diff --git a/0039-dracut.spec-add-dracut-init.sh.patch b/0039-dracut.spec-add-dracut-init.sh.patch deleted file mode 100644 index 96e40f3..0000000 --- a/0039-dracut.spec-add-dracut-init.sh.patch +++ /dev/null @@ -1,21 +0,0 @@ -From d63a455ffda280899bf9d3d7988789a74ac9ad8c Mon Sep 17 00:00:00 2001 -From: Harald Hoyer -Date: Fri, 10 Jul 2015 11:21:51 +0200 -Subject: [PATCH] dracut.spec: add dracut-init.sh - ---- - dracut.spec | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/dracut.spec b/dracut.spec -index 4775210..08b281d 100644 ---- a/dracut.spec -+++ b/dracut.spec -@@ -315,6 +315,7 @@ rm -rf -- $RPM_BUILD_ROOT - %dir %{dracutlibdir} - %dir %{dracutlibdir}/modules.d - %{dracutlibdir}/dracut-functions.sh -+%{dracutlibdir}/dracut-init.sh - %{dracutlibdir}/dracut-functions - %{dracutlibdir}/dracut-version.sh - %{dracutlibdir}/dracut-logger.sh diff --git a/0039-network-add-rd.peerdns-0-parameter.patch b/0039-network-add-rd.peerdns-0-parameter.patch new file mode 100644 index 0000000..7e9d160 --- /dev/null +++ b/0039-network-add-rd.peerdns-0-parameter.patch @@ -0,0 +1,72 @@ +From df0bdd5ae9094133afa48b84189822e26d7bfecf Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 13 Jul 2015 10:14:15 +0200 +Subject: [PATCH] network: add rd.peerdns=0 parameter + +Add rd.peerdns=0 parameter to disable DHCP nameserver setting +--- + dracut.cmdline.7.asc | 3 +++ + modules.d/40network/dhclient-script.sh | 29 ++++++++++++++++------------- + 2 files changed, 19 insertions(+), 13 deletions(-) + +diff --git a/dracut.cmdline.7.asc b/dracut.cmdline.7.asc +index 55e6f64..1a54377 100644 +--- a/dracut.cmdline.7.asc ++++ b/dracut.cmdline.7.asc +@@ -546,6 +546,9 @@ interface name. Better name it "bootnet" or "bluesocket". + **nameserver=**____ [**nameserver=**____ ...]:: + specify nameserver(s) to use + ++**rd.peerdns=0**:: ++ Disable DNS setting of DHCP parameters. ++ + **biosdevname=0**:: + boolean, turn off biosdevname network interface renaming + +diff --git a/modules.d/40network/dhclient-script.sh b/modules.d/40network/dhclient-script.sh +index c75ac89..1d891cd 100755 +--- a/modules.d/40network/dhclient-script.sh ++++ b/modules.d/40network/dhclient-script.sh +@@ -54,13 +54,14 @@ setup_interface() { + echo ip route replace default via $gw dev $netif >> /tmp/net.$netif.gw + fi + +- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf +- if [ -n "$namesrv" ] ; then +- for s in $namesrv; do +- echo nameserver $s +- done +- fi >> /tmp/net.$netif.resolv.conf +- ++ if getargbool 1 rd.peerdns; then ++ [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf ++ if [ -n "$namesrv" ] ; then ++ for s in $namesrv; do ++ echo nameserver $s ++ done ++ fi >> /tmp/net.$netif.resolv.conf ++ fi + # Note: hostname can be fqdn OR short hostname, so chop off any + # trailing domain name and explicity add any domain if set. + [ -n "$hostname" ] && echo "echo ${hostname%.$domain}${domain:+.$domain} > /proc/sys/kernel/hostname" > /tmp/net.$netif.hostname +@@ -83,12 +84,14 @@ setup_interface6() { + ${lease_time:+valid_lft $lease_time} \ + ${preferred_lft:+preferred_lft ${preferred_lft}} + +- [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf +- if [ -n "$namesrv" ] ; then +- for s in $namesrv; do +- echo nameserver $s +- done +- fi >> /tmp/net.$netif.resolv.conf ++ if getargbool 1 rd.peerdns; then ++ [ -n "${search}${domain}" ] && echo "search $search $domain" > /tmp/net.$netif.resolv.conf ++ if [ -n "$namesrv" ] ; then ++ for s in $namesrv; do ++ echo nameserver $s ++ done ++ fi >> /tmp/net.$netif.resolv.conf ++ fi + + # Note: hostname can be fqdn OR short hostname, so chop off any + # trailing domain name and explicity add any domain if set. diff --git a/0040-TODO-update.patch b/0040-TODO-update.patch new file mode 100644 index 0000000..06df789 --- /dev/null +++ b/0040-TODO-update.patch @@ -0,0 +1,21 @@ +From 8c7dc032f816d13d482bccebf2f7e56a81c207fd Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 13 Jul 2015 10:38:16 +0200 +Subject: [PATCH] TODO: update + +--- + TODO | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/TODO b/TODO +index 4a7d959..55fe13b 100644 +--- a/TODO ++++ b/TODO +@@ -7,7 +7,6 @@ Items are ordered in priority. + INITRAMFS TODO + + - search domain string +-- peerdns=no + - allow dual stack configuration (IPv4, IPv6) for the same interface + - "bind-mount" kernel drivers in real root for the rescue image, + if the real root does not have any kernel modules for this kernel diff --git a/0041-crypt-skip-crypttab-entries-with-the-same-device.patch b/0041-crypt-skip-crypttab-entries-with-the-same-device.patch new file mode 100644 index 0000000..bdc8f28 --- /dev/null +++ b/0041-crypt-skip-crypttab-entries-with-the-same-device.patch @@ -0,0 +1,47 @@ +From 968280e37053bceab47183e5aa9e7bfb34e73d37 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 13 Jul 2015 10:39:07 +0200 +Subject: [PATCH] crypt: skip crypttab entries with the same device + +It was only checked, if the name of the crypttab entry matched. +This patch adds checking, if the device matches. +--- + modules.d/90crypt/crypt-lib.sh | 6 ++++++ + modules.d/90crypt/crypt-run-generator.sh | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +diff --git a/modules.d/90crypt/crypt-lib.sh b/modules.d/90crypt/crypt-lib.sh +index 213003e..2e13da2 100755 +--- a/modules.d/90crypt/crypt-lib.sh ++++ b/modules.d/90crypt/crypt-lib.sh +@@ -5,11 +5,17 @@ command -v getarg >/dev/null || . /lib/dracut-lib.sh + # check if the crypttab contains an entry for a LUKS UUID + crypttab_contains() { + local luks="$1" ++ local dev="$2" + local l d rest + if [ -f /etc/crypttab ]; then + while read l d rest || [ -n "$l" ]; do + strstr "${l##luks-}" "${luks##luks-}" && return 0 + strstr "$d" "${luks##luks-}" && return 0 ++ if [ -n "$dev" ]; then ++ for _dev in "$(devnames $d)"; do ++ [ "$dev" -ef "$_dev" ] && return 0 ++ done ++ fi + done < /etc/crypttab + fi + return 1 +diff --git a/modules.d/90crypt/crypt-run-generator.sh