[pkg-cryptsetup-devel] initramfs-tools: Please provide an API or best practices for custom initramfs hook configuration

Jonas Meurer jonas at freesources.org
Thu Dec 10 11:15:33 UTC 2015 

Hi there,

On Thu, 10 Dec 2015 02:52:11 +0100 Guilhem Moulin <guilhem at guilhem.org>
wrote:
> AFAIK there is no documentation for where users should set variables to
> configure an initramfs hook.  There are a couple of workaround, all
> hacky and/or relying on undocumented properties of initramfs-tools(8):
> 
>   1/ Setting said variable in initramfs.conf(5).  (Since hook scripts
>      are executed is sub-shells the variable need to be exported.)  This
>      is somewhat ugly since initramfs.conf(5) is the configuration file
>      *for mkinitramfs*, not for the hook files.
> 
>   2/ Using /usr/share/initramfs-tools/conf-hooks.d/$hook.  This is an
>      undocumented (short of an entry in the changelog) hack.  Also
>      unless that file is marked as a conffile (which violates the
>      policy) user modifications are wiped upon upgrade.

If I got it right (didn't find documentation about it), the current
purpose of conf-hooks.d seems to be to configure *mkinitramfs* in a
proper way required by the hook scripts, not to set configuration
variables for the hook scripts themselves, no? At least, all that
mkinitramfs does for now, is to source the files from conf-hooks.d. No
export of variables, so the configured variables aren't available to the
hook scripts for now.

>   3/ Make /usr/share/initramfs-tools/conf-hooks.d/$hook a symlink to
>      /etc/initramfs-tools/conf-hooks.d/$hook.  But again, this uses an
>      undocumented property of mkinitramfs(8), and it might hijack your
>      /etc/initramfs-tools namespace.
> 
> There are packages that ship user configurable initramfs hooks
> (cryptsetup and dropbear-initramfs come to mind).  These package need
> documented instructions for where to drop user configuration
> (/etc/initramfs-tools/conf-hooks.d/$package comes to mind).
> 
> Alternatively, in a private discussion with Jonas Meurer of the Debian
> Cryptsetup Team (X-Debug-CC), I've been suggested that mkinitramfs(8)
> could instead source files in /etc/initramfs-tools/conf-hooks.d/ after
> sourcing /usr/share/initramfs-tools/conf-hooks.d/.  This way package
> maintainers would ship variables with their default in /usr while users
> would write their custom configuration in /etc.

Following up on that I think that a proper solution would be the following:

- redefine the purpose of files in conf-hooks.d to set variables that
  are made available to mkinitramfs *and* the hook scripts. In other
  words, parse the configure includes from conf-hooks.d in mkinitramfs
  and export all variables instead of just sourcing the files.
- add the change proposed by Guilhem and support user-defined configs
  from /etc/initramfs-tools/conf-hooks.d/, overwriting the configs from
  packages at /usr/share/initramfs-tools/conf-hooks.d/.

See attached patch which implements this.

Cheers,
 jonas

> -8<----------------------------------------------------->8-
> --- a/mkinitramfs
> +++ b/mkinitramfs
> @@ -87,6 +87,7 @@
>  		echo "Warning: ${i} is a directory instead of file, ignoring."
>  	elif [ -e "${i}" ]; then
>  		. "${i}"
> +		. [ ! -f "/etc/${i#/usr/share/}" ] || . "/etc/${i#/usr/share/}"
>  	fi
>  done
>  
> -8<----------------------------------------------------->8-
> 
> Either way, IMHO initramfs-tools(8) should include some instructions for
> custom initramfs hook configuration.
> 
> Cheers,
> -- 
> Guilhem.
> 
> PS. In fact I've implemented 3/ in dropbear-initramfs a couple of weeks
>     ago.  Oops…
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-mkinitramfs-export-variables-from-conf-hooks.d-direc.patch
Type: text/x-patch
Size: 3414 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20151210/14655837/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-cryptsetup-devel/attachments/20151210/14655837/attachment.sig>

More information about the pkg-cryptsetup-devel mailing list