Description of problem: New security feature in dracut changes the permissions to initrd.img, not to be world readable. This causes the installation to hang because of wrong permissions. When building new compose, lorax should create the file with right permissions. Version-Release number of selected component (if applicable): dracut-023-65.git20120927 lorax-18.20-1.fc18 How reproducible: always Actual results: initrd.img file has a wrong permissions -rw------- Expected results: initrd.img file should be readable by apache and other services.
This is the dracut patch: bd5b0179af91 commit e1b48995c26c4f06d1a718539cb1bd5b0179af91 Author: Harald Hoyer <harald> Date: Thu Sep 27 10:18:29 2012 +0200 dracut.sh: create the initramfs non-world readable diff --git a/dracut.sh b/dracut.sh index 7148d0f..96faa06 100755 --- a/dracut.sh +++ b/dracut.sh @@ -1033,8 +1033,9 @@ if [[ $do_hardlink = yes ]] ; then } fi +rm -f "$outfile" dinfo "*** Creating image file ***" -if ! ( cd "$initdir"; find . |cpio -R 0:0 -H newc -o --quiet| \ +if ! ( umask 077; cd "$initdir"; find . |cpio -R 0:0 -H newc -o --quiet| \ $compress > "$outfile"; ); then dfatal "dracut: creation of $outfile failed" exit 1
What do you mean by 'causes the installation to hang'? 0600 will not cause problems with the install. If other tools are copying the initrd, say to an apache server, they should set appropriate permissions for their needs. I don't think lorax should make any changes here.
I agree with Brian here. The tools should not rely on lorax creatinf the exact permissions as they need. What if some other tool needs different permissions, will we need to have a permission flag in lorax then?
The perms in dracut have changed due to strengthening security (e.g. embedded passwords in initrd), which doesn't apply to the installation images. I think we generally want these images to be readable by anyone. Keeping current state would mean changing all other tools using lorax. If someone wants to run lorax and share the images via http now, he has to explicitly fix the perms. Could you reconsider fixing it, please?
Ok, you got a point.
lorax-18.21-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/lorax-18.21-1.fc18
Package lorax-18.21-1.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing lorax-18.21-1.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-15993/lorax-18.21-1.fc18 then log in and leave karma (feedback).
proposing as a F18 Beta blocker, without this fixed we cant put together a working install tree as most install methods wont have access to the initrd.
Clear +1 blocker if it blocks compose.
+1 blocker. Breaks branched compose. ;)
The update has been pushed stable, so closing. We had +3 for blocker anyway.