`initramfs` discussion

initramfs discussion
139 Replies
Kyle Gospo
Kyle GospoOP9mo ago
Alright, starting to look into how we can do initramfs better this interests you @j0rge since you get your rainbow dinosaur for free Basically, we need a way to grab the initramfs.img file and modify it as an action or as part of the containerfile Looking into a few ways to do this, one concept I have is to mount the .img file and modify it directly
Noel
Noel9mo ago
are we thinking this would be easier to do as part of the ISO build process? or in the container itself?
Kyle Gospo
Kyle GospoOP9mo ago
container itself this saves the 20+ minutes on bazzite and will help nvidia users if we can load the nvidia driver into initramfs without the 20 minute wait also useful for branding (since we can load our watermark in without rebuilding initramfs) and useful for encryption (Since we can add the tpm/other modules)
Noel
Noel9mo ago
would that get rid of the need for using mokutil to load the key?
Kyle Gospo
Kyle GospoOP9mo ago
that would not, that's motherboard -> loaded image outside of initramfs but it would mean functional encryption with just initramfs-etc and not the full 20+ minute initramfs feature of ostree lsinitrd is handy for this, it's able to list everything in the initramfs.img file uses cpio to do it, so it shouldn't be too hard to copy from that, extract with cpio, and recreate when done making changes
M2
M29mo ago
you think unpack, inject, repack would be easier than running dracut as part of the build process?
Kyle Gospo
Kyle GospoOP9mo ago
that already happens in bazzite when we install the kernel, but it doesn't pick up our changes worth trying a manual run
M2
M29mo ago
Where do you all do the kernel stuff right now?
Kyle Gospo
Kyle GospoOP9mo ago
near top of our containerfile, installing a new kernel does initramfs
Kyle Gospo
Kyle GospoOP9mo ago
so it does, haven't bothered w/ it due to us always rebuilding so if we can fix that to write to the proper location and manual-execute that may be enough
M2
M29mo ago
https://github.com/ublue-os/bazzite/actions/runs/8641069139/job/23690555718#step:11:758 Seems to have a write location in /tmp while building that tmp location is where it's doing the copy for microcode in as well. I'm unsure why boot isn't writeable
Kyle Gospo
Kyle GospoOP9mo ago
that initramfs file should live in /usr/lib/modules so we could copy it there
M2
M29mo ago
also complaining about /root (might need to do a bind mount of /var/root to /root. But I think that is just build log of dracut yepp you got it. We need to force the location to /lib/modules/$kver/initramfs.img sha256sum matches on boot and that found inside of ostree deploy as wel looks like it would need a manual run since when called as dracut, it will immediately drop privileges to prevent overwriting
Kyle Gospo
Kyle GospoOP9mo ago
yeah that's fine, we'd have to manual run anyway for nvidia builds and it looks like adding the modules we need is trivial now that we use dracut nice, this is a W
M2
M29mo ago
Looks like we just use a specified /tmp/dracut for build location. If we manually call as root it will still autocopy to the correct to kernel version as well! so here is my quick idea:
#!/usr/bin/bash

set -oue pipefail

if [[ "${AKMODS_FLAVOR}" == "surface" ]]; then
KERNEL_NAME=kernel-surface
else
KERNEL_NAME=kernel
fi

KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{FEDORA_VERSION}-%{RELEASE}.%{ARCH}')"
/usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "${KERNEL}" --reproducible -v --add ostree -f /tmp/dracut
#!/usr/bin/bash

set -oue pipefail

if [[ "${AKMODS_FLAVOR}" == "surface" ]]; then
KERNEL_NAME=kernel-surface
else
KERNEL_NAME=kernel
fi

KERNEL="$(rpm -q "${KERNEL_NAME}" --queryformat '%{FEDORA_VERSION}-%{RELEASE}.%{ARCH}')"
/usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "${KERNEL}" --reproducible -v --add ostree -f /tmp/dracut
Kyle Gospo
Kyle GospoOP9mo ago
could probably even toss this in libexec in main so everything that builds from it has it available to use
M2
M29mo ago
well we won't have AKMODS variable....
