From Fedora Project Wiki
(new Change proposal)
 
(Change is withdrawn pending updates)
 
(5 intermediate revisions by 3 users not shown)
Line 6: Line 6:


== Owner ==
== Owner ==
* Name: [[User:Salimma|Michel Alexandre Salim]]
* Name: [[User:Salimma|Michel Alexandre Salim]], [[User:Ngompa|Neal Gompa]], [[User:Davdunc|David Duncan]]
* Email: michel@michel-slm.name
* Email: michel@michel-slm.name, ngompa13@gmail.com, davdunc@amazon.com
* Name: [[User:Ngompa|Neal Gompa]]
* Email: ngompa13@gmail.com
* Name: [[User:Davdunc|David Duncan]]
* Email: davdunc@amazon.com


== Current status ==
== Current status ==
[[Category:ChangeReadyForWrangler]]
[[Category:ChangePageIncomplete]]


[[Category:SystemWideChange]]
[[Category:SystemWideChange]]


* Targeted release: [[Releases/36 | Fedora Linux 36 ]]  
* Targeted release: [[Releases/37 | Fedora Linux 37 ]]  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
* Last updated: <!-- this is an automatic macro — you don't need to change this line -->  {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}}  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page  
Line 26: Line 22:
ON_QA -> change is fully code complete
ON_QA -> change is fully code complete
-->
-->
* FESCo issue: <will be assigned by the Wrangler>
* [https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/3UCY6GLDPSWEUSUQ7MJXHJYMG42ZHQBO/ devel thread]
* FESCo issue: [https://pagure.io/fesco/issue/2713 #2713]
* Tracker bug: <will be assigned by the Wrangler>
* Tracker bug: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
* Release notes tracker: <will be assigned by the Wrangler>
Line 40: Line 37:
- you can enforce the need for a root password in single-user mode by setting it
- you can enforce the need for a root password in single-user mode by setting it


This change will be implemented by pre-installing an RPM containing systemd overrides for `emergency.service` and `rescue.service`, similar to the [CoreOS implementation](https://github.com/coreos/fedora-coreos-config/commit/eb74f2ea3e9b453902315539e4f327481162c4f8), so users and editions/variants can opt out by removing this or omitting it from their default installation.
This change will be implemented by pre-installing an RPM containing systemd overrides for `emergency.service` and `rescue.service`, similar to the [https://github.com/coreos/fedora-coreos-config/commit/eb74f2ea3e9b453902315539e4f327481162c4f8 CoreOS implementation], so users and editions/variants can opt out by removing this or omitting it from their default installation.


== Feedback ==
== Feedback ==
Line 50: Line 47:
== Scope ==
== Scope ==
* Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making `systemd` `Recommends: (systemd-rescue-defaults if dracut-config-rescue)`
* Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making `systemd` `Recommends: (systemd-rescue-defaults if dracut-config-rescue)`
* Other developers: Test this and opt-out if necessary (eg cloud doesn't have initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
* Other developers: Test this and opt-out if necessary (eg cloud doesn't have a rescue initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
* Release engineering: [https://pagure.io/releng/issue/10422 #10422]
* Release engineering: [https://pagure.io/releng/issue/10422 #10422]
* Policies and guidelines: N/A (not needed for this Change)
* Policies and guidelines: N/A (not needed for this Change)

Latest revision as of 17:41, 17 May 2022

Make Rescue Mode Work With Locked Root

Summary

Fedora defaults to locking the root account, which is needed by single-user mode. This Change uses sulogin --force so the password request is bypassed under this circumstance.

Owner

Current status

  • Targeted release: Fedora Linux 37
  • Last updated: 2022-05-17
  • devel thread
  • FESCo issue: #2713
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Users typically only use single-user mode in case the normal boot is not working. In the unfortunate situation that it happens, under the current setup they cannot recover without booting from a Fedora live image or another image, or by overriding init=, because our single-user mode requires a root password, and by default we lock the root account.

A more user-friendly setup is to allow the password to be bypassed in case it's not set.

This does not pose an increased security risk: - you can already boot with init=/sysroot/bin/bash anyway - anyone with physical access to a machine can probably compromise it - you can enforce the need for a root password in single-user mode by setting it

This change will be implemented by pre-installing an RPM containing systemd overrides for emergency.service and rescue.service, similar to the CoreOS implementation, so users and editions/variants can opt out by removing this or omitting it from their default installation.

Feedback

Benefit to Fedora

This Change provides a better out-of-the-box user experience in case they need to rescue their system, by making the rescue option presented in the bootloader actually work.

Scope

  • Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making systemd Recommends: (systemd-rescue-defaults if dracut-config-rescue)
  • Other developers: Test this and opt-out if necessary (eg cloud doesn't have a rescue initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
  • Release engineering: #10422
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Upgrades would pull in this automatically, see [1]

How To Test

- dnf install systemd-rescue-defaults - reboot and verify rescue mode works

User Experience

Rescue mode works out of the box, without resorting to overriding init= or using a live media.

Dependencies

- most changes will be done in the systemd package - for variants that need to opt out we'll need to modify their kickstart files

Contingency Plan

  • Contingency mechanism: if the Recommends have been added to systemd, remove it and potentially add an Obsoletes: to remove older known-bad versions of rescue-defaults
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

The built-in rescue mode now works out of the box without needing to use a live image. For added security you can set a root password.

Release Notes