On Mon, 2023-01-02 at 15:42 +0100, Gerd Hoffmann wrote:
> On Thu, Dec 22, 2022 at 04:53:47PM +0100, Jiri Konecny wrote:
> > Hi all,
> > 
> > > == Benefit to Fedora ==
> > > * Better secure boot support (specifically the initrd is covered by
> > > the signature).
> > > * Better confidential computing support (measurements are much more
> > > useful if we know what hashes to expect for the initrd).
> > > * More robust boot process (generating the initrd on the installed
> > > system is fragile, root cause for kernel bugs reported is simply a
> > > broken initrd sometimes).
> > Just want to add Anaconda installation environment is also fighting
> > with the second point.
> 
> Third point I assume, i.e. initrd generation problems being reported as
> anaconda bugs?
>
> While being at it: anaconda seems to explicitly call dracut to generate
> the initrd (according to the messages it prints).  What is the reason
> for this?  Shouldn't this already happen as part of the rpm transaction,
> when the kernel install scripts are running?
IIRC the main reason is the essentially random package installation
order during the RPM transaction.

Unlike on a normal system, during installation the RPM transaction
basically puts files into an empty folder, so if the kernel RPM script
that triggers dracut runs too early, some of the things it tries to
grab from the system might not yet be there & will be missing from the
initrd. On an already installed system, there would already be
something in place, while possibly a bit outdated, that dracut could
harvest and put into the initrd.

One concrete issue this caused was that users would use specific
characters in their LUKS password, Anaconda would make sure the given
package containing the layout is installed, but it would come after the
kernel package in the transaction & the layout would be missing from
the initrd. As a result, the user would not be able to type their
password.

In any case, this situation is sub-optimal, as we currently run dracut
at least twice - once via the kernel RPM script trigger and then again
when Anaconda triggers it. We really need to finally reach out to the
kernel package maintainers and devise some mechanism that tells the
kernel package to skip the dracut run during the installation.



> 
> > Thanks to the PXE boot it's maybe even more fragile
> > environment.
> 
> Yep.  I'd highly recommend to use uefi http boot whenever possible.
> 
> Note that uefi http boot can also work with iso images, i.e. you can
> have the dhcp server hand out URLs to the fedora netboot iso.  The
> firmware will fetch the iso, create a ramdisk, add an acpi table for
> it so the OS finds it too, then go boot as it would be a physical
> cdrom all the way up to anaconda.
> 
> BTW: Having some way other than the kernel command line to pass config
> options to anaconda would make this much more useful.
> 
> take care,
>   Gerd
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
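
A check for the failure described in the message above (a keyboard layout missing from the initrd because dracut ran too early), as an added example that is not part of the original thread and is not Anaconda or dracut code: it compares the KEYMAP from vconsole.conf text with the file paths in a listing of the kind `lsinitrd` prints. The sample config, both listings, the helper names and the `keymaps/` directory layout are constructed assumptions.

```python
import re
import shlex

# Constructed sample: the installed system's /etc/vconsole.conf.
VCONSOLE_CONF = 'KEYMAP="cz-qwerty"\nFONT="eurlatgr"\n'

# Constructed samples: ls -l style listings of an initrd's contents.
# EARLY = initrd built before the layout package landed, LATE = after.
INITRD_EARLY = """\
-rwxr-xr-x   1 root     root        15632 Jan  2 2023 usr/bin/loadkeys
-rw-r--r--   1 root     root         4210 Jan  2 2023 usr/lib/kbd/keymaps/xkb/us.map.gz
"""
INITRD_LATE = INITRD_EARLY + """\
-rw-r--r--   1 root     root         5120 Jan  2 2023 usr/lib/kbd/keymaps/xkb/cz-qwerty.map.gz
"""

def configured_keymap(conf_text):
    """Return the KEYMAP value from vconsole.conf text, or None if unset."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "KEYMAP":
            parts = shlex.split(value)  # strips optional shell quoting
            return parts[0] if parts else None
    return None

def keymaps_in_listing(listing):
    """Collect keymap names (file name without .map[.gz]) from a listing."""
    found = set()
    for line in listing.splitlines():
        fields = line.split()
        if not fields:
            continue
        # For symlink lines ("path -> target") take the path, not the target.
        path = fields[fields.index("->") - 1] if "->" in fields else fields[-1]
        m = re.search(r"(?:^|/)keymaps/(?:.*/)?([^/]+?)\.map(?:\.gz)?$", path)
        if m:
            found.add(m.group(1))
    return found

def missing_keymap(conf_text, listing):
    """Return the configured keymap if the listing lacks it, else None."""
    wanted = configured_keymap(conf_text)
    if wanted is None or wanted in keymaps_in_listing(listing):
        return None
    return wanted
```

A non-None result from `missing_keymap` means the initrd would prompt for the LUKS passphrase without the layout the user chose.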