Kyle Gospo
Kyle GospoOP9mo ago
ah true, in that case as a file in main that can be grabbed I do that for nvidia drivers by pulling the script from HWE or also in HWE
M2
M29mo ago
only reason I wouldn't want to put this into libexec is that clients should be using rpm-ostree initramfs at that point or initramfs-etc since we are going around ostree here maybe? would definitely be curious on what happens in a VM Uhmm rpm-ostree wrapped is not default..... So guess that needs to be added to bluefin Oh it's that cliwrap rpm-ostree cliwrap install-to-root / is needed... which then gives us real dracut while bluefin has real dracut already
Noel
Noel9mo ago
@Kyle Gospo would we want to figure this out before spinning new ISOs for Bazzite? or is flatpak support enough to justify new ISOs? would be awfully nice to have this in to make the install experience that much better.
Kyle Gospo
Kyle GospoOP9mo ago
GitHub
kernel-signer/sign-kernel.sh at main · EyeCantCU/kernel-signer
Contribute to EyeCantCU/kernel-signer development by creating an account on GitHub.
Kyle Gospo
Kyle GospoOP9mo ago
this has a good generic way to get the current kernel and then I think we just make it so --add can have additional params passed into it, and toss this into HWE then anyone can grab it & execute it bazzite would need to run it 2x, once in the base build and then again at the end of the nvidia build
M2
M29mo ago
for us, I think we should use /usr/lib/dracut.conf.d files or /etc/dracut.conf.d since we control the image.
Kyle Gospo
Kyle GospoOP9mo ago
that's fair Okay, once I'm done with my lunch walk here I'm going to go ahead and give this a try Did you spend any more time on this after this convo @M2 ? Just want to make sure we're not wasting effort doing the same thing
M2
M29mo ago
nope doing work work just made the script and saw that the sha256sums matched in /tmp/dracut and /lib/modules/$kver/initramfs.img and then on my machine that matched what I had in /boot/
Kyle Gospo
Kyle GospoOP9mo ago
Awesome, I'll play with it then Ty! @M2 @j0rge Bazzite testing built w/ that script 🙂 initramfs generation was successful just need to verify it made it to the right place That also means you can have your branding now without the headache @j0rge
j0rge
j0rge9mo ago
yeah, raven bird ftw are we sure we wanna do this for F40? Please don't say "but we have an extra week"
Kyle Gospo
Kyle GospoOP9mo ago
we can add at any time, it's just part of the image no rush
j0rge
j0rge9mo ago
k
Kyle Gospo
Kyle GospoOP9mo ago
I'm doing it tho, the old shit took way too long and makes a lot of tickets
j0rge
j0rge9mo ago
I agree people think it's broken yeah I'm down, just saying, you know what work needs to be done, don't crush yourself
p5
p59mo ago
For the people who don't know what initramfs is, what will this allow us to do?
Kyle Gospo
Kyle GospoOP9mo ago
add modules loaded at boot time (nvidia drivers, tpm, etc) brand plymouth
Noel
Noel9mo ago
Are you gonna test with an ISO? I can help @Kyle Gospo
p5
p59mo ago
Oh cool! So no just script to setup Nvidia?
Kyle Gospo
Kyle GospoOP9mo ago
yep
Noel
Noel9mo ago
I wanna see how much faster it really is >:)
M2
M29mo ago
You basically won't need to use a locally built initramfs. Enable support for tpm/fido so only need to do cryptenroll. Nvidia can do early KMS and not fallback to text mode on boot. And no wait for initramfs setup on boot.
Kyle Gospo
Kyle GospoOP9mo ago
@M2 dracut: Creating initramfs image file '/tmp/dracut' done Did you say we didn't need to move that file? Or we did?
