diff --git a/SOURCES/0190.patch b/SOURCES/0190.patch
index 7e63eb0..395305c 100644
--- a/SOURCES/0190.patch
+++ b/SOURCES/0190.patch
@@ -56,3 +56,4 @@ index baf6dcff..4962316d 100644
 if (dracut_install(clib, clib, false, false, true) == 0)
 log_debug("Lib install: '%s'", clib);
 /* also install lib.so for lib.so.* files */
+
diff --git a/SOURCES/0191.patch b/SOURCES/0191.patch
new file mode 100644
index 0000000..2368589
--- /dev/null
+++ b/SOURCES/0191.patch
@@ -0,0 +1,243 @@
+From e2c7b61f97465b26c598d655c8717403c0a73726 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Sat, 13 Nov 2021 16:35:23 +0100
+Subject: [PATCH] ci: introduce C8S based GHA CI
+
+Loosely based on the upstream dracut CI to make things simpler.
+
+rhel-only
+---
+ .github/workflows/container.yml | 52 +++++++++++++++++++++++++++++
+ .github/workflows/integration.yml | 48 +++++++++++++++++++++++++++
+ test/container/Dockerfile-CentOS-8-Stream | 54 +++++++++++++++++++++++++++++++
+ tools/test-github.sh | 49 ++++++++++++++++++++++++++++
+ 4 files changed, 203 insertions(+)
+
+diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
+new file mode 100644
+index 00000000..0a4c000f
+--- /dev/null
++++ b/.github/workflows/container.yml
+@@ -0,0 +1,52 @@
++name: Container
++on:
++ schedule:
++ - cron: '30 11 * * *'
++ push:
++ branches: [ main ]
++ paths:
++ - 'test/container/**'
++ - '.github/workflows/container.yml'
++ pull_request:
++ branches: [ main ]
++ paths:
++ - 'test/container/**'
++ - '.github/workflows/container.yml'
++
++permissions:
++ packages: write
++ contents: read
++
++jobs:
++ push_to_registry:
++ name: Build and push containers image to GitHub Packages
++ runs-on: ubuntu-latest
++ concurrency:
++ group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.config.dockerfile }}
++ cancel-in-progress: true
++ strategy:
++ fail-fast: false
++ matrix:
++ config:
++ # Use a prefixed image name to not conflict with the "centos"
++ # image from redhat-plumbers/dracut-rhel9
++ - { dockerfile: 'Dockerfile-CentOS-8-Stream', tag: 'rhel8_centos:stream8' }
++ steps:
++ - name: Check out the repo
++ uses: actions/checkout@v2
++ - name: Set up Docker Buildx
++ uses: docker/setup-buildx-action@v1
++# with:
++# buildkitd-flags: --debug
++ - name: Login to GitHub Container Registry
++ uses: docker/login-action@v1
++ with:
++ registry: ghcr.io
++ username: ${{ github.repository_owner }}
++ password: ${{ secrets.GITHUB_TOKEN }}
++ - name: Build and Push Container
++ uses: docker/build-push-action@v2
++ with:
++ file: test/container/${{ matrix.config.dockerfile }}
++ tags: ghcr.io/${{ github.repository_owner }}/${{ matrix.config.tag }}
++ push: ${{ github.event_name == 'push' || github.event_name == 'schedule' }}
+diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
+new file mode 100644
+index 00000000..80a856a2
+--- /dev/null
++++ b/.github/workflows/integration.yml
+@@ -0,0 +1,48 @@
++name: Integration Test
++
++on:
++ pull_request:
++ branches: [ main ]
++
++jobs:
++ centos-8-stream:
++ runs-on: ubuntu-latest
++ timeout-minutes: 45
++ concurrency:
++ group: ${{ github.workflow }}-${{ github.ref }}-${{ matrix.container }}-${{ matrix.test }}
++ cancel-in-progress: true
++ strategy:
++ matrix:
++ container: [
++ "rhel8_centos:stream8",
++ ]
++ # Disabled tests (due to dropped packages in RHEL/CentOS):
++ # 03, 04, 15: requires btrfs
++ # 14: requires dmraid
++ # 30, 31, 35, 36: requires scsi-target-utils
++ test: [
++ "01",
++ "02",
++ "10",
++ "11",
++ "12",
++ "13",
++ "17",
++ "20",
++ #"21", needs backport (NFS + NM)
++ "40",
++ #"41", needws backport (NBD + NM)
++ "98",
++ ]
++ fail-fast: false
++ container:
++ image: ghcr.io/${{ github.repository_owner }}/${{ matrix.container }}
++ options: "--privileged -v /dev:/dev"
++ steps:
++ - name: "Checkout Repository"
++ uses: actions/checkout@v2
++ with:
++ fetch-depth: 0
++
++ - name: "${{ matrix.container }} TEST-${{ matrix.test }}"
++ run: ./tools/test-github.sh "TEST-${{ matrix.test }}" ${{ matrix.test }}
+diff --git a/test/container/Dockerfile-CentOS-8-Stream b/test/container/Dockerfile-CentOS-8-Stream
+new file mode 100644
+index 00000000..0eda4a7e
+--- /dev/null
++++ b/test/container/Dockerfile-CentOS-8-Stream
+@@ -0,0 +1,54 @@
++FROM quay.io/centos/centos:stream8
++
++MAINTAINER https://github.com/dracutdevs/dracut
++
++ENV container docker
++LABEL RUN="docker run -it --name NAME --privileged --ipc=host --net=host --pid=host -e NAME=NAME -e IMAGE=IMAGE IMAGE"
++
++RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)' > /etc/profile.d/dracut-test.sh
++
++# Install needed packages for the dracut CI container
++RUN dnf -y install epel-release && \
++ dnf -y install --enablerepo powertools --enablerepo epel --setopt=install_weak_deps=False \
++ qemu-kvm \
++ NetworkManager \
++ asciidoc \
++ bash-completion \
++ bzip2 \
++ cryptsetup \
++ dash \
++ dbus-daemon \
++ dhcp-client \
++ dhcp-server \
++ e2fsprogs \
++ gcc \
++ git \
++ iproute \
++ iputils \
++ iscsi-initiator-utils \
++ kbd \
++ kernel \
++ kmod-devel \
++ lvm2 \
++ make \
++ mdadm \
++ nfs-utils \
++ pigz \
++ python3-imgcreate \
++ rpm-build \
++ strace \
++ sudo \
++ tar \
++ tcpdump \
++ wget \
++ which \
++ xz \
++ && dnf -y update && dnf clean all
++
++# CentOS 8 ships only qemu-kvm, but it disables the KVM accel when it's not
++# available
++RUN ln -sv /usr/libexec/qemu-kvm /usr/bin/qemu-kvm && \
++ ln -sv /usr/libexec/qemu-kvm /usr/bin/qemu-system-$(uname -m)
++
++# Set default command
++CMD ["/usr/bin/bash"]
+diff --git a/tools/test-github.sh b/tools/test-github.sh
+new file mode 100755
+index 00000000..eab59dcc
+--- /dev/null
++++ b/tools/test-github.sh
+@@ -0,0 +1,49 @@
++#!/bin/bash
++
++set -ex
++
++[[ -d ${0%/*} ]] && cd "${0%/*}"/../
++
++RUN_ID="$1"
++TESTS=$2
++
++./configure
++
++NCPU=$(getconf _NPROCESSORS_ONLN)
++
++if ! [[ $TESTS ]]; then
++ # GitHub workflows fetch a clone of the dracut repository which doesn't
++ # contain git tags, thus "breaking" the RPM build in certain situations
++ # i.e.:
++ # DRACUT_MAIN_VERSION in Makefile is defined as an output of `git describe`,
++ # which in full git clone returns a tag with a numeric version. However,
++ # without tags it returns SHA of the last commit, which later propagates into
++ # `Provides:` attribute of the built RPM and can break dependency tree when
++ # installed
++ [[ -d .git ]] && git fetch --tags && git describe --tags
++ make -j "$NCPU" all syncheck rpm logtee
++else
++ if [[ $TESTS == "99" ]]; then
++ [[ -d .git ]] && git fetch --tags && git describe --tags
++ make_docs=yes
++ else
++ make_docs=no
++ fi
++
++ make -j "$NCPU" enable_documentation=$make_docs all logtee
++
++ cd test
++
++ # shellcheck disable=SC2012
++ time LOGTEE_TIMEOUT_MS=590000 make \
++ enable_documentation=$make_docs \
++ KVERSION="$(
++ cd /lib/modules
++ ls -1 | tail -1
++ )" \
++ DRACUT_NO_XATTR=1 \
++ TEST_RUN_ID="$RUN_ID" \
++ ${TESTS:+TESTS="$TESTS"} \
++ -k V=1 \
++ check
++fi
+
diff --git a/SOURCES/0192.patch b/SOURCES/0192.patch
new file mode 100644
index 0000000..d4f31aa
--- /dev/null
+++ b/SOURCES/0192.patch
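Review bot: `.github/workflows/integration.yml` declares no `permissions:` block, so its job gets the repository's default `GITHUB_TOKEN` scopes while it runs pull-request code in a container started with `--privileged -v /dev:/dev`; a workflow-level `permissions:` with `contents: read`, as `container.yml` in the same patch already has, keeps that token read-only. Both workflows reference actions by mutable tags (`actions/checkout@v2`, `docker/setup-buildx-action@v1`, `docker/login-action@v1`, `docker/build-push-action@v2`); pinning each to a full commit SHA stops a retagged action from running under `packages: write`. In `container.yml` the registry login step also runs on `pull_request`, although `push:` evaluates to false for that event, so `if: github.event_name != 'pull_request'` on the login step would keep the credentialed step out of PR builds.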
@@ -0,0 +1,78 @@
+From 436135496469ec24be1fc6fbc03a39d2575c8686 Mon Sep 17 00:00:00 2001
+From: Frantisek Sumsal
+Date: Sat, 13 Nov 2021 17:55:45 +0100
+Subject: [PATCH] ci: backport TEST-21-NFS-NM
+
+Loosely cherry-picked from a3f73298f287e75810d6784efa52e80af15da2bd.
+
+rhel-only
+---
+ .github/workflows/integration.yml | 3 +--
+ test/TEST-20-NFS/test.sh | 14 +++++++++++---
+ test/TEST-21-NFS-NM/Makefile | 12 ++++++++++++
+ 3 files changed, 24 insertions(+), 5 deletions(-)
+
+diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
+index 80a856a2..9c7c8486 100644
+--- a/.github/workflows/integration.yml
++++ b/.github/workflows/integration.yml
+@@ -29,9 +29,8 @@ jobs:
+ "13",
+ "17",
+ "20",
+- #"21", needs backport (NFS + NM)
++ "21",
+ "40",
+- #"41", needws backport (NBD + NM)
+ "98",
+ ]
+ fail-fast: false
+diff --git a/test/TEST-20-NFS/test.sh b/test/TEST-20-NFS/test.sh
+index 4ad7fd77..320f9c3e 100755
+--- a/test/TEST-20-NFS/test.sh
++++ b/test/TEST-20-NFS/test.sh
+@@ -1,5 +1,13 @@
+ #!/bin/bash
+-TEST_DESCRIPTION="root filesystem on NFS"
++if [[ $NM ]]; then
++ USE_NETWORK="network-manager"
++ OMIT_NETWORK="network-legacy"
++else
++ USE_NETWORK="network-legacy"
++ OMIT_NETWORK="network-manager"
++fi
++
++TEST_DESCRIPTION="root filesystem on NFS with $USE_NETWORK"
+
+ KVERSION=${KVERSION-$(uname -r)}
+
+@@ -353,8 +361,8 @@ test_setup() {
+
+ # Make client's dracut image
+ $basedir/dracut.sh -l -i $TESTDIR/overlay / \
+- -o "plymouth dash" \
+- -a "debug watchdog" \
++ -o "plymouth dash ${OMIT_NETWORK}" \
++ -a "debug watchdog ${USE_NETWORK}" \
+ -d "af_packet piix ide-gd_mod ata_piix sd_mod e1000 nfs sunrpc i6300esb" \
+ --no-hostonly-cmdline -N \
+ -f $TESTDIR/initramfs.testing $KVERSION || return 1
+diff --git a/test/TEST-21-NFS-NM/Makefile b/test/TEST-21-NFS-NM/Makefile
+new file mode 100644
+index 00000000..b19122a1
+--- /dev/null
++++ b/test/TEST-21-NFS-NM/Makefile
+@@ -0,0 +1,12 @@
++.PHONY: all setup clean run
++
++BASETEST=../TEST-20-NFS
++
++all:
++ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) all
++setup:
++ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) setup
++clean:
++ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) clean
++run:
++ @$(MAKE) NM=1 -s --no-print-directory -C $(BASETEST) run
+
diff --git a/SOURCES/0193.patch b/SOURCES/0193.patch
new file mode 100644
index 0000000..7137d69
--- /dev/null
+++ b/SOURCES/0193.patch
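Review bot: In `test/TEST-20-NFS/test.sh` the new `if [[ $NM ]]` is true for any non-empty value, so `NM=0` or `NM=no` in the environment would still select `network-manager`. The Makefile added by this patch only ever passes `NM=1`, so either compare explicitly with `if [[ $NM == 1 ]]; then` or document the contract with a comment such as `# NM: any non-empty value switches the test to network-manager`. The `integration.yml` hunk also deletes the `#"41"` line without enabling test 41, which removes the only record of why that test is skipped.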
@@ -0,0 +1,57 @@
+From fd907a1b2b1f087afa2eccfa1686043e4dbb5ff6 Mon Sep 17 00:00:00 2001
+From: q66
+Date: Sat, 25 Jul 2020 17:28:16 +0200
+Subject: [PATCH] dracut.sh: fix early microcode detection logic
+
+This fixes two issues:
+
+1) on non-x86 systems in non-hostonly config this would cause
+ an annoying warning on every initramfs generation
+2) on non-x86 systems in hostonly config this would result in
+ early microcode not getting disabled
+
+Resolves: rhbz#2022414
+---
+ dracut.sh | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index e559bb96..952c57c8 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1070,19 +1070,26 @@ fi
+
+ if [[ $early_microcode = yes ]]; then
+ if [[ $hostonly ]]; then
+- [[ $(get_cpu_vendor) == "AMD" ]] \
+- && ! check_kernel_config CONFIG_MICROCODE_AMD \
+- && unset early_microcode
+- [[ $(get_cpu_vendor) == "Intel" ]] \
+- && ! check_kernel_config CONFIG_MICROCODE_INTEL \
+- && unset early_microcode
++ if [[ $(get_cpu_vendor) == "AMD" ]]; then
++ check_kernel_config CONFIG_MICROCODE_AMD || unset early_microcode
++ elif [[ $(get_cpu_vendor) == "Intel" ]]; then
++ check_kernel_config CONFIG_MICROCODE_INTEL || unset early_microcode
++ else
++ unset early_microcode
++ fi
+ else
+ ! check_kernel_config CONFIG_MICROCODE_AMD \
+ && ! check_kernel_config CONFIG_MICROCODE_INTEL \
+ && unset early_microcode
+ fi
+- [[ $early_microcode != yes ]] \
+- && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE_[AMD|INTEL]!=y"
++ # Do not complain on non-x86 architectures as it makes no sense
++ case $(uname -m) in
++ x86_64|i?86)
++ [[ $early_microcode != yes ]] \
++ && dwarn "Disabling early microcode, because kernel does not support it. CONFIG_MICROCODE_[AMD|INTEL]!=y"
++ ;;
++ *) ;;
++ esac
+ fi
+
+ # Need to be able to have non-root users read stuff (rpcbind etc)
+
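Review bot: In the hostonly branch the new `else` arm unsets `early_microcode` for any CPU vendor other than AMD or Intel, yet on an x86 host the warning that follows still blames a missing `CONFIG_MICROCODE_[AMD|INTEL]`, which is not why it was disabled in that case. Because an image built without early microcode does not apply CPU microcode fixes at early boot, the message should name the real cause; wording the `dwarn` to cover both an unrecognised vendor and missing kernel support would be enough. `get_cpu_vendor` is also evaluated twice, and a single `vendor=$(get_cpu_vendor)` before the `if` reads more clearly. `get_cpu_vendor` and `check_kernel_config` are defined outside the hunk, so which vendor strings they can return is not visible here.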
diff --git a/SOURCES/0194.patch b/SOURCES/0194.patch
new file mode 100644
index 0000000..563777a
--- /dev/null
+++ b/SOURCES/0194.patch
@@ -0,0 +1,24 @@
+From ccd2823f5b75273445c7de36ff306fd23163f955 Mon Sep 17 00:00:00 2001
+From: Masahiro Matsuya
+Date: Fri, 11 Jun 2021 10:40:04 +0900
+Subject: [PATCH] fix(url-lib): make pre-pivot hook separetely per nfs mount
+
+Resolves: rhbz#1967802
+---
+ modules.d/45url-lib/url-lib.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/45url-lib/url-lib.sh b/modules.d/45url-lib/url-lib.sh
+index 08c3ebb4..56d0d683 100755
+--- a/modules.d/45url-lib/url-lib.sh
++++ b/modules.d/45url-lib/url-lib.sh
+@@ -143,7 +143,7 @@ nfs_fetch_url() {
+ local mntdir="$(mkuniqdir /run nfs_mnt)"
+ mount_nfs "$nfs:$server:$filepath${options:+:$options}" "$mntdir"
+ # lazy unmount during pre-pivot hook
+- inst_hook --hook pre-pivot --name 99url-lib-umount-nfs umount -l -- "$mntdir"
++ inst_hook --hook pre-pivot --name 99url-lib-umount-nfs-"$(basename "$mntdir")" umount -l -- "$mntdir"
+ fi
+
+ if [ -z "$outloc" ]; then
+
diff --git a/SOURCES/0195.patch b/SOURCES/0195.patch
new file mode 100644
index 0000000..d9e6084
--- /dev/null
+++ b/SOURCES/0195.patch
@@ -0,0 +1,27 @@
+From 8a4e5b5988d716259ad5b684dc2814d265007cb5 Mon Sep 17 00:00:00 2001
+From: Peter Levine
+Date: Mon, 1 Feb 2021 22:17:06 -0500
+Subject: [PATCH] fix(watchdog): replace return with echo
+
+(cherry picked from commit c35cbd2e561714207388af69820cee2743dbcbc3)
+
+Resolves: #1890039
+---
+ modules.d/04watchdog/module-setup.sh | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/04watchdog/module-setup.sh b/modules.d/04watchdog/module-setup.sh
+index 15bcd897..fdc62986 100755
+--- a/modules.d/04watchdog/module-setup.sh
++++ b/modules.d/04watchdog/module-setup.sh
+@@ -7,7 +7,8 @@ check() {
+
+ # called by dracut
+ depends() {
+- return "watchdog-modules"
++ echo watchdog-modules
++ return 0
+ }
+
+ # called by dracut
+
diff --git a/SOURCES/0196.patch b/SOURCES/0196.patch
new file mode 100644
index 0000000..481d6f5
--- /dev/null
+++ b/SOURCES/0196.patch
@@ -0,0 +1,68 @@
+From c7b21c88d27aace097ce9bc1fc36f4b742858737 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 22 Nov 2021 16:40:39 +0100
+Subject: [PATCH] fix(network): add errors and warnings when network interface
+ does not exist
+
+End with error, or show a warning when nonexistent device is specified for network setup like
+`ip=10.12.8.12::10.12.255.254:255.255.0.0:xk12:eth0:off`.
+
+I've added the error only for `write-ifcfg.sh`, as I think no such setup should be written.
+
+Resolves: #1712424
+---
+ modules.d/35network-legacy/ifup.sh | 6 +++++-
+ modules.d/35network-legacy/parse-ip-opts.sh | 5 +++++
+ modules.d/45ifcfg/write-ifcfg.sh | 5 +++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/35network-legacy/ifup.sh b/modules.d/35network-legacy/ifup.sh
+index bd560379..0e9a6928 100755
+--- a/modules.d/35network-legacy/ifup.sh
++++ b/modules.d/35network-legacy/ifup.sh
+@@ -413,7 +413,11 @@ for p in $(getargs ip=); do
+
+ # If this option isn't directed at our interface, skip it
+ if [ -n "$dev" ]; then
+- [ "$dev" != "$netif" ] && continue
++ if [ "$dev" != "$netif" ]; then
++ [ ! -e "/sys/class/net/$dev" ] \
++ && warn "Network interface '$dev' does not exist!"
++ continue
++ fi
+ else
+ iface_is_enslaved "$netif" && continue
+ fi
+diff --git a/modules.d/35network-legacy/parse-ip-opts.sh b/modules.d/35network-legacy/parse-ip-opts.sh
+index 10a2d19b..eea0988c 100755
+--- a/modules.d/35network-legacy/parse-ip-opts.sh
++++ b/modules.d/35network-legacy/parse-ip-opts.sh
+@@ -96,6 +96,11 @@ for p in $(getargs ip=); do
+ fi
+ # IFACES list for later use
+ IFACES="$IFACES $dev"
++
++ # Interface should exist
++ if [ ! -e "/sys/class/net/$dev" ]; then
++ warn "Network interface '$dev' does not exist"
++ fi
+ fi
+
+ # Do we need to check for specific options?
+diff --git a/modules.d/45ifcfg/write-ifcfg.sh b/modules.d/45ifcfg/write-ifcfg.sh
+index abd111fc..7e767f15 100755
+--- a/modules.d/45ifcfg/write-ifcfg.sh
++++ b/modules.d/45ifcfg/write-ifcfg.sh
+@@ -100,6 +100,11 @@ interface_bind() {
+ local _netif="$1"
+ local _macaddr="$2"
+
++ if [ ! -e "/sys/class/net/$_netif" ]; then
++ derror "Cannot find network interface '$_netif'!"
++ return 1
++ fi
++
+ # see, if we can bind it to some hw parms
+ if hw_bind "$_netif" "$_macaddr"; then
+ # only print out DEVICE, if it's user assigned
+
diff --git a/SOURCES/0197.patch b/SOURCES/0197.patch
new file mode 100644
index 0000000..7781b40
--- /dev/null
+++ b/SOURCES/0197.patch
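Review bot: The existence test added to `parse-ip-opts.sh` checks `/sys/class/net/$dev` while the `ip=` arguments are being parsed; if that runs before the NIC driver has registered the device, or if `$dev` names a bond, bridge or VLAN that is only created later, a valid setting will trigger the warning (inferred, the hook ordering is not visible in this hunk). A comment stating when the check is reliable would help, for example `# NOTE: only meaningful once the kernel has registered the interface`. In `ifup.sh` the same warning fires for every `ip=` entry aimed at another interface each time the script runs, so it may repeat. `interface_bind` in `write-ifcfg.sh` now returns 1, but its callers are outside the hunk, so whether they act on that status cannot be confirmed here.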
@@ -0,0 +1,54 @@
+From 0a6125bf834c5a1808e4898f46093bc2ab2fed05 Mon Sep 17 00:00:00 2001
+From: Harald Hoyer
+Date: Wed, 23 Oct 2019 14:16:56 +0200
+Subject: [PATCH] dracut.sh: add check for invalid configuration files
+
+Emit a warning about possible misconfigured configuration files, where
+the spaces around values are missing for +=""
+
+Better report a possible source of problems. We can fix annoying false
+positives later.
+
+(cherry picked from commit dfe2247a43d6a216d9af533825c9a103e3b056cd)
+
+Resolves: #1946245
+---
+ dracut.sh | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index 952c57c8..702b2f78 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -277,6 +277,14 @@ read_arg() {
+ fi
+ }
+
++check_conf_file()
++{
++ if grep -H -e '^[^#]*[+]=\("[^ ]\|.*[^ ]"\)' "$@"; then
++ printf '\ndracut: WARNING: +=" ": should have surrounding white spaces!\n' >&2
++ printf 'dracut: WARNING: This will lead to unwanted side effects! Please fix the configuration file.\n\n' >&2
++ fi
++}
++
+ dropindirs_sort()
+ {
+ local suffix=$1; shift
+@@ -697,10 +705,14 @@ if [[ ! -d $confdir ]]; then
+ fi
+
+ # source our config file
+-[[ -f $conffile ]] && . "$conffile"
++if [[ -f $conffile ]]; then
++ check_conf_file "$conffile"
++ . "$conffile"
++fi
+
+ # source our config dir
+ for f in $(dropindirs_sort ".conf" "$confdir" "$dracutbasedir/dracut.conf.d"); do
++ check_conf_file "$f"
+ [[ -e $f ]] && . "$f"
+ done
+
+
diff --git a/SOURCES/0198.patch b/SOURCES/0198.patch
new file mode 100644
index 0000000..4231fb1
--- /dev/null
+++ b/SOURCES/0198.patch
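Review bot: `check_conf_file` lets `grep -H` print the offending lines on stdout while the explanatory warning goes to stderr, so the two are separated as soon as either stream is redirected, and dracut's stdout gains extra text. Sending the matches to stderr keeps them together: `if grep -H -e '^[^#]*[+]=\("[^ ]\|.*[^ ]"\)' "$@" >&2; then`. In the config-directory loop the check runs before the `[[ -e $f ]]` test, so a path that does not exist makes grep report an error; `[[ -e $f ]] || continue` as the first line of the loop body avoids that. The check is advisory only, since the file is sourced as shell code either way.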
@@ -0,0 +1,34 @@ +From c99f396a5d456520b34c60f43c589ca39a301955 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Renaud=20M=C3=A9trich?= +Date: Wed, 14 Nov 2018 13:19:27 +0100 +Subject: [PATCH] fips: removed false-positive 'FATAL: Module xxx not found' + error message when kernel provides a generic algo for module + +Resolves: rhbz#1996019 +--- + modules.d/01fips/fips.sh | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh +index 03da6861..1d57a889 100755 +--- a/modules.d/01fips/fips.sh ++++ b/modules.d/01fips/fips.sh +@@ -77,7 +77,7 @@ fips_load_crypto() + mv /etc/modprobe.d/fips.conf /etc/modprobe.d/fips.conf.bak + for _module in $FIPSMODULES; do + if [ "$_module" != "tcrypt" ]; then +- if ! modprobe "${_module}"; then ++ if ! modprobe "${_module}" 2>/tmp/fips.modprobe_err; then + # check if kernel provides generic algo + _found=0 + while read _k _s _v || [ -n "$_k" ]; do +@@ -86,7 +86,7 @@ fips_load_crypto() + _found=1 + break + done &2 && return 1 + fi + fi + done + diff --git a/SOURCES/0199.patch b/SOURCES/0199.patch new file mode 100644 index 0000000..5863d26 --- /dev/null +++ b/SOURCES/0199.patch 
@@ -0,0 +1,37 @@
+From 876196e809f4ffac055737921cfe273d8399b6e4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Renaud=20M=C3=A9trich?=
+Date: Tue, 16 Nov 2021 11:15:52 +0100
+Subject: [PATCH] fix(shutdown): be robust against forced shutdown
+
+When a forced shutdown is issued through sending a burst of Ctrl-Alt-Del
+keys, systemd sends SIGTERM to all processes. This ends up killing
+dracut-initramfs-restore as well, preventing the script from detecting
+that the unpack of the initramfs is incomplete, which later causes a
+crash to happen when "shutdown" tries to execute from the unpacked
+initramfs.
+
+This fix makes sure dracut-initramfs-restore remains alive to detect
+the unpack failed (because cpio was killed by systemd too).
+
+Resolves: rhbz#2023665
+---
+ dracut-initramfs-restore.sh | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dracut-initramfs-restore.sh b/dracut-initramfs-restore.sh
+index 74a952c4..708f98d7 100644
+--- a/dracut-initramfs-restore.sh
++++ b/dracut-initramfs-restore.sh
+@@ -6,6 +6,11 @@ set -e
+ [ -e /run/initramfs/bin/sh ] && exit 0
+ [ -e /run/initramfs/.need_shutdown ] || exit 0
+
++# SIGTERM signal is received upon forced shutdown: ignore the signal
++# We want to remain alive to be able to trap unpacking errors to avoid
++# switching root to an incompletely unpacked initramfs
++trap 'echo "Received SIGTERM signal, ignoring!" >&2' TERM
++
+ KERNEL_VERSION="$(uname -r)"
+
+ [[ $dracutbasedir ]] || dracutbasedir=/usr/lib/dracut
+
diff --git a/SOURCES/0200.patch b/SOURCES/0200.patch
new file mode 100644
index 0000000..32ea347
--- /dev/null
+++ b/SOURCES/0200.patch
@@ -0,0 +1,84 @@
+From f5ffe8bc95ee989ef39b7c149d268b5988f952a0 Mon Sep 17 00:00:00 2001
+From: Jonathan Lebon
+Date: Thu, 17 Jun 2021 10:47:33 -0400
+Subject: [PATCH] fix(fips): handle s390x OSTree systems
+
+On s390x, the `BOOT_IMAGE` karg injected by the bootloader is not a path
+to the kernel image, but rather an integer describing the index of the
+menu entry selected. Because of the way the s390x bootloader works,
+there is no information retained about e.g. the path of the kernel that
+was loaded.
+
+This causes issues for the FIPS code which assumes that `BOOT_IMAGE` is
+a path to the kernel image to derive the HMAC path. In non-OSTree
+systems, this ends up working anyway, because the kernel is located at
+the root of the boot partition. In OSTree systems, this is not the
+case. However, OSTree systems use BLS configs, and they are named in
+reverse order of precedence (i.e. menu ordering). So from the
+`BOOT_IMAGE` integer, we can figure out which BLS entry was selected.
+
+Add some code to do just this on s390x. This isn't completely foolproof,
+because it presumes that (1) BLS configs were used to populate the
+bootloader (and that they were exactly in the same state they currently
+are when `zipl` was run), and (2) there are no other menu entries
+originating from outside the BLS configs. However, if these assumptions
+are wrong we would simply fail the boot, which is currently what is
+happening anyway.
+
+See also:
+https://github.com/openshift/os/pull/546
+https://github.com/ibm-s390-linux/s390-tools/issues/78
+
+Tested-by: Muhammad Adeel
+
+Resolves: rhbz#2007586
+---
+ modules.d/01fips/fips.sh | 21 +++++++++++++++++++++
+ modules.d/01fips/module-setup.sh | 2 +-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/modules.d/01fips/fips.sh b/modules.d/01fips/fips.sh
+index 1d57a889..c57fd426 100755
+--- a/modules.d/01fips/fips.sh
++++ b/modules.d/01fips/fips.sh
+@@ -114,6 +114,27 @@ do_fips()
+ else
+ BOOT_IMAGE="$(getarg BOOT_IMAGE)"
+
++ # On s390x, BOOT_IMAGE isn't a path but an integer representing the
++ # entry number selected. Let's try the root of /boot first, and
++ # otherwise fallback to trying to parse the BLS entries if it's a
++ # BLS-based system.
++ if [ "$(uname -m)" = s390x ]; then
++ if [ -e "/boot/vmlinuz-${KERNEL}" ]; then
++ BOOT_IMAGE="vmlinuz-${KERNEL}"
++ elif [ -d /boot/loader/entries ]; then
++ i=0
++ for bls in $(ls -d /boot/loader/entries/*.conf | sort -rV); do
++ ((i++))
++
++ if [ $i -eq ${BOOT_IMAGE:-0} ] && [ -r "$bls" ]; then
++ BOOT_IMAGE="$(grep -e '^linux' "$bls" | grep -o ' .*$')"
++ BOOT_IMAGE=${BOOT_IMAGE:1}
++ break
++ fi
++ done
++ fi
++ fi
++
+ # Trim off any leading GRUB boot device (e.g. ($root) )
+ BOOT_IMAGE="$(echo "${BOOT_IMAGE}" | sed 's/^(.*)//')"
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index 8800a49e..71bea53a 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -67,7 +67,7 @@ install() {
+ inst_hook pre-udev 01 "$moddir/fips-load-crypto.sh"
+ inst_script "$moddir/fips.sh" /sbin/fips.sh
+
+- inst_multiple sha512hmac rmmod insmod mount uname umount
++ inst_multiple sha512hmac rmmod insmod mount uname umount grep sort
+
+ inst_simple /etc/system-fips
+ [ -c ${initdir}/dev/random ] || mknod ${initdir}/dev/random c 1 8 \
diff --git a/SPECS/dracut.spec b/SPECS/dracut.spec
index 30a1521..9da2ef9 100644
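Review bot: In the new s390x branch of `do_fips`, `[ $i -eq ${BOOT_IMAGE:-0} ]` expands the kernel command-line value unquoted into an integer test, so a `BOOT_IMAGE` that is not a number makes `[` report an error on every iteration and a value containing spaces changes the test's arguments; quote both operands, `[ "$i" -eq "${BOOT_IMAGE:-0}" ]`. The block also uses bash-only syntax, `((i++))` and `${BOOT_IMAGE:1}`; if `fips.sh` is run by a POSIX shell (its shebang is outside the hunk) the counter never advances and no entry matches, and `i=$((i + 1))` with `BOOT_IMAGE="${BOOT_IMAGE# }"` are the portable forms. `$(ls -d ... | sort -rV)` splits on whitespace in file names, and `ls` is not in the `inst_multiple` line that this patch extends with `grep sort`, so confirm another module installs it. When nothing matches, `BOOT_IMAGE` keeps the integer and the later HMAC lookup fails, which the description gives as the accepted outcome; a comment at the end of the loop saying so would save the next reader the trace.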
--- a/SPECS/dracut.spec +++ b/SPECS/dracut.spec @@ -5,7 +5,7 @@ # strip the automatically generated dep here and instead co-own the # directory. %global __requires_exclude pkg-config -%define dist_free_release 191.git20210920 +%define dist_free_release 201.git20220131 Name: dracut Version: 049 @@ -218,6 +218,16 @@ Patch187: 0187.patch Patch188: 0188.patch Patch189: 0189.patch Patch190: 0190.patch +Patch191: 0191.patch +Patch192: 0192.patch +Patch193: 0193.patch +Patch194: 0194.patch +Patch195: 0195.patch +Patch196: 0196.patch +Patch197: 0197.patch +Patch198: 0198.patch +Patch199: 0199.patch +Patch200: 0200.patch Source1: https://www.gnu.org/licenses/lgpl-2.1.txt @@ -670,6 +680,18 @@ echo '# Since rhel-8.3 dracut moved to use NetworkManager add_dracutmodules+=" network-legacy "' > /etc/dracut.conf.d/50-network-legacy.conf %changelog +* Mon Jan 31 2022 Pavel Valena - 049-201.git20220131 +- ci: introduce C8S based GHA CI +- ci: backport TEST-21-NFS-NM +- dracut.sh: fix early microcode detection logic +- fix(url-lib): make pre-pivot hook separetely per nfs mount +- fix(watchdog): replace return with echo +- fix(network): add errors and warnings when network interface +- dracut.sh: add check for invalid configuration files +- fips: removed false-positive 'FATAL: Module xxx not found' +- fix(shutdown): be robust against forced shutdown +- fix(fips): handle s390x OSTree systems + * Mon Sep 20 2021 Lukas Nykryn - 049-191.git20210920 - fix(install): extend hwcaps library handling to libraries