From 021f5a146e738d4641e90cd42ea2ccb0fc31ce5a Mon Sep 17 00:00:00 2001 
From: Philipp Rudo Date: Tue, 9 Jul 2024 15:17:35 +0200 Subject: [PATCH] kdumpctl: Drop default kexec '-d' option Resolves: RHEL-46773 commit 3028529915d3026e62b59d8f3faadddd410baa75 Author: Philipp Rudo Date: Fri Jun 14 11:48:24 2024 +0200 kdumpctl: Drop default kexec '-d' option Kernel commits cbc2fe9d9cb2 ("kexec_file: add kexec_file flag to control debug printing") and a85ee18c7900 ("kexec_file: print out debugging message if required") added debug messages to the kexec_file_load system call when option -d is provided to the kexec user space tool. As kexec_file_load is the default and option -d is set by default these messages are always printed when a crash kernel is loaded. This not only clutters the kernel log but also potentially leaks confidential kernel information to users. As the messages are printed to the kernel log, not stderr, the redirection to /var/log/kdump.log won't catch them. This will become even more problematic as for RHEL10 the kernel will be built without support for the kexec_load system call. So kexec_file_load will be the only choice in the future. The redirection also caused confusion in a recent bug report. There a user moved a working /etc/sysconfig/kdump from ppc to s390 with KEXEC_ARGS containing the --dt-no-old-root option. This option is arch specific and does not exist on s390. Thus the kexec-tools failed with an 'unrecognized option' error followed by the usage(). The problem was that the 'unrecognized option' error is printed to stderr, which got redirected to /var/log/kdump.log, while the usage() is printed to stdout, which ended up in the systemd journal. This caused confusion as the user only checked the journal and found the usage() without any error message. Thus remove the default -d option and the redirection of stderr to /var/log/kdump.log for the kexec-tools user space tool. This commit ultimately reverts 88a8b94 ("kdumpctl: add the '-d' option to enable the kexec loading debugging messages"). 
Signed-off-by: Philipp Rudo Signed-off-by: Philipp Rudo
---
 ...kdumpctl-Drop-default-kexec-d-option.patch | 120 ++++++++++++++++++
 kexec-tools.spec | 2 +
 2 files changed, 122 insertions(+)
 create mode 100644 0001-kdumpctl-Drop-default-kexec-d-option.patch
diff --git a/0001-kdumpctl-Drop-default-kexec-d-option.patch b/0001-kdumpctl-Drop-default-kexec-d-option.patch
new file mode 100644
index 0000000..9934784
--- /dev/null
+++ b/0001-kdumpctl-Drop-default-kexec-d-option.patch
@@ -0,0 +1,120 @@
+From 32f9ada4bfa9f9690bdcdb21de40568c81a5ea80 Mon Sep 17 00:00:00 2001
+From: Philipp Rudo
+Date: Fri, 14 Jun 2024 11:48:24 +0200
+Subject: [PATCH 1/7] kdumpctl: Drop default kexec '-d' option
+
+Kernel commits cbc2fe9d9cb2 ("kexec_file: add kexec_file flag to control
+debug printing") and a85ee18c7900 ("kexec_file: print out debugging
+message if required") added debug messages to the kexec_file_load system
+call when option -d is provided to the kexec user space tool. As
+kexec_file_load is the default and option -d is set by default these
+messages are always printed when a crash kernel is loaded. This not only
+clutters the kernel log but also potentially leaks confidential kernel
+information to users. As the messages are printed to the kernel log, not
+stderr, the redirection to /var/log/kdump.log won't catch them. This
+will become even more problematic as for RHEL10 the kernel will be built
+without support for the kexec_load system call. So kexec_file_load will
+be the only choice in the future.
+
+The redirection also caused confusion in a recent bug report. There a
+user moved a working /etc/sysconfig/kdump from ppc to s390 with
+KEXEC_ARGS containing the --dt-no-old-root option. This option is arch
+specific and does not exist on s390. Thus the kexec-tools failed with an
+'unrecognized option' error followed by the usage(). The problem was
+that the 'unrecognized option' error is printed to stderr, which got
+redirected to /var/log/kdump.log, while the usage() is printed to
+stdout, which ended up in the systemd journal. This caused confusion as
+the user only checked the journal and found the usage() without any
+error message.
+
+Thus remove the default -d option and the redirection of stderr to
+/var/log/kdump.log for the kexec-tools user space tool.
+
+This commit ultimately reverts 88a8b94 ("kdumpctl: add the '-d' option to
+enable the kexec loading debugging messages").
+
+Signed-off-by: Philipp Rudo
+---
+ kdumpctl | 21 +++------------------
+ kexec-kdump-howto.txt | 7 +------
+ 2 files changed, 4 insertions(+), 24 deletions(-)
+
+diff --git a/kdumpctl b/kdumpctl
+index 30eb27d..8dc56e5 100755
+--- a/kdumpctl
++++ b/kdumpctl
+@@ -5,7 +5,6 @@ KDUMP_KERNELVER=""
+ KDUMP_KERNEL=""
+ KDUMP_COMMANDLINE=""
+ KEXEC_ARGS=""
+-KDUMP_LOG_PATH="/var/log"
+ MKDUMPRD="/sbin/mkdumprd -f"
+ MKFADUMPRD="/sbin/mkfadumprd"
+ DRACUT_MODULES_FILE="/usr/lib/dracut/modules.txt"
+@@ -17,7 +16,7 @@ TARGET_INITRD=""
+ #kdump shall be the default dump mode
+ DEFAULT_DUMP_MODE="kdump"
+
+-standard_kexec_args="-d -p"
++standard_kexec_args="-p"
+
+ # Some default values in case /etc/sysconfig/kdump doesn't include
+ KDUMP_COMMANDLINE_REMOVE="hugepages hugepagesz slub_debug"
+@@ -696,7 +695,7 @@ function load_kdump_kernel_key()
+ # as the currently running kernel.
+ load_kdump()
+ {
+- local ret uki
++ local uki
+
+ KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
+ KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
+@@ -713,26 +712,12 @@ load_kdump()
+
+ ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
+
+- # The '12' represents an intermediate temporary file descriptor
+- # to store the standard error file descriptor '2', and later
+- # restore the error file descriptor with the file descriptor '12'
+- # and release it.
+- exec 12>&2
+- exec 2>> $KDUMP_LOG_PATH/kdump.log
+- chmod 600 $KDUMP_LOG_PATH/kdump.log
+- PS4='+ $(date "+%Y-%m-%d %H:%M:%S") ${BASH_SOURCE}@${LINENO}: '
+- set -x
+-
+ # shellcheck disable=SC2086
+ $KEXEC $KEXEC_ARGS $standard_kexec_args \
+ --command-line="$KDUMP_COMMANDLINE" \
+ --initrd="$TARGET_INITRD" "$KDUMP_KERNEL"
+
+- ret=$?
+- set +x
+- exec 2>&12 12>&-
+-
+- if [[ $ret == 0 ]]; then
++ if [[ $? == 0 ]]; then
+ dinfo "kexec: loaded kdump kernel"
+ return 0
+ else
+diff --git a/kexec-kdump-howto.txt b/kexec-kdump-howto.txt
+index 6741faf..c65d45a 100644
+--- a/kexec-kdump-howto.txt
++++ b/kexec-kdump-howto.txt
+@@ -1016,12 +1016,7 @@ Debugging Tips
+ and the second kernel.
+
+ In the first kernel, you can find the historical logs with the journalctl
+- command and check kdump service debugging information. In addition, the
+- 'kexec -d' debugging messages are also saved to /var/log/kdump.log in the
+- first kernel. For example:
+-
+- [root@ibm-z-109 ~]# ls -al /var/log/kdump.log
+- -rw-r--r--. 1 root root 63238 Oct 28 06:40 /var/log/kdump.log
++ command and check kdump service debugging information.
+
+ If you want to get the debugging information of building kdump initramfs, you
+ can enable the '--debug' option for the dracut_args in the /etc/kdump.conf, and
+--
+2.45.2
+
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 7851dd5..00d0ca7 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -65,6 +65,7 @@ Patch609: 0007-fadump-udev-do-not-re-register-fadump-if-kernel-hotp.patch
 Patch610: kexec-tools-2.0.28-makedumpfile-0002-PATCH-Fix-failure-of-hugetlb-pages-exclusion-on-Linu.patch
 Patch611: kexec-tools-2.0.28-makedumpfile-0003-PATCH-Fix-wrong-exclusion-of-Slab-pages-on-Linux-6.1.patch
 Patch612: 0001-Use-grep-q-cmd-instead-of-cmd-grep-q.patch
+Patch613: 0001-kdumpctl-Drop-default-kexec-d-option.patch
 
 %description
 kexec-tools provides /sbin/kexec binary that facilitates a new
@@ -160,6 +161,7 @@ tar -z -x -v -f %{SOURCE19}
 %patch 610 -p1
 %patch 611 -p1
 %patch 612 -p1 -d kdump-utils-%{kdump_utils_ver}
+%patch 613 -p1 -d kdump-utils-%{kdump_utils_ver}
 
 %ifarch ppc
 %define archdef ARCH=ppc
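Review bot: Nothing in the new code deals with a `/var/log/kdump.log` left behind by earlier versions: in the kdumpctl part of the added 0001-kdumpctl-Drop-default-kexec-d-option.patch, `load_kdump()` loses the `chmod 600` together with the stderr redirection, so on an upgraded host the old `kexec -d` and `set -x` trace output stays on disk with whatever mode it already had (the howto example removed in the same patch shows `-rw-r--r--`). If that output is sensitive in the way the commit message describes for the kernel-log copy — an inference, since the file's contents are not shown here — the release notes or the howto should tell admins to check its permissions or delete it. The howto hunk also leaves no hint on how to get the debug output back; I would add a sentence such as `To get the kexec debugging messages, add '-d' to KEXEC_ARGS in /etc/sysconfig/kdump; with kexec_file_load they are printed to the kernel log.` The body of `load_kdump()` begins and ends outside the inner hunks.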