M2
M29mo ago
I didn't move it. And that file and /usr/lib/modules/$kver/initramfs.img had same sha256sum
Kyle Gospo
Kyle GospoOP9mo ago
Sweet
M2
M29mo ago
You can do a sanity check with lsinitrd in a container to make sure dracutmodules are there and the Nvidia libs
Kyle Gospo
Kyle GospoOP9mo ago
No description
Kyle Gospo
Kyle GospoOP9mo ago
Logos worked, no go on the modules though nvm might have found what I did wrong there
HikariKnight
HikariKnight9mo ago
since i havent used initramfs-etc, will that still require some kind of rebuild whenever a dracut.conf file is added to /etc/dracut.conf.d/? asking since both vfio and kvmfr will be adding configs 🙂
Kyle Gospo
Kyle GospoOP9mo ago
yes, same as before only much, much faster also existing installs aren't getting touched so if you use initramfs today, you'll keep doing so unless you explicitly turn it off yourself and we can easily add new modules to initramfs in the future
HikariKnight
HikariKnight9mo ago
ok so we just need to adjust bazzite-hardware-setup then so touching rebuild will account for it maybe write a migration guide to move people over to initramfs-etc too (or an ujust if possible)
M2
M29mo ago
Somethings seem to work fine with initramfs-etc. Modprobe works. Install items inside of /etc worked. But dracutmodules misbehaved. For dracut modules there is a force add as well.
HikariKnight
HikariKnight9mo ago
well that is problematic as i know i need dracut modules working for my stuff 😅
M2
M29mo ago
Vfio/kvmfr are both modprobes. Which dracutmodules do you still need?
HikariKnight
HikariKnight9mo ago
ah nvm then i mixed up dracut modules and modprobes 😅
M2
M29mo ago
@Kyle Gospo you have the conf file in the wrong spot. Maybe it's corrected. But it should be in /usr/lib/dracut/dracut.conf.d/ Additionally, we don't have dracut-clevis installed so clevis module will fail the build. finally, we can specify a different compression scheme as well. By default it is using pigz for some reason I see that you got the location fixed. Just removed clevis. Will probably consider including that on bluefin if it isn't already
Kyle Gospo
Kyle GospoOP9mo ago
Is it worth installing it or should we not bother? I will look into zstd
M2
M29mo ago
I don't think we should bother. We don't have the networking modules enabled either so tang decryption wouldn't work. Fido2/TPM2 would be hardware enablement. pkcs11 and pcscd could also work for smartcard decryption (but seriously, who is doing that?) For compression: it means the initramfs needs to be decompressed by the kernel. Arch defaults to zstd, Debian defaults to xz. The atomic images defaults to 1 GB in /boot. With 3 deployments, I'm only using 158 MB so, defaults might be fine. Personally just find it weird that it defaults to pigz. To improve boot times, we could look at not compressing the initramfs Uncompressed the thing is 169 MB. Nvidia would be an issue zstd is 127 MB Default is about 130 MB. Zstd compresses faster, Uncompressed is 39 MB more but should be quicker to boot YubiKeys can do pkcs11
Kyle Gospo
Kyle GospoOP9mo ago
we have a winner!
No description
M2
M29mo ago
Want to add pkcs11 and pcscd as well for YubiKey smartcard functionality?
Kyle Gospo
Kyle GospoOP9mo ago
please
M2
M29mo ago
Done
Kyle Gospo
Kyle GospoOP9mo ago
beautiful
bsherman
bsherman9mo ago
👀🍿
Kyle Gospo
Kyle GospoOP9mo ago
This can be done in the HWE images so Nvidia gets it's modules loaded during boot
M2
M29mo ago
That would mean having cliwrap for all of our images But honestly would resolve the majority case for when people need to do initramfs @Kyle Gospo have you tried these or just building?