b/modules.d/90crypt/crypt-run-generator.sh +index 3c5d7b1..5bf60ec 100755 +--- a/modules.d/90crypt/crypt-run-generator.sh ++++ b/modules.d/90crypt/crypt-run-generator.sh +@@ -6,7 +6,7 @@ type crypttab_contains >/dev/null 2>&1 || . /lib/dracut-crypt-lib.sh + dev=$1 + luks=$2 + +-crypttab_contains "$luks" && exit 0 ++crypttab_contains "$luks" "$dev" && exit 0 + + allowdiscards="-" + diff --git a/0042-dracut-systemd-dracut-initqueue-only-start-service-i.patch b/0042-dracut-systemd-dracut-initqueue-only-start-service-i.patch new file mode 100644 index 0000000..f4b7799 --- /dev/null +++ b/0042-dracut-systemd-dracut-initqueue-only-start-service-i.patch @@ -0,0 +1,51 @@ +From e47907cc6b6eead2ab5ef4d5015445668822612a Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 13 Jul 2015 10:51:47 +0200 +Subject: [PATCH] dracut-systemd/dracut-initqueue: only start service if really + needed + +Only start the dracut-initqueue.service, if the dracut_need_initqueue +command was issued on creation or later on set. +--- + modules.d/90lvm/module-setup.sh | 2 ++ + modules.d/90mdraid/module-setup.sh | 1 + + modules.d/98dracut-systemd/dracut-initqueue.service | 5 ----- + 3 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/modules.d/90lvm/module-setup.sh b/modules.d/90lvm/module-setup.sh +index 8269078..42dda57 100755 +--- a/modules.d/90lvm/module-setup.sh ++++ b/modules.d/90lvm/module-setup.sh +@@ -140,4 +140,6 @@ install() { + cache_dump cache_restore cache_check cache_repair \ + era_check era_dump era_invalidate era_restore + fi ++ ++ dracut_need_initqueue + } +diff --git a/modules.d/90mdraid/module-setup.sh b/modules.d/90mdraid/module-setup.sh +index 621d0fb..cecf3bf 100755 +--- a/modules.d/90mdraid/module-setup.sh ++++ b/modules.d/90mdraid/module-setup.sh +@@ -132,4 +132,5 @@ install() { + fi + fi + inst_hook pre-shutdown 30 "$moddir/mdmon-pre-shutdown.sh" ++ dracut_need_initqueue + } +diff --git a/modules.d/98dracut-systemd/dracut-initqueue.service b/modules.d/98dracut-systemd/dracut-initqueue.service +index 5d772f7..fa5ca56 100644 +--- a/modules.d/98dracut-systemd/dracut-initqueue.service ++++ b/modules.d/98dracut-systemd/dracut-initqueue.service +@@ -17,11 +17,6 @@ After=systemd-udev-trigger.service + Wants=systemd-udev-trigger.service + ConditionPathExists=/usr/lib/initrd-release + ConditionPathExists=|/lib/dracut/need-initqueue +-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/*.sh +-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/settled/*.sh +-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/finished/*.sh +-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/online/*.sh +-ConditionPathExistsGlob=|/lib/dracut/hooks/initqueue/timeout/*.sh + ConditionKernelCommandLine=|rd.break=initqueue + + [Service] diff --git a/0043-Replace-echo-n-with-printf-in-code-with-a-bin-sh-she.patch b/0043-Replace-echo-n-with-printf-in-code-with-a-bin-sh-she.patch new file mode 100644 index 0000000..41f91b5 --- /dev/null +++ b/0043-Replace-echo-n-with-printf-in-code-with-a-bin-sh-she.patch @@ -0,0 +1,271 @@ +From 5899f2f5163de4d68fbb35831e1f2230c22c71b3 Mon Sep 17 00:00:00 2001 +From: Mike Gilbert +Date: Tue, 14 Jul 2015 22:22:14 -0400 +Subject: [PATCH] Replace echo -n with printf in code with a /bin/sh shebang + +POSIX does not mandate that echo support the -n parameter. +printf has more well-defined behavior. +--- + modules.d/04watchdog/watchdog-stop.sh | 2 +- + modules.d/40network/net-lib.sh | 2 +- + modules.d/45ifcfg/write-ifcfg.sh | 2 +- + modules.d/90lvm/lvm_scan.sh | 4 ++-- + modules.d/95fcoe/fcoe-up.sh | 2 +- + modules.d/98usrmount/mount-usr.sh | 2 +- + modules.d/99base/dracut-lib.sh | 6 +++--- + modules.d/99base/init.sh | 2 +- + test/TEST-10-RAID/create-root.sh | 2 +- + test/TEST-10-RAID/cryptroot-ask.sh | 2 +- + test/TEST-12-RAID-DEG/create-root.sh | 2 +- + test/TEST-12-RAID-DEG/cryptroot-ask.sh | 2 +- + test/TEST-13-ENC-RAID-LVM/create-root.sh | 2 +- + test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh | 2 +- + test/TEST-14-IMSM/cryptroot-ask.sh | 2 +- + test/TEST-20-NFS/client-init.sh | 2 +- + test/TEST-40-NBD/create-root.sh | 2 +- + test/TEST-40-NBD/cryptroot-ask.sh | 2 +- + 18 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/modules.d/04watchdog/watchdog-stop.sh b/modules.d/04watchdog/watchdog-stop.sh +index 91d45d6..921f969 100755 +--- a/modules.d/04watchdog/watchdog-stop.sh ++++ b/modules.d/04watchdog/watchdog-stop.sh +@@ -1,2 +1,2 @@ + #!/bin/sh +-[ -c /dev/watchdog ] && echo -n 'V' > /dev/watchdog ++[ -c /dev/watchdog ] && printf 'V' > /dev/watchdog +diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh +index a09cdaf..6c739e8 100755 +--- a/modules.d/40network/net-lib.sh ++++ b/modules.d/40network/net-lib.sh +@@ -189,7 +189,7 @@ set_ifname() { + fix_bootif() { + local macaddr=${1} + local IFS='-' +- macaddr=$(for i in ${macaddr} ; do echo -n $i:; done) ++ macaddr=$(printf '%s:' ${macaddr}) + macaddr=${macaddr%:} + # strip hardware type field from pxelinux + [ -n "${macaddr%??:??:??:??:??:??}" ] && macaddr=${macaddr#??:} +diff --git a/modules.d/45ifcfg/write-ifcfg.sh b/modules.d/45ifcfg/write-ifcfg.sh +index fa7db27..251d684 100755 +--- a/modules.d/45ifcfg/write-ifcfg.sh ++++ b/modules.d/45ifcfg/write-ifcfg.sh +@@ -48,7 +48,7 @@ print_s390() { + for i in /sys/class/net/$_netif/device/cdev[0-9]*; do + [ -e $i ] || continue + channel=$(readlink -f $i) +- echo -n "${channel##*/}," ++ printf '%s' "${channel##*/}," + done + }) + [ -n "$SUBCHANNELS" ] || return 1 +diff --git a/modules.d/90lvm/lvm_scan.sh b/modules.d/90lvm/lvm_scan.sh +index 7495644..ead28aa 100755 +--- a/modules.d/90lvm/lvm_scan.sh ++++ b/modules.d/90lvm/lvm_scan.sh +@@ -15,14 +15,14 @@ SNAPSIZE=$(getargs rd.lvm.snapsize -d rd_LVM_SNAPSIZE=) + lvmdevs=$( + for f in /tmp/.lvm_scan-*; do + [ -e "$f" ] || continue +- echo -n "${f##/tmp/.lvm_scan-} " ++ printf '%s' "${f##/tmp/.lvm_scan-} " + done + ) + + if [ ! -e /etc/lvm/lvm.conf ]; then + { + echo 'devices {'; +- echo -n ' filter = [ ' ++ printf ' filter = [ ' + for dev in $lvmdevs; do + printf '"a|^/dev/%s$|", ' $dev; + done; +diff --git a/modules.d/95fcoe/fcoe-up.sh b/modules.d/95fcoe/fcoe-up.sh +index 43a0ad5..950e4b6 100755 +--- a/modules.d/95fcoe/fcoe-up.sh ++++ b/modules.d/95fcoe/fcoe-up.sh +@@ -64,7 +64,7 @@ elif [ "$netdriver" = "bnx2x" ]; then + sleep 3 + fipvlan "$netif" -c -s + else +- echo -n "$netif" > /sys/module/fcoe/parameters/create ++ printf '%s' "$netif" > /sys/module/fcoe/parameters/create + fi + + need_shutdown +diff --git a/modules.d/98usrmount/mount-usr.sh b/modules.d/98usrmount/mount-usr.sh +index c29610f..d1a629c 100755 +--- a/modules.d/98usrmount/mount-usr.sh ++++ b/modules.d/98usrmount/mount-usr.sh +@@ -12,7 +12,7 @@ filtersubvol() { + while [ $# -gt 0 ]; do + case $1 in + subvol\=*) :;; +- *) echo -n "${1}," ;; ++ *) printf '%s' "${1}," ;; + esac + shift + done +diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh +index cd1f49f..5ec7b23 100755 +--- a/modules.d/99base/dracut-lib.sh ++++ b/modules.d/99base/dracut-lib.sh +@@ -298,7 +298,7 @@ _dogetargs() { + fi + done + if [ -n "$_found" ]; then +- [ $# -gt 0 ] && echo -n "$@" ++ [ $# -gt 0 ] && printf '%s' "$*" + return 0 + fi + return 1; +@@ -329,9 +329,9 @@ getargs() { + done + if [ -n "$_gfound" ]; then + if [ $# -gt 0 ]; then +- echo -n "$@" ++ printf '%s' "$*" + else +- echo -n 1 ++ printf 1 + fi + debug_on + return 0 +diff --git a/modules.d/99base/init.sh b/modules.d/99base/init.sh +index f96dbb5..a59e8ea 100755 +--- a/modules.d/99base/init.sh ++++ b/modules.d/99base/init.sh +@@ -253,7 +253,7 @@ while :; do + done + + { +- echo -n "Mounted root filesystem " ++ printf "Mounted root filesystem " + while read dev mp rest || [ -n "$dev" ]; do [ "$mp" = "$NEWROOT" ] && echo $dev; done < /proc/mounts + } | vinfo + +diff --git a/test/TEST-10-RAID/create-root.sh b/test/TEST-10-RAID/create-root.sh +index a7e56a5..7b5f2a7 100755 +--- a/test/TEST-10-RAID/create-root.sh ++++ b/test/TEST-10-RAID/create-root.sh +@@ -18,7 +18,7 @@ mdadm --create /dev/md0 --run --auto=yes --level=5 --raid-devices=3 /dev/sda2 /d + # randomly. + mdadm -W /dev/md0 + set -e +-echo -n test >keyfile ++printf test >keyfile + cryptsetup -q luksFormat /dev/md0 /keyfile + echo "The passphrase is test" + cryptsetup luksOpen /dev/md0 dracut_crypt_test /keyfile ++printf test >/keyfile + /sbin/cryptsetup luksOpen "$1" "$2" keyfile ++printf test >keyfile + cryptsetup -q luksFormat /dev/md0 /keyfile + echo "The passphrase is test" + set -e +diff --git a/test/TEST-12-RAID-DEG/cryptroot-ask.sh b/test/TEST-12-RAID-DEG/cryptroot-ask.sh +index db27c5b..78ed7f5 100755 +--- a/test/TEST-12-RAID-DEG/cryptroot-ask.sh ++++ b/test/TEST-12-RAID-DEG/cryptroot-ask.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + + [ -b /dev/mapper/$2 ] && exit 0 +-echo -n test >/keyfile ++printf test >/keyfile + /sbin/cryptsetup luksOpen $1 $2 keyfile ++printf test >keyfile + cryptsetup -q luksFormat /dev/sda2 /keyfile + cryptsetup -q luksFormat /dev/sda3 /keyfile + cryptsetup -q luksFormat /dev/sda4 /keyfile +diff --git a/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh b/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh +index db27c5b..78ed7f5 100755 +--- a/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh ++++ b/test/TEST-13-ENC-RAID-LVM/cryptroot-ask.sh +@@ -1,6 +1,6 @@ + #!/bin/sh + + [ -b /dev/mapper/$2 ] && exit 0 +-echo -n test >/keyfile ++printf test >/keyfile + /sbin/cryptsetup luksOpen $1 $2 /keyfile ++printf test >/keyfile + /sbin/cryptsetup luksOpen $1 $2 /dev/watchdog ++ [ -c /dev/watchdog ] && printf 'V' > /dev/watchdog + strstr "$(setsid --help)" "control" && CTTY="-c" + setsid $CTTY sh -i + fi +diff --git a/test/TEST-40-NBD/create-root.sh b/test/TEST-40-NBD/create-root.sh +index 391279e..20d0eff 100755 +--- a/test/TEST-40-NBD/create-root.sh ++++ b/test/TEST-40-NBD/create-root.sh +@@ -5,7 +5,7 @@ for x in 64-lvm.rules 70-mdadm.rules 99-mount-rules; do + done + rm -f -- /etc/lvm/lvm.conf + udevadm control --reload +-echo -n test >keyfile ++printf test >keyfile + cryptsetup -q luksFormat /dev/sdb /keyfile + echo "The passphrase is test" + cryptsetup luksOpen /dev/sdb dracut_crypt_test /keyfile ++printf test >/keyfile + /sbin/cryptsetup luksOpen $1 $2 +Date: Tue, 14 Jul 2015 11:12:16 -0400 +Subject: [PATCH] syncheck: Look for 'echo -n' usage in modules + +--- + Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/Makefile b/Makefile +index 98a2fbf..f3a5c07 100644 +--- a/Makefile ++++ b/Makefile +@@ -212,7 +212,8 @@ syncheck: + [ "$${i##*/}" = "module-setup.sh" ] && continue; \ + read line < "$$i"; [ "$${line#*bash*}" != "$$line" ] && continue; \ + [ $$V ] && echo "posix syntax check: $$i"; bash --posix -n "$$i" ; ret=$$(($$ret+$$?)); \ +- [ $$V ] && echo "checking for [[: $$i"; if grep -Fq '[[ ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains [["; fi \ ++ [ $$V ] && echo "checking for [[: $$i"; if grep -Fq '[[ ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains [["; fi; \ ++ [ $$V ] && echo "checking for echo -n: $$i"; if grep -Fq 'echo -n ' "$$i" ; then ret=$$(($$ret+1)); echo "$$i contains echo -n"; fi \ + done;exit $$ret + @ret=0;for i in *.sh mkinitrd-dracut.sh modules.d/*/*.sh \ + modules.d/*/module-setup.sh; do \ diff --git a/0045-dracut.spec-add-dracut-init.sh.patch b/0045-dracut.spec-add-dracut-init.sh.patch new file mode 100644 index 0000000..1ef1840 --- /dev/null +++ b/0045-dracut.spec-add-dracut-init.sh.patch @@ -0,0 +1,21 @@ +From 7f2ea02b4ad95f59abb73dd4690f6f5ca9191633 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Fri, 10 Jul 2015 11:21:51 +0200 +Subject: [PATCH] dracut.spec: add dracut-init.sh + +--- + dracut.spec | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dracut.spec b/dracut.spec +index 4775210..08b281d 100644 +--- a/dracut.spec ++++ b/dracut.spec +@@ -315,6 +315,7 @@ rm -rf -- $RPM_BUILD_ROOT + %dir %{dracutlibdir} + %dir %{dracutlibdir}/modules.d + %{dracutlibdir}/dracut-functions.sh ++%{dracutlibdir}/dracut-init.sh + %{dracutlibdir}/dracut-functions + %{dracutlibdir}/dracut-version.sh + %{dracutlibdir}/dracut-logger.sh diff --git a/0046-use-mktemp-p-instead-of-tmpdir-for-busybox.patch b/0046-use-mktemp-p-instead-of-tmpdir-for-busybox.patch new file mode 100644 index 0000000..826deda --- /dev/null +++ b/0046-use-mktemp-p-instead-of-tmpdir-for-busybox.patch @@ -0,0 +1,71 @@ +From e50f91e6004a523d745179eaa789e28a75ff06d4 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Tue, 14 Jul 2015 10:11:59 +0200 +Subject: [PATCH] use mktemp "-p" instead of "--tmpdir" for busybox + +--- + dracut-logger.sh | 2 +- + dracut.sh | 10 +++++----- + test/test-functions | 2 +- + 3 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/dracut-logger.sh b/dracut-logger.sh +index 2a6019c..e5c9358 100755 +--- a/dracut-logger.sh ++++ b/dracut-logger.sh +@@ -148,7 +148,7 @@ dlog_init() { + && type -P systemd-cat &>/dev/null \ + && systemctl --quiet is-active systemd-journald.socket &>/dev/null \ + && { echo "dracut-$DRACUT_VERSION" | systemd-cat -t 'dracut' &>/dev/null; } ; then +- readonly _dlogdir="$(mktemp --tmpdir="$TMPDIR/" -d -t dracut-log.XXXXXX)" ++ readonly _dlogdir="$(mktemp -p "$TMPDIR/" -d -t dracut-log.XXXXXX)" + readonly _systemdcatfile="$_dlogdir/systemd-cat" + mkfifo "$_systemdcatfile" + readonly _dlogfd=15 +diff --git a/dracut.sh b/dracut.sh +index b7456dc..ee0a039 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -777,16 +777,16 @@ fi + [[ $reproducible == yes ]] && DRACUT_REPRODUCIBLE=1 + + readonly TMPDIR="$tmpdir" +-readonly initdir="$(mktemp --tmpdir="$TMPDIR/" -d -t initramfs.XXXXXX)" ++readonly initdir="$(mktemp -p "$TMPDIR/" -d -t initramfs.XXXXXX)" + [ -d "$initdir" ] || { +- printf "%s\n" "dracut: mktemp --tmpdir='$TMPDIR/' -d -t initramfs.XXXXXX failed." >&2 ++ printf "%s\n" "dracut: mktemp -p '$TMPDIR/' -d -t initramfs.XXXXXX failed." >&2 + exit 1 + } + + if [[ $early_microcode = yes ]] || ( [[ $acpi_override = yes ]] && [[ -d $acpi_table_dir ]] ); then +- readonly early_cpio_dir="$(mktemp --tmpdir="$TMPDIR/" -d -t early_cpio.XXXXXX)" ++ readonly early_cpio_dir="$(mktemp -p "$TMPDIR/" -d -t early_cpio.XXXXXX)" + [ -d "$early_cpio_dir" ] || { +- printf "%s\n" "dracut: mktemp --tmpdir='$TMPDIR/' -d -t early_cpio.XXXXXX failed." >&2 ++ printf "%s\n" "dracut: mktemp -p '$TMPDIR/' -d -t early_cpio.XXXXXX failed." >&2 + exit 1 + } + fi +@@ -1614,7 +1614,7 @@ dinfo "*** Creating image file '$outfile' ***" + + if [[ $uefi = yes ]]; then + uefi_outfile="$outfile" +- readonly uefi_outdir="$(mktemp --tmpdir="$TMPDIR/" -d -t initrd.XXXXXX)" ++ readonly uefi_outdir="$(mktemp -p "$TMPDIR/" -d -t initrd.XXXXXX)" + # redirect initrd output + outfile="$uefi_outdir/initrd" + fi +diff --git a/test/test-functions b/test/test-functions +index 1f5eed5..2b8a4d2 100644 +--- a/test/test-functions ++++ b/test/test-functions +@@ -4,7 +4,7 @@ export PATH + + [[ -e .testdir ]] && . .testdir + if [[ -z "$TESTDIR" ]] || [[ ! -d "$TESTDIR" ]]; then +- TESTDIR=$(mktemp -d --tmpdir="/var/tmp" -t dracut-test.XXXXXX) ++ TESTDIR=$(mktemp -d -p "/var/tmp" -t dracut-test.XXXXXX) + fi + echo "TESTDIR=\"$TESTDIR\"" > .testdir + export TESTDIR diff --git a/0047-dmsquash-generator.sh-increase-timeout-for-checkisom.patch b/0047-dmsquash-generator.sh-increase-timeout-for-checkisom.patch new file mode 100644 index 0000000..ae7b4cd --- /dev/null +++ b/0047-dmsquash-generator.sh-increase-timeout-for-checkisom.patch @@ -0,0 +1,25 @@ +From f4d64d55ea825ec0d05aaa76d58cddc37d44f719 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Sat, 18 Jul 2015 13:02:25 +0200 +Subject: [PATCH] dmsquash-generator.sh: increase timeout for checkisomd5 + +if the checkisomd5 takes longer than 3 minutes, the device timeout for +/dev/mapper/live-rw cancels the boot process. +--- + modules.d/90dmsquash-live/dmsquash-generator.sh | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/modules.d/90dmsquash-live/dmsquash-generator.sh b/modules.d/90dmsquash-live/dmsquash-generator.sh +index e386d81..85a3592 100755 +--- a/modules.d/90dmsquash-live/dmsquash-generator.sh ++++ b/modules.d/90dmsquash-live/dmsquash-generator.sh +@@ -64,3 +64,9 @@ ROOTFLAGS="$(getarg rootflags)" + echo "What=/dev/mapper/live-rw" + [ -n "$ROOTFLAGS" ] && echo "Options=${ROOTFLAGS}" + } > "$GENERATOR_DIR"/sysroot.mount ++ ++mkdir -p "$GENERATOR_DIR/dev-mapper-live\x2drw.device.d" ++{ ++ echo "[Unit]" ++ echo "JobTimeoutSec=3000" ++} > "$GENERATOR_DIR/dev-mapper-live\x2drw.device.d/timeout.conf" diff --git a/0048-Cleanup-compressor-handling.patch b/0048-Cleanup-compressor-handling.patch new file mode 100644 index 0000000..066384d --- /dev/null +++ b/0048-Cleanup-compressor-handling.patch @@ -0,0 +1,148 @@ +From 693b7a32833b7c141f03d802f6bc9a767bdb11f8 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Wed, 22 Jul 2015 11:34:08 +0200 +Subject: [PATCH] Cleanup compressor handling + +If no compressor is specified, try to find a suitable one. + +Check if kernel modules can be uncompressed. +--- + dracut.sh | 78 +++++++++++++++++++++++++++++++++++++++++++++++-------------- + dracut.spec | 7 +++--- + 2 files changed, 64 insertions(+), 21 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index ee0a039..27be54a 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -751,25 +751,53 @@ if [[ -n "$logfile" ]];then + fi + + # handle compression options. +-[[ $compress ]] || compress="gzip" ++if [[ $_no_compress_l = "cat" ]]; then ++ compress="cat" ++fi ++ ++if ! [[ $compress ]]; then ++ # check all known compressors, if none specified ++ for i in pigz gzip lz4 lzop lzma xz lbzip2 bzip2 cat; do ++ command -v "$i" &>/dev/null || continue ++ compress="$i" ++ break ++ done ++ if [[ $compress = cat ]]; then ++ printf "%s\n" "dracut: no compression tool available. Initramfs image is going to be big." >&2 ++ fi ++fi ++ ++# choose the right arguments for the compressor + case $compress in +- bzip2) compress="bzip2 -9"; +- command -v lbzip2 > /dev/null 2>&1 && compress="lbzip2 -9";; +- lzma) compress="lzma -9 -T0";; +- xz) compress="xz --check=crc32 --lzma2=dict=1MiB -T0";; +- gzip) compress="gzip -n -9"; +- if command -v pigz > /dev/null 2>&1; then ++ bzip2|lbzip2) ++ if [[ "$compress" = lbzip2 ]] || command -v lbzip2 &>/dev/null; then ++ compress="lbzip2 -9" ++ else ++ compress="bzip2 -9" ++ fi ++ ;; ++ lzma) ++ compress="lzma -9 -T0" ++ ;; ++ xz) ++ compress="xz --check=crc32 --lzma2=dict=1MiB -T0" ++ ;; ++ gzip|pigz) ++ if [[ "$compress" = pigz ]] || command -v pigz &>/dev/null; then + compress="pigz -9 -n -T -R" +- elif command -v gzip --help 2>&1 | grep -q rsyncable; then ++ elif command -v gzip &>/dev/null && gzip --help 2>&1 | grep -q rsyncable; then + compress="gzip -n -9 --rsyncable" ++ else ++ compress="gzip -n -9" + fi + ;; +- lzo) compress="lzop -9";; +- lz4) compress="lz4 -l -9";; ++ lzo|lzop) ++ compress="lzop -9" ++ ;; ++ lz4) ++ compress="lz4 -l -9" ++ ;; + esac +-if [[ $_no_compress_l = "cat" ]]; then +- compress="cat" +-fi + + [[ $hostonly = yes ]] && hostonly="-h" + [[ $hostonly != "-h" ]] && unset hostonly +@@ -887,10 +915,26 @@ esac + + abs_outfile=$(readlink -f "$outfile") && outfile="$abs_outfile" + +-if [[ -d $srcmods ]]; then +- [[ -f $srcmods/modules.dep ]] || { +- dwarn "$srcmods/modules.dep is missing. Did you run depmod?" +- } ++if [[ $no_kernel != yes ]] && [[ -d $srcmods ]]; then ++ if ! [[ -f $srcmods/modules.dep ]]; then ++ dwarn "$srcmods/modules.dep is missing. Did you run depmod?" ++ elif ! ( command -v gzip &>/dev/null && command -v xz &>/dev/null); then ++ read _mod < $srcmods/modules.dep ++ _mod=${_mod%%:*} ++ if [[ -f $srcmods/"$_mod" ]]; then ++ # Check, if kernel modules are compressed, and if we can uncompress them ++ case "$_mod" in ++ *.ko.gz) kcompress=gzip;; ++ *.ko.xz) kcompress=xz;; ++ esac ++ if [[ $kcompress ]]; then ++ if ! command -v "$kcompress" &>/dev/null; then ++ dfatal "Kernel modules are compressed with $kcompress, but $kcompress is not available." ++ exit 1 ++ fi ++ fi ++ fi ++ fi + fi + + if [[ ! $print_cmdline ]]; then +diff --git a/dracut.spec b/dracut.spec +index 08b281d..6ef5de7 100644 +--- a/dracut.spec ++++ b/dracut.spec +@@ -60,7 +60,6 @@ BuildRequires: docbook-style-xsl docbook-dtds libxslt + BuildRequires: asciidoc + %endif + +- + %if 0%{?fedora} > 12 || 0%{?rhel} + # no "provides", because dracut does not offer + # all functionality of the obsoleted packages +@@ -94,17 +93,17 @@ Requires: findutils + Requires: grep + Requires: kmod + Requires: sed ++Requires: xz ++Requires: gzip + + %if 0%{?fedora} > 22 + Recommends: grubby + Recommends: hardlink +-Recommends: gzip +-Recommends: xz ++Recommends: pigz + Recommends: kpartx + %else + Requires: hardlink + Requires: gzip +-Requires: xz + Requires: kpartx + %endif + diff --git a/0049-Add-missing-echo-to-output-the-result.patch b/0049-Add-missing-echo-to-output-the-result.patch new file mode 100644 index 0000000..8f94d0b --- /dev/null +++ b/0049-Add-missing-echo-to-output-the-result.patch @@ -0,0 +1,22 @@ +From c1c96f2c4780bdf8ddc363ded40439cba31afa56 Mon Sep 17 00:00:00 2001 +From: Stefan Reimer +Date: Sat, 25 Jul 2015 01:17:04 +0000 +Subject: [PATCH] Add missing echo to output the result. + +Only place this function is currently called seems from line 28 in modules.d/95nfs/nfs-lib.sh. Bug fix. +--- + modules.d/40network/net-lib.sh | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/modules.d/40network/net-lib.sh b/modules.d/40network/net-lib.sh +index 6c739e8..68bc095 100755 +--- a/modules.d/40network/net-lib.sh ++++ b/modules.d/40network/net-lib.sh +@@ -5,6 +5,7 @@ get_ip() { + ip=$(ip -o -f inet addr show $iface) + ip=${ip%%/*} + ip=${ip##* } ++ echo $ip + } + + iface_for_remote_addr() { diff --git a/0050-crypt-s-allow-discards-discard-for-crypttab.patch b/0050-crypt-s-allow-discards-discard-for-crypttab.patch new file mode 100644 index 0000000..f02df92 --- /dev/null +++ b/0050-crypt-s-allow-discards-discard-for-crypttab.patch @@ -0,0 +1,30 @@ +From 2082cdf230574fa7482903730b584445ed3a2a08 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 27 Jul 2015 13:30:22 +0200 +Subject: [PATCH] crypt: s/allow-discards/discard for crypttab + +actually the option in crypttab is named "discard" and not +"allow-discards" + +https://bugzilla.suse.com/show_bug.cgi?id=932972 +--- + modules.d/90crypt/crypt-run-generator.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules.d/90crypt/crypt-run-generator.sh b/modules.d/90crypt/crypt-run-generator.sh +index 5bf60ec..8dad76b 100755 +--- a/modules.d/90crypt/crypt-run-generator.sh ++++ b/modules.d/90crypt/crypt-run-generator.sh +@@ -15,10 +15,10 @@ if strstr "$(cryptsetup --help)" "allow-discards"; then + if discarduuids=$(getargs "rd.luks.allow-discards"); then + discarduuids=$(str_replace "$discarduuids" 'luks-' '') + if strstr " $discarduuids " " ${luks##luks-}"; then +- allowdiscards="allow-discards" ++ allowdiscards="discard" + fi + elif getargbool 0 rd.luks.allow-discards; then +- allowdiscards="allow-discards" ++ allowdiscards="discard" + fi + fi + diff --git a/0051-qemu-add-spapr-vscsi-kernel-module.patch b/0051-qemu-add-spapr-vscsi-kernel-module.patch new file mode 100644 index 0000000..83c7bd8 --- /dev/null +++ b/0051-qemu-add-spapr-vscsi-kernel-module.patch @@ -0,0 +1,21 @@ +From cce34acace5876d06946dfb1fe70004a0b5176b0 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Tue, 28 Jul 2015 11:55:04 +0200 +Subject: [PATCH] qemu: add spapr-vscsi kernel module + +--- + modules.d/90qemu/module-setup.sh | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/modules.d/90qemu/module-setup.sh b/modules.d/90qemu/module-setup.sh +index 37972e4..66ef884 100755 +--- a/modules.d/90qemu/module-setup.sh ++++ b/modules.d/90qemu/module-setup.sh +@@ -25,5 +25,6 @@ installkernel() { + hostonly='' instmods \ + ata_piix ata_generic pata_acpi cdrom sr_mod ahci \ + virtio_blk virtio virtio_ring virtio_pci \ +- virtio_scsi virtio_console virtio_rng ++ virtio_scsi virtio_console virtio_rng \ ++ spapr-vscsi + } diff --git a/0052-dracut.sh-simplify-modalias-reading.patch b/0052-dracut.sh-simplify-modalias-reading.patch new file mode 100644 index 0000000..040a520 --- /dev/null +++ b/0052-dracut.sh-simplify-modalias-reading.patch @@ -0,0 +1,30 @@ +From 96d694c0b5949586dad8eab5491ad41521eec514 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Thu, 30 Jul 2015 12:11:42 +0200 +Subject: [PATCH] dracut.sh: simplify modalias reading + +--- + dracut.sh | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 27be54a..77874ba 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -1179,13 +1179,9 @@ if [[ $hostonly ]]; then + + # record all host modaliases + declare -A host_modalias +- find /sys/devices/ -name uevent -print > "$initdir/.modalias" +- while read m || [ -n "$m" ]; do +- while read line || [ -n "$line" ]; do +- [[ "$line" != MODALIAS\=* ]] && continue +- modalias="${line##MODALIAS=}" && [[ $modalias ]] && host_modalias["$modalias"]=1 +- break +- done < "$m" ++ find /sys/devices -name modalias -exec cat '{}' \; > "$initdir/.modalias" ++ while read -r modalias || [ -n "$modalias" ]; do ++ [[ $modalias ]] && host_modalias["$modalias"]=1 + done < "$initdir/.modalias" + + rm -f -- "$initdir/.modalias" diff --git a/0053-90qemu-fixed-systemd-detect-virt-output-parsing.patch b/0053-90qemu-fixed-systemd-detect-virt-output-parsing.patch new file mode 100644 index 0000000..96de49e --- /dev/null +++ b/0053-90qemu-fixed-systemd-detect-virt-output-parsing.patch @@ -0,0 +1,38 @@ +From 4135eea634b20c7f7285d134bd6dfe6b799fe226 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Fri, 31 Jul 2015 09:05:51 +0200 +Subject: [PATCH] 90qemu: fixed systemd-detect-virt output parsing + +redirecting systemd-detect-virt to /dev/null doesn't help with parsing +the output :-/ + +Also, add "Red Hat" as a vendor. +--- + modules.d/90qemu/module-setup.sh | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/modules.d/90qemu/module-setup.sh b/modules.d/90qemu/module-setup.sh +index 66ef884..8cae124 100755 +--- a/modules.d/90qemu/module-setup.sh ++++ b/modules.d/90qemu/module-setup.sh +@@ -3,7 +3,7 @@ + # called by dracut + check() { + if type -P systemd-detect-virt >/dev/null 2>&1; then +- vm=$(systemd-detect-virt --vm >/dev/null 2>&1) ++ vm=$(systemd-detect-virt --vm 2>/dev/null) + (($? != 0)) && return 255 + [[ $vm = "qemu" ]] && return 0 + [[ $vm = "kvm" ]] && return 0 +@@ -13,8 +13,9 @@ check() { + for i in /sys/class/dmi/id/*_vendor; do + [[ -f $i ]] || continue + read vendor < $i +- [[ "$vendor" == "QEMU" ]] && return 0 +- [[ "$vendor" == "Bochs" ]] && return 0 ++ [[ "$vendor" == "QEMU" ]] && return 0 ++ [[ "$vendor" == "Red Hat" ]] && return 0 ++ [[ "$vendor" == "Bochs" ]] && return 0 + done + return 255 + } diff --git a/0054-Remove-98integrity-s-dependency-on-selinux.patch b/0054-Remove-98integrity-s-dependency-on-selinux.patch new file mode 100644 index 0000000..20eb07f --- /dev/null +++ b/0054-Remove-98integrity-s-dependency-on-selinux.patch @@ -0,0 +1,24 @@ +From b05ad85b0c46d1001945bcb8c300a34eca2dd2da Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Mon, 27 Apr 2015 18:24:11 -0400 +Subject: [PATCH] Remove 98integrity's dependency on selinux + +Loading the EVM key(s) is not dependent on selinux. Remove +the dependency. +--- + modules.d/98integrity/module-setup.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh +index a838664..2d4d2ed 100755 +--- a/modules.d/98integrity/module-setup.sh ++++ b/modules.d/98integrity/module-setup.sh +@@ -7,7 +7,7 @@ check() { + + # called by dracut + depends() { +- echo masterkey securityfs selinux ++ echo masterkey securityfs + return 0 + } + diff --git a/0055-Extend-evm-enable.sh-to-load-the-EVM-public-key.patch b/0055-Extend-evm-enable.sh-to-load-the-EVM-public-key.patch new file mode 100644 index 0000000..dd60426 --- /dev/null +++ b/0055-Extend-evm-enable.sh-to-load-the-EVM-public-key.patch @@ -0,0 +1,70 @@ +From 396d3cc7ff39e54ce2de1fa9389348238b0ed92e Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Mon, 27 Apr 2015 18:24:12 -0400 +Subject: [PATCH] Extend evm-enable.sh to load the EVM public key + +Create the _evm keyring and load the EVM public key on it. +--- + modules.d/98integrity/evm-enable.sh | 42 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +diff --git a/modules.d/98integrity/evm-enable.sh b/modules.d/98integrity/evm-enable.sh +index dee1c6c..ec4f03b 100755 +--- a/modules.d/98integrity/evm-enable.sh ++++ b/modules.d/98integrity/evm-enable.sh +@@ -48,6 +48,45 @@ load_evm_key() + info "integrity: failed to load the EVM encrypted key: ${EVMKEYDESC}"; + return 1; + } ++ return 0 ++} ++ ++load_evm_x509() ++{ ++ info "Load EVM IMA X509" ++ ++ # override the EVM key path name from the 'evmx509=' parameter in ++ # the kernel command line ++ EVMX509ARG=$(getarg evmx509=) ++ [ $? -eq 0 ] && \ ++ EVMX509=${EVMX509ARG} ++ ++ # set the default value ++ [ -z "${EVMX509}" ] && \ ++ EVMX509="/etc/keys/x509_evm.der"; ++ ++ # set the EVM public key path name ++ EVMX509PATH="${NEWROOT}${EVMX509}" ++ ++ # check for EVM public key's existence ++ if [ ! -f "${EVMX509PATH}" ]; then ++ if [ "${RD_DEBUG}" = "yes" ]; then ++ info "integrity: EVM x509 cert file not found: ${EVMX509PATH}" ++ fi ++ return 1 ++ fi ++ ++ # load the EVM public key onto the EVM keyring ++ evm_pubid=`keyctl newring _evm @u` ++ EVMX509ID=$(evmctl import ${EVMX509PATH} ${evm_pubid}) ++ [ $? -eq 0 ] || { ++ info "integrity: failed to load the EVM X509 cert ${EVMX509PATH}"; ++ return 1; ++ } ++ ++ if [ "${RD_DEBUG}" = "yes" ]; then ++ keyctl show @u ++ fi + + return 0 + } +@@ -76,6 +115,9 @@ enable_evm() + # load the EVM encrypted key + load_evm_key || return 1 + ++ # load the EVM public key, if it exists ++ load_evm_x509 ++ + # initialize EVM + info "Enabling EVM" + echo 1 > ${EVMSECFILE} diff --git a/0056-Define-new-script-to-load-keys-on-the-IMA-keyring-up.patch