[kdump] Fix OOM events in crashkernel

files/Aboot/boot0.j2

@@ -86,7 +86,7 @@ installer_image_path="$image_path/$installer_image"
 
 boot_config="$target_path/boot-config"
 
-cmdline_allowlist='crashkernel'
+cmdline_allowlist="crashkernel hwaddr_ma1"
 
 # for backward compatibility with the sonic_upgrade= behavior
 install="${install:-${sonic_upgrade:-}}"
@@ -392,7 +392,8 @@ extract_image() {
 
 extract_image_secureboot() {
     info "Extracting necessary swi content"
-    unzip -oq "$swipath" platform/firsttime .imagehash -d "$image_path"
+    # NOTE: boot/ is not used by the boot process but only extracted for kdump
+    unzip -oq "$swipath" 'boot/*' platform/firsttime .imagehash -d "$image_path"
 
     info "Installing image as $installer_image_path"
     mv "$swipath" "$installer_image_path"
@@ -650,6 +651,27 @@ write_default_cmdline() {
     cmdline_add "$delimiter"
 }
 
+write_cmdline() {
+    # use extra parameters from kernel-params hook if the file exists
+    if [ -f "$target_path/$kernel_params" ] && ! $secureboot; then
+        info "Loading extra kernel parameters from $kernel_params"
+        cat "$target_path/$kernel_params" | cmdline_append
+    fi
+
+    # FIXME: sonic sometimes adds extra kernel parameters from user space
+    #        this is unsafe but some will be kept as part of the regular boot
+    if [ -f "$image_path/kernel-cmdline" ]; then
+        for field in $cmdline_allowlist; do
+           cat "$image_path/kernel-cmdline" | tr ' ' '\n' | grep -E "$field" | tail -n 1 | cmdline_append
+        done
+    fi
+
+    # FIXME: legacy configuration files used by fast-reboot and eos2sonic
+    #        these should be deprecated over time.
+    cmdline_echo > "$image_path/kernel-cmdline"
+    cmdline_echo | sed 's/ cmdline-aboot-end.*$//' > "$target_path/kernel-params-base"
+}
+
 write_common_configs() {
     write_default_cmdline
     write_platform_specific_cmdline
@@ -667,28 +689,14 @@ write_secureboot_configs() {
     cmdline_add aboot.secureboot=enabled
     # setting panic= has the side effect of disabling the initrd shell on error
     cmdline_add panic=0
+    write_cmdline
 }
 
 write_regular_configs() {
     write_common_configs
     cmdline_add "loop=$image_name/fs.squashfs"
     cmdline_add loopfstype=squashfs
-
-    # use extra parameters from kernel-params hook if the file exists
-    if [ -f "$target_path/$kernel_params" ]; then
-        cat "$target_path/$kernel_params" | cmdline_append
-    fi
-
-    # FIXME: sonic sometimes adds extra kernel parameters from user space
-    #        this is unsafe but some will be kept as part of the regular boot
-    if [ -f "$image_path/kernel-cmdline" ]; then
-        cat "$image_path/kernel-cmdline" | tr ' ' '\n' | grep -E "$cmdline_allowlist" | cmdline_append
-    fi
-
-    # FIXME: legacy configuration files used by fast-reboot and eos2sonic
-    #        these should be deprecated over time.
-    cmdline_echo > "$image_path/kernel-cmdline"
-    cmdline_echo | sed 's/ cmdline-aboot-end.*$//' > "$target_path/kernel-params-base"
+    write_cmdline
 }
 
 run_kexec() {
@@ -753,8 +761,8 @@ secureboot_boot() {
 
 regular_boot() {
     # boot uses the image installed on the flash
-    run_hooks pre-kexec
     write_regular_configs "$image_path"
+    run_hooks pre-kexec
     update_next_boot
     run_kexec
 }

files/image_config/secureboot/allowlist_paths.conf

@@ -1,5 +1,6 @@
 home/.*
 var/core/.*
+var/crash/.*
 var/log/.*
 etc/adjtime
 etc/default/ntp

files/initramfs-tools/arista-convertfs.j2

@@ -19,7 +19,8 @@ block_flash=''
 aboot_flag=''
 backup_file=''
 prev_os=''
-sonic_fast_reboot=''
+sonic_fast_reboot=false
+in_kdump=false
 
