

No commits in common. "master" and "r8" have entirely different histories.

65 changed files with 231 additions and 820 deletions

.gitignore vendored

@ -2,4 +2,3 @@ build/
.direnv/
.envrc
ass
.idea


@ -10,10 +10,3 @@ repos:
- extras
include: manifests/rocky-coreos.yaml
postprocess:
- |
#!/usr/bin/env bash
set -xeuo pipefail
# Remove rltype from repo urls
find /etc/yum.repos.d/ -type f -exec sed -i 's/\$rltype//g' {} \;


@ -3,7 +3,6 @@
include:
- ignition-and-ostree.yaml
- shared-el9.yaml
- shared-workarounds.yaml
- system-configuration.yaml
- user-experience.yaml


@ -1,7 +1,6 @@
# Config file for overriding permission bits on overlay files/dirs
# Format: =<file mode in decimal> <absolute path to a file or directory>
# sudo prefers its config files to be mode 440, and some security scanners
# complain if /etc/sudoers.d files are world-readable.
# Some security scanners complain if /etc/sudoers.d files have 0044 mode bits
# https://bugzilla.redhat.com/show_bug.cgi?id=1981979
=288 /etc/sudoers.d/coreos-sudo-group
=384 /etc/sudoers.d/coreos-sudo-group
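Review bot: The mode values are decimal per the format line, so the `=384` entry reads as opaque; reading the hunk counts, the new side keeps the one-line scanner comment and `=384`, which is octal 0600 (owner read/write only), while the dropped `=288` was 0440, the mode the dropped comment says sudo prefers for its drop-ins. A comment next to the entry, `# 384 = 0600; sudo's default sudoers_mode is 0440 (=288), confirm sudo accepts the owner-write bit`, would spare the next reader the conversion and record that the deviation from 0440 was deliberate. Which line is old or new is inferred from the counts, not from markers.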


@ -1,2 +0,0 @@
# Default rpm-ostree model is server-side generated initramfs
hostonly=no


@ -1,3 +0,0 @@
# We don't ship `strip` or `eu-strip` today, and even if we did, it doesn't
# save much space. So let's disable it to avoid the error-looking message.
do_strip=no


@ -1,15 +0,0 @@
# We don't support root on NFS, so we don't need it in the initramfs. It also
# conflicts with /var mount support in ignition because NFS tries to mount stuff
# in /var/ and then ignition can't cleanly unmount it. For example:
# https://github.com/dracutdevs/dracut/blob/1856ae95c873a6fe855b3dccd0144f1a96b9e71c/modules.d/95nfs/nfs-start-rpc.sh#L7
# See also discussion in https://github.com/coreos/fedora-coreos-config/pull/60
# Further, we currently do not use LVM, iSCSI or dmraid
omit_dracutmodules+=" nfs lvm iscsi dmraid "
# More storage modules we don't use
omit_dracutmodules+=" fcoe fcoe-uefi nbd "
# We use NetworkManager
omit_dracutmodules+=" systemd-networkd network-legacy network-wicked "
# We use systemd network naming
omit_dracutmodules+=" biosdevname "
# Random stuff we don't want
omit_dracutmodules+=" rngd busybox dbus-daemon memstrack pcsc bluetooth "


@ -0,0 +1,18 @@
#!/bin/bash
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
# We want to provide Azure udev rules as part of the initrd, so that Ignition
# is able to detect disks and act on them.
#
# If the WALinuxAgent-udev package is changed to install the udev rules as
# part of the initramfs, we should drop this module.
#
# See https://bugzilla.redhat.com/show_bug.cgi?id=1909287
# See also https://bugzilla.redhat.com/show_bug.cgi?id=1756173
install() {
inst_multiple \
/usr/lib/udev/rules.d/66-azure-storage.rules \
/usr/lib/udev/rules.d/99-azure-product-uuid.rules
}


@ -1,70 +0,0 @@
{
"ignition": {
"version": "3.2.0"
},
"storage": {
"disks": [
{
"device": "${BOOTDEV}",
"partitions": [
{
"label": "boot",
"number": 3
},
{
"label": "root",
"number": 4,
"resize": true,
"sizeMiB": 0
},
{
"number": 5,
"shouldExist": false,
"wipePartitionEntry": true
},
{
"number": 6,
"shouldExist": false,
"wipePartitionEntry": true
}
]
}
],
"luks": [
{
"device": "/dev/disk/by-partlabel/boot",
"label": "crypt_bootfs",
"name": "boot",
"options": [
"--integrity",
"hmac-sha256"
],
"wipeVolume": true
},
{
"device": "/dev/disk/by-partlabel/root",
"label": "crypt_rootfs",
"name": "root",
"options": [
"--integrity",
"hmac-sha256"
],
"wipeVolume": true
}
],
"filesystems": [
{
"device": "/dev/mapper/boot",
"format": "ext4",
"label": "boot",
"wipeFilesystem": true
},
{
"device": "/dev/mapper/root",
"format": "xfs",
"label": "root",
"wipeFilesystem": true
}
]
}
}


@ -1,10 +0,0 @@
# CoreOS-specific symlink for boot disk
ACTION!="add|change", GOTO="stable_boot_end"
SUBSYSTEM!="block", GOTO="stable_boot_end"
ENV{DEVTYPE}=="disk" \
, PROGRAM=="coreos-disk-contains-fs $name boot" \
, SYMLINK+="disk/by-id/coreos-boot-disk"
LABEL="stable_boot_end"


@ -16,12 +16,6 @@ After=dev-disk-by\x2dlabel-boot.device
After=ignition-files.service
# As above, this isn't strictly necessary, but on principle.
After=coreos-multipath-wait.target
# Finish before systemd starts tearing down services
Before=initrd.target
# initrd-parse-etc.service starts initrd-cleanup.service which will race
# with us completing before we get nuked. Need to get to the bottom of it,
# but for now we need this.
Before=initrd-parse-etc.service
[Service]
Type=oneshot


@ -34,12 +34,18 @@ if [ -z "${root}" ]; then
rdcore rootmap /sysroot --boot-mount ${bootmnt}
fi
# This does a few things:
# 1. it puts the boot UUID in /run/coreos/bootfs_uuid which is used by the real
# root for mounting the bootfs in this boot
# 2. it adds a boot=UUID= karg which is used by the real root for mounting the
# bootfs in subsequent boots
# 3. it create a .root_uuid stamp file on the bootfs or fails if one exists
# 4. it adds GRUB bootuuid.cfg dropins so that GRUB selects the boot filesystem
# by UUID
rdcore bind-boot /sysroot ${bootmnt}
# And similarly, only inject boot= if it's not already present.
boot=$(karg boot)
if [ -z "${boot}" ]; then
# XXX: `rdcore rootmap --inject-boot-karg` or maybe `rdcore bootmap`
eval $(blkid -o export "${bootdev}")
if [ -z "${UUID}" ]; then
# This should never happen
echo "Boot filesystem ${bootdev} has no UUID" >&2
exit 1
fi
rdcore kargs --boot-mount ${bootmnt} --append boot=UUID=${UUID}
# but also put it in /run for the first boot real root mount
mkdir -p /run/coreos
echo "${UUID}" > /run/coreos/bootfs_uuid
fi
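Review bot: `eval $(blkid -o export "${bootdev}")` on the new side (the longer, boot-karg-injecting branch, by the hunk counts) turns every key/value pair blkid prints into a shell assignment, so besides `UUID` it also sets `TYPE`, `LABEL` and whatever else is reported, and correctness rests on blkid escaping those values in a shell-safe way. The one value actually needed can be read without eval: `UUID=$(blkid -s UUID -o value "${bootdev}")`, which leaves the rest of the environment untouched and still reaches the `-z "${UUID}"` guard when the filesystem has no UUID. `${bootmnt}` and `${UUID}` on the `rdcore kargs` line are unquoted; quoting them costs nothing. The enclosing `if [ -z "${root}" ]` block begins before this hunk.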


@ -1,20 +0,0 @@
#!/bin/bash
# checks whether `disk` contains filesystem labeled `label`
set -euo pipefail
disk=$1
label=$2
# during execution of udev rules on disks 'lsblk' returns empty fields
for pt in /sys/block/$disk/*; do
name=$(basename $pt)
if [[ "$name" =~ ${disk}p?[[:digit:]] ]] && [[ -e "/sys/block/$disk/$name/start" ]];
then
eval $(udevadm info --query=property -n /dev/$name | grep -e ID_FS_LABEL -e PARTNAME)
if [[ "${ID_FS_LABEL:-}" == "$label" ]] || [[ "${PARTNAME:-}" == "$label" ]]; then
exit 0
fi
fi
done
exit 1


@ -57,21 +57,4 @@ After=dev-disk-by\x2dlabel-boot.device
Requires=coreos-gpt-setup.service
After=coreos-gpt-setup.service
EOF
# create symlink for udev rule
mkdir -p /run/udev/rules.d/
ln -sf /usr/lib/coreos/80-coreos-boot-disk.rules \
/run/udev/rules.d/80-coreos-boot-disk.rules
# IBM Secure Execution case
# During firstboot we have to reencrypt '/boot' and '/', to do that an Ignition config
# is injected. 'coreos-boot-disk' is required for this
secure_execution=0
if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
fi
if [[ "${secure_execution}" = "1" ]]; then
mkdir -p /run/coreos/
touch /run/coreos/secure-execution
fi
fi


@ -1,19 +0,0 @@
[Unit]
Description=CoreOS Ensure Unique Boot Filesystem
ConditionPathExists=/etc/initrd-release
OnFailure=emergency.target
OnFailureJobMode=isolate
# That's a weak dependency, so service won't fail if boot dissaperears
Wants=dev-disk-by\x2dlabel-boot.device
After=dev-disk-by\x2dlabel-boot.device
# Start after ignition has finished with disks but before mounting them
After=ignition-disks.service
Before=ignition-mount.service
Before=ignition-ostree-uuid-root.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rdcore verify-unique-fs-label boot


@ -4,17 +4,17 @@ ConditionPathExists=/etc/initrd-release
ConditionPathExists=/run/coreos-kargs-reboot
DefaultDependencies=false
Before=ignition-complete.target
# This runs after ignition-kargs & before ignition-disks so that it can optionally reboot
# if kargs were modified via Ignition. This is done in a two-stage fashion so that other
# mechanisms which may want to reboot (e.x. FIPS) can also hook in here and only reboot
# once from the initrd.
After=ignition-kargs.service
Before=ignition-disks.service
OnFailure=emergency.target
OnFailureJobMode=isolate
[Service]
Type=oneshot
RemainAfterExit=yes


@ -1,17 +0,0 @@
# This unit will run late in the initrd process after the Ignition files
# stage has completed successfully so that we may validate ignition changes
[Unit]
Description=CoreOS Post Ignition Checks
ConditionPathExists=/usr/lib/initrd-release
OnFailure=emergency.target
OnFailureJobMode=isolate
# Start after Ignition has finished creating files and before ignition umount
After=ignition-files.service
Before=ignition-complete.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/coreos-post-ignition-checks
RemainAfterExit=yes


@ -1,18 +0,0 @@
#!/bin/bash
# See coreos-post-ignition-checks.service for more information about this script
set -euo pipefail
# Verify that GRUB password directives are only used when GRUB is being used
arch=$(uname -p)
# Butane sugar will tell ignition to mount /boot to /sysroot/boot. We can simply check if
# the file exists to see whether the check needs to be performed.
# It is possible that the user creates a config, which will mount /boot at a different path
# but that case is not officially supported.
if [ -f /sysroot/boot/grub2/user.cfg ]; then
# s390x does not use GRUB, ppcle64 uses petitboot with a GRUB config parser which does not support passwords
# So in both these cases, GRUB password is not supported
if grep -q password_pbkdf2 /sysroot/boot/grub2/user.cfg && [[ "$arch" =~ ^(s390x|ppc64le)$ ]]; then
echo "Ignition config provisioned a GRUB password, which is not supported on $arch"
exit 1
fi
fi


@ -22,21 +22,6 @@ dracut_func() {
return $rc
}
# Get the BOOTIF and rd.bootif kernel arguments from
# the kernel command line.
get_bootif_kargs() {
bootif_kargs=""
bootif_karg=$(dracut_func getarg BOOTIF)
if [ ! -z "$bootif_karg" ]; then
bootif_kargs+="BOOTIF=${bootif_karg}"
fi
rdbootif_karg=$(dracut_func getarg rd.bootif)
if [ ! -z "$rdbootif_karg" ]; then
bootif_kargs+=" rd.bootif=${rdbootif_karg}"
fi
echo $bootif_kargs
}
# Determine if the generated NM connection profiles match the default
# that would be given to us if the user had provided no additional
# configuration. i.e. did the user give us any network configuration
@ -48,9 +33,6 @@ are_default_NM_configs() {
# pick up our CoreOS default networking kargs from the afterburn dropin
DEFAULT_KARGS_FILE=/usr/lib/systemd/system/afterburn-network-kargs.service.d/50-afterburn-network-kargs-default.conf
source <(grep -o 'AFTERBURN_NETWORK_KARGS_DEFAULT=.*' $DEFAULT_KARGS_FILE)
# Also pick up BOOTIF/rd.bootif kargs and apply them here.
# See https://github.com/coreos/fedora-coreos-tracker/issues/1048
BOOTIF_KARGS=$(get_bootif_kargs)
# Make two dirs for storing files to use in the comparison
mkdir -p /run/coreos-teardown-initramfs/connections-compare-{1,2}
# Make another that's just a throwaway for the initrd-data-dir
@ -61,8 +43,7 @@ are_default_NM_configs() {
# Do a new run with the default input
/usr/libexec/nm-initrd-generator \
-c /run/coreos-teardown-initramfs/connections-compare-2 \
-i /run/coreos-teardown-initramfs/initrd-data-dir \
-- $AFTERBURN_NETWORK_KARGS_DEFAULT $BOOTIF_KARGS
-i /run/coreos-teardown-initramfs/initrd-data-dir -- $AFTERBURN_NETWORK_KARGS_DEFAULT
# remove unique identifiers from the files (so our diff can work)
sed -i '/^uuid=/d' /run/coreos-teardown-initramfs/connections-compare-{1,2}/*
# currently the output will differ based on whether rd.neednet=1
@ -94,11 +75,9 @@ are_default_NM_configs() {
propagate_initramfs_networking() {
# Check for any real root config in the two locations where a user could have
# provided network configuration. On FCOS we only support keyfiles, but on RHCOS
# we support keyfiles and ifcfg. We also need to ignore readme-ifcfg-rh.txt
# which is a cosmetic file added in
# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/96d7362
# we support keyfiles and ifcfg
if [ -n "$(ls -A /sysroot/etc/NetworkManager/system-connections/)" -o \
-n "$(ls -A -I readme-ifcfg-rh.txt /sysroot/etc/sysconfig/network-scripts/)" ]; then
-n "$(ls -A /sysroot/etc/sysconfig/network-scripts/)" ]; then
echo "info: networking config is defined in the real root"
realrootconfig=1
else
@ -232,9 +211,6 @@ main() {
# clean it up so that no information from outside of the
# real root is passed on to NetworkManager in the real root
rm -rf /run/NetworkManager/
rm -f /run/udev/rules.d/80-coreos-boot-disk.rules
rm -f /dev/disk/by-id/coreos-boot-disk
}
main
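Review bot: The real-root config test in `propagate_initramfs_networking`, `[ -n "$(ls -A …/system-connections/)" -o -n "$(ls -A …/network-scripts/)" ]` on the new side of the fourth hunk, relies on `-o`, which POSIX marks obsolescent and which `test` can parse ambiguously; since the file already uses bash features (`+=`, brace expansion, `source <(…)`), `[[ -n "$(ls -A /sysroot/etc/NetworkManager/system-connections/)" || -n "$(ls -A /sysroot/etc/sysconfig/network-scripts/)" ]]` is the unambiguous form. Note also that if either directory is absent, `ls` prints an error and expands to empty, so a missing directory silently counts as "no config"; a `[ -d … ]` guard, or `2>/dev/null` with a comment stating that this is intended, would make the choice explicit. The function continues past the end of that hunk.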


@ -1,22 +0,0 @@
[Unit]
Description=Ensure filesystem labeled `boot` is unique
ConditionPathExists=/etc/initrd-release
DefaultDependencies=no
Before=ignition-diskful.target
Wants=systemd-udevd.service
After=systemd-udevd.service
# And since the boot device may be on multipath; optionally wait for it to
# appear via the dynamic target.
After=coreos-multipath-wait.target
Requires=dev-disk-by\x2dlabel-boot.device
After=dev-disk-by\x2dlabel-boot.device
# Run before services that modify/use `boot` partition
Before=coreos-gpt-setup.service coreos-boot-edit.service
OnFailure=emergency.target
OnFailureJobMode=isolate
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/rdcore verify-unique-fs-label boot


@ -22,9 +22,7 @@ install() {
diff \
lsblk \
sed \
grep \
sgdisk \
uname
sgdisk
inst_simple "$moddir/coreos-diskful-generator" \
"$systemdutildir/system-generators/coreos-diskful-generator"
@ -32,22 +30,9 @@ install() {
inst_script "$moddir/coreos-gpt-setup.sh" \
"/usr/sbin/coreos-gpt-setup"
# This has to work only on diskful systems during firstboot.
# coreos-diskful-generator will create a symlink
inst_simple "$moddir/80-coreos-boot-disk.rules" \
"/usr/lib/coreos/80-coreos-boot-disk.rules"
inst_script "$moddir/coreos-disk-contains-fs.sh" \
"/usr/lib/udev/coreos-disk-contains-fs"
inst_script "$moddir/coreos-ignition-setup-user.sh" \
"/usr/sbin/coreos-ignition-setup-user"
inst_script "$moddir/coreos-post-ignition-checks.sh" \
"/usr/sbin/coreos-post-ignition-checks"
install_ignition_unit coreos-post-ignition-checks.service
# For consistency tear down the network and persist multipath between the initramfs and
# real root. See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763
inst_script "$moddir/coreos-teardown-initramfs.sh" \
@ -70,10 +55,5 @@ install() {
install_ignition_unit "coreos-boot-edit.service" \
"ignition-diskful.target"
install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target
install_ignition_unit coreos-unique-boot.service ignition-diskful.target
install_ignition_unit coreos-ignition-setup-user.service
# IBM Secure Execution. Ignition config for reencryption of / and /boot
inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
}


@ -23,12 +23,12 @@ elif [[ -n "${rootfs_url}" ]]; then
# rootfs URL was provided as karg. Fetch image, check its hash, and
# unpack it.
echo "Fetching rootfs image from ${rootfs_url}..."
if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* && ${rootfs_url} != tftp:* ]]; then
if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* ]]; then
# Don't commit to supporting protocols we might not want to expose in
# the long term.
echo "Unsupported scheme for image specified by:" >&2
echo "coreos.live.rootfs_url=${rootfs_url}" >&2
echo "Only HTTP, HTTPS, and TFTP are supported. Please fix your PXE configuration." >&2
echo "Only HTTP and HTTPS are supported. Please fix your PXE configuration." >&2
exit 1
fi


@ -152,20 +152,6 @@ Type=squashfs
# is checked by coreos-assembler cmd-buildextend-live at build time.
Options=loop,offset=124
EOF
# And one more unit to workaround what we think is a systemd bug.
# We've found the system can stall waiting for run-media-iso.mount
# and apparently any operation seems to be effective at reviving
# the system.
# https://github.com/coreos/fedora-coreos-tracker/issues/1233#issuecomment-1238814171
cat >"${UNIT_DIR}/workaround-stalled-media-iso-mount.service" <<EOF
[Service]
Type=simple
StandardOutput=journal
StandardError=journal
ExecStart=bash -c "sleep 10; echo 'warn: tracker issue workaround engaged for https://github.com/coreos/fedora-coreos-tracker/issues/1233'"
EOF
add_requires workaround-stalled-media-iso-mount.service basic.target
fi
# It turns out that `tmpfs` currently munches all SELinux labels


@ -5,9 +5,6 @@ Before=initrd.target
# we write to the rootfs, so run after it's ready
After=initrd-root-fs.target
# we only propagate if multipath wasn't configured via Ignition
After=ignition-files.service
# That service starts initrd-cleanup.service which will race with us completing
# before we get nuked. Need to get to the bottom of it, but for now we need
# this (XXX: add link to systemd issue here).


@ -4,20 +4,14 @@ set -euo pipefail
# Persist automatic multipath configuration, if any.
# When booting with `rd.multipath=default`, the default multipath
# configuration is written. We need to ensure that the multipath configuration
# is persisted to the rootfs.
# is persisted to the final target.
if [ ! -f /etc/multipath.conf ]; then
echo "info: initrd file /etc/multipath.conf does not exist"
echo "info: no initrd multipath configuration to propagate"
exit 0
if [ ! -f /sysroot/etc/multipath.conf ] && [ -f /etc/multipath.conf ]; then
echo "info: propagating automatic multipath configuration"
cp -v /etc/multipath.conf /sysroot/etc/
mkdir -p /sysroot/etc/multipath/multipath.conf.d
coreos-relabel /etc/multipath.conf
coreos-relabel /etc/multipath/multipath.conf.d
else
echo "info: no initramfs automatic multipath configuration to propagate"
fi
if [ -f /sysroot/etc/multipath.conf ]; then
echo "info: real root file /etc/multipath.conf exists"
echo "info: not propagating initrd multipath configuration"
exit 0
fi
echo "info: propagating initrd multipath configuration"
cp -v /etc/multipath.conf /sysroot/etc/
coreos-relabel /etc/multipath.conf
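Review bot: The `else` branch on the new side prints `info: no initramfs automatic multipath configuration to propagate` whenever the combined `! -f /sysroot/etc/multipath.conf && -f /etc/multipath.conf` test fails, which includes the case where the initrd does have `/etc/multipath.conf` but a real-root `/sysroot/etc/multipath.conf` already exists; the message is then wrong and hides that the real-root file took precedence. Testing the two conditions separately gives each outcome its own accurate message, as below; the `mkdir -p` and `coreos-relabel` lines stay as they are. Which side is new is inferred from the hunk counts (the shorter `&&` form).
```shell
if [ -f /sysroot/etc/multipath.conf ]; then
    echo "info: real root /etc/multipath.conf exists; not propagating initrd configuration"
elif [ -f /etc/multipath.conf ]; then
    echo "info: propagating automatic multipath configuration"
    cp -v /etc/multipath.conf /sysroot/etc/
    # … unchanged: mkdir -p and coreos-relabel calls …
else
    echo "info: no initramfs automatic multipath configuration to propagate"
fi
```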


@ -2,20 +2,20 @@
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
# ex: ts=8 sw=4 sts=4 et filetype=sh
install_unit() {
install_ignition_unit() {
local unit=$1; shift
local target=${1:-initrd}
local target=${1:-complete}
inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit"
# note we `|| exit 1` here so we error out if e.g. the units are missing
# see https://github.com/coreos/fedora-coreos-config/issues/799
systemctl -q --root="$initdir" add-requires "${target}.target" "$unit" || exit 1
systemctl -q --root="$initdir" add-requires "ignition-${target}.target" "$unit" || exit 1
}
install() {
inst_script "$moddir/coreos-propagate-multipath-conf.sh" \
"/usr/sbin/coreos-propagate-multipath-conf"
install_unit coreos-propagate-multipath-conf.service
install_ignition_unit coreos-propagate-multipath-conf.service subsequent
inst_simple "$moddir/coreos-multipath-generator" \
"$systemdutildir/system-generators/coreos-multipath-generator"


@ -6,8 +6,6 @@ ConditionKernelCommandLine=ostree
ConditionPathExists=!/run/ostree-live
After=ignition-ostree-growfs.service
After=ostree-prepare-root.service
# Allow Ignition config to blank out the warning
Before=ignition-files.service
[Service]
Type=oneshot


@ -17,12 +17,6 @@ path=/sysroot
# this shouldn't happen for us but we're being conservative.
src=$(findmnt -nvr -o SOURCE "$path" | tail -n1)
# In the IBM Secure Execution case we use Ignition to grow and reencrypt rootfs
# see overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
if [[ -f /run/coreos/secure-execution ]]; then
exit 0
fi
if [ ! -f "${saved_partstate}" ]; then
partition=$(realpath /dev/disk/by-label/root)
else


@ -1,18 +0,0 @@
# RHOCS 4.12.s390x has an old kernel with a known issue: https://bugzilla.redhat.com/show_bug.cgi?id=2075085
# Once we have kernel >= 4.18.0-387.el8.s390x we should drop this unit and copy config in coreos-diskful-generator
[Unit]
Description=Ignition OSTree: Inject Secure Execution Config
DefaultDependencies=false
ConditionArchitecture=s390x
ConditionKernelCommandLine=ostree
ConditionPathExists=/run/coreos/secure-execution
OnFailure=emergency.target
OnFailureJobMode=isolate
After=coreos-gpt-setup.service
Before=ignition-fetch-offline.service
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/libexec/ignition-ostree-secex-config


@ -1,5 +0,0 @@
#!/bin/bash
set -euo pipefail
bootdev=$(blkid --list-one --output device --match-token PARTLABEL=boot | sed 's,[0-9]\+$,,')
sed "s,\${BOOTDEV},$bootdev," < /usr/lib/coreos/01-secex.ign > /usr/lib/ignition/base.d/01-secex.ign


@ -43,10 +43,9 @@ get_partlabels_for_parttype() {
mount_verbose() {
local srcdev=$1; shift
local destdir=$1; shift
local mode=${1:-ro}
echo "Mounting ${srcdev} ${mode} ($(realpath "$srcdev")) to $destdir"
echo "Mounting ${srcdev} ($(realpath "$srcdev")) to $destdir"
mkdir -p "${destdir}"
mount -o "${mode}" "${srcdev}" "${destdir}"
mount "${srcdev}" "${destdir}"
}
# Sometimes, for some reason the by-label symlinks aren't updated. Detect these
@ -57,10 +56,7 @@ udev_trigger_on_label_mismatch() {
local expected_dev=$1; shift
local actual_dev
expected_dev=$(realpath "${expected_dev}")
# We `|| :` here because sometimes /dev/disk/by-label/$label is missing.
# We've seen this on Fedora kernels with debug enabled (common in `rawhide`).
# See https://github.com/coreos/fedora-coreos-tracker/issues/1092
actual_dev=$(realpath "/dev/disk/by-label/$label" || :)
actual_dev=$(realpath "/dev/disk/by-label/$label")
if [ "$actual_dev" != "$expected_dev" ]; then
echo "Expected /dev/disk/by-label/$label to point to $expected_dev, but points to $actual_dev; triggering udev"
udevadm trigger --settle "$expected_dev"
@ -73,18 +69,6 @@ get_partition_offset() {
cat "/sys${devpath}/start"
}
# copied from generator-lib.sh
karg() {
local name="$1" value="${2:-}"
local cmdline=( $(</proc/cmdline) )
for arg in "${cmdline[@]}"; do
if [[ "${arg%%=*}" == "${name}" ]]; then
value="${arg#*=}"
fi
done
echo "${value}"
}
mount_and_restore_filesystem_by_label() {
local label=$1; shift
local mountpoint=$1; shift
@ -92,51 +76,10 @@ mount_and_restore_filesystem_by_label() {
local new_dev
new_dev=$(jq -r "$(query_fslabel "${label}") | .[0].device" "${ignition_cfg}")
udev_trigger_on_label_mismatch "${label}" "${new_dev}"
mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}" rw
find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} +
mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}"
find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} \;
}
mount_and_save_filesystem_by_label() {
local label=$1; shift
local saved_fs=$1; shift
local fs=/dev/disk/by-label/${label}
if [[ -f /run/coreos/secure-execution ]]; then
local roothash_karg=${label}fs.roothash
local roothash=$(karg "${roothash_karg}")
if [ -z "${roothash}" ]; then
echo "Missing kernel argument ${roothash_karg}; aborting"
exit 1
fi
local roothash_part=/dev/disk/by-partlabel/${label}hash
veritysetup open "${fs}" "${label}" "${roothash_part}" "${roothash}"
fs=/dev/mapper/${label}
fi
mount_verbose "${fs}" /var/tmp/mnt
cp -aT /var/tmp/mnt "${saved_fs}"
umount /var/tmp/mnt
if [[ -f /run/coreos/secure-execution ]]; then
veritysetup close "${label}"
fi
}
# In Secure Execution case user is not allowed to modify partition table
check_and_set_secex_config() {
if [[ -f /run/coreos/secure-execution ]]; then
local wr=$(jq "$(query_fslabel root) | length" "${ignition_cfg}")
local wb=$(jq "$(query_fslabel boot) | length" "${ignition_cfg}")
if [ "${wr}${wb}" != "00" ]; then
echo "Modifying bootfs and rootfs is not supported in Secure Execution mode"
exit 1
fi
# Cached config isn't merged, so reset it and recheck again, just to make sure
ignition_cfg=/usr/lib/ignition/base.d/01-secex.ign
fi
}
# We could have done this during 'detect' below, but other cases also request
# info from config, so just check cached one and reset to secex.ign now
check_and_set_secex_config
case "${1:-}" in
detect)
# Mounts are not in a private namespace so we can mount ${saved_data}
@ -201,13 +144,15 @@ case "${1:-}" in
# Mounts happen in a private mount namespace since we're not "offically" mounting
if [ -d "${saved_root}" ]; then
echo "Moving rootfs to RAM..."
mount_and_save_filesystem_by_label root "${saved_root}"
mount_verbose "${root_part}" /sysroot
cp -aT /sysroot "${saved_root}"
# also store the state of the partition
lsblk "${root_part}" --nodeps --pairs -b --paths -o NAME,TYPE,SIZE > "${partstate_root}"
fi
if [ -d "${saved_boot}" ]; then
echo "Moving bootfs to RAM..."
mount_and_save_filesystem_by_label boot "${saved_boot}"
mount_verbose "${boot_part}" /sysroot/boot
cp -aT /sysroot/boot "${saved_boot}"
fi
if [ -d "${saved_esp}" ]; then
echo "Moving EFI System Partition to RAM..."
@ -255,8 +200,8 @@ case "${1:-}" in
# 3. We don't need the by-label symlink to be correct and
# nothing later in boot will be mounting the filesystem
mountpoint="/mnt/esp-${label}"
mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}" rw
find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -at "${mountpoint}" {} +
mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}"
find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -a {} "${mountpoint}" \;
done
fi
if [ -d "${saved_bios}" ]; then


@ -11,8 +11,6 @@ Before=ignition-fetch-offline.service
# Any services looking at mounts need to order after this
# because it causes device re-probing.
After=coreos-gpt-setup.service
# If we're going to reprovision the bootfs, then there's no need to restamp
ConditionKernelCommandLine=!bootfs.roothash
Before=systemd-fsck@dev-disk-by\x2dlabel-boot.service
Requires=dev-disk-by\x2dlabel-boot.device


@ -8,7 +8,6 @@ Before=sysroot.mount initrd-root-fs.target
After=ignition-disks.service
# If we've reprovisioned the rootfs, then there's no need to restamp
ConditionPathExists=!/run/ignition-ostree-transposefs
ConditionKernelCommandLine=!rootfs.roothash
After=dev-disk-by\x2dlabel-root.device
# Avoid racing with fsck


@ -30,12 +30,6 @@ install() {
sort \
uniq
if [[ $(uname -m) = s390x ]]; then
# for Secure Execution
inst_multiple \
veritysetup
fi
# ignition-ostree-growfs deps
inst_multiple \
basename \
@ -107,9 +101,4 @@ install() {
/usr/libexec/coreos-check-rootfs-size
inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2075085
install_ignition_unit ignition-ostree-secex-config.service
inst_script "$moddir/ignition-ostree-secex-config.sh" \
/usr/libexec/ignition-ostree-secex-config
}


@ -5,7 +5,6 @@
Description=CoreOS: Touch /run/agetty.reload
Documentation=https://bugzilla.redhat.com/show_bug.cgi?id=1932053
DefaultDependencies=false
Before=initrd.target
[Service]
Type=oneshot


@ -1,78 +0,0 @@
# Display relevant errors then enter emergency shell
# _wait_for_journalctl_to_stop will block until either:
# - no messages have appeared in journalctl for the past 5 seconds
# - 15 seconds have elapsed
_wait_for_journalctl_to_stop() {
local time_since_last_log=0
local time_started="$(date '+%s')"
local now="$(date '+%s')"
while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
sleep 1
local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
local now="$(date '+%s')"
local time_since_last_log=$((now-last_log_timestamp))
done
}
_display_relevant_errors() {
failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
if [ -n "${failed}" ]; then
# Something failed, suppress kernel logs so that it's more likely
# the useful bits from the journal are available.
dmesg --console-off
# There's a couple straggler systemd messages. Wait until it's been 5
# seconds since something was written to the journal.
_wait_for_journalctl_to_stop
# Print Ignition logs
if echo ${failed} | grep -qFe 'ignition-'; then
cat <<EOF
------
Ignition has failed. Please ensure your config is valid. Note that only
Ignition spec v3.0.0+ configs are accepted.
A CLI validation tool to check this called ignition-validate can be
downloaded from GitHub:
https://github.com/coreos/ignition/releases
------
EOF
fi
# If this is a live boot, check for ENOSPC in initramfs filesystem
# Try creating a 64 KiB file, in case a small file was deleted on
# service failure
# https://github.com/coreos/fedora-coreos-tracker/issues/1055
if [ -f /etc/coreos-live-initramfs ] && \
! dd if=/dev/zero of=/tmp/check-space bs=4K count=16 2>/dev/null; then
cat <<EOF
------
Ran out of memory when unpacking initrd filesystem. Ensure your system has
at least 2 GiB RAM if booting with coreos.live.rootfs_url, or 4 GiB otherwise.
------
EOF
# Don't show logs from failed units, since they'll just be
# random misleading errors.
else
echo "Displaying logs from failed units: ${failed}"
for unit in ${failed}; do
# 10 lines should be enough for everyone
SYSTEMD_COLORS=true journalctl -b --no-pager --no-hostname -u ${unit} -n 10
done
fi
fi
}
# Print warnings/informational messages to all configured consoles on the
# machine. Code inspired by https://github.com/dracutdevs/dracut/commit/32f68c1
MESSAGE="$(_display_relevant_errors)"
while read -r _tty rest; do
echo -e "$MESSAGE" > /dev/"$_tty"
done < /proc/consoles


@ -7,7 +7,6 @@ ConditionVirtualization=|qemu
Requires=systemd-journald.service
After=systemd-journald.service
After=basic.target
Before=initrd.target
[Service]
Type=oneshot


@ -15,10 +15,9 @@ install_unit_wants() {
install() {
inst_multiple \
cut \
date \
dd
date
inst_hook emergency 99 "${moddir}/emergency-shell.sh"
inst_hook emergency 99 "${moddir}/timeout.sh"
inst_script "$moddir/ignition-virtio-dump-journal.sh" "/usr/bin/ignition-virtio-dump-journal"
install_unit_wants ignition-virtio-dump-journal.service emergency.target


@ -0,0 +1,99 @@
# Before starting the emergency shell, prompt the user to press Enter.
# If they don't, reboot the system.
#
# Assumes /bin/sh is bash.
# _wait_for_journalctl_to_stop will block until either:
# - no messages have appeared in journalctl for the past 5 seconds
# - 15 seconds have elapsed
_wait_for_journalctl_to_stop() {
local time_since_last_log=0
local time_started="$(date '+%s')"
local now="$(date '+%s')"
while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
sleep 1
local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
local now="$(date '+%s')"
local time_since_last_log=$((now-last_log_timestamp))
done
}
_prompt_for_timeout() {
local timeout=300
local interval=15
if [[ -e /.emergency-shell-confirmed ]]; then
return
fi
failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
if [ -n "${failed}" ]; then
# Something failed, suppress kernel logs so that it's more likely
# the useful bits from the journal are available.
dmesg --console-off
# There's a couple straggler systemd messages. Wait until it's been 5
# seconds since something was written to the journal.
_wait_for_journalctl_to_stop
# Print Ignition logs
if echo ${failed} | grep -qFe 'ignition-'; then
cat <<EOF
------
Ignition has failed. Please ensure your config is valid. Note that only
Ignition spec v3.0.0+ configs are accepted.
A CLI validation tool to check this called ignition-validate can be
downloaded from GitHub:
https://github.com/coreos/ignition/releases
------
EOF
fi
echo "Displaying logs from failed units: ${failed}"
for unit in ${failed}; do
# 10 lines should be enough for everyone
journalctl -b --no-pager --no-hostname -u ${unit} -n 10
done
fi
# Regularly prompt with time remaining. This ensures the prompt doesn't
# get lost among kernel and systemd messages, and makes it clear what's
# going on if the user just connected a serial console.
while [[ $timeout > 0 ]]; do
local m=$(( $timeout / 60 ))
local s=$(( $timeout % 60 ))
local m_label="minutes"
if [[ $m = 1 ]]; then
m_label="minute"
fi
if [[ $s != 0 ]]; then
echo -n -e "Press Enter for emergency shell or wait $m $m_label $s seconds for reboot. \r"
else
echo -n -e "Press Enter for emergency shell or wait $m $m_label for reboot. \r"
fi
local anything
if read -t $interval anything; then
> /.emergency-shell-confirmed
return
fi
timeout=$(( $timeout - $interval ))
done
echo -e "\nRebooting."
# This is not very nice, but since reboot.target likely conflicts with
# the existing goal target wrt the desired state of shutdown.target,
# there doesn't seem to be a better option.
systemctl reboot --force
exit 0
}
# If we're invoked from a dracut breakpoint rather than
# dracut-emergency.service, we won't have a controlling terminal and stdio
# won't be connected to it. Explicitly read/write /dev/console.
_prompt_for_timeout < /dev/console > /dev/console
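Review bot: `while [[ $timeout > 0 ]]` in `_prompt_for_timeout` is a string comparison inside `[[ ]]`, not a numeric one; it only terminates correctly here because `timeout` counts down from 300 in steps of 15 and lands exactly on `0`, so the intended test is `while (( timeout > 0 )); do`, which also survives a change of `interval` that does not divide `timeout`. In `_wait_for_journalctl_to_stop`, `last_log_timestamp` is empty when `journalctl` prints nothing, and `$((now-last_log_timestamp))` then raises an arithmetic error instead of a number; `$((now-${last_log_timestamp:-$now}))` keeps the loop well-defined. The `-a` inside `[ ]` on that loop's condition would read better as `[[ … && … ]]`, which the header's "Assumes /bin/sh is bash" already licenses.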


@ -1,12 +1,12 @@
[Journal]
# For now we are using kmsg for multiplexing output to
# multiple console devices during early boot.
#
#
# We do not want to use kmsg in the future as there may be sensitive
# ignition data that leaks to non-root users (by reading the kernel
# ring buffer using `dmesg`). In the future we will rely on kernel
# console multiplexing (link below) for this and will not use kmsg.
#
#
# https://github.com/coreos/fedora-coreos-tracker/issues/136
ForwardToKMsg=yes
MaxLevelKMsg=info


@ -5,15 +5,8 @@ enable console-login-helper-messages-gensnippet-os-release.service
enable console-login-helper-messages-gensnippet-ssh-keys.service
# CA certs (probably to add to base fedora eventually)
enable coreos-update-ca-trust.service
# Set kernel console log level
enable coreos-printk-quiet.service
# https://github.com/coreos/ignition/issues/1125
enable coreos-ignition-firstboot-complete.service
# Delete Ignition config from provider on platforms where it's possible
# https://github.com/coreos/ignition/pull/1350
enable ignition-delete-config.service
# Delete Ignition config from provider when upgrading existing nodes
enable coreos-ignition-delete-config.service
# Boot checkin services for cloud providers.
enable afterburn-checkin.service
enable afterburn-firstboot-checkin.service
@ -30,5 +23,5 @@ enable bootupd.socket
# Ideally it should have been added as part of base Fedora - but since it was arch specific, it was not added: https://bugzilla.redhat.com/show_bug.cgi?id=1433859
enable rtas_errd.service
enable clevis-luks-askpass.path
# Provide status information about the Ignition run
enable coreos-ignition-write-issues.service
# Provide information if no ignition is provided
enable coreos-check-ignition-config.service


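--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,14 @@
+# This service is used for printing a message if
+# no Ignition config is provided.
+[Unit]
+Description=Check if Ignition config is provided
+Before=systemd-user-sessions.service
+ConditionPathExists=/etc/.ignition-result.json
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-check-ignition-config
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target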


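--- a/[path not shown on page]
+++ /dev/null
@@ -1,28 +0,0 @@
-# Can be removed from FCOS in Fedora 37 or after the next barrier release,
-# whichever comes first. Can be removed from RHCOS in the first release
-# after every node is guaranteed to have booted at least once with 4.11 or
-# higher.
-[Unit]
-Description=CoreOS Delete Ignition Config From Hypervisor
-Documentation=https://coreos.github.io/ignition/
-ConditionKernelCommandLine=|ignition.platform.id=virtualbox
-ConditionKernelCommandLine=|ignition.platform.id=vmware
-ConditionPathExists=!/var/lib/coreos-ignition-delete-config.stamp
-# Hack: if the user masked ignition-delete-config.service, we shouldn't run
-# either.
-ConditionPathIsSymbolicLink=!/etc/systemd/system/ignition-delete-config.service
-# We check a stamp file written by ignition-delete-config.service. That
-# service runs Before=sysinit.target, on which we have a default dependency,
-# so this is really just documentation.
-After=ignition-delete-config.service
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/coreos-ignition-delete-config
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target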


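--- a/[path not shown on page]
+++ /dev/null
@@ -1,16 +0,0 @@
-# This service writes issue files describing status
-# information about the Ignition run, which includes
-# Ignition warnings and information if no Ignition
-# config is provided.
-[Unit]
-Description=Create Ignition Status Issue Files
-Before=systemd-user-sessions.service
-ConditionPathExists=/etc/.ignition-result.json
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/coreos-ignition-write-issues
-RemainAfterExit=yes
-[Install]
-WantedBy=multi-user.target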


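--- a/[path not shown on page]
+++ /dev/null
@@ -1,27 +0,0 @@
-[Unit]
-Description=CoreOS: Set printk To Level 4 (warn)
-Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1244
-# We can run right after `/proc` being mounted at least
-DefaultDependencies=no
-# We run as early as possible; the only dependency we have really
-# is the implicit After=systemd-journald.socket injected by the
-# default of our stdout writing to the journal.
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-# We want this service to read what we wrote
-Before=systemd-sysctl.service
-# Relatedly, we don't want to override an explicitly specified kernel argument
-ConditionKernelCommandLine=!debug
-ConditionKernelCommandLine=!quiet
-ConditionKernelCommandLine=!loglevel
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-# We need to make /run/sysctl.d if it doesn't exist and also
-# ensure it has a SELinux label that works for systemd-sysctl.service.
-# Then we just generate a sysctl file which is read by systemd-sysctl.service.
-ExecStart=/bin/bash -euo pipefail -c 'mkdir -p /run/sysctl.d && chcon --reference=/etc/sysctl.d /run/sysctl.d && echo "kernel.printk = 4" > /run/sysctl.d/01-coreos-printk.conf'
-[Install]
-WantedBy=sysinit.target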


@ -1,6 +1,6 @@
# https://github.com/coreos/coreos-installer/commit/15a79263d0bd5d72056a6080f6687dc10cba2dda
# https://github.com/systemd/systemd/pull/10397
# We want things like `systemd.unit=emergency.target` and `single` on the
# We want things like `systemd.unit=emergency.target` and `single` on the
# kernel command line to just work even with our locked root account.
# This file is used as an override for both emergency.target and rescue.target.
[Service]


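--- a/[path not shown on page]
+++ /dev/null
@@ -1,7 +0,0 @@
-# Create a flag file to notify coreos-ignition-delete-config.service that
-# we've run, and put it in /run because /var isn't mounted yet.
-# coreos-ignition-delete-config.service will then avoid trying to delete
-# the config again, and will create a persistent stamp file in /var/lib.
-[Service]
-ExecStart=/bin/touch /run/coreos-ignition-delete-config.stamp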


@ -21,36 +21,12 @@ if [ $(cat /proc/sys/kernel/random/boot_id) = "${ignitionBoot}" ]; then
cat << EOF > /etc/issue.d/30_coreos_ignition_run_more_than_once.issue
${WARN}
############################################################################
WARNING: Ignition previously ran on ${prevdate}. Unexpected
WARNING: Ignition previously ran on ${prevdate}. Unexpected
behavior may occur. Ignition is not designed to run more than once per system.
############################################################################
${RESET}
EOF
fi
# In Ignition, we've two config validation checks, the one after
# fetching a config and the second after merging configs. Sometimes,
# a warning goes away after merging, however, it's possible that a
# warning appears in case merging creates a contradiction between
# two fields. So this workflow eventually sends duplicate warnings
# in journal entries. Hence, we need to avoid displaying duplicate
# Ignition warnings on the console.
# For e.g. In the journal entries, we might see the following logs:
#
# warning at $.systemd.units.0.contents, line 1 col 997: unit "echo@.service" is enabled, but has no install section so enable does nothing
# warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
#
# In order to normalize these logs, we'd need to get rid of the line
# and column numbers entirely using the sed command, and then use
# `sort -u` to remove duplicate content. After this, we'd see the
# following warning on the console:
#
# warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
#
# TODO: find a way to query journal entries recorded before the
# system switches to real root
journalctl -t ignition -o cat -p warning | sed -r 's/, line [0-9]+ col [0-9]+//g' | sort -u | while read line; do
echo -e "${WARN}Ignition: $line${RESET}" >> /etc/issue.d/30_coreos_ignition_warnings.issue
done
else
nreboots=$(($(journalctl --list-boots | wc -l) - 1))
[ "${nreboots}" -eq 1 ] && boot="boot" || boot="boots"


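--- a/[path not shown on page]
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-cmdline=( $(</proc/cmdline) )
-cmdline_arg() {
-local name="$1" value
-for arg in "${cmdline[@]}"; do
-if [[ "${arg%%=*}" == "${name}" ]]; then
-value="${arg#*=}"
-fi
-done
-echo "${value}"
-}
-# Avoid running again if ignition-delete-config.service has run, but still
-# create our own stamp file now that /var is mounted.
-if [ ! -e /run/coreos-ignition-delete-config.stamp ]; then
-PLATFORM_ID=$(cmdline_arg ignition.platform.id)
-/usr/libexec/ignition-rmcfg --platform=${PLATFORM_ID}
-fi
-touch /var/lib/coreos-ignition-delete-config.stamp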


@ -3,6 +3,10 @@ set -euo pipefail
mount -o remount,rw /boot
if [[ $(uname -m) = s390x ]]; then
zipl
fi
# We're done provisioning. Remove the whole /boot/ignition directory if present,
# which may include a baked Ignition config. See
# https://github.com/coreos/fedora-coreos-tracker/issues/889.
@ -12,8 +16,3 @@ rm -rf /boot/ignition
# this file. Fail if we are unable to remove it, rather than risking rerunning
# Ignition at next boot.
rm /boot/ignition.firstboot
# rdcore zipl checks for /boot/ignition.firstboot
if [[ $(uname -m) = s390x ]]; then
/usr/lib/dracut/modules.d/50rdcore/rdcore zipl --boot-mount=/boot
fi
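Review bot: The `zipl` call added right after `mount -o remount,rw /boot` runs before `/boot/ignition` and `/boot/ignition.firstboot` are removed, whereas the tail this section drops ran `rdcore zipl --boot-mount=/boot` only after those removals and noted that rdcore checks for `/boot/ignition.firstboot`. If the boot record written by `zipl` depends on that flag being present, the reordering changes what ends up on disk; the new block should say why the early, argument-less call is correct, e.g. `# s390x: rewrite the boot record before the Ignition firstboot flag below is removed`. Under the `set -euo pipefail` shown in the hunk header, a failing `zipl` also aborts before the flag is deleted, so Ignition would re-run on the next boot; `zipl || { echo "zipl failed; leaving firstboot flag in place" >&2; exit 1; }` would at least make that path explicit in the journal. The script continues outside both hunks.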


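--- a/[path not shown on page]
+++ /dev/null
@@ -1,8 +0,0 @@
-# Compress initrd with zstd. dracut defaults to -15, but we want the
-# maximum reasonable compression, so override the command line to use
-# dracut's defaults along with -19.
-#
-# We can't use this in RHCOS 8 because the kernel doesn't enable
-# CONFIG_RD_ZSTD.
-compress="zstd -19 -q -T0"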


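--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,9 @@
+# Stop NetworkManager from trying to load the ifcfg-rh plugin by default,
+# which we don't ship. This actually disables all default plugins, of which
+# ifcfg-rh is currently the only one.
+#
+# Note that we must do this for now because `-=` syntax doesn't work
+# with compiled-in defaults. Proposed upstream fix:
+# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/491
+[main]
+plugins=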


@ -1,3 +1,3 @@
Tracker: https://github.com/coreos/fedora-coreos-tracker
Discuss: https://discussion.fedoraproject.org/tag/coreos
Discuss: https://discussion.fedoraproject.org/c/server/coreos/


@ -1,3 +1,5 @@
# User metrics client
enable fedora-coreos-pinger.service
enable coreos-check-ssh-keys.service
# Check if cgroupsv1 is still being used
enable coreos-check-cgroups.service


@ -1,4 +1,4 @@
# This service is used for printing a message if no ssh keys were added
# This service is used for printing a message if no ssh keys were added
# by Ignition/Afterburn
[Unit]
Description=Check that ssh-keys are added by Afterburn/Ignition


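--- a/[path not shown on page]
+++ /dev/null
@@ -1,9 +0,0 @@
-# Legacy IDs for 'nobody' user/group. This is a CoreOS mismatched entry
-# which will need to be migrated:
-# https://github.com/coreos/fedora-coreos-tracker/issues/1201
-# g nobody 65534
-# u nobody 65534:65534 "Kernel Overflow User" - -
-g nobody 99
-u nobody 99:99 "Kernel Overflow User" - -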


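--- a/[path not shown on page]
+++ /dev/null
@@ -1,32 +0,0 @@
-# These are pinned users/groups whose static IDs are only used
-# this way on CoreOS nodes.
-g cgred 996
-g chrony 992
-g cockpit-ws 987
-g dockerroot 986
-g etcd 997
-g input 104
-g kube 994
-g nfsnobody 65534
-g polkitd 998
-g ssh_keys 999
-g sssd 993
-g sudo 16
-g systemd-bus-proxy 988
-g systemd-network 990
-g systemd-resolve 989
-g systemd-timesync 991
-u chrony 994:992 - /var/lib/chrony -
-u cockpit-ws 988:987 "User for cockpit-ws" - -
-u dockerroot 997:986 "Docker User" /var/lib/docker -
-u etcd 998:997 "etcd user" /var/lib/etcd -
-u kube 996:994 "Kubernetes user" - -
-u nfsnobody 65534:65534 "Anonymous NFS User" /var/lib/nfs -
-u polkitd 999:998 "User for polkitd" - -
-u sssd 995:993 "User for sssd" - -
-u systemd-bus-proxy 989:988 "systemd Bus Proxy" - -
-u systemd-network 991:990 "systemd Network Management" - -
-u systemd-resolve 990:989 "systemd Resolver" - -
-u systemd-timesync 993:991 "systemd Time Synchronization" - -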


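--- a/[path not shown on page]
+++ /dev/null
@@ -1,43 +0,0 @@
-# These are basic users/groups coming from the default entries
-# in the 'setup' package. They can be dropped once that package
-# starts shipping its own sysusers.d entries.
-g adm 4
-g audio 63
-g bin 1
-g cdrom 11
-g daemon 2
-g dialout 18
-g disk 6
-g floppy 19
-g ftp 50
-g games 20
-g kmem 9
-g lock 54
-g lp 7
-g mail 12
-g man 15
-g mem 8
-g root 0
-g sys 3
-g tape 33
-g tty 5
-g users 100
-g video 39
-g wheel 10
-u adm 3:4 "adm" /var/adm -
-u bin 1:1 "bin" /bin -
-u daemon 2:2 "daemon" /sbin -
-u ftp 14:50 "FTP User" /var/ftp -
-# Workaround for systemd-sysusers bug, will be fixed in v252:
-# https://github.com/systemd/systemd/issues/24217
-# u games 12:100 "games" /usr/games -
-u games 12:users "games" /usr/games -
-u halt 7:0 "halt" /sbin /sbin/halt
-u lp 4:7 "lp" /var/spool/lpd -
-u mail 8:12 "mail" /var/spool/mail -
-u operator 11:0 "operator" /root -
-u root 0:0 "root" /root /bin/bash
-u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
-u sync 5:0 "sync" /sbin /bin/sync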


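--- a/[path not shown on page]
+++ /dev/null
@@ -1,24 +0,0 @@
-# These are users/groups with static IDs which follow usual Fedora-wide
-# allocation. They are usually coming from relevant packages, but we also
-# pre-populate them on CoreOS.
-g avahi-autoipd 170
-g ceph 167
-g dbus 81
-g dip 40
-g rpc 32
-g rpcuser 29
-g sshd 74
-g systemd-journal 190
-g tcpdump 72
-g utempter 35
-g utmp 22
-u avahi-autoipd 170:170 "Avahi IPv4LL Stack" /var/lib/avahi-autoipd -
-u ceph 167:167 "Ceph daemons" /var/lib/ceph -
-u dbus 81:81 "System Message Bus" - -
-u nfsnobody 65534:65534 "Anonymous NFS User" /var/lib/nfs -
-u rpc 32:32 "Rpcbind Daemon" /var/lib/rpcbind -
-u rpcuser 29:29 "RPC Service User" /var/lib/nfs -
-u sshd 74:74 "Privilege-separated SSH" /var/empty/sshd -
-u tcpdump 72:72 - - -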


@ -1,5 +1,5 @@
#!/usr/bin/bash
# This script will print a message in the serial console
# This script will print a message in the serial console
# if no ssh keys were added by Ignition/Afterburn.
main() {
# Change the output color to yellow
@ -7,22 +7,19 @@ main() {
# No color
nc='\033[0m'
# See https://github.com/coreos/ignition/pull/964 for the MESSAGE_ID
# source. It will track the authorized-ssh-keys entries in journald
# provided via Ignition. Limit journal output to the most recent boot
# so we don't get output from re-used /var/ partitions.
# See https://github.com/coreos/ignition/pull/964 for the MESSAGE_ID
# source. It will track the authorized-ssh-keys entries in journald
# provided via Ignition.
ignitionusers=$(
journalctl -b 0 -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
journalctl -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
jq -r '.MESSAGE' | \
xargs -I{} echo "Ignition: {}")
# See https://github.com/coreos/afterburn/pull/397 for the MESSAGE_ID
# source. It will track the authorized-ssh-keys entries in journald
# provided via Afterburn.Limit journal output to the most recent boot
# so we don't get output from re-used /var/ partitions.
# See https://github.com/coreos/afterburn/pull/397 for the MESSAGE_ID
# source. It will track the authorized-ssh-keys entries in journald
# provided via Afterburn.
afterburnusers=$(
journalctl -b 0 -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
journalctl -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
jq -r '.MESSAGE' | \
xargs -I{} echo "Afterburn: {}")
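Review bot: The two `journalctl -o json-pretty MESSAGE_ID=...` calls in the second hunk query the entire persistent journal rather than the current boot, assuming the lines without `-b 0` are the side kept here (the rendered diff has lost its markers). The comment this side drops spells out the consequence: on a re-used /var partition, authorized-ssh-keys entries recorded by an earlier boot or install satisfy the check, so the "no ssh keys were added" warning is suppressed even though this boot added none, which is exactly the condition the script exists to surface. Restricting each query to the running boot is one flag per call: `journalctl -b 0 -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \` and likewise for `MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190`. `main()` continues past the end of the hunk.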


@ -11,12 +11,16 @@ set -euo pipefail
#
# Originally spawned from discussion in https://github.com/openshift/installer/pull/3513
. /usr/lib/coreos/generator-lib.sh
# Generators don't have logging right now
# https://github.com/systemd/systemd/issues/15638
exec 1>/dev/kmsg; exec 2>&1
self=$(basename $0)
confpath=/run/coreos-platform-chrony.conf
platform=$(karg ignition.platform.id)
# Yeah this isn't a completely accurate kernel argument parser but
# we don't have one shared across shell services at the moment.
platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d =)"
case "${platform}" in
azure|azurestack|aws|gcp) ;; # OK, this is a platform we know how to support
*) exit 0 ;;
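Review bot: `platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d =)"` takes the whole generator down when the argument is absent: with the `set -euo pipefail` shown in the hunk header, `grep` exits 1 on no match, the pipeline inherits that status, and the assignment aborts the script before the `*) exit 0 ;;` arm that is meant to handle unknown or missing platforms is reached (assuming the grep-based line is the side kept here). Appending the fallback inside the substitution preserves the intended empty-string fallthrough: `platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d = || true)"`. Two smaller points on the same side: the leading space in the pattern means a value at the very start of `/proc/cmdline` is never matched, and `self=$(basename $0)` should quote its argument as `self=$(basename "$0")`. If the `exec 1>/dev/kmsg; exec 2>&1` lines are also on this side, the failure would surface only in the kernel log. The script continues beyond the hunk.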


@ -1,18 +1,7 @@
These overlay directories are automatically committed to the build OSTree repo
by coreos-assembler. They are then explicitly included in our various manifest
files via `ostree-layers` (this used to be done automatically, but that's no
longer the case).
05core
------
This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
06el9
-----
This overlay includes content shared between FCOS and RHCOS/SCOS 9, but not
RHCOS 8.
This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
08nouveau
---------
@ -28,6 +17,11 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1700056
Warning about `/etc/sysconfig`.
14NetworkManager-plugins
------------------------
Disables the Red Hat Linux legacy `ifcfg` format.
15fcos
------
@ -36,16 +30,10 @@ Things that are more closely "Fedora CoreOS":
* disable password logins by default over SSH
* enable SSH keys written by Ignition and Afterburn
* branding (MOTD)
* enable FCOS-specific services by default
* enable services by default (fedora-coreos-pinger)
* display warnings on the console if no ignition config was provided or no ssh
key found.
16disable-zincati
-----------------
Disable Zincati on non-production streams:
https://github.com/coreos/fedora-coreos-tracker/issues/163
20platform-chrony
-----------------


@ -5,7 +5,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStre
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
[baseos]
name=Rocky Linux $releasever - BaseOS
@ -14,7 +14,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
[extras]
name=Rocky Linux $releasever - Extras
@ -23,4 +23,4 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-
gpgcheck=1
enabled=1
countme=1
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever