tokiclover / mkinitramfs-ll
Lightweight, modular and powerful initramfs generating tool
License: Other
hi,
/bin/sh doesn't like the new syntax in functions; only bash can interpret
```
function arg()
{
}
```
sh only accepts
```
arg(){
}
```
hi,
if a hibernate file isn't found the script dies with `die "failed to resume from hibernation"`; it should instead just carry on booting.
I changed that and also found that the major:minor of the resume device must be echoed into /sys/power/resume for it to work.
I had commented out some lines of the file gnupg.bash.
hi,
i always get a
install: cannot stat xcpio: no such file
when emerging the 9999 ebuild, any hints?
Hello,
is there a way to let the initramfs init know that I want to use /usr/bin/systemd as init instead of /sbin/init?
Would it be possible to implement some cli switch to choose between systemd or classic init?
Thank you for your wonderful work
S
hi,
on line 386 in init
_i="$(cat /sys/power/tuxonice/image_exists | head -n 1)"
should read
_img="$(cat /sys/power/tuxonice/image_exists | head -n 1)"
also the logic up to line 392 is a bit wrong? 1 indicates an image present and i can't see what is actually tested there
I have an encrypted root set up on /dev/sda2. To access the encrypted partition I use a key, which is a regular file called key on the root of a usb drive with the label KEY.
I've read the manual and this is what I came up with for the kernel arguments:
luks=reg:LABEL=KEY:/key root=root-sda2
When I boot (and the usb drive isn't connected) I am prompted to plug in the drive with LABEL=KEY, so far so good. However, when I plug it in, I am prompted for a passphrase for /dev/sda2. I am forced to press enter until I am dropped in a rescue shell where I can manually mount the thumb drive, use cryptsetup to open the root device with the key and mount it under /newroot. Then pressing ctrl-D and the booting continues as expected.
Not sure if I'm doing something wrong here, but it looks like a bug to me.
I include i915 in my initramfs. However - although the building process correctly evaluates the dependencies and pulls in intel_gtt (and drm etc. if they are modular as well), I get several undefined symbol errors during the modprobe step of the initramfs.
I found (https://e2e.ti.com/support/embedded/linux/f/354/t/593147) that the "Simplified modutils - Build smaller (~1.5 kbytes), simplified module tools." option of busybox may cause errors like these. The menuconfig's help text indicates it should work nevertheless, but be slower. It does not here, however.
Gentoo's default busybox config sets
CONFIG_MODPROBE_SMALL=y
If I configure busybox to not build small modprobe, the undefined symbol errors are gone and everything works as expected. An existing /etc/portage/savedconfig/sys-apps/busybox-* may also affect this (e.g. it could work if this is configured locally/at your test setup)
Here is a patch that unconditionally disables this feature:
--- /usr/share/mkinitramfs-ll/scripts/busybox.sh.org 2018-02-16 23:19:35.321250918 +0100
+++ /usr/share/mkinitramfs-ll/scripts/busybox.sh 2018-02-16 23:20:54.626462712 +0100
@@ -59,7 +59,9 @@
cd ${PORTDIR:-/usr/portage}/sys-apps/busybox
mkdir -p "${usrdir}"/bin
USE=static ebuild ${pkg}.ebuild clean || die "clean failed"
-USE=static ebuild ${pkg}.ebuild unpack || die "unpack failed"
+USE=static ebuild ${pkg}.ebuild configure || die "configure failed"
+# Small modprobe is not able to properly resolve dependencies, though it should
+sed -i "s/CONFIG_MODPROBE_SMALL=y/# CONFIG_MODPROBE_SMALL is not set/" "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/.config
USE=static ebuild ${pkg}.ebuild compile || die "compile failed"
cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/busybox \
"${usrdir}"/bin/ || die
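Review bot: the `sed -i` that flips CONFIG_MODPROBE_SMALL never checks that it matched anything, so if the pattern is absent (a different default config, a savedconfig that already changed the line, or a work path that does not resolve) the build silently continues with the small modprobe and the very boot failure this patch targets comes back. Follow the sed with a check in the same `|| die` style the surrounding lines use, e.g. `grep -q '^# CONFIG_MODPROBE_SMALL is not set' "$cfg" || die "could not disable CONFIG_MODPROBE_SMALL"`, and since the `.../work/${pkg}` path is now spelled out twice (here and in the `cp` below), factor it into one variable so the two cannot drift apart.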
btw: The unpack step is unnecessary anyway.
```
iraid=mdN+UUID=X
```
results in
```
ARRAY /dev/mdN+UUID=X UUID=X
```
output:
```
mdadm: /dev/mdN+UUID=X is an invalid name for an md device - ignored.
mdadm: /dev/mdN+UUID=X is an invalid name for an md device. Try /dev/md/mdN+UUID=X
```
Feature request: support for whole disk systems.
mkinitramfs-ll does not support the case where a LUKS-encrypted whole disk has a detached header.
I suspect some other whole disk systems (RAID on w.d.s., FS on w.d.s.) may also have problems.
Proposed solution:
diff -ur mkinitramfs-ll-master.old/usr/lib/mkinitramfs-ll/functions mkinitramfs-ll-master.new/usr/lib/mkinitramfs-ll/functions
--- mkinitramfs-ll-master.old/usr/lib/mkinitramfs-ll/functions 2017-07-02 12:24:08.000000000 +0300
+++ mkinitramfs-ll-master.new/usr/lib/mkinitramfs-ll/functions 2017-08-30 10:49:35.000000000 +0300
@@ -265,6 +265,11 @@
local _asw _blk
BLK() {
_blk=$(blkid | sed -nre "\|${1#*=}|s|(^/dev/.*):.*$|\1|p")
+ if [ -z "$_blk" ]; then
+ if grep -sqw "$1" /proc/partitions; then
+ _blk="/dev/$1"
+ fi
+ fi
}
BLK "$1"
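Review bot: the new fallback in BLK is inconsistent with the blkid branch right above it: that branch strips a `TAG=` prefix with `${1#*=}`, while `grep -sqw "$1" /proc/partitions` searches the raw argument, so a `LABEL=`/`UUID=` spec can never reach the fallback, and a bare name is accepted on the strength of a word match in a text file rather than the device node existing. Test the node directly instead, e.g. `[ -b "/dev/${1#*=}" ] && _blk="/dev/${1#*=}"`, which covers the whole-disk device this request is about and keeps both branches keyed on the same string.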
Hi tokiclover,
first of all thank you for sharing your great script. I've been using version 0.5 for some time and now wanted to upgrade to the ebuild from your overlay. My setup is as follows:
Version 0.5 worked for this setup with the following kernel options:
kernel /boot/kernel-3.0.6-gentoo iroot=vg-root:c:ext4 iswap=swap:vg-swap ilvm=sda2_crypt-sda2,sda2_crypt-sda2 ikmap=de-latin1-nodeadkeys-x86_64.bin:
Back then I built the image as described in the DM-Crypt with LUKS article on the gentoo wiki:
find . | cpio --quiet -o -H newc | gzip -9 >/boot/initramfs-gentoo-crypt
So now after installing your ebuild (init version 0.10.0 2012/07/08 15:59:11) with useflags
bash bzip2 cryptsetup device-mapper e2fs symlink xz
from working directory /usr/local/share/mkinitramfs-ll/ I ran
/usr/local/sbin/mkinitramfs-ll.bash --luks --lvm --keymap
I moved '/usr/local/share/mkinitramfs-ll/usr' for it wouldn't start to build otherwise. The only thing I changed in grub.cfg was removing the colon at the end of the kernel line (I think it had to be added because of a bug in earlier versions). Then I tried to reboot and got a kernel panic.
When I built the image myself from the folder the script created I didn't get a kernel panic but for some reason init didn't run cryptsetup and then of course didn't find my volume group. It dropped me into a shell and I could run cryptsetup manually.
Do you have any idea what I'm doing wrong?
Hello,
I have this setup
/dev/sda1 /boot - unencrypted - latest init version build with your great work
/dev/sda2 LUKS container with malej VG on it which holds root LV
kernel cmd line is
iroot=malej-root:c:ext4 ikmap=cz-i686.bin ikroot=pwd ilvm=malej-sda2
but it failed in runlevel 3d with:
VG "malej" not found
Skipping VG
*insert malej-sda2 removable device
"output of cryptsetup --help"
*Type in valid cyphertext/header eg....
On any error mkinitramfs-ll.sh prints following useless error message:
error: not found
Reason: the error function is not defined. Maybe it should be copied from mkinitramfs-ll.bash?
It's just FYI. I personally don't care about this bug.
I was a user of TrueCrypt myself and liked very much a few abilities of it. When I started using GNU Linux 24/7, not being able to boot from a TC volume disappointed me. Now I like pretty much the abilities of DM-Crypt LUKS. But hidden volumes, so hidden header, make sense.
So is anyone on it?
Implementation should be easy anyway?
I have a initramfs build with
mkinitramfs -Hbtrfs --all --usrdir=/usr/share/mkinitramfs-ll/usr/ --keymap=de -k4.0.5-gentoo
and the kernel is compiled with the initramfs embedded and called via EFI boot
efibootmgr -c -L Gentoo-4.0.5-2 -l vmlinuz-4.0.5-gentoo root=LABEL=croot rootfs=:Yes btrfs=root-sda5 luks=pwd
But it asks for the plain boot partition "init: Type in valid block device" (seemingly ignoring the luks=pwd) and bails into the rescue shell when I enter e.g. sda5.
I can then use cryptsetup open /dev/sda5 root and mount the underlying btrfs filesystem to /newroot, and then it boots after an exit command. So all works, but the script just does not handle the luks/btrfs combination correctly I think.
This is the /run/init.log by the way:
0: umask 0077
0: mkdir -p dev/pts proc run sys /newroot /mnt/tok
0: mount -t proc proc /proc
0: mount -t sysfs sysfs /sys
0: mount -t devtmpfs devtmpfs /dev
0: /sbin/mdev -s
0: mount -t tmpfs -o mode=755,size=1% tmpfs /run
0: MODPROBE kms
0: ln -fns /proc/self/fd /dev/fd
0: ln -fns fd/2 /dev/stderr
0: ln -fns fd/0 /dev/stdin
0: ln -fns fd/1 /dev/stdout
[1]: test -f /etc/issue
0: test -n /dev/mapper/enc_root
0: blk /dev/mapper/enc_root DEV
0: get_dev /dev/mapper/enc_root ROOT 1
[255]: mount -o ro /dev/sda5 /newroot
There is no dev/mapper/enc_root created of course. I checked this.
Hi tokiclover,
I just upgraded from version 0.10.0 to 0.10.9. My setup is still the same one that I described in issue #6.
My kernel options are still:
kernel /boot/kernel-3.0.6-gentoo iroot=vg-root:c:ext4 iswap=swap:vg-swap ilvm=sda2_crypt-sda2,sda2_crypt-sda2 ikmap=de-latin1-nodeadkeys-x86_64.bin
I'm being dropped into a shell after this:
Switching to init shell run level: 2s
*[1]: ikswap = :: device field empty
If ikswap is required now, I don't know what to assign to it.
`source` is a bash built-in.
/usr/local/sbin/mkinitramfs: 174: /usr/local/sbin/mkinitramfs: source: not found
/usr/local/sbin/mkinitramfs: 54: /usr/local/sbin/mkinitramfs: error: not found
On a host without /dev/mem mkinitramfs fails with the following errors:
/tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX /tmp/000/1
cp: cannot stat '/dev/mem': No such file or directory
/tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX/dev /tmp/.private/root/initramfs-5.1.21-gentoo-myrc02-XXXXXX /tmp/000/1
chmod: invalid mode: '0:9'
Try 'chmod --help' for more information.
ERROR: mkinitramfs-ll.bash:
Hi,
I'm trying to build an initrd with your mkifs script (version 0.3.4_p20110907) cloned from git. The script called with --aufs -g -l arguments ends with ./mkifs:206: closing brace expected.
Am I doing something wrong?
Thank you for help in advance
S
I have lvm on luks with detached header and key on usb stick
/dev/sda - main disk luks
/dev/mapper/container - unlocked luks
/dev/mapper/vol-root - root on btrfs
/dev/sdb1 - usb stick [ header at /hdr and key at /key ]
I also read the man page but I can't understand how to set up the config.
Can you explain please?
hi,
tested latest git and swap on top of luks doesn't work anymore
old command line:
iresume=swap iswap=swap:sda3 ikswap=reg:sda2:/key
fails as ikswap has no dash in it?
with
iresume=swap iswap=swap:sda3 ikswap=reg:test-sda2:/key
i get:
Insert test-sda2 block device and press Enter,
with reg:sda2:/key i get
Insert block device and press Enter
and at last it prompts Type in a valid block device e.g. [sda5 ...
when i remove resume and all swap options from grub it boots (without swap)
any idea?
in init there is a typo in: (diff)
115c115
info "Removable device mounted."; }
/dev/ttyS0 doesn't work. I'm not sure if the init is stuck or what is going on but immediately after "Booting the kernel" I get no output on VGA or the ttyS0.
At line https://github.com/tokiclover/mkinitramfs-ll/blob/master/init#L332 the Out-variable _dev won't work as expected since mdopen declares _dev as local variable and therefore eval at https://github.com/tokiclover/mkinitramfs-ll/blob/master/init#L302 won't propagate into the dorootfs scope
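The scoping problem described in this report, as an added example that is not code from mkinitramfs-ll: `set_out`, `mdopen_broken`, `mdopen_fixed` and the two `dorootfs_*` callers are constructed stand-ins for the init script's functions, showing how a `local` of the same name swallows a value assigned through `eval`, and the pass-the-variable-name pattern that lets the caller receive it.

```shell
#!/bin/sh
# Added example, not from mkinitramfs-ll: an "out-variable" set through eval
# inside a function is lost when that function also declares it local.

# Constructed stand-in for the helper that hands a device path back to its
# caller by assigning to the variable whose name is passed in $1.
set_out() {
    eval "$1=/dev/md0"
}

# Broken pattern: the caller's _dev is shadowed by a local of the same name,
# so the eval assigns to the local copy, which vanishes on return.
mdopen_broken() {
    local _dev
    set_out _dev
    # _dev is /dev/md0 here, but only inside this function
}

# Fixed pattern: take the target variable's name from the caller and pass it
# down; keep only genuinely private state local (and pick a private name
# that a caller is unlikely to use as its target, since eval assigns by name).
mdopen_fixed() {
    local _out="$1"
    set_out "$_out"
}

# The caller's view after each variant; the value is printed so it can be
# captured with $(...).
dorootfs_broken() {
    _dev=""
    mdopen_broken
    printf '%s' "$_dev"
}

dorootfs_fixed() {
    _dev=""
    mdopen_fixed _dev
    printf '%s' "$_dev"
}
```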
hi,
since a long time the current git really just worked for me 👍
well, to be honest i had to add a / in mkinitramfs.bash, see comment for commit 73cf2df
Hello again,
today I tried to update my initramfs so I got a fresh pull of your great scripts...
But it ended in an infinite loop on parsing arguments.
The error is the following (showed up after adding -x to the 1st line of the script):
Hope this helps
S
hi,
-kXXX leads to building initramfs-:XXX, breaking stuff; --kv=XXX works
the find call with `-name xxx.ko -name xxx-*.ko`
must be
find -name xxx.ko -or -name xxx-*.ko
The install works (no errors), but is not functional afterwards:
ERROR: mkinitramfs-ll.bash: no mkinitramfs-ll.conf found
When executed inside /etc, where the conf file resides:
ERROR: mkinitramfs-ll.bash: /usr/share//usr dir not found
/usr/share/mkinitramfs-ll/ has the hooks, scripts etc. installed.
It does work when manually untarred into a directory and ./mkinitramfs-ll.bash is used...
Hi, i have a problem with busybox. I put the output that ends up in a kernel panic.
+ echo [134]: zpool import -R /newroot zfsforninja
+ [ ! 134 ]
+ return 134
+ [ 1=1 ]
+ zfs mount
+ grep -q zfsforninja
+ debug -d zfs mount -v0 -a
+ local _cmd _opt _ret
+ [ 5 -ge 1 ]
+ _opt=-d
+ shift
+ [ 4 -ge 1 ]
+ _cmd=zfs mount -v0 -a
+ break
+ eval zfs mount -v0 -a
+ zfs mount -v0 -a
+ _ret=0
+ echo [0]: zfs mount -v0 -a
+ [ ! 0 ]
+ return 0
+ rm /run/sh.pid
+ echo ROOT=zfsforninja
+ _ret=0
+ echo [0]: dozfs ROOT 1 zfsforninja
+ [ ! 0 ]
+ return 0
+ retval=0
+ exit 0[
>>> Switching to init shell run level 4s
>>> Switching Root
BusyBox v1.27.2 (2017-09-21 16:36:49 -00) multi-call binary.
Usage: switch_root [ -c /dev/console ] NEW_ROOT NEW_INIT [ARGS]
Free initramfs and switch to another root fs:
chroot to NEW_ROOT, delete all in /, move NEW_ROOT to /,
execute NEW_INIT. PID must be 1. NEW_ROOT must be a mountpoint.
-c DEV Reopen stdio to DEV after switch
[ 58.965964] Kernel panic - not syncing: Attemped to kill init exitcode=0x00000100
...
At least for debugging purposes
Hey,
Thank you for this project.
I'm trying to build a Gentoo install at the moment and hoping to use your script for the initramfs. I'm just having a hard time following the documentation and what precisely I need to do to get my setup to work.
I've got LVM on LUKS and using a detached header on a separate device, which is the boot device.
so /dev/sda1 is LUKS encrypted
and header.img is the detached header located on /dev/sdb1
then /dev/mapper/myvol-gentoo is the LVM volume I want to use as root
I'm using just a regular passphrase, no key file. Would you be able to provide an example of what kernel parameters I should be using?
Cheers
CK
Why not just split the /init.sh into helpers?
hi,
i can set the ishrl to whatever i want (e.g. ishrl=2s) but it doesn't drop into a shell
When using SSDs/NVMe drives, --allow-discards can prove useful during the cryptsetup step.
There are security implications, so the man page excerpt is provided here. This should probably also be noted in the man page of mkinitramfs-ll:
--allow-discards
Allow the use of discard (TRIM) requests for device. This option is only relevant
for open action.
WARNING: This command can have a negative security impact because it can make
filesystem-level operations visible on the physical device. For example, information
leaking filesystem type, used space, etc. may be extractable from the physical device
if the discarded blocks can be located later. If in doubt, do not use it.
A kernel version of 3.1 or later is needed. For earlier kernels this option is
ignored.
The user should be able to pass this parameter to cryptsetup.
I solved it by providing an environment variable/cmdline parameter discards=yes|true|whatever in the config file like so (using LVM on LUKS with a password here):
```bash
env=(
${MIR_EXTRA_ENV}
# Disable applets/binaries checking
'CHECK_ENV=false'
'root=vg00-root'
'lvm=vg00-nvme0n1p5'
'rootflags=user_xattr'
'luks=pwd'
'discards=yes'
)
```
and the following patch:
--- /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions.org 2018-01-01 23:25:38.443257852 +0100
+++ /usr/share/mkinitramfs-ll/usr/lib/mkinitramfs-ll/functions 2018-02-09 23:10:11.252510811 +0100
@@ -293,7 +293,7 @@
debug -d losetup "$_ld" "$1"
loopback_dev="$_ld $loopback_dev"
fi
- debug cryptsetup luksOpen "$_ld" "$_fn" && loopback_key="$_fn $loopback_key"
+ debug cryptsetup luksOpen "$_ld" "$_fn" "$(get_discards)" && loopback_key="$_fn $loopback_key"
}
# @FUNCTION: Key[file/mode] handler
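Review bot: quoting `"$(get_discards)"` on the luksOpen line is a bug whenever discards is off: the function then prints nothing and the double quotes turn that into an empty-string argument, so cryptsetup receives a stray positional parameter instead of nothing. Either drop the quotes, as the `_arg=` hunk further down does, or add the flag only when it is set, e.g. `_disc=$(get_discards); debug cryptsetup luksOpen "$_ld" "$_fn" ${_disc:+"$_disc"}`.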
@@ -359,6 +359,11 @@
eval "${_name:-REPLY}='${_typ:+$_typ:}$DEV${_sig:+:$_sig}'"
}
+# @FUNCTION: Determine if discards should be allowed
+get_discards() {
+ yesno ${discards:-no} && echo "--allow-discards"
+}
+
# @FUNCTION: Close dm-crypt mapping
# @ARG: <map>
dmclose() {
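Review bot: `get_discards` expands the unvalidated `discards` variable unquoted into `yesno`, so a value containing whitespace from the cmdline becomes several arguments; write `yesno "${discards:-no}"`. The `# @FUNCTION:` header is also missing the `# @ARG:`-style line that the neighbouring `dmclose` comment has; that is the place to state which variable is consulted, which values `yesno` treats as true, and the kernel 3.1 requirement from the man page excerpt, since the submitter already notes this belongs in the documentation.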
@@ -412,7 +417,7 @@
fi
;;
esac
- _arg="open $_dev $_map ${_header:+--header} $_header"
+ _arg="open $_dev $_map ${_header:+--header} $_header $(get_discards)"
case "$keymode" in
(gpg)
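Review bot: given the man-page warning quoted in this issue, the `_arg=` line should make the choice visible rather than silently appending the flag: the value is already computed here, so log it (e.g. `[ -n "$(get_discards)" ] && info "allowing discards on $_map"`) so that /run/init.log records when TRIM was enabled on the container. As in the first hunk, pushing the option through a word-split string means any future option containing spaces will break; building `_arg` from `set --` positional parameters would avoid that.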
As I don't use the detached header function (nor any other scenario) I cannot say whether this works for all use cases. I am however able to issue "fstrim" after doing the above.
Please adapt to your coding standards.
This could most likely be generalized into allowing arbitrary options to cryptsetup with cryptsetup=--allow-discards:--some-option:--some-other-option but I have no test setup here to develop and test this efficiently, the above is more or less a quick hack on my one and only production system ;-)
I hope you can include this into the master branch!
Thanks a lot in advance!
hi,
somehow the generation is faulty, used with bash
I have been having some trouble getting your helpful script to work properly on my system. First off, I am building an initramfs with gpg, luks and lvm and the keys are on a removable device.
mkifs-ll --gpg --lvm
this command seems to complete successfully. Upon restart of my system the script recognizes the removable device. The script then outputs this:
It then drops into the minimal shell.
I have never set up or opened luks with the detached header option. Is it possible that the script that generates the initramfs is adding in this option?
Or perhaps there is an issue with my configuration? I have been looking through the scripts created for the initramfs and have found nothing that hints of a detached header....
Let me know what information or logs you need to further diagnose, thank you.
Considering switching using your project for my setup. Does mkinitramfs-ll support multiple luks containers? I have two hard drives in my laptop. Also, does it support detached headers for both of them?
To me it looks like it only makes code less readable (and the output of shell tracing) and doesn't provide any value.
Hi again,
I'm procrastinating this for a while (at the moment still using version 0.10.0):
[...]
2 logical volume(s) in volume group "vg" now active
/init: eval: line 1: iswap:vg-swap=: not found
* Switching to init shell runlevel: 3d
* Switching to init shell runlevel: 3f
/init: line 1: -text4: not found
* Switching to init shell runlevel: 3m
EXT4-fs (dm-2): warning: maximal mount count reached, running e2fsck is recommended
EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
[...]
I described my setup in issue #6. I'm not sure if the init script is able to run e2fsck at all. The corresponding entry in /etc/mkinitramfs-ll looks like this:
opts[-bin]+=:cryptsetup:e2fsck:v86d
By default it was:
opts[-bin]+=:cryptsetup:fsck.ext4:fsck.jfs:fsck.reiserfs:fsck.xfs:v86d
I build my initramfs using '/usr/sbin/mkinitramfs-ll.bash --luks --lvm --keymap'. In both cases the wished binaries are put into /sbin and can be executed from the rescue shell but init doesn't run any of them.
In the first case mkinitramfs-ll.bash tells me '* /sbin/e2fsck is not a static binary.' but the config file says it can handle this by copying library dependencies over.
So what can I do to make init run a file system check?
I have had this thought for quite some time now... and cannot help but... keep getting back to it:
The cmdline option will be longer and still keep incompatibilities with what the kernel supports for plaindevice. (Canonical device name is sweet to keep around... and this avoids having a monstrously long cmdline. Just imagine an LVM/ZFS/BTRFS with two encrypted devices... it's already too long to write down the cmdline!)
The short and compact variant was intended to avoid bearing such a useless pain of writing a very long cmdline. Because, after all, there are quite some options I'd rather keep around rather than throwing them away for compatibility reasons... because there are no such compatibility concerns to begin with when using LVM/LUKS/ZFS...
But this does confuse some users, especially new users. And this clean up would only benefit them.
Having a long cmdline is not an issue because a default cmdline can be bundled into the initramfs, and then can be disabled at runtime if necessary. However, it's still painful to write such a long thing to begin with.
So what to do?
hi,
as there is a missing return 0, the doresume() and domount() functions never get called, as they are in a && chain
This is just a hint that specifying a custom keymap on current Gentoo systems will result in broken keyboard maps (which made my system unbootable as I cannot enter the LUKS key).
tl;dr:
emerge ~sys-apps/kbd-2.3.0-r1
to fix it.
Hello again,
After a successful test of your marvelous work I decided to put it on another machine:
When I tried to boot for first time I get this error
/init:line 177: syntax error: bad substitution
first i tried to figure it out myself (trying to find my mistakes) but no luck
system is Gentoo 64 - fresh install and with your latest scripts (cloned around 9:00 GMT)
S.
idebug=x shall enable shell tracing
On Gentoo, the following line in scripts/busybox.sh fails for busybox version with a revision, e.g. the current
sys-apps/busybox-1.31.1-r2:
cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg}/busybox \
because the work directory does not contain revision suffixes.
The following fixes it
cp "${PORTAGE_TMPDIR:-/var/tmp}"/portage/sys-apps/${pkg}/work/${pkg%-r[0-9]*}/busybox \
Hello,
I have two ideas which I think would be worthwhile in some way for enhancing the security of this nice init generator:
would it be possible to implement (on user request when building the initrd image) some hash checking of the boot directory (at least initrd and kernel images).
I imagine it this way: the kernel boots from the initrd, decrypts rootfs and looks for a script to check integrity (e.g. in /etc, which could be in some way customizable by the user - e.g. a custom message to know that the script was run from init) which in turn would check kernel, initrd and possibly the whole /boot (or whatever) against a known set of pre-generated hashes also stored on the encrypted part of the system, and on successful finishing it would hand the system to the system's own init (otherwise it would ask whether to continue booting or not).
The second idea is the one of destroying the key/header when the user types in a predefined password (stored as a hash in the initrd image) - some way to add deniability: "Oops, it's broken - I can't open it for you".
Have a nice day S
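A sketch of the first idea, the post-unlock check of /boot against hashes kept on the encrypted root, as an added example and not code from mkinitramfs-ll: `make_manifest`, `verify_boot` and `demo_boot_check` are constructed here, the boot directory and manifest live in a temp dir so it runs offline, and it goes slightly beyond the request by also flagging files present in the boot directory that the manifest never listed.

```shell
#!/bin/sh
# Added example, not part of mkinitramfs-ll: verify the boot directory against
# a SHA-256 manifest stored on the (now opened) root. Paths below are
# constructed temp dirs; a real hook would point at /boot and at a manifest
# such as /etc/boot.sha256 on the new root. GNU coreutils sha256sum flags are
# used; busybox's -c options differ.

# make_manifest BOOTDIR MANIFEST: record the sum of every regular file.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# verify_boot BOOTDIR MANIFEST (absolute paths). Exit codes:
#   0 every listed file is present with a matching sum and nothing else exists
#   1 a listed file is missing or its sum differs (tampered kernel/initrd)
#   2 sums match but an unlisted file exists (e.g. a kernel that was added)
#   3 manifest unreadable
verify_boot() {
    _boot="$1" _man="$2"
    [ -r "$_man" ] || return 3
    ( cd "$_boot" && sha256sum -c --quiet --strict ) < "$_man" >/dev/null 2>&1 || return 1
    # sha256sum -c only checks what is listed, so compare the file lists too.
    _listed=$(awk '{print $2}' "$_man" | LC_ALL=C sort)
    _found=$(cd "$_boot" && find . -type f | LC_ALL=C sort)
    [ "$_listed" = "$_found" ] || return 2
    return 0
}

# demo_boot_check: a clean check, then with an added file, then with a
# modified kernel image. Prints the three result codes, e.g. "0 2 1".
demo_boot_check() {
    _d=$(mktemp -d) || return 99
    mkdir "$_d/boot"
    # Constructed stand-ins for the kernel and initramfs images.
    printf 'constructed kernel image\n' > "$_d/boot/vmlinuz-5.1.21-gentoo"
    printf 'constructed initramfs\n' > "$_d/boot/initramfs-5.1.21-gentoo"
    make_manifest "$_d/boot" "$_d/boot.sha256"
    _r1=0; verify_boot "$_d/boot" "$_d/boot.sha256" || _r1=$?
    printf 'unexpected extra kernel\n' > "$_d/boot/vmlinuz-rogue"
    _r2=0; verify_boot "$_d/boot" "$_d/boot.sha256" || _r2=$?
    rm "$_d/boot/vmlinuz-rogue"
    printf 'modified kernel image\n' > "$_d/boot/vmlinuz-5.1.21-gentoo"
    _r3=0; verify_boot "$_d/boot" "$_d/boot.sha256" || _r3=$?
    rm -r "$_d"
    printf '%s %s %s' "$_r1" "$_r2" "$_r3"
}
```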
To me it looks like it only clutters the repository and duplicates code.