replacing initramfs-tools with dracut

If we want to implement a live boot option for Whonix we maybe need to change the default tool for generating the initramfs from the current initramfs-tools to dracut. Therefore, also some minor changes to the build scripts are required.

Dracut is mostly used by everything Fedora based (RedHat, CentOS, Qubes) and OpenSuse. Initramfs-tools is used by Debian and derivatives by default.
I couldn’t find any important differences between both, which doesn’t mean they don’t exist. Dracut is also in the Debian repos and seems to be well maintained.

The current patches for live boot are based on the dracut version in testing. Compared to the version from stable/stretch the major difference for us is the lack of overlayfs support which is present in testing. However, live systems are still possible with device mapper which should be the default imho.
For differences between overlayfs and devicemapper see here .
In contrast, initramfs-tools from debian supports overlayfs but not device-mapper. But in principle it should also be possible to have such a live system with initramfs-tools.

I currently don’t expect any major issues from changing initramfs-tools to dracut though including the patches it might be more tricky.
We have several options:

Use the version from stable/stretch and patch it so we can use live systems with device mapper.
Pro: Would have the lowest risk of breaking something.
Con: Somewhat lower functionality/flexibility since no overlayfs.

Wait for the testing package to be backported and then use this + our patches.
Pro: Would have overlayfs support. Low risk of breaking something.
Con: There is a backport from the current version for jessie. Not sure if there will be one for the version we need. Maybe ask the maintainer of the package.

Use the package from testing + add our patches.
Pro: Would have overlayfs support. We don’t have to wait for a backport.
Con: We need to watch out for upstream changes. Need to ensure the right version is used or adapt the patch. Higher risk that something might break.
I’m not sure if it is possible to install a package from testing during an upgrade where the testing package is an exact version and is listed as “Depends” in the control file. This is relevant if we want to go from Whonix 13 to Whonix 14 + dracut.

Maintain our own dracut from testing with patches already included
Pro: Would have overlayfs support. We don’t have to wait for a backport.
We don’t need an extra live patch package.
Con: We probably still need to look out for changes when some package which dracut depends on gets changed. Maybe higher maintenence burden.

Take a look at initramfs-tools again and try to implement our live mode there.
Pro: Fewer changes. Initramfs-tools is debian default.
Con: Only overlayfs support. Probably also some patches required.

The patches deal only with the live system. If something breaks due to a new upstream package then only the live system should break. Normal boot should still work.
At the moment I mostly dealt with option 3 and 1 going to look at 5 again. Dracut itself depends only on a few packages and I don’t know if anything would break if it suddenly would pull in dependencies with a higher version number than currently installed.

Any reasons against moving to dracut? @HulaHoop

Thumbs up to Dracut. Its the modern, standardized successor to intramfs-tools

Alright, please change the Whonix default to dracut by submitting a pull request. @Algernon

In Kernel Hardening - security-misc - #360 by Patrick I was wondering:

Or pass on dracut too and wait until minitrd is available from packages.debian.org?

I wouldn’t hold my breath for minitrd unless the author tells you he’s going to put it in Debian for sure.

Quote:

Oh, and one last question before closing: instead of implementing these features in your own distro’s initrd, may I suggest just using Dracut instead? It’s all already implemented there!

Source:
https://www.freedesktop.org/wiki/Software/systemd/InitrdInterface/

I haven’t found out that dpkg trigger:

activate dracut

exists. We can likely keep:

activate update-initramfs

/etc/dracut.conf.d/10-debian.conf as suggested by @Algernon

do_prelink=no
hostonly=no
add_dracutmodules+=" dmsquash-live pollcdrom crypt crypt-loop "

apt-file list dracut-config-rescue
dracut-config-rescue: /etc/dracut.conf.d/20-rescue.conf

cat /etc/dracut.conf.d/20-rescue.conf
dracut_rescue_image="yes"

apt-file list dracut-config-generic 
dracut-config-generic: /etc/dracut.conf.d/20-generic-image.conf

cat /etc/dracut.conf.d/20-generic-image.conf
hostonly="no"

grml-debootstrap will probably need (calls update-initramfs):

export INITRD='no'

This was sent to me:

hostonly="yes"
kernel_cmdline="rootovl"
filesystems+=overlay

sudo dracut /boot/nonp.img

Here is the boot entry I added to grub.cfg, which is just the regular boot entry with a different initrd.

menuentry 'Debian GNU/Linux Non-Persistent Live Mode' --class debian
--class gnu-linux --class gnu --class os $menuentry_id_option
'gnulinux-simple-845ea599-84cb-40c4-b556-f999fa4d389a' {

load_video

insmod gzio

if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi

insmod part_msdos

insmod ext2

set root='hd0,msdos1'

if [ x$feature_platform_search_hint = xy ]; then

  search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1
--hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1
e04cb268-48ff-46ef-8335-e7a954f6a9bd

else

  search --no-floppy --fs-uuid --set=root
e04cb268-48ff-46ef-8335-e7a954f6a9bd

fi

echo 'Loading Linux 5.10.0-8-amd64 ...'

linux /vmlinuz-5.10.0-8-amd64 root=/dev/mapper/magian--vg-root ro  quiet ro
rd.live.image

echo 'Loading initial ramdisk ...'

initrd /nonp.img #MY NEW IMAGE CREATED WITH sudo dracut /boot/nonp.img
--force

}

Untested.

https://gitlab.com/whonix/grub-live/-/commit/1989d6e12ac4e5eec03ed3b492c4c84fd6695fd9

https://gitlab.com/whonix/grub-live/-/commit/3bded2153eb311ee6f8571bf67483d3514d97ed0

https://gitlab.com/whonix/grub-live/-/commit/cb94f18bd47a56d0427e9ae822f966f32fd55f2e

https://gitlab.com/whonix/kicksecure-meta-packages/-/commit/3b67c5c18981c7a3072ece594f94f98e9537cb1f

Whonix has now dracut support.
grub-live has now dracut support as well.
Available in all Whonix 16 repositories.
To test:

sudo apt install --no-install-recommends dracut

--no-install-recommends is mandatory. Otherwise some package Recommends: exim (or MTA) which results in a dependency mess.

