.gitignore

@@ -2,4 +2,3 @@ build/
 .direnv/
 .envrc
 ass
-.idea

manifest.yaml

@@ -10,10 +10,3 @@ repos:
   - extras
 
 include: manifests/rocky-coreos.yaml
-
-postprocess:
-  - |
-    #!/usr/bin/env bash
-    set -xeuo pipefail
-    # Remove rltype from repo urls
-    find /etc/yum.repos.d/ -type f -exec sed -i 's/\$rltype//g' {} \;

manifests/rocky-coreos-base.yaml

@@ -3,7 +3,6 @@
 
 include:
   - ignition-and-ostree.yaml
-  - shared-el9.yaml
   - shared-workarounds.yaml
   - system-configuration.yaml
   - user-experience.yaml

overlay.d/05core/statoverride

@@ -1,7 +1,6 @@
 # Config file for overriding permission bits on overlay files/dirs
 # Format: =<file mode in decimal> <absolute path to a file or directory>
 
-# sudo prefers its config files to be mode 440, and some security scanners
+# Some security scanners complain if /etc/sudoers.d files have 0044 mode bits
-# complain if /etc/sudoers.d files are world-readable.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1981979
-=288 /etc/sudoers.d/coreos-sudo-group
+=384 /etc/sudoers.d/coreos-sudo-group

overlay.d/05core/usr/lib/dracut/dracut.conf.d/coreos-nohostonly.conf

@@ -1,2 +0,0 @@
-# Default rpm-ostree model is server-side generated initramfs
-hostonly=no

overlay.d/05core/usr/lib/dracut/dracut.conf.d/coreos-nostrip.conf

@@ -1,3 +0,0 @@
-# We don't ship `strip` or `eu-strip` today, and even if we did, it doesn't
-# save much space. So let's disable it to avoid the error-looking message.
-do_strip=no

overlay.d/05core/usr/lib/dracut/dracut.conf.d/coreos-omits.conf

@@ -1,15 +0,0 @@
-# We don't support root on NFS, so we don't need it in the initramfs. It also
-# conflicts with /var mount support in ignition because NFS tries to mount stuff
-# in /var/ and then ignition can't cleanly unmount it. For example:
-# https://github.com/dracutdevs/dracut/blob/1856ae95c873a6fe855b3dccd0144f1a96b9e71c/modules.d/95nfs/nfs-start-rpc.sh#L7
-# See also discussion in https://github.com/coreos/fedora-coreos-config/pull/60
-# Further, we currently do not use LVM, iSCSI or dmraid
-omit_dracutmodules+=" nfs lvm iscsi dmraid "
-# More storage modules we don't use
-omit_dracutmodules+=" fcoe fcoe-uefi nbd "
-# We use NetworkManager
-omit_dracutmodules+=" systemd-networkd network-legacy network-wicked "
-# We use systemd network naming
-omit_dracutmodules+=" biosdevname "
-# Random stuff we don't want
-omit_dracutmodules+=" rngd busybox dbus-daemon memstrack pcsc bluetooth "

overlay.d/05core/usr/lib/dracut/modules.d/25coreos-azure-udev/module-setup.sh

@@ -0,0 +1,18 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+# We want to provide Azure udev rules as part of the initrd, so that Ignition
+# is able to detect disks and act on them.
+#
+# If the WALinuxAgent-udev package is changed to install the udev rules as
+# part of the initramfs, we should drop this module.
+#
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1909287
+# See also https://bugzilla.redhat.com/show_bug.cgi?id=1756173
+
+install() {
+    inst_multiple \
+        /usr/lib/udev/rules.d/66-azure-storage.rules \
+        /usr/lib/udev/rules.d/99-azure-product-uuid.rules
+}

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign

@@ -1,70 +0,0 @@
-{
-  "ignition": {
-    "version": "3.2.0"
-  },
-  "storage": {
-    "disks": [
-      {
-        "device": "${BOOTDEV}",
-        "partitions": [
-          {
-            "label": "boot",
-            "number": 3
-          },
-          {
-            "label": "root",
-            "number": 4,
-            "resize": true,
-            "sizeMiB": 0
-          },
-          {
-            "number": 5,
-            "shouldExist": false,
-            "wipePartitionEntry": true
-          },
-          {
-            "number": 6,
-            "shouldExist": false,
-            "wipePartitionEntry": true
-          }
-        ]
-      }
-    ],
-    "luks": [
-      {
-        "device": "/dev/disk/by-partlabel/boot",
-        "label": "crypt_bootfs",
-        "name": "boot",
-        "options": [
-          "--integrity",
-          "hmac-sha256"
-        ],
-        "wipeVolume": true
-      },
-      {
-        "device": "/dev/disk/by-partlabel/root",
-        "label": "crypt_rootfs",
-        "name": "root",
-        "options": [
-          "--integrity",
-          "hmac-sha256"
-        ],
-        "wipeVolume": true
-      }
-    ],
-    "filesystems": [
-      {
-        "device": "/dev/mapper/boot",
-        "format": "ext4",
-        "label": "boot",
-        "wipeFilesystem": true
-      },
-      {
-        "device": "/dev/mapper/root",
-        "format": "xfs",
-        "label": "root",
-        "wipeFilesystem": true
-      }
-    ]
-  }
-}

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/80-coreos-boot-disk.rules

@@ -1,10 +0,0 @@
-# CoreOS-specific symlink for boot disk
-
-ACTION!="add|change", GOTO="stable_boot_end"
-SUBSYSTEM!="block", GOTO="stable_boot_end"
-
-ENV{DEVTYPE}=="disk" \
-  , PROGRAM=="coreos-disk-contains-fs $name boot" \
-  , SYMLINK+="disk/by-id/coreos-boot-disk"
-
-LABEL="stable_boot_end"

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.service

@@ -16,12 +16,6 @@ After=dev-disk-by\x2dlabel-boot.device
 After=ignition-files.service
 # As above, this isn't strictly necessary, but on principle.
 After=coreos-multipath-wait.target
-# Finish before systemd starts tearing down services
-Before=initrd.target
-# initrd-parse-etc.service starts initrd-cleanup.service which will race
-# with us completing before we get nuked.  Need to get to the bottom of it,
-# but for now we need this.
-Before=initrd-parse-etc.service
 
 [Service]
 Type=oneshot

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh

@@ -34,12 +34,18 @@ if [ -z "${root}" ]; then
     rdcore rootmap /sysroot --boot-mount ${bootmnt}
 fi
 
-# This does a few things:
+# And similarly, only inject boot= if it's not already present.
-# 1. it puts the boot UUID in /run/coreos/bootfs_uuid which is used by the real
+boot=$(karg boot)
-#    root for mounting the bootfs in this boot
+if [ -z "${boot}" ]; then
-# 2. it adds a boot=UUID= karg which is used by the real root for mounting the
+    # XXX: `rdcore rootmap --inject-boot-karg` or maybe `rdcore bootmap`
-#    bootfs in subsequent boots
+    eval $(blkid -o export "${bootdev}")
-# 3. it create a .root_uuid stamp file on the bootfs or fails if one exists
+    if [ -z "${UUID}" ]; then
-# 4. it adds GRUB bootuuid.cfg dropins so that GRUB selects the boot filesystem
+        # This should never happen
-#    by UUID
+        echo "Boot filesystem ${bootdev} has no UUID" >&2
-rdcore bind-boot /sysroot ${bootmnt}
+        exit 1
+    fi
+    rdcore kargs --boot-mount ${bootmnt} --append boot=UUID=${UUID}
+    # but also put it in /run for the first boot real root mount
+    mkdir -p /run/coreos
+    echo "${UUID}" > /run/coreos/bootfs_uuid
+fi

