Talk:mkinitcpio

From ArchWiki
Latest comment: 30 April by Flippantwalrus in topic qat_420xx FW missing

Talking about other hooks and a more generic view of the early userspace

I am the current maintainer of the the dropbear_initrd_encryptAUR, and, I've also developed some other mkinitcpio hooks, such as: mkinitcpio-pppAUR and mkinitcpio-ddnsAUR. I will write some wiki pages describing them, but I would also like to talk more about the early userspace. So, my question is, should I make an early userspace page, should I write a page just for the hooks? Should I write it and make it related to the mkinitcpio page? Thanks in advance.

Grazzolini (talk) 01:03, 11 February 2015 (UTC)Reply

It depends a lot on how much content you're actually going to write. I suggest starting by expanding on the early userspace in Arch boot process; then, if what you write gets too long, we can always consider splitting the page. About custom/additional hooks you might create a section below Mkinitcpio#Common hooks, following the same principle: if the content gets too long/detailed to stay in the page, we can split it later. In any case, it's very important that you try your best to avoid duplicating existing information in other articles, and instead either add links to them, or move that information to your new content, if it fits best there, and add links to the new location from the articles where the info was removed. — Kynikos (talk) 4:32, 12 February 2015 (UTC)
Thank you for your information Kynikos. I'll be contributing these changes very soon. Grazzolini (talk) 12:54, 12 February 2015 (UTC)Reply

Mark /usr with a passno of 2, not 0

mkinitcpio#/usr as a separate partition firmly suggests to mark /usr with a passno of 0 in /etc/fstab. The way I understand man fstab, 2 is the correct number for the task. Am I wrong? Regid (talk) 19:09, 6 April 2017 (UTC)Reply

It also suggests adding the fsck hook to your config. Seeing as the regular fsck binaries reside on the /usr partition, this is needed to actually make it possible to fsck it at startup. The entry in /etc/fstab should thus be 0. Koneu (talk) 07:27, 7 April 2017 (UTC)Reply
I see your point about the binaries residing on /usr. Still, with a passno of 0 you set no automatic fsck at all, don't you? Would you set passno for / to 0 when usr is an integral part of /?
Indeed the fsck hook copies fsck binaries to the initramfs, and possibly ignores passno for / and /usr at runtime. As an aside, its help text should mention usr, not just /.
Regid (talk) 10:12, 7 April 2017 (UTC)Reply
It seems the passno needs to be 2 instead, as otherwise I only get the message about / being clean at boot time. After changing passno to 2 I get the additional message that /usr is also clean. The only error in the logs is in regard to / (/dev/sda2 is mounted. e2fsck: Cannot continue, aborting.) which could indicate that the passno for / needs to be 0 instead. Maklor (talk) 22:27, 19 April 2020 (UTC)Reply

Talking about LUKS/LVM with sd-encrypt example

Formerly there was a link to the forum that was ambiguous about where the UUID were generated from. enckse documented clearly the same use case within this page, which was reverted by Lahwaacz in this change. The current edit of the page removes a reference to the forum post entirely. Where should the writeup from enckse be placed? - storrgie 22:05, 23 October 2017 (UTC)Reply

