When installing/upgrading packages (e. g. a kernel and initramfs-tools),
the same initrd is generated twice:
```
$ apt-get install --no-install-recommends -y zstd initramfs-tools linux-image-generic
[...]
Setting up initramfs-tools-core (0.146) ...
Setting up initramfs-tools (0.146) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-6.12.20-amd64 (6.12.20-1) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-6.12.20-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-6.12.20-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-6.12.20-amd64
I: /initrd.img is now a symlink to boot/initrd.img-6.12.20-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.12.20-amd64
Setting up linux-image-amd64 (6.12.20-1) ...
Processing triggers for initramfs-tools (0.146) ...
update-initramfs: Generating /boot/initrd.img-6.12.20-amd64
```
Remember the timestamp when the dpkg trigger is set in the file
`/run/update-initramfs.dpkg-trigger`. Then only update the initramfs if
it is not newer than the time the trigger was created.
This will solve the example given above:
```
$ apt-get install --no-install-recommends -y zstd initramfs-tools linux-image-generic
[...]
Setting up initramfs-tools-core (0.146) ...
Setting up initramfs-tools (0.146) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-6.12.20-amd64 (6.12.20-1) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-6.12.20-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-6.12.20-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-6.12.20-amd64
I: /initrd.img is now a symlink to boot/initrd.img-6.12.20-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.12.20-amd64
Setting up linux-image-amd64 (6.12.20-1) ...
Processing triggers for libc-bin (2.41-6) ...
Processing triggers for initramfs-tools (0.146) ...
update-initramfs: /boot/initrd.img-6.12.20-amd64 has already been updated since Tue Mar 25 11:48:49 2025.
```
This approach will not help, when the update-initramfs trigger is set by
another package (e. g. clevis-initramfs). That would need support from
the dpkg trigger (see Debian bug #1099136).
LP: #1466965
When installing/upgrading packages (e. g. a kernel and initramfs-tools),
the same initrd is generated twice:
```
$ apt-get install --no-install-recommends -y zstd initramfs-tools linux-image-generic
[...]
Setting up initramfs-tools-core (0.145) ...
Setting up initramfs-tools (0.145) ...
update-initramfs: deferring update (trigger activated)
Setting up linux-image-6.12.16-amd64 (6.12.16-1) ...
I: /vmlinuz.old is now a symlink to boot/vmlinuz-6.12.16-amd64
I: /initrd.img.old is now a symlink to boot/initrd.img-6.12.16-amd64
I: /vmlinuz is now a symlink to boot/vmlinuz-6.12.16-amd64
I: /initrd.img is now a symlink to boot/initrd.img-6.12.16-amd64
/etc/kernel/postinst.d/initramfs-tools:
update-initramfs: Generating /boot/initrd.img-6.12.16-amd64
Setting up linux-image-amd64 (6.12.16-1) ...
Processing triggers for libc-bin (2.40-7) ...
Processing triggers for initramfs-tools (0.145) ...
update-initramfs: Generating /boot/initrd.img-6.12.16-amd64
```
Add a `-s` parameter to `update-initramfs` to set a Unix time stamp
(seconds since 1970) for the update mode. An existing initramfs will
only be updated if it is not newer than the specified Unix time stamp.
This feature is the first step to avoid generating the initrd twice.
LP: #1466965
dracut-install can filter modules by symbol (`--mod-filter-symbol`) to
select modules more fine-grain. Harmonize the set of modules that
initramfs-tools and dracut install.
The modules mptfc, mptsas, mptscsih, mptspi, and zfcp are covered by
including `=drivers/message/fusion` to the block devices.
LP: #2031841
Signed-off-by: Benjamin Drung <benjamin.drung@canonical.com>
Including only UFS storage drivers that match the symbol regexp
`${blockfuncs}|iscsi_register_transport` is not enough.
Move UFS storage drivers to the `block` class instead of the more
specific `scsi`.
LP: #2081020
Ubuntu's dracut package ships an `update-initramfs` command with the
same interface as initramfs-tools'. The difference is that it calls
dracut instead of mkinitramfs.
When installing dracut without purging initramfs-tools,
`/etc/kernel/postinst.d/initramfs-tools` will still execute
`update-initramfs` (in addition to dracut's kernel postinst hook).
So query the newly add `--version` parameter to determine which package
provided the `update-initramfs` script. Only run the kernel postinst
hook when the provider matches.