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-disk-contains-fs.sh

@@ -1,20 +0,0 @@
-#!/bin/bash
-# checks whether `disk` contains filesystem labeled `label`
-set -euo pipefail
-
-disk=$1
-label=$2
-
-# during execution of udev rules on disks 'lsblk' returns empty fields
-for pt in /sys/block/$disk/*; do
-    name=$(basename $pt)
-    if [[ "$name" =~ ${disk}p?[[:digit:]] ]] && [[ -e "/sys/block/$disk/$name/start" ]];
-    then
-        eval $(udevadm info --query=property -n /dev/$name | grep -e ID_FS_LABEL -e PARTNAME)
-        if [[ "${ID_FS_LABEL:-}" == "$label" ]] || [[ "${PARTNAME:-}" == "$label" ]]; then
-            exit 0
-        fi
-    fi
-done
-
-exit 1

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator

@@ -57,21 +57,4 @@ After=dev-disk-by\x2dlabel-boot.device
 Requires=coreos-gpt-setup.service
 After=coreos-gpt-setup.service
 EOF
-
-    # create symlink for udev rule
-    mkdir -p /run/udev/rules.d/
-    ln -sf /usr/lib/coreos/80-coreos-boot-disk.rules \
-          /run/udev/rules.d/80-coreos-boot-disk.rules
-
-    # IBM Secure Execution case
-    # During firstboot we have to reencrypt '/boot' and '/', to do that an Ignition config
-    # is injected. 'coreos-boot-disk' is required for this
-    secure_execution=0
-    if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
-        secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
-    fi
-    if [[ "${secure_execution}" = "1" ]]; then
-        mkdir -p /run/coreos/
-        touch /run/coreos/secure-execution
-    fi
 fi

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-unique-boot.service

@@ -1,19 +0,0 @@
-[Unit]
-Description=CoreOS Ensure Unique Boot Filesystem
-ConditionPathExists=/etc/initrd-release
-OnFailure=emergency.target
-OnFailureJobMode=isolate
-
-# That's a weak dependency, so service won't fail if boot dissaperears
-Wants=dev-disk-by\x2dlabel-boot.device
-After=dev-disk-by\x2dlabel-boot.device
-
-# Start after ignition has finished with disks but before mounting them
-After=ignition-disks.service
-Before=ignition-mount.service
-Before=ignition-ostree-uuid-root.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/rdcore verify-unique-fs-label boot

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-kargs-reboot.service

@@ -4,17 +4,17 @@ ConditionPathExists=/etc/initrd-release
 ConditionPathExists=/run/coreos-kargs-reboot
 DefaultDependencies=false
 Before=ignition-complete.target
-
+ 
 # This runs after ignition-kargs & before ignition-disks so that it can optionally reboot
 # if kargs were modified via Ignition. This is done in a two-stage fashion so that other
 # mechanisms which may want to reboot (e.x. FIPS) can also hook in here and only reboot
 # once from the initrd.
 After=ignition-kargs.service
 Before=ignition-disks.service
-
+ 
 OnFailure=emergency.target
 OnFailureJobMode=isolate
-
+ 
 [Service]
 Type=oneshot
 RemainAfterExit=yes

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-post-ignition-checks.service

@@ -1,17 +0,0 @@
-# This unit will run late in the initrd process after the Ignition files
-# stage has completed successfully so that we may validate ignition changes
-
-[Unit]
-Description=CoreOS Post Ignition Checks
-ConditionPathExists=/usr/lib/initrd-release
-OnFailure=emergency.target
-OnFailureJobMode=isolate
-
-# Start after Ignition has finished creating files and before ignition umount
-After=ignition-files.service
-Before=ignition-complete.target
-
-[Service]
-Type=oneshot
-ExecStart=/usr/sbin/coreos-post-ignition-checks
-RemainAfterExit=yes

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-post-ignition-checks.sh

@@ -1,18 +0,0 @@
-#!/bin/bash
-# See coreos-post-ignition-checks.service for more information about this script
-set -euo pipefail
-
-# Verify that GRUB password directives are only used when GRUB is being used
-arch=$(uname -p)
-# Butane sugar will tell ignition to mount /boot to /sysroot/boot. We can simply check if
-# the file exists to see whether the check needs to be performed.
-# It is possible that the user creates a config, which will mount /boot at a different path
-# but that case is not officially supported.
-if [ -f /sysroot/boot/grub2/user.cfg ]; then
-    # s390x does not use GRUB, ppcle64 uses petitboot with a GRUB config parser which does not support passwords
-    # So in both these cases, GRUB password is not supported
-    if grep -q password_pbkdf2 /sysroot/boot/grub2/user.cfg && [[ "$arch" =~ ^(s390x|ppc64le)$ ]]; then
-        echo "Ignition config provisioned a GRUB password, which is not supported on $arch"
-        exit 1
-    fi
-fi

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-teardown-initramfs.sh

@@ -22,21 +22,6 @@ dracut_func() {
     return $rc
 }
 
-# Get the BOOTIF and rd.bootif kernel arguments from
-# the kernel command line.
-get_bootif_kargs() {
-    bootif_kargs=""
-    bootif_karg=$(dracut_func getarg BOOTIF)
-    if [ ! -z "$bootif_karg" ]; then
-        bootif_kargs+="BOOTIF=${bootif_karg}"
-    fi
-    rdbootif_karg=$(dracut_func getarg rd.bootif)
-    if [ ! -z "$rdbootif_karg" ]; then
-        bootif_kargs+=" rd.bootif=${rdbootif_karg}"
-    fi
-    echo $bootif_kargs
-}
-
 # Determine if the generated NM connection profiles match the default
 # that would be given to us if the user had provided no additional
 # configuration. i.e. did the user give us any network configuration
@@ -48,9 +33,6 @@ are_default_NM_configs() {
     # pick up our CoreOS default networking kargs from the afterburn dropin
     DEFAULT_KARGS_FILE=/usr/lib/systemd/system/afterburn-network-kargs.service.d/50-afterburn-network-kargs-default.conf
     source <(grep -o 'AFTERBURN_NETWORK_KARGS_DEFAULT=.*' $DEFAULT_KARGS_FILE)
-    # Also pick up BOOTIF/rd.bootif kargs and apply them here.
-    # See https://github.com/coreos/fedora-coreos-tracker/issues/1048
-    BOOTIF_KARGS=$(get_bootif_kargs)
     # Make two dirs for storing files to use in the comparison
     mkdir -p /run/coreos-teardown-initramfs/connections-compare-{1,2}
     # Make another that's just a throwaway for the initrd-data-dir
@@ -61,8 +43,7 @@ are_default_NM_configs() {
     # Do a new run with the default input
     /usr/libexec/nm-initrd-generator \
         -c /run/coreos-teardown-initramfs/connections-compare-2 \
-        -i /run/coreos-teardown-initramfs/initrd-data-dir \
+        -i /run/coreos-teardown-initramfs/initrd-data-dir -- $AFTERBURN_NETWORK_KARGS_DEFAULT
-        -- $AFTERBURN_NETWORK_KARGS_DEFAULT $BOOTIF_KARGS
     # remove unique identifiers from the files (so our diff can work)
     sed -i '/^uuid=/d' /run/coreos-teardown-initramfs/connections-compare-{1,2}/*
     # currently the output will differ based on whether rd.neednet=1
@@ -94,11 +75,9 @@ are_default_NM_configs() {
 propagate_initramfs_networking() {
     # Check for any real root config in the two locations where a user could have
     # provided network configuration. On FCOS we only support keyfiles, but on RHCOS
-    # we support keyfiles and ifcfg. We also need to ignore readme-ifcfg-rh.txt
+    # we support keyfiles and ifcfg
-    # which is a cosmetic file added in
-    # https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/96d7362
     if [ -n "$(ls -A /sysroot/etc/NetworkManager/system-connections/)" -o \
-         -n "$(ls -A -I readme-ifcfg-rh.txt /sysroot/etc/sysconfig/network-scripts/)" ]; then
+         -n "$(ls -A /sysroot/etc/sysconfig/network-scripts/)" ]; then
         echo "info: networking config is defined in the real root"
         realrootconfig=1
     else
@@ -232,9 +211,6 @@ main() {
     # clean it up so that no information from outside of the
     # real root is passed on to NetworkManager in the real root
     rm -rf /run/NetworkManager/
-
-    rm -f /run/udev/rules.d/80-coreos-boot-disk.rules
-    rm -f /dev/disk/by-id/coreos-boot-disk
 }
 
