +++ b/0072.patch @@ -0,0 +1,35 @@ +From 3db62d5a16557941ef95ab0aa838f1012c20af9e Mon Sep 17 00:00:00 2001 +From: Fernando Fernandez Mancera +Date: Thu, 21 Nov 2024 00:40:27 +0100 +Subject: [PATCH] fix(35network-manager): install nft binary during module + installation + +NetworkManager has a new bonding mode called balance-slb. This mode is +used in environments where NICs are connected to switches without LACP. +In order to work, NetworkManager configures a set of nftables rules. + +The 'nft' binary is required to work. + +Signed-off-by: Fernando Fernandez Mancera + +(cherry picked from commit 37317b61fda5181aeb0604381e994e8181a53200) + +Resolves: RHEL-64754 +--- + modules.d/35network-manager/module-setup.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh +index 6ed8c04e..4fd3d051 100755 +--- a/modules.d/35network-manager/module-setup.sh ++++ b/modules.d/35network-manager/module-setup.sh +@@ -37,7 +37,7 @@ install() { + inst NetworkManager + inst_multiple -o /usr/{lib,libexec}/nm-initrd-generator + inst_multiple -o /usr/{lib,libexec}/nm-daemon-helper +- inst_multiple -o teamd dhclient ++ inst_multiple -o teamd dhclient nft + inst_hook cmdline 99 "$moddir/nm-config.sh" + if dracut_module_included "systemd"; then + + diff --git a/0073.patch b/0073.patch new file mode 100644 index 0000000..0246d4d --- /dev/null +++ b/0073.patch 
@@ -0,0 +1,100 @@ +From e3bba58810038d0e7bc83988355e07eb30c1f5a7 Mon Sep 17 00:00:00 2001 +From: Huaxin Lu +Date: Thu, 20 Jun 2024 13:38:26 +0800 +Subject: [PATCH] fix(dracut-install): copy xattr when use clone ioctl + +When use clone ioctl to copy a file, the extended attributes of files are +missing, which is inconsistent with the result by using the cp command. +This commit add the process to copy extended attributes after clone_file(). + +Signed-off-by: Huaxin Lu + +(cherry picked from commit 1cf0db26e43fe4c6173acdb8047f16666ebf070a) + +Resolves: RHEL-55245 +--- + src/install/dracut-install.c | 56 ++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 56 insertions(+) + +diff --git a/src/install/dracut-install.c b/src/install/dracut-install.c +index 997d62d3..2ad783d3 100644 +--- a/src/install/dracut-install.c ++++ b/src/install/dracut-install.c +@@ -43,6 +43,7 @@ + #include + #include + #include ++#include + + #include "log.h" + #include "hashmap.h" +@@ -267,6 +268,56 @@ static inline int clone_file(int dest_fd, int src_fd) + return ioctl(dest_fd, BTRFS_IOC_CLONE, src_fd); + } + ++static int copy_xattr(int dest_fd, int src_fd) ++{ ++ int ret = 0; ++ ssize_t name_len = 0, value_len = 0; ++ char *name_buf = NULL, *name = NULL, *value = NULL, *value_save = NULL; ++ ++ name_len = flistxattr(src_fd, NULL, 0); ++ if (name_len < 0) ++ return -1; ++ ++ name_buf = calloc(1, name_len + 1); ++ if (name_buf == NULL) ++ return -1; ++ ++ name_len = flistxattr(src_fd, name_buf, name_len); ++ if (name_len < 0) ++ goto out; ++ ++ for (name = name_buf; name != name_buf + name_len; name = strchr(name, '\0') + 1) { ++ value_len = fgetxattr(src_fd, name, NULL, 0); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } ++ ++ value_save = value; ++ value = realloc(value, value_len); ++ if (value == NULL) { ++ value = value_save; ++ ret = -1; ++ goto out; ++ } ++ ++ value_len = fgetxattr(src_fd, name, value, value_len); ++ if (value_len < 0) { ++ ret = -1; ++ continue; ++ } 
++ ++ value_len = fsetxattr(dest_fd, name, value, value_len, 0); ++ if (value_len < 0) ++ ret = -1; ++ } ++ ++out: ++ free(name_buf); ++ free(value); ++ return ret; ++} ++ + static bool use_clone = true; + + static int cp(const char *src, const char *dst) +@@ -308,6 +359,11 @@ static int cp(const char *src, const char *dst) + log_info("Failed to chown %s: %m", dst); + } + ++ if (geteuid() == 0 && no_xattr == false) { ++ if (copy_xattr(dest_desc, source_desc) != 0) ++ log_error("Failed to copy xattr %s: %m", dst); ++ } ++ + tv[0].tv_sec = sb.st_atime; + tv[0].tv_usec = 0; + tv[1].tv_sec = sb.st_mtime; + diff --git a/0074.patch b/0074.patch new file mode 100644 index 0000000..708a625 --- /dev/null +++ b/0074.patch 
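Review bot: `copy_xattr()` in 0073.patch can free `value` twice when an attribute with an empty value follows one with a non-empty value: `realloc(value, 0)` may release the buffer and return NULL, after which `value = value_save` restores the stale pointer and `free(value)` at `out:` frees it again. Requesting at least one byte avoids that, e.g. `value = realloc(value, value_len ? value_len : 1);`. Separately, when the second `flistxattr()` call fails (the attribute list can grow between the two calls) the code jumps to `out` with `ret` still 0, so `cp()` never logs the failure; set `ret = -1;` before that `goto out;`. Both are worth fixing because the caller only takes this path when `geteuid() == 0`.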
@@ -0,0 +1,138 @@ +From 01e51a69c34b58ddb974a1489c2990bb77bf791e Mon Sep 17 00:00:00 2001 +From: Lichen Liu +Date: Wed, 7 Aug 2024 10:13:37 +0800 +Subject: [PATCH] feat(dracut.sh): add --add-confdir option + +When generating kdump's initrd, we want to keep [omit_]dracutmodules +empty and let kdump to handle the modules. And we don't want to +affect the first kernel's initrd, so we cannot place our conf file +to /etc/dracut.conf.d or /usr/lib/dracut/dracut.conf.d. + +This patch adds a new option to allow user to add an extra configuration +directory to use *.conf files from. If the dir not exists, will look for +confdir's subdir. + +After that, kdump can use "--add-confdir kdump" if +/usr/lib/dracut/dracut.conf.d/kdump exists, to apply its own dracut conf. + +See also: +https://github.com/rhkdump/kdump-utils/issues/11 +https://github.com/rhkdump/kdump-utils/pull/31 + +Suggested-by: Dave Young +Signed-off-by: Lichen Liu + +(cherry picked from commit ae81535037c42b716d8cbb9dc18942b5c6f16fed) + +Resolves: RHEL-66582 +--- + dracut.sh | 25 ++++++++++++++++++++++++- + man/dracut.8.asc | 8 ++++++++ + shell-completion/bash/dracut | 4 ++-- + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 778eefd7..7e4b0602 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -156,6 +156,9 @@ Creates initial ramdisk images for preloading modules + Default: /etc/dracut.conf + --confdir [DIR] Specify configuration directory to use *.conf files + from. Default: /etc/dracut.conf.d ++ --add-confdir [DIR] Add an extra configuration directory to use *.conf ++ files from. If the directory is not existed, will ++ look for subdirectory under confdir. + --tmpdir [DIR] Temporary directory to be used instead of default + ${TMPDIR:-/var/tmp}. + -r, --sysroot [DIR] Specify sysroot directory to collect files from. 
+@@ -400,6 +403,7 @@ rearrange_params() { + --long kmoddir: \ + --long conf: \ + --long confdir: \ ++ --long add-confdir: \ + --long tmpdir: \ + --long sysroot: \ + --long stdlog: \ +@@ -676,6 +680,11 @@ while :; do + PARMS_TO_STORE+=" '$2'" + shift + ;; ++ --add-confdir) ++ add_confdir="$2" ++ PARMS_TO_STORE+=" '$2'" ++ shift ++ ;; + --tmpdir) + tmpdir_l="$2" + PARMS_TO_STORE+=" '$2'" +@@ -931,6 +940,20 @@ elif [[ ! -d $confdir ]]; then + exit 1 + fi + ++if [[ -n $add_confdir ]]; then ++ if [[ -d $add_confdir ]]; then ++ : ++ # Check if it exists under $confdir. ++ elif [[ -d $confdir/$add_confdir ]]; then ++ add_confdir="$confdir/$add_confdir" ++ elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ else ++ printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 ++ exit 1 ++ fi ++fi ++ + # source our config file + if [[ -f $conffile ]]; then + check_conf_file "$conffile" +@@ -939,7 +962,7 @@ if [[ -f $conffile ]]; then + fi + + # source our config dir +-for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do ++for f in $(dropindirs_sort ".conf" "$confdir" "$add_confdir" "$dracutbasedir/dracut.conf.d"); do + check_conf_file "$f" + # shellcheck disable=SC1090 + [[ -e $f ]] && . "$f" +diff --git a/man/dracut.8.asc b/man/dracut.8.asc +index 8339e8a9..15ae36e6 100644 +--- a/man/dracut.8.asc ++++ b/man/dracut.8.asc +@@ -311,6 +311,14 @@ Default: + Default: + _/etc/dracut.conf.d_ + ++**--add-confdir** __:: ++ Add an extra configuration directory to use *.conf files from. If the ++ directory is not existed, will look for subdirectory under confdir. +++ ++Default: ++ _empty_ ++ ++ + **--tmpdir** __:: + Specify temporary directory to use. 
+ + +diff --git a/shell-completion/bash/dracut b/shell-completion/bash/dracut +index 9b51db01..bc14aa9a 100644 +--- a/shell-completion/bash/dracut ++++ b/shell-completion/bash/dracut +@@ -46,14 +46,14 @@ _dracut() { + --kernel-cmdline --sshkey --persistent-policy --install-optional + --loginstall --uefi-stub --kernel-image --squash-compressor + --sysroot --hostonly-mode --hostonly-nics --include --logfile +- --uefi-splash-image --sbat ++ --uefi-splash-image --sbat --add-confdir + ' + ) + + # shellcheck disable=SC2086 + if __contains_word "$prev" ${OPTS[ARG]}; then + case $prev in +- --kmoddir | -k | --fwdir | --confdir | --tmpdir | -r | --sysroot) ++ --kmoddir | -k | --fwdir | --confdir | --add-confdir | --tmpdir | -r | --sysroot) + comps=$(compgen -d -- "$cur") + compopt -o filenames + ;; + diff --git a/0075.patch b/0075.patch new file mode 100644 index 0000000..21ce11c --- /dev/null +++ b/0075.patch @@ -0,0 +1,28 @@ +From cb1c0c94322768dcdc8748b3623c0a4ba1afde71 Mon Sep 17 00:00:00 2001 +From: Jo Zzsi +Date: Wed, 11 Sep 2024 16:57:13 -0400 +Subject: [PATCH] fix: typo in variable name + +(cherry picked from commit 76b2f1a9b52afd4203c1d0e6afb57314bbfe8407) + +Resolves: RHEL-66582 +--- + dracut.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 7e4b0602..f748a073 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -946,8 +946,8 @@ if [[ -n $add_confdir ]]; then + # Check if it exists under $confdir. + elif [[ -d $confdir/$add_confdir ]]; then + add_confdir="$confdir/$add_confdir" +- elif [[ -d $dracutbasdir/dracut.conf.d/$add_confdir ]]; then +- add_confdir="$dracutbasdir/dracut.conf.d/$add_confdir" ++ elif [[ -d $dracutbasedir/dracut.conf.d/$add_confdir ]]; then ++ add_confdir="$dracutbasedir/dracut.conf.d/$add_confdir" + else + printf "%s\n" "dracut[F]: Configuration directory '$add_confdir' not found." >&2 + exit 1 + diff --git a/0076.patch b/0076.patch new file mode 100644 index 0000000..83d5f80 --- /dev/null 
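Review bot: The first test in the block 0074.patch adds to dracut.sh, `[[ -d $add_confdir ]]`, resolves a bare name such as the `kdump` example from the commit message against the current working directory, so a `kdump/` directory wherever dracut happens to be started wins over `$confdir/kdump`, and its `*.conf` files are then sourced by the loop at the end of the same patch. I would accept the argument as-is only when it is absolute, `if [[ $add_confdir == /* && -d $add_confdir ]]; then`, and treat anything else as a subdirectory name. When the option is not given, `"$add_confdir"` is still passed to `dropindirs_sort` as an empty argument; that function is outside this patch, but if it globs `"$d/"*.conf` for each argument, an empty one would make it look in `/`, so `${add_confdir:+"$add_confdir"}` is the safer form there.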
+++ b/0076.patch 
@@ -0,0 +1,118 @@ +From 492bc949e16f78fad9f274744c72bc2fd0161d84 Mon Sep 17 00:00:00 2001 +From: Vitaly Kuznetsov +Date: Fri, 9 Aug 2024 12:49:05 +0200 +Subject: [PATCH] feat(fips): add support for UKIs + +Kernel integrity check in FIPS module is incompatible with UKIs as neither +/boot/vmlinuz-`uname-r` nor /boot/.vmlinuz-`uname-r`.hmac are present. UKI +is placed to $ESP\EFI\Linux\-.efi and if a .hmac file +is present next to it, it is possible to do similar check. + +Note, UKIs have a 'one size fits all' command line and 'boot=' is not expected +to be set. Luckily, if the UKI is systemd-stub based then we can expect +'LoaderDevicePartUUID' variable containing PARTUUID of the ESP to be set. Mount +it to /boot using the existing logic. + +Signed-off-by: Vitaly Kuznetsov + +(cherry picked from commit 72684ff519be4f29c45cbb0f84759e645b0ac4be) + +Resolves: RHEL-56885 +--- + modules.d/01fips/fips.sh | 51 ++++++++++++++++++++++++++++++++++++++++ + modules.d/01fips/module-setup.sh | 2 +- + 2 files changed, 52 insertions(+), 1 deletion(-) + +diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh +index 05631c8a..3889dc0c 100755 +--- a/modules.d/01fips/fips.sh ++++ b/modules.d/01fips/fips.sh +@@ -14,9 +14,22 @@ else + } + fi + ++# Checks if a systemd-based UKI is running and ESP UUID is set ++is_uki() { ++ [ -f /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] \ ++ && [ -f /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f ] ++} ++ + mount_boot() { + boot=$(getarg boot=) + ++ if is_uki && [ -z "$boot" ]; then ++ # efivar file has 4 bytes header and contain UCS-2 data. Note, 'cat' is required ++ # as sys/firmware/efi/efivars/ files are 'special' and don't allow 'seeking'. 
++ # shellcheck disable=SC2002 ++ boot="PARTUUID=$(cat /sys/firmware/efi/efivars/LoaderDevicePartUUID-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f | tail -c +5 | tr -d '\0' | tr 'A-F' 'a-f')" ++ fi ++ + if [ -n "$boot" ]; then + if [ -d /boot ] && ismounted /boot; then + boot_dev= +@@ -81,6 +94,41 @@ do_rhevh_check() { + return 0 + } + ++do_uki_check() { ++ local KVER ++ local uki_checked=0 ++ ++ KVER="$(uname -r)" ++ # UKI are placed in $ESP\EFI\Linux\-.efi ++ if ! [ "$FIPS_MOUNTED_BOOT" = 1 ]; then ++ warn "Failed to mount ESP for doing UKI integrity check" ++ return 1 ++ fi ++ ++ for UKIpath in /boot/EFI/Linux/*-"$KVER".efi; do ++ # UKIs are installed to $ESP/EFI/Linux/-.efi ++ # and in some cases (e.g. when the image is used as a template for creating new ++ # VMs) entry-token-or-machine-id can change. To make sure the running UKI is ++ # always checked, check all UKIs which match the 'uname -r' of the running kernel ++ # and fail the whole check if any of the matching UKIs are corrupted. ++ ++ [ -r "$UKIpath" ] || break ++ ++ local UKI="${UKIpath##*/}" ++ local UKIHMAC=."$UKI".hmac ++ ++ fips_info "checking $UKIHMAC" ++ (cd /boot/EFI/Linux/ && sha512hmac -c "$UKIHMAC") || return 1 ++ uki_checked=1 ++ done ++ ++ if [ "$uki_checked" = 0 ]; then ++ warn "Failed for find UKI for checking" ++ return 1 ++ fi ++ return 0 ++} ++ + nonfatal_modprobe() { + modprobe "$1" 2>&1 > /dev/stdout \ + | while read -r line || [ -n "$line" ]; do +@@ -133,6 +181,9 @@ do_fips() { + elif [ -e "/run/install/repo/images/pxeboot/vmlinuz" ]; then + # This is a boot.iso with the .hmac inside the install.img + do_rhevh_check /run/install/repo/images/pxeboot/vmlinuz || return 1 ++ elif is_uki; then ++ # This is a UKI ++ do_uki_check || return 1 + else + BOOT_IMAGE="$(getarg BOOT_IMAGE)" + +diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh +index 91612ff3..a090bc88 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -67,7 +67,7 @@ 
install() { + inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh" + inst_script "$moddir/fips.sh" /sbin/fips.sh + +- inst_multiple sha512hmac rmmod insmod mount uname umount grep sed sort ++ inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr + + inst_simple /etc/system-fips + + diff --git a/0077.patch b/0077.patch new file mode 100644 index 0000000..b003fd9 --- /dev/null +++ b/0077.patch 
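Review bot: In `do_uki_check()` from 0076.patch, `[ -r "$UKIpath" ] || break` leaves the loop at the first unreadable match, and if an earlier UKI already set `uki_checked=1` the function returns 0 with the remaining images unchecked, which contradicts the comment that every UKI matching `uname -r` is verified. I would keep `break` only for the unexpanded-glob case and fail otherwise, `[ -e "$UKIpath" ] || break` followed by `[ -r "$UKIpath" ] || return 1`. As far as I can tell `sha512hmac -c "$UKIHMAC"` verifies whichever file names are recorded inside the `.hmac` file, so nothing visible here ties the result to `$UKI` itself; a comment stating that assumption, or a check that the file lists `$UKI`, would make the guarantee explicit.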
@@ -0,0 +1,52 @@ +From f4cda60fd9725d5aa6dd25ee67909339d6400af8 Mon Sep 17 00:00:00 2001 +From: Adrien Thierry +Date: Mon, 13 Feb 2023 10:43:32 -0500 +Subject: [PATCH] fix(kernel-modules): use modalias info in get_dev_module() + +When calling dracut with '--hostonly-mode=strict', get_dev_module() gets +called on the system's block devices to find the required drivers. The +driver name is retrieved using udevadm. However, the driver name +returned by udevadm is not necessarily the same as the module name. +This is the case for the Qualcomm UFS driver: udevadm returns +'ufshcd-qcom' while the module name is 'ufs-qcom', so dracut-install is +not able to find the module afterwards. + +To solve this, make get_dev_module() also return the module alias info +from the modalias files contained in the sysfs directories parsed by +udevadm. + +Signed-off-by: Adrien Thierry + +(cherry picked from commit 87a76dbb578aff473e690857d1b714eacd92b9ec) + +Resolves: RHEL-55708 +--- + dracut-functions.sh | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/dracut-functions.sh b/dracut-functions.sh +index 3c475ca7..f2614308 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -971,8 +971,20 @@ block_is_netdevice() { + get_dev_module() { + local dev_attr_walk + local dev_drivers ++ local dev_paths + dev_attr_walk=$(udevadm info -a "$1") + dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ ++ # also return modalias info from sysfs paths parsed by udevadm ++ dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') ++ local dev_path ++ for dev_path in $dev_paths; do ++ local modalias_file="/sys$dev_path/modalias" ++ if [ -e "$modalias_file" ]; then ++ dev_drivers="$(printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")")" ++ fi ++ done ++ + # if no kernel modules found and device is in a virtual subsystem, follow symlinks + if [[ -z $dev_drivers && $(udevadm info -q path "$1") == "/devices/virtual"* ]]; then + 
local dev_vkernel + diff --git a/0078.patch b/0078.patch new file mode 100644 index 0000000..d763e13 --- /dev/null +++ b/0078.patch 
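Review bot: In the `get_dev_module()` hunk of 0077.patch, `printf "%s\n%s" "$dev_drivers" "$(cat "$modalias_file")"` yields a value that starts with a newline whenever `dev_drivers` is still empty, so the result gains an empty first entry. The function already has a separator idiom further down (visible in the 0078.patch context), so I would write `[[ -n $dev_drivers ]] && dev_drivers+=$'\n'` and then `dev_drivers+=$(cat "$modalias_file")`. Note also that once any modalias is appended, the `[[ -z $dev_drivers && … ]]` virtual-device fallback right below no longer runs; if that is intended, a one-line comment saying so would help. The function body continues outside the hunk.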
@@ -0,0 +1,83 @@ +From f194bd6ad64f7baae1a8fded967a198b1127cb64 Mon Sep 17 00:00:00 2001 +From: Tao Liu +Date: Wed, 12 Apr 2023 23:02:25 +0800 +Subject: [PATCH] fix(dracut-functions.sh): convert mmcblk to the real kernel + module name + +In some x86_64 platforms such as Intel Elkhartlake, an issue of missing +necessary modules due to udevadm drivers field unmatch the real kernel module +name is found: + + $ udevadm info -a /dev/block/179:1 + + looking at parent device '/devices/pci0000:00/0000:00:1a.0/mmc_host/mmc0/mmc0:0001': + KERNELS=="mmc0:0001" + SUBSYSTEMS=="mmc" + DRIVERS=="mmcblk" + .... + +The DRIVERS field, aka mmcblk will be given to instmods to install the +corresponding mmc_block.ko kernel module. However mmc_block.ko cannot be +selected by string mmcblk, as a result, mmc_block.ko cannot be installed +in hostonly-mode strict, which will fail to bootup the machine such as in +kdump cases: + + $ /usr/lib/dracut/dracut-install -D /var/tmp --kerneldir /lib/modules/$(uname -r)/ -m mmcblk + dracut-install: Failed to find module 'mmcblk' + +In this patch, we will convert the string mmcblk to mmc_block, so the +kernel module can be successfully loaded. 
+ +Signed-off-by: Tao Liu + +(cherry picked from commit a62e895db9510f0fc4c47ee81b1436096eca4d64) + +Resolves: RHEL-55708 +--- + dracut-functions.sh | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/dracut-functions.sh b/dracut-functions.sh +index f2614308..2e582ebc 100755 +--- a/dracut-functions.sh ++++ b/dracut-functions.sh +@@ -967,13 +967,30 @@ block_is_netdevice() { + block_is_nbd "$1" || block_is_iscsi "$1" || block_is_fcoe "$1" + } + ++# convert the driver name given by udevadm to the corresponding kernel module name ++get_module_name() { ++ local dev_driver ++ while read -r dev_driver; do ++ case "$dev_driver" in ++ mmcblk) ++ echo "mmc_block" ++ ;; ++ *) ++ echo "$dev_driver" ++ ;; ++ esac ++ done ++} ++ + # get the corresponding kernel modules of a /sys/class/*/* or/dev/* device + get_dev_module() { + local dev_attr_walk + local dev_drivers + local dev_paths + dev_attr_walk=$(udevadm info -a "$1") +- dev_drivers=$(echo "$dev_attr_walk" | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p') ++ dev_drivers=$(echo "$dev_attr_walk" \ ++ | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name) + + # also return modalias info from sysfs paths parsed by udevadm + dev_paths=$(echo "$dev_attr_walk" | sed -n 's/.*\(\/devices\/.*\)'\'':/\1/p') +@@ -1001,6 +1018,7 @@ get_dev_module() { + [[ -n $dev_drivers && ${dev_drivers: -1} != $'\n' ]] && dev_drivers+=$'\n' + dev_drivers+=$(udevadm info -a "$dev_vpath/$dev_link" \ + | sed -n 's/\s*DRIVERS=="\(\S\+\)"/\1/p' \ ++ | get_module_name \ + | grep -v -e pcieport) + done + fi diff --git a/dracut.spec b/dracut.spec index c238655..aa29476 100644 --- a/dracut.spec +++ b/dracut.spec @@ -5,7 +5,7 @@ # strip the automatically generated dep here and instead co-own the # directory. %global __requires_exclude pkg-config -%define dist_free_release 70.git20240819 +%define dist_free_release 79.git20241127 Name: dracut Version: 057 
@@ -98,6 +98,15 @@ Patch66: 0066.patch Patch67: 0067.patch Patch68: 0068.patch Patch69: 0069.patch +Patch70: 0070.patch +Patch71: 0071.patch +Patch72: 0072.patch +Patch73: 0073.patch +Patch74: 0074.patch +Patch75: 0075.patch +Patch76: 0076.patch +Patch77: 0077.patch +Patch78: 0078.patch Source1: https://www.gnu.org/licenses/lgpl-2.1.txt @@ -550,6 +559,16 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Wed Nov 27 2024 Pavel Valena - 057-79.git20241127 +- fix(35network-manager): install nftables kernel modules +- fix(35network-manager): install nft binary during module +- fix(dracut-install): copy xattr when use clone ioctl +- feat(dracut.sh): add --add-confdir option +- fix: typo in variable name +- feat(fips): add support for UKIs +- fix(kernel-modules): use modalias info in get_dev_module() +- fix(dracut-functions.sh): convert mmcblk to the real kernel + * Mon Aug 19 2024 Pavel Valena - 057-70.git20240819 - fix(systemd): set right permissions for the machine-id file - feat(lsinitrd.sh): look for initrd in /usr/lib/modules/