On 07/02/2009 04:18 PM, Seewer Philippe wrote:
Hans de Goede wrote:
Hi,
This morning I've been talking to Harald Hoyer about what sort
of commandline options dracut will be needing to find the /
filesystem beside root=UUID=1234567890 .
In most cases (normal disks, dmraid, mdraid, lvm, dmcrypt)
root=UUID=1234567890 should suffice.
However, in certain cases, for example, dracut will need additional
info to find the disks.
We've come to the following plan for iscsi targets:
1) Extend the dhcp_root dhcp variable iscsi syntax to
be able to include a username and password, so:
iscsi:192.168.50.2::::iqn.2009-06.dracut:target66
Can become:
iscsi:user:pass@xxxxxxxxxxxx::::iqn.2009-06.dracut:target66
Or:
iscsi:user:pass:reverse_user:reverse_pass@xxxxxxxxxxxx::::iqn.2009-06.dracut:target66
2) Pass root-path=iscsi:... on the kernel cmdline, for each needed
iscsi target, so if necessary this will be passed multiple times;
dracut will be modified to be able to handle multiple root-path
arguments being passed in
3) chmod /proc/cmdline 400, so that it cannot be read by ordinary
users, plugging the password leak problem
This does not really plug the leak. Just boot until initramfs is loaded,
pull the network plug and wait until dracut drops us to a (root-)shell.
If a user has physical access to the machine, and the passwords are not encrypted
with some key which has to be entered manually (which would be really awkward for
say a headless server in a datacenter booting from an iSCSI SAN LUN) you've already
lost.
Now the remaining question is how to implement the adding of the needed
cmdline options to grub.conf.
Question: Is it really necessary to provide username/password to dracut?
Yes, in the case of machines booting off iSCSI it is: this is not a passphrase
for encryption, this is authentication information to connect to an iSCSI target
(one or more disks).
Regards,
Hans
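The root-path syntax proposed in this thread, parsed and re-serialised with the CHAP secrets masked so it can be logged, as an added example that is not part of the mail or of dracut itself. It assumes the layout host:protocol:port:lun:target after the optional user:pass[:reverse_user:reverse_pass]@ prefix, that the IQN is the final field (it contains colons of its own), and that neither the host nor the IQN ever contains '@'; the function and class names are hypothetical.

```python
# Constructed example, not dracut's code; assumes host:protocol:port:lun:target after the credentials.
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class IscsiRootPath:
    host: str
    target: str
    protocol: str = ""
    port: str = ""
    lun: str = ""
    user: Optional[str] = None
    password: Optional[str] = None
    reverse_user: Optional[str] = None
    reverse_password: Optional[str] = None

    def redacted(self) -> str:
        """Re-serialise with both CHAP secrets masked, safe to write to a log."""
        auth = ""
        if self.user is not None:
            auth = f"{self.user}:***"
            if self.reverse_user is not None:
                auth += f":{self.reverse_user}:***"
            auth += "@"
        return f"iscsi:{auth}{self.host}:{self.protocol}:{self.port}:{self.lun}:{self.target}"

def parse_iscsi_root_path(value: str) -> IscsiRootPath:
    if not value.startswith("iscsi:"):
        raise ValueError("not an iscsi: root-path")
    body = value[len("iscsi:"):]
    # Host and IQN never contain '@', so the last '@' ends the credentials (a password may contain one).
    creds, body = body.rsplit("@", 1) if "@" in body else (None, body)
    fields = body.split(":", 4)  # the IQN is the remainder and keeps its own colons
    if len(fields) != 5 or not fields[0] or not fields[4]:
        raise ValueError("expected host:protocol:port:lun:target")
    rp = IscsiRootPath(host=fields[0], protocol=fields[1], port=fields[2],
                       lun=fields[3], target=fields[4])
    if creds is not None:
        parts = creds.split(":")
        if len(parts) not in (2, 4):
            raise ValueError("credentials must be user:pass[:reverse_user:reverse_pass]")
        rp.user, rp.password = parts[:2]
        if len(parts) == 4:
            rp.reverse_user, rp.reverse_password = parts[2:]
    return rp

def root_paths_from_cmdline(cmdline: str) -> List[IscsiRootPath]:
    """Collect every root-path=iscsi:... argument; the thread allows several."""
    return [parse_iscsi_root_path(a[len("root-path="):]) for a in cmdline.split()
            if a.startswith("root-path=iscsi:")]
```

Anything that echoes the command line into a log or console (a debug shell, a boot log) should print `redacted()` rather than the raw argument, which is the same exposure the chmod in point 3 tries to limit.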
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list