replacing initramfs-tools with dracut

Patrick · February 6, 2023, 7:19pm

dracut support was implemented in grml-debootstrap.

Kicksecure will move to dracut with its next major release (when rebasing to Debian 12 / bookworm).
(required for ram-wipe - Wipe RAM on shutdown and reboot - Kicksecure)

Patrick · July 9, 2023, 9:32pm

dracut support was completed in git tag 17.0.2.5-developers-only.

Patrick · July 22, 2023, 10:12am

This is a major issue for Kicksecure hosts (currently cannot use dracut):

Debian bug report:
unbootable system after installing dracut on a standard Debian installation

Not an issue for Kicksecure VMs or Whonix VMs because there dracut works for some reason.

Patrick · July 22, 2023, 1:02pm

Might be a duplicate of Debian bug report dracut: generic initrd does not work with encrypted root FS without further configuration.

Thanks to Laszlo Gombos, this has been reported upstream.

github.com/dracutdevs/dracut

Generic initrd does not work with encrypted root FS without further configuration

opened 01:31PM - 20 Jul 23 UTC

LaszloGombos

bug crypt

Moving downstream discussion here upstream from https://bugs.debian.org/cgi-bin/…bugreport.cgi?bug=1029324 with an encrypted root fs, the system will end up with a configuration which looks something like this: ``` /etc/crypttab: <dev>_crypt UUID=<some_uuid> none luks,discard /etc/fstab: /dev/mapper/<some_LVM_LV> / ext4 <options> /boot/grub/grub.cfg: linux /vmlinuz-6.0.0-6-amd64 root=/dev/mapper/<some_LVM_LV> ro quiet ``` Now, after switching to dracut, the new initrd which is built will not contain the necessary configuration to actually setup the "<dev>_crypt" device, since autoconfiguration (rd.auto) is disabled and a hostonly initrd (which would include a custom /etc/crypttab in the initrd) is not built. The result is an initrd which will hang waiting for /dev/mapper/<some_LVM_LV> to show up, and which will eventually time out. A workaround for now is to change /etc/default/grub: GRUB_CMDLINE_LINUX_DEFAULT="quiet rd.auto=1" This, however, means that the name of the crypt device will change from "<dev>_crypt" (as specified in /etc/crypttab) to "luks-<some_uuid>", which will result in ugly error messages during boot (that's mostly cosmetic though) since systemd will fail to setup the device "<dev>_crypt". That, in turn, can be fixed by changing /etc/crypttab from: <dev>_crypt UUID=<some_uuid> none luks,discard so that it reads: luks-<some_uuid> UUID=<some_uuid> none luks,discard A further problem with building the generic initrd is that custom crypt addons (like the fido2 support) won't be included in the initrd even if fido2 is defined in /usr/lib/dracut/modules.d/90crypt/module-setup.sh ("fido2-device=auto"). CC @Alphix

Patrick · November 8, 2023, 7:46pm

github.com/grml/grml-debootstrap

INITRD_GENERATOR=dracut yet initramfs-tools is installed during the build process

opened 07:46PM - 08 Nov 23 UTC

adrelanos

Even with environment variable `INITRD_GENERATOR=dracut`, first initramfs-tools …is being installed. Later during grml-debootstrap's run, dracut is being installed The previous installation of initramfs-tools is unnecessary, takes time and might even cause issues in case there are any bugs. This happens during the function `kernel` because of installation of packages `linux-image-amd64 linux-headers-amd64 busybox firmware-linux-free`. This is because linux-image-amd64 depends on linux-image-6.1.0-13-amd64 which then depends on [linux-initramfs-tool](https://packages.debian.org/bookworm/linux-initramfs-tool) and the default is initramfs-tools. To fix this, the `kernel` function could be modified. currently: ``` DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES dracut ``` suggested: ``` if [ "$INITRD_GENERATOR" = 'dracut' ] ; then # install dracut here already to avoid needlessly pulling initramfs-tools # shellcheck disable=SC2086 DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES dracut else DEBIAN_FRONTEND=$DEBIAN_FRONTEND $APTINSTALL $KERNELPACKAGES fi ``` I will test this and send a PR if possible.

Patrick · November 8, 2023, 7:58pm

Patrick · November 22, 2023, 4:40am

Debian bug report:
missing dependency on init / systemd-sysv / libpam-systemd

Patrick · December 11, 2023, 3:42pm

dracut has many optional modules:
https://wiki.gentoo.org/wiki/Dracut

Patrick · December 15, 2023, 1:22pm

github.com/dracutdevs/dracut

auto-detect, prompt for potential root devices in case the `root=` device is misconfigured or missing

opened 01:22PM - 15 Dec 23 UTC

adrelanos

enhancement

It might not be possible to auto-detect the root device in very complex cases (c…ustom dual boot setups, network boot) but how about auto detection for the most common cases such as common environments set up by the Fedora or Debian installers? Maybe dracut developers think root device auto detection bad idea? Maybe it's considered insecure as it risks booting the wrong device? If so, they probably have a valid point. Then how about auto detection of potential root devices but prompt the user before booting from an auto detected root device? Or otherwise provide more guidance than a dracut rescue shell? That seems better to me than dropping to a dracut rescue shell. A situation most users will be stuck with.

Patrick · December 17, 2023, 5:41pm

Patrick · December 17, 2023, 6:17pm

github.com/dracutdevs/dracut

auto detect root device according to Discoverable Partitions Specification (DPS) (boot without `root=` and without `/etc/fstab`)

opened 06:16PM - 17 Dec 23 UTC

adrelanos

enhancement

By supporting the [Discoverable Partitions Specification (DPS)](https://uapi-gro…up.org/specifications/specs/discoverable_partitions_specification/) the following things would be possible: * booting without the root device (`root=`) on the kernel command line, and * without `/etc/fstab`. The benefit for the user would be that corner cases such as changed disk uuids after backup/restore no longer result in a broken boot with a dracut rescue shell. It could also simplify operating system build scripts and installers. DPS is also supported by systemd-boot. history: * https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/ * https://systemd.io/DISCOVERABLE_PARTITIONS/ related but non-duplicate: * https://github.com/dracutdevs/dracut/issues/2589 (because that would auto-detect legacy systems as well as prompt the user. This ticket however is about supporting DPS.)

Patrick · January 4, 2024, 6:06pm

Summary why Kicksecure was ported from initramfs-tools to dracut:

From the initrd generators I was aware of at the time, only dracut has an exitrd feature. Which means the system drops back into the initrd at shutdown time. It then (hopefully) cleanly unmounts encrypted devices. Then ram-wipe runs.

This couldn’t have been implemented with initramfs-tools unless contributing the exitrd functionality upstream first.

Switching to dracut was actually quite expensive. Specifically because nobody had shared in simple steps how to create a Debian based Live ISO using dracut.

Once dracut is running, writing initrd or exitrd modules is quite doable.

However, it’s best to not over invest into dracut as its days might be counted. One day it might get replaced by mkosi-initrd. On the other hand since Debian by default did not even move to dracut, it could take many Debian releases, years until that happens, if that ever happens.

Patrick · February 13, 2024, 7:52am

Issue happening with initramfs-tools only: pam-tmpdir-helper breaks certain initramfs-update actions on systems with noexec on the /tmp mount · Issue #198 · Kicksecure/security-misc · GitHub
Same issue is not happening with dracut.