Kyle Gospo
Kyle GospoOP9mo ago
pic is me actively running bazzite:testing on my desktop
Kyle Gospo
Kyle GospoOP9mo ago
look ma, no more rpm-ostree initramfs
No description
M2
M29mo ago
yepp, we'll need cliwrap. The dracut that is on bluefin isn't copying over to the right place compared to bazzite
bsherman
bsherman9mo ago
so this is an added step in the build_image job after building the image but before pushing? or... a new final step in the Containerfile? i haven't read any commits about this yet, just asking for clarity
Kyle Gospo
Kyle GospoOP9mo ago
One additional script you run in your container file at any point
p5
p59mo ago
Was having a look at this. How does the built file go from /tmp/dracut to the live system? Tmp is cleared out, so this is confusing me a bit https://github.com/ublue-os/bazzite/blob/main/scripts%2Finitramfs.sh#L11
GitHub
bazzite/scripts/initramfs.sh at main · ublue-os/bazzite
Bazzite is a custom image built upon Fedora Atomic Desktops that brings the best of Linux gaming to all of your devices - including your favorite handheld. - ublue-os/bazzite
Kyle Gospo
Kyle GospoOP9mo ago
I need to look at the code generating this, but what appears to be happening is it tries to put it into a folder that doesn't exist at container build time, so tossing it into temp means it's successful, and then it also places it into the system folders where ostree actually makes use of it Granted this could change, but either way we have what we need here
M2
M29mo ago
We also would need to enable CLI wrap for the other images. It is definitely interesting that this works though. Without clip wrap, I didn't see the initramfs getting copied correctly.
Kyle Gospo
Kyle GospoOP9mo ago
@M2 This may be safer QUALIFIED_KERNEL="$(rpm -qa | grep -P 'kernel-(|'"$KERNEL_SUFFIX"'-)(\d+\.\d+\.\d+)' | sed -E 's/kernel-(|'"$KERNEL_SUFFIX"'-)//')" /usr/libexec/rpm-ostree/wrapped/dracut --no-hostonly --kver "$QUALIFIED_KERNEL" --reproducible -v --add ostree -f "/lib/modules/$QUALIFIED_KERNEL/initramfs.img" assuming it builds
M2
M29mo ago
if that seems to work, maybe we don't have to enable cliwrap and can use dracut directly on everything else.
Kyle Gospo
Kyle GospoOP9mo ago
dracut: *** Creating image file '/usr/lib/modules/6.8.5-201.fsync.fc39.x86_64/initramfs.img' ***
dracut: *** Creating initramfs image file '/usr/lib/modules/6.8.5-201.fsync.fc39.x86_64/initramfs.img' done ***
dracut: *** Creating image file '/usr/lib/modules/6.8.5-201.fsync.fc39.x86_64/initramfs.img' ***
dracut: *** Creating initramfs image file '/usr/lib/modules/6.8.5-201.fsync.fc39.x86_64/initramfs.img' done ***
didn't complain about it 🙂
p5
p59mo ago
If you run this once (e.g. in an upstream image), are you then able to drop in the configuration in dracut.conf.d in downstream images, or would you need to rerun the dracut in every image that touches the config?
Kyle Gospo
Kyle GospoOP9mo ago
re-run in anything that touches a config but with the exception of Nvidia HWE all that really could use this are downstream to begin with IE: Bazzite & Bluefin Nvidia HWE is just nice to have because you want your Nvidia drivers at boot time
Noel
Noel9mo ago
@Kyle Gospo Are we thinking that these changes (and ISO changes) will be merged into main by middle of week next week? I'm just trying to plan my presentation next weekend.
Kyle Gospo
Kyle GospoOP9mo ago
hope so
Kyle Gospo
Kyle GospoOP9mo ago
GitHub
feat: Add initramfs generation by KyleGospo · Pull Request #1127 · ...
