(Deferring to F37) |
(Change is withdrawn pending updates) |
||
Line 10: | Line 10: | ||
== Current status == | == Current status == | ||
[[Category: | [[Category:ChangePageIncomplete]] | ||
[[Category:SystemWideChange]] | [[Category:SystemWideChange]] |
Latest revision as of 17:41, 17 May 2022
Make Rescue Mode Work With Locked Root
Summary
Fedora defaults to locking the root account, which is needed by single-user mode. This Change uses sulogin --force
so the password request is bypassed under this circumstance.
Owner
- Name: Michel Alexandre Salim, Neal Gompa, David Duncan
- Email: michel@michel-slm.name, ngompa13@gmail.com, davdunc@amazon.com
Current status
- Targeted release: Fedora Linux 37
- Last updated: 2022-05-17
- devel thread
- FESCo issue: #2713
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Users typically only use single-user mode in case the normal boot is not working. In the unfortunate situation that it happens, under the current setup they cannot recover without booting from a Fedora live image or another image, or by overriding init=
, because our single-user mode requires a root password, and by default we lock the root account.
A more user-friendly setup is to allow the password to be bypassed in case it's not set.
This does not pose an increased security risk:
- you can already boot with init=/sysroot/bin/bash
anyway
- anyone with physical access to a machine can probably compromise it
- you can enforce the need for a root password in single-user mode by setting it
This change will be implemented by pre-installing an RPM containing systemd overrides for emergency.service
and rescue.service
, similar to the CoreOS implementation, so users and editions/variants can opt out by removing this or omitting it from their default installation.
Feedback
Benefit to Fedora
This Change provides a better out-of-the-box user experience in case they need to rescue their system, by making the rescue option presented in the bootloader actually work.
Scope
- Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making
systemd
Recommends: (systemd-rescue-defaults if dracut-config-rescue)
- Other developers: Test this and opt-out if necessary (eg cloud doesn't have a rescue initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
- Release engineering: #10422
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A
Upgrade/compatibility impact
Upgrades would pull in this automatically, see [1]
How To Test
- dnf install systemd-rescue-defaults
- reboot and verify rescue mode works
User Experience
Rescue mode works out of the box, without resorting to overriding init= or using a live media.
Dependencies
- most changes will be done in the systemd
package
- for variants that need to opt out we'll need to modify their kickstart files
Contingency Plan
- Contingency mechanism: if the
Recommends
have been added to systemd, remove it and potentially add anObsoletes:
to remove older known-bad versions ofrescue-defaults
- Contingency deadline: Beta freeze
- Blocks release? No
Documentation
The built-in rescue mode now works out of the box without needing to use a live image. For added security you can set a root password.