libpriv/kernel: add cap_mknod to dracut run #1946

Merged
merged 1 commit into from
Dec 5, 2019

Conversation

jlebon
Member

@jlebon jlebon commented Dec 4, 2019

A lot of history with this. But essentially, dracut tries to mknod a
few character devices like /dev/random and /dev/urandom and fails.

We originally blocked cap_mknod because, well, %post scripts don't
really need to do that, and it would get wiped anyway. But there is a
use case for dracut's CPIO: we want /dev/*random to be available in
early boot before systemd even mounts devtmpfs because libgcrypt as
part of its constructor-time selftests in FIPS mode wants to read from
there.

For more fun, see:
https://bugzilla.redhat.com/show_bug.cgi?id=1778940
https://bugzilla.redhat.com/show_bug.cgi?id=1401444
https://bugzilla.redhat.com/show_bug.cgi?id=1380866
@cgwalters
Member

This is OK by me, but I think it would be better to have dracut instead directly write the device files to the CPIO archive. Then no additional privileges are required.
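As an added illustration of the approach suggested above (and of the later rootless observation, where mknod is not available at all), not code from rpm-ostree or dracut: a minimal cpio "newc" writer that records `/dev/random` and `/dev/urandom` as character-device entries by their major:minor numbers (1:8 and 1:9 on Linux). The archive carries the nodes as metadata, so no `mknod(2)` and no `cap_mknod` are needed at build time; the kernel creates the devices when it unpacks the initramfs. A small parser walks the result to check the entries.

```python
import stat

NEWC_MAGIC = b"070701"   # SVR4 "new ASCII" cpio, the format initramfs uses
HDR_LEN = 110            # 6-byte magic + 13 fields of 8 hex digits

def _pad4(n):
    return (4 - n % 4) % 4

def newc_entry(name, mode, rdev_major=0, rdev_minor=0, data=b"", ino=0):
    """Serialise one newc header + NUL-terminated name + data, 4-byte aligned."""
    fields = [ino, mode, 0, 0, 1, 0, len(data),   # ino, mode, uid, gid, nlink, mtime, filesize
              0, 0, rdev_major, rdev_minor,        # devmajor, devminor, rdevmajor, rdevminor
              len(name) + 1, 0]                    # namesize (incl. NUL), check
    hdr = NEWC_MAGIC + b"".join(b"%08X" % f for f in fields)
    hdr += name.encode() + b"\0"
    hdr += b"\0" * _pad4(len(hdr))
    return hdr + data + b"\0" * _pad4(len(data))

def chardev_entry(name, major, minor, perm=0o666):
    # S_IFCHR in the mode field plus rdev major/minor is all the kernel needs
    return newc_entry(name, stat.S_IFCHR | perm, major, minor)

def build_initramfs_devnodes():
    """Constructed sample archive: /dev with the two random device nodes."""
    return b"".join([
        newc_entry("dev", stat.S_IFDIR | 0o755),
        chardev_entry("dev/random", 1, 8),
        chardev_entry("dev/urandom", 1, 9),
        newc_entry("TRAILER!!!", 0),   # end-of-archive marker
    ])

def parse_newc(blob):
    """Return [(name, mode, rdev_major, rdev_minor)] for every entry in blob."""
    out, off = [], 0
    while off < len(blob):
        if blob[off:off + 6] != NEWC_MAGIC:
            raise ValueError("bad newc magic at offset %d" % off)
        f = [int(blob[off + 6 + 8 * i:off + 14 + 8 * i], 16) for i in range(13)]
        mode, size, rmaj, rmin, namesize = f[1], f[6], f[9], f[10], f[11]
        name = blob[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode()
        out.append((name, mode, rmaj, rmin))
        off += HDR_LEN + namesize
        off += _pad4(off)          # entries start 4-aligned, so absolute padding is fine
        off += size + _pad4(size)
    return out

if __name__ == "__main__":
    with open("devnodes.cpio", "wb") as fh:
        fh.write(build_initramfs_devnodes())
    for entry in parse_newc(build_initramfs_devnodes()):
        print(entry)
```

Listing the written file with `cpio -itv < devnodes.cpio` shows the entries as `crw-rw-rw-` with device numbers `1, 8` and `1, 9`, confirming the nodes are present without any device node ever having been created on the build host.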

@jlebon
Member Author

jlebon commented Dec 4, 2019

> This is OK by me, but I think it would be better to have dracut instead directly write the device files to the CPIO archive. Then no additional privileges are required.

So... I briefly considered pulling out libarchive to do just this. But yeah, would be much nicer if we could bake that into dracut itself.

@miabbott
Member

miabbott commented Dec 4, 2019

/approve

Seems like the easiest way forward

@jlebon
Member Author

jlebon commented Dec 4, 2019

bot, retest this please

@jlebon
Member Author

jlebon commented Dec 4, 2019

bot, retest this please

@jlebon
Member Author

jlebon commented Dec 5, 2019

bot, retest this please

@jlebon
Member Author

jlebon commented Dec 5, 2019

The Jenkins one is due to coreos/fedora-coreos-config#248.

@jlebon
Member Author

jlebon commented Dec 5, 2019

OK, jenkins is happy now. Edit: well, it's passed where it died before, but it's not quite done yet!

I'm thinking... let's just override the failures and get this in? Something is up with OpenStack giving slow I/O but f29-primary has definitely passed before, and the compose tests that did finish passed. I also tested this locally.

@cgwalters
Member

/override f29-compose1
/override f29-compose2
/override f29-primary

@cgwalters
Member

/lgtm

@openshift-ci-robot
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cgwalters, jlebon, miabbott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [cgwalters,jlebon,miabbott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot
Collaborator

@cgwalters: Overrode contexts on behalf of cgwalters: f29-compose1, f29-compose2, f29-primary

In response to this:

/override f29-compose1
/override f29-compose2
/override f29-primary

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot merged commit 3b8a1ec into coreos:master Dec 5, 2019
@cgwalters
Member

I'm getting failing-to-boot RHCOS images built from my toolbox env running rootless because dracut still can't mknod; and neither can I do so manually. I haven't fully traced through but I'm pretty sure there's just no way to make device nodes in rootless. The only way this is working for RHCOS today is because we run with full privileges in the build.

IOW I think we really do need to teach dracut to synthesize the cpio bits directly. Or we hack it in here.

@jlebon
Member Author

jlebon commented Dec 10, 2019

OK yup, let's track this in an issue: #1950

@jlebon jlebon deleted the pr/dracut-mknod branch April 23, 2023 23:31