
Drop hard requirement on networking #211

Merged (4 commits) on Jul 2, 2020

Commits on Jul 2, 2020

  1. systemd: drop hard requirement on networking

    Whether we need networking or not for unlocking an encrypted block
    device is a property of the block device in question. This is expressed
    in `/etc/crypttab` via the `_netdev` option. For example, the systemd
    cryptsetup generator[1] picks up on this and correctly orders unlocking
    of devices that need networking after `remote-fs-pre.target`.
    
    Thus, we shouldn't need to unconditionally require and order ourselves
    after networking comes up. Let whatever interprets `/etc/crypttab` take
    care of this.
    
    Add `DefaultDependencies=no` because we need to be able to run well
    before `sysinit.target`.
    
    [1] https://www.freedesktop.org/software/systemd/man/systemd-cryptsetup-generator.html
    jlebon committed Jul 2, 2020
    088be96
  2. dracut: drop rd.neednet=1 injection

    By default, dracut builds generic initrds which by design shouldn't have
    any configuration specific to a host baked in (as opposed to so-called
    "hostonly" initrds). This property is leveraged with great success in
    immutable hosts like Fedora CoreOS and its downstream RHCOS where the
    initrd is created server-side.
    
    By unconditionally injecting `rd.neednet=1`, the clevis-pin-tang dracut
    module makes it impossible to include it in a truly generic initrd,
    where one cannot make assumptions about the network (or lack thereof,
    see latchset#54) of the target hosts.
    
    So with a generic initrd, how can we make sure that networking is up at
    initrd time on a host which has been configured with root-on-LUKS with a
    Tang pin? By also configuring it with `rd.neednet=1` specified on the
    kernel command-line, and possibly `ip=...` to configure the network
    interfaces.
    
    This is no different from root-on-{NFS,iSCSI,NBD,...}, where one must
    use explicit kernel arguments like `root=nfs:<server>:...` or
    `root=iscsi:<server>:...` or `root=nbd:<server>:...`, all of which imply
    `rd.neednet=1` (one could imagine then a `root=tang:<luks2_uuid>` type
    karg in the future which would be roughly equivalent to
    `root=UUID=<luks2_uuid> rd.neednet=1`).
    
    Dracut also allows one to build host-specific initrds using the
    `-H`/`--hostonly` option, and further the ability to bake the
    command-line arguments when `--hostonly-cmdline` is provided.
    
    So a supplementary approach here would be for `install()` to only inject
    `rd.neednet=1` if using `--hostonly-cmdline` *and* somewhere along the
    root block device hierarchy, there is a Tang-pinned LUKS device. This is
    also analogous to what other dracut modules like 95nfs and 95iscsi do.
    
    However, optimizations for host-only initrds should not come before
    getting correct support for generic initrds.
    
    Closes: latchset#54
    Closes: latchset#206
    jlebon committed Jul 2, 2020
    8e35e69
  3. systemd: add Documentation keys to units

    To be nice to users who want to learn more about these units.
    jlebon committed Jul 2, 2020
    4f0b136
  4. systemd: reword Description of units

    Let's match the description style that systemd itself uses for its
    password agents (see e.g. `systemd-ask-password-wall.{path,service}`).
    Keeping it uniform makes it more obvious that it's the exact same setup
    without having to look inside it.
    jlebon committed Jul 2, 2020
    b2a4d1b
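As an added illustration of the second commit's point (this is not code from the clevis PR or the project), a small POSIX sh check, with a hypothetical `check_neednet` function fed constructed `/etc/crypttab` and kernel command-line text, that flags a `_netdev`-marked device whose command line lacks `rd.neednet=1`: with a generic initrd nothing injects that argument any more, so the operator must supply it explicitly.

```sh
#!/bin/sh
# Added example, not part of the clevis repository.
# check_neednet CRYPTTAB_TEXT CMDLINE_TEXT
#   Prints "no-netdev" (no network-dependent device, nothing to check),
#   "ok" (rd.neednet=1 present) or "missing-rd.neednet", and returns 1
#   only in the last case. Both inputs are passed as text so the check
#   can be run against captured files from another host.
check_neednet() {
    crypttab="$1"
    cmdline="$2"
    netdev=0
    # crypttab columns: name device keyfile options; skip comments/blank lines.
    while read -r name dev key opts; do
        case "$name" in ''|'#'*) continue ;; esac
        # Options are comma separated; look for an exact _netdev token.
        case ",$opts," in *,_netdev,*) netdev=1 ;; esac
    done <<EOF
$crypttab
EOF
    if [ "$netdev" -eq 0 ]; then
        echo "no-netdev"
        return 0
    fi
    # Kernel arguments are space separated; match the whole token.
    case " $cmdline " in
        *" rd.neednet=1 "*) echo "ok"; return 0 ;;
    esac
    echo "missing-rd.neednet"
    return 1
}

# Constructed sample inputs (hypothetical UUIDs), used for demonstration only.
SAMPLE_CRYPTTAB='# <name> <device> <keyfile> <options>
luks-root UUID=00000000-0000-0000-0000-000000000001 none luks,_netdev'
GOOD_CMDLINE='root=UUID=00000000-0000-0000-0000-000000000002 ro rd.neednet=1 ip=dhcp'
BAD_CMDLINE='root=UUID=00000000-0000-0000-0000-000000000002 ro'

check_neednet "$SAMPLE_CRYPTTAB" "$GOOD_CMDLINE" || :
check_neednet "$SAMPLE_CRYPTTAB" "$BAD_CMDLINE" || :
```

The same shape of check applies to `ip=...` when the host cannot rely on DHCP, since dracut will not guess interface configuration either.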