TODO: Copy files from system_files/nvidia/shared/* into the image only for Nvidia builds
M2
M29mo ago
If this was in config we would enable decryption methods and Nvidia. Bluefin/Aurora/Bazzite would then be rebuilding for branding the initramfs
Kyle Gospo
Kyle GospoOP9mo ago
@j0rge ^
j0rge
j0rge9mo ago
what's the tldr on this? I don't know much about initramfs
Kyle Gospo
Kyle GospoOP9mo ago
Can you send me that dark dinosaur you wanted @ boot? tldr is now nvidia can load drivers at boot, and we can support unlock methods like TPM & Yubi Keys
j0rge
j0rge9mo ago
sec
Kyle Gospo
Kyle GospoOP9mo ago
and you can have your branding without the downsides no 20 minute wait on first boot
j0rge
j0rge9mo ago
No description
j0rge
j0rge9mo ago
is the only purpose branding? what else does it do?
HikariKnight
HikariKnight9mo ago
whenever something needs to be modprobed at boot it doesnt take a full rebuild of initramfs to enable it
j0rge
j0rge9mo ago
k is it supposed to still be draft?
Kyle Gospo
Kyle GospoOP9mo ago
yeah, there's a todo in there for nvidia
j0rge
j0rge9mo ago
oh I see it
Kyle Gospo
Kyle GospoOP9mo ago
since those images need extra files added to them so they try to load the driver
Noel
Noel9mo ago
priorities!
j0rge
j0rge9mo ago
don't make it too big, smaller is better, subtle.
Kyle Gospo
Kyle GospoOP9mo ago
it's quite tiny
Kyle Gospo
Kyle GospoOP9mo ago
No description
j0rge
j0rge9mo ago
baby murder chicken
Kyle Gospo
Kyle GospoOP9mo ago
Bluefin
Kyle Gospo
Kyle GospoOP9mo ago
No description
No description
M2
M29mo ago
That's looking good. We can probably just put a cleanup of Nvidia stuff inside the initramfs script. Just delete the files then run
Kyle Gospo
Kyle GospoOP9mo ago
Sounds great
j0rge
j0rge9mo ago
Oh I see, it builds it as part of the image instead on boot
Kyle Gospo
Kyle GospoOP9mo ago
Yep, no more 20 minute wait Now we get our branding and novideo users get a better experience for free
j0rge
j0rge9mo ago
do you have this in bazzite already?
HikariKnight
HikariKnight9mo ago
and enables us to use initramfs-etc which is way faster when we need to tack on other things (ex: vfio and kvmfr and other stuff)
Kyle Gospo
Kyle GospoOP9mo ago
In testing
M2
M29mo ago
Yeah this kinda was figured out over the past 48 hours @Kyle Gospo before merging in the initramfs on bluefin I want to make sure that I think we need to look at the bluefin hardware setup script as well. Make sure kargs aren't being set since Nvidia modprobe arguments are now handled by initramfs @Kyle Gospo if you can check that using modprobe for amd legacy gpu devices works (I believe this is how it is setup in Bazzite) I think initramfs is good for merging
M2
M29mo ago
I just added it to the hardware setup. I've not noticed needing that with my Nvidia Machine
Kyle Gospo
Kyle GospoOP9mo ago
@M2 looks great to me, approving or wait I can't, it's mine lol
M2
M29mo ago
I will approve, I just want a double check on all the stuff I did
Kyle Gospo
Kyle GospoOP9mo ago
yup, looks great to me nothing stands out as wrong
M2
M29mo ago
okay did you see the simple drm stuff being talked about? It has a very different karg. One that is actually for the kernel and not being passed to modprobe
j0rge
j0rge9mo ago
@Kyle Gospo @M2 thank you for making the goth chicken a reality.