In the previous form, ie., as a tutorial, it would belong in someone's namespace. If you just want to capture the bit about determining UUIDs, then that is already documented on the relevant page. Jasonwryan (talk) 22:19, 23 October 2017 (UTC)Reply
If you review the forum post mentioned it isn't that I'm saying users don't know how to capture UUID. I'm saying that in the case of LUKS/LVM the rd.luks.uuid requires the block device UUID and the root=UUID= requires the UUID of the root volume group. This is what is ambiguous in the original forum post. Let's be clear, this is a commonly followed install pathway (LUKS/LVM), so why let users be confused when we've got a documented use case? - storrgie 22:25, 23 October 2017 (UTC)Reply
Then that relevant factoid belongs on the dm-crypt page page. Jasonwryan (talk) 22:39, 23 October 2017 (UTC)Reply
I've tried to place it in an appropriate place on that page, please advise. - storrgie 22:50, 23 October 2017 (UTC)Reply
I said *not* the entire tutorial, just the relevant snippet about locating the correct uuids. Jasonwryan (talk) 23:20, 23 October 2017 (UTC)Reply
It'd be nice to have a proposed modification rather than just slapping the revert button. - storrgie 23:41, 23 October 2017 (UTC)Reply
enckse's writeup is really no better than the forum post, it just describes how to do one specific thing without explaining the steps. That's not the wiki way, the wiki should explain the steps in some organized way and let users combine them as they want.
That said, I think that everything discussed here is already on the dm-crypt/System configuration page:
Though I must admit, that I can't find the rd.lvm.lv kernel parameter anywhere on the wiki. I have no idea what it's for and the forum post does not explain it either. Is it necessary for resume? Or for LVM? Or the LUKS/LVM combo? If you find out, feel free to explain it here so we can find an appropriate place on the wiki for it.
-- Lahwaacz (talk) 07:25, 24 October 2017 (UTC)Reply
rd.lvm.lv seems to be a dracut specific thing. -- nl6720 (talk) 13:26, 29 October 2017 (UTC)Reply
[1] confuses me. Is /etc/crypttab meant to be /etc/crypttab on real root or /etc/crypttab in initramfs (i.e. /etc/crypttab.initramfs on real root)? -- nl6720 (talk) 13:39, 29 October 2017 (UTC)Reply
Since the snippet is from the systemd-cryptsetup-generator(8) man page, I'd say it's the root where systemd-cryptsetup-generator is run. -- Lahwaacz (talk) 13:56, 29 October 2017 (UTC)Reply
mkinitcpio#Non-root drives are not decrypted by sd-lvm2 hook doesn't make the distinction, which makes the whole section nonsense. Why would you expect sd-lvm2 to have access to block devices that are decrypted after boot (those listed in /etc/crypttab on real root)? Using /etc/crypttab.initramfs is far simpler than messing around with all those rd.luks. and luks. parameters. -- nl6720 (talk) 14:06, 29 October 2017 (UTC)Reply
I have no idea, I just moved the section from systemd-boot. See also Talk:Systemd-boot#Move_section_.22Non-root_drives_are_not_decrypted_by_sd-lvm2_mkinitcpio_hook.22. -- Lahwaacz (talk) 14:31, 29 October 2017 (UTC)Reply

Improvements for the Common hooks table and section about systemd hook

I find the Common hooks table extremely useful on getting some information about the mkinitcpio hooks, especially when it comes to systemd hook compatibility, so I started to improving it, especially as some info seemed to be missing or incomplete. So far I added the note about the modules missing from the table that are included in initramfs package and noted the btrfs-progs for btrfs hook (it was noted only in Runtime, even if package hosts files for both) and what it seems mkinitcpio-nfs-utils requirement for net hook – although I'm not 100% sure about the last one, as the package wasn't installed on any of my Arch machines, so I just took a quick look at the repository in browser.

Next thing that got me confused was the Installation and Runtime tables. I realized that Installation must actually mean the Build as that's how the hooks are separated and took a look at what is included in /usr/lib/initcpio/install/ and /usr/lib/initcpio/hooks/ respectively. I found out that while most of the info is accurate (and despite resume hook being present in install/ it indeed seems it only calls for runtime hook) there are some discrepancies – in hooks/ there seems to be no mdadm_udev hook, nor fsck hook. Also, while some busybox (base) hooks have their Runtime equivalents, this is not in case for sd- equivalents or systemd's equivalent for the udev, usr and resume (see below).

Which brings me to the final point: using systemd in place of default udev and base. It is barely documented on wiki, a bit better on it's help entry, but have been covered in other places. I have been doing that on my machine for a while but are not sure of the explicit benefits of this. I haven't noticed major changes and default mkinitcpio.conf doesn't even mention it. The table covers the systemd equivalents, but I think a separate section explaining this could be helpful – maybe I just haven't found it yet and it is documented somewhere on wiki, but IMO it should at least be noted near that table, as it's not mentioned anywhere prior it on that page, other the Related articles and the expansion note. Also, it took me a while to figure the busybox/systemd meanings as they are confusing. Busybox is not mentioned anywhere in the page prior the table, so it either needs prior knowledge or looking at external sources, like /dev/brain0 » Blog Archive » Early Userspace in Arch Linux linked at the beginning. The note for base to "Always keep this hook as the first hook unless you know what you are doing." on the wiki and mkinitcpio -H base doesn't explain that it is safe to remove it and systemd's doesn't span towards base in the table. The only clue is "Provides a busybox recovery shell when using systemd hook." note and only mkinitcpio -H systemd clears the situation – i.e. the fact that the base can be safely removed, if one doesn't need the recovery shell. It would be nice to explain systemd's hook meaning a little in this wiki page, and would be great if someone more knowledgeable help with that, as I'm only inexperienced tinkerer :).