Whonix 16 might come with dracut by default.

tested on whonix kvm (with live mode/read only)= working good.

but in qubes it gonna remove more/important packages:

root@host:~# apt install dracut
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dctrl-tools dkms gettext-base grub-common grub2-common initramfs-tools-core
  klibc-utils libefiboot1 libefivar1 libklibc linux-base os-prober
  python3-distro python3-jinja2 python3-markupsafe python3-msgpack
  python3-pycryptodome python3-zmq qubes-core-agent-thunar
  qubes-input-proxy-sender qubes-kernel-vm-support
  qubes-mgmt-salt-vm-connector qubes-usb-proxy salt-common salt-ssh usbutils
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin
  cryptsetup-initramfs cryptsetup-run dmeventd dmraid dracut-core exim4-base
  exim4-config exim4-daemon-light gsasl-common guile-2.2-libs kbd kpartx
  libaio1 libdevmapper-event1.02.1 libdmraid1.0.0.rc16 libgnutls-dane0
  libgsasl7 liblvm2cmd2.03 libmailutils7 libmariadb3 libntlm0 libunbound8 lvm2
  mailutils mailutils-common mariadb-common mdadm mysql-common pigz pkg-config
  thin-provisioning-tools
Suggested packages:
  dosfstools keyutils dracut-network exim4-doc-html | exim4-doc-info eximon4
  spf-tools-perl swaks dns-root-data mailutils-mh mailutils-doc
The following packages will be REMOVED:
  initramfs-tools qubes-whonix-gateway
  qubes-whonix-shared-packages-recommended
The following NEW packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin
  cryptsetup-initramfs cryptsetup-run dmeventd dmraid dracut dracut-core
  exim4-base exim4-config exim4-daemon-light gsasl-common guile-2.2-libs kbd
  kpartx libaio1 libdevmapper-event1.02.1 libdmraid1.0.0.rc16 libgnutls-dane0
  libgsasl7 liblvm2cmd2.03 libmailutils7 libmariadb3 libntlm0 libunbound8 lvm2
  mailutils mailutils-common mariadb-common mdadm mysql-common pigz pkg-config
  thin-provisioning-tools
0 upgraded, 36 newly installed, 3 to remove and 0 not upgraded.
Need to get 17.4 MB of archives.
After this operation, 77.3 MB of additional disk space will be used.
Do you want to continue? [Y/n]

This post is Qubes specific only:

Trying to fix the Qubes-Whonix side:

That fix was useful but not sure is sufficient. Qubes-Whonix side of fixing this should be complete. But I don’t know if Qubes Debian templates support dracut. If the answer is yes, it would be sufficient for Qubes-Whonix too. Otherwise still not.

Without using Qubes VM kernel initramfs-tools vs dracut is meaningless.

Maybe not mandatory but --no-install-recommends highly recommended here.

dracut advantages:

• early sysctl settings by default (Kernel Hardening - security-misc - #459 by Patrick)
• InitrdInterface
• arm64 initramfs build issues experienced by @HulaHoop might not be happening with dracut
• easier to implement Wipe RAM on shutdown (Is RAM Wipe possible inside Whonix? Cold Boot Attack Defense)
• maybe easier to implement (re-)mount home [and other?] with noexec (and nosuid [among other useful mount options]) for better security?
• maybe faster since dracut is using systemd at initramfs stage already

dracut is kinda a “pre operating system” (“preOS”) as well as a “post operating system” (“postOS”). Similar to initramfs-tools but with an easier to use interface. initramfs-tools as far as I know also lacks a “postOS” feature.

https://wiki.gentoo.org/wiki/Dracut#List_of_modules

https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_description_6

Having made many initramfs … by hand, update-initramfs seems the fastest (but of course).

I remember the days of Kconfig trimming until got it to work without modules yet still does PGP signing (mostly for WiFi country code frequency database.

Is this what you meant by “live mode” in this thread? Where on directly boots into kernel and stays in there the first time?

Could you help please getting Whonix build process compatible with dracut?

Currently the issue is that it won’t boot. Won’t find root device. This is because dracut even with dracut-config-generic installed fails to create a generic initramfs. Got the issue that either drivers used on the build host system are leaked into the VMs initramfs or that the VMs initramfs is lacking essential drivers such as ext4.ko and whatnot.

Didn’t manage to write a full bug report for dracut yet since it’s really complex.

Dracut would need to create a generic + reproducible (deterministic) initramfs inside the build chroot.

Simplified, desired output is: grml-debootstrap + grub + dracut → Whonix VirtualBox bootable VM image.

Good progress.

• document how to install dracut in a chroot · Issue #1596 · dracutdevs/dracut · GitHub

• dracut support · Issue #186 · grml/grml-debootstrap · GitHub