Bug: https://bugs.gentoo.org/753617
Signed-off-by: FlyingWaffle <flyingwaffle@pm.me>
Signed-off-by: Sam James <sam@gentoo.org>
Signed-off-by: FlyingWaffle <flyingwaffle@pm.me>
...on a broader range of system configurations, including LVM and swapfiles.
Signed-off-by: FlyingWaffle <flyingwaffle@pm.me>
cryptsetup LUKS2 format comes with an ability to automatically unlock
multiple devices (root, swap, etc.) sharing the same passphrase, without
retyping it for each of them, by loading it into the user keyring.
This commit adds such (optional) genkernel support for loading the LUKS
passphrase into the user keyring on boot.
In the default mode of operation the newly added key is (possibly) used
only to unlock root and swap devices and is removed soon after that.
By providing an appropriate kernel command line parameter the key can be
left in the keyring instead (with an optional timeout) for unlocking other
LUKS devices post-initramfs time.
Because one of the most common use cases of this functionality will be
having an encrypted swap for doing suspend to disk (hibernation), let's also
make sure that we don't unlock the root device when doing so is unnecessary
(when we are resuming the system from hibernation).
Since the security of an FDE passphrase is of paramount importance in this
solution, significant care has been taken not to leak it accidentally:
* The passphrase is read directly by keyctl to avoid storing it in the
shell,
* If the passphrase is used only to unlock root and swap devices (which is
the default mode of operation) the init script will check whether its
removal from the keyring has actually succeeded and, if not, reboot the
system rather than continue while leaving it exposed,
* keyutils includes a patch (already upstreamed) to wipe the passphrase
from memory when no longer needed.
Signed-off-by: Maciej S. Szmigiero <mail@maciej.szmigiero.name>
When trying to install a new kernel on catbus.sparc.dev.gentoo.org, the
newly built initrd consistently claimed that it could not find init, and
dropped to the rescue shell.
However, init was there just fine in /newroot (as before).
I dug out the command that is actually run inside linuxrc,
    elif ! chroot "${CHROOT}" test -x /${init#/} 1>/dev/null 2>&1
and tried to run that manually, which led to a rather strange error message:
    rescueshell / # chroot /newroot test -x /lib/systemd/systemd
    chroot: can't execute 'test': File name too long
Some more research led me to the busybox manpage (which is where chroot
comes from here):
https://busybox.net/downloads/BusyBox.html#chroot
    chroot
    chroot NEWROOT [PROG [ARGS]]
    Run PROG with root directory set to NEWROOT
Note, the third argument is *not* a command (as with the usual chroot, see the
manpage for coreutils chroot) but a program!
Bug: https://bugs.gentoo.org/842027
Signed-off-by: Andreas K. Hüttel <dilfridge@gentoo.org>
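As an added illustration that is not part of this commit or of genkernel's code: the same existence check can be done from the initramfs without executing any program inside the new root, by resolving symlinks against NEWROOT ourselves. An absolute symlink such as /sbin/init -> /lib/systemd/systemd has to be re-based onto /newroot, which a plain 'test -x /newroot/sbin/init' would resolve against the initramfs root instead. The function names resolve_in_root and init_is_executable are my own.

```shell
#!/bin/sh
# Added example (not genkernel's code). Busybox "chroot NEWROOT PROG"
# needs a real binary and "test" is only a shell builtin, so instead we
# walk the path component by component and re-base every absolute symlink
# onto ROOT, the way a chroot'ed process would see it.

# resolve_in_root ROOT PATH: print the host-side path that PATH resolves
# to when all symlinks are interpreted relative to ROOT. Fails (exit 1)
# after 40 symlink hops or on an unreadable link.
resolve_in_root() {
    root=$1 rest=${2#/} cur='' hops=0
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        if [ "$comp" = "$rest" ]; then rest=''; else rest=${rest#*/}; fi
        case $comp in
            ''|.) continue ;;            # empty component or "."
            ..)   cur=${cur%/*}; continue ;;   # go up one level
        esac
        cur="$cur/$comp"
        if [ -L "$root$cur" ]; then
            hops=$((hops + 1))
            [ "$hops" -le 40 ] || return 1     # symlink loop guard
            link=$(readlink "$root$cur") || return 1
            case $link in
                /*) cur='';        rest="${link#/}/$rest" ;;  # absolute: re-base on ROOT
                *)  cur=${cur%/*}; rest="$link/$rest" ;;      # relative: from link's dir
            esac
        fi
    done
    printf '%s\n' "$root$cur"
}

# init_is_executable NEWROOT INIT: succeed if INIT (e.g. /sbin/init)
# resolves, inside NEWROOT, to a regular executable file.
init_is_executable() {
    target=$(resolve_in_root "$1" "$2") || return 1
    [ -f "$target" ] && [ -x "$target" ]
}

# Assumed use from linuxrc: init_is_executable "${CHROOT}" "${init}" || bad_msg ...
```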
Signed-off-by: Dmitry Baranov <reagentoo@gmail.com>
Fixes: d5f7d79b ("linuxrc: Refactor handling of console log level")
Bug: https://bugs.gentoo.org/788970
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Fixes: 60ecb8b6d ("linuxrc: Move global variables to initrd.defaults")
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Use same messages we use for root device.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Closes: https://github.com/gentoo/genkernel/pull/24
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This commit will ensure that we really don't output anything
when running in QUIET mode -- only errors will be shown.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Previous idea (commit 93bf318e5114233f3cacc4575ab2e58d60e785c7) never
worked: exec will replace initramfs' init (PID 1) with the specified command
so that any further line will never be reached. If that command fails now,
init has basically ended, which will trigger a kernel panic:
    !! A fatal error has occured since /sbin/openrc-init did not
    !! boot correctly. Trying to open a shell ...
    + exec /bin/bash
    /init: exec: line 1366: /bin/bash: not found
    [ 55.060649] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00007f00
The new error handling will keep init running in a loop, which will
allow the user to fix every detected problem until we are confident that
the switch_root call has a chance to succeed.
In case the user cannot fix the problem (maybe because of
gk.userinteraction.disabled), we will call the newly added
gk.emergency action (reboot, poweroff or halt).
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
It was never really used; Kernel's console handling
already did the work.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Not used anymore since we moved to (e)udev.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
It's not clear why this was ever added via commit c4e37560598d4dc59ef3619084f3822df71e8aef.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
There is no trigger/rule in UDEV/btrfs-progs to load the btrfs module.
The only known trigger, via the mount command, could be too late or
may be insufficient depending on the BTRFS {meta,}data profile in use.
Bug: https://bugs.gentoo.org/739892
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When this boolean option is set and enabled, genkernel initramfs will unmount /run
before calling switch_root.
This can help in an SELinux context, for example, where labeling is required,
which is not supported by genkernel.
Bug: https://bugs.gentoo.org/739424
Bug: https://bugs.gentoo.org/740576
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
options to cryptsetup
Cryptsetup supports additional options like "--perf-no_read_workqueue" or
"--perf-no_write_workqueue". While it is recommended to use the LUKS2 format
and make these activation flags permanent, you can also make use of
the new kernel command-line arguments "crypt_root_options" for the root device
or "crypt_swap_options" for the swap device to pass additional options
to cryptsetup.
These arguments can be specified multiple times, or multiple options can be
separated with a comma.
Bug: https://bugs.gentoo.org/755587
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This is no longer necessary with the switch to UDEV.
Bug: https://bugs.gentoo.org/739892
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
{root,swap}_keydev
We need to do the same we do for rootfs since commit 05f968fda2c6839744b36c442b3feaa6de974e63
also for {root,swap}_keydev.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Karlson2k (Evgeny Grin) <k2k@narod.ru>
Closes: https://github.com/gentoo/genkernel/pull/19
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
To help debugging, 'gksosreport' was added (the idea was borrowed from dracut):
Whenever a user runs into a problem and gets to a rescue shell, running "gksosreport"
will generate /run/initramfs/gksosreport.txt containing useful debug information
suitable to attach to bug reports.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
'mount -t auto' will not trigger module loading for filesystem kernel modules.
Therefore we try to determine the filesystem to trigger module loading in case
the filesystem isn't built into the kernel.
Bug: https://bugs.gentoo.org/739250
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When gk.udev.debug=yes is set (boolean option), udevd will run in
debug mode. Output will be written to /run/initramfs/udevd.log.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we are using UDEV and have to preserve /run, we can also
use /run to always store the log from initramfs.
This will make debugging easier because users don't have to explicitly
enable logging (disabling is still possible).
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
switch_root from busybox does not move /dev, /sys, /proc and /run.
If we do that manually there is a small window for a race condition
when /dev, /sys or /proc is still needed but already moved. switch_root
from util-linux will move these mounts on its own and will therefore
avoid any potential problems.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Don't use absolute paths. Use 'hash' to test if command is available.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Follow up for commit 0048f44c081dce2e296b48c71a208abf2a815c84.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Now that we are using (e)udev with kmod support, we can rely on UDEV to
load required kernel modules.
Old module loading based on the modules_load file can still be enabled via the
boolean "gk.hw.use-modules_load" kernel command-line option, which inverts
and replaces the previous "nodetect" kernel command-line option.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This will make us honor QUIET kernel command-line argument and allow
full silent boot.
Link: https://forums.gentoo.org/viewtopic-t-1117988.html
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
We need to mount mountpoints listed in /etc/initramfs.mounts
before validating REAL_INIT in case init is located on a separate
mount.
In addition the code was moved to a dedicated function named
process_initramfs_mounts() to allow running it multiple times,
which is needed if REAL_INIT wasn't verified (in case the system
was booted from a livecd).
Link: https://forums.gentoo.org/viewtopic-t-1117762.html
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
We need to switch from using MDEV to UDEV to avoid boot problems
due to timeouts caused by some UDEV rules from the real system when
the real system is using systemd.
Bug: https://bugs.gentoo.org/706434
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Don't use absolute paths. Use 'hash' to test if command is available.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
/dev/vg/foo can be a symlink to ../dm-1. This commit will allow
using such a value for devices, i.e. ROOT=/dev/vg/foo.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
When this option is set and enabled, genkernel initramfs will not prompt
on errors, i.e. this will disable any user interaction, e.g. for a kiosk system.
Bug: https://bugs.gentoo.org/730966
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Cannot use `run` before root was mounted writable.
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
This is a regression that was introduced in sys-fs/zfs-kmod-0.7.0.
It was originally fixed by 2eb1d04cfbfa397b58a0b388f8ed28688fd114d8, but
this neglected to handle the case where booting is done via arguments
such as "root=ZFS" or "root=ZFS=rpool/ROOT/gentoo" on the kernel
commandline. This handles it.
Signed-off-by: Richard Yao <ryao@gentoo.org>
Closes: https://github.com/gentoo/genkernel/pull/16
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>