b/0056-Define-new-script-to-load-keys-on-the-IMA-keyring-up.patch new file mode 100644 index 0000000..fdb2668 --- /dev/null +++ b/0056-Define-new-script-to-load-keys-on-the-IMA-keyring-up.patch @@ -0,0 +1,135 @@ +From 41ac16b26fe05c8291d3467b8a7bee1bc2445393 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Wed, 29 Apr 2015 11:05:25 -0400 +Subject: [PATCH] Define new script to load keys on the IMA keyring (update) + +This patch supports loading keys either on the _ima keyring or, as of +Linux 3.17, on the trusted .ima keyring. Only certificates signed by +a key on the system keyring can be loaded onto the trusted .ima keyring. + +Changelog: +- Update 98integrity/README +--- + modules.d/98integrity/README | 28 +++++++++++++++ + modules.d/98integrity/ima-keys-load.sh | 62 ++++++++++++++++++++++++++++++++++ + modules.d/98integrity/module-setup.sh | 2 ++ + 3 files changed, 92 insertions(+) + create mode 100755 modules.d/98integrity/ima-keys-load.sh + +diff --git a/modules.d/98integrity/README b/modules.d/98integrity/README +index d74e063..64de0ae 100644 +--- a/modules.d/98integrity/README ++++ b/modules.d/98integrity/README +@@ -38,3 +38,31 @@ line. + ------------- '/etc/sysconfig/ima' (with the default value) ------------- + IMAPOLICY="/etc/sysconfig/ima-policy" + ------------------------------------------------------------------------- ++ ++ ++# Information on loading distro, third party or local keys on the trusted IMA keyring ++ ++# Loading distro, third party or local keys on the trusted IMA keyring requires ++# creating a local certificate authority(local-CA), installing the local-CA's ++# public key on the system-keyring and signing the certificates with the local-CA ++# key. ++# ++# Many directions for creating a mini certificate authority exist on the web ++# (eg. openssl, yubikey). (Reminder: safely storing the private key offline is ++# really important, especially in the case of the local-CA's private key.) The ++# local-CA's public key can be loaded onto the system keyring either by building ++# the key into the kernel or, on Fedora, storing it in the UEFI/Mok keyring. (As ++# of writing, the patches for loading the UEFI/Mok keys on the system-keyring ++# have not been upstreamed.) ++# ++# To view the system keyring: keyctl show %keyring:.system_keyring ++# ++# Most on-line directions for signing certificates requires creating a Certificate ++# Signing Request (CSR). Creating such a request requires access to the private ++# key, which would not be available when signing distro or 3rd party certificates. ++# Openssl provides the "-ss_cert" option for directly signing certificates. ++ ++# 98integrity/ima-keys-load.sh script loads the signed certificates stored ++# in the $IMAKEYSDIR onto the trusted IMA keyring. The default $IMAKEYSDIR ++# directory is /etc/keys/ima, but can be specified in the /etc/sysconfig/ima ++# policy. +diff --git a/modules.d/98integrity/ima-keys-load.sh b/modules.d/98integrity/ima-keys-load.sh +new file mode 100755 +index 0000000..659b722 +--- /dev/null ++++ b/modules.d/98integrity/ima-keys-load.sh +@@ -0,0 +1,62 @@ ++#!/bin/sh ++ ++SECURITYFSDIR="/sys/kernel/security" ++IMASECDIR="${SECURITYFSDIR}/ima" ++IMACONFIG="${NEWROOT}/etc/sysconfig/ima" ++ ++load_x509_keys() ++{ ++ KEYRING_ID=$1 ++ ++ # override the default configuration ++ if [ -f "${IMACONFIG}" ]; then ++ . ${IMACONFIG} ++ fi ++ ++ if [ -z "${IMAKEYDIR}" ]; then ++ IMAKEYSDIR="/etc/keys/ima" ++ fi ++ ++ PUBKEY_LIST=`ls ${NEWROOT}${IMAKEYSDIR}/*` ++ for PUBKEY in ${PUBKEY_LIST}; do ++ # check for public key's existence ++ if [ ! -f "${PUBKEY}" ]; then ++ if [ "${RD_DEBUG}" = "yes" ]; then ++ info "integrity: IMA x509 cert file not found: ${PUBKEY}" ++ fi ++ continue ++ fi ++ ++ X509ID=$(evmctl import ${PUBKEY} ${KEYRING_ID}) ++ if [ $? -ne 0 ]; then ++ info "integrity: IMA x509 cert not loaded on keyring: ${PUBKEY}" ++ fi ++ done ++ ++ if [ "${RD_DEBUG}" = "yes" ]; then ++ keyctl show ${KEYRING_ID} ++ fi ++ return 0 ++} ++ ++# check kernel support for IMA ++if [ ! -e "${IMASECDIR}" ]; then ++ if [ "${RD_DEBUG}" = "yes" ]; then ++ info "integrity: IMA kernel support is disabled" ++ fi ++ return 0 ++fi ++ ++# get the IMA keyring id ++line=$(keyctl describe %keyring:.ima) ++if [ $? -eq 0 ]; then ++ _ima_id=${line%%:*} ++else ++ _ima_id=`keyctl search @u keyring _ima` ++ if [ -z "${_ima_id}" ]; then ++ _ima_id=`keyctl newring _ima @u` ++ fi ++fi ++ ++# load the IMA public key(s) ++load_x509_keys ${_ima_id} +diff --git a/modules.d/98integrity/module-setup.sh b/modules.d/98integrity/module-setup.sh +index 2d4d2ed..34b33cd 100755 +--- a/modules.d/98integrity/module-setup.sh ++++ b/modules.d/98integrity/module-setup.sh +@@ -13,6 +13,8 @@ depends() { + + # called by dracut + install() { ++ dracut_install evmctl keyctl ls + inst_hook pre-pivot 61 "$moddir/evm-enable.sh" ++ inst_hook pre-pivot 61 "$moddir/ima-keys-load.sh" + inst_hook pre-pivot 62 "$moddir/ima-policy-load.sh" + } diff --git a/0057-Revert-securitfs-change.patch b/0057-Revert-securitfs-change.patch new file mode 100644 index 0000000..08b1af0 --- /dev/null +++ b/0057-Revert-securitfs-change.patch @@ -0,0 +1,24 @@ +From 4f50a9bfb109f1705ca987db6301c3c66a00ea75 Mon Sep 17 00:00:00 2001 +From: Mimi Zohar +Date: Mon, 27 Apr 2015 18:24:14 -0400 +Subject: [PATCH] Revert securitfs change + +Commit 5e60145 use findmnt with "--source" or "--target" broke +mounting securityfs. This patch reverts only the securityfs +portion of the patch. +--- + modules.d/96securityfs/securityfs.sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/modules.d/96securityfs/securityfs.sh b/modules.d/96securityfs/securityfs.sh +index 8ccb151..8e57571 100755 +--- a/modules.d/96securityfs/securityfs.sh ++++ b/modules.d/96securityfs/securityfs.sh +@@ -3,6 +3,6 @@ + SECURITYFSDIR="/sys/kernel/security" + export SECURITYFSDIR + +-if ! findmnt --target "${SECURITYFSDIR}" >/dev/null 2>&1; then ++if ! findmnt "${SECURITYFSDIR}" >/dev/null 2>&1; then + mount -t securityfs -o nosuid,noexec,nodev securityfs ${SECURITYFSDIR} >/dev/null 2>&1 + fi diff --git a/0058-base-dracut-lib.sh-Dup-stdout-and-stderr.patch b/0058-base-dracut-lib.sh-Dup-stdout-and-stderr.patch new file mode 100644 index 0000000..89d7775 --- /dev/null +++ b/0058-base-dracut-lib.sh-Dup-stdout-and-stderr.patch @@ -0,0 +1,67 @@ +From e6a2555c7ddde2ed542b2aae01d78a5c9309bf80 Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 10 Aug 2015 13:40:43 +0200 +Subject: [PATCH] base/dracut-lib.sh: Dup stdout and stderr + +Dup stdout and stderr, so that subshell redirection does not affect +logging. + +Also gets rid of systemd printing info() to the console on "quiet". +--- + modules.d/99base/dracut-lib.sh | 24 ++++++++++++++++++++---- + 1 file changed, 20 insertions(+), 4 deletions(-) + +diff --git a/modules.d/99base/dracut-lib.sh b/modules.d/99base/dracut-lib.sh +index 5ec7b23..200c263 100755 +--- a/modules.d/99base/dracut-lib.sh ++++ b/modules.d/99base/dracut-lib.sh +@@ -51,29 +51,45 @@ str_ends() { + [ "${1%*"$2"}" != "$1" ] + } + ++# Dup stdout and stderr, so that subshell redirection does not affect logging. ++if [ -z "$DRACUT_STDOUT" ]; then ++ if [ -n "$BASH" ]; then ++ readonly DRACUT_STDOUT=98 ++ readonly DRACUT_STDERR=98 ++ exec 98>&1 ++ exec 99>&2 ++ else ++ readonly DRACUT_STDOUT=8 ++ readonly DRACUT_STDERR=9 ++ exec 8>&1 ++ exec 9>&2 ++ fi ++fi ++ ++ + if [ -z "$DRACUT_SYSTEMD" ]; then + + warn() { + check_quiet + echo "<28>dracut Warning: $*" > /dev/kmsg +- echo "dracut Warning: $*" >&2 ++ echo "dracut Warning: $*" >&$DRACUT_STDERR + } + + info() { + check_quiet + echo "<30>dracut: $*" > /dev/kmsg + [ "$DRACUT_QUIET" != "yes" ] && \ +- echo "dracut: $*" >&2 ++ echo "dracut: $*" >&$DRACUT_STDERR + } + + else + + warn() { +- echo "Warning: $*" >&2 ++ echo "Warning: $*" >&$DRACUT_STDERR + } + + info() { +- echo "$*" >&2 ++ echo "$*" >&$DRACUT_STDOUT + } + + fi diff --git a/0059-dracut.sh-remove-quotes-from-install_items-and-insta.patch b/0059-dracut.sh-remove-quotes-from-install_items-and-insta.patch new file mode 100644 index 0000000..2fa85a1 --- /dev/null +++ b/0059-dracut.sh-remove-quotes-from-install_items-and-insta.patch @@ -0,0 +1,26 @@ +From 3c00189988f6921c1affdd61a0f5025ee9b93bda Mon Sep 17 00:00:00 2001 +From: Harald Hoyer +Date: Mon, 10 Aug 2015 14:05:15 +0200 +Subject: [PATCH] dracut.sh: remove quotes from install_items and + install_optional_items + +Unfortunately these are lists with whitespaces. +--- + dracut.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/dracut.sh b/dracut.sh +index 77874ba..f7d31a4 100755 +--- a/dracut.sh ++++ b/dracut.sh +@@ -1453,8 +1453,8 @@ if [[ $no_kernel != yes ]]; then + fi + + if [[ $kernel_only != yes ]]; then +- (( ${#install_items[@]} > 0 )) && inst_multiple "${install_items[@]}" +- (( ${#install_optional_items[@]} > 0 )) && inst_multiple -o "${install_optional_items[@]}" ++ (( ${#install_items[@]} > 0 )) && inst_multiple ${install_items[@]} ++ (( ${#install_optional_items[@]} > 0 )) && inst_multiple -o ${install_optional_items[@]} + + [[ $kernel_cmdline ]] && printf "%s\n" "$kernel_cmdline" >> "${initdir}/etc/cmdline.d/01-default.conf" + diff --git a/dracut.spec b/dracut.spec index d3e3e18..f287e79 100644 --- a/dracut.spec +++ b/dracut.spec @@ -11,7 +11,7 @@ Name: dracut Version: 043 -Release: 40.git20150710%{?dist}.2 +Release: 60.git20150811%{?dist} Summary: Initramfs generator using udev %if 0%{?fedora} || 0%{?rhel} @@ -68,7 +68,27 @@ Patch35: 0035-dracut-functions.sh-simplify-some-for-loops.patch Patch36: 0036-dracut.sh-reduce-code.patch Patch37: 0037-dracut.sh-remember-0-for-regenerate-all.patch Patch38: 0038-dracut.sh-early-check-for-bash-version.patch -Patch39: 0039-dracut.spec-add-dracut-init.sh.patch +Patch39: 0039-network-add-rd.peerdns-0-parameter.patch +Patch40: 0040-TODO-update.patch +Patch41: 0041-crypt-skip-crypttab-entries-with-the-same-device.patch +Patch42: 0042-dracut-systemd-dracut-initqueue-only-start-service-i.patch +Patch43: 0043-Replace-echo-n-with-printf-in-code-with-a-bin-sh-she.patch +Patch44: 0044-syncheck-Look-for-echo-n-usage-in-modules.patch +Patch45: 0045-dracut.spec-add-dracut-init.sh.patch +Patch46: 0046-use-mktemp-p-instead-of-tmpdir-for-busybox.patch +Patch47: 0047-dmsquash-generator.sh-increase-timeout-for-checkisom.patch +Patch48: 0048-Cleanup-compressor-handling.patch +Patch49: 0049-Add-missing-echo-to-output-the-result.patch +Patch50: 0050-crypt-s-allow-discards-discard-for-crypttab.patch +Patch51: 0051-qemu-add-spapr-vscsi-kernel-module.patch +Patch52: 0052-dracut.sh-simplify-modalias-reading.patch +Patch53: 0053-90qemu-fixed-systemd-detect-virt-output-parsing.patch +Patch54: 0054-Remove-98integrity-s-dependency-on-selinux.patch +Patch55: 0055-Extend-evm-enable.sh-to-load-the-EVM-public-key.patch +Patch56: 0056-Define-new-script-to-load-keys-on-the-IMA-keyring-up.patch +Patch57: 0057-Revert-securitfs-change.patch +Patch58: 0058-base-dracut-lib.sh-Dup-stdout-and-stderr.patch +Patch59: 0059-dracut.sh-remove-quotes-from-install_items-and-insta.patch Source1: https://www.gnu.org/licenses/lgpl-2.1.txt @@ -100,7 +120,6 @@ BuildRequires: docbook-style-xsl docbook-dtds libxslt BuildRequires: asciidoc %endif - %if 0%{?fedora} > 12 || 0%{?rhel} # no "provides", because dracut does not offer # all functionality of the obsoleted packages @@ -135,16 +154,16 @@ Requires: grep Requires: kmod Requires: sed Requires: xz +Requires: gzip %if 0%{?fedora} > 22 Recommends: grubby Recommends: hardlink -Recommends: gzip +Recommends: pigz Recommends: kpartx %else Requires: hardlink Requires: gzip -Requires: xz Requires: kpartx %endif @@ -529,6 +548,12 @@ rm -rf -- $RPM_BUILD_ROOT %endif %changelog +* Tue Aug 11 2015 Harald Hoyer 043-60.git20150811 +- fixed checkiso timeout +- fixed log output although quiet is set +- fixed qemu detection +- cleanup compressor handling + * Wed Jul 22 2015 Harald Hoyer 043-40.git20150710.2 - require "xz" to handle the kernel modules