The current behaviour of creating sub-directories for multi-archive
initramfs images was never documented. Document what we do now, with
a note that we may stop creating sub-directories in future.
Signed-off-by: Ben Hutchings <benh@debian.org>
unmkinitramfs used to assume that any uncompressed cpio archives at
the beginning of an initramfs image belonged to the early initramfs
and only a final compressed archive belonged to the the main
initramfs. If it found any uncompressed archives it extracted them
into "early", "early2", etc. subdirectories and the compressed archive
into a "main" subdirectory.
The reason for using a separate subdirectory for each archive is to
guard against a symlink traversal attack from an untrusted initramfs,
e.g. the extraction of "link" as a symlink to "/etc" followed by
"link/shadow" which overwrites "/etc/shadow". cpio itself protects
against this if we extract a single archive into an empty directory,
but not if we extract multiple archives successively into the same
directory.
mkinitramfs now splits the main initramfs files between uncompressed
and compressed archives. unmkinitramfs was changed to use
subdirectory names "cpio1", "cpio2", etc. since the previous
distinction was no longer valid.
Several packages that integrate with initramfs-tools have autopkgtests
that run unmkinitramfs and were broken by this new behaviour. It's
also quite possible that there are also user scripts that would also
be broken.
Therefore, try to restore the old behaviour in unmkinitramfs:
1. Distinguish whether uncompressed archives are "early" or "main"
by checking for a kernel/ subdirectory. Currently all filenames
the kernel looks for in an early initramfs are in this
subdirectory, but we should never create this in the main
initramfs.
2. Extract early archives as before, but concatenate any "main"
uncompressed archives to a temporary file. Exclude the trailer
from them so that cpio won't stop early when reading them.
3. Pass both the "main" uncompressed archives and the compressed
archive to xcpio, and make it concatenate the uncompressed and
decompressed archives as input to cpio.
The concatenation in steps 2 and 3 is done to preserve the protection
against symlink traversal.
Fixes: 81fd41f72dd8 ("Put compressed kernel modules and firmware in an uncompressed cpio")
Fixes: cb0618177b26 ("unmkinitramfs: use directory names 'cpio1', 'cpio2', etc.")
Closes: #1100008
Signed-off-by: Ben Hutchings <benh@debian.org>
We currently split the initramfs when we see zero padding after an
file rather than a new file header. However, the real EOF marker in a
cpio archive is a file header with the name "TRAILER!!!". Look for
that first, then skip zero padding after it.
Signed-off-by: Ben Hutchings <benh@debian.org>
Currently we extract the compressed archive from the initramfs to a
temporary file, but in future we will need to extract multiple
archives. Create a temporary directory at the top level of the
script, and put the compressed archive inside that.
Signed-off-by: Ben Hutchings <benh@debian.org>
chroots and other build environments often do not have /sys mounted.
Nevertheless they want to build initrds. As a complication, live-boot
calls these functions from a hook that has "set -e" turned on, turning
the ignored error from "read" into an abort of update-initramfs.
Fixes: b3e8cc4011334b6f39ba915149d5518b1644f87b
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099461
Signed-off-by: Chris Hofstaedtler <zeha@debian.org>
Reset drivers are currently included when MODULES=most but not when
MODULES=dep. Since they are outside the device model, match them by
module name not by driver class.
Closes: #1027458
Signed-off-by: Ben Hutchings <benh@debian.org>
shellcheck correctly complains:
```
In debian/tests/qemu-klibc line 13:
! lsinitramfs "${INITRAMFS}" | grep -qw busybox
^-- SC2251 (info): This ! is not on a condition and skips errexit. Use `&& exit 1` instead, or make sure $? is checked.
Did you mean:
lsinitramfs "${INITRAMFS}" | grep -qw busybox && exit 1
In debian/tests/qemu-panic-shell line 30:
! grep -qF "(initramfs) " "${OUTPUT}"
^-- SC2251 (info): This ! is not on a condition and skips errexit. Use `&& exit 1` instead, or make sure $? is checked.
Did you mean:
grep -qF "(initramfs) " "${OUTPUT}" && exit 1
For more information:
https://www.shellcheck.net/wiki/SC2251 -- This ! is not on a condition and ...
```
So the result oft those checks were just ignored. Fix that and add error
messages for the failure case. Otherwise there would be no output
explaining the exit code.