Faalagorn (talk) 03:26, 28 January 2018 (UTC)Reply

Thanks for improving. I have slightly different question. Does base hook really provide rescue shell for systemd? Last time I tried to switch to systemd I noticed there is no way to get into rescue shell if something goes wrong. That's why I reverted back to busybox. --Mxfm (talk) 06:58, 28 January 2018 (UTC)Reply
Rescue shell should work since systemd-230-5, see FS#36265. If it does not work file a new bug report. -- nl6720 (talk) 09:28, 28 January 2018 (UTC)Reply
I actually couldn't make it work by any mean using systemd hook and `rd.rescue` kernel parameter.
The only way for me to enter rescue/emergency shell with systemd (also having base hook in `mkinitcpio.conf`) was using `--force` flag for `sulogin` by editing the `rescue.service`.
It shows me an error that root user is locked… which is because it can't access any shadow file (I guess) Arash (talk) 02:25, 5 January 2024 (UTC)Reply
I removed shutdown and sd-shutdown from the expansion template. shutdown is deprecated[2] and sd-shutdown should not be added to mkinitcpio.conf, it's used only by mkinitcpio-generate-shutdown-ramfs.service.
As you found out Installation means stuff in /usr/lib/initcpio/install/ and Runtime - /usr/lib/initcpio/hooks/. The Runtime stuff is custom busybox shell scripts made by Arch devs. systemd-based hooks don't use any hacky scripts, they uses unit files to start the services so the Runtime doesn't really apply to systemd-based hooks. -- nl6720 (talk) 09:44, 28 January 2018 (UTC)Reply
systemd doesn't span towards base in the table because it's not a direct replacement for it, it doesn't provide a recovery shell. There's no need to use systemd hooks unless you have a problem with the busybox hooks, or need functionality that busybox hooks don't provide (e.g. FS#23182, FS#42851). -- nl6720 (talk) 09:58, 28 January 2018 (UTC)Reply
Thanks for replying! Since you clarified some of my doubts, I have updated the table to use the Build instead Installation notations, since that's what they were referred to previously, and linked to the appropriate sections. I also noted that runtime hooks are only used with busybox init and hopefully clarified the part about inits in the first two columns (maybe that should be rather explained in the sections above though?) – feel free to improve that further though! There's also some standing uncertainess about the mdadm_udev and fsck I mentioned, as their are missing their runtime files and are still described in the table? I still think that the systemd section would be worthwhile and a bit clarification on the table – I also found another benefit of systemd hook – additional initrd breakup in systemd-analyze, see this post and the post it refers to. Since i was fiddling with things improving the boot time, the extra info is quite helpful for me. There may be some more nuances, too – I was also after silent boot and while my current systemd initramfs is quiet with just the quiet and loglevel kernel parameters, the base + udev hooks are not and probably require more tinkering.Faalagorn / 16:19, 28 January 2018 (UTC)Reply
EDIT: There's also issue/question about the mdadm hook and systemd – according to this, mdadm hook doesn't work and only mdadm_udev works with systemd hook. If that still stand, shouldn't mdadm be marked as not implemented, similar to the net hook for systemd-based init? Also, technically systemd hook should also have entry in the table I guess, similar how base (plus udev, usr and resume) have. Faalagorn / 16:25, 28 January 2018 (UTC)Reply
I did some testing with minimal initramfs with no (cat) compression comparing base with systemd hooks boot times. Here are my results from 20 boot times – it's not professional and done mainly for my own curiosity, but what I found out that while boot time were similar, I spotted the differences – with base hook EFISTUB loader was constantly 20-21ms faster, which is understandable since the base hook initramfs is physically smaller. However, when using systemd hook, time spent in userspace was constantly being less for at least a couple ms, averaging at around 27ms less. My boot times with that setup were extremely fast in the first place, running minimal system from an M.2 SSD and hindered mostly by firmware, so the difference may vary by systems, but it seems there's some possible boot time improvements with systemd other than the benefit of splitting initrd from kernel in systemd-analyze. Also, when using systemd hook, systemd-analyze blame now lists more services. initrd-* services are unsurprising, but there were also new systemd-fsck-root.service, systemd-modules-load.service and systemd-tmpfile-clean.service – and still time spent in userspace boot process is less. Unfortunately, the F2FS on that system broke with can't find valid checkpoint error when I uncleanly shut the system down, which according to sources found online is irreparable and relatively common lately, so I won't test it further with F2FS, especially as I'm not gonna trust my partition to F2FS anyime soon, but I'll see how it'll be with regular ext4. I may also get to writing a section about systemd-based initramfs unless there's some opposition or someone else is working on it and probably update the Minimal initramfs page as well. Faalagorn / 13:11, 30 January 2018 (UTC)Reply

Files automatically sourced by mkinitcpio

Some files are automatically sourced by mkinitcpio, they should be referenced here. For example, mkinitcpio will use /etc/crypttab.initramfs but this is only mentioned in Dm-crypt/System configuration, and is nowhere to be found in mkinitcpio(8) or on this page. Are there others like this?

