parent
77b24ef483
commit
51cfed5156
@ -1 +1 @@
|
|||||||
0e004ae0a4b910b1bd3e2f1d86dd0649f8f2addd SOURCES/102.tar.gz
|
6da4d27d768f049332b3b4f9ff36a4a494eda4fc SOURCES/103.tar.gz
|
||||||
|
@ -1 +1 @@
|
|||||||
SOURCES/102.tar.gz
|
SOURCES/103.tar.gz
|
||||||
|
@ -1,54 +0,0 @@
|
|||||||
From 3bcb0a9f06bac7fa62dc7241860deb8b671f17cd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
|
||||||
Date: Tue, 25 Apr 2023 14:56:59 +0200
|
|
||||||
Subject: [PATCH 01/24] feat(hwdb): add hwdb module to install hwdb.bin on
|
|
||||||
demand
|
|
||||||
|
|
||||||
Module to install hwdb.bin. Further extensions might make only selected
|
|
||||||
part of hwdb installable to save space. The module is not included by default.
|
|
||||||
|
|
||||||
Including the module adds 2MB of compressed data (on Fedora, the file has 12MB).
|
|
||||||
|
|
||||||
Installing hwdb.bin is needed in case of custom HW like a keyboard/mouse, or various interfaces.
|
|
||||||
|
|
||||||
Original PR: https://github.com/dracutdevs/dracut/pull/1681
|
|
||||||
---
|
|
||||||
modules.d/95hwdb/module-setup.sh | 26 ++++++++++++++++++++++++++
|
|
||||||
1 file changed, 26 insertions(+)
|
|
||||||
create mode 100755 modules.d/95hwdb/module-setup.sh
|
|
||||||
|
|
||||||
diff --git a/modules.d/95hwdb/module-setup.sh b/modules.d/95hwdb/module-setup.sh
|
|
||||||
new file mode 100755
|
|
||||||
index 00000000..5d3250f3
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/modules.d/95hwdb/module-setup.sh
|
|
||||||
@@ -0,0 +1,26 @@
|
|
||||||
+#!/bin/bash
|
|
||||||
+# This file is part of dracut.
|
|
||||||
+# SPDX-License-Identifier: GPL-2.0-or-later
|
|
||||||
+
|
|
||||||
+check() {
|
|
||||||
+ return 255
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# called by dracut
|
|
||||||
+install() {
|
|
||||||
+ local hwdb_bin
|
|
||||||
+
|
|
||||||
+ # Follow the same priority as `systemd-hwdb`; `/etc` is the default
|
|
||||||
+ # and `/usr/lib` an alternative location.
|
|
||||||
+ hwdb_bin="${udevconfdir}"/hwdb.bin
|
|
||||||
+
|
|
||||||
+ if [[ ! -r ${hwdb_bin} ]]; then
|
|
||||||
+ hwdb_bin="${udevdir}"/hwdb.bin
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [[ $hostonly ]]; then
|
|
||||||
+ inst_multiple -H "${hwdb_bin}"
|
|
||||||
+ else
|
|
||||||
+ inst_multiple "${hwdb_bin}"
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From d14d724620fe4810930d1c2f07d10fa6b8bc9557 Mon Sep 17 00:00:00 2001
|
From f75ae29afc829e19834c4cb99ca51b8ebe8481bf Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Sun, 23 Jul 2023 19:44:17 +0200
|
Date: Sun, 23 Jul 2023 19:44:17 +0200
|
||||||
Subject: [PATCH 02/24] fix(rngd): install system service file
|
Subject: [PATCH 01/32] fix(rngd): install system service file
|
||||||
|
|
||||||
as there's no reason to keep a copy; there shouldn't be any modifications.
|
as there's no reason to keep a copy; there shouldn't be any modifications.
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 6fa596ca039300e5f4bb3cca14768976efe95eac Mon Sep 17 00:00:00 2001
|
From 9b7740eaf33357cc087c83d95d089bdf8ead07dd Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Wed, 12 Jun 2024 06:30:42 +0200
|
Date: Wed, 12 Jun 2024 06:30:42 +0200
|
||||||
Subject: [PATCH 03/24] revert: "fix(install.d): correctly install pre-genned
|
Subject: [PATCH 02/32] revert: "fix(install.d): correctly install pre-genned
|
||||||
image and die if no args"
|
image and die if no args"
|
||||||
|
|
||||||
revert: "fix(install.d): simplify and use what kernel-install gives us"
|
revert: "fix(install.d): simplify and use what kernel-install gives us"
|
@ -1,7 +1,7 @@
|
|||||||
From c6d18c3c71597e78572378fc4dde391f1845b8bd Mon Sep 17 00:00:00 2001
|
From 0d2983f7dbc1f5fbaa60735c839ea111d3f5d4e0 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||||
Date: Tue, 18 Jan 2022 18:08:42 +0100
|
Date: Tue, 18 Jan 2022 18:08:42 +0100
|
||||||
Subject: [PATCH 04/24] feat(kernel-install): do nothing when
|
Subject: [PATCH 03/32] feat(kernel-install): do nothing when
|
||||||
$KERNEL_INSTALL_INITRD_GENERATOR says so
|
$KERNEL_INSTALL_INITRD_GENERATOR says so
|
||||||
|
|
||||||
dracut may be installed without being actually used. This is very common in
|
dracut may be installed without being actually used. This is very common in
|
@ -1,7 +1,7 @@
|
|||||||
From 1bd81956dc050db071c5885cfbcde393370468ae Mon Sep 17 00:00:00 2001
|
From 65d5bd785458da98b0388ddf3f8e67e569af67c1 Mon Sep 17 00:00:00 2001
|
||||||
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
||||||
Date: Tue, 18 Jan 2022 18:58:58 +0100
|
Date: Tue, 18 Jan 2022 18:58:58 +0100
|
||||||
Subject: [PATCH 05/24] fix(kernel-install): do not generate an initrd when one
|
Subject: [PATCH 04/32] fix(kernel-install): do not generate an initrd when one
|
||||||
was specified
|
was specified
|
||||||
|
|
||||||
According to the synopsis, kernel-install can be called with an
|
According to the synopsis, kernel-install can be called with an
|
@ -1,7 +1,7 @@
|
|||||||
From 30e7870504d09183bb9d99ed04f148c7dfb0c645 Mon Sep 17 00:00:00 2001
|
From 35326479721f8b439f291bf8ff35354107144012 Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Thu, 11 Jul 2024 07:33:05 +0200
|
Date: Thu, 11 Jul 2024 07:33:05 +0200
|
||||||
Subject: [PATCH 07/24] fix: incorrectly applied patch in commit
|
Subject: [PATCH 05/32] fix: incorrectly applied patch in commit
|
||||||
c6d18c3c71597e78572378fc4dde391f1845b8
|
c6d18c3c71597e78572378fc4dde391f1845b8
|
||||||
|
|
||||||
named: "feat(kernel-install): do nothing when $KERNEL_INSTALL_INITRD_GENERATOR says so"
|
named: "feat(kernel-install): do nothing when $KERNEL_INSTALL_INITRD_GENERATOR says so"
|
@ -1,25 +0,0 @@
|
|||||||
From 6cb58e86ae65cf9922023b12e889446323a89080 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Laszlo Gombos <laszlo.gombos@gmail.com>
|
|
||||||
Date: Sat, 15 Jun 2024 15:21:44 -0400
|
|
||||||
Subject: [PATCH 06/24] fix(crypt): decryption when rd.luks.name is set
|
|
||||||
|
|
||||||
---
|
|
||||||
modules.d/90crypt/parse-crypt.sh | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules.d/90crypt/parse-crypt.sh b/modules.d/90crypt/parse-crypt.sh
|
|
||||||
index 39fc6d21..9567a4a9 100755
|
|
||||||
--- a/modules.d/90crypt/parse-crypt.sh
|
|
||||||
+++ b/modules.d/90crypt/parse-crypt.sh
|
|
||||||
@@ -174,7 +174,7 @@ else
|
|
||||||
} >> "$hookdir/emergency/90-crypt.sh"
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
- elif getargbool 1 rd.auto; then
|
|
||||||
+ elif getargbool 1 rd.auto && [ -z "$(getargs rd.luks.name)" ]; then
|
|
||||||
if [ -z "$DRACUT_SYSTEMD" ]; then
|
|
||||||
{
|
|
||||||
printf -- 'ENV{ID_FS_TYPE}=="crypto_LUKS", RUN+="%s ' "$(command -v initqueue)"
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 93937d805f8166d9f708f9163fc93839fc1437d3 Mon Sep 17 00:00:00 2001
|
From afcfd7378110969cce445d7613d9e81c9d85cac0 Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Thu, 11 Jul 2024 16:24:14 +0200
|
Date: Thu, 11 Jul 2024 16:24:14 +0200
|
||||||
Subject: [PATCH 08/24] revert: "fix(crypt): unlock encrypted devices by
|
Subject: [PATCH 06/32] revert: "fix(crypt): unlock encrypted devices by
|
||||||
default during boot"
|
default during boot"
|
||||||
|
|
||||||
This reverts commit 2339acfaeee60d6bb26a1103db2e53bc8f9cb2d1.
|
This reverts commit 2339acfaeee60d6bb26a1103db2e53bc8f9cb2d1.
|
@ -1,7 +1,7 @@
|
|||||||
From aded658821983ba7d92def26793813c1b3a83475 Mon Sep 17 00:00:00 2001
|
From 02bc9391cfdf7f3b16c49cde9d881642c13fc8c0 Mon Sep 17 00:00:00 2001
|
||||||
From: Laszlo Gombos <laszlo.gombos@gmail.com>
|
From: Laszlo Gombos <laszlo.gombos@gmail.com>
|
||||||
Date: Sat, 20 Jul 2024 18:49:38 -0400
|
Date: Sat, 20 Jul 2024 18:49:38 -0400
|
||||||
Subject: [PATCH 10/24] test: do not force include dash, let sh module make a
|
Subject: [PATCH 07/32] test: do not force include dash, let sh module make a
|
||||||
selection
|
selection
|
||||||
|
|
||||||
This is important for alpine, so that it does not install both
|
This is important for alpine, so that it does not install both
|
@ -1,33 +0,0 @@
|
|||||||
From e02ef9afa1ede698623f25d5694949e9b4fedb4e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
|
||||||
Date: Tue, 6 Dec 2022 21:46:01 +0100
|
|
||||||
Subject: [PATCH 09/24] fix(90kernel-modules): install blk modules using symbol
|
|
||||||
blk_alloc_disk
|
|
||||||
|
|
||||||
Corresponding kernel symbol blk_cleanup_disk is no longer used in the nvdimm
|
|
||||||
driver and calls are made directly instead.
|
|
||||||
|
|
||||||
blk_alloc_disk is used:
|
|
||||||
https://elixir.bootlin.com/linux/v6.1-rc8/source/drivers/nvdimm/pmem.c#L522
|
|
||||||
|
|
||||||
Resolves: RHEL-32237
|
|
||||||
---
|
|
||||||
modules.d/90kernel-modules/module-setup.sh | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/modules.d/90kernel-modules/module-setup.sh b/modules.d/90kernel-modules/module-setup.sh
|
|
||||||
index ec60f393..89f33231 100755
|
|
||||||
--- a/modules.d/90kernel-modules/module-setup.sh
|
|
||||||
+++ b/modules.d/90kernel-modules/module-setup.sh
|
|
||||||
@@ -2,7 +2,7 @@
|
|
||||||
|
|
||||||
# called by dracut
|
|
||||||
installkernel() {
|
|
||||||
- local _blockfuncs='ahci_platform_get_resources|ata_scsi_ioctl|scsi_add_host|blk_cleanup_queue|register_mtd_blktrans|scsi_esp_register|register_virtio_device|usb_stor_disconnect|mmc_add_host|sdhci_add_host|scsi_add_host_with_dma|blk_mq_alloc_disk|blk_mq_alloc_request|blk_mq_destroy_queue|blk_cleanup_disk'
|
|
||||||
+ local _blockfuncs='ahci_platform_get_resources|ata_scsi_ioctl|scsi_add_host|blk_cleanup_queue|register_mtd_blktrans|scsi_esp_register|register_virtio_device|usb_stor_disconnect|mmc_add_host|sdhci_add_host|scsi_add_host_with_dma|blk_alloc_disk|blk_mq_alloc_disk|blk_mq_alloc_request|blk_mq_destroy_queue|blk_cleanup_disk'
|
|
||||||
local -A _hostonly_drvs
|
|
||||||
|
|
||||||
record_block_dev_drv() {
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 53d78f4eb236500465279c424c296ff576421c7c Mon Sep 17 00:00:00 2001
|
From 91f878a4fe4ed694baad59cdb1c7366b002cf1da Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Thu, 8 Aug 2024 00:21:12 +0200
|
Date: Thu, 8 Aug 2024 00:21:12 +0200
|
||||||
Subject: [PATCH 14/24] fix(resume): always include the resume module
|
Subject: [PATCH 11/32] fix(resume): always include the resume module
|
||||||
|
|
||||||
as we can't determine with certainity that it won't be needed.
|
as we can't determine with certainity that it won't be needed.
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 1ef53f9d5ea7f74730b27b8016304c58b2d31871 Mon Sep 17 00:00:00 2001
|
From dd3daa0560e4e4f809b42a901cd79076d3577f96 Mon Sep 17 00:00:00 2001
|
||||||
From: Philipp Rudo <prudo@redhat.com>
|
From: Philipp Rudo <prudo@redhat.com>
|
||||||
Date: Tue, 23 Jul 2024 16:39:13 +0200
|
Date: Tue, 23 Jul 2024 16:39:13 +0200
|
||||||
Subject: [PATCH 18/24] feat(squash): split 95squash-squashfs from 99squash
|
Subject: [PATCH 15/32] feat(squash): split 95squash-squashfs from 99squash
|
||||||
|
|
||||||
99squash only allows squashing the files using squashfs. In order to
|
99squash only allows squashing the files using squashfs. In order to
|
||||||
make the implementation for different filesystems easier split out the
|
make the implementation for different filesystems easier split out the
|
@ -1,7 +1,7 @@
|
|||||||
From 4e8ea763cb10ab4f3b65e865d2ad03c8a5393e04 Mon Sep 17 00:00:00 2001
|
From fcc73940a1e21fa79b7133e12ed0f8ed13645a54 Mon Sep 17 00:00:00 2001
|
||||||
From: Philipp Rudo <prudo@redhat.com>
|
From: Philipp Rudo <prudo@redhat.com>
|
||||||
Date: Tue, 23 Jul 2024 17:42:33 +0200
|
Date: Tue, 23 Jul 2024 17:42:33 +0200
|
||||||
Subject: [PATCH 19/24] feat(squash): add module 95squash-erofs
|
Subject: [PATCH 16/32] feat(squash): add module 95squash-erofs
|
||||||
|
|
||||||
Allow squashing the image in 99squash using erofs. Keep squashfs as
|
Allow squashing the image in 99squash using erofs. Keep squashfs as
|
||||||
default to not change existing systems. I.e. only use erofs if the user
|
default to not change existing systems. I.e. only use erofs if the user
|
@ -1,7 +1,7 @@
|
|||||||
From a3ca60929c50f1a1d41cf4567e3a4a8231a92642 Mon Sep 17 00:00:00 2001
|
From c0bd2334708d9bfc6fbeb1c63eae0037eb4157b6 Mon Sep 17 00:00:00 2001
|
||||||
From: Philipp Rudo <prudo@redhat.com>
|
From: Philipp Rudo <prudo@redhat.com>
|
||||||
Date: Tue, 30 Jul 2024 13:35:17 +0200
|
Date: Tue, 30 Jul 2024 13:35:17 +0200
|
||||||
Subject: [PATCH 22/24] fix(squash): explicitly create required directories
|
Subject: [PATCH 19/32] fix(squash): explicitly create required directories
|
||||||
|
|
||||||
At the moment 99squash relies on dracut-install to create the required
|
At the moment 99squash relies on dracut-install to create the required
|
||||||
directories it later links to. This approach is error prone and will
|
directories it later links to. This approach is error prone and will
|
@ -1,7 +1,7 @@
|
|||||||
From a6e8e41cd1d67bb4ee64b2bf107e98c18bf8afdf Mon Sep 17 00:00:00 2001
|
From eef65961330c8fb68493d9a3eab55171482984c1 Mon Sep 17 00:00:00 2001
|
||||||
From: Philipp Rudo <prudo@redhat.com>
|
From: Philipp Rudo <prudo@redhat.com>
|
||||||
Date: Tue, 30 Jul 2024 13:44:32 +0200
|
Date: Tue, 30 Jul 2024 13:44:32 +0200
|
||||||
Subject: [PATCH 23/24] fix(squash): use 99busybox instead of installing it
|
Subject: [PATCH 20/32] fix(squash): use 99busybox instead of installing it
|
||||||
manually
|
manually
|
||||||
|
|
||||||
Make use of 99busybox in 99squash rather than installing it manually.
|
Make use of 99busybox in 99squash rather than installing it manually.
|
@ -1,7 +1,7 @@
|
|||||||
From 23a7d5d4752dd4273f406cf1729b2d98f39d0aa5 Mon Sep 17 00:00:00 2001
|
From 4a6806efae05b453bb9b93efe961fb1033bb562b Mon Sep 17 00:00:00 2001
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
Date: Sat, 17 Aug 2024 00:39:17 +0200
|
Date: Sat, 17 Aug 2024 00:39:17 +0200
|
||||||
Subject: [PATCH 26/31] fix(resume): do not include resume if swap is on
|
Subject: [PATCH 22/32] fix(resume): do not include resume if swap is on
|
||||||
netdevice
|
netdevice
|
||||||
|
|
||||||
Additional fix, restoring previous behavior identical to RHEL-9.
|
Additional fix, restoring previous behavior identical to RHEL-9.
|
@ -1,69 +0,0 @@
|
|||||||
From 3b4fe88a4259ec576a41d98b6aaee324a6b48b0f Mon Sep 17 00:00:00 2001
|
|
||||||
From: "Brian C. Lane" <bcl@redhat.com>
|
|
||||||
Date: Wed, 10 Jul 2024 16:30:09 -0700
|
|
||||||
Subject: [PATCH 24/24] feat(dmdquash-live): add support for using erofs
|
|
||||||
|
|
||||||
This adds support for rootfs compressed with erofs. Either as a plain
|
|
||||||
erofs image or a LiveOS/rootfs.img ext4 filesystem compressed with
|
|
||||||
erofs.
|
|
||||||
|
|
||||||
This patch does not make any attempt to change the squashfs directory
|
|
||||||
naming (or variable names) in order to make these changes as small as
|
|
||||||
possible and easy to review. It also does not make any attempt to
|
|
||||||
support the multitude of available options other than what is needed by
|
|
||||||
anaconda-dracut calling this script to setup the boot.iso root
|
|
||||||
filesystem.
|
|
||||||
|
|
||||||
(which isn't to say it doesn't work, it just hasn't been tested and is
|
|
||||||
outside the scope of this change).
|
|
||||||
|
|
||||||
(cherry picked commit ca5ae5d3466eec40d118fc96d450478aa6faebb6)
|
|
||||||
|
|
||||||
Resolves: RHEL-43460
|
|
||||||
---
|
|
||||||
modules.d/90dmsquash-live/dmsquash-live-root.sh | 10 +++++-----
|
|
||||||
1 file changed, 5 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/modules.d/90dmsquash-live/dmsquash-live-root.sh b/modules.d/90dmsquash-live/dmsquash-live-root.sh
|
|
||||||
index 4518852b..a376185e 100755
|
|
||||||
--- a/modules.d/90dmsquash-live/dmsquash-live-root.sh
|
|
||||||
+++ b/modules.d/90dmsquash-live/dmsquash-live-root.sh
|
|
||||||
@@ -97,7 +97,6 @@ det_img_fs() {
|
|
||||||
blkid -s TYPE -u noraid -o value "$1"
|
|
||||||
}
|
|
||||||
|
|
||||||
-load_fstype squashfs
|
|
||||||
CMDLINE=$(getcmdline)
|
|
||||||
for arg in $CMDLINE; do
|
|
||||||
case $arg in
|
|
||||||
@@ -112,14 +111,15 @@ if [ -f "$livedev" ]; then
|
|
||||||
# check filesystem type and handle accordingly
|
|
||||||
fstype=$(det_img_fs "$livedev")
|
|
||||||
case $fstype in
|
|
||||||
- squashfs) SQUASHED=$livedev ;;
|
|
||||||
- auto) die "cannot mount live image (unknown filesystem type)" ;;
|
|
||||||
+ squashfs | erofs) SQUASHED=$livedev ;;
|
|
||||||
+ auto) die "cannot mount live image (unknown filesystem type $fstype)" ;;
|
|
||||||
*) FSIMG=$livedev ;;
|
|
||||||
esac
|
|
||||||
load_fstype "$fstype"
|
|
||||||
else
|
|
||||||
livedev_fstype=$(det_fs "$livedev")
|
|
||||||
- if [ "$livedev_fstype" = "squashfs" ]; then
|
|
||||||
+ load_fstype "$livedev_fstype"
|
|
||||||
+ if [ "$livedev_fstype" = "squashfs" ] || [ "$livedev_fstype" = "erofs" ]; then
|
|
||||||
# no mount needed - we've already got the LiveOS image in $livedev
|
|
||||||
SQUASHED=$livedev
|
|
||||||
elif [ "$livedev_fstype" != "ntfs" ]; then
|
|
||||||
@@ -336,7 +336,7 @@ if [ -e "$SQUASHED" ]; then
|
|
||||||
SQUASHED_LOOPDEV=$(losetup -f)
|
|
||||||
losetup -r "$SQUASHED_LOOPDEV" $SQUASHED
|
|
||||||
mkdir -m 0755 -p /run/initramfs/squashfs
|
|
||||||
- mount -n -t squashfs -o ro "$SQUASHED_LOOPDEV" /run/initramfs/squashfs
|
|
||||||
+ mount -n -o ro "$SQUASHED_LOOPDEV" /run/initramfs/squashfs
|
|
||||||
|
|
||||||
if [ -d /run/initramfs/squashfs/LiveOS ]; then
|
|
||||||
if [ -f /run/initramfs/squashfs/LiveOS/rootfs.img ]; then
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -0,0 +1,38 @@
|
|||||||
|
From 226de396c97d483380bd0604bfe2ff7f6a2ef48c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Pavel Valena <pvalena@redhat.com>
|
||||||
|
Date: Fri, 16 Aug 2024 20:40:15 +0200
|
||||||
|
Subject: [PATCH 24/32] feat(lsinitrd.sh): look for initrd in /usr/lib/modules/
|
||||||
|
|
||||||
|
Introduce new path for lsinitrd.sh to look into:
|
||||||
|
|
||||||
|
/usr/lib/modules/$kver/initramfs.img
|
||||||
|
|
||||||
|
Which is valid on all ostree-based systems, and also other image based
|
||||||
|
systems with pre-generated initramfs.
|
||||||
|
|
||||||
|
Ref: https://issues.redhat.com/browse/RHEL-35890
|
||||||
|
(cherry picked from commit 22ae6ecaf9ecdb9db3e79aa9a72d527e7436c282)
|
||||||
|
|
||||||
|
Resolves: RHEL-54650
|
||||||
|
---
|
||||||
|
lsinitrd.sh | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/lsinitrd.sh b/lsinitrd.sh
|
||||||
|
index 6799f938..35314b78 100755
|
||||||
|
--- a/lsinitrd.sh
|
||||||
|
+++ b/lsinitrd.sh
|
||||||
|
@@ -125,6 +125,10 @@ find_initrd_for_kernel_version() {
|
||||||
|
echo "/lib/modules/${kernel_version}/initrd"
|
||||||
|
elif [[ -f /lib/modules/${kernel_version}/initramfs.img ]]; then
|
||||||
|
echo "/lib/modules/${kernel_version}/initramfs.img"
|
||||||
|
+ elif [[ -f /usr/lib/modules/${kernel_version}/initrd ]]; then
|
||||||
|
+ echo "/usr/lib/modules/${kernel_version}/initrd"
|
||||||
|
+ elif [[ -f /usr/lib/modules/${kernel_version}/initramfs.img ]]; then
|
||||||
|
+ echo "/usr/lib/modules/${kernel_version}/initramfs.img"
|
||||||
|
elif [[ -f /boot/initramfs-${kernel_version}.img ]]; then
|
||||||
|
echo "/boot/initramfs-${kernel_version}.img"
|
||||||
|
else
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|
@ -1,36 +0,0 @@
|
|||||||
From afd17820980728f18a5cc96e794d4c56a8694698 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Pavel Valena <pvalena@redhat.com>
|
|
||||||
Date: Fri, 16 Aug 2024 20:40:15 +0200
|
|
||||||
Subject: [PATCH 28/31] feat(lsinitrd.sh): look for initrd in /usr/lib/modules/
|
|
||||||
|
|
||||||
Introduce new path for lsinitrd.sh to look into:
|
|
||||||
|
|
||||||
/usr/lib/modules/$kver/initramfs.img
|
|
||||||
|
|
||||||
Which is valid on all ostree-based systems, and also other image based
|
|
||||||
systems with pre-generated initramfs.
|
|
||||||
|
|
||||||
Ref: https://issues.redhat.com/browse/RHEL-35890
|
|
||||||
(cherry picked from commit 22ae6ecaf9ecdb9db3e79aa9a72d527e7436c282)
|
|
||||||
|
|
||||||
Resolves: RHEL-54650
|
|
||||||
---
|
|
||||||
lsinitrd.sh | 2 ++
|
|
||||||
1 file changed, 2 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/lsinitrd.sh b/lsinitrd.sh
|
|
||||||
index 952dbc9f..429cce7e 100755
|
|
||||||
--- a/lsinitrd.sh
|
|
||||||
+++ b/lsinitrd.sh
|
|
||||||
@@ -136,6 +136,8 @@ else
|
|
||||||
image="/lib/modules/${KERNEL_VERSION}/initramfs.img"
|
|
||||||
elif [[ -f /boot/initramfs-${KERNEL_VERSION}.img ]]; then
|
|
||||||
image="/boot/initramfs-${KERNEL_VERSION}.img"
|
|
||||||
+ elif [[ -f /usr/lib/modules/${KERNEL_VERSION}/initramfs.img ]]; then
|
|
||||||
+ image="/usr/lib/modules/${KERNEL_VERSION}/initramfs.img"
|
|
||||||
elif [[ $MACHINE_ID ]] \
|
|
||||||
&& mountpoint -q /efi; then
|
|
||||||
image="/efi/${MACHINE_ID}/${KERNEL_VERSION}/initrd"
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
From 85235ab58df8343a1a0314333b360648a5d0f452 Mon Sep 17 00:00:00 2001
|
From e391c64afd187a81861301c949db5ffd1f9a3e5d Mon Sep 17 00:00:00 2001
|
||||||
From: Philipp Rudo <prudo@redhat.com>
|
From: Philipp Rudo <prudo@redhat.com>
|
||||||
Date: Mon, 26 Aug 2024 15:29:01 +0200
|
Date: Mon, 26 Aug 2024 15:29:01 +0200
|
||||||
Subject: [PATCH 35/35] fix(squash-lib): harden against empty $initdir
|
Subject: [PATCH 30/32] fix(squash-lib): harden against empty $initdir
|
||||||
|
|
||||||
The postinstall phase of 99squash-lib has the potential to delete the
|
The postinstall phase of 99squash-lib has the potential to delete the
|
||||||
whole rootfs if $initdir is empty. This should(tm) never happen.
|
whole rootfs if $initdir is empty. This should(tm) never happen.
|
@ -0,0 +1,158 @@
|
|||||||
|
From 626280f62a8f05e68e70b8db81eeffe196642bf3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Clemens Lang <cllang@redhat.com>
|
||||||
|
Date: Thu, 8 Aug 2024 16:43:31 +0200
|
||||||
|
Subject: [PATCH 31/32] feat(fips-crypto-policies): make c-p follow FIPS mode
|
||||||
|
automatically
|
||||||
|
|
||||||
|
For a system that uses crypto-policies to be switched to FIPS mode
|
||||||
|
correctly, it needs to be
|
||||||
|
|
||||||
|
- booted with `fips=1` on the kernel command line
|
||||||
|
- switched to the FIPS crypto-policy (or a policy derived from it)
|
||||||
|
- have the fips dracut module enabled
|
||||||
|
|
||||||
|
On older systems, there were additional steps, for example, creating
|
||||||
|
`/etc/system-fips`.
|
||||||
|
|
||||||
|
We have repeatedly seen inconsistencies between those different toggles,
|
||||||
|
either because the user space tooling to switch between those does not
|
||||||
|
(for reliability, maintainability, and compliance reasons) undo some of
|
||||||
|
the steps it does when disabling FIPS mode, or because other
|
||||||
|
installation methods (bootc, containers, image builder) independently do
|
||||||
|
some of those steps. Eventually, all of these ended with user confusion.
|
||||||
|
|
||||||
|
We can avoid this situation by eliminating the difference by treating
|
||||||
|
the `fips=1` kernel command line switch as a single source of truth, and
|
||||||
|
making all others follow automatically. This module provides this for
|
||||||
|
crypto-policies, by adding bind-mounts before pivot if the system has
|
||||||
|
not already been switched to a FIPS-based crypto-policy.
|
||||||
|
|
||||||
|
This requires some support from the crypto-policies package (because it
|
||||||
|
needs to deal with the bind mounts when a user calls
|
||||||
|
`update-crypto-policies --set`), so make it a no-op unless
|
||||||
|
|
||||||
|
- `fips=1` is on the kernel command line
|
||||||
|
- crypto-policies is installed
|
||||||
|
- crypto-policies supports the bind-mounts (indicated by the presence
|
||||||
|
of the `default-fips-config` file)
|
||||||
|
- the policy isn't already FIPS
|
||||||
|
|
||||||
|
These checks should make this safe to add to the initramfs on all
|
||||||
|
current systems.
|
||||||
|
|
||||||
|
The bind-mounts also need to happen in the initramfs already, because
|
||||||
|
systemd links against OpenSSL, and doing them later means that systemd
|
||||||
|
will start with an OpenSSL configuration that isn't tailored for FIPS.
|
||||||
|
|
||||||
|
See also [1], which adds the user space support to crypto-policies,
|
||||||
|
along with a systemd service that does the same steps in case dracut
|
||||||
|
hasn't already done them (which is useful for environments that don't
|
||||||
|
use an initramfs like containers).
|
||||||
|
|
||||||
|
[1]: https://gitlab.com/redhat-crypto/fedora-crypto-policies/-/merge_requests/191
|
||||||
|
|
||||||
|
Signed-off-by: Clemens Lang <cllang@redhat.com>
|
||||||
|
(cherry picked from commit bd3c1e1cc2f656f7ee4ff47e00ca716d52a86a3d)
|
||||||
|
|
||||||
|
Resolves: RHEL-59678
|
||||||
|
---
|
||||||
|
.../fips-crypto-policies.sh | 52 +++++++++++++++++++
|
||||||
|
.../01fips-crypto-policies/module-setup.sh | 27 ++++++++++
|
||||||
|
2 files changed, 79 insertions(+)
|
||||||
|
create mode 100755 modules.d/01fips-crypto-policies/fips-crypto-policies.sh
|
||||||
|
create mode 100755 modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
|
||||||
|
diff --git a/modules.d/01fips-crypto-policies/fips-crypto-policies.sh b/modules.d/01fips-crypto-policies/fips-crypto-policies.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..ff298298
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/modules.d/01fips-crypto-policies/fips-crypto-policies.sh
|
||||||
|
@@ -0,0 +1,52 @@
|
||||||
|
+#!/usr/bin/sh
|
||||||
|
+
|
||||||
|
+type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh
|
||||||
|
+
|
||||||
|
+if ! fipsmode=$(getarg fips) || [ "$fipsmode" = "0" ] || [ -z "$fipsmode" ]; then
|
||||||
|
+ # Do nothing if not in FIPS mode
|
||||||
|
+ return 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+policyfile=/etc/crypto-policies/config
|
||||||
|
+fipspolicyfile=/usr/share/crypto-policies/default-fips-config
|
||||||
|
+backends=/etc/crypto-policies/back-ends
|
||||||
|
+fipsbackends=/usr/share/crypto-policies/back-ends/FIPS
|
||||||
|
+
|
||||||
|
+# When in FIPS mode, check the active crypto policy by reading the
|
||||||
|
+# $root/etc/crypto-policies/config file. If it is not "FIPS", or does not start
|
||||||
|
+# with "FIPS:", automatically switch to the FIPS policy by creating
|
||||||
|
+# bind-mounts.
|
||||||
|
+
|
||||||
|
+if ! [ -r "${NEWROOT}${policyfile}" ]; then
|
||||||
|
+ # No crypto-policies configured, possibly not a system that uses
|
||||||
|
+ # crypto-policies?
|
||||||
|
+ return 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+if ! [ -f "${NEWROOT}${fipspolicyfile}" ]; then
|
||||||
|
+ # crypto-policies is too old to deal with automatic bind-mounting of the
|
||||||
|
+ # FIPS policy over the normal policy, do not attempt to do the bind-mount.
|
||||||
|
+ return 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+policy=$(cat "${NEWROOT}${policyfile}")
|
||||||
|
+
|
||||||
|
+# Remove the largest suffix pattern matching ":*" from the string (i.e., the
|
||||||
|
+# complete list of active policy modules), then check for FIPS. This is part of
|
||||||
|
+# POSIX sh (https://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_06_02).
|
||||||
|
+if [ "${policy%%:*}" = "FIPS" ]; then
|
||||||
|
+ return 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+# Current crypto policy is not FIPS or FIPS-based, but the system is in FIPS
|
||||||
|
+# mode; this is an inconsistent configuration. Automatically bind-mount a FIPS
|
||||||
|
+# configuration over this.
|
||||||
|
+if ! mount -o bind,ro "${NEWROOT}${fipsbackends}" "${NEWROOT}${backends}"; then
|
||||||
|
+ warn "Failed to bind-mount FIPS policy over ${backends} (the system is in FIPS mode, but the crypto-policy is not)."
|
||||||
|
+ # If this bind-mount failed, don't attempt to do the other one to avoid
|
||||||
|
+ # a system that seems to be in FIPS crypto-policy but actually is not.
|
||||||
|
+ return 0
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
+mount -o bind,ro "${NEWROOT}${fipspolicyfile}" "${NEWROOT}${policyfile}" \
|
||||||
|
+ || warn "Failed to bind-mount FIPS crypto-policy state file over ${policyfile} (the system is in FIPS mode, but the crypto-policy is not)."
|
||||||
|
diff --git a/modules.d/01fips-crypto-policies/module-setup.sh b/modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
new file mode 100755
|
||||||
|
index 00000000..ee00452e
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
|
+#!/usr/bin/bash
|
||||||
|
+
|
||||||
|
+# called by dracut
|
||||||
|
+check() {
|
||||||
|
+ # only enable on systems that use crypto-policies
|
||||||
|
+ [ -d "$dracutsysrootdir/etc/crypto-policies" ] && return 0
|
||||||
|
+
|
||||||
|
+ # include when something else depends on it or it is explicitly requested
|
||||||
|
+ return 255
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# called by dracut
|
||||||
|
+depends() {
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# called by dracut
|
||||||
|
+installkernel() {
|
||||||
|
+ return 0
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# called by dracut
|
||||||
|
+install() {
|
||||||
|
+ inst_hook pre-pivot 01 "$moddir/fips-crypto-policies.sh"
|
||||||
|
+
|
||||||
|
+ inst_multiple mount
|
||||||
|
+}
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|
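Review bot: In fips-crypto-policies.sh both bind-mount failure paths fail open: with `fips=1` on the kernel command line, a failed `mount -o bind,ro` only calls `warn` and the hook returns 0, so the system pivots with a non-FIPS crypto-policy while the kernel is in FIPS mode. If the first mount succeeds and the second fails, the back-ends are FIPS but `/etc/crypto-policies/config` still names the old policy, which is the reverse of the inconsistency the comment before the first mount's `return 0` guards against, and tools that read the config file would then report the wrong policy. Whether a failure should stop the boot is a policy decision the patch does not state, so I would at least document it above the first mount, e.g. `# Deliberately non-fatal: on failure the non-FIPS policy stays active under fips=1; the warning in the boot log is the only signal.`. If a hard stop is wanted, replacing `warn` with `die` in both places would do it, assuming `die` from dracut-lib.sh is acceptable in this pre-pivot hook.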
@ -1,39 +0,0 @@
|
|||||||
From d18bbc304e838ecf3b888ce4d70f1d96d21821f5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Daniel McIlvaney <damcilva@microsoft.com>
|
|
||||||
Date: Fri, 7 Jun 2024 11:38:54 -0700
|
|
||||||
Subject: [PATCH 31/31] fix(dracut-functions): avoid awk in get_maj_min()
|
|
||||||
|
|
||||||
The `get_maj_min()` cache lookup is commonly used
|
|
||||||
across many flows. While `awk` should be available,
|
|
||||||
some highly constrained environments may not have it.
|
|
||||||
A second call to `grep` can provide the same behaviour
|
|
||||||
without adding a dependnecy.
|
|
||||||
|
|
||||||
Lines in the cache will be of the form "/dev/sda2 8:2".
|
|
||||||
`awk '{print $NF}'` returns the last word of a matching line. Since
|
|
||||||
the initial matching regex is so specific a second call to grep can
|
|
||||||
easily extract the last word.
|
|
||||||
|
|
||||||
(cherry picked commit ec7efd5701e9a1b24f2e85666d625fb1fe46ce86)
|
|
||||||
|
|
||||||
Related: RHEL-47145
|
|
||||||
---
|
|
||||||
dracut-functions.sh | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/dracut-functions.sh b/dracut-functions.sh
|
|
||||||
index 43d905e3..b4d57454 100755
|
|
||||||
--- a/dracut-functions.sh
|
|
||||||
+++ b/dracut-functions.sh
|
|
||||||
@@ -243,7 +243,7 @@ get_maj_min() {
|
|
||||||
local _out
|
|
||||||
|
|
||||||
if [[ $get_maj_min_cache_file ]]; then
|
|
||||||
- _out="$(grep -m1 -oE "^${1//\\/\\\\} \S+$" "$get_maj_min_cache_file" | awk '{print $NF}')"
|
|
||||||
+ _out="$(grep -m1 -oE "^${1//\\/\\\\} \S+$" "$get_maj_min_cache_file" | grep -oE "\S+$")"
|
|
||||||
fi
|
|
||||||
|
|
||||||
if ! [[ "$_out" ]]; then
|
|
||||||
--
|
|
||||||
2.42.0
|
|
||||||
|
|
@ -0,0 +1,34 @@
|
|||||||
|
From cd5dbe004652d88b5d73418cba1e45c54ff9fd12 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jo Zzsi <jozzsicsataban@gmail.com>
|
||||||
|
Date: Thu, 5 Sep 2024 09:09:36 -0400
|
||||||
|
Subject: [PATCH 32/32] fix(fips-crypto-policies): make it depend on fips
|
||||||
|
dracut module
|
||||||
|
|
||||||
|
(cherry picked from commit a2096dafdbfc88eed91ce34b1f4d27e7eb7ca839)
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
Due to upstream e6117b92fa0108dbaf9ea3ac0ec8f5a02487c812, which
|
||||||
|
was not cherry-picked. Resolved the conflict by keeping the
|
||||||
|
functions (i.e., undoing the cleanup of the upstream commit).
|
||||||
|
|
||||||
|
Resolves: RHEL-59678
|
||||||
|
---
|
||||||
|
modules.d/01fips-crypto-policies/module-setup.sh | 1 +
|
||||||
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
|
diff --git a/modules.d/01fips-crypto-policies/module-setup.sh b/modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
index ee00452e..140eae00 100755
|
||||||
|
--- a/modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
+++ b/modules.d/01fips-crypto-policies/module-setup.sh
|
||||||
|
@@ -11,6 +11,7 @@ check() {
|
||||||
|
|
||||||
|
# called by dracut
|
||||||
|
depends() {
|
||||||
|
+ echo fips
|
||||||
|
return 0
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.42.0
|
||||||
|
|