1924587 – RFE: Harden the shutdown phase to avoid dropping into the emergency prompt

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1924587 - RFE: Harden the shutdown phase to avoid dropping into the emergency prompt

Summary: RFE: Harden the shutdown phase to avoid dropping into the emergency prompt

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dracut
Sub Component:
Version:	8.3
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	8.0
Assignee:	Pavel Valena
QA Contact:	Frantisek Sumsal
Docs Contact:
URL:
Whiteboard:
Duplicates (2):	1631740 1961659 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-02-03 09:18 UTC by Renaud Métrich
Modified:	2024-05-09 16:14 UTC (History)
CC List:	11 users (show)
Fixed In Version:	dracut-049-209.git20220815.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-11-08 10:48:46 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	dracutdevs dracut pull 1689	None	Merged	fix(dracut-shutdown): add cleanup handler on failure	2022-02-04 09:05:10 UTC
Github	dracutdevs dracut pull 1748	None	Merged	fix(98dracut-systemd): fix service dependencies	2022-05-31 09:00:35 UTC
Github	freedesktop plymouth pull 6	None	Draft	systemd: Make sure plymouth-switch-root-initramfs.service executes after dracut-shutdown-onfailure.service	2022-01-13 16:44:44 UTC
Red Hat Knowledge Base (Solution)	5783491	None	None	None	2021-02-08 08:51:38 UTC
Red Hat Product Errata	RHBA-2022:7725	None	None	None	2022-11-08 10:49:08 UTC

Description Renaud Métrich 2021-02-03 09:18:28 UTC

Description of problem:

Currently the shutdown phase executes dracut-shutdown.service which unpacks the initramfs into /run/initramfs. Then plymouth-switch-root-initramfs.service executes and switches root to /run/initramfs and final shutdown operations execute.

Sometimes, the initramfs couldn't be unpacked properly, which leads to dropping into the following prompt (executed by "shutdown" binary once switch-root happened):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
/shutdown: line 115: reboot: command not found
[  145.951127] dracut Warning: reboot failed!
dracut Warning: reboot failed!


[  145.953007] dracut Warning: 
dracut Warning: 


Generating "/run/initramfs/rdsosreport.txt"
You might want to save "/run/initramfs/rdsosreport.txt" to a USB stick or /boot
after mounting them and attach it to a bug report.

To get more debug information in the report,
reboot with "rd.debug" added to the kernel command line.

Dropping to debug shell.

shutdown:/# 
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

So far we got some customers hitting this or something similar (e.g. /usr/bin/multipath: command no found) in different scenarios:

1. Upon installation with a virtual DVD mounted on the iLO with low bandwidth between the ISO image and the iLO

  In this scenario, the issue is due to low bandwidth: dracut-shutdown has only 90 seconds to complete and this may not be enough, causing systemd to kill the cpio command executing and having missing binaries in /run/initramfs, causing the issue after switching root

2. Upon restarting VMWare guests: it's unclear which condition effectively happens here but it's very likely related to unpacking being killed as well on 90 seconds timeout


Version-Release number of selected component (if applicable):

dracut-049-95.git20200804.el8.x86_64 / plymouth-0.9.4-7.20200615git1e36e30.el8.x86_64


How reproducible:

ALWAYS with a "slow" DVD during installation
ALWAYS using the hack below

Steps to Reproduce:
1. Edit /usr/lib/dracut/dracut-initramfs-restore to delete "reboot" binary after extraction happens

Replace "exit 0" at the end of the script by this:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
rm /run/initramfs/usr/sbin/reboot
exit 1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

This mimics a timeout while cpio is running (binaries in /usr/sbin are the last ones being extracted).