Note: The recommendation from https://www.shellcheck.net/wiki/SC2251
would cause qemu-panic-shell to always fail:
https://github.com/koalaman/shellcheck/issues/3121
shellcheck complains:
```
In debian/tests/qemu-klibc line 17:
run_qemu
^------^ SC2119 (info): Use run_qemu "$@" if function's $1 should mean script's $1.
In debian/tests/qemu-separate-usr line 32:
run_qemu
^------^ SC2119 (info): Use run_qemu "$@" if function's $1 should mean script's $1.
In debian/tests/qemu-ata-only line 23:
run_qemu
^------^ SC2119 (info): Use run_qemu "$@" if function's $1 should mean script's $1.
In debian/tests/qemu-virtio-only line 22:
run_qemu
^------^ SC2119 (info): Use run_qemu "$@" if function's $1 should mean script's $1.
In debian/tests/qemu-busybox line 17:
run_qemu
^------^ SC2119 (info): Use run_qemu "$@" if function's $1 should mean script's $1.
For more information:
https://www.shellcheck.net/wiki/SC2119 -- Use prepare_network_dumping_rootf...
```
To silence this shellcheck info since `run_qemu` should be called
without arguments in those cases.
```
In debian/tests/qemu-net line 39:
prepare_network_dumping_rootfs
^----------------------------^ SC2119 (info): Use prepare_network_dumping_rootfs "$@" if function's $1 should mean script's $1.
For more information:
https://www.shellcheck.net/wiki/SC2119 -- Use prepare_network_dumping_rootf...
```
`prepare_network_dumping_rootfs` is never called with a parameter.
```
In debian/tests/test-common line 21:
| while read fw_file; do
^--^ SC2162 (info): read without -r will mangle backslashes.
For more information:
https://www.shellcheck.net/wiki/SC2162 -- read without -r will mangle backs...
```
```
In debian/tests/test-common line 137:
verbose=y
^-----^ SC2034 (warning): verbose appears unused. Verify use (or export if used externally).
In debian/tests/test-common line 138:
DESTDIR="$root_dir"
^-----^ SC2034 (warning): DESTDIR appears unused. Verify use (or export if used externally).
```
```
In debian/tests/copy-file line 9:
echo -n 1 >"${SOURCEDIR}/dir1/file1"
^-- SC3037 (warning): In POSIX sh, echo flags are undefined.
In debian/tests/copy-file line 11:
echo -n 22 >"${SOURCEDIR}/file2"
^-- SC3037 (warning): In POSIX sh, echo flags are undefined.
In debian/tests/copy-file line 12:
echo -n 333 >"${SOURCEDIR}/file3"
^-- SC3037 (warning): In POSIX sh, echo flags are undefined.
```
```
In debian/tests/test-common line 154:
local blocks="$(du --summarize "${dir}" | cut -f 1)"
^----^ SC2155 (warning): Declare and assign separately to avoid masking return values.
In debian/tests/test-common line 155:
local inodes="$(du --summarize --inodes "${dir}" | cut -f 1)"
^----^ SC2155 (warning): Declare and assign separately to avoid masking return values.
For more information:
https://www.shellcheck.net/wiki/SC2155 -- Declare and assign separately to ...
```
Until recently, e2fsprogs was installed by default in autopkgtest
testbeds on both ci.debian.net and Salsa CI. This is no longer
the case in Salsa CI, so we need to explicitly depend on it.
Signed-off-by: Ben Hutchings <benh@debian.org>
The initramfs-tools hook from multipath-tools 0.9.4-9 and newer calls
`copy_libgcc` without any arguments. This will fail:
```
mkinitramfs: copy_file: binary '/libgcc_s.so.[1-9]' not found
```
Instead of relying on multipath-tools to figure out the correct library
path, make `copy_libgcc` to not take any parameters.
LP: #2085157
The function `netinfo_to_resolv_conf` does not clear the variables
between reading multiples files. This can lead to duplicate entries in
the resolv.conf in case the files do not specify the same variables.
Distilled problem:
```sh
#!/bin/sh
sourcing() {
for file in "$@"; do
local A B C
. "./$file"
echo "A: ${A-}"
echo "B: ${B-}"
echo "C: ${C-}"
echo
done
}
printf "A=1\nB=2\n" > first
printf "A=a\nC=c\n" > second
sourcing first second
```
`B` is only defined in the first file and will still contain this value
after sourcing the second file:
```
A: 1
B: 2
C:
A: a
B: 2
C: c
```
So set the local variables to empty strings to clear them before
sourcing the next configuration file.