--Cvlc (talk) 13:24, 15 October 2021 (UTC)Reply

AFAIK, mkinitcpio itself won't use crypttab.initramfs. The sd-encrypt hook will, but that's separate from mkinitcpio. Scimmia (talk) 13:48, 15 October 2021 (UTC)Reply

base vs systemd, and the recovery shell

First, I would be strongly in favour of extending the systemd section in the table up one cell to include the base hook, because it really does provide the same functionality.

The only thing it's lacking is a recovery shell, but that's not an integral part of the boot process, it's an additional feature, and not even a very useful one. As long as you stick a big fat warning on it saying "put the base hook before or you'll lose your recovery shell", it should be fine.

Second, the Wiki should mention that you can enable the locked recovery shell if you really need to by editing

/usr/lib/systemd/system/emergency.service

to include

Environment=HOME=/root SYSTEMD_SULOGIN_FORCE=1

The only problem is I'm not sure if its persistent. If you take care of this, please delete my comment.

PBS (talk) 16:34, 12 November 2021 (UTC)Reply

The fact that the systemd hook doesn't provide a shell means that it doesn't provide same functionality as base. So, I'm against extending the cell.
As for editing emergency.service, I don't think that's a good idea. The unit is used not just in the initramfs (emergency.target can run in both the intramfs and after switch root).
-- nl6720 (talk) 06:45, 14 November 2021 (UTC)Reply
  • In that case, I think I would like to emphasize somewhere else on the page that base and systemd both provide init, and are interchangeable modulo recovery shells. The page in its current state confused me for a while as to their roles until I read the implementation.
  • Emphasis on if you really need to. For example, this might be necessary for debugging problems in early userspace. I wouldn't recommend it in real life for this very reason, and would put a big warning saying so on the Wiki if I added it. I suppose the answer anyway is just to copy the unit file to /etc... PBS (talk) 15:09, 14 November 2021 (UTC)Reply
I agree. I had to come here to see that I can remove base if I don't use the recovery shell. Afader (talk) 02:59, 22 January 2022 (UTC)Reply
I adjusted the text to make it clear that it's optional. As for the workaround for the locked shell, IMHO it can be added (with proper warnings) to mkinitcpio#Troubleshooting. -- nl6720 (talk) 07:42, 22 January 2022 (UTC)Reply
I wonder if the recovery shell being locked shouldn't just be considered a bug since it doesn't function without some workaround. I have occasionally had an error in boot that dropped me to the non-working root shell where I vainly attempted to use it to correct the error. Inevitably in these cases I simply have to use the arch install media to arch-chroot to my installation. Afader (talk) 08:08, 22 January 2022 (UTC)Reply
Unfortunately it's not a bug, but a security feature 🙄. See [3], [4] and FS#70408. -- nl6720 (talk) 08:13, 22 January 2022 (UTC)Reply
Reading that makes me think the workaround should be including a separate shadow file in the initramfs as the comments say. However don't care to break my system to reproduce the failure scenario and see if that helps. Afader (talk) 08:20, 22 January 2022 (UTC)Reply

It will be persistent if you add it in a separate `.d` file in `/etc/` directory. Like this:

   `/etc/systemd/system/rescue.service.d/sulogin-force.conf`

And not editing `/usr/lib` files directly. Arash (talk) 02:29, 5 January 2024 (UTC)Reply

Hooks ordering

I don't see explicit mention of recommended ordering of hooks in [section], but the table below seems to implicitly recommend the ordering.

Further, I'm inferring that fsck must go last, based on that table and [entry].

I recommend these be specified for the benefit of the reader.

ThinkPad (talk) 01:25, 20 December 2022 (UTC)Reply

sd-vconsole can not set the font

HOOK sd-vconsole can not find out font in the /etc/vconsole.conf

but the font exists in the /usr/share/kbd/consolefonts/ter-v32n.psf.gz.

vconsole can not set the font .

