Re: RFC: writing kernel cmdline options to grub.conf for dracut

[Seewer Philippe <philippe seewer bfh ch>]

Hans de Goede wrote:
> Hi,
>
> This morning I've been talking to Harald Hoyer about what sort
> of commandline options dracut will be needing to find the /
> filesystem beside root=UUID=1234567890 .
>
> In most cases (normal disks, dmraid, mdraid, lvm, dmcrypt)
> root=UUID=1234567890 should suffice.
>
> However in certain cases for example dracut will need additional
> info to find the disks.
>
> We've come to the following plan for iscsi targets:
> 1) Extend the dhcp_root dhcp variable iscsi syntax to
>    be able include a username password, so:
>    iscsi:192.168.50.2::::iqn.2009-06.dracut:target66
>    Can become:
>    iscsi:user:pass 192 168 50 2::::iqn.2009-06.dracut:target66
>    Or:
>    
> iscsi:user:pass:reverse_user:reverse_pass 192 168 50 2::::iqn.2009-06.dracut:target66 
>
>
> 2) Pass root-path=iscsi:... on the kernel cmdline, for each needed iscsi 
> target, so if
>    necessary this will be passed multiple times, dracut will be modified 
> to be able
>    handle multiple root-path arguments being passed in
>
> 3) chmod /proc/cmdline 400, so that it cannot be read by ordinary users, 
> plugging
>    the passwork leak problem

This does not really plug the leak. Just boot until initramfs is loaded, 
pull the network plug and wait until dracut drops us to a (root-)shell.

> Now the remaining question is how to implement the adding of the needed
> cmdline options to grub.conf.

Question: Is it really necessary to provide username/password to dracut? 
Wouldn't it be better to ask the user? I mean if a mount is password 
protected, be it cryptroot, nfs4 or whatever, shouldn't the user enter 
the data?

Regards,
Philippe