[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: RFH: dropbear initramfs support

Thanks for your quick reply!

On 06/27/2015 05:01 PM, Guilhem Moulin wrote:
> On Sat, 27 Jun 2015 at 16:20:56 +0200, Christian Seiler wrote:
>> On 06/27/2015 02:19 PM, Guilhem Moulin wrote:
>>> Alright, that's it :-)  The changelog is pretty heavy because I also
>>> lintian-cleaned and modernized (using dh_* tools) the packages, as well as
>>> fixed most bugs:
>>> [...]
>>>    + Bring down interfaces and flush network configuration before existing
>>>      the ramdisk, to avoid misconfigured network in the regular kernel.
>>>      (Closes: #715048, #720987, #720988.)
>> Having just read the debian-devel thread: isn't it dangerous to do
>> that unconditionally?
>> Sure, if you have a normal system then you want to down your network
>> configuration for the aforementioned reasons, but if you additionally
>> also have root on NFS or iSCSI or something similar, then this would
>> break that. Also, dropbear didn't do that in the past, so this could
>> be seen as a regression for those kinds of systems.
> Sorry the changelog didn't mention that, but the ifdown script is
> installed to ‘initramfs-tools/scripts/local-bottom’ hence, according to
> initramfs-tools(8), is not run on NFS mounts.

That will work for NFS, but won't work for iSCSI or NBD, because those
kinds of devices are just regular block devices that depend on the
network being available. So both packages (open-iscsi and nbd-client)
hook into local-top in the initramfs to make the devices available, but
the initramfs will use the regular "let's look for the block device
containing the root filesystem" logic it also uses for local devices to
mount the root filesystem. So on systems with root on NBD or iSCSI
local-bottom is still executed - if you then enable dropbear initramfs
support on those systems, they won't boot anymore.

(Don't know if there are more candidates, those are the two I know of.)

As I said: the majority use case for dropbear in initramfs will not be
these kinds of setups, so I think the new behavior should be the
default setting - but it should be overridable, and there should be a
debian/NEWS entry so that people don't accidentally break their


Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: