Re: [PATCH v5] init: Disable defaults if init= fails

[Frank Rowand <frowand.list@gmail.com>]

The earliest mention I find of this on lkml is v4.  Was there earlier
discussion of this elsewhere?  (Just so I have a clue as to the full
context and don't repeat previous discussion.)  The mention of names
in the change logs tells me I should be able to find the discussion
somewhere.


On 9/28/2014 7:40 PM, Andy Lutomirski wrote:
> If a user puts init=/whatever on the command line and /whatever
> can't be run, then the kernel will try a few default options before
> giving up.  If init=/whatever came from a bootloader prompt, then
> this is unexpected but probably harmless.  On the other hand, if it
> comes from a script (e.g. a tool like virtme or perhaps a future
> kselftest script), then the fallbacks are likely to exist, but
> they'll do the wrong thing.  For example, they might unexpectedly
> invoke systemd.
> 
> This makes a failure to run the specified init= process be fatal.
> 
> As a temporary measure, users can set CONFIG_INIT_FALLBACK=y to
> preserve the old behavior.  If no one speaks up, we can remove that
> option entirely after a release or two.

I'm speaking up already, no need to wait two releases.  I like the
current behavior where I can fall back into a shell without
recompiling the kernel and/or changing the boot command line to
debug an init failure.

I would suggest that the current behavior remain the
default and the choice to make a failure of the specified
init= process fatal should be an explicit choice.

Instead of using a config option, would adding another kernel
command line option, such as 'init_fail_is_fatal', work for
your needs?  I have a feeling this has already been proposed,
as the 'strictinit' option mentioned in the changes from v3
below might be the same concept?

Thanks,

Frank

> 
> Signed-off-by: Andy Lutomirski <luto@amacapital.net>
> ---
> 
> Changes from v4:
>  - Update the panic message (sorry for the noise)
> 
> Changes from v3:
>  - Get rid of the strictinit option.  Now the new behavior is the default
>    unless CONFIG_INIT_FALLBACK=y (Rob Landley)
> 
> Changes from v2:
>  - Improve docs further, to leave the door open to giving strictinit
>    some sensible semantics if init= is not set.
>  - Improve error output in the failure case (Shuah Khan).
> 
> Changes from v1:
>  - Add missing "if" to the docs (Randy Dunlap)
> 
>  init/Kconfig | 11 +++++++++++
>  init/main.c  |  7 ++++++-
>  2 files changed, 17 insertions(+), 1 deletion(-)
> 
> diff --git a/init/Kconfig b/init/Kconfig
> index e84c6423a2e5..063029a1556f 100644
> --- a/init/Kconfig
> +++ b/init/Kconfig
> @@ -1299,6 +1299,17 @@ source "usr/Kconfig"
>  
>  endif
>  
> +config INIT_FALLBACK
> +	bool "Fall back to defaults if init= parameter is bad"
> +	help
> +	  If enabled, the kernel will try the default init binaries if an
> +	  explicit request from the init= parameter fails.
> +
> +	  This is a temporary measure to allow broken configurations
> +	  to continue to boot.
> +
> +	  If unsure, say N.
> +
>  config CC_OPTIMIZE_FOR_SIZE
>  	bool "Optimize for size"
>  	help
> diff --git a/init/main.c b/init/main.c
> index bb1aed928f21..2bd6105e5dc5 100644
> --- a/init/main.c
> +++ b/init/main.c
> @@ -960,8 +960,13 @@ static int __ref kernel_init(void *unused)
>  		ret = run_init_process(execute_command);
>  		if (!ret)
>  			return 0;
> +#ifndef CONFIG_INIT_FALLBACK
> +		panic("Requested init %s failed (error %d).",
> +		      execute_command, ret);
> +#else
>  		pr_err("Failed to execute %s (error %d).  Attempting defaults...\n",
> -			execute_command, ret);
> +		       execute_command, ret);
> +#endif
>  	}
>  	if (!try_to_run_init_process("/sbin/init") ||
>  	    !try_to_run_init_process("/etc/init") ||
>