 main

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-unique-boot.service

@@ -1,22 +0,0 @@
-[Unit]
-Description=Ensure filesystem labeled `boot` is unique
-ConditionPathExists=/etc/initrd-release
-DefaultDependencies=no
-Before=ignition-diskful.target
-Wants=systemd-udevd.service
-After=systemd-udevd.service
-# And since the boot device may be on multipath; optionally wait for it to
-# appear via the dynamic target.
-After=coreos-multipath-wait.target
-Requires=dev-disk-by\x2dlabel-boot.device
-After=dev-disk-by\x2dlabel-boot.device
-# Run before services that modify/use `boot` partition
-Before=coreos-gpt-setup.service coreos-boot-edit.service
-
-OnFailure=emergency.target
-OnFailureJobMode=isolate
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/bin/rdcore verify-unique-fs-label boot

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh

@@ -22,9 +22,7 @@ install() {
         diff \
         lsblk \
         sed \
-        grep \
+        sgdisk
-        sgdisk \
-        uname
 
     inst_simple "$moddir/coreos-diskful-generator" \
         "$systemdutildir/system-generators/coreos-diskful-generator"
@@ -32,22 +30,9 @@ install() {
     inst_script "$moddir/coreos-gpt-setup.sh" \
         "/usr/sbin/coreos-gpt-setup"
 
-    # This has to work only on diskful systems during firstboot.
-    # coreos-diskful-generator will create a symlink
-    inst_simple "$moddir/80-coreos-boot-disk.rules" \
-        "/usr/lib/coreos/80-coreos-boot-disk.rules"
-
-    inst_script "$moddir/coreos-disk-contains-fs.sh" \
-        "/usr/lib/udev/coreos-disk-contains-fs"
-
     inst_script "$moddir/coreos-ignition-setup-user.sh" \
         "/usr/sbin/coreos-ignition-setup-user"
 
-    inst_script "$moddir/coreos-post-ignition-checks.sh" \
-        "/usr/sbin/coreos-post-ignition-checks"
-
-    install_ignition_unit coreos-post-ignition-checks.service
-
     # For consistency tear down the network and persist multipath between the initramfs and
     # real root. See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763
     inst_script "$moddir/coreos-teardown-initramfs.sh" \
@@ -70,10 +55,5 @@ install() {
     install_ignition_unit "coreos-boot-edit.service" \
         "ignition-diskful.target"
 
-    install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target
-    install_ignition_unit coreos-unique-boot.service ignition-diskful.target
     install_ignition_unit coreos-ignition-setup-user.service
-
-    # IBM Secure Execution. Ignition config for reencryption of / and /boot
-    inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
 }

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/coreos-livepxe-rootfs.sh

@@ -23,12 +23,12 @@ elif [[ -n "${rootfs_url}" ]]; then
     # rootfs URL was provided as karg.  Fetch image, check its hash, and
     # unpack it.
     echo "Fetching rootfs image from ${rootfs_url}..."
-    if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* && ${rootfs_url} != tftp:* ]]; then
+    if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* ]]; then
         # Don't commit to supporting protocols we might not want to expose in
         # the long term.
         echo "Unsupported scheme for image specified by:" >&2
         echo "coreos.live.rootfs_url=${rootfs_url}" >&2
-        echo "Only HTTP, HTTPS, and TFTP are supported. Please fix your PXE configuration." >&2
+        echo "Only HTTP and HTTPS are supported. Please fix your PXE configuration." >&2
         exit 1
     fi
 

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-live/live-generator

@@ -152,20 +152,6 @@ Type=squashfs
 # is checked by coreos-assembler cmd-buildextend-live at build time.
 Options=loop,offset=124
 EOF
-
-    # And one more unit to workaround what we think is a systemd bug.
-    # We've found the system can stall waiting for run-media-iso.mount
-    # and apparently any operation seems to be effective at reviving
-    # the system.
-    # https://github.com/coreos/fedora-coreos-tracker/issues/1233#issuecomment-1238814171
-    cat >"${UNIT_DIR}/workaround-stalled-media-iso-mount.service" <<EOF
-[Service]
-Type=simple
-StandardOutput=journal
-StandardError=journal
-ExecStart=bash -c "sleep 10; echo 'warn: tracker issue workaround engaged for https://github.com/coreos/fedora-coreos-tracker/issues/1233'"
-EOF
-    add_requires workaround-stalled-media-iso-mount.service basic.target
 fi
 
 # It turns out that `tmpfs` currently munches all SELinux labels

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/coreos-propagate-multipath-conf.service

@@ -5,9 +5,6 @@ Before=initrd.target
 # we write to the rootfs, so run after it's ready
 After=initrd-root-fs.target
 
-# we only propagate if multipath wasn't configured via Ignition
-After=ignition-files.service
-
 # That service starts initrd-cleanup.service which will race with us completing
 # before we get nuked. Need to get to the bottom of it, but for now we need
 # this (XXX: add link to systemd issue here).

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/coreos-propagate-multipath-conf.sh

@@ -4,20 +4,14 @@ set -euo pipefail
 # Persist automatic multipath configuration, if any.
 # When booting with `rd.multipath=default`, the default multipath
 # configuration is written. We need to ensure that the multipath configuration
-# is persisted to the rootfs.
+# is persisted to the final target.
 
-if [ ! -f /etc/multipath.conf ]; then
+if [ ! -f /sysroot/etc/multipath.conf ] && [ -f /etc/multipath.conf ]; then
-    echo "info: initrd file /etc/multipath.conf does not exist"
+    echo "info: propagating automatic multipath configuration"
-    echo "info: no initrd multipath configuration to propagate"
+    cp -v /etc/multipath.conf /sysroot/etc/
-    exit 0
+    mkdir -p /sysroot/etc/multipath/multipath.conf.d
+    coreos-relabel /etc/multipath.conf
+    coreos-relabel /etc/multipath/multipath.conf.d
+else
+    echo "info: no initramfs automatic multipath configuration to propagate"
 fi
-
-if [ -f /sysroot/etc/multipath.conf ]; then
-    echo "info: real root file /etc/multipath.conf exists"
-    echo "info: not propagating initrd multipath configuration"
-    exit 0
-fi
-
-echo "info: propagating initrd multipath configuration"
-cp -v /etc/multipath.conf /sysroot/etc/
-coreos-relabel /etc/multipath.conf

overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/module-setup.sh

@@ -2,20 +2,20 @@
 # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
 # ex: ts=8 sw=4 sts=4 et filetype=sh
 
-install_unit() {
+install_ignition_unit() {
     local unit=$1; shift
-    local target=${1:-initrd}
+    local target=${1:-complete}
     inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit"
     # note we `|| exit 1` here so we error out if e.g. the units are missing
     # see https://github.com/coreos/fedora-coreos-config/issues/799
-    systemctl -q --root="$initdir" add-requires "${target}.target" "$unit" || exit 1
+    systemctl -q --root="$initdir" add-requires "ignition-${target}.target" "$unit" || exit 1
 }
 
 install() {
     inst_script "$moddir/coreos-propagate-multipath-conf.sh" \
         "/usr/sbin/coreos-propagate-multipath-conf"
 
