Open suhancz opened 3 years ago
@suhancz thanks for the report. If I'm reading this right, the dracut module is indeed installed and run, but this check here is failing. If so, it sounds like the "test for file readability" is having some troubles. Can you maybe quickly hack that module to also print the output of `id` and `ls -laZ /root/.ssh /root/.ssh/**` right before that check? Additionally, are there any SELinux denials in the journal, or does this work in permissive mode?
@lucab thanks for the response. I've added a few debug options to my branch of the module to see what's happening. SELinux doesn't seem to be enabled during the build. Apparently the initramfs build runs under a tmpfs called `/newroot` that doesn't contain root's home directory, `/root`. See the debug output below.
Nov 17 15:24:16 Tubingen rpm-ostree[13951]: root
Nov 17 15:24:16 Tubingen rpm-ostree[12911]: /
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: TARGET SOURCE FSTYPE OPTIONS
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: / tmpfs[/newroot] tmpfs rw,nosuid,nodev,relatime,seclabel,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/dev tmpfs tmpfs rw,nosuid,nodev,relatime,seclabel,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/null devtmpfs[/null] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/zero devtmpfs[/zero] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/full devtmpfs[/full] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/random devtmpfs[/random] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/urandom devtmpfs[/urandom] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/dev/tty devtmpfs[/tty] devtmpfs rw,nosuid,noexec,seclabel,size=4930676k,nr_inodes=1232669,mode=755,inode64
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | `-/dev/pts devpts devpts rw,nosuid,noexec,relatime,seclabel,mode=620,ptmxmode=666
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/proc proc proc rw,nosuid,nodev,noexec,relatime
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/proc/sysrq-trigger proc[/sysrq-trigger] proc ro,nosuid,nodev,noexec,relatime
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | |-/proc/irq proc[/irq] proc ro,nosuid,nodev,noexec,relatime
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: | `-/proc/bus proc[/bus] proc ro,nosuid,nodev,noexec,relatime
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/sys/block sysfs[/block] sysfs ro,nosuid,nodev,noexec,relatime,seclabel
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/sys/bus sysfs[/bus] sysfs ro,nosuid,nodev,noexec,relatime,seclabel
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/sys/class sysfs[/class] sysfs ro,nosuid,nodev,noexec,relatime,seclabel
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/sys/dev sysfs[/dev] sysfs ro,nosuid,nodev,noexec,relatime,seclabel
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/sys/devices sysfs[/devices] sysfs ro,nosuid,nodev,noexec,relatime,seclabel
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: |-/etc /dev/mapper/luks-989a2293-84bb-4c90-aba3-e818b7c52036[/root/ostree/deploy/fedora/deploy/8adcc75120d651f887c4993230459d7aad57a65d5f9e03e8898c940a2134ba71.0/etc] btrfs ro,nosuid,nodev,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root
Nov 17 15:24:16 Tubingen rpm-ostree[13952]: `-/usr /dev/mapper/luks-989a2293-84bb-4c90-aba3-e818b7c52036[/root/ostree/repo/extensions/rpmostree/private/commit/usr] btrfs ro,nosuid,nodev,relatime,seclabel,ssd,space_cache,subvolid=257,subvol=/root
Nov 17 15:24:16 Tubingen rpm-ostree[13953]: find: '/root': No such file or directory
Nov 17 15:24:16 Tubingen rpm-ostree[13954]: ls: cannot access '/root/.ssh/authorized_keys': No such file or directory
Nov 17 15:24:16 Tubingen rpm-ostree[13955]: id: --context (-Z) works only on an SELinux-enabled kernel
Yes, rpm-ostree runs dracut inside a container which doesn't have the local `/var` mounted. This is by design (see https://bugzilla.redhat.com/show_bug.cgi?id=1352154). Hmm, I guess we could mount it read-only and that would fix your use case?

Backing up though, are you trying to use dracut-sshd for automatic rootfs unlocking? In Fedora CoreOS (and RHCOS), we're using Clevis for this which should work fine in Fedora Silverblue too. I see you already have it layered, so you should be able to just enroll your LUKS device into a Tang or TPM2 pin, regenerate the initramfs, and add `rd.neednet=1` if using Tang pinning.
Yes, I'd appreciate a read-only mount; I guess this would fix the issue.

From what I've read about Tang, it needs an external service running, while I'm using this on some boxes without a TPM, so that would not be an option either. My use case is about having an old server which I can just open in case of a disastrous reboot (having my SSH public key on me).
Alternatively, I don't think it'd be too unreasonable to have dracut-sshd also check e.g. `/etc/dracut-sshd/authorized_keys`. Then you could have separate authorized keys for the initrd vs the real root.
Agreed, though the original tool does check for alternative keys, unfortunately so far only in `/root`. I've already suggested it to work around the issue in question.
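The alternative-location idea discussed above, worked through as an added shell example (not dracut-sshd's or rpm-ostree's own code): a key-discovery function that tries `/etc/dracut-sshd/authorized_keys` before `/root/.ssh/authorized_keys`, resolves symlinks before testing readability so that an ostree-style `/root -> var/roothome` link into an unmounted `/var` is reported as a dangling link rather than as a generic failure, and takes an optional root-directory argument so it can be exercised against a constructed directory tree. The candidate order, the function name and the root argument are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not dracut-sshd's or rpm-ostree's own code.
# find_authorized_keys [ROOT]: print the first readable, non-empty
# authorized_keys candidate below ROOT (default "/") and return 0; on
# failure print one diagnostic per candidate to stderr and return 1.
# The candidate order (the /etc/dracut-sshd path proposed in this thread
# first, then root's own file) and the ROOT argument are assumptions made
# so the function can be exercised against a constructed directory tree.
find_authorized_keys() {
    root="${1:-/}"
    root="${root%/}"
    for rel in etc/dracut-sshd/authorized_keys root/.ssh/authorized_keys; do
        f="$root/$rel"
        # Resolve symlinks before testing readability: on ostree systems
        # /root is a link into /var/roothome, and /var is not mounted in
        # the initramfs build container, so the link dangles there.
        target=$(readlink -f -- "$f" 2>/dev/null) || target="$f"
        if [ -r "$target" ] && [ -s "$target" ]; then
            printf '%s\n' "$target"
            return 0
        fi
        if [ -L "$root/root" ] && [ "$rel" != "${rel#root/}" ]; then
            echo "skip: $f (via symlink $(readlink -- "$root/root"), target missing or unreadable)" >&2
        elif [ -e "$f" ]; then
            echo "skip: $f (exists but is empty or unreadable)" >&2
        else
            echo "skip: $f (does not exist)" >&2
        fi
    done
    echo "error: no usable authorized_keys below ${root:-/}" >&2
    return 1
}
# Usage: find_authorized_keys            # inspect the running host
#        find_authorized_keys /newroot   # inspect a build root
```

Run against the live host the function behaves like the original readability check; run against the build root it prints why each candidate was skipped, which is the information missing from the journal output earlier in this thread.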
I found a similar issue when trying to install fido2luks. As this is also about the mount tree, I consider it worth updating this ticket instead of opening a new one. The mentioned dracut module uses `/dev/log`, which apparently is a symlink pointing to `/run/systemd/journal/dev-log` on Silverblue (and probably on rpm-ostree in general). As `/run` is not mounted either while generating the initramfs, I'd appreciate including that one, too. To test, feel free to use my COPR repo. Please let me know if I should rather open a new issue for this one in the tracker.
I found another issue related to dracut-sshd. It runs sshd with privilege separation by default, which on Fedora depends on `/var/empty/sshd`. As `/var` is not mounted at initramfs setup time, this also causes sshd to fail to start.
The `/var/empty/sshd` issue should be fixed in F34 with https://src.fedoraproject.org/rpms/openssh/pull-request/14, and https://github.com/gsauthof/dracut-sshd/pull/38 is fixed, so dracut-sshd support should be good.
I could not find where the fido2luks dracut module uses /dev/log. Could you point me to that?
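As an added shell example (not rpm-ostree's, dracut's or fido2luks's code), here is a preflight check a dracut module could run from its `check()` or `install()` phase to confirm that the host paths it will need at boot actually exist in the build root, reporting a dangling symlink such as `/dev/log -> /run/systemd/journal/dev-log` separately from a plainly missing path such as `/var/empty/sshd`. The function names and the root-directory argument are assumptions; the dependency list in the usage comment is constructed from the paths mentioned in this thread.

```shell
#!/bin/sh
# Added example, not rpm-ostree's, dracut's or fido2luks's own code.
# check_module_deps ROOT PATH...
# Prints one line per dependency: "ok PATH", "missing PATH -> TARGET
# (dangling symlink)" when PATH is a link whose destination is absent
# from ROOT, or "missing PATH". Returns 0 when every PATH is present
# below ROOT and 1 otherwise. ROOT is "/" for the running host or the
# build root (e.g. /newroot from the journal output above).
check_module_deps() {
    root="${1%/}"
    shift
    rc=0
    for p in "$@"; do
        full="$root$p"
        if [ -e "$full" ]; then
            printf 'ok %s\n' "$p"
        elif [ -L "$full" ]; then
            # -e fails for a link whose target is missing, which is exactly
            # what /dev/log looks like when /run is not mounted.
            printf 'missing %s -> %s (dangling symlink)\n' "$p" "$(readlink -- "$full")"
            rc=1
        else
            printf 'missing %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# missing_module_deps ROOT PATH...: print only the missing paths, one per line.
missing_module_deps() {
    check_module_deps "$@" | sed -n 's/^missing \([^ ]*\).*/\1/p'
}

# Usage (dependency list constructed from this thread):
#   check_module_deps / /var/empty/sshd /dev/log /etc/ssh/sshd_config
```

A module that runs this in `check()` and returns non-zero when something is missing fails early with a readable reason instead of producing a silently broken initramfs that only fails at boot.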
Host system details

rpm-ostree status:

/root/.ssh/authorized_keys permissions:

Expected vs actual behavior

rpm-ostree doesn't install the dracut-sshd module. Journal shows the following:

Expected: rpm-ostree installs the dracut-sshd module, without the above error message in the journal.

Steps to reproduce it

1. `rpm-ostree install dracut-sshd`
2. `/var/roothome/.ssh/authorized_keys`
3. a. `rpm-ostree initramfs --enable --arg='-f' --arg="--debug"`
   b. In parallel on another terminal run `journalctl -faxe|grep rpm-ostree` to see the output

Would you like to work on the issue?
I'm happy to work on the issue in my free time, but I'd prefer to have someone who knows Silverblue better to handle it.