I have some questions about the the 'password' and 'restricted' keywords in yaboot.
Essentially, I want to have a normal unattended boot, but also want to prompt for a password if someone enters "linux single" on the yaboot prompt.
This is possible using 'password' and 'restricted'. The 'restricted' keyword causes it to only prompt if a boot parameter is set. Unfortunately, nowadays, lots of things are added by default to the 'append' line on both SLES and RHEL.
A SLES11 Example
# header section
partition = 3
timeout = 80
default = SLES11_SP1
# image section
image = /boot/vmlinux-188.8.131.52-0.7-ppc64
label = SLES11_SP1
root = /dev/disk/by-id/scsi-SAIX_VDASD_00c0002900004c0000000137756a5e7b.4-part3
append = "quiet sysrq=1 insmod=sym53c8xx insmod=ipr crashkernel=512M-:256M"
initrd = /boot/initrd-184.108.40.206-0.7-ppc64
So the above default config for SLES always prompts.
So the question is, is there a way to configure this so it works as desired?
Are those boot parameters that SLES appends on there critical?
I know 'crashkernel' and 'sysrq' are needed for KDUMP, which can be turned off.
'quiet' certainly isn't critical.
The 2 drivers, though, ipr and sym53c8xx: Are those really necessary to be added on the boot line like that? Those are SCSI controller drivers, I believe, so either they're really important, or not really.
My test machine still boots if I remove the append line (and works as desired with respect to the password behavior), but I'm using vSCSI drives via VIOS on this machine. My production machine isn't using a VIOS and the OS owns the HW, so it might be a different story there. I want to do the correct thing.
Can I lose the 'append' line and still boot ok? Or, if those drivers are needed, is it possible to bake them into the initrd instead?
Pinned topic yaboot, passwords, bootline questions
Answered question This question has been answered.
Unanswered question This question has not been answered yet.
Updated on 2012-07-31T01:05:36Z at 2012-07-31T01:05:36Z by t_breeds
ThinkOpenly 1000000S0Q54 Posts
Re: yaboot, passwords, bootline questions2012-07-27T16:31:31ZThis is the accepted answer. This is the accepted answer.Is GRUB2 an option, instead of yaboot?GRUB2 allows one to define a set of users, including "superusers", each with their own password. In addition, certain boot menu entries can be restricted to superusers only. The example on that page, (section 22, "Authentication and authorisation") shows a grub.cfg file with several stanzas for menu entries, including one for a normal boot and one for a superusers-only "linux single" boot.Updated on 2012-07-27T16:31:31Z at 2012-07-27T16:31:31Z by ThinkOpenly
JayFurmanek 060001WJQ2115 Posts
Re: yaboot, passwords, bootline questions2012-07-27T16:37:55ZThis is the accepted answer. This is the accepted answer.
That was a thought since I know grub2 is in the latest Fedora ppc release, but this is SLES11 SP1, so I'm not sure if you can retrofit grub2 here, and have it be supported.
- ThinkOpenly 1000000S0Q
ThinkOpenly 1000000S0Q54 Posts
Re: yaboot, passwords, bootline questions2012-07-27T17:02:01ZThis is the accepted answer. This is the accepted answer.
The bootloader should be independent of the OS, so it should work. Supported? Doubtful. (However, I doubt that building a new initrd is supported, either.)It's also possible that future updates to the system could attempt to overwrite the bootloader, so "independent" should be considered a relative term here. The existing bootloader should be disabled if going this route. (SLES still uses those "lilo" scripts, I think. I don't know how sensitive SLES would be to the removal of "lilo".)
- JayFurmanek 060001WJQ2
Brian_King 120000K4SY28 Posts
Re: yaboot, passwords, bootline questions2012-07-27T21:50:22ZThis is the accepted answer. This is the accepted answer.I don't think those insmod lines are necessary. The sym53c8xx driver is certainly not needed, since its not used on any currently shipping Power system. The ipr driver is most likely being used as the boot device if you are booting from internal SAS storage, but I'm pretty sure the mkinitrd script should do the right thing and load the driver without needing this.
t_breeds 0600016Y6W1 Post
Re: yaboot, passwords, bootline questions2012-07-31T01:05:36ZThis is the accepted answer. This is the accepted answer.
I have some questions about the the 'password' and 'restricted' keywords in yaboot. Essentially, I want to have a normal unattended boot, but also want to prompt for a password if someone enters "linux single" on the yaboot prompt. This is possible using 'password' and 'restricted'. The 'restricted' keyword causes it to only prompt if a boot parameter is set. Unfortunately, nowadays, lots of things are added by default to the 'append' line on both SLES and RHEL.Currently with yaboot there is no way to get the desired behaviour. I'll correct that. so that restricted ignores append="", and only triggers if someone adds additional args to the kernel command line.That doesn't really help you right now.You /might/ be able to build a zImage which combines the kernel+initrd and has a built in command line. I think the is a mkvmlinuz script in SLES somewhere.