-    install_unit coreos-propagate-multipath-conf.service
+    install_ignition_unit coreos-propagate-multipath-conf.service subsequent
 
     inst_simple "$moddir/coreos-multipath-generator" \
         "$systemdutildir/system-generators/coreos-multipath-generator"

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-check-rootfs-size.service

@@ -6,8 +6,6 @@ ConditionKernelCommandLine=ostree
 ConditionPathExists=!/run/ostree-live
 After=ignition-ostree-growfs.service
 After=ostree-prepare-root.service
-# Allow Ignition config to blank out the warning
-Before=ignition-files.service
 
 [Service]
 Type=oneshot

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh

@@ -17,12 +17,6 @@ path=/sysroot
 # this shouldn't happen for us but we're being conservative.
 src=$(findmnt -nvr -o SOURCE "$path" | tail -n1)
 
-# In the IBM Secure Execution case we use Ignition to grow and reencrypt rootfs
-# see overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
-if [[ -f /run/coreos/secure-execution ]]; then
-    exit 0
-fi
-
 if [ ! -f "${saved_partstate}" ]; then
     partition=$(realpath /dev/disk/by-label/root)
 else

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.service

@@ -1,18 +0,0 @@
-# RHOCS 4.12.s390x has an old kernel with a known issue: https://bugzilla.redhat.com/show_bug.cgi?id=2075085
-# Once we have kernel >= 4.18.0-387.el8.s390x we should drop this unit and copy config in coreos-diskful-generator
-[Unit]
-Description=Ignition OSTree: Inject Secure Execution Config
-DefaultDependencies=false
-ConditionArchitecture=s390x
-ConditionKernelCommandLine=ostree
-ConditionPathExists=/run/coreos/secure-execution
-OnFailure=emergency.target
-OnFailureJobMode=isolate
-
-After=coreos-gpt-setup.service
-Before=ignition-fetch-offline.service
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-ExecStart=/usr/libexec/ignition-ostree-secex-config

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.sh

@@ -1,5 +0,0 @@
-#!/bin/bash
-set -euo pipefail
-
-bootdev=$(blkid --list-one --output device --match-token PARTLABEL=boot | sed 's,[0-9]\+$,,')
-sed "s,\${BOOTDEV},$bootdev," < /usr/lib/coreos/01-secex.ign > /usr/lib/ignition/base.d/01-secex.ign

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-transposefs.sh

@@ -43,10 +43,9 @@ get_partlabels_for_parttype() {
 mount_verbose() {
     local srcdev=$1; shift
     local destdir=$1; shift
-    local mode=${1:-ro}
+    echo "Mounting ${srcdev} ($(realpath "$srcdev")) to $destdir"
-    echo "Mounting ${srcdev} ${mode} ($(realpath "$srcdev")) to $destdir"
     mkdir -p "${destdir}"
-    mount -o "${mode}" "${srcdev}" "${destdir}"
+    mount "${srcdev}" "${destdir}"
 }
 
 # Sometimes, for some reason the by-label symlinks aren't updated. Detect these
@@ -57,10 +56,7 @@ udev_trigger_on_label_mismatch() {
     local expected_dev=$1; shift
     local actual_dev
     expected_dev=$(realpath "${expected_dev}")
-    # We `|| :` here because sometimes /dev/disk/by-label/$label is missing.
+    actual_dev=$(realpath "/dev/disk/by-label/$label")
-    # We've seen this on Fedora kernels with debug enabled (common in `rawhide`).
-    # See https://github.com/coreos/fedora-coreos-tracker/issues/1092
-    actual_dev=$(realpath "/dev/disk/by-label/$label" || :)
     if [ "$actual_dev" != "$expected_dev" ]; then
         echo "Expected /dev/disk/by-label/$label to point to $expected_dev, but points to $actual_dev; triggering udev"
         udevadm trigger --settle "$expected_dev"
@@ -73,18 +69,6 @@ get_partition_offset() {
     cat "/sys${devpath}/start"
 }
 
-# copied from generator-lib.sh
-karg() {
-    local name="$1" value="${2:-}"
-    local cmdline=( $(</proc/cmdline) )
-    for arg in "${cmdline[@]}"; do
-        if [[ "${arg%%=*}" == "${name}" ]]; then
-            value="${arg#*=}"
-        fi
-    done
-    echo "${value}"
-}
-
 mount_and_restore_filesystem_by_label() {
     local label=$1; shift
     local mountpoint=$1; shift
@@ -92,51 +76,10 @@ mount_and_restore_filesystem_by_label() {
     local new_dev
     new_dev=$(jq -r "$(query_fslabel "${label}") | .[0].device" "${ignition_cfg}")
     udev_trigger_on_label_mismatch "${label}" "${new_dev}"
-    mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}" rw
+    mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}"
-    find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} +
+    find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} \;
 }
 
-mount_and_save_filesystem_by_label() {
-    local label=$1; shift
-    local saved_fs=$1; shift
-    local fs=/dev/disk/by-label/${label}
-    if [[ -f /run/coreos/secure-execution ]]; then
-        local roothash_karg=${label}fs.roothash
-        local roothash=$(karg "${roothash_karg}")
-        if [ -z "${roothash}" ]; then
-          echo "Missing kernel argument ${roothash_karg}; aborting"
-          exit 1
-        fi
-        local roothash_part=/dev/disk/by-partlabel/${label}hash
-        veritysetup open "${fs}" "${label}" "${roothash_part}" "${roothash}"
-        fs=/dev/mapper/${label}
-    fi
-    mount_verbose "${fs}" /var/tmp/mnt
-    cp -aT /var/tmp/mnt "${saved_fs}"
-    umount /var/tmp/mnt
-    if [[ -f /run/coreos/secure-execution ]]; then
-        veritysetup close "${label}"
-    fi
-}
-
-# In Secure Execution case user is not allowed to modify partition table
-check_and_set_secex_config() {
-    if [[ -f /run/coreos/secure-execution ]]; then
-        local wr=$(jq "$(query_fslabel root) | length" "${ignition_cfg}")
-        local wb=$(jq "$(query_fslabel boot) | length" "${ignition_cfg}")
-        if [ "${wr}${wb}" != "00" ]; then
-            echo "Modifying bootfs and rootfs is not supported in Secure Execution mode"
-            exit 1
-        fi
-        # Cached config isn't merged, so reset it and recheck again, just to make sure
-        ignition_cfg=/usr/lib/ignition/base.d/01-secex.ign
-    fi
-}
-
-# We could have done this during 'detect' below, but other cases also request
-# info from config, so just check cached one and reset to secex.ign now
-check_and_set_secex_config
-
 case "${1:-}" in
     detect)
         # Mounts are not in a private namespace so we can mount ${saved_data}
@@ -201,13 +144,15 @@ case "${1:-}" in
         # Mounts happen in a private mount namespace since we're not "offically" mounting
         if [ -d "${saved_root}" ]; then
             echo "Moving rootfs to RAM..."
-            mount_and_save_filesystem_by_label root "${saved_root}"
+            mount_verbose "${root_part}" /sysroot
+            cp -aT /sysroot "${saved_root}"
             # also store the state of the partition
             lsblk "${root_part}" --nodeps --pairs -b --paths -o NAME,TYPE,SIZE > "${partstate_root}"
         fi
         if [ -d "${saved_boot}" ]; then
             echo "Moving bootfs to RAM..."
-            mount_and_save_filesystem_by_label boot "${saved_boot}"
+            mount_verbose "${boot_part}" /sysroot/boot
+            cp -aT /sysroot/boot "${saved_boot}"
         fi
         if [ -d "${saved_esp}" ]; then
             echo "Moving EFI System Partition to RAM..."
@@ -255,8 +200,8 @@ case "${1:-}" in
                 # 3. We don't need the by-label symlink to be correct and
                 #    nothing later in boot will be mounting the filesystem
                 mountpoint="/mnt/esp-${label}"
-                mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}" rw
+                mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}"
-                find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -at "${mountpoint}" {} +
+                find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -a {} "${mountpoint}" \;
             done
         fi
         if [ -d "${saved_bios}" ]; then

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service

@@ -11,8 +11,6 @@ Before=ignition-fetch-offline.service
 # Any services looking at mounts need to order after this
 # because it causes device re-probing.
 After=coreos-gpt-setup.service
-# If we're going to reprovision the bootfs, then there's no need to restamp
-ConditionKernelCommandLine=!bootfs.roothash
 
 Before=systemd-fsck@dev-disk-by\x2dlabel-boot.service
 Requires=dev-disk-by\x2dlabel-boot.device

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-root.service

@@ -8,7 +8,6 @@ Before=sysroot.mount initrd-root-fs.target
 After=ignition-disks.service
 # If we've reprovisioned the rootfs, then there's no need to restamp
 ConditionPathExists=!/run/ignition-ostree-transposefs
-ConditionKernelCommandLine=!rootfs.roothash
 
 After=dev-disk-by\x2dlabel-root.device
 # Avoid racing with fsck

overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh

@@ -30,12 +30,6 @@ install() {
         sort \
         uniq
 
-    if [[ $(uname -m) = s390x ]]; then
-        # for Secure Execution
-        inst_multiple \
-            veritysetup
-    fi
-
     # ignition-ostree-growfs deps
     inst_multiple  \
         basename   \
@@ -107,9 +101,4 @@ install() {
         /usr/libexec/coreos-check-rootfs-size
 
     inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
-
-    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2075085
-    install_ignition_unit ignition-ostree-secex-config.service
-    inst_script "$moddir/ignition-ostree-secex-config.sh" \
-        /usr/libexec/ignition-ostree-secex-config
 }

overlay.d/05core/usr/lib/dracut/modules.d/60coreos-agetty-workaround/coreos-touch-run-agetty.service

@@ -5,7 +5,6 @@
 Description=CoreOS: Touch /run/agetty.reload
 Documentation=https://bugzilla.redhat.com/show_bug.cgi?id=1932053
 DefaultDependencies=false
-Before=initrd.target
 
 [Service]
 Type=oneshot

overlay.d/05core/usr/lib/dracut/modules.d/99emergency-shell-setup/emergency-shell.sh

@@ -1,78 +0,0 @@
-# Display relevant errors then enter emergency shell
-
-# _wait_for_journalctl_to_stop will block until either:
-# - no messages have appeared in journalctl for the past 5 seconds
-# - 15 seconds have elapsed
-_wait_for_journalctl_to_stop() {
-    local time_since_last_log=0
-
-    local time_started="$(date '+%s')"
-    local now="$(date '+%s')"
-
-    while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
-        sleep 1
-
-        local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
-        local now="$(date '+%s')"
-
-        local time_since_last_log=$((now-last_log_timestamp))
-    done
-}
-
-_display_relevant_errors() {
-    failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
-    if [ -n "${failed}" ]; then
-        # Something failed, suppress kernel logs so that it's more likely
-        # the useful bits from the journal are available.
-        dmesg --console-off
-
-        # There's a couple straggler systemd messages. Wait until it's been 5
-        # seconds since something was written to the journal.
-        _wait_for_journalctl_to_stop
-
-        # Print Ignition logs
-        if echo ${failed} | grep -qFe 'ignition-'; then
-        cat <<EOF
-------
-Ignition has failed. Please ensure your config is valid. Note that only
-Ignition spec v3.0.0+ configs are accepted.
-
-A CLI validation tool to check this called ignition-validate can be
-downloaded from GitHub:
-    https://github.com/coreos/ignition/releases
-------
-
-EOF
-        fi
-
-        # If this is a live boot, check for ENOSPC in initramfs filesystem
-        # Try creating a 64 KiB file, in case a small file was deleted on
-        # service failure
-        # https://github.com/coreos/fedora-coreos-tracker/issues/1055
-        if [ -f /etc/coreos-live-initramfs ] && \
-            ! dd if=/dev/zero of=/tmp/check-space bs=4K count=16 2>/dev/null; then
-            cat <<EOF
-------
-Ran out of memory when unpacking initrd filesystem.  Ensure your system has
-at least 2 GiB RAM if booting with coreos.live.rootfs_url, or 4 GiB otherwise.
-------
-
-EOF
-            # Don't show logs from failed units, since they'll just be
-            # random misleading errors.
-        else
-            echo "Displaying logs from failed units: ${failed}"
-            for unit in ${failed}; do
-                # 10 lines should be enough for everyone
-                SYSTEMD_COLORS=true journalctl -b --no-pager --no-hostname -u ${unit} -n 10
-            done
-        fi
-    fi
-}
-
-# Print warnings/informational messages to all configured consoles on the
-# machine. Code inspired by https://github.com/dracutdevs/dracut/commit/32f68c1
-MESSAGE="$(_display_relevant_errors)"
-while read -r _tty rest; do
-    echo -e "$MESSAGE" > /dev/"$_tty"
-done < /proc/consoles

overlay.d/05core/usr/lib/dracut/modules.d/99emergency-timeout/ignition-virtio-dump-journal.service

@@ -7,7 +7,6 @@ ConditionVirtualization=|qemu
 Requires=systemd-journald.service
 After=systemd-journald.service
 After=basic.target
-Before=initrd.target
 
 [Service]
 Type=oneshot

overlay.d/05core/usr/lib/dracut/modules.d/99emergency-timeout/module-setup.sh

@@ -15,10 +15,9 @@ install_unit_wants() {
 install() {
     inst_multiple \
         cut \
-        date \
+        date
-        dd
 
-    inst_hook emergency 99 "${moddir}/emergency-shell.sh"
+    inst_hook emergency 99 "${moddir}/timeout.sh"
 
     inst_script "$moddir/ignition-virtio-dump-journal.sh" "/usr/bin/ignition-virtio-dump-journal"
     install_unit_wants ignition-virtio-dump-journal.service emergency.target

overlay.d/05core/usr/lib/dracut/modules.d/99emergency-timeout/timeout.sh

@@ -0,0 +1,99 @@
+# Before starting the emergency shell, prompt the user to press Enter.
+# If they don't, reboot the system.
+#
+# Assumes /bin/sh is bash.
+
+# _wait_for_journalctl_to_stop will block until either:
+# - no messages have appeared in journalctl for the past 5 seconds
+# - 15 seconds have elapsed
+_wait_for_journalctl_to_stop() {
+    local time_since_last_log=0
+
+    local time_started="$(date '+%s')"
+    local now="$(date '+%s')"
+
+    while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
+        sleep 1
+
+        local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
+        local now="$(date '+%s')"
+
+        local time_since_last_log=$((now-last_log_timestamp))
+    done
+}
+
+_prompt_for_timeout() {
+    local timeout=300
+    local interval=15
+
+    if [[ -e /.emergency-shell-confirmed ]]; then
+        return
+    fi
+    failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
+    if [ -n "${failed}" ]; then
+        # Something failed, suppress kernel logs so that it's more likely
+        # the useful bits from the journal are available.
+        dmesg --console-off
+
+        # There's a couple straggler systemd messages. Wait until it's been 5
+        # seconds since something was written to the journal.
+        _wait_for_journalctl_to_stop
+
+        # Print Ignition logs
+        if echo ${failed} | grep -qFe 'ignition-'; then
+        cat <<EOF
+------
+Ignition has failed. Please ensure your config is valid. Note that only
+Ignition spec v3.0.0+ configs are accepted.
+
+A CLI validation tool to check this called ignition-validate can be
+downloaded from GitHub:
+    https://github.com/coreos/ignition/releases
+------
+
+EOF
+        fi
+        echo "Displaying logs from failed units: ${failed}"
+        for unit in ${failed}; do
+            # 10 lines should be enough for everyone
+            journalctl -b --no-pager --no-hostname -u ${unit} -n 10
+        done
+    fi
+
+    # Regularly prompt with time remaining.  This ensures the prompt doesn't
+    # get lost among kernel and systemd messages, and makes it clear what's
+    # going on if the user just connected a serial console.
+    while [[ $timeout > 0 ]]; do
+        local m=$(( $timeout / 60 ))
+        local s=$(( $timeout % 60 ))
+        local m_label="minutes"
+        if [[ $m = 1 ]]; then
+            m_label="minute"
+        fi
+
+        if [[ $s != 0 ]]; then
+            echo -n -e "Press Enter for emergency shell or wait $m $m_label $s seconds for reboot.      \r"
+        else
+            echo -n -e "Press Enter for emergency shell or wait $m $m_label for reboot.                 \r"
+        fi
+
+        local anything
+        if read -t $interval anything; then
+            > /.emergency-shell-confirmed
+            return
+        fi
+        timeout=$(( $timeout - $interval ))
+    done
+
+    echo -e "\nRebooting."
+    # This is not very nice, but since reboot.target likely conflicts with
+    # the existing goal target wrt the desired state of shutdown.target,
+    # there doesn't seem to be a better option.
+    systemctl reboot --force
+    exit 0
+}
+
+# If we're invoked from a dracut breakpoint rather than
+# dracut-emergency.service, we won't have a controlling terminal and stdio
+# won't be connected to it. Explicitly read/write /dev/console.
+_prompt_for_timeout < /dev/console > /dev/console

overlay.d/05core/usr/lib/dracut/modules.d/99journal-conf/00-journal-log-forwarding.conf

@@ -1,12 +1,12 @@
 [Journal]
 # For now we are using kmsg for multiplexing output to
 # multiple console devices during early boot.
-#
+# 
 # We do not want to use kmsg in the future as there may be sensitive
 # ignition data that leaks to non-root users (by reading the kernel
 # ring buffer using `dmesg`). In the future we will rely on kernel
 # console multiplexing (link below) for this and will not use kmsg.
-#
+# 
 # https://github.com/coreos/fedora-coreos-tracker/issues/136
 ForwardToKMsg=yes
 MaxLevelKMsg=info

overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset

@@ -5,15 +5,8 @@ enable console-login-helper-messages-gensnippet-os-release.service
 enable console-login-helper-messages-gensnippet-ssh-keys.service
 # CA certs (probably to add to base fedora eventually)
 enable coreos-update-ca-trust.service
-# Set kernel console log level
-enable coreos-printk-quiet.service
 # https://github.com/coreos/ignition/issues/1125
 enable coreos-ignition-firstboot-complete.service
-# Delete Ignition config from provider on platforms where it's possible
-# https://github.com/coreos/ignition/pull/1350
-enable ignition-delete-config.service
-# Delete Ignition config from provider when upgrading existing nodes
-enable coreos-ignition-delete-config.service
 # Boot checkin services for cloud providers.
 enable afterburn-checkin.service
 enable afterburn-firstboot-checkin.service
@@ -30,5 +23,5 @@ enable bootupd.socket
 # Ideally it should have been added as part of base Fedora - but since it was arch specific, it was not added: https://bugzilla.redhat.com/show_bug.cgi?id=1433859
 enable rtas_errd.service
 enable clevis-luks-askpass.path
-# Provide status information about the Ignition run
+# Provide information if no ignition is provided
-enable coreos-ignition-write-issues.service
+enable coreos-check-ignition-config.service

overlay.d/05core/usr/lib/systemd/system/coreos-check-ignition-config.service

@@ -0,0 +1,14 @@
+# This service is used for printing a message if 
+# no Ignition config is provided.
+[Unit]
+Description=Check if Ignition config is provided
+Before=systemd-user-sessions.service
+ConditionPathExists=/etc/.ignition-result.json
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-check-ignition-config
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

overlay.d/05core/usr/lib/systemd/system/coreos-ignition-delete-config.service

@@ -1,28 +0,0 @@
-# Can be removed from FCOS in Fedora 37 or after the next barrier release,
-# whichever comes first.  Can be removed from RHCOS in the first release
-# after every node is guaranteed to have booted at least once with 4.11 or
-# higher.
-
-[Unit]
-Description=CoreOS Delete Ignition Config From Hypervisor
-Documentation=https://coreos.github.io/ignition/
-
-ConditionKernelCommandLine=|ignition.platform.id=virtualbox
-ConditionKernelCommandLine=|ignition.platform.id=vmware
-ConditionPathExists=!/var/lib/coreos-ignition-delete-config.stamp
-# Hack: if the user masked ignition-delete-config.service, we shouldn't run
-# either.
-ConditionPathIsSymbolicLink=!/etc/systemd/system/ignition-delete-config.service
-
-# We check a stamp file written by ignition-delete-config.service.  That
-# service runs Before=sysinit.target, on which we have a default dependency,
-# so this is really just documentation.
-After=ignition-delete-config.service
-
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/coreos-ignition-delete-config
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target

overlay.d/05core/usr/lib/systemd/system/coreos-ignition-write-issues.service

@@ -1,16 +0,0 @@
-# This service writes issue files describing status
-# information about the Ignition run, which includes
-# Ignition warnings and information if no Ignition
-# config is provided.
-[Unit]
-Description=Create Ignition Status Issue Files
-Before=systemd-user-sessions.service
-ConditionPathExists=/etc/.ignition-result.json
-
-[Service]
-Type=oneshot
-ExecStart=/usr/libexec/coreos-ignition-write-issues
-RemainAfterExit=yes
-
-[Install]
-WantedBy=multi-user.target

overlay.d/05core/usr/lib/systemd/system/coreos-printk-quiet.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=CoreOS: Set printk To Level 4 (warn)
-Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1244
-# We can run right after `/proc` being mounted at least
-DefaultDependencies=no
-# We run as early as possible; the only dependency we have really
-# is the implicit After=systemd-journald.socket injected by the
-# default of our stdout writing to the journal.
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
-# We want this service to read what we wrote
-Before=systemd-sysctl.service
-# Relatedly, we don't want to override an explicitly specified kernel argument
-ConditionKernelCommandLine=!debug
-ConditionKernelCommandLine=!quiet
-ConditionKernelCommandLine=!loglevel
-
-[Service]
-Type=oneshot
-RemainAfterExit=yes
-# We need to make /run/sysctl.d if it doesn't exist and also
-# ensure it has a SELinux label that works for systemd-sysctl.service.
-# Then we just generate a sysctl file which is read by systemd-sysctl.service.
-ExecStart=/bin/bash -euo pipefail -c 'mkdir -p /run/sysctl.d && chcon --reference=/etc/sysctl.d /run/sysctl.d && echo "kernel.printk = 4" > /run/sysctl.d/01-coreos-printk.conf'
-
-[Install]
-WantedBy=sysinit.target

overlay.d/05core/usr/lib/systemd/system/emergency.service.d/coreos-sulogin-force.conf

@@ -1,6 +1,6 @@
 # https://github.com/coreos/coreos-installer/commit/15a79263d0bd5d72056a6080f6687dc10cba2dda
 # https://github.com/systemd/systemd/pull/10397
-# We want things like `systemd.unit=emergency.target` and `single` on the
+# We want things like `systemd.unit=emergency.target` and `single` on the 
 # kernel command line to just work even with our locked root account.
 # This file is used as an override for both emergency.target and rescue.target.
 [Service]

overlay.d/05core/usr/lib/systemd/system/ignition-delete-config.service.d/10-flag-file.conf

