-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
switch-root: preserve the whole cred mount tree (/run/credentials/) #32800
Conversation
This comment was marked as off-topic.
This comment was marked as off-topic.
Could you add a simple testcase? |
b730faa
to
d1a74aa
Compare
hmm, so i think passing over the creds mounts that are associated with services that shall also survive the soft reboot is fine. But within the same hierarchy we also maintain a dir with the per-system creds, and I am not convinced we should pass that over always and unconditionally. i.e. I think it might be OK to pass over already acquired creds by default, but not unconditionally. It should be possible to pass a different set of creds to the next soft-reboot than we got on the current boot. Specifically So, let's say we define (i think these two dirs should be different from |
But why? This just makes it harder and harder to use. What's the point of jumping through those hoops? What advantage does it provide? |
Well, if you look a bit closer, these aren't introduced by this PR, but in your original PR that introduced soft-reboot... And there's even an accompanying comment: credentials passed to the system should survive. Hence I'm not convinced. It seems like a completely different topic, and that contradicts your idea a year ago. |
our basic concepts should be generic, and cover more than one usecase. I think being able to correctly parameterize a subsequent soft-reboot is essential, just like we want to parameterize a subsequent regular reboot or any other boot. As I already wrote: I am entirely fine if we by default copy the current creds into the future creds, I just don't think we should do so unconditionally, because that would severely restrict the flexibility on being able to parameterize boots, regardless if soft or other. hence, i don't see your point regarding "harder to use", because it could by default feel the same. |
I've been contemplating the "soft-reboot-fresh" mode I mentioned last year (#28545 (comment)). In particular, it shall ignore But still, that's a different topic, which has nothing to do with this PR. |
In that mode, going with a fresh set of credentials make a ton of sense, but not really for usual soft-reboots, where you're just doing image-based updates or a fast reboot with the same |
Exactly, and as you noted already, it's how it currently works and is documented. A flag to clear state can be discussed separately, but the usefulness here is to transition state across, adding breaking changes there now, after it has already shipped, doesn't seem desirable to me. |
Currently, during soft-reboot, some services may survive, but their associated credential mounts are dropped. Let's instead preserve them, as discussed.
d1a74aa
to
8582635
Compare
As discussed, let's move the discussion on |
i still think we should allow to parameterize soft-reboot iterations properly, and thus differently from the current invocation. Consider this usecase: a mechanism for doing classic package based system upgrades in a clean way: we soft reboot with some parameterization that ensures that we issue something like "dnf distro-sync", and then when done it either soft reboots back into the system, or (if it detects that the kernel got upgraded) does a hard reboot. Hence, I think soft-reboot is great if you have an image based system, but we shouldn't limit ourselves to that usecase, and instead keep other scenarios in mind as well: parameterizing soft reboots so that they can have slightly different execution environments does make sense to me. |
Or another example: allow me to parameterize a soft-reboot of the system so that we only do storagetm to expose local disks with everything else shut down. and then do another soft-reboot to get back a working system. this would also require some for of parameterization. |
I don't disagree. The main argument is that it does not belong to this specific PR, though. But now that we're targeting v257 anyway, I can probably start working on the |
Don't we need this bug fix for 256? |
In that case we really should merge this as-is. But it's up to @poettering I guess. |
Right now it's broken and we need a fix. We might want to add other modes as you have said, with new options and so on, but that would be material for the next release. But this bugfix should go in. |
CI is still unhappy. In ci (fedora, rawhide), TEST-82-SOFTREBOOT fails. |
The failure should be #32834, and looking at the journal it happens after the |
It seems that the patch is straightforward and fixes the issue that needs to be fixed. We might want to have additional mode where some credentials are cleared, but that's a much more complicated issue and needs to be discussed separately. Let's merge this. |
I still think this is a mistake to do like this because in particular with encrypted creds we want to re-encrypt during the soft reboot transition, since otherwise the keys are not going to be accessible (under the assumption they are locked to boot phase) |
Well, I still think you misread this PR - the |
Currently, during soft-reboot, some services may survive, but their associated credential mounts are dropped. Let's instead preserve them, as discussed.