nixos/grub: support initrd secrets #85418
Conversation
I always get a failed to move initrd secrets into place error. This even happens if I have no initrd secrets on that host.
Force-pushed 99513bf to a7fd90b.
@Kloenk That should be fixed now. I also fixed another issue that would happen when I also removed
It still fails. I don't know what the problem is, and I don't have a clue on where to start debugging. The /boot/kernels directory contains an The log output I get from the
The non initrd-secrets machine is still building, will post if it also fails tomorrow.
Are you sure you aren't using a module that uses the initrd secrets functionality under the hood (e.g. the initrd SSH module)?
Oh, I see now. The current code assumes that all generations either do or don't have initrd secrets enabled, which obviously isn't the case when you first enable the option.
One disadvantage of removing support for
The initrd ssh module is the only secret I use. On my local PC (at the moment building krita) I don't have initrd ssh. On my server I have ssh, and there it is failing.
The existing implementation already has that problem. The current generation's
Force-pushed 334e9b9 to 694494b.
I rewrote the implementation to be more similar to how systemd-boot does it. It should now work correctly when only some of the generations have secrets.
Force-pushed 694494b to 45a6f1a.
I have fixed all the known issues, but I think it still needs more testing, particularly on systems with a single boot/root partition.
I finally got around to deploying it on my initrd-ssh-server machines. It works there, but only after I did a
Seems like an instance of #85563. Was the error just that the
As far as I understood it, it tried to create an initrd for a previous generation. The config of this generation looked for the initrd secret on another path, and so it failed.
Force-pushed a8ed5bf to c9c5682.
Like @emilazy said, that sounds like an issue with the current initrd secrets implementation, not specific to GRUB.
The documentation doesn't currently suggest that users delete the initrd file. I think rollbacks (i.e.
So it seems like everything is working as intended. Maybe write something about old profiles in the release note, so nobody runs into the same problem as me?
Force-pushed c9c5682 to 1dd6900.
I added some clarification to the changelog, describing the issue I mentioned in my previous comment. It doesn't really talk about the issue @Kloenk ran into, because that isn't related to GRUB or this PR specifically.
Force-pushed 1dd6900 to 14eceb5.
Still works on my servers. So I think it is good to go
Review comment on the release-notes change, quoting these lines:

initrd from the specified files, rather than using a manually created
initrd file.

Due to an existing bug with <option>boot.loader.grub.extraInitrd</option>,
I think this is enough, so if somebody has an error like mine they have a point to start searching.
Tested on my server as well.
It doesn't seem to rebuild the secrets file if the contents of the secrets change.
I'm not sure how that could happen. The initrds for all generations should be generated each time you activate a new configuration. Could you provide more details? Did you change the path to the secret file between the generations, or just its contents?
The second commit also causes the
I'm not totally sure yet, but I think this is a bug in the test. Before this PR, GRUB did not support initrd secrets, so the secrets were copied to the Nix store. Now, they need to be copied by the bootloader install script, which does not run because the test does not use a bootloader. Setting
See #91744
This pull request has been mentioned on NixOS Discourse. There might be relevant details there:
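The configuration shape this thread is about, written up as an added example; it is not code from this PR or from nixpkgs. It assumes a BIOS GRUB install on /dev/sda and a host-side SSH host key at /etc/secrets/initrd/ssh_host_ed25519_key (both placeholder values). The option names (boot.loader.grub.*, boot.initrd.network.ssh.*, boot.initrd.secrets) are real NixOS options; the point it illustrates is the one made above: with this PR the secret files stay outside the Nix store and are appended to each generation's initrd by the bootloader install script at activation time.

```nix
{ config, pkgs, ... }:

{
  # Added example (not from this PR): GRUB plus initrd secrets.
  # Device and file paths below are placeholders for illustration.
  boot.loader.grub = {
    enable = true;
    device = "/dev/sda";   # placeholder: your boot device
  };

  # Pre-PR workaround, now superseded: a manually created initrd image.
  # Leave it unset when using boot.initrd.secrets.
  # boot.loader.grub.extraInitrd = "/boot/secrets.img";

  # The initrd SSH module is what Kloenk uses; it registers its host key as an
  # initrd secret under the hood, so enabling it is enough to hit the code
  # path this PR adds for GRUB.
  boot.initrd.network = {
    enable = true;
    ssh = {
      enable = true;
      port = 2222;
      # The key is read from the host filesystem, not copied into /nix/store.
      # It must exist when `nixos-rebuild switch` runs, because the bootloader
      # install script appends it to every generation's initrd in /boot.
      hostKeys = [ "/etc/secrets/initrd/ssh_host_ed25519_key" ];  # placeholder path
      authorizedKeys = [ "ssh-ed25519 AAAA...placeholder admin@example" ];
    };
  };

  # Further secrets use the same mechanism: path inside the initrd on the left,
  # source file on the host on the right (null means "same path as the key").
  boot.initrd.secrets = {
    "/etc/luks-header-key" = "/etc/secrets/initrd/luks-header-key";  # placeholder
  };
}
```

Two practical consequences follow from the discussion above. Because every generation's initrd is regenerated on each activation, an older generation whose configuration pointed at a secret file on a different host path will fail to build, which is the failure Kloenk hit; keep the host-side secret paths stable across generations or delete the stale profiles before switching. And since the secrets are no longer placed in the Nix store, a quick check after switching is that the key's contents cannot be found anywhere under /nix/store, only inside the generation initrds under /boot.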
Motivation for this change
Long delayed second try at #38263.
I have been running this for a long time and it has worked well for me. @emilazy and @Kloenk could you try and see if this works for you? @mdorman If you can clarify the issues you ran into, I'll try to address them.