M2
M29mo ago
@j0rge you'll need to approve.... Apparently github is smart enough to recognize I've added a ton of stuff to it weirldy, the button came back after you hit approve..... So 3 approves
j0rge
j0rge9mo ago
we had a required check for aurora even though I was only modding bluefin files so it never passed, will investigate later merged it for now and then this one will autorebuild everything anyway
M2
M29mo ago
Yeah, we need to improve the logic on these automerge checks. I have it so workflows will not run if the file changes are only in the other one's file path. Aurora changes don't effect Bluefin changes.
p5
p59mo ago
Might simply need a step in Aurora and Bluefin to exit (and skip future steps) when an unrelated change is made, rather than having the logic via triggers. The workflow will then run (and satisfy the required workflows) but not waste time building the wrong image.
M2
M29mo ago
That might effect build badges
p5
p59mo ago
I would expect the badges to only look at runs on main? These workflows are ran on PRs, so I don't think it would change badges. Builds on main are all scheduled (and manual) ones, so this logic to skip builds will not be used. After the initramfs change, I finally have my LUKS graphical prompt screen back! 🎉 Once rolled out to Bazzite, it should resolve this issue https://github.com/ublue-os/bazzite/issues/831
M2
M29mo ago
And reduce setting kargs. And we can steer people to using cryptenroll for luks decryption with tpm2, fido, or pkcs11 With no local initramfs, I have a branded Plymouth and tpm2 unlock works
M2
M29mo ago
No description
HikariKnight
HikariKnight9mo ago
ok so since i never used initramfs-etc, is it all automatic when we add conf files to /etc/dracut.conf.d/ or do we have to issue a rpm-ostree initramfs-etc --track="/etc/dracut.conf.d/foo.conf"? or would it just be easier to do rpm-ostree initramfs-etc --track="/etc/dracut.conf.d" in bazzite-hardware-setup and just issue a rpm-ostree initramfs-etc --force-sync whenever a conf file has been added? since i have some guides i will have to update/rewrite now 🙂
M2
M29mo ago
need to manually specify tracking for the folder /etc/dracut.conf.d and /etc/modprobe.d
HikariKnight
HikariKnight9mo ago
yeah so we should really do that by default then so the user just need to think about rpm-ostree initramfs-etc --force-sync for simplicity will play a bit around with it next week
M2
M29mo ago
while it's fast, unless a person needs it, nothing actually gets added
HikariKnight
HikariKnight9mo ago
vfio and kvmfr will need it if someone needs to add a modprobe file they need it (which is the more likely scenario)
M2
M29mo ago
If they have their own initramfs initramfs-etc is not compatible Only downside for turning on by default
HikariKnight
HikariKnight9mo ago
atm they are 100% dracut files but they touch the now obsolete rebuild file the documentation on discourse about initramfs is also a bit outdated referencing the same file too (but i edited it beforehand to remove all the custom stuff and only describe how to add dracut configs and modprobe)
M2
M29mo ago
That's good, but if a user is using clevis that won't work with etc Probably should just add it We should add it in config or main i just opened a PR
fiftydinar
fiftydinar9mo ago
Very nice work on this one! I think that .conf files must be specified that folders are ignored but I could be wrong
M2
M29mo ago
Yeah, I hesitate to recommend a default. initramfs can do things that initramfs-etc cannot do.
fiftydinar
fiftydinar9mo ago
correction: only files are supported, extension doesn't matter for initramfs-etc --track
HikariKnight
HikariKnight9mo ago
thats all i need to know then, just have to set the commands to track the files, force sync, untrack files and force sync again
fiftydinar
fiftydinar9mo ago
Mine does that automatically, if you wish to look Although, I use force sync only when rebuild file is "touched" I'm not sure if force sync is needed for tracking & untracking files But my script can be easily modified to include force sync there if needed
HikariKnight
HikariKnight9mo ago
ok if force sync is only needed when rebuilding then even better 😄
fiftydinar
fiftydinar9mo ago
@M2 Are you sure that this modprobe for NVK is working? options nouveau config=NvGspRm=1 Format looks odd to me. Based on modprobe docs, something like this is more correct: options driver option=value
Kyle Gospo
Kyle GospoOP9mo ago
that line is from me and it's correct as odd as it looks
Want results from more Discord servers?
Add your server