diff --git a/dist b/dist index 9c0e36ec42a2d9bfefacb21ac6354c9ddd910533..1fe92cf0fdf9c2625d878a2ace258f64c1e8ca44 100644 --- a/dist +++ b/dist @@ -1 +1 @@ -an8 +an8_10 diff --git a/dracut-early-kdump.sh b/dracut-early-kdump.sh index 129841efcfc06a1eb44ff0eb8d10e7002f502109..0124564711d3be3b3c83974b2989071fdd3c3529 100755 --- a/dracut-early-kdump.sh +++ b/dracut-early-kdump.sh @@ -49,11 +49,6 @@ early_kdump_load() EARLY_KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") - if is_secure_boot_enforced; then - dinfo "Secure Boot is enabled. Using kexec file based syscall." - EARLY_KEXEC_ARGS="$EARLY_KEXEC_ARGS -s" - fi - # Here, only output the messages, but do not save these messages # to a file because the target disk may not be mounted yet, the # earlykdump is too early. diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh index 1fa30113ffdf2c029ce616c31c216106207f8e8d..97be76f4e2b46d6c2968fb4d318b2969cc56908f 100755 --- a/dracut-module-setup.sh +++ b/dracut-module-setup.sh @@ -363,6 +363,14 @@ _get_nic_driver() { ethtool -i "$1" | sed -n -E "s/driver: (.*)/\1/p" } +_get_hpyerv_physical_driver() { + local _physical_nic + + _physical_nic=$(find /sys/class/net/"$1"/ -name 'lower_*' | sed -En "s/\/.*lower_(.*)/\1/p") + [[ -n $_physical_nic ]] || return + _get_nic_driver "$_physical_nic" +} + kdump_install_nic_driver() { local _netif _driver _drivers @@ -382,6 +390,11 @@ kdump_install_nic_driver() { elif [[ $_driver == "team" ]]; then # install the team mode drivers like team_mode_roundrobin.ko as well _driver='=drivers/net/team' + elif [[ $_driver == "hv_netvsc" ]]; then + # A Hyper-V VM may have accelerated networking + # https://learn.microsoft.com/en-us/azure/virtual-network/accelerated-networking-overview + # Install the driver of physical NIC as well + _drivers+=("$(_get_hpyerv_physical_driver "$_netif")") fi _drivers+=("$_driver") 
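Review bot: In `_get_hpyerv_physical_driver`, the `find … -name 'lower_*'` pipeline can print more than one name if the interface has several lower devices, and the whole multi-line string is then handed to `_get_nic_driver` as a single interface name. Taking only the first match, for example by appending `| head -n 1` to the pipeline, or looping over the matches, would keep the `ethtool -i` call well-formed. The function name also misspells "hyperv" as `hpyerv`; renaming it to `_get_hyperv_physical_driver` here and at its call site in `kdump_install_nic_driver` would make it easier to grep for.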
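Review bot: The new `hv_netvsc` branch appends the command substitution to `_drivers` unconditionally, so when `_get_hpyerv_physical_driver` finds no `lower_*` entry and prints nothing, an empty string becomes an array element. How `_drivers` is consumed lies outside this hunk, but an empty driver name is unlikely to be intended there. Capturing the result first and appending only when it is non-empty avoids that: `_phys=$(_get_hpyerv_physical_driver "$_netif")` followed by `[[ -n $_phys ]] && _drivers+=("$_phys")`, with `_phys` added to the function's `local` list.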
@@ -1127,6 +1140,15 @@ install() { 's/\(^[[:space:]]*reserved_memory[[:space:]]*=\)[[:space:]]*[[:digit:]]*/\1 1024/' \ ${initdir}/etc/lvm/lvm.conf &>/dev/null + # Skip initrd-cleanup.service and initrd-parse-etc.service becasue we don't + # need to switch root. Instead of removing them, we use ConditionPathExists + # to check if /proc/vmcore exists to determine if we are in kdump. + sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \ + "${initdir}/${systemdsystemunitdir}/initrd-cleanup.service" &> /dev/null + + sed -i '/\[Unit\]/a ConditionPathExists=!\/proc\/vmcore' \ + "${initdir}/${systemdsystemunitdir}/initrd-parse-etc.service" &> /dev/null + # Save more memory by dropping switch root capability dracut_no_switch_root } diff --git a/kdump-lib.sh b/kdump-lib.sh index 4abef85103bbac6df0e226b13df0c24ea93c965b..8dd63a635263646650739e446c1ec9d54452f727 100755 --- a/kdump-lib.sh +++ b/kdump-lib.sh @@ -529,11 +529,24 @@ get_dracut_args_target() echo $1 | grep "\-\-mount" | sed "s/.*--mount .\(.*\)/\1/" | cut -d' ' -f1 } +get_reserved_mem_size() +{ + local reserved_mem_size=0 + + if is_fadump_capable; then + reserved_mem_size=$(< /sys/kernel/fadump/mem_reserved) + else + reserved_mem_size=$(< /sys/kernel/kexec_crash_size) + fi + + echo "$reserved_mem_size" +} + check_crash_mem_reserved() { local mem_reserved - mem_reserved=$(cat /sys/kernel/kexec_crash_size) + mem_reserved=$(get_reserved_mem_size) if [ $mem_reserved -eq 0 ]; then derror "No memory reserved for crash kernel" return 1 @@ -700,6 +713,15 @@ prepare_kexec_args() fi fi fi + + # For secureboot enabled machines, use new kexec file based syscall. + # Old syscall will always fail as it does not have capability to do + # kernel signature verification. + if is_secure_boot_enforced; then + dinfo "Secure Boot is enabled. Using kexec file based syscall." + kexec_args="$kexec_args -s" + fi + echo $kexec_args } 
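Review bot: Both added `sed -i` calls in `install()` discard all output with `&> /dev/null` and ignore the exit status, so a missing unit file, or one without a `[Unit]` line, leaves no `ConditionPathExists=!/proc/vmcore` entry and nothing reports it. A check after each edit would make that visible, for example `grep -q '^ConditionPathExists=!/proc/vmcore' "$_unit" || derror "kdump: could not add vmcore condition to $_unit"`, with `_unit` set in a short loop over the two service names so the `sed` line is written once. The new comment also has a typo, "becasue". The body of `install()` starts outside this hunk.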
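Review bot: `get_reserved_mem_size` initialises `reserved_mem_size=0` but then overwrites it with `$(< …)`, so if the sysfs file cannot be read the function echoes an empty string rather than 0. In `check_crash_mem_reserved` that empty value reaches the unquoted `[ $mem_reserved -eq 0 ]`, which then raises a test error instead of taking the "No memory reserved for crash kernel" branch. Echoing a default keeps every caller numeric: `echo "${reserved_mem_size:-0}"`. The same value feeds `show_reserved_mem` and `do_estimate` in kdumpctl, and the rest of `check_crash_mem_reserved` is outside this hunk.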
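Review bot: The `dinfo` call added to `prepare_kexec_args` now runs inside a function whose standard output callers capture, as in `KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}")` in kdumpctl and the `EARLY_KEXEC_ARGS=$(…)` line in dracut-early-kdump.sh. The logger is not visible on this page; if `dinfo` writes to stdout, the message text would end up in the kexec argument string on Secure Boot systems. It is worth confirming that it logs to stderr, or redirecting explicitly with `dinfo "Secure Boot is enabled. Using kexec file based syscall." >&2`. A one-line comment above the block stating that anything printed on stdout becomes part of the kexec arguments would document the constraint; the start of `prepare_kexec_args` is outside this hunk.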
diff --git a/kdumpctl b/kdumpctl index 3d0824ca20844a186db0a28aced745936e9211b5..4779a658b5a0aea019b628fe05a5d10b5942c80f 100755 --- a/kdumpctl +++ b/kdumpctl @@ -539,28 +539,22 @@ check_fs_modified() check_system_modified() { local ret + local CONF_ERROR=2 + local CONF_MODIFY=1 + local CONF_NO_MODIFY=0 + local conf_status=$CONF_NO_MODIFY [[ -f $TARGET_INITRD ]] || return 1 - check_files_modified - ret=$? - if [ $ret -ne 0 ]; then - return $ret - fi - - check_fs_modified - ret=$? - if [ $ret -ne 0 ]; then - return $ret - fi - - check_drivers_modified - ret=$? - if [ $ret -ne 0 ]; then - return $ret - fi + for _func in check_files_modified check_fs_modified check_drivers_modified; do + $_func + ret=$? + # return immediately if an error occurred. + [[ $ret -eq "$CONF_ERROR" ]] && return "$ret" + [[ $ret -eq "$CONF_MODIFY" ]] && { conf_status="$CONF_MODIFY"; } + done - return 0 + return $conf_status } check_rebuild() @@ -654,20 +648,7 @@ function load_kdump_kernel_key() return fi - KDUMP_KEY_ID=$(cat /usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer | - keyctl padd asymmetric kernelkey-$RANDOM %:.ima) -} - -# remove a previously loaded key. There's no real security implication -# to leaving it around, we choose to do this because it makes it easier -# to be idempotent and so as to reduce the potential for confusion. -function remove_kdump_kernel_key() -{ - if [ -z "$KDUMP_KEY_ID" ]; then - return - fi - - keyctl unlink $KDUMP_KEY_ID %:.ima + keyctl padd asymmetric "" %:.ima < "/usr/share/doc/kernel-keys/$KDUMP_KERNELVER/kernel-signing-ppc.cer" } # Load the kdump kernel specified in /etc/sysconfig/kdump 
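Review bot: In the new loop of `check_system_modified`, only a status equal to `CONF_ERROR` aborts, so any status above 2 from a `check_*_modified` helper is now dropped and the function can still return 0, whereas the old code returned on every non-zero status. Comparing with `-ge` keeps unexpected failures fatal: `[[ $ret -ge "$CONF_ERROR" ]] && return "$ret"`. The loop variable is also undeclared, so `local _func` should be added next to `local ret` to keep it out of the global scope.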
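Review bot: The rewritten `keyctl padd asymmetric "" %:.ima < …/kernel-signing-ppc.cer` line in `load_kdump_kernel_key` has its exit status ignored, and the new caller in `start_dump` does not check the function's status either. A missing certificate file or a key rejected by the keyring therefore stays silent until the later kexec or fadump load fails, presumably at signature verification. Appending `|| derror "Failed to load kernel signing key for $KDUMP_KERNELVER"` to the `keyctl` line would log the failure where it happens. With `remove_kdump_kernel_key` gone the key also stays on `.ima` after loading and is added again on each start, so a comment in the function saying this is intentional (the changelog ties it to fadump) would help the next reader. The beginning of `load_kdump_kernel_key` is outside this hunk.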
@@ -682,15 +663,6 @@ load_kdump() KEXEC_ARGS=$(prepare_kexec_args "${KEXEC_ARGS}") KDUMP_COMMANDLINE=$(prepare_cmdline "${KDUMP_COMMANDLINE}" "${KDUMP_COMMANDLINE_REMOVE}" "${KDUMP_COMMANDLINE_APPEND}") - # For secureboot enabled machines, use new kexec file based syscall. - # Old syscall will always fail as it does not have capability to - # to kernel signature verification. - if is_secure_boot_enforced; then - dinfo "Secure Boot is enabled. Using kexec file based syscall." - KEXEC_ARGS="$KEXEC_ARGS -s" - load_kdump_kernel_key - fi - ddebug "$KEXEC $KEXEC_ARGS $standard_kexec_args --command-line=$KDUMP_COMMANDLINE --initrd=$TARGET_INITRD $KDUMP_KERNEL" if [[ $(uname -m) == x86_64 ]]; then @@ -727,9 +699,7 @@ load_kdump() set +x exec 2>&12 12>&- - remove_kdump_kernel_key - - if [ $ret == 0 ]; then + if [[ $ret == 0 ]]; then dinfo "kexec: loaded kdump kernel" return 0 else @@ -867,7 +837,7 @@ propagate_ssh_key() show_reserved_mem() { - local mem=$(cat /sys/kernel/kexec_crash_size) + local mem=$(get_reserved_mem_size) local mem_mb=$(expr $mem / 1024 / 1024) dinfo "Reserved "$mem_mb"MB memory for crash kernel" @@ -1028,7 +998,13 @@ start_fadump() start_dump() { - if [ $DEFAULT_DUMP_MODE == "fadump" ]; then + # On secure boot enabled Power systems, load kernel signing key on .ima for signature + # verification using kexec file based syscall. + if [[ "$(uname -m)" == ppc64le ]] && is_secure_boot_enforced; then + load_kdump_kernel_key + fi + + if [[ $DEFAULT_DUMP_MODE == "fadump" ]]; then start_fadump else load_kdump @@ -1289,7 +1265,7 @@ do_estimate() { # The default value when using crashkernel=auto baseline_size=$((baseline * size_mb)) # Current reserved crashkernel size - reserved_size=$(cat /sys/kernel/kexec_crash_size) + reserved_size=$(get_reserved_mem_size) # A pre-estimated value for userspace usage and kernel # runtime allocation, 64M should good for most cases runtime_size=$((64 * size_mb)) 
diff --git a/kexec-tools.spec b/kexec-tools.spec index 87b931ddffc7cf7240355ec710537213a529c32d..727ad0445457fbf9d8ceb419ddf7051bd8371380 100644 --- a/kexec-tools.spec +++ b/kexec-tools.spec @@ -1,8 +1,8 @@ -%define anolis_release .0.3 +%define anolis_release .0.1 Name: kexec-tools Version: 2.0.26 -Release: 8%{anolis_release}%{?dist} +Release: 14%{anolis_release}%{?dist}.1 License: GPLv2 Group: Applications/System Summary: The kexec/kdump userspace component @@ -432,7 +432,7 @@ done %doc live-image-kdump-howto.txt %changelog -* Tue Dec 05 2023 Youling Tang - 2.0.26-8.0.1 +* Fri Aug 30 2024 Youling Tang - 2.0.26-14.0.1.1 - Add LoongArch support - Add doc sub package (wb-zh951434@alibaba-inc.com) - Fix kexec error for kexec -s (xiangzao@linux.alibaba.com) 
@@ -441,6 +441,28 @@ done - Fix loongarch kexec issue cause by pstore segment. (wangming01@loongson.cn) - Fix loongarch build faild issue. (wangming01@loongson.cn) +* Tue Jun 18 2024 Pingfan Liu - 2.0.26-14.1 +- mkdumprd: Fix makedumpfile parameter check + +* Wed Feb 21 2024 Pingfan Liu - 2.0.26-14 +- dracut-module-setup: Skip initrd-cleanup and initrd-parse-etc in kdump + +* Fri Feb 2 2024 Pingfan Liu - 2.0.26-13 +- dracut-module-setup.sh: also install the driver of physical NIC for Hyper-V VM with accelerated networking + +* Wed Nov 22 2023 Pingfan Liu - 2.0.26-12 +- kdumpctl: Only returns immediately after an error occurs in check_*_modified + +* Thu Nov 9 2023 Pingfan Liu - 2.0.26-11 +- powerpc: update kdumpctl to load kernel signing key for fadump +- powerpc: update kdumpctl to remove deletion of kernel signing key once loaded + +* Tue Sep 26 2023 Pingfan Liu - 2.0.26-10 +- Introduce a function to get reserved memory size + +* Tue Sep 19 2023 Pingfan Liu - 2.0.26-9 +- Add lvm thin provision to kdump supported-kdump-targets.txt + * Thu Aug 10 2023 Pingfan Liu - 2.0.26-8 - mkdumprd: Use the correct syntax to redirect the stderr to null - mkdumprd: call dracut with --add-device to install the drivers needed by /boot partition automatically for FIPS diff --git a/mkdumprd b/mkdumprd index e5c6e063aaa217ec4befddf978319d9866a75578..6977d14ddc3410db55988ee0e6b0b8a192d8b8d8 100644 --- a/mkdumprd +++ b/mkdumprd @@ -240,7 +240,7 @@ check_user_configured_target() # $1: core_collector config value verify_core_collector() { local _cmd="${1%% *}" - local _params="${1#* }" + local _params="${1#${_cmd}}" if [ "$_cmd" != "makedumpfile" ]; then if is_raw_dump_target; then diff --git a/supported-kdump-targets.txt b/supported-kdump-targets.txt index f540f59fd3b9cc243265aa4a87441a0576687649..ba20250aa92998c136cf928d738a2ee041064a0f 100644 --- a/supported-kdump-targets.txt +++ b/supported-kdump-targets.txt 
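Review bot: In `verify_core_collector`, `${1#${_cmd}}` uses `_cmd` unquoted inside the expansion, so bash treats its contents as a glob pattern; a `core_collector` value whose first word contains `*`, `?` or `[` would strip a different prefix than intended. Quoting the inner expansion makes the match literal: `local _params="${1#"${_cmd}"}"`. `_params` now also keeps the leading space that separated the command from its arguments, which matters if code further down the function, outside this hunk, compares it with an exact string.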
@@ -35,7 +35,8 @@ updating lists accordingly. Supported Dump targets ---------------------- storage: - LVM volume (no thinp) + LVM volume + Thin provisioning volume FC disks (qla2xxx, lpfc, bnx2fc, bfa) software initiator based iSCSI software RAID (mdraid) @@ -79,7 +80,6 @@ Unsupported Dump targets ------------------------ storage: BIOS RAID - Thin provisioning volume Software iSCSI with iBFT (bnx2i, cxgb3i, cxgb4i) Software iSCSI with hybrid (be2iscsi) FCoE