Am 10.12.2015 um 15:18 schrieb Guilhem Moulin:
> On Thu, 10 Dec 2015 at 12:15:33 +0100, Jonas Meurer wrote:
>> - redefine the purpose of files in conf-hooks.d to set variables that
>> are made available to mkinitramfs *and* the hook scripts.
>
> On second thought it might not be ideal to use the same file for both,
> as exporting all variable to the hooks can have unexpected side effects.
>
> For instance the dropbear hook changes the default UMASK value to 0077
> in order to protect the private key material (the SSH host keys). But
> this variable is also used by other software to override the process's
> umask(2); if it were to be set in the hooks, files within the initramfs
> image might be created with the wrong permissions, which is certainly
> not intended and might have unexpected side effects.
Agreed. I updated the patch to do the following:
- source all files from conf-hooks.d/* at the beginning of mkinitramfs
just as before (but adding the files from ${CONFDIR}/conf-hooks.d/*).
- export variables from conf-hooks.d/<hook> just before the hook script
hooks/<hook> is executed.
This should mitigate the described side-effects.
See the updated patch attached to this mail.
>> # source package confs
>> -for i in /usr/share/initramfs-tools/conf-hooks.d/*; do
>> +for i in /usr/share/initramfs-tools/conf-hooks.d/* /etc/initramfs-tools/conf-hooks.d/*; do
>> if [ -d "${i}" ]; then
>> echo "Warning: ${i} is a directory instead of file, ignoring."
>> elif [ -e "${i}" ]; then
>> . "${i}"
>> + hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${i} | cut -d= -f1)"
>> + if [ -n "${hookvars}" ]; then
>> + export ${hookvars}
>> + fi
>> fi
>> done
>
> If *all* variables are accessible in *all* hooks there must be some kind
> of policy to prevents collisions. For instance packages a and b
> shouldn't make use the same variable OPTIONS, since the assignment in
> conf-hooks.d/b would override that in conf-hooks.d/a.
>
>
> I should also add that Jonas and I would both like to avoid the easy &
> dirty solution consisting of making the package ship a configuration
> file for its hook in /etc/$package/initramfs-hook and source that file
> in the hook. Some cleaner organization in the fashion of /etc/default
> seems like the way to go.
Yep :)
Cheers
jonas
From af1881f4f93de499e99f37a566a79f1dee973269 Mon Sep 17 00:00:00 2001
From: Jonas Meurer <jonas@freesources.org>
Date: Thu, 10 Dec 2015 16:09:54 +0100
Subject: [PATCH] mkinitramfs: export variables from conf-hooks.d includes
Up to now, there was no clear api in initramfs-tools to make initramfs
hook scripts configurable. Variables from conf-hooks.d include files were
not available to the hook scripts due to the hooks beeing executed in
sub-shells. This lead to ugly workarounds in packages that tried (and
most of them: failed) to make their hook scripts configurable to the user.
Now, additionally to sourcing the conf-hooks.d configuration includes,
mkinitramfs exports all variables from conf-hooks.d/<hook> just before
invoking the respective <hook> script. This leads to the variables from
conf-hooks.d/<hook> being available to the respective <hook> script,
thus providing a clear api to configure initramfs hook scripts.
Additionally, the directory /etc/initramfs-tools/conf-hooks.d is introduced,
meant as a place to overwrite package-provided hook configuration by local
settings.
Close: #807527
Signed-off-by: Jonas Meurer <jonas@freesources.org>
---
debian/changelog | 13 ++++++++++++-
debian/initramfs-tools-core.dirs | 1 +
hook-functions | 11 +++++++++++
mkinitramfs | 2 +-
4 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 16e4e5f..d8adccb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,6 @@
initramfs-tools (0.120) unstable; urgency=medium
+ [ Ben Hutchings ]
* [23ee5f9] Add '.log' to fsck log output file, and document its existence
(Closes: #780352)
* [b87e34b] Remove old comment about running shell on failure of fsck
@@ -10,7 +11,17 @@ initramfs-tools (0.120) unstable; urgency=medium
* [25ab961] NEWS: Add entries about other ways of mounting /usr that won't
work
- -- Ben Hutchings <ben@decadent.org.uk> Mon, 13 Apr 2015 01:18:06 +0100
+ [ Jonas Meurer ]
+ * Redefine the purpose of conf-hooks.d include files (closes: #807527):
+ - Additional to these files beeing sourced, variables from
+ conf-hooks.d/<hook> are now exported before <hook> is invoked. As a
+ result, variables from conf-hooks.d/<hook> are now available to the
+ hook script hooks/<hook>.
+ - Add /etc/initramfs-tools/conf-hooks.d as user-configurable place
+ for conf-hooks.d, potentially overwriting settings from
+ /usr/share/initramfs-tools/conf-hooks.d.
+
+ -- Jonas Meurer <mejo@debian.org> Thu, 10 Dec 2015 15:57:12 +0100
initramfs-tools (0.119) unstable; urgency=medium
diff --git a/debian/initramfs-tools-core.dirs b/debian/initramfs-tools-core.dirs
index bcb978b..3098260 100644
--- a/debian/initramfs-tools-core.dirs
+++ b/debian/initramfs-tools-core.dirs
@@ -10,6 +10,7 @@ etc/initramfs-tools/scripts/nfs-top
etc/initramfs-tools/scripts/panic
etc/initramfs-tools/hooks
etc/initramfs-tools/conf.d
+etc/initramfs-tools/conf-hooks.d
usr/share/initramfs-tools/conf.d
usr/share/initramfs-tools/conf-hooks.d
usr/share/initramfs-tools/modules.d
diff --git a/hook-functions b/hook-functions
index 93973bb..411f132 100644
--- a/hook-functions
+++ b/hook-functions
@@ -729,6 +729,17 @@ call_scripts()
set -e
for cs_x in ${runlist}; do
[ -f ${initdir}/${cs_x} ] || continue
+ # read config file conf-hooks.d/${cs_x} if it exists
+ for hookconf in /usr/share/initramfs-tools/conf-hooks.d/${cs_x} ${CONFDIR}/conf-hooks.d/${cs_x}; do
+ [ -f ${hookconf} ] || continue
+ if [ "${verbose}" = "y" ]; then
+ echo "Reading config file conf-hooks.d/${cs_x}"
+ fi
+ hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${hookconf})"
+ for hookvar in ${hookvars}; do
+ export ${hookvar}
+ fi
+ done
# mkinitramfs verbose output
if [ "${verbose}" = "y" ]; then
echo "Calling hook ${cs_x}"
diff --git a/mkinitramfs b/mkinitramfs
index b64c7fb..14c3cf7 100755
--- a/mkinitramfs
+++ b/mkinitramfs
@@ -82,7 +82,7 @@ for i in ${EXTRA_CONF}; do
done
# source package confs
-for i in /usr/share/initramfs-tools/conf-hooks.d/*; do
+for i in /usr/share/initramfs-tools/conf-hooks.d/* /etc/initramfs-tools/conf-hooks.d/*; do
if [ -d "${i}" ]; then
echo "Warning: ${i} is a directory instead of file, ignoring."
elif [ -e "${i}" ]; then
--
2.5.0
Attachment:
signature.asc
Description: OpenPGP digital signature