@@ -1,7 +0,0 @@
-# Create a flag file to notify coreos-ignition-delete-config.service that
-# we've run, and put it in /run because /var isn't mounted yet.
-# coreos-ignition-delete-config.service will then avoid trying to delete
-# the config again, and will create a persistent stamp file in /var/lib.
-
-[Service]
-ExecStart=/bin/touch /run/coreos-ignition-delete-config.stamp

overlay.d/05core/usr/libexec/coreos-check-ignition-config

@@ -21,36 +21,12 @@ if [ $(cat /proc/sys/kernel/random/boot_id) = "${ignitionBoot}" ]; then
         cat << EOF > /etc/issue.d/30_coreos_ignition_run_more_than_once.issue
 ${WARN}
 ############################################################################
-WARNING: Ignition previously ran on ${prevdate}. Unexpected
+WARNING: Ignition previously ran on ${prevdate}. Unexpected 
 behavior may occur. Ignition is not designed to run more than once per system.
 ############################################################################
 ${RESET}
 EOF
     fi
-    # In Ignition, we've two config validation checks, the one after
-    # fetching a config and the second after merging configs. Sometimes,
-    # a warning goes away after merging, however, it's possible that a
-    # warning appears in case merging creates a contradiction between
-    # two fields. So this workflow eventually sends duplicate warnings
-    # in journal entries. Hence, we need to avoid displaying duplicate
-    # Ignition warnings on the console.
-    # For e.g. In the journal entries, we might see the following logs:
-    #
-    # warning at $.systemd.units.0.contents, line 1 col 997: unit "echo@.service" is enabled, but has no install section so enable does nothing
-    # warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
-    #
-    # In order to normalize these logs, we'd need to get rid of the line
-    # and column numbers entirely using the sed command, and then use
-    # `sort -u` to remove duplicate content. After this, we'd see the
-    # following warning on the console:
-    #
-    # warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
-    #
-    # TODO: find a way to query journal entries recorded before the
-    # system switches to real root
-    journalctl -t ignition -o cat -p warning | sed -r 's/, line [0-9]+ col [0-9]+//g' | sort -u | while read line; do
-        echo -e "${WARN}Ignition: $line${RESET}" >> /etc/issue.d/30_coreos_ignition_warnings.issue
-    done
 else
     nreboots=$(($(journalctl --list-boots | wc -l) - 1))
     [ "${nreboots}" -eq 1 ] && boot="boot" || boot="boots"

overlay.d/05core/usr/libexec/coreos-ignition-delete-config

@@ -1,23 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-cmdline=( $(</proc/cmdline) )
-cmdline_arg() {
-    local name="$1" value
-    for arg in "${cmdline[@]}"; do
-        if [[ "${arg%%=*}" == "${name}" ]]; then
-            value="${arg#*=}"
-        fi
-    done
-    echo "${value}"
-}
-
-# Avoid running again if ignition-delete-config.service has run, but still
-# create our own stamp file now that /var is mounted.
-if [ ! -e /run/coreos-ignition-delete-config.stamp ]; then
-    PLATFORM_ID=$(cmdline_arg ignition.platform.id)
-    /usr/libexec/ignition-rmcfg --platform=${PLATFORM_ID}
-fi
-
-touch /var/lib/coreos-ignition-delete-config.stamp

overlay.d/05core/usr/libexec/coreos-ignition-firstboot-complete

@@ -3,6 +3,10 @@ set -euo pipefail
 
 mount -o remount,rw /boot
 
+if [[ $(uname -m) = s390x ]]; then
+    zipl
+fi
+
 # We're done provisioning. Remove the whole /boot/ignition directory if present,
 # which may include a baked Ignition config. See
 # https://github.com/coreos/fedora-coreos-tracker/issues/889.
@@ -12,8 +16,3 @@ rm -rf /boot/ignition
 # this file. Fail if we are unable to remove it, rather than risking rerunning
 # Ignition at next boot.
 rm /boot/ignition.firstboot
-
-# rdcore zipl checks for /boot/ignition.firstboot
-if [[ $(uname -m) = s390x ]]; then
-    /usr/lib/dracut/modules.d/50rdcore/rdcore zipl --boot-mount=/boot
-fi

overlay.d/06el9/usr/lib/dracut/dracut.conf.d/coreos-zstd.conf

@@ -1,8 +0,0 @@
-# Compress initrd with zstd.  dracut defaults to -15, but we want the
-# maximum reasonable compression, so override the command line to use
-# dracut's defaults along with -19.
-#
-# We can't use this in RHCOS 8 because the kernel doesn't enable
-# CONFIG_RD_ZSTD.
-
-compress="zstd -19 -q -T0"

overlay.d/14NetworkManager-plugins/usr/lib/NetworkManager/conf.d/10-disable-default-plugins.conf

@@ -0,0 +1,9 @@
+# Stop NetworkManager from trying to load the ifcfg-rh plugin by default,
+# which we don't ship.  This actually disables all default plugins, of which
+# ifcfg-rh is currently the only one.  
+#
+# Note that we must do this for now because `-=` syntax doesn't work
+# with compiled-in defaults. Proposed upstream fix:
+# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/491
+[main]
+plugins=

overlay.d/15fcos/usr/lib/motd.d/tracker.motd

@@ -1,3 +1,3 @@
 Tracker: https://github.com/coreos/fedora-coreos-tracker
-Discuss: https://discussion.fedoraproject.org/tag/coreos
+Discuss: https://discussion.fedoraproject.org/c/server/coreos/
 

overlay.d/15fcos/usr/lib/systemd/system-preset/45-fcos.preset

@@ -1,3 +1,5 @@
+# User metrics client
+enable fedora-coreos-pinger.service
 enable coreos-check-ssh-keys.service
 # Check if cgroupsv1 is still being used
 enable coreos-check-cgroups.service

overlay.d/15fcos/usr/lib/systemd/system/coreos-check-ssh-keys.service

@@ -1,4 +1,4 @@
-# This service is used for printing a message if no ssh keys were added
+# This service is used for printing a message if no ssh keys were added 
 # by Ignition/Afterburn
 [Unit]
 Description=Check that ssh-keys are added by Afterburn/Ignition

overlay.d/15fcos/usr/lib/sysusers.d/00-coreos-nobody.conf

@@ -1,9 +0,0 @@
-# Legacy IDs for 'nobody' user/group. This is a CoreOS mismatched entry
-# which will need to be migrated:
-# https://github.com/coreos/fedora-coreos-tracker/issues/1201
-
-# g nobody 65534
-# u nobody 65534:65534 "Kernel Overflow User" - -
-
-g nobody 99
-u nobody 99:99 "Kernel Overflow User" - -

overlay.d/15fcos/usr/lib/sysusers.d/00-coreos-static.conf

@@ -1,32 +0,0 @@
-# These are pinned users/groups whose static IDs are only used
-# this way on CoreOS nodes.
-
-g cgred 996
-g chrony 992
-g cockpit-ws 987
-g dockerroot 986
-g etcd 997
-g input 104
-g kube 994
-g nfsnobody 65534
-g polkitd 998
-g ssh_keys 999
-g sssd 993
-g sudo 16
-g systemd-bus-proxy 988
-g systemd-network 990
-g systemd-resolve 989
-g systemd-timesync 991
-
-u chrony            994:992     -                              /var/lib/chrony -
-u cockpit-ws        988:987     "User for cockpit-ws"          -               -
-u dockerroot        997:986     "Docker User"                  /var/lib/docker -
-u etcd              998:997     "etcd user"                    /var/lib/etcd   -
-u kube              996:994     "Kubernetes user"              -               -
-u nfsnobody         65534:65534 "Anonymous NFS User"           /var/lib/nfs    -
-u polkitd           999:998     "User for polkitd"             -               -
-u sssd              995:993     "User for sssd"                -               -
-u systemd-bus-proxy 989:988     "systemd Bus Proxy"            -               -
-u systemd-network   991:990     "systemd Network Management"   -               -
-u systemd-resolve   990:989     "systemd Resolver"             -               -
-u systemd-timesync  993:991     "systemd Time Synchronization" -               -

overlay.d/15fcos/usr/lib/sysusers.d/10-setup-basic.conf

@@ -1,43 +0,0 @@
-# These are basic users/groups coming from the default entries
-# in the 'setup' package. They can be dropped once that package
-# starts shipping its own sysusers.d entries.
-
-g adm 4
-g audio 63
-g bin 1
-g cdrom 11
-g daemon 2
-g dialout 18
-g disk 6
-g floppy 19
-g ftp 50
-g games 20
-g kmem 9
-g lock 54
-g lp 7
-g mail 12
-g man 15
-g mem 8
-g root 0
-g sys 3
-g tape 33
-g tty 5
-g users 100
-g video 39
-g wheel 10
-
-u adm      3:4      "adm"      /var/adm        -
-u bin      1:1      "bin"      /bin            -
-u daemon   2:2      "daemon"   /sbin           -
-u ftp      14:50    "FTP User" /var/ftp        -
-# Workaround for systemd-sysusers bug, will be fixed in v252:
-# https://github.com/systemd/systemd/issues/24217
-# u games  12:100   "games"    /usr/games      -
-u games    12:users "games"    /usr/games      -
-u halt     7:0      "halt"     /sbin           /sbin/halt
-u lp       4:7      "lp"       /var/spool/lpd  -
-u mail     8:12     "mail"     /var/spool/mail -
-u operator 11:0     "operator" /root           -
-u root     0:0      "root"     /root           /bin/bash
-u shutdown 6:0      "shutdown" /sbin           /sbin/shutdown
-u sync     5:0      "sync"     /sbin           /bin/sync

overlay.d/15fcos/usr/lib/sysusers.d/10-static-extra.conf

@@ -1,24 +0,0 @@
-# These are users/groups with static IDs which follow usual Fedora-wide
-# allocation. They are usually coming from relevant packages, but we also
-# pre-populate them on CoreOS.
-
-g avahi-autoipd 170
-g ceph 167
-g dbus 81
-g dip 40
-g rpc 32
-g rpcuser 29
-g sshd 74
-g systemd-journal 190
-g tcpdump 72
-g utempter 35
-g utmp 22
-
-u avahi-autoipd 170:170     "Avahi IPv4LL Stack"          /var/lib/avahi-autoipd -
-u ceph          167:167     "Ceph daemons"                /var/lib/ceph          -
-u dbus          81:81       "System Message Bus"          -                      -
-u nfsnobody     65534:65534 "Anonymous NFS User"          /var/lib/nfs           -
-u rpc           32:32       "Rpcbind Daemon"              /var/lib/rpcbind       -
-u rpcuser       29:29       "RPC Service User"            /var/lib/nfs           -
-u sshd          74:74       "Privilege-separated SSH"     /var/empty/sshd        -
-u tcpdump       72:72       -                             -                      -

overlay.d/15fcos/usr/libexec/coreos-check-ssh-keys

@@ -1,5 +1,5 @@
 #!/usr/bin/bash
-# This script will print a message in the serial console
+# This script will print a message in the serial console 
 # if no ssh keys were added by Ignition/Afterburn.
 main() {
     # Change the output color to yellow
@@ -7,22 +7,19 @@ main() {
     # No color
     nc='\033[0m'
 
-    # See https://github.com/coreos/ignition/pull/964 for the MESSAGE_ID
+    # See https://github.com/coreos/ignition/pull/964 for the MESSAGE_ID 
-    # source. It will track the authorized-ssh-keys entries in journald
+    # source. It will track the authorized-ssh-keys entries in journald 
-    # provided via Ignition. Limit journal output to the most recent boot
+    # provided via Ignition.
-    # so we don't get output from re-used /var/ partitions.
     ignitionusers=$(
-            journalctl -b 0 -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
+            journalctl -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
             jq -r '.MESSAGE' | \
             xargs -I{} echo "Ignition: {}")
 
-    # See https://github.com/coreos/afterburn/pull/397 for the MESSAGE_ID
+    # See https://github.com/coreos/afterburn/pull/397 for the MESSAGE_ID 
-    # source. It will track the authorized-ssh-keys entries in journald
+    # source. It will track the authorized-ssh-keys entries in journald  
-    # provided via Afterburn.Limit journal output to the most recent boot
+    # provided via Afterburn.
-    # so we don't get output from re-used /var/ partitions.
-
     afterburnusers=$(
-            journalctl -b 0 -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
+            journalctl -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
             jq -r '.MESSAGE' | \
             xargs -I{} echo "Afterburn: {}")
 

overlay.d/20platform-chrony/usr/lib/systemd/system-generators/coreos-platform-chrony

@@ -11,12 +11,16 @@ set -euo pipefail
 #
 # Originally spawned from discussion in https://github.com/openshift/installer/pull/3513
 
-. /usr/lib/coreos/generator-lib.sh
+# Generators don't have logging right now
+# https://github.com/systemd/systemd/issues/15638
+exec 1>/dev/kmsg; exec 2>&1
 
 self=$(basename $0)
 confpath=/run/coreos-platform-chrony.conf
 
-platform=$(karg ignition.platform.id)
+# Yeah this isn't a completely accurate kernel argument parser but
+# we don't have one shared across shell services at the moment.
+platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d =)"
 case "${platform}" in
     azure|azurestack|aws|gcp) ;;  # OK, this is a platform we know how to support
     *) exit 0 ;;

overlay.d/README.md

@@ -1,18 +1,7 @@
-These overlay directories are automatically committed to the build OSTree repo
-by coreos-assembler. They are then explicitly included in our various manifest
-files via `ostree-layers` (this used to be done automatically, but that's no
-longer the case).
-
 05core
-------
-
-This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
-
-06el9
 -----
 
-This overlay includes content shared between FCOS and RHCOS/SCOS 9, but not
+This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
-RHCOS 8.
 
 08nouveau
 ---------
@@ -28,6 +17,11 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1700056
 
 Warning about `/etc/sysconfig`.
 
+14NetworkManager-plugins
+------------------------
+
+Disables the Red Hat Linux legacy `ifcfg` format.
+
 15fcos
 ------
 
@@ -36,16 +30,10 @@ Things that are more closely "Fedora CoreOS":
 * disable password logins by default over SSH
 * enable SSH keys written by Ignition and Afterburn
 * branding (MOTD)
-* enable FCOS-specific services by default
+* enable services by default (fedora-coreos-pinger)
 * display warnings on the console if no ignition config was provided or no ssh
   key found.
 
-16disable-zincati
------------------
-
-Disable Zincati on non-production streams:
-https://github.com/coreos/fedora-coreos-tracker/issues/163
-
 20platform-chrony
 -----------------
 

rocky.repo

@@ -5,7 +5,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStre
 gpgcheck=1
 enabled=1
 countme=1
-gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
+gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
 
 [baseos]
 name=Rocky Linux $releasever - BaseOS
@@ -14,7 +14,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-
 gpgcheck=1
 enabled=1
 countme=1
-gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
+gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
 
 [extras]
 name=Rocky Linux $releasever - Extras
@@ -23,4 +23,4 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-
 gpgcheck=1
 enabled=1
 countme=1
-gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
+gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever