Fix dracut not enabling network in initramfs #49
Conversation
RHEL 8 dracut is no longer adding rd.neednet=1 to initramfs by default. Updated to match Red Hat's recommendation. Refer Section 10.9 of the RHEL 8 security hardening manual.
|
I think it would be better to use a dracut configuration file for this, so it would be more "permanent". Passing the extra configuration directly in the dracut invocation will work for this particular call performed by the role, but the next time the initramfs is updated -- e.g. during a kernel update --, dracut will not be executed with these extra parameters . |
|
Good point would adding a step to the main-clevis.yml to check and modify the dracut config be suitable? |
tasks/main-clevis.yml
Outdated
| @@ -4,9 +4,9 @@ | |||
| name: "{{ __nbde_client_packages }}" | |||
| state: present | |||
|
|
|||
| - name: Update clevis dracut config to enable networking if Tang binding is found | |||
| - name: Create/Update nbde_client dracut config to enable networking if Tang binding is found | |||
| lineinfile: | |||
There was a problem hiding this comment.
We don't recommend the use of lineinfile - https://github.com/redhat-cop/automation-good-practices/tree/main/coding_style
I would suggest using the file module, creating a role files/ subdirectory, and adding nbde_client.conf to the files/ subdirectory. If you think there will be other parameters to add to this config in the future, and the values of those configs will come from role variables, or be conditional, etc. then I suggest creating a template and using the templates/ subdirectory.
There was a problem hiding this comment.
Thanks for the tip I'll go with templates since this may also assist with #22
|
[citest commit:a3f9f5d653cdbc9467eb3f89d91f30c00efe5081] |
|
I fixed the |
|
ping - can you rebase? |
|
[citest commit:1a0300a592d9eac9a06d5bc772a494b0d78a7d91] |
|
ping - ready for review? |
|
Not yet hoping to get this ready in the next few days |
remove trailing space
templates/nbde_client.conf
Outdated
| @@ -0,0 +1 @@ | |||
| hostonly_cmdline=yes | |||
There was a problem hiding this comment.
Looking at this again, it may make sense to have kernel_cmdline="rd.neednet=1" here instead of hostonly_cmdline=yes, to have network enabled in the initrd unconditionally.
@Freakygnome: are you planning on updating this PR and marking it as ready to review?
There was a problem hiding this comment.
Yes would details on the template need to be added to the readme?
There was a problem hiding this comment.
Yes would details on the template need to be added to the readme?
No - the README is only for documenting the public api, not implementation details.
| - name: Generate nbde_client dracut config | ||
| template: | ||
| src: nbde_client.conf | ||
| dest: /etc/dracut.conf.d/nbde_client.conf |
There was a problem hiding this comment.
what ownership/permissions should this file have?
owner: root
mode: u=rw
?
There was a problem hiding this comment.
That would work; u=rw,g=r,o=r would be okay as well.
Using `u=rw` with no `g` or `o` - prefer less access by default unless more access is needed
|
[citest commit:912106cb5c79b770c0beab7e0e71066b4f777c37] |
remove trailing space
use curly braces instead of parentheses
|
@ukulekek the statuses are stuck in pending - will this be fixed by using tft-bot? |
|
[citest commit:912106cb5c79b770c0beab7e0e71066b4f777c37] |
|
[citest commit:c84a41bf2e92158f94d9082244e87f52794c1e78] |
defaults/main.yml
Outdated
| # Settings used configuring dracut | ||
| nbde_client_dracut_settings: | ||
| - kernel_cmdline="rd.neednet=1" | ||
| - ip="dhcp" |
There was a problem hiding this comment.
I don't think it's a good idea to pass ip="dhcp" explicitly, as it may cause problems for people setting up network manually.
There was a problem hiding this comment.
Should this be added as an example but commented out or just removed I don't believe at actually required.
In which case should the rd.neednet be set to on by default?
There was a problem hiding this comment.
Set rd.neednet=1 by default, since the role requires networking in the initramfs, but remove ip=dhcp as it may cause issues for configurations that already pass ip= to e.g. specify a static IP.
Removed ip config line as this may cause issues with existing configurationsthat already use the.
|
Looks good to me, thanks. @richm, could you take another look as well, please? |
| @@ -19,4 +19,8 @@ nbde_client_provider: clevis | |||
| # - http://server2.example.com | |||
| nbde_client_bindings: [] | |||
|
|
|||
| # Settings used configuring dracut | |||
| nbde_client_dracut_settings: | |||
| - kernel_cmdline="rd.neednet=1" | |||
There was a problem hiding this comment.
Does this mean that this role needs to reboot the machine in order for the changes to take effect? If so, we have a few roles that have to do something similar. See https://github.com/linux-system-roles/kernel_settings#role-variables kernel_settings_reboot_ok and https://github.com/linux-system-roles/kernel_settings#variables-exported-by-the-role kernel_settings_reboot_required
There was a problem hiding this comment.
This role sets up the machine so that next time it reboots, it will be able to use the configured tang servers for auto unlocking of its LUKS devices. To do that, it will need networking enabled in the initramfs during early boot, so that is what this change is doing.
I think the case here is different than the one you quoted, in terms of needing a reboot in order for the changes to take effect, although in practice the machine will have to be rebooted eventually if we want to see auto-unlocking on boot in action.
There was a problem hiding this comment.
ah - right - this is only for when the machine is actually rebooted and needs to unlock LUKS at boot time
lgtm
|
[citest commit:108e28f6981107bd28ab116b2390955d9e2a9464] |
|
[citest commit:f70235e757120fa54c9109eb9b848594de30c9d2] |
|
[citest pending] |
2 similar comments
|
[citest pending] |
|
[citest pending] |
| @@ -19,4 +19,8 @@ nbde_client_provider: clevis | |||
| # - http://server2.example.com | |||
| nbde_client_bindings: [] | |||
|
|
|||
| # Settings used configuring dracut | |||
| nbde_client_dracut_settings: | |||
| - kernel_cmdline="rd.neednet=1" | |||
There was a problem hiding this comment.
The presence of nbde_client_dracut_settings with a value means that this is a public variable which is intended to be set to a possibly different value by a user. Is this desirable? Or is the intention that kernel_cmdline="rd.neednet=1" is always set? Is it always needed? Is there any situation where the user would need to change this value, or prevent it from being added? Because an alternative is to just hardcode this value in the nbde_client.conf below.
There was a problem hiding this comment.
If it is intended that the user can set this value, then it should be documented in the README.md, and there should be a test which sets this value to a non-default value, and verifies that the value was set.
|
[citest pending] |
1 similar comment
|
[citest pending] |
|
how does this PR relate to #58 ? |
|
[citest pending] |
|
[citest bad] |
RHEL 8 dracut is no longer adding rd.neednet=1 to initramfs by default.
Updated to match Red Hat's recommendation.
Refer Section 10.9 of the RHEL 8 security hardening manual.