replacing initramfs-tools with dracut

Patrick · February 6, 2023, 7:19pm

dracut support was implemented in grml-debootstrap.

Kicksecure will move to dracut with its next major release (when rebasing to Debian 12 / bookworm).
(required for ram-wipe - Wipe RAM on shutdown and reboot - Kicksecure)

Patrick · July 9, 2023, 9:32pm

dracut support was completed in git tag 17.0.2.5-developers-only.

Patrick · July 22, 2023, 10:12am

This is a major issue for Kicksecure hosts (currently cannot use dracut):

Debian bug report:
unbootable system after installing dracut on a standard Debian installation

Not an issue for Kicksecure VMs or Whonix VMs because there dracut works for some reason.

Patrick · July 22, 2023, 1:02pm

Might be a duplicate of Debian bug report dracut: generic initrd does not work with encrypted root FS without further configuration.

Thanks to Laszlo Gombos, this has been reported upstream.

github.com/dracutdevs/dracut

Generic initrd does not work with encrypted root FS without further configuration

opened 01:31PM - 20 Jul 23 UTC

LaszloGombos

bug crypt

Moving downstream discussion here upstream from https://bugs.debian.org/cgi-bin/…bugreport.cgi?bug=1029324 with an encrypted root fs, the system will end up with a configuration which looks something like this: ``` /etc/crypttab: <dev>_crypt UUID=<some_uuid> none luks,discard /etc/fstab: /dev/mapper/<some_LVM_LV> / ext4 <options> /boot/grub/grub.cfg: linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet ``` Now, after switching to dracut, the new initrd which is built will not contain the necessary configuration to actually setup the "<dev>_crypt" device, since autoconfiguration (rd.auto) is disabled and a hostonly initrd (which would include a custom /etc/crypttab in the initrd) is not built. The result is an initrd which will hang waiting for /dev/mapper/<some_LVM_LV> to show up, and which will eventually time out. A workaround for now is to change /etc/default/grub: GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1" This, however, means that the name of the crypt device will change from "<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>", which will result in ugly error messages during boot (that's mostly cosmetic though) since systemd will fail to setup the device "<dev>_crypt". That, in turn, can be fixed by changing /etc/crypttab from: <dev>_crypt UUID=<some_uuid> none luks,discard so that it reads: luks-<some_uuid> UUID=<some_uuid> none luks,discard A further problem with building the generic initrd is that custom crypt addons (like the fido2 support) won't be included in the initrd even if fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh ("fido2-device=auto"). CC @Alphix

Patrick · November 8, 2023, 7:46pm

github.com/grml/grml-debootstrap

INITRD_GENERATOR=dracut yet initramfs-tools is installed during the build process

opened 07:46PM - 08 Nov 23 UTC

adrelanos

Even with environment variable `INITRD_GENERATOR=dracut`, first initramfs-tools …is being installed. Later during grml-debootstrap's run, dracut is being installed The previous installation of initramfs-tools is unnecessary, takes time and might even cause issues in case there are any bugs. This happens during the function `kernel` because of installation of packages `linux-image-amd64 linux-headers-amd64 busybox firmware-linux-free`. This is because linux-image-amd64 depends on linux-image-6.1.0-13-amd64 which then depends on [linux-initramfs-tool](https://packages.debian.org/bookworm/linux-initramfs-tool) and the default is initramfs-tools. To fix this, the `kernel` function could be modified. currently: ``` DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES dracut ``` suggested: ``` if [ "$INITRD_GENERATOR" = 'dracut' ] ; then # install dracut here already to avoid needlessly pulling initramfs-tools # shellcheck disable=SC2086 DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES dracut else DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES fi ``` I will test this and send a PR if possible.

Patrick · November 8, 2023, 7:58pm

Patrick · November 22, 2023, 4:40am

Debian bug report:
missing dependency on init / systemd-sysv / libpam-systemd