Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kernel: Append /dev/{u,}random to initrd instead of dracut caps #1951

Merged
merged 1 commit into from
Dec 10, 2019
Merged

kernel: Append /dev/{u,}random to initrd instead of dracut caps #1951

merged 1 commit into from
Dec 10, 2019

Conversation

cgwalters
Copy link
Member

Rather than giving dracut cap_mknod which won't work in
unprivileged scenarios, append a tiny static pre-generated CPIO
blob with /dev/random and /dev/urandom to the output of
dracut.

This is a hack until dracut does this itself. But the problem
is patches to dracut will take eleven billion years to ship
in RHCOS.

Closes: #1950

@cgwalters
Copy link
Member Author

One surprising thing is lsinitrd doesn't do what the kernel does and follow the chain, but I did test this successfully with RHCOS 4.3.

jlebon
jlebon reviewed Dec 10, 2019
View reviewed changes
src/libpriv/rpmostree-kernel.c Show resolved Hide resolved
src/libpriv/rpmostree-kernel.c Show resolved Hide resolved
src/libpriv/rpmostree-kernel.c Show resolved Hide resolved
@cgwalters
kernel: Append /dev/{u,}random to initrd instead of dracut caps
1846aed 
Rather than giving dracut `cap_mknod` which won't work in
unprivileged scenarios, append a tiny static pre-generated CPIO
blob with `/dev/random` and `/dev/urandom` to the output of
dracut.

This is a hack until dracut does this itself.  But the problem
is patches to dracut will take eleven billion years to ship
in RHCOS.

Closes: coreos#1950
@cgwalters cgwalters force-pushed the unpriv-dracut-random branch from 5911d82 to 1846aed Compare December 10, 2019 18:00
@cgwalters
Copy link
Member Author

Updated 🆕

ashcrow
ashcrow approved these changes Dec 10, 2019
View reviewed changes
Copy link
Member

@ashcrow ashcrow left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't fully grok the reasoning but the code itself looks good and the cpio archive was what it said it was :-)

@jlebon
Copy link
Member

jlebon commented Dec 10, 2019

/lgtm

@openshift-ci-robot
Copy link
Collaborator

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ashcrow, cgwalters, jlebon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [ashcrow,cgwalters,jlebon]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cgwalters
Copy link
Member Author

/override f29-compose1
/override f29-compose2
/override f29-primary

@openshift-ci-robot
Copy link
Collaborator

@cgwalters: Overrode contexts on behalf of cgwalters: f29-compose1, f29-compose2, f29-primary

In response to this:

/override f29-compose1
/override f29-compose2
/override f29-primary

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-merge-robot openshift-merge-robot merged commit 4e3c41b into coreos:master Dec 10, 2019
@jlebon jlebon mentioned this pull request May 5, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jlebon jlebon jlebon left review comments

@ashcrow ashcrow ashcrow approved these changes

Assignees

@jlebon jlebon

Labels
approved lgtm size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Rootless rpm-ostree can't mknod; causes broken RHCOS
5 participants
@cgwalters @jlebon @openshift-ci-robot @ashcrow @openshift-merge-robot