[PATCH] mkdumprd: allow spaces after 'path' config phrase when network dump
by Kazuhito Hagio
Without this patch, when there are two or more spaces after 'path'
configuration phrase with ssh or nfs setting, SAVE_PATH is set to
'/var/crash' in mkdumprd, and in most cases kdump service fails to
start.
  ssh kdump@192.168.122.1
  path  /kdump
      ^^
This behavior would be too sensitive and different from the other
configurations. With this patch, mkdumprd allows such spaces.
Signed-off-by: Kazuhito Hagio <k-hagio(a)ab.jp.nec.com>
---
mkdumprd | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mkdumprd b/mkdumprd
index a6f7fe8..aa0abfd 100644
--- a/mkdumprd
+++ b/mkdumprd
@@ -13,7 +13,7 @@ export IN_KDUMP=1
conf_file="/etc/kdump.conf"
SSH_KEY_LOCATION="/root/.ssh/kdump_id_rsa"
-SAVE_PATH=$(grep ^path $conf_file| cut -d' ' -f2)
+SAVE_PATH=$(awk '/^path/ {print $2}' $conf_file)
[ -z "$SAVE_PATH" ] && SAVE_PATH=$DEFAULT_PATH
# strip the duplicated "/"
SAVE_PATH=$(echo $SAVE_PATH | tr -s /)
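Review bot: the new awk pattern /^path/ in the SAVE_PATH assignment still matches any line that merely begins with "path" and prints one value per matching line, so two matching lines leave SAVE_PATH holding two newline-separated values. Match the keyword exactly and quote the file name: awk '$1 == "path" {print $2}' "$conf_file". The context line below has the same quoting gap (echo $SAVE_PATH | tr -s /), and because an empty result silently becomes $DEFAULT_PATH, a log line on that fallback would make a misparsed config visible instead of redirecting the dump unnoticed.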
--
2.18.0
1 year
Re: [dm-crypt] Kdump with full-disk LUKS encryption
by Kairui Song
Hi,
Thanks a lot, this info is very helpful.
Better to keep it for debugging for now, and ask users to use it very carefully.
On Tue, Apr 20, 2021 at 3:54 PM Milan Broz <gmazyland(a)gmail.com> wrote:
>
> Hi,
>
> TL;DR what you are trying to do is to actually reverse many security measures
> we added. It is perhaps acceptable for debugging but hardly for real generic system.
>
> - using memory-hard function increases cost of dictionary and brute-force
> attacks
> You can always decrease amount of memory needed, but you should do it only
> if you know that security margin is ok (like password is randomly generated
> with enough entropy).
>
> - key is in keyring to remove possibility for normal userspace to receive
> the key from kernel. Moreover, there is no need to retain kernel in keyring once
> dm-crypt device is activated. (It is still in kernel memory but only in crypto
> functions context). (Systemd also uses keyring to cache passphrase but that's
> different thing.)
>
> You can still use old way for activation with --disable-keyring activation,
> but then you disable this possibility.
>
> More comments below.
>
> On 19/04/2021 12:00, Kairui Song wrote:
> > Hi all,
> >
> > I'm currently trying to add kdump support for systemd with full-disk
> > LUKS encryption. vmcores contain sensitive data so they should also be
> > protected, and network dumps sometimes are not available. So kdump has
> > to open the LUKS encrypted device in the kdump environment.
> >
> > I'm using systemd/dracut, my work machine is running Fedora 34, and
> > there are several problems I'm trying to solve:
> > 1. Users have to input the password in the kdump kernel environment.
> > But users often don't have shell access to the kdump environment.
> > (headless server, graphic card not working after kexec, both are very
> > common)
> > 2. LUKS2 prefers Argon2 as the key derivation function, designed to
> > use a lot of memory. kdump is expected to use a minimal amount of
> > memory. Users will have to reserve a huge amount of memory for kdump
> > to work (eg. 1G reserve for kdump with 4G total memory which is not
> > reasonable).
>
> When I added Argon2 to LUKS2, I actually expected such issues. Despite
> some people beat me that they cannot use an arbitrary amount of memory,
> we have some hard limits that were selected that it should work on most recent
> systems. Maybe kdump can live with it.
>
> - maximum memory cost limit is 4GB, no LUKS2 device can use more for Argon2
> - we never use more than half of available physical memory
> (measured on the host where the device was formatted)
> - required amount of memory is visible in LUKS2 metadata (luksDump)
> for the particular keyslot (Memory: the value is in kB)
> - we use benchmark to calculate memory cost with preferred unlocking
> time 2 seconds (again, on the device where LUKS was formatted)
> Small systems (like RPi2) then use much smaller acceptable values.
> You can configure all costs (time, memory, threads) during format
> or even set them to predefined values.
>
> I am sorry, but there is really no way around this - and the required
> memory must be physical memory (otherwise it slows down extremely).
> This is a feature, not a bug :-)
>
>
> > To fix these problems, I tried to pass the master key to the second
> > kernel directly via initramfs. Kdump will modify the initramfs in
> > ramfs to include the key, kexec_load it, and never write to any actual
> > back storage. This worked with old LUKS configurations.
>
> Well, passing volume key this way is quite insecure, but perhaps
> acceptable for debugging.
>
> >
> > But LUKS2/cryptsetup now stores the key in the kernel keyring by
> > default. The key is accessible from userspace.
>
> If you are talking about volume key (not passphrase), it is not
> available from userspace. Only reference to it. But you can use
> this reference to construct in-kernel dm-crypt device.
> Please read https://gitlab.com/cryptsetup/cryptsetup/-/blob/master/docs/Keyring.txt
>
> > Users can enter the password to start kdump manually and then it will
> > work, but usually people expect kdump service to start automatically.
> >
> > (WIP patch series:
> > https://lists.fedoraproject.org/archives/list/kexec@lists.fedoraproject.o...)
> >
> > I've several ideas about how to improve it but not sure which one is
> > better, and if this is a good idea after all:
> > 1. Simply introduce a config to let systemd-cryptsetup disable kernel
> > keyring on setup, there is currently no such option.
>
> Well, that option could be useful anyway and we have support for it
> in cryptsetup (--disable-keyring CLI option) and libcryptsetup, so why not.
> Just this should not be a default option.
>
> This should be a patch for systemd-cryptsetup only as libcryptsetup supports it.
>
> ...
>
> > 2. If we can let the key stay in userspace for a little longer, eg.
> > for systems booted with dracut/systemd, when
> > systemd-cryptsetup@%s.service opens the crypt device, keep the key in
> > dm-crypt. And later when services like kdump have finished loading,
> > cryptsetup can refresh the device and store the key in the kernel
> > keyring again.
>
> We invalidate volume key in keyring after libcryptsetup operation
> is finished (and kernel removes the reference once keyring garbage collection
> is run).
>
> I can imagine to add some option to keep key inside keyring even after
> call is finished, but as said above, this removes some security margin
> we intentionally introduced here.
I agree with your comments, thanks! These two approaches seem not a
good idea now.
>
> ...
>
> Milan
>
How about plan 3 and 4?
> 3. Let kdump use some custom helper/service to load all needed
> resources in the early initrd boot stage, prior to
> systemd-cryptsetup@%s.service. It will ask the password / parse the
> keyfile and load kdump, then provide info for systemd-cryptsetup or
> just do the setup. Or maybe let systemd-cryptsetup support some kind
> of "plugins" so other tools can use it.
Some details could be changed/improved, but
systemd-cryptsetup@%s.service will prompt for a password or use a
keyfile anyway.
So I think at this point, loading kdump with the volume key should be
safe? At least as long as the kdump kernel/environment itself isn't
compromised. Loaded kdump resources can be restricted to be only
accessible from the kernel side.
After panic, kernel kexec jumps to kdump kernel, and that's a
minimized emergency environment that only lives for a very short
period.
> 4. A better and safer solution seems to keep a consistent key ring
> between kexec boots but also more complex and difficult as different
> arch implements kexec differently.
Maybe plan 4 will be a good idea if doable? Since that keeps the key
consistent in the kernel between kexec boots, and cryptsetup can just
reuse it.
--
Best Regards,
Kairui Song
1 year, 6 months
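The reply quoted in the thread above says the Argon2 memory each keyslot needs is visible in luksDump ("Memory:", value in kB). As an added example (not from the thread, cryptsetup or kexec-tools), this script lists that figure per keyslot and reports which keyslots fit a kdump reservation. The sample dump and the 192/128 MiB figures are constructed, and the overhead parameter is an assumption the operator supplies.

```shell
#!/bin/sh
# Added example: read the Argon2 memory cost of each LUKS2 keyslot from
# `cryptsetup luksDump` text and compare it with a kdump memory budget.

# Constructed sample shaped like luksDump output (not from a real device).
sample_luksdump() {
    cat <<'EOF'
LUKS header information
Version:        2
Keyslots:
  0: luks2
        Key:        512 bits
        PBKDF:      argon2id
        Time cost:  4
        Memory:     1048576
        Threads:    4
  1: luks2
        Key:        512 bits
        PBKDF:      pbkdf2
        Hash:       sha256
        Iterations: 1000000
  2: luks2
        Key:        512 bits
        PBKDF:      argon2i
        Time cost:  9
        Memory:     65536
        Threads:    1
Tokens:
Digests:
  0: pbkdf2
        Hash:       sha256
        Iterations: 100000
EOF
}

# stdin: luksDump text. stdout: "<slot> <pbkdf> <memory_kB>" per keyslot.
# Memory is reported as 0 for PBKDF2, which has no memory cost.
# Only the "Keyslots:" section is read; "Digests:" uses the same layout
# and must not be mistaken for keyslots.
luks2_keyslot_kdf() {
    awk '
        function emit() { if (slot != "") print slot, kdf, mem + 0; slot = "" }
        /^[^ \t]/        { emit(); insec = ($1 == "Keyslots:"); next }
        !insec           { next }
        $1 ~ /^[0-9]+:$/ { emit(); slot = $1; sub(/:$/, "", slot)
                           kdf = "unknown"; mem = 0; next }
        $1 == "PBKDF:"   { kdf = $2 }
        $1 == "Memory:"  { mem = $2 }
        END              { emit() }
    '
}

# stdin: rows from luks2_keyslot_kdf.
# $1: memory reserved for the crash kernel, in MiB.
# $2: MiB assumed to be used by the kdump kernel and initramfs (operator's
#     estimate; this script cannot measure it).
# stdout: keyslot numbers whose KDF memory fits in what is left.
# The kB figure from luksDump is treated as 1024-byte units (assumption).
kdump_unlockable_slots() {
    awk -v reserved="$1" -v overhead="$2" '
        BEGIN { budget = (reserved - overhead) * 1024 }
        $3 + 0 <= budget { print $1 }
    '
}

# Demo with constructed numbers: 192 MiB reserved, 128 MiB assumed overhead.
sample_luksdump | luks2_keyslot_kdf | kdump_unlockable_slots 192 128
```

On a real system the input would be the output of cryptsetup luksDump for the dump target. An empty result means no keyslot can be opened inside that reservation without lowering the KDF cost, which is the trade-off discussed in the thread.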
[RESEND PATCH V2] fadump: isolate fadump initramfs image within the
default one
by Hari Bathini
In case of fadump, the initramfs image has to be built to boot into
the production environment as well as to offload the active crash dump
to the specified dump target (for boot after crash). As the same image
would be used for both boot scenarios, it could not be built optimally
while accommodating both cases.
Since dracut commit 8f7c332e488f ("refactor(squash): structure in a
cleaner way"), the squash'ed image is a complete environment that can
be activated for a given boot scenario. Use --include to include the
squash'ed initramfs image built to offload active crash dump to the
specified dump target.
Also, introduce a new out-of-tree dracut module (99zz-fadumpinit) that
installs a customized init program while moving the default /init to
/init.dracut.
Thus, the customized init program is leveraged to isolate fadump image
within the default initramfs image by kicking off default boot process
(exec /init.dracut) for regular boot scenario and activating squash'ed
image only when an active crash dump would be available.
Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com>
---
* Resending the patch with '--quiet' option added to dracut while building the
initramfs image with capture image isolated.
Changes in V2:
* Moved kernel modules installation from install() to installkernel() for
zz-fadumpinit dracut module.
* Updated kexec-tools.spec to install zz-fadumpinit module files appropriately.
* Fixed error check for capture initramfs image isolation with dracut.
dracut-fadump-init-fadump.sh | 40 ++++++++++++++++++++++++++++++++++++++++
dracut-fadump-module-setup.sh | 23 +++++++++++++++++++++++
dracut-module-setup.sh | 2 +-
kdumpctl | 12 +++++++++++-
kexec-tools.spec | 11 +++++++++++
5 files changed, 86 insertions(+), 2 deletions(-)
create mode 100644 dracut-fadump-init-fadump.sh
create mode 100644 dracut-fadump-module-setup.sh
diff --git a/dracut-fadump-init-fadump.sh b/dracut-fadump-init-fadump.sh
new file mode 100644
index 0000000..5a81cbe
--- /dev/null
+++ b/dracut-fadump-init-fadump.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+PATH=/bin:/sbin
+
+[ -e /proc/self/mounts ] \
+ || (mkdir -p /proc && mount -t proc -o nosuid,noexec,nodev proc /proc)
+
+grep -q '^sysfs /sys sysfs' /proc/self/mounts \
+ || (mkdir -p /sys && mount -t sysfs -o nosuid,noexec,nodev sysfs /sys)
+
+grep -q '^devtmpfs /dev devtmpfs' /proc/self/mounts \
+ || (mkdir -p /dev && mount -t devtmpfs -o mode=755,noexec,nosuid,strictatime devtmpfs /dev)
+
+grep -q '^tmpfs /run tmpfs' /proc/self/mounts \
+ || (mkdir -p /run && mount -t tmpfs -o mode=755,noexec,nosuid,strictatime tmpfs /run)
+
+if [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ] && [ ! -f /proc/device-tree/ibm,opal/dump/mpipl-boot ]; then
+ exec /init.dracut
+ exit
+fi
+
+# Load required modules
+modprobe loop
+modprobe squashfs
+modprobe overlay
+
+# Mount the squash image
+mkdir -p /squash
+mount -t ramfs ramfs /squash
+mkdir -p /squash/root /squash/overlay/upper /squash/overlay/work
+mount -t squashfs -o ro,loop /fadump-squash.img /squash/root
+
+# Setup new root overlay
+mkdir -p /newroot
+mount -t overlay overlay -o lowerdir=/squash/root,upperdir=/squash/overlay/upper,workdir=/squash/overlay/work/ /newroot/
+
+# Move all mount points to new root to prepare chroot
+mount --move /squash /newroot/squash
+
+# Jump to new root and clean setup files
+SYSTEMD_IN_INITRD=lenient exec switch_root /newroot /init
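Review bot: none of the modprobe, mkdir or mount steps after the dump-boot check are tested for failure, so if mounting /fadump-squash.img fails the script still reaches "exec switch_root /newroot /init" with nothing usable under /newroot and the capture boot ends without an init. Check each step and, on failure, fall back to "exec /init.dracut" or an emergency shell with a message on the console. The "exit" after "exec /init.dracut" only runs if the exec itself failed, so "exit 1" with an error message would say so. The ramfs on /squash is also the only mount here without nosuid/nodev; add them or note why they are omitted.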
diff --git a/dracut-fadump-module-setup.sh b/dracut-fadump-module-setup.sh
new file mode 100644
index 0000000..479154a
--- /dev/null
+++ b/dracut-fadump-module-setup.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+installkernel() {
+ # Install required kernel modules for the init script (init-fadump.sh)
+ hostonly="" instmods "loop" "squashfs" "overlay"
+}
+
+install() {
+ mv -f "$initdir/init" "$initdir/init.dracut"
+ inst_simple "$moddir/init-fadump.sh" /init
+ chmod 0755 "$initdir/init"
+
+ # Install required binaries for the init script (init-fadump.sh)
+ inst_multiple sh mount modprobe mkdir switch_root grep
+}
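Review bot: in install(), the result of mv -f "$initdir/init" "$initdir/init.dracut" is not checked, yet the replacement /init is installed regardless. If the move fails, every regular boot runs "exec /init.dracut" against a missing file and the production system does not come up. Return non-zero from install() when the mv fails, and add a comment that the module relies on its 99zz ordering to run after /init has been installed.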
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index a99a0ea..ab48e79 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -37,7 +37,7 @@ depends() {
done
}
- if is_squash_available && ! is_fadump_capable; then
+ if is_squash_available; then
add_opt_module squash
else
dwarning "Required modules to build a squashed kdump image is missing!"
diff --git a/kdumpctl b/kdumpctl
index 978dae5..7e617e8 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -18,6 +18,7 @@ DEFAULT_INITRD_BAK=""
KDUMP_INITRD=""
TARGET_INITRD=""
FADUMP_REGISTER_SYS_NODE="/sys/kernel/fadump_registered"
+FADUMP_SQUASH_IMG=fadump-squash.img
#kdump shall be the default dump mode
DEFAULT_DUMP_MODE="kdump"
image_time=0
@@ -105,6 +106,7 @@ save_core()
rebuild_fadump_initrd()
{
local target_initrd_tmp
+ local _dracut_isolate_args
# this file tells the initrd is fadump enabled
touch /tmp/fadump.initramfs
@@ -119,6 +121,14 @@ rebuild_fadump_initrd()
fi
rm -f /tmp/fadump.initramfs
+ lsinitrd $target_initrd_tmp /squash-root.img > /tmp/$FADUMP_SQUASH_IMG
+ _dracut_isolate_args=" --rebuild $DEFAULT_INITRD_BAK --add zz-fadumpinit -i /tmp/$FADUMP_SQUASH_IMG /$FADUMP_SQUASH_IMG"
+ if [ ! -s /tmp/$FADUMP_SQUASH_IMG ] \
+ || ! dracut --force --quiet $_dracut_isolate_args $target_initrd_tmp; then
+ dwarn "WARNING: Could not isolate the dump capture initramfs image."
+ fi
+ rm -f /tmp/$FADUMP_SQUASH_IMG
+
# updating fadump initrd
ddebug "updating fadump initrd: $target_initrd_tmp $TARGET_INITRD"
mv $target_initrd_tmp $TARGET_INITRD
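Review bot: /tmp/$FADUMP_SQUASH_IMG in rebuild_fadump_initrd() is a fixed, predictable name in a world-writable directory, written as root through a shell redirect and then embedded in the initramfs as /fadump-squash.img, which the new init mounts and switch_roots into. A path pre-created by another local user can redirect that write, and the file can change between the -s test and the dracut call. Create a private directory with mktemp -d (or use a root-only location), quote the expansions, and remove the directory in the cleanup step.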
@@ -612,7 +622,7 @@ check_rebuild()
#in case of fadump mode, check whether the default/target
#initrd is already built with dump capture capability
if [ "$DEFAULT_DUMP_MODE" == "fadump" ]; then
- capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep ^kdumpbase$ | wc -l)
+ capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep -e ^kdumpbase$ -e ^zz-fadumpinit$ | wc -l)
fi
fi
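Review bot: with two -e patterns, the "grep ... | wc -l" in check_rebuild() can now yield 2 when both kdumpbase and zz-fadumpinit are listed, where it was 0 or 1 before. How capture_capable_initrd is tested lies outside this hunk; if it is compared against 1, an image with both modules is treated as not capture capable. Please confirm, or reduce the result to a boolean with grep -q. Quoting the patterns ('^kdumpbase$') would also keep the shell from interpreting them.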
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 11c64cb..a7cbf93 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -55,6 +55,9 @@ Source107: dracut-kdump-emergency.target
Source108: dracut-early-kdump.sh
Source109: dracut-early-kdump-module-setup.sh
+Source200: dracut-fadump-init-fadump.sh
+Source201: dracut-fadump-module-setup.sh
+
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -212,6 +215,7 @@ install -m 644 makedumpfile-%{mkdf_ver}/eppic_scripts/* $RPM_BUILD_ROOT/usr/shar
%define remove_dracut_prefix() %(echo -n %1|sed 's/.*dracut-//g')
%define remove_dracut_early_kdump_prefix() %(echo -n %1|sed 's/.*dracut-early-kdump-//g')
+%define remove_dracut_fadump_prefix() %(echo -n %1|sed 's/.*dracut-fadump-//g')
# deal with dracut modules
mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase
@@ -230,6 +234,13 @@ cp %{SOURCE108} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlyk
cp %{SOURCE109} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_prefix %{SOURCE108}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
+%ifarch ppc64 ppc64le
+mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit
+cp %{SOURCE200} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE200}}
+cp %{SOURCE201} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE201}}
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE200}}
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE201}}
+%endif
%define dracutlibdir %{_prefix}/lib/dracut
1 year, 11 months
[PATCH V2] fadump: isolate fadump initramfs image within the default
one
by Hari Bathini
In case of fadump, the initramfs image has to be built to boot into
the production environment as well as to offload the active crash dump
to the specified dump target (for boot after crash). As the same image
would be used for both boot scenarios, it could not be built optimally
while accommodating both cases.
Since dracut commit 8f7c332e488f ("refactor(squash): structure in a
cleaner way"), the squash'ed image is a complete environment that can
be activated for a given boot scenario. Use --include to include the
squash'ed initramfs image built to offload active crash dump to the
specified dump target.
Also, introduce a new out-of-tree dracut module (99zz-fadumpinit) that
installs a customized init program while moving the default /init to
/init.dracut.
Thus, the customized init program is leveraged to isolate fadump image
within the default initramfs image by kicking off default boot process
(exec /init.dracut) for regular boot scenario and activating squash'ed
image only when an active crash dump would be available.
Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com>
---
Changes in V2:
* Moved kernel modules installation from install() to installkernel() for
zz-fadumpinit dracut module.
* Updated kexec-tools.spec to install zz-fadumpinit module files appropriately.
* Fixed error check for capture initramfs image isolation with dracut.
dracut-fadump-init-fadump.sh | 40 ++++++++++++++++++++++++++++++++++++++++
dracut-fadump-module-setup.sh | 23 +++++++++++++++++++++++
dracut-module-setup.sh | 2 +-
kdumpctl | 11 ++++++++++-
kexec-tools.spec | 11 +++++++++++
5 files changed, 85 insertions(+), 2 deletions(-)
create mode 100644 dracut-fadump-init-fadump.sh
create mode 100644 dracut-fadump-module-setup.sh
diff --git a/dracut-fadump-init-fadump.sh b/dracut-fadump-init-fadump.sh
new file mode 100644
index 0000000..5a81cbe
--- /dev/null
+++ b/dracut-fadump-init-fadump.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+PATH=/bin:/sbin
+
+[ -e /proc/self/mounts ] \
+ || (mkdir -p /proc && mount -t proc -o nosuid,noexec,nodev proc /proc)
+
+grep -q '^sysfs /sys sysfs' /proc/self/mounts \
+ || (mkdir -p /sys && mount -t sysfs -o nosuid,noexec,nodev sysfs /sys)
+
+grep -q '^devtmpfs /dev devtmpfs' /proc/self/mounts \
+ || (mkdir -p /dev && mount -t devtmpfs -o mode=755,noexec,nosuid,strictatime devtmpfs /dev)
+
+grep -q '^tmpfs /run tmpfs' /proc/self/mounts \
+ || (mkdir -p /run && mount -t tmpfs -o mode=755,noexec,nosuid,strictatime tmpfs /run)
+
+if [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ] && [ ! -f /proc/device-tree/ibm,opal/dump/mpipl-boot ]; then
+ exec /init.dracut
+ exit
+fi
+
+# Load required modules
+modprobe loop
+modprobe squashfs
+modprobe overlay
+
+# Mount the squash image
+mkdir -p /squash
+mount -t ramfs ramfs /squash
+mkdir -p /squash/root /squash/overlay/upper /squash/overlay/work
+mount -t squashfs -o ro,loop /fadump-squash.img /squash/root
+
+# Setup new root overlay
+mkdir -p /newroot
+mount -t overlay overlay -o lowerdir=/squash/root,upperdir=/squash/overlay/upper,workdir=/squash/overlay/work/ /newroot/
+
+# Move all mount points to new root to prepare chroot
+mount --move /squash /newroot/squash
+
+# Jump to new root and clean setup files
+SYSTEMD_IN_INITRD=lenient exec switch_root /newroot /init
diff --git a/dracut-fadump-module-setup.sh b/dracut-fadump-module-setup.sh
new file mode 100644
index 0000000..479154a
--- /dev/null
+++ b/dracut-fadump-module-setup.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+check() {
+ return 255
+}
+
+depends() {
+ return 0
+}
+
+installkernel() {
+ # Install required kernel modules for the init script (init-fadump.sh)
+ hostonly="" instmods "loop" "squashfs" "overlay"
+}
+
+install() {
+ mv -f "$initdir/init" "$initdir/init.dracut"
+ inst_simple "$moddir/init-fadump.sh" /init
+ chmod 0755 "$initdir/init"
+
+ # Install required binaries for the init script (init-fadump.sh)
+ inst_multiple sh mount modprobe mkdir switch_root grep
+}
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index a99a0ea..ab48e79 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -37,7 +37,7 @@ depends() {
done
}
- if is_squash_available && ! is_fadump_capable; then
+ if is_squash_available; then
add_opt_module squash
else
dwarning "Required modules to build a squashed kdump image is missing!"
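Review bot: dropping "! is_fadump_capable" from the squash condition makes the fadump image depend on the dracut behaviour the commit message ties to commit 8f7c332e488f, but nothing in this hunk checks for it. With a dracut that lacks that change, the squash module would now be added to an image that also has to boot production. Gate the condition on a dracut version or feature test, or state the minimum dracut version as a Requires in the spec.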
diff --git a/kdumpctl b/kdumpctl
index 978dae5..e406c7d 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -18,6 +18,7 @@ DEFAULT_INITRD_BAK=""
KDUMP_INITRD=""
TARGET_INITRD=""
FADUMP_REGISTER_SYS_NODE="/sys/kernel/fadump_registered"
+FADUMP_SQUASH_IMG=fadump-squash.img
#kdump shall be the default dump mode
DEFAULT_DUMP_MODE="kdump"
image_time=0
@@ -105,6 +106,7 @@ save_core()
rebuild_fadump_initrd()
{
local target_initrd_tmp
+ local _dracut_isolate_args
# this file tells the initrd is fadump enabled
touch /tmp/fadump.initramfs
@@ -119,6 +121,13 @@ rebuild_fadump_initrd()
fi
rm -f /tmp/fadump.initramfs
+ lsinitrd $target_initrd_tmp /squash-root.img > /tmp/$FADUMP_SQUASH_IMG
+ _dracut_isolate_args=" --rebuild $DEFAULT_INITRD_BAK --add zz-fadumpinit -i /tmp/$FADUMP_SQUASH_IMG /$FADUMP_SQUASH_IMG"
+ if [ ! -s /tmp/$FADUMP_SQUASH_IMG ] || ! dracut -f $_dracut_isolate_args $target_initrd_tmp; then
+ dwarn "WARNING: Could not isolate the dump capture initramfs image."
+ fi
+ rm -f /tmp/$FADUMP_SQUASH_IMG
+
# updating fadump initrd
ddebug "updating fadump initrd: $target_initrd_tmp $TARGET_INITRD"
mv $target_initrd_tmp $TARGET_INITRD
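Review bot: _dracut_isolate_args is built as one string and expanded unquoted, so if $DEFAULT_INITRD_BAK is still empty (it is initialised to "" at the top of the file) "--rebuild" takes "--add" as its argument, and any path containing whitespace is split. Check that $DEFAULT_INITRD_BAK is set and exists before this block and pass the options as separately quoted words. On failure only a warning is logged and $target_initrd_tmp is still moved to $TARGET_INITRD; a comment stating that continuing with the non-isolated image is intended would help the next reader.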
@@ -612,7 +621,7 @@ check_rebuild()
#in case of fadump mode, check whether the default/target
#initrd is already built with dump capture capability
if [ "$DEFAULT_DUMP_MODE" == "fadump" ]; then
- capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep ^kdumpbase$ | wc -l)
+ capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep -e ^kdumpbase$ -e ^zz-fadumpinit$ | wc -l)
fi
fi
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 11c64cb..a7cbf93 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -55,6 +55,9 @@ Source107: dracut-kdump-emergency.target
Source108: dracut-early-kdump.sh
Source109: dracut-early-kdump-module-setup.sh
+Source200: dracut-fadump-init-fadump.sh
+Source201: dracut-fadump-module-setup.sh
+
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -212,6 +215,7 @@ install -m 644 makedumpfile-%{mkdf_ver}/eppic_scripts/* $RPM_BUILD_ROOT/usr/shar
%define remove_dracut_prefix() %(echo -n %1|sed 's/.*dracut-//g')
%define remove_dracut_early_kdump_prefix() %(echo -n %1|sed 's/.*dracut-early-kdump-//g')
+%define remove_dracut_fadump_prefix() %(echo -n %1|sed 's/.*dracut-fadump-//g')
# deal with dracut modules
mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase
@@ -230,6 +234,13 @@ cp %{SOURCE108} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlyk
cp %{SOURCE109} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_prefix %{SOURCE108}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
+%ifarch ppc64 ppc64le
+mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit
+cp %{SOURCE200} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE200}}
+cp %{SOURCE201} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE201}}
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE200}}
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE201}}
+%endif
%define dracutlibdir %{_prefix}/lib/dracut
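Review bot: the %ifarch block installs 99zz-fadumpinit only on ppc64/ppc64le, while Source200/Source201 are declared unconditionally and the patch carries no %files change (the spec diffstat is fully accounted for by the three hunks shown). If %files lists the dracut module directories individually, the new directory is unpackaged on ppc64le and the build fails; please confirm it is covered by an existing glob or add the entry under the same %ifarch.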
2 years
[PATCH] kdump-lib.sh: fix the case if no enough total RAM for kdump in get_recommend_size()
by Pingfan Liu
For crashkernel=auto policy, if total RAM size is under a throttle,
there is no memory reserved for kdump.
Also correct a trivial bug by correcting the arch name.
Signed-off-by: Pingfan Liu <piliu(a)redhat.com>
---
kdump-lib.sh | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/kdump-lib.sh b/kdump-lib.sh
index 74072c5..ecf909e 100755
--- a/kdump-lib.sh
+++ b/kdump-lib.sh
@@ -913,6 +913,11 @@ get_recommend_size()
last_sz=""
last_unit=""
+ start=${_ck_cmdline: :1}
+ if [ $mem_size -lt $start ]; then
+ echo "0M"
+ return
+ fi
IFS=','
for i in $_ck_cmdline; do
end=$(echo $i | awk -F "-" '{ print $2 }' | awk -F ":" '{ print $1 }')
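Review bot: start=${_ck_cmdline: :1} takes only the first character of the policy string, so it is "1" for "1G-4G:..." and "2" for "2G-:448M", and would be wrong for any lower bound with more than one digit or a unit other than G. It is then compared with $mem_size, whose unit is not visible in this hunk. Parse the lower bound of the first range the same way the loop parses "end" (awk -F "-"), convert it to the unit of mem_size, and quote both operands of -lt. The ${var: :1} form is also a bashism in a file named .sh; a comment or a POSIX alternative would avoid surprises.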
@@ -940,9 +945,9 @@ kdump_get_arch_recommend_size()
fi
arch=$(lscpu | grep Architecture | awk -F ":" '{ print $2 }' | tr [:lower:] [:upper:])
- if [ $arch == "X86_64" ] || [ $arch == "S390" ]; then
+ if [ $arch == "X86_64" ] || [ $arch == "S390X" ]; then
ck_cmdline="1G-4G:160M,4G-64G:192M,64G-1T:256M,1T-:512M"
- elif [ $arch == "ARM64" ]; then
+ elif [ $arch == "AARCH64" ]; then
ck_cmdline="2G-:448M"
elif [ $arch == "PPC64LE" ]; then
if is_fadump_capable; then
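Review bot: the corrected names S390X and AARCH64 are what the upper-cased lscpu field yields, but the tests [ $arch == ... ] only work because $arch is unquoted and word splitting strips the blanks left by awk -F ":"; the lookup also depends on lscpu printing the English label "Architecture". Taking the value from uname -m and quoting it removes both dependencies. If the chain has no final else that logs an unrecognised architecture, adding one would have exposed the original misnaming instead of silently returning no recommendation.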
--
2.29.2
2 years
[PATCH] fadump: isolate fadump initramfs image within the default one
by Hari Bathini
In case of fadump, the initramfs image has to be built to boot into
the production environment as well as to offload the active crash dump
to the specified dump target (for boot after crash). As the same image
would be used for both boot scenarios, it could not be built optimally
while accommodating both cases.
Since dracut commit 8f7c332e488f ("refactor(squash): structure in a
cleaner way"), the squash'ed image is a complete environment that can
be activated for a given boot scenario. Use --include to include the
squash'ed initramfs image built to offload active crash dump to the
specified dump target.
Also, introduce a new out-of-tree dracut module (99zz-fadumpinit) that
installs a customized init program while moving the default /init to
/init.dracut.
Thus, the customized init program is leveraged to isolate fadump image
within the default initramfs image by kicking off default boot process
(exec /init.dracut) for regular boot scenario and activating squash'ed
image only when an active crash dump is to be available for capturing.
Signed-off-by: Hari Bathini <hbathini(a)linux.ibm.com>
---
dracut-fadump-init-fadump.sh | 40 ++++++++++++++++++++++++++++++++++++++++
dracut-fadump-module-setup.sh | 22 ++++++++++++++++++++++
dracut-module-setup.sh | 2 +-
kdumpctl | 11 ++++++++++-
kexec-tools.spec | 8 ++++++++
5 files changed, 81 insertions(+), 2 deletions(-)
create mode 100644 dracut-fadump-init-fadump.sh
create mode 100644 dracut-fadump-module-setup.sh
diff --git a/dracut-fadump-init-fadump.sh b/dracut-fadump-init-fadump.sh
new file mode 100644
index 0000000..d96a086
--- /dev/null
+++ b/dracut-fadump-init-fadump.sh
@@ -0,0 +1,40 @@
+#!/usr/bin/sh
+PATH=/bin:/sbin
+
+[ -e /proc/self/mounts ] \
+ || (mkdir -p /proc && mount -t proc -o nosuid,noexec,nodev proc /proc)
+
+grep -q '^sysfs /sys sysfs' /proc/self/mounts \
+ || (mkdir -p /sys && mount -t sysfs -o nosuid,noexec,nodev sysfs /sys)
+
+grep -q '^devtmpfs /dev devtmpfs' /proc/self/mounts \
+ || (mkdir -p /dev && mount -t devtmpfs -o mode=755,noexec,nosuid,strictatime devtmpfs /dev)
+
+grep -q '^tmpfs /run tmpfs' /proc/self/mounts \
+ || (mkdir -p /run && mount -t tmpfs -o mode=755,noexec,nosuid,strictatime tmpfs /run)
+
+if [ ! -f /proc/device-tree/rtas/ibm,kernel-dump ] && [ ! -f /proc/device-tree/ibm,opal/dump/mpipl-boot ]; then
+ exec /init.dracut
+ exit
+fi
+
+# Load required modules
+modprobe loop
+modprobe squashfs
+modprobe overlay
+
+# Mount the squash image
+mkdir -p /squash
+mount -t ramfs ramfs /squash
+mkdir -p /squash/root /squash/overlay/upper /squash/overlay/work
+mount -t squashfs -o ro,loop /fadump-squash.img /squash/root
+
+# Setup new root overlay
+mkdir -p /newroot
+mount -t overlay overlay -o lowerdir=/squash/root,upperdir=/squash/overlay/upper,workdir=/squash/overlay/work/ /newroot/
+
+# Move all mount points to new root to prepare chroot
+mount --move /squash /newroot/squash
+
+# Jump to new root and clean setup files
+SYSTEMD_IN_INITRD=lenient exec switch_root /newroot /init
diff --git a/dracut-fadump-module-setup.sh b/dracut-fadump-module-setup.sh
new file mode 100644
index 0000000..af621aa
--- /dev/null
+++ b/dracut-fadump-module-setup.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/bash
+
+# called by dracut
+check() {
+ return 255
+}
+
+# called by dracut
+depends() {
+ return 0
+}
+
+# called by dracut
+install() {
+ mv -f "$initdir/init" "$initdir/init.dracut"
+ inst_simple "$moddir/init-fadump.sh" /init
+ chmod 0755 "$initdir/init"
+
+ # Install required modules and binaries for the init script (init-fadump.sh)
+ inst_multiple sh mount modprobe mkdir switch_root grep
+ hostonly="" instmods "loop" "squashfs" "overlay"
+}
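Review bot: the instmods line (hostonly="" instmods "loop" "squashfs" "overlay") sits in install(), but dracut has a separate installkernel() hook for kernel modules. Move that line into an installkernel() function so it follows dracut's kernel-module handling, and keep only the /init swap and inst_multiple in install(). The mv of "$initdir/init" is also unchecked here; fail the module if it does not succeed.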
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index a99a0ea..ab48e79 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -37,7 +37,7 @@ depends() {
done
}
- if is_squash_available && ! is_fadump_capable; then
+ if is_squash_available; then
add_opt_module squash
else
dwarning "Required modules to build a squashed kdump image is missing!"
diff --git a/kdumpctl b/kdumpctl
index 978dae5..e3780a7 100755
--- a/kdumpctl
+++ b/kdumpctl
@@ -18,6 +18,7 @@ DEFAULT_INITRD_BAK=""
KDUMP_INITRD=""
TARGET_INITRD=""
FADUMP_REGISTER_SYS_NODE="/sys/kernel/fadump_registered"
+FADUMP_SQUASH_IMG=fadump-squash.img
#kdump shall be the default dump mode
DEFAULT_DUMP_MODE="kdump"
image_time=0
@@ -119,6 +120,14 @@ rebuild_fadump_initrd()
fi
rm -f /tmp/fadump.initramfs
+ lsinitrd $target_initrd_tmp squash-root.img > /tmp/$FADUMP_SQUASH_IMG
+ if [ ! -s /tmp/$FADUMP_SQUASH_IMG ] \
+ || [ $(dracut -f --rebuild $DEFAULT_INITRD_BAK --add "zz-fadumpinit" \
+ -i /tmp/$FADUMP_SQUASH_IMG /$FADUMP_SQUASH_IMG $target_initrd_tmp) -ne 0 ]; then
+ dwarn "WARNING: Could not isolate the dump capture initramfs image."
+ fi
+ rm -f /tmp/$FADUMP_SQUASH_IMG
+
# updating fadump initrd
ddebug "updating fadump initrd: $target_initrd_tmp $TARGET_INITRD"
mv $target_initrd_tmp $TARGET_INITRD
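Review bot: the second test, [ $(dracut -f --rebuild ...) -ne 0 ], compares whatever dracut prints on stdout with 0, not its exit status. When dracut prints nothing the expression becomes "[ -ne 0 ]", which is a test error rather than true, so a failed dracut run never triggers the warning. Use the exit status directly: || ! dracut -f --rebuild ... ; then. The fixed name /tmp/$FADUMP_SQUASH_IMG is also predictable in a world-writable directory; a mktemp -d directory would be safer for a file that ends up inside the initramfs.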
@@ -612,7 +621,7 @@ check_rebuild()
#in case of fadump mode, check whether the default/target
#initrd is already built with dump capture capability
if [ "$DEFAULT_DUMP_MODE" == "fadump" ]; then
- capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep ^kdumpbase$ | wc -l)
+ capture_capable_initrd=$(lsinitrd -f $DRACUT_MODULES_FILE $TARGET_INITRD | grep -e ^kdumpbase$ -e ^zz-fadumpinit$ | wc -l)
fi
fi
diff --git a/kexec-tools.spec b/kexec-tools.spec
index 11c64cb..e8272ca 100644
--- a/kexec-tools.spec
+++ b/kexec-tools.spec
@@ -55,6 +55,9 @@ Source107: dracut-kdump-emergency.target
Source108: dracut-early-kdump.sh
Source109: dracut-early-kdump-module-setup.sh
+Source200: dracut-fadump-init-fadump.sh
+Source201: dracut-fadump-module-setup.sh
+
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
@@ -212,6 +215,7 @@ install -m 644 makedumpfile-%{mkdf_ver}/eppic_scripts/* $RPM_BUILD_ROOT/usr/shar
%define remove_dracut_prefix() %(echo -n %1|sed 's/.*dracut-//g')
%define remove_dracut_early_kdump_prefix() %(echo -n %1|sed 's/.*dracut-early-kdump-//g')
+%define remove_dracut_fadump_prefix() %(echo -n %1|sed 's/.*dracut-fadump-//g')
# deal with dracut modules
mkdir -p -m755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99kdumpbase
@@ -230,6 +234,10 @@ cp %{SOURCE108} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlyk
cp %{SOURCE109} $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_prefix %{SOURCE108}}
chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99earlykdump/%{remove_dracut_early_kdump_prefix %{SOURCE109}}
+%ifarch ppc64 ppc64le
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE200}}
+chmod 755 $RPM_BUILD_ROOT/etc/kdump-adv-conf/kdump_dracut_modules/99zz-fadumpinit/%{remove_dracut_fadump_prefix %{SOURCE201}}
+%endif
%define dracutlibdir %{_prefix}/lib/dracut
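Review bot: the two chmod lines under %ifarch ppc64 ppc64le act on files in kdump_dracut_modules/99zz-fadumpinit, but no visible hunk of this spec adds a `mkdir -p` for that directory or a `cp %{SOURCE200}` / `cp %{SOURCE201}` into it, unlike the 99earlykdump lines just above. If those steps are not elsewhere in the patch, the chmod fails on ppc64 builds; add the mkdir and cp lines inside the same %ifarch block.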
2 years
[PATCH 0/3] Fix get_maj_min_cache_file error
by Kairui Song
Dracut upstream made some changes that break kdump; just fix it by
moving some dracut functions into kexec-tools.
Kairui Song (3):
Change all get_maj_min call to kdump_get_maj_min
kdump-lib.sh: simplify kdump_get_persistent_dev
kdump-lib.sh: make kdump_get_persistent_dev no longer depend on dracut
kdump-lib.sh | 41 +++++++++++++++++++++++++++++++----------
kdumpctl | 2 +-
mkdumprd | 4 ++--
3 files changed, 34 insertions(+), 13 deletions(-)
--
2.31.1
2 years
[PATCH v2 0/3] Several improvements on selftest
by Coiby Xu
v1 -> v2:
1. selftest: kill VM reliably
- use $_jobs instead of `echo $_jobs` to iterate jobs
- fix format issue
2. selftest: Make test_base_image depends on EXTRA_RPMS (new)
Coiby Xu (3):
selftest: fix the error of misplacing double quotes
selftest: kill VM reliably
selftest: Make test_base_image depends on EXTRA_RPMS
tests/Makefile | 2 +-
tests/scripts/run-test.sh | 14 ++++++++++----
tests/scripts/test-lib.sh | 3 +--
tests/scripts/testcases/nfs-kdump/0-server.sh | 2 +-
4 files changed, 13 insertions(+), 8 deletions(-)
--
2.31.1
2 years
[PATCH 1/2] selftest: fix the error of misplacing double quotes
by Coiby Xu
Signed-off-by: Coiby Xu <coxu(a)redhat.com>
---
tests/scripts/testcases/nfs-kdump/0-server.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/scripts/testcases/nfs-kdump/0-server.sh b/tests/scripts/testcases/nfs-kdump/0-server.sh
index 41a0212..cf54e70 100755
--- a/tests/scripts/testcases/nfs-kdump/0-server.sh
+++ b/tests/scripts/testcases/nfs-kdump/0-server.sh
@@ -17,7 +17,7 @@ on_build() {
img_run_cmd "systemctl enable dnsmasq"
img_run_cmd 'echo DEVICE="eth0" > /etc/sysconfig/network-scripts/ifcfg-eth0'
- img_run_cmd 'echo BOOTPROTO="none >> /etc/sysconfig/network-scripts/ifcfg-eth0"'
+ img_run_cmd 'echo BOOTPROTO="none" >> /etc/sysconfig/network-scripts/ifcfg-eth0'
img_run_cmd 'echo ONBOOT="yes" >> /etc/sysconfig/network-scripts/ifcfg-eth0'
img_run_cmd 'echo PREFIX="24" >> /etc/sysconfig/network-scripts/ifcfg-eth0'
img_run_cmd 'echo IPADDR="192.168.77.1" >> /etc/sysconfig/network-scripts/ifcfg-eth0'
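Review bot: the commit message has no body, and the BOOTPROTO line deserves one sentence of explanation. With the old quoting the `>> /etc/sysconfig/network-scripts/ifcfg-eth0` redirection sat inside the double-quoted string, so it was echoed as text and BOOTPROTO was never appended to ifcfg-eth0. Stating that effect in the message tells reviewers what the test server was missing before the fix.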
--
2.31.1
2 years
[PATCH v4 0/4] Add a kdump memory usage estimate helper
by Kairui Song
Patch 1, 2 add a helper to detect and list crypt devices.
Patch 3 simplifies some existing code with the helper.
Patch 4 adds kdumpctl estimate command and updates man page.
The following content is copied from Patch 4:
Add rough estimation support. Currently, the following memory usages are
checked by this subcommand:
- System RAM
- Kdump Initramfs size
- Kdump Kernel image size
- Kdump Kernel module size
- Kdump userspace user and other runtime allocated memory (currently
simply using a fixed value: 64M)
- LUKS encryption memory usage
The output of kdumpctl estimate looks like this:
# kdumpctl estimate
Reserved crashkernel: 256M
Recommanded crashkernel: 160M
Kernel image size: 47M
Kernel modules size: 12M
Initramfs size: 19M
Runtime reservation: 64M
Large modules:
xfs: 1892352
nouveau: 2318336
And if the kdump target is encrypted:
# kdumpctl estimate
Encrypted kdump target requires extra memory, assuming using the keyslot with minimun memory requirement
Reserved crashkernel: 256M
Recommanded crashkernel: 655M
Kernel image size: 47M
Kernel modules size: 12M
Initramfs size: 19M
Runtime reservation: 64M
LUKS required size: 512M
Large modules:
xfs: 1892352
nouveau: 2318336
WARNING: Current crashkernel size is lower than recommanded size 655M.
The "Recommanded" value is calculated based on the memory usages mentioned
above, and will be adjusted accordingly to be no less than the value provided
by kdump_get_arch_recommend_size.
--
Update from v3:
- Simplify the code, and rebase.
- Also simplify the output to make it easier to understand.
Update from v2:
- If binutils or kernel decompression tools are not installed, will
get kernel size from iomem.
- Add support for detecting LUKS memory requirement.
Update from v1:
- Fix typos
- Remove "Baseline crashkernel:" from output
Kairui Song (4):
kdump-lib.sh: introduce a helper to get underlying crypt device
kdump-lib.sh: introduce a helper to get all crypt dev used by kdump
mkdumprd: make use of the new get_luks_crypt_dev helper
kdumpctl: Add kdumpctl estimate
kdump-lib.sh | 109 +++++++++++++++++++++++++++++++++++++++++++++++++++
kdumpctl | 96 ++++++++++++++++++++++++++++++++++++++++++++-
kdumpctl.8 | 7 ++++
mkdumprd | 32 +++------------
4 files changed, 217 insertions(+), 27 deletions(-)
--
2.31.1
2 years
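An added example, not part of the patch series: a shell check that parses output in the format shown in the cover letter above, sums the listed components and flags a reservation below the recommendation, which is the case an encrypted dump target can trigger. The function names check_estimate, sample_plain and sample_luks are hypothetical; the labels and numbers come from the cover letter, with the first sample trimmed.

```shell
# Parse `kdumpctl estimate` output on stdin; print "reserved recommended sum verdict" (in M).
check_estimate() {
    awk -F': *' '
        function mib(v) { sub(/M[ \t]*$/, "", v); return v + 0 }
        { sub(/^[ \t]+/, "", $1) }          # tolerate indented labels
        $1 == "Reserved crashkernel"    { reserved = mib($2) }
        # "Recommanded" is the label spelling shown in the cover letter.
        $1 == "Recommanded crashkernel" { recommended = mib($2) }
        # Only these labels are summed; "Large modules" entries are bytes.
        $1 == "Kernel image size"   ||
        $1 == "Kernel modules size" ||
        $1 == "Initramfs size"      ||
        $1 == "Runtime reservation" ||
        $1 == "LUKS required size"      { sum += mib($2) }
        END {
            if (!reserved || !recommended) { print "unparsed"; exit 2 }
            verdict = (reserved >= recommended) ? "OK" : "UNDERSIZED"
            printf "%d %d %d %s\n", reserved, recommended, sum, verdict
        }'
}

# Sample outputs copied from the cover letter (first one trimmed).
sample_plain() {
    cat <<'EOF'
Reserved crashkernel: 256M
Recommanded crashkernel: 160M
Kernel image size: 47M
Kernel modules size: 12M
Initramfs size: 19M
Runtime reservation: 64M
EOF
}

sample_luks() {
    cat <<'EOF'
Encrypted kdump target requires extra memory, assuming using the keyslot with minimun memory requirement
Reserved crashkernel: 256M
Recommanded crashkernel: 655M
Kernel image size: 47M
Kernel modules size: 12M
Initramfs size: 19M
Runtime reservation: 64M
LUKS required size: 512M
Large modules:
xfs: 1892352
nouveau: 2318336
EOF
}
sample_plain | check_estimate; sample_luks | check_estimate
```

In the first sample the component sum (142) is below the recommendation (160), consistent with the cover letter's statement that the value is raised to at least what kdump_get_arch_recommend_size provides.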