dracut not working with secure mode

[posch]

Steps to reproduce

Using a container that includes a dracut initramfs, built with:

dracut --force --no-hostonly --add wwinit --kver $(ls /lib/modules | head -n1)

and a node that was configured for dracut, with:

wwctl node set $node --tagadd GrubMenuEntry=dracut

and with "secure: true" in warewulf.conf, the node fails to boot. warewulfd.log shows:

DENIED : Non-privileged port: $ip:55810

Node boots fine with secure: false.

Error message

RECV   : hwaddr: XX:XX:XX:XX:XX:XX, ipaddr: A.B.C.D:55810, stage: runtime
DENIED : Non-privileged port: A.B.C.D:55810

Information on your system

Commit 18b99353bec1d21dd53761e110e4ced58ad07b60

wwctl version:   4.5.4-1
rpc version: apiPrefix:"rc1"  apiVersion:"1"  warewulfVersion:"4.5.4-1"

warewulf running on Rocky 8.9

General information

• [X] I have run wwctl version and reported the contents of /etc/os-release
• [X] I have searched the issues of this repo and believe this is not a duplicate
• [X] I have captured and reported relevant error messages and logs

[mslacken]

I guess you have to disable the download of the "runtime" overlay in grub stage. The secure flag just means, that you can download the "runtime" only under the following conditions:

• the download uses a privileged outgoing port, which is done by wwclient
• you provide the right asset tag As grub doesn't open a privileged port for download, you will have to disable this under /etc/warewulf/grub/grub.cfg.ww.
  So change the line in that file from

  wwinit_args="root=wwinit wwinit.container=${container} wwinit.system=${system} wwinit.runtime=${runtime} init=/init"

  to

  wwinit_args="root=wwinit wwinit.container=${container} wwinit.system=${system} init=/init"

  as work around.

[posch]

Yes, that seems to work. Thanks.

[anderbubble]

This isn't downloaded by grub, but by dracut; so it might be possible to get it to use a privileged port for download.

I'll have to look into it.

[anderbubble]

It's downloaded with curl at https://github.com/warewulf/warewulf/blob/main/dracut/modules.d/90wwinit/load-wwinit.sh#L11

And the curl docs say you can specify a local port.

https://everything.curl.dev/usingcurl/connections/local-port.html

So this should be feasible, as long as the curl in the initrd isn't some stripped-down curl without that functionality.