From: Harald Hoyer <harald-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Benjamin Kingston <list-ses8GfRmtAZWzAuRflr9/A@public.gmane.org>
Cc: initramfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: Ignore or blacklist a disk from being brought up on boot
Date: Thu, 29 Aug 2013 11:02:55 +0200
Message-ID: <521F0E3F.7000305@redhat.com>
In-Reply-To: <CAHA1JWL9ZKxxu+ctXA5zcPSz+VKQAFnEW4TNNs6h+J0OiF5ggA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>


On 08/29/2013 10:35 AM, Benjamin Kingston wrote:
> I'm playing around with FIPS at the moment and currently have kernel
> FIPS off; to my knowledge the fips dracut module does nothing unless
> kernel FIPS is on. Essentially I'm trying to get dracut to ignore the
> boot partition device, since all the information needed to boot and unlock
> (/etc/crypttab and the keyfile) is embedded in the initramfs. It
> appears that when dracut generates the initramfs image, it assumes
> that the volume that /boot is on is required to boot the system.
> 
> I know the system unlocks the drive, because if I allow systemd to
> time out while waiting for the volume UUID to appear, I can see the
> LUKS volume in /dev/mapper in the dracut shell. Essentially the only
> thing preventing the system from booting is the fact that there is a
> systemd target that requires the boot partition to be made active
> (not mounted, as far as I can tell by interrupting dracut pre-pivot
> after unlocking the flash volume the second time).
> 
> I also had it working smoothly in Fedora 17 at one point, where it
> would unlock the LUKS disk according to the embedded crypttab with the
> embedded keyfile and boot the system without having to unlock the
> flash drive just so systemd can see it. I'm not sure what could have
> changed since Fedora 18, since my experience is in systems
> administration rather than software development, so I really
> appreciate you sharing some of your time.
> 


The attached patch for /usr/bin/dracut should help to boot without the /boot device.

The fips module on the other hand _requires_ having /boot and checking vmlinuz.

[-- Attachment #2: dracut-noboot.patch --]
[-- Type: text/x-patch, Size: 381 bytes --]

diff --git a/dracut.sh b/dracut.sh
index 7481ac0..8ee40a3 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -838,7 +838,7 @@ if [[ $hostonly ]]; then
         "/usr/sbin" \
         "/usr/lib" \
         "/usr/lib64" \
-        "/boot";
+        ;
     do
         mountpoint "$mp" >/dev/null 2>&1 || continue
         push host_devs $(readlink -f "/dev/block/$(find_block_device "$mp")")
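Review bot: dropping "/boot" unconditionally from the hostonly mountpoint list conflicts with the fips module, which the cover text says requires /boot in order to check vmlinuz; consider keeping "/boot" in the loop when the fips module is enabled (or making the exclusion opt-in) so that hostonly images built with fips still pull in the /boot device. The replacement line also leaves a bare `;` on its own line after `"/usr/lib64" \`; moving the semicolon onto the `"/usr/lib64"` line (and dropping that line's trailing backslash) reads more cleanly. A short description of the change would help too, since the patch carries no commit message.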
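To see what the loop in that hunk actually collects, here is an added shell example (not dracut's code) that re-implements the mountpoint walk over a constructed /proc/self/mountinfo excerpt. The `find_block_device` here is a simplified stand-in for dracut's helper, and `MOUNTINFO`, the device numbers and `host_devs_for` are assumptions made for the example.

```shell
#!/bin/sh
# Constructed /proc/self/mountinfo excerpt (assumption, not a real system).
# Fields: id parent maj:min root mountpoint options ... - fstype source superopts
MOUNTINFO='22 1 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/root rw
35 22 8:1 / /boot rw,relatime shared:2 - ext4 /dev/sda1 rw
40 22 253:1 / /home rw,relatime shared:3 - ext4 /dev/mapper/home rw'

# Simplified stand-in for dracut's find_block_device: print the major:minor of
# the device backing mountpoint $1, or fail if $1 is not a mountpoint (the
# equivalent of the `mountpoint "$mp" || continue` check in dracut.sh).
find_block_device() {
    printf '%s\n' "$MOUNTINFO" |
        awk -v mp="$1" '$5 == mp { print $3; found = 1 } END { exit !found }'
}

# Mimic the hostonly loop: walk the candidate mountpoints, skip the ones that
# are not mountpoints, and collect the backing devices (deduplicated, in
# order) as a single space-separated line.
host_devs_for() {
    devs=""
    for mp in "$@"; do
        dev=$(find_block_device "$mp") || continue
        case " $devs " in *" $dev "*) continue ;; esac
        devs="${devs:+$devs }$dev"
    done
    printf '%s\n' "$devs"
}

# Before the patch: "/boot" is in the list, so its device (8:1) becomes a
# required host device that the initramfs will wait for.
host_devs_for / /etc /usr /usr/lib /usr/lib64 /boot   # → 253:0 8:1
# After the patch: only the root device remains.
host_devs_for / /etc /usr /usr/lib /usr/lib64         # → 253:0
```

On a live system the same walk can be reproduced against the real /proc/self/mountinfo to confirm which devices a hostonly image will require before rebuilding it.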