2. Reboot the system

Actual results:

Emergency prompt

Expected results:

Automatic reboot if possible

Comment 1 Renaud Métrich 2021-02-03 09:27:03 UTC

Hardening can be easily implemented as shown  below:

1. dracut-shutdown failure needs to be detected (exit 1 is not sufficient) and cleanup must be really done, specially on timeout

  This can be achieve by a new "dracut-shutdown-onfailure.service" unit that will cleanup some extracted files (/run/initramfs/shutdown is sufficient, as already done when cpio fails in the script):

  dracut-shutdown-onfailure.service:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  [Unit]
  Description=Service executing upon dracut-shutdown failure to perform cleanup
  DefaultDependencies=no
  
  [Service]
  Type=oneshot
  ExecStart=/bin/sh -c '/bin/rm /run/initramfs/shutdown 2>/dev/null || true'
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  dracut-shutdown.service:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  [Unit]
  OnFailure=dracut-shutdown-onfailure.service
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. plymouth-switch-root-initramfs.service should have a After dependency on dracut-shutdown-onfailure.service to check for the new condition on "shutdown" script

  plymouth-switch-root-initramfs.service:
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  [Unit]
  After=dracut-shutdown-onfailure.service
  ConditionPathExists=/run/initramfs/shutdown
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  The After=dracut-shutdown-onfailure.service is required to make sure the cleanup of the initramfs extraction is performed before attempting to switch root.

With this in place, plymouth-switch-root-initramfs will *not* execute anymore if critical files in /run/initramfs are missing, indicating the initramfs extraction failed somehow.

Comment 2 David Tardon 2021-02-04 15:48:40 UTC

*** Bug 1631740 has been marked as a duplicate of this bug. ***

Comment 4 Renaud Métrich 2021-05-18 12:32:26 UTC

See also BZ #1961659.

Comment 5 Renaud Métrich 2022-01-13 15:57:47 UTC

See also BZ #2023665.

Comment 6 David Tardon 2022-07-14 08:52:23 UTC

*** Bug 1961659 has been marked as a duplicate of this bug. ***

Comment 10 errata-xmlrpc 2022-11-08 10:48:46 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (dracut bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7725

Comment 12 Maksym Domin 2024-05-09 16:14:40 UTC

(In reply to Renaud Métrich from comment #1)
> Hardening can be easily implemented as shown  below:
> 
> 1. dracut-shutdown failure needs to be detected (exit 1 is not sufficient)
> and cleanup must be really done, specially on timeout
> 
>   This can be achieve by a new "dracut-shutdown-onfailure.service" unit that
> will cleanup some extracted files (/run/initramfs/shutdown is sufficient, as
> already done when cpio fails in the script):
> 
>   dracut-shutdown-onfailure.service:
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
>   [Unit]
>   Description=Service executing upon dracut-shutdown failure to perform
> cleanup
>   DefaultDependencies=no
>   
>   [Service]
>   Type=oneshot
>   ExecStart=/bin/sh -c '/bin/rm /run/initramfs/shutdown 2>/dev/null || true'
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
> 
>   dracut-shutdown.service:
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
>   [Unit]
>   OnFailure=dracut-shutdown-onfailure.service
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
> 
> 2. plymouth-switch-root-initramfs.service should have a After dependency on
> dracut-shutdown-onfailure.service to check for the new condition on
> "shutdown" script
> 
>   plymouth-switch-root-initramfs.service:
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
>   [Unit]
>   After=dracut-shutdown-onfailure.service
>   ConditionPathExists=/run/initramfs/shutdown
>   -------- 8< ---------------- 8< ---------------- 8< ---------------- 8<
> --------
> 
>   The After=dracut-shutdown-onfailure.service is required to make sure the
> cleanup of the initramfs extraction is performed before attempting to switch
> root.
> 
> With this in place, plymouth-switch-root-initramfs will *not* execute
> anymore if critical files in /run/initramfs are missing, indicating the
> initramfs extraction failed somehow.

Is this a fix for the issue with /shutdown: line 162: reboot: command not found? I have the same symptoms after upgrade of Fedora 39 to 40.

Note You need to log in before you can comment on or make changes to this bug.