28 changes: 28 additions & 0 deletions overlay.d/05core/etc/grub.d/03_boot-etc
@@ -0,0 +1,28 @@
#!/bin/sh
exec tail -n +3 $0

# NOTE: This is superfluous without setting a password on Grub.
# However, this makes it far more difficult for someone to
# load up a different initramfs-etc.
#
# This code-path is enabled by running as root:
# /usr/sbin/initramfs-etc --create
#
# Then, in the blsconfig add "$initramfs_etc" to the initrd line, i.e
# initrd /initrd $initramfs_etc

set initramfs_etc=""
if [ -f "/initramfs-etc.img" ]; then
set initramfs_etc="/initramfs-etc.img"
fi

if [ -f "/coreos.checksums" ]; then
insmod gcry_sha256
hashsum --hash sha256 --check "/coreos.checksums"
if [ "$?" != "0" ]; then
unset initramfs_etc
echo "Failed to checksum"
sleep 30
fi
fi

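Review bot: this hook is fail-open. The `hashsum --check` block only runs when `/coreos.checksums` exists, and a mismatch merely unsets `initramfs_etc` after a 30-second pause, so removing the checksum list skips verification entirely and whatever `/initramfs-etc.img` is present gets loaded unverified. Suggest an `else` branch on the `if [ -f "/coreos.checksums" ]` test that also does `unset initramfs_etc` and echoes why, so a missing list is treated like a failed one. Note also that `hashsum --check` reads `hash  filename` lines in `sha256sum` output format; a file that only lists filenames will never verify. The script's own NOTE already says this is superfluous without a GRUB password, so that prerequisite should be stated in the commit message or docs rather than only in a comment.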
51 changes: 51 additions & 0 deletions overlay.d/05core/usr/sbin/initramfs-etc
@@ -0,0 +1,51 @@
#!/bin/bash
#
# This creates a config-only initramfs that is signed for use by Grub2.
#

create() {
local archive="/boot/initramfs-etc.img"
local includes="${@}";

if [ ! -d "${key_path}" ]; then
key_gen
fi

echo "Generating new ${archive} using Dracut"
echo "${archive} will only contain configuration data, no logic"

local cur_d="${PWD}"
local work_d=$(mktemp -d)
trap "rm -rf ${work_d}" EXIT

# Generate a real initrd, but we'll throw it away later
# This ensures that we get a "filtered" config, plus the
# extra's that we need.
dracut "${work_d}/work.img" $(uname -r) \
Contributor Author

@cgwalters I specifically use Dracut here to limit the arbitrary logic and just get the configuration that was needed. We get a config cpio that's going to be compatible with the machine and the major series.

Notice the rm -rf /etc/systemd to clean out the logic.

Member

Note, this will break if/when we enable coreos/rpm-ostree#1789 - would need to directly invoke /usr/libexec/rpm-ostree/wrapped/dracut.

--add "lvm dm multipath" \
--hostonly-i18n \
--lvmconf \
--mdadmconf \
--no-hostonly-cmdline \
--no-compress \
--no-early-microcode \
-o "clevis" >> /dev/null

pushd "${work_d}" >> /dev/null
cpio -ic "etc*" < "${work_d}/work.img"
for x in "${includes_cfg[@]}"; do
test -e "etc/${x}" && cp -auR -t etc "etc/${x}"
done

rm -rf etc/systemd
find etc -print | cpio -o -c > "${work_d}/new.img"
popd >>/dev/null

mv "${work_d}/new.img" "${archive}"
pushd /boot >> /dev/null
ls -1 initramfs* > /boot/coreos.checksums
popd >> /dev/null
cat /boot/coreos.checksums
}

create
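Review bot: the include loop never runs: `create()` declares `local includes="${@}"` (a string, not an array) but iterates `"${includes_cfg[@]}"`, which is never set. Declare `local -a includes=("$@")` and loop over `"${includes[@]}"`. Second, `key_path` and `key_gen` are referenced in the `if [ ! -d "${key_path}" ]` block but defined nowhere in this file, so the first run on a host without that directory aborts with `key_gen: command not found`; either add the definitions or drop the block. Related to that, the header says the image is "signed for use by Grub2", but nothing here signs anything: `ls -1 initramfs* > /boot/coreos.checksums` writes a bare filename list, which is neither a signature nor the `hash  filename` format that the grub.d hook's `hashsum --check` consumes. Inside the `pushd /boot` block use `sha256sum initramfs* > coreos.checksums` instead, and keep in mind the list itself is unprotected, so it only holds up together with the GRUB password the hook's NOTE mentions. Minor: the script has no `set -euo pipefail`, so a failed `pushd` or `cpio` silently continues to the `mv`, and the `>> /dev/null` redirections should be `> /dev/null`.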