 # Wait until get the fullpath of flash device, e.g., /dev/sda
 wait_get_flash_dev() {
@@ -141,14 +142,20 @@ for x in "$@"; do
         SONIC_BOOT_TYPE=warm*|SONIC_BOOT_TYPE=fast*)
             sonic_fast_reboot=true
             ;;
+        systemd.unit=kdump-tools.service)
+            in_kdump=true
+            ;;
     esac
 done
 
 # Check aboot
 [ -z "$aboot_flag" ] && exit 0
 
+# Check kdump
+[ "$in_kdump" = true ] && exit 0
+
 # Skip this script for warm-reboot/fast-reboot from sonic
-[ "$sonic_fast_reboot" == true ] && [ "$prev_os" != eos ] && exit 0
+[ "$sonic_fast_reboot" = true ] && [ "$prev_os" != eos ] && exit 0
 
 # Get flash dev name
 if [ -z "$block_flash" ]; then

files/initramfs-tools/arista-hook

@@ -45,6 +45,10 @@ for x in "$@"; do
             # Skip this script for warm-reboot and fast-reboot
             exit 0
             ;;
+        systemd.unit=kdump-tools.service)
+            # In kdump environment, skip hooks
+            exit 0
+            ;;
     esac
 done
 

files/initramfs-tools/union-mount.j2

@@ -15,6 +15,7 @@ docker_inram=false
 logs_inram=false
 secureboot=false
 bootloader=generic
+in_kdump=false
 
 # Extract kernel parameters
 for x in $(cat /proc/cmdline); do
@@ -35,6 +36,9 @@ for x in $(cat /proc/cmdline); do
         platform=*)
             platform_flag="${x#platform=}"
             ;;
+        systemd.unit=kdump-tools.service)
+            in_kdump=true
+            ;;
     esac
 done
 
@@ -86,7 +90,7 @@ mkdir -p "$rw_dir"
 mkdir -p "$work_dir"
 
 ## Remove the files not in allowlist in the rw folder
-if $secureboot; then
+if [ "$secureboot" = true ] && [ "$in_kdump" = false ]; then
     if [ "$bootloader" = "aboot" ]; then
         swi_path="${rootmnt}/host/$(sed -E 's/.*loop=([^ ]+).*/\1/' /proc/cmdline)"
         unzip -q "$swi_path" allowlist_paths.conf -d /tmp
@@ -120,23 +124,25 @@ case "${ROOT}" in
 esac
 
 mkdir -p ${rootmnt}/var/lib/docker
-if $secureboot; then
-    mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
-    if [ "$bootloader" = "aboot" ]; then
-        unzip -qp "$swi_path" dockerfs.tar.gz | tar xz --numeric-owner -C ${rootmnt}/var/lib/docker
-        ## Boot folder is not extracted during secureboot since content would inherently become unsafe
-        mkdir -p ${rootmnt}/host/$image_dir/boot
+if [ "$in_kdump" = false ]; then
+    if [ "$secureboot" = true ]; then
+        mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
+        if [ "$bootloader" = "aboot" ]; then
+            unzip -qp "$swi_path" dockerfs.tar.gz | tar xz --numeric-owner -C ${rootmnt}/var/lib/docker
+            ## Boot folder is not extracted during secureboot since content would inherently become unsafe
+            mkdir -p ${rootmnt}/host/$image_dir/boot
+        else
+            echo "secureboot unsupported for bootloader $bootloader" 1>&2
+            exit 1
+        fi
+    elif [ -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} ]; then
+        ## mount tmpfs and extract docker into it
+        mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
+        tar xz --numeric-owner -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} -C ${rootmnt}/var/lib/docker
     else
-        echo "secureboot unsupported for bootloader $bootloader" 1>&2
-        exit 1
+        ## Mount the working directory of docker engine in the raw partition, bypass the overlay
+        mount --bind ${rootmnt}/host/$image_dir/{{ DOCKERFS_DIR }} ${rootmnt}/var/lib/docker
     fi
-elif [ -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} ]; then
-    ## mount tmpfs and extract docker into it
-    mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
-    tar xz --numeric-owner -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} -C ${rootmnt}/var/lib/docker
-else
-    ## Mount the working directory of docker engine in the raw partition, bypass the overlay
-    mount --bind ${rootmnt}/host/$image_dir/{{ DOCKERFS_DIR }} ${rootmnt}/var/lib/docker
 fi
 
 ## Mount the boot directory in the raw partition, bypass the overlay