import CS kexec-tools-2.0.26-14.el8

eabdullin 2024-03-27 19:54:38 +00:00
parent 4e334b5cd7
commit 02fbb13546
6 changed files with 90 additions and 56 deletions


@ -49,11 +49,6 @@ early_kdump_load()
EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s"
fi
# Here, only output the messages, but do not save these messages # Here, only output the messages, but do not save these messages
# to a file because the target disk may not be mounted yet, the # to a file because the target disk may not be mounted yet, the
# earlykdump is too early. # earlykdump is too early.


@ -363,6 +363,14 @@ _get_nic_driver() {
ethtool -i "$1" | sed -n -E "s/driver: (.*)/\1/p" ethtool -i "$1" | sed -n -E "s/driver: (.*)/\1/p"
} }
_get_hpyerv_physical_driver() {
local _physical_nic
_physical_nic=$(find /sys/class/net/"$1"/ -name 'lower_*' | sed -En "s/\/.*lower_(.*)/\1/p")
[[ -n $_physical_nic ]] || return
_get_nic_driver "$_physical_nic"
}
kdump_install_nic_driver() { kdump_install_nic_driver() {
local _netif _driver _drivers local _netif _driver _drivers
@ -382,6 +390,11 @@ kdump_install_nic_driver() {
elif [[ $_driver == "team" ]]; then elif [[ $_driver == "team" ]]; then
# install the team mode drivers like team_mode_roundrobin.ko as well # install the team mode drivers like team_mode_roundrobin.ko as well
_driver='=drivers/net/team' _driver='=drivers/net/team'
elif [[ $_driver == "hv_netvsc" ]]; then
# A Hyper-V VM may have accelerated networking
# https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview
# Install the driver of physical NIC as well
_drivers+=("$(_get_hpyerv_physical_driver "$_netif")")
fi fi
_drivers+=("$_driver") _drivers+=("$_driver")
@ -1127,6 +1140,15 @@ install() {
's/\(^[[:space:]]*reserved_memory[[:space:]]*=\)[[:space:]]*[[:digit:]]*/\1 1024/' \ 's/\(^[[:space:]]*reserved_memory[[:space:]]*=\)[[:space:]]*[[:digit:]]*/\1 1024/' \
${initdir}/etc/lvm/lvm.conf &>/dev/null ${initdir}/etc/lvm/lvm.conf &>/dev/null
# Skip initrd-cleanup.service and initrd-parse-etc.service becasue we don't
# need to switch root. Instead of removing them, we use ConditionPathExists
# to check if /proc/vmcore exists to determine if we are in kdump.
sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \
"${initdir}/${systemdsystemunitdir}/initrd-cleanup.service" &> /dev/null
sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \
"${initdir}/${systemdsystemunitdir}/initrd-parse-etc.service" &> /dev/null
# Save more memory by dropping switch root capability # Save more memory by dropping switch root capability
dracut_no_switch_root dracut_no_switch_root
} }
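Review bot: In the `hv_netvsc` branch, `_drivers+=("$(_get_hpyerv_physical_driver "$_netif")")` appends an element even when the helper finds no `lower_*` entry and returns without output, so an empty string lands in `_drivers`. If `find` matches more than one `lower_*` link, `_physical_nic` becomes a multi-line value that is passed as a single interface name to `_get_nic_driver`. Capture the result first and append only when it is non-empty, e.g. `_phys=$(_get_hpyerv_physical_driver "$_netif")` then `[[ -n $_phys ]] && _drivers+=("$_phys")`, with `_phys` added to the `local` list. The helper name also looks like a transposition of `hyperv`. kdump_install_nic_driver starts and ends outside the hunks, so how `_drivers` is consumed afterwards is not visible here.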


@ -529,11 +529,24 @@ get_dracut_args_target()
echo $1 | grep "\-\-mount" | sed "s/.*--mount .\(.*\)/\1/" | cut -d' ' -f1 echo $1 | grep "\-\-mount" | sed "s/.*--mount .\(.*\)/\1/" | cut -d' ' -f1
} }
get_reserved_mem_size()
{
local reserved_mem_size=0
if is_fadump_capable; then
reserved_mem_size=$(< /sys/kernel/fadump/mem_reserved)
else
reserved_mem_size=$(< /sys/kernel/kexec_crash_size)
fi
echo "$reserved_mem_size"
}
check_crash_mem_reserved() check_crash_mem_reserved()
{ {
local mem_reserved local mem_reserved
mem_reserved=$(cat /sys/kernel/kexec_crash_size) mem_reserved=$(get_reserved_mem_size)
if [ $mem_reserved -eq 0 ]; then if [ $mem_reserved -eq 0 ]; then
derror "No memory reserved for crash kernel" derror "No memory reserved for crash kernel"
return 1 return 1
@ -700,6 +713,15 @@ prepare_kexec_args()
fi fi
fi fi
fi fi
# For secureboot enabled machines, use new kexec file based syscall.
# Old syscall will always fail as it does not have capability to do
# kernel signature verification.
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
kexec_args="$kexec_args -s"
fi
echo $kexec_args echo $kexec_args
} }
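Review bot: get_reserved_mem_size sets `reserved_mem_size=0` but then overwrites it with `$(< ...)`, so a missing or unreadable sysfs file leaves it empty and the helper echoes an empty line. In check_crash_mem_reserved the unquoted `[ $mem_reserved -eq 0 ]` then fails with a test error instead of evaluating true, and the "No memory reserved for crash kernel" branch is skipped. Ending the helper with `echo "${reserved_mem_size:-0}"` keeps the initial default meaningful for every caller. Whether `is_fadump_capable` guarantees that `/sys/kernel/fadump/mem_reserved` exists is not visible on this page, and check_crash_mem_reserved continues past the hunk.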


@ -538,28 +538,22 @@ check_fs_modified()
check_system_modified() check_system_modified()
{ {
local ret local ret
local CONF_ERROR=2
local CONF_MODIFY=1
local CONF_NO_MODIFY=0
local conf_status=$CONF_NO_MODIFY
[[ -f $TARGET_INITRD ]] || return 1 [[ -f $TARGET_INITRD ]] || return 1
check_files_modified for _func in check_files_modified check_fs_modified check_drivers_modified; do
$_func
ret=$? ret=$?
if [ $ret -ne 0 ]; then # return immediately if an error occurred.
return $ret [[ $ret -eq "$CONF_ERROR" ]] && return "$ret"
fi [[ $ret -eq "$CONF_MODIFY" ]] && { conf_status="$CONF_MODIFY"; }
done
check_fs_modified return $conf_status
ret=$?
if [ $ret -ne 0 ]; then
return $ret
fi
check_drivers_modified
ret=$?
if [ $ret -ne 0 ]; then
return $ret
fi
return 0
} }
check_rebuild() check_rebuild()
@ -653,20 +647,7 @@ function load_kdump_kernel_key()
return return
fi fi
KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer | keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer"
keyctl padd asymmetric kernelkey-$RANDOM %:.ima)
}
# remove a previously loaded key. There's no real security implication
# to leaving it around, we choose to do this because it makes it easier
# to be idempotent and so as to reduce the potential for confusion.
function remove_kdump_kernel_key()
{
if [ -z "$KDUMP_KEY_ID" ]; then
return
fi
keyctl unlink $KDUMP_KEY_ID %:.ima
} }
# Load the kdump kernel specified in /etc/sysconfig/kdump # Load the kdump kernel specified in /etc/sysconfig/kdump
@ -679,15 +660,6 @@ load_kdump()
KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")
KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}")
# For secureboot enabled machines, use new kexec file based syscall.
# Old syscall will always fail as it does not have capability to
# to kernel signature verification.
if is_secure_boot_enforced; then
dinfo "Secure Boot is enabled. Using kexec file based syscall."
KEXEC_ARGS="$KEXEC_ARGS -s"
load_kdump_kernel_key
fi
ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL" ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL"
# The '12' represents an intermediate temporary file descriptor # The '12' represents an intermediate temporary file descriptor
@ -708,9 +680,7 @@ load_kdump()
set +x set +x
exec 2>&12 12>&- exec 2>&12 12>&-
remove_kdump_kernel_key if [[ $ret == 0 ]]; then
if [ $ret == 0 ]; then
dinfo "kexec: loaded kdump kernel" dinfo "kexec: loaded kdump kernel"
return 0 return 0
else else
@ -848,7 +818,7 @@ propagate_ssh_key()
show_reserved_mem() show_reserved_mem()
{ {
local mem=$(cat /sys/kernel/kexec_crash_size) local mem=$(get_reserved_mem_size)
local mem_mb=$(expr $mem / 1024 / 1024) local mem_mb=$(expr $mem / 1024 / 1024)
dinfo "Reserved "$mem_mb"MB memory for crash kernel" dinfo "Reserved "$mem_mb"MB memory for crash kernel"
@ -1009,7 +979,13 @@ start_fadump()
start_dump() start_dump()
{ {
if [ $DEFAULT_DUMP_MODE == "fadump" ]; then # On secure boot enabled Power systems, load kernel signing key on .ima for signature
# verification using kexec file based syscall.
if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then
load_kdump_kernel_key
fi
if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then
start_fadump start_fadump
else else
load_kdump load_kdump
@ -1270,7 +1246,7 @@ do_estimate() {
# The default value when using crashkernel=auto # The default value when using crashkernel=auto
baseline_size=$((baseline * size_mb)) baseline_size=$((baseline * size_mb))
# Current reserved crashkernel size # Current reserved crashkernel size
reserved_size=$(cat /sys/kernel/kexec_crash_size) reserved_size=$(get_reserved_mem_size)
# A pre-estimated value for userspace usage and kernel # A pre-estimated value for userspace usage and kernel
# runtime allocation, 64M should good for most cases # runtime allocation, 64M should good for most cases
runtime_size=$((64 * size_mb)) runtime_size=$((64 * size_mb))
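Review bot: In start_dump the result of `load_kdump_kernel_key` is discarded, and the `keyctl padd asymmetric "" %:.ima < ...` call inside it is not checked either, so a missing certificate file or a rejected key only surfaces later, when the `-s` (kexec file based) load fails signature verification. Suggest `load_kdump_kernel_key || derror "Failed to load the kernel signing key into the .ima keyring"` so the cause is logged where it happens. With remove_kdump_kernel_key dropped, the key now stays on `.ima` after the load; a comment on load_kdump_kernel_key should say this is intentional and why the description argument is empty (presumably so repeated starts resolve to the same key instead of adding a new `kernelkey-$RANDOM` entry each time; confirm). load_kdump_kernel_key begins outside the hunk, so its early-return conditions and their exit status are not visible.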


@ -35,7 +35,8 @@ updating lists accordingly.
Supported Dump targets Supported Dump targets
---------------------- ----------------------
storage: storage:
LVM volume (no thinp) LVM volume
Thin provisioning volume
FC disks (qla2xxx, lpfc, bnx2fc, bfa) FC disks (qla2xxx, lpfc, bnx2fc, bfa)
software initiator based iSCSI software initiator based iSCSI
software RAID (mdraid) software RAID (mdraid)
@ -79,7 +80,6 @@ Unsupported Dump targets
------------------------ ------------------------
storage: storage:
BIOS RAID BIOS RAID
Thin provisioning volume
Software iSCSI with iBFT (bnx2i, cxgb3i, cxgb4i) Software iSCSI with iBFT (bnx2i, cxgb3i, cxgb4i)
Software iSCSI with hybrid (be2iscsi) Software iSCSI with hybrid (be2iscsi)
FCoE FCoE


@ -1,6 +1,6 @@
Name: kexec-tools Name: kexec-tools
Version: 2.0.26 Version: 2.0.26
Release: 8%{?dist} Release: 14%{?dist}
License: GPLv2 License: GPLv2
Group: Applications/System Group: Applications/System
Summary: The kexec/kdump userspace component Summary: The kexec/kdump userspace component
@ -396,6 +396,25 @@ done
%endif %endif
%changelog %changelog
* Wed Feb 21 2024 Pingfan Liu <piliu@redhat.com> - 2.0.26-14
- dracut-module-setup: Skip initrd-cleanup and initrd-parse-etc in kdump
* Fri Feb 2 2024 Pingfan Liu <piliu@redhat.com> - 2.0.26-13
- dracut-module-setup.sh: also install the driver of physical NIC for Hyper-V VM with accelerated networking
* Wed Nov 22 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-12
- kdumpctl: Only returns immediately after an error occurs in check_*_modified
* Thu Nov 9 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-11
- powerpc: update kdumpctl to load kernel signing key for fadump
- powerpc: update kdumpctl to remove deletion of kernel signing key once loaded
* Tue Sep 26 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-10
- Introduce a function to get reserved memory size
* Tue Sep 19 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-9
- Add lvm thin provision to kdump supported-kdump-targets.txt
* Thu Aug 10 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-8 * Thu Aug 10 2023 Pingfan Liu <piliu@redhat.com> - 2.0.26-8
- mkdumprd: Use the correct syntax to redirect the stderr to null - mkdumprd: Use the correct syntax to redirect the stderr to null
- mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS - mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS