From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6874889650574458880 X-Received: by 2002:a2e:9b99:: with SMTP id z25mr383611lji.403.1600716350375; Mon, 21 Sep 2020 12:25:50 -0700 (PDT) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a19:554:: with SMTP id 81ls804703lff.1.gmail; Mon, 21 Sep 2020 12:25:49 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxXllmzpHrTYIXu8fvPjekqMMY0GGWBk7SH7bdslMMZZS/MxR1pQDtR4pDrMBNFeeGDBLz/ X-Received: by 2002:a19:8b56:: with SMTP id n83mr417075lfd.235.1600716349152; Mon, 21 Sep 2020 12:25:49 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1600716349; cv=none; d=google.com; s=arc-20160816; b=ESGfKbL+tKYBMXqnrLte0USjPIsjL33sqSs3zhnZTc/yj6LP22vYUKZloyuYsptpPy LIUBv4F8mXTW69SvPn6N/QgPKtyepx9tEE2HzfdpR+77LdRlJgq6b8ZQvBDW3jXkC9u8 psMkRkEXnGFB61wGGGdtoh/MCZIkr5DhqD9rIhX/jsW+ro/UXIzAl5uwiu6rv8y9/l1I 2e0oXCg1SbtPGS1nzKlMg6DeP2asvFEuAPd8z5Ph4GSFod0q6z6DB3lsUB8nVrHcoQYC b0oEQZX5pOX/saKCVS4vMXixhsNQQTAiK+xgYJF+JXf1jZbR0WDFlbvAhsNQEfiNvngf MBYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:content-language:in-reply-to:mime-version :user-agent:date:message-id:from:references:to:subject; bh=1Fg5Voqtvu8+SwmDbqg0JNPOcZ+xp0gjFvkpLmtjY8Y=; b=zzq3DvXIVaREtWpz9+Tjw9JwFwjjWq/T+u/nuorrC2rbB4IY0dqqbRni75o/mwpO0q 5CF/Zz8BDvknrBamDwnxveKZMtI9xWmT+bOEe7eKUl61mJv+HfI1cxu+8iblO08MfnPA 5e2Mv9dtI0EjulQ2RvxqW5KapsNDb+kcGtO1PdHqf9ItqWtTDj1oFLJ6sJZFs5J0Hdqs 0ImteabmBg4gglc7YJMODWnGmsfCF7b9jp9hn+HPdvOHffeod9KBmtqduKc8baWMFinR uLhhnOiw/6Ma7oF4arcCYjFugn4hXH/VFdEKgcT5qIjHnBAvjAXYzxABctOKJ7EDPvyV /JLA== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Return-Path: Received: from thoth.sbs.de (thoth.sbs.de. [192.35.17.2]) by gmr-mx.google.com with ESMTPS id z6si338320lfe.8.2020.09.21.12.25.49 for (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 21 Sep 2020 12:25:49 -0700 (PDT) Received-SPF: pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) client-ip=192.35.17.2; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of jan.kiszka@siemens.com designates 192.35.17.2 as permitted sender) smtp.mailfrom=jan.kiszka@siemens.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=siemens.com Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by thoth.sbs.de (8.15.2/8.15.2) with ESMTPS id 08LJPm0Y030902 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 21 Sep 2020 21:25:48 +0200 Received: from [167.87.129.190] ([167.87.129.190]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTP id 08LJPgB7030977; Mon, 21 Sep 2020 21:25:45 +0200 Subject: Re: [RFC PATCH] classes: Add initramfs class To: Harald Seiler , isar-users@googlegroups.com, Quirin Gylstorff References: <20200921104212.1387227-1-hws@denx.de> From: Jan Kiszka Message-ID: <433a8c30-796e-344f-35b7-0ce17a1fad7f@siemens.com> Date: Mon, 21 Sep 2020 21:25:42 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0 MIME-Version: 1.0 In-Reply-To: <20200921104212.1387227-1-hws@denx.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-TUID: 1vpY7hSg7yTc On 21.09.20 12:42, Harald Seiler wrote: > Add a new "image" class for generating a custom initramfs. It works > like this: A new minimal debian rootfs is bootstrapped and all > dependency packages for the new initramfs are installed. Then, an > initramfs is generated from this rootfs and deployed like usual. > > This new initramfs.bbclass "image" class should be pulled in by an > "initramfs image" recipe. Said recipe then specifies all dependencies > of the initramfs via INITRAMFS_INSTALL and INITRAMFS_PREINSTALL (which > are analogous to the respective IMAGE_* variables). > > initramfs.bbclass intentionally does _not_ expose a mechanism to change > /etc/initramfs-tools/initramfs.conf and /etc/initramfs-tools/modules. > Changes to their settings are better done via packages that deploy > conf-hooks to /usr/share/initramfs-tools/conf-hooks.d/ and module > fragment files to /usr/share/initramfs-tools/modules.d/. > > Signed-off-by: Harald Seiler > --- > > Notes: > I had this idea while searching for a way to build an initramfs that > uses dm-verity to assert integrity of the rootfs. To me, this feels > like a much cleaner solution than anything else I tried and I'm happy to > report that, using this approach, I got everything working nicely in the > original project. > > In my opinion, this design has a number of advantages over the previous > solutions we have seen so far: > > - It does not suffer any kind of initramfs pollution, caused by > packages installed into a rootfs. This is a big problem when trying > to generated an initramfs from e.g. `buildchroot-target` as many > unrelated packaged could be installed there which would all get > pulled into the initrd (if they install hooks/scripts). > > This also means, with this new approach, the integrator has maximum > control over the contents of the initramfs. > > - There are no needs to change the initramfs generation process in any > way, the debian tooling can be used exactly like its meant to. > > - As most isar-generated images will never regenerate the initramfs > from the running system, all initramfs related packages are dead-weight > to the image. This is a problem when trying to generate the initramfs > from the actual image rootfs. > > When it is necessary to rebuild the initramfs in a running system, > the packages designed for this new class could just be installed into > the rootfs, without any changes necessary. This means, any generic > initramfs module packages can be used both with the in-rootfs mechanism > and initramfs.bbclass. > > - Because of this complete isolation and independence, implementation > of complex logic is much easier: For example dm-verity needs > a root-hash that is only available after the rootfs has been cast into > a filesystem image. With this new approach, this can be modelled with > a simple task dependency. > > meta/classes/initramfs.bbclass | 41 ++++++++++++++++++++++++++++++++++ > 1 file changed, 41 insertions(+) > create mode 100644 meta/classes/initramfs.bbclass > > diff --git a/meta/classes/initramfs.bbclass b/meta/classes/initramfs.bbclass > new file mode 100644 > index 000000000000..8af9b4b379a5 > --- /dev/null > +++ b/meta/classes/initramfs.bbclass > @@ -0,0 +1,41 @@ > +# This software is a part of ISAR. > + > +# Make workdir and stamps machine-specific without changing common PN target > +WORKDIR = "${TMPDIR}/work/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/${PV}-${PR}" > +STAMP = "${STAMPS_DIR}/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/${PV}-${PR}" > +STAMPCLEAN = "${STAMPS_DIR}/${DISTRO}-${DISTRO_ARCH}/${PN}-${MACHINE}/*-*" > + > +INITRAMFS_INSTALL ?= "" > +INITRAMFS_PREINSTALL ?= "" > +INITRAMFS_ROOTFS ?= "${WORKDIR}/rootfs" > +INITRAMFS_IMAGE_FILE = "${DEPLOY_DIR_IMAGE}/${INITRAMFS_FULLNAME}.initrd.img" > + > +# Install proper kernel > +INITRAMFS_INSTALL += "${@ ("linux-image-" + d.getVar("KERNEL_NAME", True)) if d.getVar("KERNEL_NAME", True) else ""}" > + > +# Name of the initramfs including distro&machine names > +INITRAMFS_FULLNAME = "${PN}-${DISTRO}-${MACHINE}" > + > +DEPENDS += "${INITRAMFS_INSTALL}" > + > +ROOTFSDIR = "${INITRAMFS_ROOTFS}" > +ROOTFS_FEATURES = "" > +ROOTFS_PACKAGES = "initramfs-tools ${INITRAMFS_PREINSTALL} ${INITRAMFS_INSTALL}" > + > +inherit rootfs > + > +do_generate_initramfs() { > + rootfs_do_mounts > + rootfs_do_qemu > + > + sudo -E chroot "${INITRAMFS_ROOTFS}" \ > + update-initramfs -u -v > + > + if [ ! -e "${INITRAMFS_ROOTFS}/initrd.img" ]; then > + die "No initramfs was found after generation!" > + fi > + > + rm -rf "${INITRAMFS_IMAGE_FILE}" > + cp "${INITRAMFS_ROOTFS}/initrd.img" "${INITRAMFS_IMAGE_FILE}" > +} > +addtask generate_initramfs after do_rootfs before do_build > I think the public would also benefit from a use / test case, i.e. some recipe that inherits this and generates an own initramfs with extensions. For merging this, that will be mandatory anyway. Quirin, what is your impression of this approach? Jan -- Siemens AG, Corporate Technology, CT RDA IOT SES-DE Corporate Competence Center Embedded Linux