[pkg-cryptsetup-devel] initramfs-tools: Please provide an API or best practices for custom initramfs hook configuration

Jonas Meurer jonas at freesources.org
Thu Dec 10 15:15:26 UTC 2015


Am 10.12.2015 um 15:18 schrieb Guilhem Moulin:
> On Thu, 10 Dec 2015 at 12:15:33 +0100, Jonas Meurer wrote:
>> - redefine the purpose of files in conf-hooks.d to set variables that
>> are made available to mkinitramfs *and* the hook scripts.
> 
> On second thought it might not be ideal to use the same file for both,
> as exporting all variables to the hooks can have unexpected side effects.
> 
> For instance the dropbear hook changes the default UMASK value to 0077
> in order to protect the private key material (the SSH host keys).  But
> this variable is also used by other software to override the process's
> umask(2); if it were to be set in the hooks, files within the initramfs
> image might be created with the wrong permissions, which is certainly
> not intended and might have unexpected side effects.

Agreed. I updated the patch to do the following:

- source all files from conf-hooks.d/* at the beginning of mkinitramfs
  just as before (but adding the files from ${CONFDIR}/conf-hooks.d/*).
- export variables from conf-hooks.d/<hook> just before the hook script
  hooks/<hook> is executed.

This should mitigate the described side-effects.

See the updated patch attached to this mail.

>> # source package confs
>> -for i in /usr/share/initramfs-tools/conf-hooks.d/*; do
>> +for i in /usr/share/initramfs-tools/conf-hooks.d/* /etc/initramfs-tools/conf-hooks.d/*; do
>>  if [ -d "${i}" ]; then
>>      echo "Warning: ${i} is a directory instead of file, ignoring."
>>  elif [ -e "${i}" ]; then
>>      . "${i}"
>> +     hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${i} | cut -d= -f1)"
>> +     if [ -n "${hookvars}" ]; then
>> +         export ${hookvars}
>> +     fi
>>  fi
>> done
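Review bot: the variable-name extraction in the new `hookvars` line is fragile: `sed -e '/#.*$/d'` deletes every line containing a `#`, including an assignment whose quoted value contains one, and `cut -d= -f1` passes through leading whitespace or anything else that precedes the `=`, so `export ${hookvars}` can either fail on a malformed word or silently skip a variable that was just sourced. Matching only identifier assignments, e.g. `hookvars="$(sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "${i}")"`, avoids both problems and also quotes `${i}` the way the surrounding `. "${i}"` already does.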
> 
> If *all* variables are accessible in *all* hooks there must be some kind
> of policy to prevent collisions.  For instance packages a and b
> shouldn't make use of the same variable OPTIONS, since the assignment in
> conf-hooks.d/b would override that in conf-hooks.d/a.
> 
> 
> I should also add that Jonas and I would both like to avoid the easy &
> dirty solution consisting of making the package ship a configuration
> file for its hook in /etc/$package/initramfs-hook and source that file
> in the hook.  Some cleaner organization in the fashion of /etc/default
> seems like the way to go.

Yep :)

Cheers
 jonas
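One way to scope the export to the matching hook, as described in the updated approach above (source everything up front, export only conf-hooks.d/<hook> when hooks/<hook> runs). This is an added shell example, not the patch attached to this thread; the directory layout, the `dropbear` values and the `other` hook are constructed for the demo.

```shell
#!/bin/sh
# Added example: export conf-hooks.d/<hook> variables only to hooks/<hook>.

# Print the variable names assigned in a conf-hooks.d file, one per line.
# Only "NAME=value" lines (optional leading whitespace) count, so comment
# lines are skipped and a '#' inside a value does not hide the assignment.
hook_var_names() {
    sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1"
}

# Run hooks/<hook> with the variables from conf-hooks.d/<hook> exported.
# The subshell keeps those exports (e.g. dropbear's UMASK=0077) from
# leaking into the caller or into the hooks that follow.
run_hook() {
    hookdir=$1; confdir=$2; hook=$3
    (
        if [ -f "${confdir}/${hook}" ]; then
            . "${confdir}/${hook}"
            for v in $(hook_var_names "${confdir}/${hook}"); do
                export "$v"
            done
        fi
        "${hookdir}/${hook}"
    )
}

# Constructed sample tree: a dropbear hook that reports the variables it
# sees, and an unrelated hook that must not see them. Prints the path.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/hooks" "$d/conf-hooks.d"
    cat > "$d/conf-hooks.d/dropbear" <<'EOF'
# restrictive umask for the SSH host keys
UMASK=0077
BANNER="keys#private"   # a '#' in the value must still be exported
EOF
    printf '#!/bin/sh\necho "${UMASK:-unset} ${BANNER:-unset}"\n' > "$d/hooks/dropbear"
    printf '#!/bin/sh\necho "${UMASK:-unset}"\n' > "$d/hooks/other"
    chmod +x "$d/hooks/dropbear" "$d/hooks/other"
    echo "$d"
}
```

Running `run_hook "$D/hooks" "$D/conf-hooks.d" dropbear` on the demo tree prints `0077 keys#private`, while the `other` hook still reports `unset`.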

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mkinitramfs-export-variables-from-conf-hooks.d-inclu.patch
Type: text/x-patch
Size: 4368 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20151210/bf0c7491/attachment.bin>