From Fedora Project Wiki
(new Change proposal)
 
Line 40: Line 40:
- you can enforce the need for a root password in single-user mode by setting it
- you can enforce the need for a root password in single-user mode by setting it


This change will be implemented by pre-installing an RPM containing systemd overrides for `emergency.service` and `rescue.service`, similar to the [CoreOS implementation](https://github.com/coreos/fedora-coreos-config/commit/eb74f2ea3e9b453902315539e4f327481162c4f8), so users and editions/variants can opt out by removing this or omitting it from their default installation.
This change will be implemented by pre-installing an RPM containing systemd overrides for `emergency.service` and `rescue.service`, similar to the [https://github.com/coreos/fedora-coreos-config/commit/eb74f2ea3e9b453902315539e4f327481162c4f8 CoreOS implementation], so users and editions/variants can opt out by removing this or omitting it from their default installation.


== Feedback ==
== Feedback ==

Revision as of 00:45, 4 December 2021

Make Rescue Mode Work With Locked Root

Summary

Fedora defaults to locking the root account, which is needed by single-user mode. This Change uses sulogin --force so the password request is bypassed under this circumstance.

Owner

Current status

  • Targeted release: Fedora Linux 36
  • Last updated: 2021-12-04
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

Users typically only use single-user mode in case the normal boot is not working. In the unfortunate situation that it happens, under the current setup they cannot recover without booting from a Fedora live image or another image, or by overriding init=, because our single-user mode requires a root password, and by default we lock the root account.

A more user-friendly setup is to allow the password to be bypassed in case it's not set.

This does not pose an increased security risk: - you can already boot with init=/sysroot/bin/bash anyway - anyone with physical access to a machine can probably compromise it - you can enforce the need for a root password in single-user mode by setting it

This change will be implemented by pre-installing an RPM containing systemd overrides for emergency.service and rescue.service, similar to the CoreOS implementation, so users and editions/variants can opt out by removing this or omitting it from their default installation.

Feedback

Benefit to Fedora

This Change provides a better out-of-the-box user experience in case they need to rescue their system, by making the rescue option presented in the bootloader actually work.

Scope

  • Proposal owners: Ship the needed configuration change in a systemd subpackage. Test and verify that it works, then work with editions and spins to test and enable this by default by making systemd Recommends: (systemd-rescue-defaults if dracut-config-rescue)
  • Other developers: Test this and opt-out if necessary (eg cloud doesn't have initramfs so the package is deadweight). On variants where dracut-config-rescue is installed but an opt out is desired, excluding the package from installation will prevent it being installed on systemd upgrades
  • Release engineering: #10422
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A

Upgrade/compatibility impact

Upgrades would pull in this automatically, see [1]

How To Test

- dnf install systemd-rescue-defaults - reboot and verify rescue mode works

User Experience

Rescue mode works out of the box, without resorting to overriding init= or using a live media.

Dependencies

- most changes will be done in the systemd package - for variants that need to opt out we'll need to modify their kickstart files

Contingency Plan

  • Contingency mechanism: if the Recommends have been added to systemd, remove it and potentially add an Obsoletes: to remove older known-bad versions of rescue-defaults
  • Contingency deadline: Beta freeze
  • Blocks release? No

Documentation

The built-in rescue mode now works out of the box without needing to use a live image. For added security you can set a root password.

Release Notes