From 86c8a5a7c2573645e67537fb9975efab808d42c9 Mon Sep 17 00:00:00 2001 From: Antonio Alvarez Feijoo Date: Wed, 8 Mar 2023 08:25:38 +0100 Subject: [PATCH] fix(dracut-systemd): rootfs-generator cannot write outside of generator dir Although it was already documented in systemd.generator(7) that generators must not write to locations other than those passed as arguments, since https://github.com/systemd/systemd/commit/ca6ce62d systemd executes generators in a mount namespace "sandbox", so now the hooks created by the rootfs-generator are lost. These hooks are created using the root= cmdline argument, so this patch moves the creation of these hooks to a cmdline hook. Fixes issue #2211 Fixes issue #2225 --- modules.d/98dracut-systemd/module-setup.sh | 2 + modules.d/98dracut-systemd/parse-root.sh | 38 +++++++++++++++++++ .../98dracut-systemd/rootfs-generator.sh | 20 +--------- 3 files changed, 41 insertions(+), 19 deletions(-) create mode 100755 modules.d/98dracut-systemd/parse-root.sh diff --git a/modules.d/98dracut-systemd/module-setup.sh b/modules.d/98dracut-systemd/module-setup.sh index b7da86dba4..31953773df 100755 --- a/modules.d/98dracut-systemd/module-setup.sh +++ b/modules.d/98dracut-systemd/module-setup.sh @@ -37,6 +37,8 @@ install() { inst_script "$moddir/rootfs-generator.sh" "$systemdutildir"/system-generators/dracut-rootfs-generator + inst_hook cmdline 00 "$moddir/parse-root.sh" + for i in \ dracut-cmdline.service \ dracut-cmdline-ask.service \ diff --git a/modules.d/98dracut-systemd/parse-root.sh b/modules.d/98dracut-systemd/parse-root.sh new file mode 100755 index 0000000000..90f145afa8 --- /dev/null +++ b/modules.d/98dracut-systemd/parse-root.sh @@ -0,0 +1,38 @@ +#!/bin/sh + +type getarg > /dev/null 2>&1 || . /lib/dracut-lib.sh + +root=$(getarg root=) +case "${root#block:}" in + LABEL=* | UUID=* | PARTUUID=* | PARTLABEL=*) + root="block:$(label_uuid_to_dev "$root")" + rootok=1 + ;; + /dev/nfs | /dev/root) # ignore legacy + ;; + /dev/*) + root="block:${root}" + rootok=1 + ;; +esac + +if [ "$rootok" = "1" ]; then + root_dev="${root#block:}" + root_name="$(str_replace "$root_dev" '/' '\x2f')" + if ! [ -e "$hookdir/initqueue/finished/devexists-${root_name}.sh" ]; then + + # If a LUKS device needs unlocking via systemd in the initrd, assume + # it's for the root device. In that case, don't block on it if it's + # after remote-fs-pre.target since the initqueue is ordered before it so + # it will never actually show up (think Tang-pinned rootfs). + cat > "$hookdir/initqueue/finished/devexists-${root_name}.sh" << EOF +if ! grep -q After=remote-fs-pre.target /run/systemd/generator/systemd-cryptsetup@*.service 2>/dev/null; then + [ -e "$root_dev" ] +fi +EOF + { + printf '[ -e "%s" ] || ' "$root_dev" + printf 'warn "\"%s\" does not exist"\n' "$root_dev" + } >> "$hookdir/emergency/80-${root_name}.sh" + fi +fi diff --git a/modules.d/98dracut-systemd/rootfs-generator.sh b/modules.d/98dracut-systemd/rootfs-generator.sh index 0ba1709ba3..cef3f49054 100755 --- a/modules.d/98dracut-systemd/rootfs-generator.sh +++ b/modules.d/98dracut-systemd/rootfs-generator.sh @@ -6,28 +6,10 @@ generator_wait_for_dev() { local _name local _timeout - _name="$(str_replace "$1" '/' '\x2f')" + _name=$(dev_unit_name "$1") _timeout=$(getarg rd.timeout) _timeout=${_timeout:-0} - if ! [ -e "$hookdir/initqueue/finished/devexists-${_name}.sh" ]; then - - # If a LUKS device needs unlocking via systemd in the initrd, assume - # it's for the root device. In that case, don't block on it if it's - # after remote-fs-pre.target since the initqueue is ordered before it so - # it will never actually show up (think Tang-pinned rootfs). - cat > "$hookdir/initqueue/finished/devexists-${_name}.sh" << EOF -if ! grep -q After=remote-fs-pre.target "$GENERATOR_DIR"/systemd-cryptsetup@*.service 2>/dev/null; then - [ -e "$1" ] -fi -EOF - { - printf '[ -e "%s" ] || ' "$1" - printf 'warn "\"%s\" does not exist"\n' "$1" - } >> "$hookdir/emergency/80-${_name}.sh" - fi - - _name=$(dev_unit_name "$1") if ! [ -L "$GENERATOR_DIR"/initrd.target.wants/"${_name}".device ]; then [ -d "$GENERATOR_DIR"/initrd.target.wants ] || mkdir -p "$GENERATOR_DIR"/initrd.target.wants ln -s ../"${_name}".device "$GENERATOR_DIR"/initrd.target.wants/"${_name}".device