[pkg-cryptsetup-devel] initramfs-tools: Please provide an API or best practices for custom initramfs hook configuration

Guilhem Moulin guilhem at guilhem.org
Thu Dec 10 14:18:48 UTC 2015


On Thu, 10 Dec 2015 at 12:15:33 +0100, Jonas Meurer wrote:
> - redefine the purpose of files in conf-hooks.d to set variables that
> are made available to mkinitramfs *and* the hook scripts.

On second thought it might not be ideal to use the same file for both,
as exporting all variables to the hooks can have unexpected side effects.

For instance the dropbear hook changes the default UMASK value to 0077
in order to protect the private key material (the SSH host keys).  But
this variable is also used by other software to override the process's
umask(2); if it were to be set in the hooks, files within the initramfs
image might be created with the wrong permissions, which is certainly
not intended and might have unexpected side effects.

> # source package confs
> -for i in /usr/share/initramfs-tools/conf-hooks.d/*; do
> +for i in /usr/share/initramfs-tools/conf-hooks.d/* /etc/initramfs-tools/conf-hooks.d/*; do
>  if [ -d "${i}" ]; then
>      echo "Warning: ${i} is a directory instead of file, ignoring."
>  elif [ -e "${i}" ]; then
>      . "${i}"
> +     hookvars="$(sed -e '/#.*$/d' -e '/^$/d' ${i} | cut -d= -f1)"
> +     if [ -n "${hookvars}" ]; then
> +         export ${hookvars}
> +     fi
>  fi
> done
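
Review bot: in the added hookvars= line, the first sed expression "/#.*$/d" deletes every line that contains a "#" anywhere, not only comment lines, so an assignment with a trailing comment is sourced by the line above but never exported; anchoring it to the start of the line (for instance "/^[[:space:]]*#/d") would fix that. In the same line ${i} is unquoted, and "cut -d= -f1" prints a line unchanged when it contains no "=", so any non-assignment line in a conf file is passed word by word to the unquoted "export ${hookvars}". Selecting only lines of the form NAME=... before cutting would avoid exporting unintended names.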

If *all* variables are accessible in *all* hooks there must be some kind
of policy to prevent collisions.  For instance packages a and b
shouldn't make use of the same variable OPTIONS, since the assignment in
conf-hooks.d/b would override that in conf-hooks.d/a.


I should also add that Jonas and I would both like to avoid the easy &
dirty solution consisting of making the package ship a configuration
file for its hook in /etc/$package/initramfs-hook and source that file
in the hook.  Some cleaner organization in the fashion of /etc/default
seems like the way to go.

-- 
Guilhem.