Bfdddp (talk) 06:59, 20 March 2024 (UTC)Reply

ERROR: sd-vconsole: requested font not found: '/usr/share/kbd/consolefonts/ter-v32n.psf.gz'
but the font exists in the /usr/share/kbd/consolefonts/ter-v32n.psf.gz.
vconsole can not set the font . Bfdddp (talk) 07:02, 20 March 2024 (UTC)Reply
This is not the place for tech support. Use forums or support channels for help. Use bugtrackers for reporting bugs.
Hanabishi (talk) 09:48, 20 March 2024 (UTC)Reply

qat_420xx FW missing

linux 6.8.2 (I can't remember if older linux versions as well) brought:

```

==> WARNING: Possibly missing firmware for module: 'qat_420xx'

```

Not sure if a note about it could be added, since there doesn't seem to be any available AUR FW package, neither any official package.


This seems like a variant of the `qat_4xxx` missing FW which went away by itself some time back. je-vv (talk) 22:59, 29 March 2024 (UTC)Reply

Currently Intel lists as pending:
https://intel.github.io/quickassist/RN/In-Tree/in_tree_firmware_RN.html#qat-firmware-available
qat_4xxx got included in back in 20230404 update of linux-firmware Flippantwalrus (talk) 00:37, 30 April 2024 (UTC)Reply

xz backdoor and security vulnerabilities

Because of the backdoors and security vulnerabilities introduced into xz over multiple years by a malicious actor (known as "Jia Tan", "Hans Jansen", "Dennis Ens" or "Jigar Kumar"; see https://www.openwall.com/lists/oss-security/2024/03/29/4 and https://tukaani.org/xz-backdoor/ ); it is probably best not to use xz as compression algorithm for the initramfs (at least until everything has been rolled back to the state before this malicious actor became involved).


That's why I

- added warnings about that

- deleted all sentences and configuration suggestions about xz.

If you are not ok with that, you can roll it back. DasMenschy (talk) 20:20, 31 March 2024 (UTC)Reply

The warnings sound like the the xz package is still vulnerable, which is false. Since this is the Arch wiki, it would be best to reference the Arch statement instead. Also it does not make sense to disregard xz completely on one page only when it may be used in many other places on the wiki as well as real user systems. So I will roll back your changes until we agree that a coordinated effort to update the wiki is necessary. — Lahwaacz (talk) 08:26, 1 April 2024 (UTC)Reply
In my humble opinion, at least a warning should be displayed/kept on the page. DasMenschy (talk) 08:49, 1 April 2024 (UTC)Reply
Sounds kinda pointless. There are lots of other things in the system using it, 144 packages currently depend on xz, including essential ones like systemd. Putting such warning is a drop in the sea.
Also, Arch maintainers consider it safe atm. No other malicious functionality have been found yet. If something will turn up, it will require much more serious measures, e.g. reverting to much older version or disabling it completely.
Hanabishi (talk) 10:35, 1 April 2024 (UTC)Reply
"Putting such warning is a drop in the sea." But it's still better than nothing. You have to start somewhere. In Wikipedia, they have the motto: "Be Bold!" / "Fix it!" (WP:BOLD). Perfect is the enemy of the good!
That's why I thought I could practice the same in the Arch Wiki and be bold. Anyway, if you don't want any warning about xz in the Arch Wiki, so be it.
DasMenschy (talk) 10:52, 1 April 2024 (UTC)Reply
I mean, we have top headline on the matter literally at the main page. If that's not enough for someone, I doubt anything else is.
Hanabishi (talk) 11:08, 1 April 2024 (UTC)Reply
We have no reason to recommend against using xz unless some authoritative statement against its use gets published. -- nl6720 (talk) 11:20, 1 April 2024 (UTC)Reply
And there has also been lots of criticism against xz even *before* the backdoor attack happened: https://www.nongnu.org/lzip/xz_inadequate.html . DasMenschy (talk) 08:52, 1 April 2024 (UTC)Reply
It's criticism by the author of a competing compressor, so it's best to take it with a grain of salt. -- nl6720 (talk) 11:08, 1 April 2024 (UTC)Reply
Btw, that rant has nothing to do with initramfs application anyway. Boot images are not "long-term archiving", nor contain any valuable data you could be afraid to lose.
Hanabishi (talk) 11:12, 1 April 2024 (UTC)Reply
The article is not just about "long-term archiving". Please do not only read headlines, read the whole text. It's also about error correction. If there's an error in the initramfs, Arch Linux probably can't boot. So that's relevant. DasMenschy (talk) 11:17, 1 April 2024 (UTC)Reply
So what? Zstd has no error correction too iirc and won't boot in case of corruption. And if you use UKI with Secure Boot, any tampered image will be rejected intentionally.
You simply regenerate the image, you don't lose anything here.
Hanabishi (talk) 11:36, 1 April 2024 (UTC)Reply