Always ensure /dev/{u,random} are in initramfs #2331
Conversation
In some scenarios, such as running `dracut` inside a podman/docker container, we may not have the capabilities necessary to create devices. But we don't need the ability to make devices; instead, just carry a static copy of a small cpio archive with that content pre-created, and ensure it's the first thing in the generated initramfs image.
github-actions
bot
added
fips
|
(draft since this could use a bit more testing) |
|
I hope to learn more about the use cases for dracut used (not just installed) inside a podman/docker container. Is this any way related - https://bugzilla.redhat.com/show_bug.cgi?id=1906633 ? |
|
The originating bug here is https://issues.redhat.com/browse/OCPBUGS-13207 The rationale for this is basically "server side" initramfs image builds in derived images. |
Do you mean that the goal is to generate initramfs inside a container and then use that generated initramfs elsewhere outside of the container that was generated in ? |
|
Yes. For more information, see https://fedoraproject.org/wiki/Changes/OstreeNativeContainer and https://coreos.github.io/rpm-ostree/container/ - we use containers as a build tool to generate bootable host systems. (As of recently there's also https://github.com/containers/bootc which streamlines this) |
|
Perhaps to move this forward try to keep dracut-random.cpio.gz out of upstream and make only the necessary changes that would allow you to carry dracut-random.cpio.gz for your own needs. Would you see this as a good compromise ? Just trying to find a way to avoid this issue being stalled. |
It'd help for sure, but I wouldn't call it a good compromise. What is the compromise here - i.e. what do you see as bad? Just having additional code? The opacity of the pre-generated file (that's definitely fixable)? Something else? |
|
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions. |
LaszloGombos
added
enhancement
|
This keeps coming up (e.g. coreos/rpm-ostree#4499 ), and if we don't agree to merge this, what I'll probably end up doing is adding a wrapper around |
|
I am glad there is still interest in this PR. I personally support this use-case.
This - the opacity of the pre-generated file. Also, if this PR is up for review, then please remove the "Draft" as that indicates that this PR is still work in progress and review comments are not yet welcome. Thanks @cgwalters . |
|
We could try making the cpio file at build time, but that's going to have a potentially larger blast radius - it's quite likely some build systems may actually be using container runtimes with similar device cgroup restrictions. Another possibility is to try to land a patch in upstream Yet another possibility is to generate a cpio blob in |
|
Is this "cpio blob" portable across architectures (x86, x86_64, arm, arm64, etc) or they they need to be generated separate for each architecture ? As I understand cpio format can be easily concatenated (outside of dracut), so perhaps as first step we could focus on the changes that needs to be made inside dracut and can not be easily maintained (e.g. the change in the fips module). FWIW, dracut projects has its own implementation of cpio - https://github.com/dracutdevs/dracut/tree/master/src/dracut-cpio. |
|
Hello, yes, I did a brief investigation into this PR & the cpio archive is the main obstackle in bringing this to RHEL-9 as well. Unfortunately, I didn't have spare cycles yet to look into what's the archive content and whether it can be recreated at dracut runtime (apart from copied from the system). |
If the archive blob is just the I agree that it'd be nice to avoid carrying the blob in dracut. There are a couple of other options which could be considered here: Still, the underlying problem here is the source-directory-tree-defines-archive-contents interface for GNU cpio (copied for dracut-cpio), which breaks unprivileged archive creation. My plan is to address this with #1662 , which will add a Linux |
| @@ -207,6 +207,7 @@ endif | |||
| if [ -f dracut-util ]; then \ | |||
| install -m 0755 dracut-util $(DESTDIR)$(pkglibdir)/dracut-util; \ | |||
| fi | |||
| install -m 0644 -Dt $(DESTDIR)$(pkglibdir) dracut-random.cpio.gz | |||
There was a problem hiding this comment.
I don't think compression makes much sense for a two (or three with /dev) item cpio archive.
There was a problem hiding this comment.
One thing I forgot to mention: GNU cpio unnecessarily zero-pads archives out to the next "block-size" (default=512) alignment, while the newc / SVR4 spec only requires 4-byte alignment, so any bundled archive with GNU cpio padding could be trimmed down.
In matching GNU cpio quirks, dracut-cpio does the same:
https://github.com/dracutdevs/dracut/blob/master/src/dracut-cpio/src/main.rs#L644
| # Next, in order to avoid requiring privilege at initramfs generation time, which we may not have | ||
| # in a container image, append a pre-generated cpio blob with /dev/{u,random}. | ||
| zcat ${dracutsysrootdir}/${dracutbasedir}/dracut-random.cpio.gz > ${DRACUT_TMPDIR}/random.fifo | ||
| wait |
There was a problem hiding this comment.
Asynchronous append here also seems like overkill given the size of the trailing archive.
| @@ -70,16 +70,4 @@ install() { | |||
| inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort | |||
|
|
|||
| inst_simple /etc/system-fips | |||
There was a problem hiding this comment.
Given the simplicity of cpio and what's needed here, it's tempting to propose just using printf to generate the trailing archive entries... That said, my preference would still be to embed those nodes in the kernel archive, or wait for #1662 to be implemented.
There was a problem hiding this comment.
Hmm yes, I think the cpio format may be sufficiently simple that we could do it via printf in a not terribly ugly way.
Oh wow, I was unaware of this. Yes...let me try sending a kernel patch! |
|
Closing since we're in agreement this exact patch isn't the way to go |
Note, it's important that the solution is also portable across compressors/decompressors (gzip, lz4, zstd, etc.) Encountered an issue where part of the initramfs was lz4 and another part gzip and the kernel decompressor got confused and panicked on boot. |
In some scenarios, such as running
dracutinside a podman/docker container, we may not have the capabilities necessary to create devices.But we don't need the ability to make devices; instead, just carry a static copy of a small cpio archive with that content pre-created, and ensure it's the first thing in the generated initramfs image.
EDIT: Downstream in RHEL this is https://bugzilla.redhat.com/show_bug.cgi?id=2208040