JayFurmanek
59 Posts

yaboot, passwords, bootline questions

2012-07-27T14:46:58Z
Hi guys,

I have some questions about the 'password' and 'restricted' keywords in yaboot.
Essentially, I want to have a normal unattended boot, but also want to prompt for a password if someone enters "linux single" on the yaboot prompt.

This is possible using 'password' and 'restricted'. The 'restricted' keyword causes it to only prompt if a boot parameter is set. Unfortunately, nowadays, lots of things are added by default to the 'append' line on both SLES and RHEL.

A SLES11 Example
================

# header section
partition = 3
timeout = 80
password=$1$OAeK4UoX$d7H./NAk7EXITsqFN/W5o1
restricted
default = SLES11_SP1
# image section
image = /boot/vmlinux-2.6.32.12-0.7-ppc64
        label = SLES11_SP1        
        root = /dev/disk/by-id/scsi-SAIX_VDASD_00c0002900004c0000000137756a5e7b.4-part3
        append = "quiet sysrq=1 insmod=sym53c8xx insmod=ipr crashkernel=512M-:256M"
        initrd = /boot/initrd-2.6.32.12-0.7-ppc64
.
.

So the above default config for SLES always prompts.


So the question is, is there a way to configure this so it works as desired?
Are those boot parameters that SLES appends on there critical?
I know 'crashkernel' and 'sysrq' are needed for KDUMP, which can be turned off.
'quiet' certainly isn't critical.
The 2 drivers, though, ipr and sym53c8xx: Are those really necessary to be added on the boot line like that? Those are SCSI controller drivers, I believe, so either they're really important, or not really.

My test machine still boots if I remove the append line (and works as desired with respect to the password behavior), but I'm using vSCSI drives via VIOS on this machine. My production machine isn't using a VIOS and the OS owns the HW, so it might be a different story there. I want to do the correct thing.

Can I lose the 'append' line and still boot ok? Or, if those drivers are needed, is it possible to bake them into the initrd instead?

Thanks!
  • ThinkOpenly
    27 Posts

    Re: yaboot, passwords, bootline questions

    ‏2012-07-27T16:31:31Z  in response to JayFurmanek
    Is GRUB2 an option, instead of yaboot?
     
     
    GRUB2 allows one to define a set of users, including "superusers", each with their own password.  In addition, certain boot menu entries can be restricted to superusers only.  The example on that page, (section 22, "Authentication and authorisation") shows a grub.cfg file with several stanzas for menu entries, including one for a normal boot and one for a superusers-only "linux single" boot.
    • JayFurmanek
      59 Posts

      Re: yaboot, passwords, bootline questions

      ‏2012-07-27T16:37:55Z  in response to ThinkOpenly
      That was a thought since I know grub2 is in the latest Fedora ppc release, but this is SLES11 SP1, so I'm not sure if you can retrofit grub2 here, and have it be supported.
      • ThinkOpenly
        27 Posts

        Re: yaboot, passwords, bootline questions

        ‏2012-07-27T17:02:01Z  in response to JayFurmanek
        The bootloader should be independent of the OS, so it should work.  Supported?  Doubtful.  (However, I doubt that building a new initrd is supported, either.)
         
        It's also possible that future updates to the system could attempt to overwrite the bootloader, so "independent" should be considered a relative term here.  The existing bootloader should be disabled if going this route. (SLES still uses those "lilo" scripts, I think.  I don't know how sensitive SLES would be to the removal of "lilo".)
  • Brian_King
    14 Posts

    Re: yaboot, passwords, bootline questions

    ‏2012-07-27T21:50:22Z  in response to JayFurmanek
    I don't think those insmod lines are necessary. The sym53c8xx driver is certainly not needed, since it's not used on any currently shipping Power system. The ipr driver is most likely being used as the boot device if you are booting from internal SAS storage, but I'm pretty sure the mkinitrd script should do the right thing and load the driver without needing this.
  • t_breeds
    1 Post

    Re: yaboot, passwords, bootline questions

    ‏2012-07-31T01:05:36Z  in response to JayFurmanek

    I have some questions about the 'password' and 'restricted' keywords in yaboot. Essentially, I want to have a normal unattended boot, but also want to prompt for a password if someone enters "linux single" on the yaboot prompt. This is possible using 'password' and 'restricted'. The 'restricted' keyword causes it to only prompt if a boot parameter is set. Unfortunately, nowadays, lots of things are added by default to the 'append' line on both SLES and RHEL.
     
    Currently with yaboot there is no way to get the desired behaviour.  I'll correct that, so that restricted ignores append="" and only triggers if someone adds additional args to the kernel command line.
    That doesn't really help you right now.
     
    You /might/ be able to build a zImage which combines the kernel+initrd and has a built in command line. I think there is a mkvmlinuz script in SLES somewhere.
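
Added example, not part of any post in this thread and not yaboot's own code: a small Python audit of a yaboot.conf that flags the password/restricted/append interaction discussed above. The function names and finding codes are hypothetical, the sample config is constructed from the SLES11 stanza in the question with a placeholder hash, and the code assumes that a global append= acts as the default for stanzas without one and that a password without 'restricted' prompts on every boot.

```python
import re

# Constructed sample modelled on the SLES11 stanza quoted in the thread;
# the password hash is a placeholder, not a real credential.
SAMPLE = """\
partition = 3
timeout = 80
password=$1$PLACEHOLDER$0000000000000000000000
restricted
default = SLES11_SP1
image = /boot/vmlinux-2.6.32.12-0.7-ppc64
        label = SLES11_SP1
        append = "quiet sysrq=1 insmod=sym53c8xx insmod=ipr"
        initrd = /boot/initrd-2.6.32.12-0.7-ppc64
"""

def parse_yaboot(text):
    """Return (global_options, image_stanzas) from yaboot.conf text."""
    glob, images, cur = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        key, val = key.strip(), val.strip().strip('"')
        if key == "image":              # each image= line opens a new stanza
            cur = {"image": val}
            images.append(cur)
        else:                           # bare keywords (restricted) become True
            (glob if cur is None else cur)[key] = val if sep else True
    return glob, images

def audit(text):
    """List findings about the password/restricted/append interaction."""
    glob, images = parse_yaboot(text)
    pw, findings = glob.get("password"), []
    if not pw:
        return ["NO_PASSWORD"]          # nothing gates "linux single"
    if not re.match(r"\$1\$[^$]+\$", pw):
        findings.append("PASSWORD_NOT_MD5_CRYPT")  # unlike the thread's $1$ hash
    if "restricted" not in glob:
        return findings + ["PROMPTS_ON_EVERY_BOOT"]
    for img in images:
        # Assumption: a global append= is the default for stanzas without one.
        if img.get("append", glob.get("append", "")):
            # Thread: with restricted, a non-empty append counts as a boot
            # parameter, so even the unattended default boot asks for the password.
            findings.append("APPEND_TRIGGERS_PROMPT:" + img.get("label", img["image"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An empty result means the unattended boot should proceed without a prompt while parameters typed at the yaboot prompt still require the password, which is the outcome the original poster reported after removing the append line.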