linux-system-roles / nbde_client

Ansible role for configuring Network Bound Disk Encryption clients (e.g. clevis)
https://linux-system-roles.github.io/nbde_client/
MIT License

Fix dracut not enabling network in initramfs #49

Closed Freakygnome closed 2 years ago

Freakygnome commented 3 years ago

RHEL 8 dracut is no longer adding rd.neednet=1 to initramfs by default. Updated to match Red Hat's recommendation. Refer to Section 10.9 of the RHEL 8 security hardening manual.

sergio-correia commented 3 years ago

I think it would be better to use a dracut configuration file for this, so it would be more "permanent". Passing the extra configuration directly in the dracut invocation will work for this particular call performed by the role, but the next time the initramfs is updated (e.g. during a kernel update), dracut will not be executed with these extra parameters.
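The persistence concern raised in the comment above, as an added shell example that is not part of the thread or the role's code: it writes a dracut drop-in idempotently and checks whether `rd.neednet=1` would survive the next initramfs rebuild. The drop-in file name, the function names and the use of dracut's `kernel_cmdline` setting are assumptions; the thread does not say which setting the final change used.

```shell
#!/bin/sh
# Added example. DROPIN_NAME and both function names are hypothetical.
DROPIN_NAME="90-nbde-neednet.conf"

# Write the drop-in only when its content differs from what is wanted.
# Prints "changed" or "ok" so the caller knows whether a rebuild is needed.
ensure_neednet_dropin() {
    conf_dir="$1"
    target="$conf_dir/$DROPIN_NAME"
    # dracut sources its config files as shell, so += appends to any
    # value set by an earlier drop-in instead of replacing it.
    wanted='kernel_cmdline+=" rd.neednet=1 "'
    if [ -f "$target" ] && [ "$(cat "$target")" = "$wanted" ]; then
        echo ok
        return 0
    fi
    mkdir -p "$conf_dir"
    printf '%s\n' "$wanted" > "$target"
    chmod 0644 "$target"
    echo changed
}

# Return 0 when some *.conf in the directory sets rd.neednet=1 on an
# uncommented kernel_cmdline line, i.e. the setting is persistent and
# does not depend on arguments passed to one dracut invocation.
neednet_is_persistent() {
    conf_dir="$1"
    grep -Eqs '^[[:space:]]*kernel_cmdline\+?=.*rd\.neednet=1' \
        "$conf_dir"/*.conf
}

# Only touches the system when called with --apply (needs root).
if [ "${1:-}" = "--apply" ]; then
    if [ "$(ensure_neednet_dropin /etc/dracut.conf.d)" = "changed" ]; then
        # Rebuild once now; later kernel updates pick up the drop-in.
        dracut -f --regenerate-all
    fi
fi
```
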

Freakygnome commented 3 years ago

Good point. Would adding a step to the main-clevis.yml to check and modify the dracut config be suitable?

richm commented 3 years ago

[citest commit:a3f9f5d653cdbc9467eb3f89d91f30c00efe5081]

richm commented 3 years ago

I fixed the black errors - if you rebase on top of the latest, those will go away. However, the yamllint and ansible-lint issues need to be fixed.

richm commented 3 years ago

ping - can you rebase?

richm commented 3 years ago

[citest commit:1a0300a592d9eac9a06d5bc772a494b0d78a7d91]

richm commented 3 years ago

ping - ready for review?

Freakygnome commented 3 years ago

Not yet, hoping to get this ready in the next few days.

richm commented 3 years ago

[citest commit:912106cb5c79b770c0beab7e0e71066b4f777c37]

richm commented 3 years ago

@ukulekek the statuses are stuck in pending - will this be fixed by using tft-bot?

richm commented 3 years ago

[citest commit:912106cb5c79b770c0beab7e0e71066b4f777c37]

richm commented 3 years ago

[citest commit:c84a41bf2e92158f94d9082244e87f52794c1e78]

sergio-correia commented 2 years ago

Looks good to me, thanks. @richm, could you take another look as well, please?

richm commented 2 years ago

[citest commit:108e28f6981107bd28ab116b2390955d9e2a9464]

richm commented 2 years ago

[citest commit:f70235e757120fa54c9109eb9b848594de30c9d2]

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

how does this PR relate to https://github.com/linux-system-roles/nbde_client/pull/58 ?

richm commented 2 years ago

[citest pending]

richm commented 2 years ago

[citest bad]

sergio-correia commented 2 years ago

> how does this PR relate to #58 ?

That other PR would be a superset of this, as it also enables network in the initramfs. This one could be closed, if the other one gets merged.

richm commented 2 years ago

> > how does this PR relate to #58 ?
>
> That other PR would be a superset of this, as it also enables network in the initramfs. This one could be closed, if the other one gets merged.

ok - closing