Package: dracut-core
Version: 106-6
Severity: important
X-Debbugs-Cc: [email protected], [email protected]

I'm using a Debian Trixie system, with Dracut configuration options
`hostonly="yes"` and `hostonly_mode="sloppy"`, and with a root password set
on the host prior to generating an initramfs with `sudo dracut --force`.

When attempting to drop to an emergency shell by appending `rd.break` to the
end of the kernel command line, it is impossible to actually enter the
emergency shell environment. Instead, an error message is displayed: "Cannot
open access to console, the root account is locked." Pressing Enter at this
point results in Dracut attempting to finish the boot process. This is mostly
annoying when trying to use `rd.break`, but I suspect this issue will entirely
prevent access to the emergency shell when the boot process is actually
broken.

After unpacking the initramfs and inspecting it, I believe I see the problem -
Dracut generates an /etc/shadow within the initramfs that actually has *two*
password lines for root. There is one at the start of the file, which has a
password hash of "!unprovisioned", and then there is one at the very end of
the file, which has the true password hash of the root user. I believe systemd
is seeing the first line and bailing out, ignoring the second line.

The tip of Dracut's git master from upstream does not have this issue. I can
reach the emergency shell if I provide the root password, and the /etc/shadow
file in the initramfs only has one line for root, with the real root user's
password hash. Dracut 107 still has the issue. I bisected to find the commit
that fixed the bug and landed on
https://github.com/dracut-ng/dracut-ng/commit/50285645e617a537e69d4eb8f22dbe83c9b22665
as the first fixed commit. I would love to see this (or part of this)
backported into Trixie.

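A check for the condition described in the report above, as an added example that is not part of the original message or of Dracut: it scans an `/etc/shadow` taken from an unpacked initramfs for accounts listed more than once and reports whether the first root entry, the one the report believes is being read, is locked. The function names and the sample file are constructed for illustration; pass the path to the unpacked `etc/shadow` as the first argument to check a real image.

```shell
# Added example: audit an unpacked initramfs /etc/shadow. Names are hypothetical.
# Print how many entries FILE ($1) holds for USER ($2).
shadow_count() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# Print the state of the FIRST entry for USER: locked, empty, set or missing.
shadow_first_state() {
    awk -F: -v u="$2" '
        $1 == u {
            if ($2 == "") print "empty"
            else if ($2 ~ /^[!*]/) print "locked"
            else print "set"
            found = 1; exit
        }
        END { if (!found) print "missing" }' "$1"
}

# Print every account name that occurs more than once in FILE.
shadow_duplicates() {
    awk -F: '$1 != "" && seen[$1]++ == 1 { print $1 }' "$1"
}

# Report findings; return 1 if any account is duplicated or root is locked.
audit_shadow() {
    rc=0
    for user in $(shadow_duplicates "$1"); do
        echo "DUPLICATE: $user x$(shadow_count "$1" "$user"), first entry is $(shadow_first_state "$1" "$user")"
        rc=1
    done
    if [ "$(shadow_first_state "$1" root)" = "locked" ]; then
        echo "LOCKED: first root entry is locked"
        rc=1
    fi
    return $rc
}

# Constructed sample input mirroring the layout described in the report.
write_sample() {
    cat > "$1" <<'EOF'
root:!unprovisioned:20000::::::
daemon:*:20000:0:99999:7:::
root:$y$j9T$CONSTRUCTED$notARealHash:20000:0:99999:7:::
EOF
}

sample=$(mktemp); write_sample "$sample"
audit_shadow "${1:-$sample}" || echo "initramfs shadow file needs attention"
rm -f "$sample"
```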