I've played around a bit with this and although I don't have anything that works yet, here are some ideas on how it could be implemented:

I assume that DHCP and IP config is already taken care of (as the nfs support has that code already). I also assume that most people will be using NFSv4 with Kerberos authentication (it seems to be the most common setup).

The following files would need to be added to the initramfs:

  /usr/sbin/rpc.gssd
  /usr/sbin/rpc.idmapd
  Config files for Kerberos and the two rpc daemons
  Kernel modules (nfs and rpcsec_gss_krb5)
  nfs4 capable mount program

Since it would probably be a bad thing to store the Kerberos keytab inside the initramfs image, my idea was to use kadmin to get the nfs principal (usually nfs/[EMAIL PROTECTED]) from the KDC, so /usr/sbin/kadmin would be added as well.

An initramfs config file can hold the principal to use for nfs and the realm.

Then the setup would be:

1. Set up networking
2. Use kadmin to get nfs/[EMAIL PROTECTED] and store to /etc/krb5.keytab:
     kadmin -r REALM -p userprincipal -q "ktadd -k /etc/krb5.keytab nfs/[EMAIL PROTECTED]"
   (note: userprincipal defaults to root/admin)
3. Mount rpc_pipefs on /var/lib/nfs/rpc_pipefs
4. Load kernel modules
5. Start rpc.gssd and rpc.idmapd
6. Mount NFS root

When initramfs is done, it will nuke the contents of the initramfs (including the keytab) from memory. The keytab to use thereafter is expected to be found in /etc/krb5.keytab after pivot_root as usual.

The main problems seem to be:

o How and when should the rpc daemons be restarted so that the ones from the nfs-root-fs are used instead of the ones from initramfs? This is especially important if some of the hacks below are used...

o All these programs make for a quite fat initramfs and little use of klibc (libc6 and a bunch of other libraries will be pulled in). A hacked version of idmapd could possibly be written (the real one is about 1k lines of code) which always maps everything to root (since we are running in the initramfs context anyway), but I'm not so sure about the other tools. Changes to the klibc nfsmount also seem doable, but that leaves rpc.gssd and the Kerberos tools. rpc.gssd might be simplified by the fact that for the root user it uses the machine credentials, but there is still a lot of code...

-- 
David Härdeman
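
The sequence proposed in steps 2 to 6 above, written out as an initramfs shell function. This is an added sketch, not code from the message or from any initramfs project; the variable names (NFS_PRINC, KRB_REALM, KADMIN_USER, NFS_SERVER, NFS_EXPORT, NFS_SEC, rootmnt), the example values and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added sketch of steps 2-6; networking (step 1) is assumed to be up already.
# Assumed config values: NFS_PRINC, KRB_REALM, NFS_SERVER (required),
# KADMIN_USER, NFS_EXPORT, NFS_SEC, rootmnt (optional).
# DRY_RUN=1 prints each command instead of running it.

KEYTAB=/etc/krb5.keytab
PIPEFS=/var/lib/nfs/rpc_pipefs

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

krb5_nfsroot() {
    # Refuse to continue with an incomplete configuration.
    : "${NFS_PRINC:?}" "${KRB_REALM:?}" "${NFS_SERVER:?}"

    # Step 2: fetch the nfs principal into a keytab that exists only in the
    # initramfs. umask 077 keeps the file root-only while it is in memory.
    # kadmin prompts on the console for the admin principal's password.
    (umask 077
     run /usr/sbin/kadmin -r "$KRB_REALM" -p "${KADMIN_USER:-root/admin}" \
         -q "ktadd -k $KEYTAB $NFS_PRINC") || return 1

    # Do not rely on kadmin's exit status alone: check a keytab was written.
    if [ "${DRY_RUN:-0}" != 1 ] && [ ! -s "$KEYTAB" ]; then
        echo "krb5_nfsroot: no keytab written for $NFS_PRINC" >&2
        return 1
    fi

    # Steps 3-6, in the order given in the message; stop at the first failure.
    run mkdir -p "$PIPEFS" &&
    run mount -t rpc_pipefs rpc_pipefs "$PIPEFS" &&
    run modprobe nfs &&
    run modprobe rpcsec_gss_krb5 &&
    run /usr/sbin/rpc.gssd &&
    run /usr/sbin/rpc.idmapd &&
    run mount -t nfs4 -o "ro,sec=${NFS_SEC:-krb5}" \
        "$NFS_SERVER:${NFS_EXPORT:-/}" "${rootmnt:-/root}"
}
```

Running it with DRY_RUN=1 on a normal system shows the exact command order without touching the KDC or any mounts.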