Patrick
August 28, 2021, 10:22am
10
This was sent to me:
```
hostonly="yes"
kernel_cmdline="rootovl"
filesystems+=" overlay "
```
```
sudo dracut /boot/nonp.img
```
Here is the boot entry I added to grub.cfg, which is just the regular boot entry with a different initrd.
```
menuentry 'Debian GNU/Linux Non-Persistent Live Mode' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-845ea599-84cb-40c4-b556-f999fa4d389a' {
        load_video
        insmod gzio
        if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
        insmod part_msdos
        insmod ext2
        set root='hd0,msdos1'
        if [ x$feature_platform_search_hint = xy ]; then
          search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1  e04cb268-48ff-46ef-8335-e7a954f6a9bd
        else
          search --no-floppy --fs-uuid --set=root e04cb268-48ff-46ef-8335-e7a954f6a9bd
        fi
        echo    'Loading Linux 5.10.0-8-amd64 ...'
        linux   /vmlinuz-5.10.0-8-amd64 root=/dev/mapper/magian--vg-root ro quiet ro rd.live.image
        echo    'Loading initial ramdisk ...'
        # MY NEW IMAGE CREATED WITH: sudo dracut /boot/nonp.img --force
        initrd  /nonp.img
}
```
Untested.
1 Like
Whonix now has dracut support.
grub-live now has dracut support as well.
Available in all Whonix 16 repositories.
To test:
```
sudo apt install --no-install-recommends dracut
```
`--no-install-recommends` is mandatory. Otherwise some package Recommends: `exim` (or an MTA), which results in a dependency mess.
Whonix 16 might come with dracut by default.
Tested on Whonix KVM (with live mode/read only): working well.
But in Qubes it is going to remove more/important packages:
```
root@host:~# apt install dracut
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  dctrl-tools dkms gettext-base grub-common grub2-common initramfs-tools-core
  klibc-utils libefiboot1 libefivar1 libklibc linux-base os-prober
  python3-distro python3-jinja2 python3-markupsafe python3-msgpack
  python3-pycryptodome python3-zmq qubes-core-agent-thunar
  qubes-input-proxy-sender qubes-kernel-vm-support
  qubes-mgmt-salt-vm-connector qubes-usb-proxy salt-common salt-ssh usbutils
Use 'apt autoremove' to remove them.
The following additional packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin
  cryptsetup-initramfs cryptsetup-run dmeventd dmraid dracut-core exim4-base
  exim4-config exim4-daemon-light gsasl-common guile-2.2-libs kbd kpartx
  libaio1 libdevmapper-event1.02.1 libdmraid1.0.0.rc16 libgnutls-dane0
  libgsasl7 liblvm2cmd2.03 libmailutils7 libmariadb3 libntlm0 libunbound8 lvm2
  mailutils mailutils-common mariadb-common mdadm mysql-common pigz pkg-config
  thin-provisioning-tools
Suggested packages:
  dosfstools keyutils dracut-network exim4-doc-html | exim4-doc-info eximon4
  spf-tools-perl swaks dns-root-data mailutils-mh mailutils-doc
The following packages will be REMOVED:
  initramfs-tools qubes-whonix-gateway
  qubes-whonix-shared-packages-recommended
The following NEW packages will be installed:
  console-setup console-setup-linux cryptsetup cryptsetup-bin
  cryptsetup-initramfs cryptsetup-run dmeventd dmraid dracut dracut-core
  exim4-base exim4-config exim4-daemon-light gsasl-common guile-2.2-libs kbd
  kpartx libaio1 libdevmapper-event1.02.1 libdmraid1.0.0.rc16 libgnutls-dane0
  libgsasl7 liblvm2cmd2.03 libmailutils7 libmariadb3 libntlm0 libunbound8 lvm2
  mailutils mailutils-common mariadb-common mdadm mysql-common pigz pkg-config
  thin-provisioning-tools
0 upgraded, 36 newly installed, 3 to remove and 0 not upgraded.
Need to get 17.4 MB of archives.
After this operation, 77.3 MB of additional disk space will be used.
Do you want to continue? [Y/n]
```
1 Like
Patrick
September 1, 2021, 3:48pm
14
This post is Qubes specific only:
Trying to fix the Qubes-Whonix side:
committed 03:16PM - 01 Sep 21 UTC
leave that to Qubes
for dracut support
https://forums.whonix.org/t/replacing-i… nitramfs-tools-with-dracut/4487/13
That fix was useful, but I'm not sure it is sufficient. The Qubes-Whonix side of fixing this should be complete. But I don't know if Qubes Debian templates support dracut. If the answer is yes, it would be sufficient for Qubes-Whonix too. Otherwise, still not.
Without using the Qubes VM kernel, initramfs-tools vs dracut is meaningless.
Maybe not mandatory, but `--no-install-recommends` is highly recommended here.
1 Like
Patrick
September 1, 2021, 5:16pm
15
dracut advantages:
dracut is kinda a “pre operating system” (“preOS”) as well as a “post operating system” (“postOS”). Similar to initramfs-tools but with an easier to use interface. initramfs-tools as far as I know also lacks a “postOS” feature.
https://wiki.gentoo.org/wiki/Dracut#List_of_modules
https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html#_description_6
1 Like
Having made many initramfs … by hand, update-initramfs seems the fastest (but of course).
I remember the days of Kconfig trimming until I got it to work without modules yet still doing PGP signing (mostly for the WiFi country code frequency database).
Is this what you meant by "live mode" in this thread? Where one directly boots into the kernel and stays in there the first time?
Dark_Coder:
Having made many initramfs … by hand, update-initramfs seems the fastest (but of course).
I remember the days of Kconfig trimming until I got it to work without modules yet still doing PGP signing (mostly for the WiFi country code frequency database).
Could you please help get the Whonix build process compatible with dracut?
Currently the issue is that it won't boot: it won't find the root device. This is because dracut, even with dracut-config-generic installed, fails to create a generic initramfs. Either drivers used on the build host system are leaked into the VM's initramfs, or the VM's initramfs is lacking essential drivers such as ext4.ko and whatnot.
Didn't manage to write a full bug report for dracut yet since it's really complex.
Dracut would need to create a generic + reproducible (deterministic) initramfs inside the build chroot.
Simplified, the desired output is: grml-debootstrap + grub + dracut → Whonix VirtualBox bootable VM image.
Patrick
February 6, 2023, 7:19pm
21
dracut support was implemented in grml-debootstrap.
Kicksecure will move to dracut with its next major release (when rebasing to Debian 12 / bookworm).
(required for ram-wipe: Wipe RAM on shutdown and reboot - Kicksecure)
1 Like
dracut support was completed in git tag 17.0.2.5-developers-only.
This is a major issue for Kicksecure hosts (currently cannot use dracut):
Debian bug report:
unbootable system after installing dracut on a standard Debian installation
Not an issue for Kicksecure VMs or Whonix VMs because there dracut works for some reason.
Might be a duplicate of Debian bug report dracut: generic initrd does not work with encrypted root FS without further configuration .
Thanks to Laszlo Gombos, this has been reported upstream.
opened 01:31PM - 20 Jul 23 UTC (labels: bug, crypt)
Moving downstream discussion here upstream from https://bugs.debian.org/cgi-bin/… bugreport.cgi?bug=1029324
With an encrypted root fs, the system will end up with a configuration which looks something like this:
```
/etc/crypttab:
<dev>_crypt UUID=<some_uuid> none luks,discard
/etc/fstab:
/dev/mapper/<some_LVM_LV> / ext4 <options>
/boot/grub/grub.cfg:
linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet
```
Now, after switching to dracut, the new initrd which is built will not contain the necessary configuration to actually set up the "<dev>_crypt" device, since autoconfiguration (rd.auto) is disabled and a hostonly initrd (which would include a custom /etc/crypttab in the initrd) is not built.
The result is an initrd which will hang waiting for /dev/mapper/<some_LVM_LV> to show up, and which will eventually time out.
A workaround for now is to change /etc/default/grub:
```
GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1"
```
This, however, means that the name of the crypt device will change from "<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>", which will result in ugly error messages during boot (that's mostly cosmetic though) since systemd will fail to set up the device "<dev>_crypt".
That, in turn, can be fixed by changing /etc/crypttab from:
```
<dev>_crypt UUID=<some_uuid> none luks,discard
```
so that it reads:
```
luks-<some_uuid> UUID=<some_uuid> none luks,discard
```
A further problem with building the generic initrd is that custom crypt addons (like the fido2 support) won't be included in the initrd even if fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh ("fido2-device=auto").
CC @Alphix
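An added check, not code from this thread nor from dracut or Debian, that tests a crypttab, an /etc/default/grub and a dracut.conf for the mismatch the issue above describes: a generic (non-hostonly) initrd without rd.auto never sets up the LUKS device and the boot hangs, and with rd.auto=1 the mapping is named luks-<UUID>, so the crypttab entry must carry that name; a hostonly="yes" build (as in the live-mode configuration earlier in the thread) embeds /etc/crypttab and passes. Function names are hypothetical and the sample files and UUID are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: checks whether an encrypted root
# will be set up by a dracut initrd, per the failure mode in the issue above.
# Function and file names are hypothetical; files are passed as arguments.

# A hostonly initrd embeds /etc/crypttab, so crypttab names are honoured.
dracut_is_hostonly() { grep -Eq '^[[:space:]]*hostonly="?yes"?' "$1" 2>/dev/null; }

# Does GRUB_CMDLINE_LINUX{,_DEFAULT} enable rd.auto (autodiscovery of LUKS)?
grub_has_rd_auto() {
    grep -E '^[[:space:]]*GRUB_CMDLINE_LINUX(_DEFAULT)?=' "$1" 2>/dev/null |
        grep -Eq '(^|[ "])rd\.auto(=1)?([ "]|$)'
}

# check_crypt_setup CRYPTTAB DEFAULT_GRUB DRACUT_CONF -> 0 ok, 1 hang or name mismatch
check_crypt_setup() {
    if dracut_is_hostonly "$3"; then
        echo "ok: hostonly initrd embeds $1"; return 0
    fi
    if ! grub_has_rd_auto "$2"; then
        echo "FAIL: generic initrd without rd.auto: boot hangs waiting for root"
        return 1
    fi
    # rd.auto names the mapping luks-<UUID>; any other crypttab name is a mismatch
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r name src rest; do
        case $src in
        UUID=*) [ "$name" = "luks-${src#UUID=}" ] ||
            { echo "WARN: rename $name to luks-${src#UUID=} for rd.auto"; exit 1; } ;;
        esac
    done || return 1
    echo "ok: crypttab names match rd.auto naming"
}

# Constructed sample files mirroring the issue (the UUID is made up).
write_samples() {
    u=11111111-2222-3333-4444-555555555555
    printf 'sda3_crypt UUID=%s none luks,discard\n' "$u" >"$1/crypttab"
    printf 'luks-%s UUID=%s none luks,discard\n' "$u" "$u" >"$1/crypttab.fixed"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\n' >"$1/grub.noauto"
    printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1"\n' >"$1/grub.rdauto"
    printf 'hostonly="no"\n' >"$1/dracut.generic"
    printf 'hostonly="yes"\n' >"$1/dracut.hostonly"
}

d=$(mktemp -d) && write_samples "$d"
check_crypt_setup "$d/crypttab" "$d/grub.noauto" "$d/dracut.generic"        # FAIL
check_crypt_setup "$d/crypttab" "$d/grub.rdauto" "$d/dracut.generic"        # WARN
check_crypt_setup "$d/crypttab.fixed" "$d/grub.rdauto" "$d/dracut.generic"  # ok
rm -rf "$d"
```

Run it against copies of the real files to see which of the three states a host is in before rebuilding the initrd.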
Patrick
November 22, 2023, 4:40am
27
Patrick
December 11, 2023, 3:42pm
28