On Mon, 2023-01-02 at 15:42 +0100, Gerd Hoffmann wrote:
> On Thu, Dec 22, 2022 at 04:53:47PM +0100, Jiri Konecny wrote:
> > Hi all,
> >
> > > == Benefit to Fedora ==
> > > * Better secure boot support (specifically the initrd is covered by
> > >   the signature).
> > > * Better confidential computing support (measurements are much more
> > >   useful if we know what hashes to expect for the initrd).
> > > * More robust boot process (generating the initrd on the installed
> > >   system is fragile, root cause for kernel bugs reported is simply a
> > >   broken initrd sometimes).
> > Just want to add Anaconda installation environment is also fighting
> > with the second point.
>
> Third point I assume, i.e. initrd generation problems being reported as
> anaconda bugs?
>
> While being at it: anaconda seems to explicitly call dracut to generate
> the initrd (according to the messages it prints). What is the reason
> for this? Shouldn't this already happen as part of the rpm transaction,
> when the kernel install scripts are running?

IIRC the main reason is the essentially random package installation
order during the RPM transaction. Unlike on a normal system, during
installation the RPM transaction basically puts files into an empty
folder, so if the kernel RPM script that triggers dracut runs too early,
some of the things it tries to grab from the system might not yet be
there & will be missing from the initrd. On an already installed system,
there would already be something in place, while possibly a bit
outdated, that dracut could harvest and put into the initrd.

One concrete issue this caused was that users would use specific
characters in their LUKS password, Anaconda would make sure the given
package containing the layout is installed, but it would come after the
kernel package in the transaction & the layout would be missing from the
initrd. As a result, the user would not be able to type their password.

In any case, this situation is sub-optimal, as we currently run dracut
at least twice - once via the kernel RPM script trigger and then again
when Anaconda triggers it. We really need to finally reach out to the
kernel package maintainers and devise some mechanism that tells the
kernel package to skip the dracut run during the installation.

>
> > Thanks to the PXE boot it's maybe even more fragile
> > environment.
>
> Yep. I'd highly recommend to use uefi http boot whenever possible.
>
> Note that uefi http boot can also work with iso images, i.e. you can
> have the dhcp server hand out URLs to the fedora netboot iso. The
> firmware will fetch the iso, create a ramdisk, add an acpi table for
> it so the OS finds it too, then go boot as it would be a physical
> cdrom all the way up to anaconda.
>
> BTW: Having some way other than the kernel command line to pass config
> options to anaconda would make this much more useful.
>
> take care,
>   Gerd
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue