[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: RFC: writing kernel cmdline options to grub.conf for dracut

From: Hans de Goede <hdegoede redhat com>
To: Seewer Philippe <philippe seewer bfh ch>
Cc: initramfs vger kernel org, Discussion of Development and Customization of the Red Hat Linux Installer <anaconda-devel-list redhat com>
Subject: Re: RFC: writing kernel cmdline options to grub.conf for dracut
Date: Thu, 02 Jul 2009 19:18:48 +0200



On 07/02/2009 04:18 PM, Seewer Philippe wrote:

Hans de Goede wrote:

Hi,

This morning I've been talking to Harald Hoyer about what sort
of commandline options dracut will be needing to find the /
filesystem beside root=UUID=1234567890 .

In most cases (normal disks, dmraid, mdraid, lvm, dmcrypt)
root=UUID=1234567890 should suffice.

However in certain cases for example dracut will need additional
info to find the disks.

We've come to the following plan for iscsi targets:
1) Extend the dhcp_root dhcp variable iscsi syntax to
be able include a username password, so:
iscsi:192.168.50.2::::iqn.2009-06.dracut:target66
Can become:
iscsi:user:pass 192 168 50 2::::iqn.2009-06.dracut:target66
Or:
iscsi:user:pass:reverse_user:reverse_pass 192 168 50 2::::iqn.2009-06.dracut:target66


2) Pass root-path=iscsi:... on the kernel cmdline, for each needed
iscsi target, so if
necessary this will be passed multiple times, dracut will be modified
to be able
handle multiple root-path arguments being passed in

3) chmod /proc/cmdline 400, so that it cannot be read by ordinary
users, plugging
the passwork leak problem


This does not really plug the leak. Just boot until initramfs is loaded,
pull the network plug and wait until dracut drops us to a (root-)shell.


If a user has physical access to the machine, and the passwords are not encrypted
with some key which has to be entered manually (which would be really awkward for
say a headless server in a datacenter booting from an iSCSI SAN LUN) you've already
lost.


Now the remaining question is how to implement the adding of the needed
cmdline options to grub.conf.


Question: Is it really necessary to provide username/password to dracut?


Yes, in the case of machines booting of iSCSI it is, this is not a passphrase
for encryption, this is authentication information to connect to an iSCSI target
(one or more disks).

Regards,

Hans

References:
- RFC: writing kernel cmdline options to grub.conf for dracut
  - From: Hans de Goede
- Re: RFC: writing kernel cmdline options to grub.conf for dracut
  - From: Seewer Philippe

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]