No commits in common. "master" and "r8" have entirely different histories.
1
.gitignore
vendored
1
.gitignore
vendored
@ -2,4 +2,3 @@ build/
|
||||
.direnv/
|
||||
.envrc
|
||||
ass
|
||||
.idea
|
@ -10,10 +10,3 @@ repos:
|
||||
- extras
|
||||
|
||||
include: manifests/rocky-coreos.yaml
|
||||
|
||||
postprocess:
|
||||
- |
|
||||
#!/usr/bin/env bash
|
||||
set -xeuo pipefail
|
||||
# Remove rltype from repo urls
|
||||
find /etc/yum.repos.d/ -type f -exec sed -i 's/\$rltype//g' {} \;
|
||||
|
@ -3,7 +3,6 @@
|
||||
|
||||
include:
|
||||
- ignition-and-ostree.yaml
|
||||
- shared-el9.yaml
|
||||
- shared-workarounds.yaml
|
||||
- system-configuration.yaml
|
||||
- user-experience.yaml
|
||||
|
@ -1,7 +1,6 @@
|
||||
# Config file for overriding permission bits on overlay files/dirs
|
||||
# Format: =<file mode in decimal> <absolute path to a file or directory>
|
||||
|
||||
# sudo prefers its config files to be mode 440, and some security scanners
|
||||
# complain if /etc/sudoers.d files are world-readable.
|
||||
# Some security scanners complain if /etc/sudoers.d files have 0044 mode bits
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1981979
|
||||
=288 /etc/sudoers.d/coreos-sudo-group
|
||||
=384 /etc/sudoers.d/coreos-sudo-group
|
||||
|
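Review bot: The `=288 /etc/sudoers.d/coreos-sudo-group` and `=384 /etc/sudoers.d/coreos-sudo-group` entries encode 0440 and 0600 in octal, and neither comment says so even though the file header states that modes are given in decimal. Whichever entry survives on the new side, the comment directly above it should spell out the octal mode and the reason it was chosen, e.g. `# 384 = 0600: root read/write only, no group or world bits`. If both entries were to end up in the same file, the effective mode would depend on how the consumer resolves duplicate paths, which is not visible here, so keep exactly one.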
@ -1,2 +0,0 @@
|
||||
# Default rpm-ostree model is server-side generated initramfs
|
||||
hostonly=no
|
@ -1,3 +0,0 @@
|
||||
# We don't ship `strip` or `eu-strip` today, and even if we did, it doesn't
|
||||
# save much space. So let's disable it to avoid the error-looking message.
|
||||
do_strip=no
|
@ -1,15 +0,0 @@
|
||||
# We don't support root on NFS, so we don't need it in the initramfs. It also
|
||||
# conflicts with /var mount support in ignition because NFS tries to mount stuff
|
||||
# in /var/ and then ignition can't cleanly unmount it. For example:
|
||||
# https://github.com/dracutdevs/dracut/blob/1856ae95c873a6fe855b3dccd0144f1a96b9e71c/modules.d/95nfs/nfs-start-rpc.sh#L7
|
||||
# See also discussion in https://github.com/coreos/fedora-coreos-config/pull/60
|
||||
# Further, we currently do not use LVM, iSCSI or dmraid
|
||||
omit_dracutmodules+=" nfs lvm iscsi dmraid "
|
||||
# More storage modules we don't use
|
||||
omit_dracutmodules+=" fcoe fcoe-uefi nbd "
|
||||
# We use NetworkManager
|
||||
omit_dracutmodules+=" systemd-networkd network-legacy network-wicked "
|
||||
# We use systemd network naming
|
||||
omit_dracutmodules+=" biosdevname "
|
||||
# Random stuff we don't want
|
||||
omit_dracutmodules+=" rngd busybox dbus-daemon memstrack pcsc bluetooth "
|
@ -0,0 +1,18 @@
|
||||
#!/bin/bash
|
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||
|
||||
# We want to provide Azure udev rules as part of the initrd, so that Ignition
|
||||
# is able to detect disks and act on them.
|
||||
#
|
||||
# If the WALinuxAgent-udev package is changed to install the udev rules as
|
||||
# part of the initramfs, we should drop this module.
|
||||
#
|
||||
# See https://bugzilla.redhat.com/show_bug.cgi?id=1909287
|
||||
# See also https://bugzilla.redhat.com/show_bug.cgi?id=1756173
|
||||
|
||||
install() {
|
||||
inst_multiple \
|
||||
/usr/lib/udev/rules.d/66-azure-storage.rules \
|
||||
/usr/lib/udev/rules.d/99-azure-product-uuid.rules
|
||||
}
|
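Review bot: `install()` copies only the two rule files with `inst_multiple`; if either rule invokes a helper through `PROGRAM=` or `RUN=` (the rule contents are not part of this compare), that binary must be installed into the initrd as well, otherwise the rule fails quietly at boot and Ignition still cannot see the Azure disks the header comment is about. A one-line comment above `inst_multiple` recording that the rules were checked to be self-contained, or listing the helpers they need, would make that verification visible to the next person who bumps the WALinuxAgent-udev package.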
@ -1,70 +0,0 @@
|
||||
{
|
||||
"ignition": {
|
||||
"version": "3.2.0"
|
||||
},
|
||||
"storage": {
|
||||
"disks": [
|
||||
{
|
||||
"device": "${BOOTDEV}",
|
||||
"partitions": [
|
||||
{
|
||||
"label": "boot",
|
||||
"number": 3
|
||||
},
|
||||
{
|
||||
"label": "root",
|
||||
"number": 4,
|
||||
"resize": true,
|
||||
"sizeMiB": 0
|
||||
},
|
||||
{
|
||||
"number": 5,
|
||||
"shouldExist": false,
|
||||
"wipePartitionEntry": true
|
||||
},
|
||||
{
|
||||
"number": 6,
|
||||
"shouldExist": false,
|
||||
"wipePartitionEntry": true
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"luks": [
|
||||
{
|
||||
"device": "/dev/disk/by-partlabel/boot",
|
||||
"label": "crypt_bootfs",
|
||||
"name": "boot",
|
||||
"options": [
|
||||
"--integrity",
|
||||
"hmac-sha256"
|
||||
],
|
||||
"wipeVolume": true
|
||||
},
|
||||
{
|
||||
"device": "/dev/disk/by-partlabel/root",
|
||||
"label": "crypt_rootfs",
|
||||
"name": "root",
|
||||
"options": [
|
||||
"--integrity",
|
||||
"hmac-sha256"
|
||||
],
|
||||
"wipeVolume": true
|
||||
}
|
||||
],
|
||||
"filesystems": [
|
||||
{
|
||||
"device": "/dev/mapper/boot",
|
||||
"format": "ext4",
|
||||
"label": "boot",
|
||||
"wipeFilesystem": true
|
||||
},
|
||||
{
|
||||
"device": "/dev/mapper/root",
|
||||
"format": "xfs",
|
||||
"label": "root",
|
||||
"wipeFilesystem": true
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
@ -1,10 +0,0 @@
|
||||
# CoreOS-specific symlink for boot disk
|
||||
|
||||
ACTION!="add|change", GOTO="stable_boot_end"
|
||||
SUBSYSTEM!="block", GOTO="stable_boot_end"
|
||||
|
||||
ENV{DEVTYPE}=="disk" \
|
||||
, PROGRAM=="coreos-disk-contains-fs $name boot" \
|
||||
, SYMLINK+="disk/by-id/coreos-boot-disk"
|
||||
|
||||
LABEL="stable_boot_end"
|
@ -16,12 +16,6 @@ After=dev-disk-by\x2dlabel-boot.device
|
||||
After=ignition-files.service
|
||||
# As above, this isn't strictly necessary, but on principle.
|
||||
After=coreos-multipath-wait.target
|
||||
# Finish before systemd starts tearing down services
|
||||
Before=initrd.target
|
||||
# initrd-parse-etc.service starts initrd-cleanup.service which will race
|
||||
# with us completing before we get nuked. Need to get to the bottom of it,
|
||||
# but for now we need this.
|
||||
Before=initrd-parse-etc.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
@ -34,12 +34,18 @@ if [ -z "${root}" ]; then
|
||||
rdcore rootmap /sysroot --boot-mount ${bootmnt}
|
||||
fi
|
||||
|
||||
# This does a few things:
|
||||
# 1. it puts the boot UUID in /run/coreos/bootfs_uuid which is used by the real
|
||||
# root for mounting the bootfs in this boot
|
||||
# 2. it adds a boot=UUID= karg which is used by the real root for mounting the
|
||||
# bootfs in subsequent boots
|
||||
# 3. it create a .root_uuid stamp file on the bootfs or fails if one exists
|
||||
# 4. it adds GRUB bootuuid.cfg dropins so that GRUB selects the boot filesystem
|
||||
# by UUID
|
||||
rdcore bind-boot /sysroot ${bootmnt}
|
||||
# And similarly, only inject boot= if it's not already present.
|
||||
boot=$(karg boot)
|
||||
if [ -z "${boot}" ]; then
|
||||
# XXX: `rdcore rootmap --inject-boot-karg` or maybe `rdcore bootmap`
|
||||
eval $(blkid -o export "${bootdev}")
|
||||
if [ -z "${UUID}" ]; then
|
||||
# This should never happen
|
||||
echo "Boot filesystem ${bootdev} has no UUID" >&2
|
||||
exit 1
|
||||
fi
|
||||
rdcore kargs --boot-mount ${bootmnt} --append boot=UUID=${UUID}
|
||||
# but also put it in /run for the first boot real root mount
|
||||
mkdir -p /run/coreos
|
||||
echo "${UUID}" > /run/coreos/bootfs_uuid
|
||||
fi
|
||||
|
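Review bot: In the hand-rolled `boot=` injection branch, `eval $(blkid -o export "${bootdev}")` turns every tag blkid prints for the device into a shell assignment, so anything beyond `UUID` (label, type, filesystem-specific tags) is evaluated as shell text and lands in the script's namespace; if that variant is the side being kept, read the single value instead: `UUID=$(blkid -s UUID -o value "${bootdev}")`. The following line should also quote its expansions to match the rest of the hunk, `rdcore kargs --boot-mount "${bootmnt}" --append "boot=UUID=${UUID}"`. The `if [ -z "${root}" ]` block named in the hunk header begins before the hunk.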
@ -1,20 +0,0 @@
|
||||
#!/bin/bash
|
||||
# checks whether `disk` contains filesystem labeled `label`
|
||||
set -euo pipefail
|
||||
|
||||
disk=$1
|
||||
label=$2
|
||||
|
||||
# during execution of udev rules on disks 'lsblk' returns empty fields
|
||||
for pt in /sys/block/$disk/*; do
|
||||
name=$(basename $pt)
|
||||
if [[ "$name" =~ ${disk}p?[[:digit:]] ]] && [[ -e "/sys/block/$disk/$name/start" ]];
|
||||
then
|
||||
eval $(udevadm info --query=property -n /dev/$name | grep -e ID_FS_LABEL -e PARTNAME)
|
||||
if [[ "${ID_FS_LABEL:-}" == "$label" ]] || [[ "${PARTNAME:-}" == "$label" ]]; then
|
||||
exit 0
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
exit 1
|
@ -57,21 +57,4 @@ After=dev-disk-by\x2dlabel-boot.device
|
||||
Requires=coreos-gpt-setup.service
|
||||
After=coreos-gpt-setup.service
|
||||
EOF
|
||||
|
||||
# create symlink for udev rule
|
||||
mkdir -p /run/udev/rules.d/
|
||||
ln -sf /usr/lib/coreos/80-coreos-boot-disk.rules \
|
||||
/run/udev/rules.d/80-coreos-boot-disk.rules
|
||||
|
||||
# IBM Secure Execution case
|
||||
# During firstboot we have to reencrypt '/boot' and '/', to do that an Ignition config
|
||||
# is injected. 'coreos-boot-disk' is required for this
|
||||
secure_execution=0
|
||||
if [[ $(uname -m) == s390x ]] && [[ -e /sys/firmware/uv/prot_virt_guest ]]; then
|
||||
secure_execution=$(cat /sys/firmware/uv/prot_virt_guest)
|
||||
fi
|
||||
if [[ "${secure_execution}" = "1" ]]; then
|
||||
mkdir -p /run/coreos/
|
||||
touch /run/coreos/secure-execution
|
||||
fi
|
||||
fi
|
||||
|
@ -1,19 +0,0 @@
|
||||
[Unit]
|
||||
Description=CoreOS Ensure Unique Boot Filesystem
|
||||
ConditionPathExists=/etc/initrd-release
|
||||
OnFailure=emergency.target
|
||||
OnFailureJobMode=isolate
|
||||
|
||||
# That's a weak dependency, so service won't fail if boot dissaperears
|
||||
Wants=dev-disk-by\x2dlabel-boot.device
|
||||
After=dev-disk-by\x2dlabel-boot.device
|
||||
|
||||
# Start after ignition has finished with disks but before mounting them
|
||||
After=ignition-disks.service
|
||||
Before=ignition-mount.service
|
||||
Before=ignition-ostree-uuid-root.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/rdcore verify-unique-fs-label boot
|
@ -1,17 +0,0 @@
|
||||
# This unit will run late in the initrd process after the Ignition files
|
||||
# stage has completed successfully so that we may validate ignition changes
|
||||
|
||||
[Unit]
|
||||
Description=CoreOS Post Ignition Checks
|
||||
ConditionPathExists=/usr/lib/initrd-release
|
||||
OnFailure=emergency.target
|
||||
OnFailureJobMode=isolate
|
||||
|
||||
# Start after Ignition has finished creating files and before ignition umount
|
||||
After=ignition-files.service
|
||||
Before=ignition-complete.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/sbin/coreos-post-ignition-checks
|
||||
RemainAfterExit=yes
|
@ -1,18 +0,0 @@
|
||||
#!/bin/bash
|
||||
# See coreos-post-ignition-checks.service for more information about this script
|
||||
set -euo pipefail
|
||||
|
||||
# Verify that GRUB password directives are only used when GRUB is being used
|
||||
arch=$(uname -p)
|
||||
# Butane sugar will tell ignition to mount /boot to /sysroot/boot. We can simply check if
|
||||
# the file exists to see whether the check needs to be performed.
|
||||
# It is possible that the user creates a config, which will mount /boot at a different path
|
||||
# but that case is not officially supported.
|
||||
if [ -f /sysroot/boot/grub2/user.cfg ]; then
|
||||
# s390x does not use GRUB, ppcle64 uses petitboot with a GRUB config parser which does not support passwords
|
||||
# So in both these cases, GRUB password is not supported
|
||||
if grep -q password_pbkdf2 /sysroot/boot/grub2/user.cfg && [[ "$arch" =~ ^(s390x|ppc64le)$ ]]; then
|
||||
echo "Ignition config provisioned a GRUB password, which is not supported on $arch"
|
||||
exit 1
|
||||
fi
|
||||
fi
|
@ -22,21 +22,6 @@ dracut_func() {
|
||||
return $rc
|
||||
}
|
||||
|
||||
# Get the BOOTIF and rd.bootif kernel arguments from
|
||||
# the kernel command line.
|
||||
get_bootif_kargs() {
|
||||
bootif_kargs=""
|
||||
bootif_karg=$(dracut_func getarg BOOTIF)
|
||||
if [ ! -z "$bootif_karg" ]; then
|
||||
bootif_kargs+="BOOTIF=${bootif_karg}"
|
||||
fi
|
||||
rdbootif_karg=$(dracut_func getarg rd.bootif)
|
||||
if [ ! -z "$rdbootif_karg" ]; then
|
||||
bootif_kargs+=" rd.bootif=${rdbootif_karg}"
|
||||
fi
|
||||
echo $bootif_kargs
|
||||
}
|
||||
|
||||
# Determine if the generated NM connection profiles match the default
|
||||
# that would be given to us if the user had provided no additional
|
||||
# configuration. i.e. did the user give us any network configuration
|
||||
@ -48,9 +33,6 @@ are_default_NM_configs() {
|
||||
# pick up our CoreOS default networking kargs from the afterburn dropin
|
||||
DEFAULT_KARGS_FILE=/usr/lib/systemd/system/afterburn-network-kargs.service.d/50-afterburn-network-kargs-default.conf
|
||||
source <(grep -o 'AFTERBURN_NETWORK_KARGS_DEFAULT=.*' $DEFAULT_KARGS_FILE)
|
||||
# Also pick up BOOTIF/rd.bootif kargs and apply them here.
|
||||
# See https://github.com/coreos/fedora-coreos-tracker/issues/1048
|
||||
BOOTIF_KARGS=$(get_bootif_kargs)
|
||||
# Make two dirs for storing files to use in the comparison
|
||||
mkdir -p /run/coreos-teardown-initramfs/connections-compare-{1,2}
|
||||
# Make another that's just a throwaway for the initrd-data-dir
|
||||
@ -61,8 +43,7 @@ are_default_NM_configs() {
|
||||
# Do a new run with the default input
|
||||
/usr/libexec/nm-initrd-generator \
|
||||
-c /run/coreos-teardown-initramfs/connections-compare-2 \
|
||||
-i /run/coreos-teardown-initramfs/initrd-data-dir \
|
||||
-- $AFTERBURN_NETWORK_KARGS_DEFAULT $BOOTIF_KARGS
|
||||
-i /run/coreos-teardown-initramfs/initrd-data-dir -- $AFTERBURN_NETWORK_KARGS_DEFAULT
|
||||
# remove unique identifiers from the files (so our diff can work)
|
||||
sed -i '/^uuid=/d' /run/coreos-teardown-initramfs/connections-compare-{1,2}/*
|
||||
# currently the output will differ based on whether rd.neednet=1
|
||||
@ -94,11 +75,9 @@ are_default_NM_configs() {
|
||||
propagate_initramfs_networking() {
|
||||
# Check for any real root config in the two locations where a user could have
|
||||
# provided network configuration. On FCOS we only support keyfiles, but on RHCOS
|
||||
# we support keyfiles and ifcfg. We also need to ignore readme-ifcfg-rh.txt
|
||||
# which is a cosmetic file added in
|
||||
# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/commit/96d7362
|
||||
# we support keyfiles and ifcfg
|
||||
if [ -n "$(ls -A /sysroot/etc/NetworkManager/system-connections/)" -o \
|
||||
-n "$(ls -A -I readme-ifcfg-rh.txt /sysroot/etc/sysconfig/network-scripts/)" ]; then
|
||||
-n "$(ls -A /sysroot/etc/sysconfig/network-scripts/)" ]; then
|
||||
echo "info: networking config is defined in the real root"
|
||||
realrootconfig=1
|
||||
else
|
||||
@ -232,9 +211,6 @@ main() {
|
||||
# clean it up so that no information from outside of the
|
||||
# real root is passed on to NetworkManager in the real root
|
||||
rm -rf /run/NetworkManager/
|
||||
|
||||
rm -f /run/udev/rules.d/80-coreos-boot-disk.rules
|
||||
rm -f /dev/disk/by-id/coreos-boot-disk
|
||||
}
|
||||
|
||||
main
|
||||
|
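Review bot: In `propagate_initramfs_networking` the two tests on `/sysroot/etc/sysconfig/network-scripts/` differ only by `-I readme-ifcfg-rh.txt`; if the plain `ls -A` form is the side being kept, the cosmetic readme that the adjacent comment describes makes the directory look non-empty, `realrootconfig=1` is set, and initramfs network configuration is never propagated to the real root. Keep the `ls -A -I readme-ifcfg-rh.txt` form, or replace the comment with one stating why that file is known not to exist on this branch. `propagate_initramfs_networking` continues past its hunk, and `are_default_NM_configs` and `main` start before theirs.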
@ -1,22 +0,0 @@
|
||||
[Unit]
|
||||
Description=Ensure filesystem labeled `boot` is unique
|
||||
ConditionPathExists=/etc/initrd-release
|
||||
DefaultDependencies=no
|
||||
Before=ignition-diskful.target
|
||||
Wants=systemd-udevd.service
|
||||
After=systemd-udevd.service
|
||||
# And since the boot device may be on multipath; optionally wait for it to
|
||||
# appear via the dynamic target.
|
||||
After=coreos-multipath-wait.target
|
||||
Requires=dev-disk-by\x2dlabel-boot.device
|
||||
After=dev-disk-by\x2dlabel-boot.device
|
||||
# Run before services that modify/use `boot` partition
|
||||
Before=coreos-gpt-setup.service coreos-boot-edit.service
|
||||
|
||||
OnFailure=emergency.target
|
||||
OnFailureJobMode=isolate
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/bin/rdcore verify-unique-fs-label boot
|
@ -22,9 +22,7 @@ install() {
|
||||
diff \
|
||||
lsblk \
|
||||
sed \
|
||||
grep \
|
||||
sgdisk \
|
||||
uname
|
||||
sgdisk
|
||||
|
||||
inst_simple "$moddir/coreos-diskful-generator" \
|
||||
"$systemdutildir/system-generators/coreos-diskful-generator"
|
||||
@ -32,22 +30,9 @@ install() {
|
||||
inst_script "$moddir/coreos-gpt-setup.sh" \
|
||||
"/usr/sbin/coreos-gpt-setup"
|
||||
|
||||
# This has to work only on diskful systems during firstboot.
|
||||
# coreos-diskful-generator will create a symlink
|
||||
inst_simple "$moddir/80-coreos-boot-disk.rules" \
|
||||
"/usr/lib/coreos/80-coreos-boot-disk.rules"
|
||||
|
||||
inst_script "$moddir/coreos-disk-contains-fs.sh" \
|
||||
"/usr/lib/udev/coreos-disk-contains-fs"
|
||||
|
||||
inst_script "$moddir/coreos-ignition-setup-user.sh" \
|
||||
"/usr/sbin/coreos-ignition-setup-user"
|
||||
|
||||
inst_script "$moddir/coreos-post-ignition-checks.sh" \
|
||||
"/usr/sbin/coreos-post-ignition-checks"
|
||||
|
||||
install_ignition_unit coreos-post-ignition-checks.service
|
||||
|
||||
# For consistency tear down the network and persist multipath between the initramfs and
|
||||
# real root. See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763
|
||||
inst_script "$moddir/coreos-teardown-initramfs.sh" \
|
||||
@ -70,10 +55,5 @@ install() {
|
||||
install_ignition_unit "coreos-boot-edit.service" \
|
||||
"ignition-diskful.target"
|
||||
|
||||
install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target
|
||||
install_ignition_unit coreos-unique-boot.service ignition-diskful.target
|
||||
install_ignition_unit coreos-ignition-setup-user.service
|
||||
|
||||
# IBM Secure Execution. Ignition config for reencryption of / and /boot
|
||||
inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
|
||||
}
|
||||
|
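Review bot: The lines `install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target` and `install_ignition_unit coreos-unique-boot.service ignition-diskful.target` name two different units, but the only unit files in this compare with matching descriptions (CoreOS Ensure Unique Boot Filesystem, Ensure filesystem labeled boot is unique) appear as whole-file deletions, so it is not visible that the name kept on the new side still has a file next to module-setup.sh; presumably a missing file fails the dracut build at install time. Please confirm the retained unit file exists, and add a comment above the install line naming what it runs (`rdcore verify-unique-fs-label boot`) and when, so the pairing of unit and ordering target is visible. `install()` starts and ends outside the hunks shown.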
@ -23,12 +23,12 @@ elif [[ -n "${rootfs_url}" ]]; then
|
||||
# rootfs URL was provided as karg. Fetch image, check its hash, and
|
||||
# unpack it.
|
||||
echo "Fetching rootfs image from ${rootfs_url}..."
|
||||
if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* && ${rootfs_url} != tftp:* ]]; then
|
||||
if [[ ${rootfs_url} != http:* && ${rootfs_url} != https:* ]]; then
|
||||
# Don't commit to supporting protocols we might not want to expose in
|
||||
# the long term.
|
||||
echo "Unsupported scheme for image specified by:" >&2
|
||||
echo "coreos.live.rootfs_url=${rootfs_url}" >&2
|
||||
echo "Only HTTP, HTTPS, and TFTP are supported. Please fix your PXE configuration." >&2
|
||||
echo "Only HTTP and HTTPS are supported. Please fix your PXE configuration." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
|
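Review bot: Whichever scheme list is kept, the `[[ ${rootfs_url} != http:* ... ]]` test is only an allow-list of URL schemes; neither `http:` nor `tftp:` gives any transport integrity, so the hash check promised by the comment above (`Fetch image, check its hash, and unpack it`) is the only thing standing between a PXE server and the root filesystem, and if any path lets that verification be skipped it should be closed. That check is outside this hunk; add a comment at the scheme test saying that accepting a scheme here does not imply trust in the source and that the hash verification further down is mandatory. The enclosing `elif [[ -n "${rootfs_url}" ]]` block begins before the hunk.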
@ -152,20 +152,6 @@ Type=squashfs
|
||||
# is checked by coreos-assembler cmd-buildextend-live at build time.
|
||||
Options=loop,offset=124
|
||||
EOF
|
||||
|
||||
# And one more unit to workaround what we think is a systemd bug.
|
||||
# We've found the system can stall waiting for run-media-iso.mount
|
||||
# and apparently any operation seems to be effective at reviving
|
||||
# the system.
|
||||
# https://github.com/coreos/fedora-coreos-tracker/issues/1233#issuecomment-1238814171
|
||||
cat >"${UNIT_DIR}/workaround-stalled-media-iso-mount.service" <<EOF
|
||||
[Service]
|
||||
Type=simple
|
||||
StandardOutput=journal
|
||||
StandardError=journal
|
||||
ExecStart=bash -c "sleep 10; echo 'warn: tracker issue workaround engaged for https://github.com/coreos/fedora-coreos-tracker/issues/1233'"
|
||||
EOF
|
||||
add_requires workaround-stalled-media-iso-mount.service basic.target
|
||||
fi
|
||||
|
||||
# It turns out that `tmpfs` currently munches all SELinux labels
|
||||
|
@ -5,9 +5,6 @@ Before=initrd.target
|
||||
# we write to the rootfs, so run after it's ready
|
||||
After=initrd-root-fs.target
|
||||
|
||||
# we only propagate if multipath wasn't configured via Ignition
|
||||
After=ignition-files.service
|
||||
|
||||
# That service starts initrd-cleanup.service which will race with us completing
|
||||
# before we get nuked. Need to get to the bottom of it, but for now we need
|
||||
# this (XXX: add link to systemd issue here).
|
||||
|
@ -4,20 +4,14 @@ set -euo pipefail
|
||||
# Persist automatic multipath configuration, if any.
|
||||
# When booting with `rd.multipath=default`, the default multipath
|
||||
# configuration is written. We need to ensure that the multipath configuration
|
||||
# is persisted to the rootfs.
|
||||
# is persisted to the final target.
|
||||
|
||||
if [ ! -f /etc/multipath.conf ]; then
|
||||
echo "info: initrd file /etc/multipath.conf does not exist"
|
||||
echo "info: no initrd multipath configuration to propagate"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -f /sysroot/etc/multipath.conf ]; then
|
||||
echo "info: real root file /etc/multipath.conf exists"
|
||||
echo "info: not propagating initrd multipath configuration"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo "info: propagating initrd multipath configuration"
|
||||
if [ ! -f /sysroot/etc/multipath.conf ] && [ -f /etc/multipath.conf ]; then
|
||||
echo "info: propagating automatic multipath configuration"
|
||||
cp -v /etc/multipath.conf /sysroot/etc/
|
||||
mkdir -p /sysroot/etc/multipath/multipath.conf.d
|
||||
coreos-relabel /etc/multipath.conf
|
||||
coreos-relabel /etc/multipath/multipath.conf.d
|
||||
else
|
||||
echo "info: no initramfs automatic multipath configuration to propagate"
|
||||
fi
|
||||
|
@ -2,20 +2,20 @@
|
||||
# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
|
||||
# ex: ts=8 sw=4 sts=4 et filetype=sh
|
||||
|
||||
install_unit() {
|
||||
install_ignition_unit() {
|
||||
local unit=$1; shift
|
||||
local target=${1:-initrd}
|
||||
local target=${1:-complete}
|
||||
inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit"
|
||||
# note we `|| exit 1` here so we error out if e.g. the units are missing
|
||||
# see https://github.com/coreos/fedora-coreos-config/issues/799
|
||||
systemctl -q --root="$initdir" add-requires "${target}.target" "$unit" || exit 1
|
||||
systemctl -q --root="$initdir" add-requires "ignition-${target}.target" "$unit" || exit 1
|
||||
}
|
||||
|
||||
install() {
|
||||
inst_script "$moddir/coreos-propagate-multipath-conf.sh" \
|
||||
"/usr/sbin/coreos-propagate-multipath-conf"
|
||||
|
||||
install_unit coreos-propagate-multipath-conf.service
|
||||
install_ignition_unit coreos-propagate-multipath-conf.service subsequent
|
||||
|
||||
inst_simple "$moddir/coreos-multipath-generator" \
|
||||
"$systemdutildir/system-generators/coreos-multipath-generator"
|
||||
|
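Review bot: The helper is defined as `install_unit` (default target `initrd`, wiring to `${target}.target`) on one side and `install_ignition_unit` (default `complete`, wiring to `ignition-${target}.target`) on the other; the 35coreos-ignition module in this same compare also calls an `install_ignition_unit`, and as far as I recall dracut sources every module-setup.sh into the same shell, so two modules defining one name with different target semantics means whichever was sourced last wins for later modules. If the `install_ignition_unit` form is the side being kept, either rename it to something module-specific or make it byte-identical to the 35coreos-ignition definition, and put a comment above it stating the target naming convention it expects (`ignition-<target>.target`). `install()` continues past the hunk.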
@ -6,8 +6,6 @@ ConditionKernelCommandLine=ostree
|
||||
ConditionPathExists=!/run/ostree-live
|
||||
After=ignition-ostree-growfs.service
|
||||
After=ostree-prepare-root.service
|
||||
# Allow Ignition config to blank out the warning
|
||||
Before=ignition-files.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
@ -17,12 +17,6 @@ path=/sysroot
|
||||
# this shouldn't happen for us but we're being conservative.
|
||||
src=$(findmnt -nvr -o SOURCE "$path" | tail -n1)
|
||||
|
||||
# In the IBM Secure Execution case we use Ignition to grow and reencrypt rootfs
|
||||
# see overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
|
||||
if [[ -f /run/coreos/secure-execution ]]; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ ! -f "${saved_partstate}" ]; then
|
||||
partition=$(realpath /dev/disk/by-label/root)
|
||||
else
|
||||
|
@ -1,18 +0,0 @@
|
||||
# RHOCS 4.12.s390x has an old kernel with a known issue: https://bugzilla.redhat.com/show_bug.cgi?id=2075085
|
||||
# Once we have kernel >= 4.18.0-387.el8.s390x we should drop this unit and copy config in coreos-diskful-generator
|
||||
[Unit]
|
||||
Description=Ignition OSTree: Inject Secure Execution Config
|
||||
DefaultDependencies=false
|
||||
ConditionArchitecture=s390x
|
||||
ConditionKernelCommandLine=ostree
|
||||
ConditionPathExists=/run/coreos/secure-execution
|
||||
OnFailure=emergency.target
|
||||
OnFailureJobMode=isolate
|
||||
|
||||
After=coreos-gpt-setup.service
|
||||
Before=ignition-fetch-offline.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/libexec/ignition-ostree-secex-config
|
@ -1,5 +0,0 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
bootdev=$(blkid --list-one --output device --match-token PARTLABEL=boot | sed 's,[0-9]\+$,,')
|
||||
sed "s,\${BOOTDEV},$bootdev," < /usr/lib/coreos/01-secex.ign > /usr/lib/ignition/base.d/01-secex.ign
|
@ -43,10 +43,9 @@ get_partlabels_for_parttype() {
|
||||
mount_verbose() {
|
||||
local srcdev=$1; shift
|
||||
local destdir=$1; shift
|
||||
local mode=${1:-ro}
|
||||
echo "Mounting ${srcdev} ${mode} ($(realpath "$srcdev")) to $destdir"
|
||||
echo "Mounting ${srcdev} ($(realpath "$srcdev")) to $destdir"
|
||||
mkdir -p "${destdir}"
|
||||
mount -o "${mode}" "${srcdev}" "${destdir}"
|
||||
mount "${srcdev}" "${destdir}"
|
||||
}
|
||||
|
||||
# Sometimes, for some reason the by-label symlinks aren't updated. Detect these
|
||||
@ -57,10 +56,7 @@ udev_trigger_on_label_mismatch() {
|
||||
local expected_dev=$1; shift
|
||||
local actual_dev
|
||||
expected_dev=$(realpath "${expected_dev}")
|
||||
# We `|| :` here because sometimes /dev/disk/by-label/$label is missing.
|
||||
# We've seen this on Fedora kernels with debug enabled (common in `rawhide`).
|
||||
# See https://github.com/coreos/fedora-coreos-tracker/issues/1092
|
||||
actual_dev=$(realpath "/dev/disk/by-label/$label" || :)
|
||||
actual_dev=$(realpath "/dev/disk/by-label/$label")
|
||||
if [ "$actual_dev" != "$expected_dev" ]; then
|
||||
echo "Expected /dev/disk/by-label/$label to point to $expected_dev, but points to $actual_dev; triggering udev"
|
||||
udevadm trigger --settle "$expected_dev"
|
||||
@ -73,18 +69,6 @@ get_partition_offset() {
|
||||
cat "/sys${devpath}/start"
|
||||
}
|
||||
|
||||
# copied from generator-lib.sh
|
||||
karg() {
|
||||
local name="$1" value="${2:-}"
|
||||
local cmdline=( $(</proc/cmdline) )
|
||||
for arg in "${cmdline[@]}"; do
|
||||
if [[ "${arg%%=*}" == "${name}" ]]; then
|
||||
value="${arg#*=}"
|
||||
fi
|
||||
done
|
||||
echo "${value}"
|
||||
}
|
||||
|
||||
mount_and_restore_filesystem_by_label() {
|
||||
local label=$1; shift
|
||||
local mountpoint=$1; shift
|
||||
@ -92,51 +76,10 @@ mount_and_restore_filesystem_by_label() {
|
||||
local new_dev
|
||||
new_dev=$(jq -r "$(query_fslabel "${label}") | .[0].device" "${ignition_cfg}")
|
||||
udev_trigger_on_label_mismatch "${label}" "${new_dev}"
|
||||
mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}" rw
|
||||
find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} +
|
||||
mount_verbose "/dev/disk/by-label/${label}" "${mountpoint}"
|
||||
find "${saved_fs}" -mindepth 1 -maxdepth 1 -exec mv -t "${mountpoint}" {} \;
|
||||
}
|
||||
|
||||
mount_and_save_filesystem_by_label() {
|
||||
local label=$1; shift
|
||||
local saved_fs=$1; shift
|
||||
local fs=/dev/disk/by-label/${label}
|
||||
if [[ -f /run/coreos/secure-execution ]]; then
|
||||
local roothash_karg=${label}fs.roothash
|
||||
local roothash=$(karg "${roothash_karg}")
|
||||
if [ -z "${roothash}" ]; then
|
||||
echo "Missing kernel argument ${roothash_karg}; aborting"
|
||||
exit 1
|
||||
fi
|
||||
local roothash_part=/dev/disk/by-partlabel/${label}hash
|
||||
veritysetup open "${fs}" "${label}" "${roothash_part}" "${roothash}"
|
||||
fs=/dev/mapper/${label}
|
||||
fi
|
||||
mount_verbose "${fs}" /var/tmp/mnt
|
||||
cp -aT /var/tmp/mnt "${saved_fs}"
|
||||
umount /var/tmp/mnt
|
||||
if [[ -f /run/coreos/secure-execution ]]; then
|
||||
veritysetup close "${label}"
|
||||
fi
|
||||
}
|
||||
|
||||
# In Secure Execution case user is not allowed to modify partition table
|
||||
check_and_set_secex_config() {
|
||||
if [[ -f /run/coreos/secure-execution ]]; then
|
||||
local wr=$(jq "$(query_fslabel root) | length" "${ignition_cfg}")
|
||||
local wb=$(jq "$(query_fslabel boot) | length" "${ignition_cfg}")
|
||||
if [ "${wr}${wb}" != "00" ]; then
|
||||
echo "Modifying bootfs and rootfs is not supported in Secure Execution mode"
|
||||
exit 1
|
||||
fi
|
||||
# Cached config isn't merged, so reset it and recheck again, just to make sure
|
||||
ignition_cfg=/usr/lib/ignition/base.d/01-secex.ign
|
||||
fi
|
||||
}
|
||||
|
||||
# We could have done this during 'detect' below, but other cases also request
|
||||
# info from config, so just check cached one and reset to secex.ign now
|
||||
check_and_set_secex_config
|
||||
|
||||
case "${1:-}" in
|
||||
detect)
|
||||
# Mounts are not in a private namespace so we can mount ${saved_data}
|
||||
@ -201,13 +144,15 @@ case "${1:-}" in
|
||||
# Mounts happen in a private mount namespace since we're not "offically" mounting
|
||||
if [ -d "${saved_root}" ]; then
|
||||
echo "Moving rootfs to RAM..."
|
||||
mount_and_save_filesystem_by_label root "${saved_root}"
|
||||
mount_verbose "${root_part}" /sysroot
|
||||
cp -aT /sysroot "${saved_root}"
|
||||
# also store the state of the partition
|
||||
lsblk "${root_part}" --nodeps --pairs -b --paths -o NAME,TYPE,SIZE > "${partstate_root}"
|
||||
fi
|
||||
if [ -d "${saved_boot}" ]; then
|
||||
echo "Moving bootfs to RAM..."
|
||||
mount_and_save_filesystem_by_label boot "${saved_boot}"
|
||||
mount_verbose "${boot_part}" /sysroot/boot
|
||||
cp -aT /sysroot/boot "${saved_boot}"
|
||||
fi
|
||||
if [ -d "${saved_esp}" ]; then
|
||||
echo "Moving EFI System Partition to RAM..."
|
||||
@ -255,8 +200,8 @@ case "${1:-}" in
|
||||
# 3. We don't need the by-label symlink to be correct and
|
||||
# nothing later in boot will be mounting the filesystem
|
||||
mountpoint="/mnt/esp-${label}"
|
||||
mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}" rw
|
||||
find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -at "${mountpoint}" {} +
|
||||
mount_verbose "/dev/disk/by-partlabel/${label}" "${mountpoint}"
|
||||
find "${saved_esp}" -mindepth 1 -maxdepth 1 -exec cp -a {} "${mountpoint}" \;
|
||||
done
|
||||
fi
|
||||
if [ -d "${saved_bios}" ]; then
|
||||
|
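Review bot: In `udev_trigger_on_label_mismatch`, the `actual_dev=$(realpath "/dev/disk/by-label/$label")` form without `|| :` aborts the script under the errexit setting this file presumably runs with whenever the by-label symlink is missing, which is exactly the case the function exists to repair by triggering udev; if that form is the side being kept, restore the `|| :` together with its three-line explanatory comment. In the `detect` case, `mount_verbose "${root_part}" /sysroot` followed by `cp -aT /sysroot "${saved_root}"` mounts a filesystem read-write only to copy it out, whereas the other variant's `mount_verbose` defaults to `ro`; a copy-out mount should be read-only, i.e. `mount -o ro "${srcdev}" "${destdir}"`. `mount_verbose`, `udev_trigger_on_label_mismatch` and the `case` statement each start or end outside the hunks shown.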
@ -11,8 +11,6 @@ Before=ignition-fetch-offline.service
|
||||
# Any services looking at mounts need to order after this
|
||||
# because it causes device re-probing.
|
||||
After=coreos-gpt-setup.service
|
||||
# If we're going to reprovision the bootfs, then there's no need to restamp
|
||||
ConditionKernelCommandLine=!bootfs.roothash
|
||||
|
||||
Before=systemd-fsck@dev-disk-by\x2dlabel-boot.service
|
||||
Requires=dev-disk-by\x2dlabel-boot.device
|
||||
|
@ -8,7 +8,6 @@ Before=sysroot.mount initrd-root-fs.target
|
||||
After=ignition-disks.service
|
||||
# If we've reprovisioned the rootfs, then there's no need to restamp
|
||||
ConditionPathExists=!/run/ignition-ostree-transposefs
|
||||
ConditionKernelCommandLine=!rootfs.roothash
|
||||
|
||||
After=dev-disk-by\x2dlabel-root.device
|
||||
# Avoid racing with fsck
|
||||
|
@ -30,12 +30,6 @@ install() {
|
||||
sort \
|
||||
uniq
|
||||
|
||||
if [[ $(uname -m) = s390x ]]; then
|
||||
# for Secure Execution
|
||||
inst_multiple \
|
||||
veritysetup
|
||||
fi
|
||||
|
||||
# ignition-ostree-growfs deps
|
||||
inst_multiple \
|
||||
basename \
|
||||
@ -107,9 +101,4 @@ install() {
|
||||
/usr/libexec/coreos-check-rootfs-size
|
||||
|
||||
inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
|
||||
|
||||
# Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2075085
|
||||
install_ignition_unit ignition-ostree-secex-config.service
|
||||
inst_script "$moddir/ignition-ostree-secex-config.sh" \
|
||||
/usr/libexec/ignition-ostree-secex-config
|
||||
}
|
||||
|
@ -5,7 +5,6 @@
|
||||
Description=CoreOS: Touch /run/agetty.reload
|
||||
Documentation=https://bugzilla.redhat.com/show_bug.cgi?id=1932053
|
||||
DefaultDependencies=false
|
||||
Before=initrd.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
|
@ -1,78 +0,0 @@
|
||||
# Display relevant errors then enter emergency shell
|
||||
|
||||
# _wait_for_journalctl_to_stop will block until either:
|
||||
# - no messages have appeared in journalctl for the past 5 seconds
|
||||
# - 15 seconds have elapsed
|
||||
_wait_for_journalctl_to_stop() {
|
||||
local time_since_last_log=0
|
||||
|
||||
local time_started="$(date '+%s')"
|
||||
local now="$(date '+%s')"
|
||||
|
||||
while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
|
||||
sleep 1
|
||||
|
||||
local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
|
||||
local now="$(date '+%s')"
|
||||
|
||||
local time_since_last_log=$((now-last_log_timestamp))
|
||||
done
|
||||
}
|
||||
|
||||
_display_relevant_errors() {
|
||||
failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
|
||||
if [ -n "${failed}" ]; then
|
||||
# Something failed, suppress kernel logs so that it's more likely
|
||||
# the useful bits from the journal are available.
|
||||
dmesg --console-off
|
||||
|
||||
# There's a couple straggler systemd messages. Wait until it's been 5
|
||||
# seconds since something was written to the journal.
|
||||
_wait_for_journalctl_to_stop
|
||||
|
||||
# Print Ignition logs
|
||||
if echo ${failed} | grep -qFe 'ignition-'; then
|
||||
cat <<EOF
|
||||
------
|
||||
Ignition has failed. Please ensure your config is valid. Note that only
|
||||
Ignition spec v3.0.0+ configs are accepted.
|
||||
|
||||
A CLI validation tool to check this called ignition-validate can be
|
||||
downloaded from GitHub:
|
||||
https://github.com/coreos/ignition/releases
|
||||
------
|
||||
|
||||
EOF
|
||||
fi
|
||||
|
||||
# If this is a live boot, check for ENOSPC in initramfs filesystem
|
||||
# Try creating a 64 KiB file, in case a small file was deleted on
|
||||
# service failure
|
||||
# https://github.com/coreos/fedora-coreos-tracker/issues/1055
|
||||
if [ -f /etc/coreos-live-initramfs ] && \
|
||||
! dd if=/dev/zero of=/tmp/check-space bs=4K count=16 2>/dev/null; then
|
||||
cat <<EOF
|
||||
------
|
||||
Ran out of memory when unpacking initrd filesystem. Ensure your system has
|
||||
at least 2 GiB RAM if booting with coreos.live.rootfs_url, or 4 GiB otherwise.
|
||||
------
|
||||
|
||||
EOF
|
||||
# Don't show logs from failed units, since they'll just be
|
||||
# random misleading errors.
|
||||
else
|
||||
echo "Displaying logs from failed units: ${failed}"
|
||||
for unit in ${failed}; do
|
||||
# 10 lines should be enough for everyone
|
||||
SYSTEMD_COLORS=true journalctl -b --no-pager --no-hostname -u ${unit} -n 10
|
||||
done
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
# Print warnings/informational messages to all configured consoles on the
|
||||
# machine. Code inspired by https://github.com/dracutdevs/dracut/commit/32f68c1
|
||||
MESSAGE="$(_display_relevant_errors)"
|
||||
while read -r _tty rest; do
|
||||
echo -e "$MESSAGE" > /dev/"$_tty"
|
||||
done < /proc/consoles
|
@ -7,7 +7,6 @@ ConditionVirtualization=|qemu
|
||||
Requires=systemd-journald.service
|
||||
After=systemd-journald.service
|
||||
After=basic.target
|
||||
Before=initrd.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
@ -15,10 +15,9 @@ install_unit_wants() {
|
||||
install() {
|
||||
inst_multiple \
|
||||
cut \
|
||||
date \
|
||||
dd
|
||||
date
|
||||
|
||||
inst_hook emergency 99 "${moddir}/emergency-shell.sh"
|
||||
inst_hook emergency 99 "${moddir}/timeout.sh"
|
||||
|
||||
inst_script "$moddir/ignition-virtio-dump-journal.sh" "/usr/bin/ignition-virtio-dump-journal"
|
||||
install_unit_wants ignition-virtio-dump-journal.service emergency.target
|
@ -0,0 +1,99 @@
|
||||
# Before starting the emergency shell, prompt the user to press Enter.
|
||||
# If they don't, reboot the system.
|
||||
#
|
||||
# Assumes /bin/sh is bash.
|
||||
|
||||
# _wait_for_journalctl_to_stop will block until either:
|
||||
# - no messages have appeared in journalctl for the past 5 seconds
|
||||
# - 15 seconds have elapsed
|
||||
_wait_for_journalctl_to_stop() {
|
||||
local time_since_last_log=0
|
||||
|
||||
local time_started="$(date '+%s')"
|
||||
local now="$(date '+%s')"
|
||||
|
||||
while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do
|
||||
sleep 1
|
||||
|
||||
local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' -f 1)"
|
||||
local now="$(date '+%s')"
|
||||
|
||||
local time_since_last_log=$((now-last_log_timestamp))
|
||||
done
|
||||
}
|
||||
|
||||
_prompt_for_timeout() {
|
||||
local timeout=300
|
||||
local interval=15
|
||||
|
||||
if [[ -e /.emergency-shell-confirmed ]]; then
|
||||
return
|
||||
fi
|
||||
failed=$(systemctl --failed --no-legend --plain | cut -f 1 -d ' ')
|
||||
if [ -n "${failed}" ]; then
|
||||
# Something failed, suppress kernel logs so that it's more likely
|
||||
# the useful bits from the journal are available.
|
||||
dmesg --console-off
|
||||
|
||||
# There's a couple straggler systemd messages. Wait until it's been 5
|
||||
# seconds since something was written to the journal.
|
||||
_wait_for_journalctl_to_stop
|
||||
|
||||
# Print Ignition logs
|
||||
if echo ${failed} | grep -qFe 'ignition-'; then
|
||||
cat <<EOF
|
||||
------
|
||||
Ignition has failed. Please ensure your config is valid. Note that only
|
||||
Ignition spec v3.0.0+ configs are accepted.
|
||||
|
||||
A CLI validation tool to check this called ignition-validate can be
|
||||
downloaded from GitHub:
|
||||
https://github.com/coreos/ignition/releases
|
||||
------
|
||||
|
||||
EOF
|
||||
fi
|
||||
echo "Displaying logs from failed units: ${failed}"
|
||||
for unit in ${failed}; do
|
||||
# 10 lines should be enough for everyone
|
||||
journalctl -b --no-pager --no-hostname -u ${unit} -n 10
|
||||
done
|
||||
fi
|
||||
|
||||
# Regularly prompt with time remaining. This ensures the prompt doesn't
|
||||
# get lost among kernel and systemd messages, and makes it clear what's
|
||||
# going on if the user just connected a serial console.
|
||||
while [[ $timeout > 0 ]]; do
|
||||
local m=$(( $timeout / 60 ))
|
||||
local s=$(( $timeout % 60 ))
|
||||
local m_label="minutes"
|
||||
if [[ $m = 1 ]]; then
|
||||
m_label="minute"
|
||||
fi
|
||||
|
||||
if [[ $s != 0 ]]; then
|
||||
echo -n -e "Press Enter for emergency shell or wait $m $m_label $s seconds for reboot. \r"
|
||||
else
|
||||
echo -n -e "Press Enter for emergency shell or wait $m $m_label for reboot. \r"
|
||||
fi
|
||||
|
||||
local anything
|
||||
if read -t $interval anything; then
|
||||
> /.emergency-shell-confirmed
|
||||
return
|
||||
fi
|
||||
timeout=$(( $timeout - $interval ))
|
||||
done
|
||||
|
||||
echo -e "\nRebooting."
|
||||
# This is not very nice, but since reboot.target likely conflicts with
|
||||
# the existing goal target wrt the desired state of shutdown.target,
|
||||
# there doesn't seem to be a better option.
|
||||
systemctl reboot --force
|
||||
exit 0
|
||||
}
|
||||
|
||||
# If we're invoked from a dracut breakpoint rather than
|
||||
# dracut-emergency.service, we won't have a controlling terminal and stdio
|
||||
# won't be connected to it. Explicitly read/write /dev/console.
|
||||
_prompt_for_timeout < /dev/console > /dev/console
|
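Review bot: `while [[ $timeout > 0 ]]; do` in _prompt_for_timeout is a lexicographic string comparison, not a numeric one — inside `[[ ]]` the `>` operator compares strings, so it only works here because the countdown happens to hit exactly `0`; write it as `while (( timeout > 0 )); do` to match the arithmetic used for `m`, `s` and the decrement. The same function assigns `failed=...` without `local`, unlike every other variable in it, so it leaks into the caller's scope once the script is sourced as a hook. The `cut -d '.' -f 1` result in _wait_for_journalctl_to_stop is empty when the journal has no entry, which makes `time_since_last_log` jump to `now` and ends the wait early; that is presumably acceptable but worth a comment such as `# empty timestamp (no journal entry yet) counts as "quiet"`.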
@ -5,15 +5,8 @@ enable console-login-helper-messages-gensnippet-os-release.service
|
||||
enable console-login-helper-messages-gensnippet-ssh-keys.service
|
||||
# CA certs (probably to add to base fedora eventually)
|
||||
enable coreos-update-ca-trust.service
|
||||
# Set kernel console log level
|
||||
enable coreos-printk-quiet.service
|
||||
# https://github.com/coreos/ignition/issues/1125
|
||||
enable coreos-ignition-firstboot-complete.service
|
||||
# Delete Ignition config from provider on platforms where it's possible
|
||||
# https://github.com/coreos/ignition/pull/1350
|
||||
enable ignition-delete-config.service
|
||||
# Delete Ignition config from provider when upgrading existing nodes
|
||||
enable coreos-ignition-delete-config.service
|
||||
# Boot checkin services for cloud providers.
|
||||
enable afterburn-checkin.service
|
||||
enable afterburn-firstboot-checkin.service
|
||||
@ -30,5 +23,5 @@ enable bootupd.socket
|
||||
# Ideally it should have been added as part of base Fedora - but since it was arch specific, it was not added: https://bugzilla.redhat.com/show_bug.cgi?id=1433859
|
||||
enable rtas_errd.service
|
||||
enable clevis-luks-askpass.path
|
||||
# Provide status information about the Ignition run
|
||||
enable coreos-ignition-write-issues.service
|
||||
# Provide information if no ignition is provided
|
||||
enable coreos-check-ignition-config.service
|
||||
|
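Review bot: The new side of the first hunk stops enabling `ignition-delete-config.service` and `coreos-ignition-delete-config.service`, whose removed comments say they delete the Ignition config from the provider; if this branch still ships those units, they are now installed but never enabled, and a provider-side config can carry credentials that would then stay reachable after provisioning. If the units were dropped on purpose, a one-line comment in the preset (for example `# ignition-delete-config units are not shipped on this branch`) would stop the next reader from re-adding them; if not, the two `enable` lines should stay. The replacement of `coreos-ignition-write-issues.service` by `coreos-check-ignition-config.service` in the second hunk looks consistent with the unit files elsewhere in this compare.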
@ -0,0 +1,14 @@
|
||||
# This service is used for printing a message if
|
||||
# no Ignition config is provided.
|
||||
[Unit]
|
||||
Description=Check if Ignition config is provided
|
||||
Before=systemd-user-sessions.service
|
||||
ConditionPathExists=/etc/.ignition-result.json
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/libexec/coreos-check-ignition-config
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,28 +0,0 @@
|
||||
# Can be removed from FCOS in Fedora 37 or after the next barrier release,
|
||||
# whichever comes first. Can be removed from RHCOS in the first release
|
||||
# after every node is guaranteed to have booted at least once with 4.11 or
|
||||
# higher.
|
||||
|
||||
[Unit]
|
||||
Description=CoreOS Delete Ignition Config From Hypervisor
|
||||
Documentation=https://coreos.github.io/ignition/
|
||||
|
||||
ConditionKernelCommandLine=|ignition.platform.id=virtualbox
|
||||
ConditionKernelCommandLine=|ignition.platform.id=vmware
|
||||
ConditionPathExists=!/var/lib/coreos-ignition-delete-config.stamp
|
||||
# Hack: if the user masked ignition-delete-config.service, we shouldn't run
|
||||
# either.
|
||||
ConditionPathIsSymbolicLink=!/etc/systemd/system/ignition-delete-config.service
|
||||
|
||||
# We check a stamp file written by ignition-delete-config.service. That
|
||||
# service runs Before=sysinit.target, on which we have a default dependency,
|
||||
# so this is really just documentation.
|
||||
After=ignition-delete-config.service
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/libexec/coreos-ignition-delete-config
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,16 +0,0 @@
|
||||
# This service writes issue files describing status
|
||||
# information about the Ignition run, which includes
|
||||
# Ignition warnings and information if no Ignition
|
||||
# config is provided.
|
||||
[Unit]
|
||||
Description=Create Ignition Status Issue Files
|
||||
Before=systemd-user-sessions.service
|
||||
ConditionPathExists=/etc/.ignition-result.json
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=/usr/libexec/coreos-ignition-write-issues
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
@ -1,27 +0,0 @@
|
||||
[Unit]
|
||||
Description=CoreOS: Set printk To Level 4 (warn)
|
||||
Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/1244
|
||||
# We can run right after `/proc` being mounted at least
|
||||
DefaultDependencies=no
|
||||
# We run as early as possible; the only dependency we have really
|
||||
# is the implicit After=systemd-journald.socket injected by the
|
||||
# default of our stdout writing to the journal.
|
||||
Conflicts=shutdown.target
|
||||
Before=sysinit.target shutdown.target
|
||||
# We want this service to read what we wrote
|
||||
Before=systemd-sysctl.service
|
||||
# Relatedly, we don't want to override an explicitly specified kernel argument
|
||||
ConditionKernelCommandLine=!debug
|
||||
ConditionKernelCommandLine=!quiet
|
||||
ConditionKernelCommandLine=!loglevel
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
# We need to make /run/sysctl.d if it doesn't exist and also
|
||||
# ensure it has a SELinux label that works for systemd-sysctl.service.
|
||||
# Then we just generate a sysctl file which is read by systemd-sysctl.service.
|
||||
ExecStart=/bin/bash -euo pipefail -c 'mkdir -p /run/sysctl.d && chcon --reference=/etc/sysctl.d /run/sysctl.d && echo "kernel.printk = 4" > /run/sysctl.d/01-coreos-printk.conf'
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
@ -1,7 +0,0 @@
|
||||
# Create a flag file to notify coreos-ignition-delete-config.service that
|
||||
# we've run, and put it in /run because /var isn't mounted yet.
|
||||
# coreos-ignition-delete-config.service will then avoid trying to delete
|
||||
# the config again, and will create a persistent stamp file in /var/lib.
|
||||
|
||||
[Service]
|
||||
ExecStart=/bin/touch /run/coreos-ignition-delete-config.stamp
|
@ -27,30 +27,6 @@ behavior may occur. Ignition is not designed to run more than once per system.
|
||||
${RESET}
|
||||
EOF
|
||||
fi
|
||||
# In Ignition, we've two config validation checks, the one after
|
||||
# fetching a config and the second after merging configs. Sometimes,
|
||||
# a warning goes away after merging, however, it's possible that a
|
||||
# warning appears in case merging creates a contradiction between
|
||||
# two fields. So this workflow eventually sends duplicate warnings
|
||||
# in journal entries. Hence, we need to avoid displaying duplicate
|
||||
# Ignition warnings on the console.
|
||||
# For e.g. In the journal entries, we might see the following logs:
|
||||
#
|
||||
# warning at $.systemd.units.0.contents, line 1 col 997: unit "echo@.service" is enabled, but has no install section so enable does nothing
|
||||
# warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
|
||||
#
|
||||
# In order to normalize these logs, we'd need to get rid of the line
|
||||
# and column numbers entirely using the sed command, and then use
|
||||
# `sort -u` to remove duplicate content. After this, we'd see the
|
||||
# following warning on the console:
|
||||
#
|
||||
# warning at $.systemd.units.0.contents: unit "echo@.service" is enabled, but has no install section so enable does nothing
|
||||
#
|
||||
# TODO: find a way to query journal entries recorded before the
|
||||
# system switches to real root
|
||||
journalctl -t ignition -o cat -p warning | sed -r 's/, line [0-9]+ col [0-9]+//g' | sort -u | while read line; do
|
||||
echo -e "${WARN}Ignition: $line${RESET}" >> /etc/issue.d/30_coreos_ignition_warnings.issue
|
||||
done
|
||||
else
|
||||
nreboots=$(($(journalctl --list-boots | wc -l) - 1))
|
||||
[ "${nreboots}" -eq 1 ] && boot="boot" || boot="boots"
|
@ -1,23 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -euo pipefail
|
||||
|
||||
cmdline=( $(</proc/cmdline) )
|
||||
cmdline_arg() {
|
||||
local name="$1" value
|
||||
for arg in "${cmdline[@]}"; do
|
||||
if [[ "${arg%%=*}" == "${name}" ]]; then
|
||||
value="${arg#*=}"
|
||||
fi
|
||||
done
|
||||
echo "${value}"
|
||||
}
|
||||
|
||||
# Avoid running again if ignition-delete-config.service has run, but still
|
||||
# create our own stamp file now that /var is mounted.
|
||||
if [ ! -e /run/coreos-ignition-delete-config.stamp ]; then
|
||||
PLATFORM_ID=$(cmdline_arg ignition.platform.id)
|
||||
/usr/libexec/ignition-rmcfg --platform=${PLATFORM_ID}
|
||||
fi
|
||||
|
||||
touch /var/lib/coreos-ignition-delete-config.stamp
|
@ -3,6 +3,10 @@ set -euo pipefail
|
||||
|
||||
mount -o remount,rw /boot
|
||||
|
||||
if [[ $(uname -m) = s390x ]]; then
|
||||
zipl
|
||||
fi
|
||||
|
||||
# We're done provisioning. Remove the whole /boot/ignition directory if present,
|
||||
# which may include a baked Ignition config. See
|
||||
# https://github.com/coreos/fedora-coreos-tracker/issues/889.
|
||||
@ -12,8 +16,3 @@ rm -rf /boot/ignition
|
||||
# this file. Fail if we are unable to remove it, rather than risking rerunning
|
||||
# Ignition at next boot.
|
||||
rm /boot/ignition.firstboot
|
||||
|
||||
# rdcore zipl checks for /boot/ignition.firstboot
|
||||
if [[ $(uname -m) = s390x ]]; then
|
||||
/usr/lib/dracut/modules.d/50rdcore/rdcore zipl --boot-mount=/boot
|
||||
fi
|
||||
|
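Review bot: The added `zipl` call in the first hunk now runs before `rm /boot/ignition.firstboot`, and since the file runs under `set -euo pipefail` (hunk header) a zipl failure aborts the script with the flag still in place, which the comment above the `rm` says risks rerunning Ignition at the next boot. The removed block at the end of the file ran `rdcore zipl --boot-mount=/boot` after the flag was deleted and its comment states that it checks for `/boot/ignition.firstboot`; if plain `zipl` also reads boot state, consider moving the new `if [[ $(uname -m) = s390x ]]; then zipl; fi` below the `rm`, or documenting why the earlier position is required. The script's remaining body is outside these hunks.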
@ -1,8 +0,0 @@
|
||||
# Compress initrd with zstd. dracut defaults to -15, but we want the
|
||||
# maximum reasonable compression, so override the command line to use
|
||||
# dracut's defaults along with -19.
|
||||
#
|
||||
# We can't use this in RHCOS 8 because the kernel doesn't enable
|
||||
# CONFIG_RD_ZSTD.
|
||||
|
||||
compress="zstd -19 -q -T0"
|
@ -0,0 +1,9 @@
|
||||
# Stop NetworkManager from trying to load the ifcfg-rh plugin by default,
|
||||
# which we don't ship. This actually disables all default plugins, of which
|
||||
# ifcfg-rh is currently the only one.
|
||||
#
|
||||
# Note that we must do this for now because `-=` syntax doesn't work
|
||||
# with compiled-in defaults. Proposed upstream fix:
|
||||
# https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/491
|
||||
[main]
|
||||
plugins=
|
@ -1,3 +1,3 @@
|
||||
Tracker: https://github.com/coreos/fedora-coreos-tracker
|
||||
Discuss: https://discussion.fedoraproject.org/tag/coreos
|
||||
Discuss: https://discussion.fedoraproject.org/c/server/coreos/
|
||||
|
||||
|
@ -1,3 +1,5 @@
|
||||
# User metrics client
|
||||
enable fedora-coreos-pinger.service
|
||||
enable coreos-check-ssh-keys.service
|
||||
# Check if cgroupsv1 is still being used
|
||||
enable coreos-check-cgroups.service
|
||||
|
@ -1,9 +0,0 @@
|
||||
# Legacy IDs for 'nobody' user/group. This is a CoreOS mismatched entry
|
||||
# which will need to be migrated:
|
||||
# https://github.com/coreos/fedora-coreos-tracker/issues/1201
|
||||
|
||||
# g nobody 65534
|
||||
# u nobody 65534:65534 "Kernel Overflow User" - -
|
||||
|
||||
g nobody 99
|
||||
u nobody 99:99 "Kernel Overflow User" - -
|
@ -1,32 +0,0 @@
|
||||
# These are pinned users/groups whose static IDs are only used
|
||||
# this way on CoreOS nodes.
|
||||
|
||||
g cgred 996
|
||||
g chrony 992
|
||||
g cockpit-ws 987
|
||||
g dockerroot 986
|
||||
g etcd 997
|
||||
g input 104
|
||||
g kube 994
|
||||
g nfsnobody 65534
|
||||
g polkitd 998
|
||||
g ssh_keys 999
|
||||
g sssd 993
|
||||
g sudo 16
|
||||
g systemd-bus-proxy 988
|
||||
g systemd-network 990
|
||||
g systemd-resolve 989
|
||||
g systemd-timesync 991
|
||||
|
||||
u chrony 994:992 - /var/lib/chrony -
|
||||
u cockpit-ws 988:987 "User for cockpit-ws" - -
|
||||
u dockerroot 997:986 "Docker User" /var/lib/docker -
|
||||
u etcd 998:997 "etcd user" /var/lib/etcd -
|
||||
u kube 996:994 "Kubernetes user" - -
|
||||
u nfsnobody 65534:65534 "Anonymous NFS User" /var/lib/nfs -
|
||||
u polkitd 999:998 "User for polkitd" - -
|
||||
u sssd 995:993 "User for sssd" - -
|
||||
u systemd-bus-proxy 989:988 "systemd Bus Proxy" - -
|
||||
u systemd-network 991:990 "systemd Network Management" - -
|
||||
u systemd-resolve 990:989 "systemd Resolver" - -
|
||||
u systemd-timesync 993:991 "systemd Time Synchronization" - -
|
@ -1,43 +0,0 @@
|
||||
# These are basic users/groups coming from the default entries
|
||||
# in the 'setup' package. They can be dropped once that package
|
||||
# starts shipping its own sysusers.d entries.
|
||||
|
||||
g adm 4
|
||||
g audio 63
|
||||
g bin 1
|
||||
g cdrom 11
|
||||
g daemon 2
|
||||
g dialout 18
|
||||
g disk 6
|
||||
g floppy 19
|
||||
g ftp 50
|
||||
g games 20
|
||||
g kmem 9
|
||||
g lock 54
|
||||
g lp 7
|
||||
g mail 12
|
||||
g man 15
|
||||
g mem 8
|
||||
g root 0
|
||||
g sys 3
|
||||
g tape 33
|
||||
g tty 5
|
||||
g users 100
|
||||
g video 39
|
||||
g wheel 10
|
||||
|
||||
u adm 3:4 "adm" /var/adm -
|
||||
u bin 1:1 "bin" /bin -
|
||||
u daemon 2:2 "daemon" /sbin -
|
||||
u ftp 14:50 "FTP User" /var/ftp -
|
||||
# Workaround for systemd-sysusers bug, will be fixed in v252:
|
||||
# https://github.com/systemd/systemd/issues/24217
|
||||
# u games 12:100 "games" /usr/games -
|
||||
u games 12:users "games" /usr/games -
|
||||
u halt 7:0 "halt" /sbin /sbin/halt
|
||||
u lp 4:7 "lp" /var/spool/lpd -
|
||||
u mail 8:12 "mail" /var/spool/mail -
|
||||
u operator 11:0 "operator" /root -
|
||||
u root 0:0 "root" /root /bin/bash
|
||||
u shutdown 6:0 "shutdown" /sbin /sbin/shutdown
|
||||
u sync 5:0 "sync" /sbin /bin/sync
|
@ -1,24 +0,0 @@
|
||||
# These are users/groups with static IDs which follow usual Fedora-wide
|
||||
# allocation. They are usually coming from relevant packages, but we also
|
||||
# pre-populate them on CoreOS.
|
||||
|
||||
g avahi-autoipd 170
|
||||
g ceph 167
|
||||
g dbus 81
|
||||
g dip 40
|
||||
g rpc 32
|
||||
g rpcuser 29
|
||||
g sshd 74
|
||||
g systemd-journal 190
|
||||
g tcpdump 72
|
||||
g utempter 35
|
||||
g utmp 22
|
||||
|
||||
u avahi-autoipd 170:170 "Avahi IPv4LL Stack" /var/lib/avahi-autoipd -
|
||||
u ceph 167:167 "Ceph daemons" /var/lib/ceph -
|
||||
u dbus 81:81 "System Message Bus" - -
|
||||
u nfsnobody 65534:65534 "Anonymous NFS User" /var/lib/nfs -
|
||||
u rpc 32:32 "Rpcbind Daemon" /var/lib/rpcbind -
|
||||
u rpcuser 29:29 "RPC Service User" /var/lib/nfs -
|
||||
u sshd 74:74 "Privilege-separated SSH" /var/empty/sshd -
|
||||
u tcpdump 72:72 - - -
|
@ -9,20 +9,17 @@ main() {
|
||||
|
||||
# See https://github.com/coreos/ignition/pull/964 for the MESSAGE_ID
|
||||
# source. It will track the authorized-ssh-keys entries in journald
|
||||
# provided via Ignition. Limit journal output to the most recent boot
|
||||
# so we don't get output from re-used /var/ partitions.
|
||||
# provided via Ignition.
|
||||
ignitionusers=$(
|
||||
journalctl -b 0 -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
|
||||
journalctl -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \
|
||||
jq -r '.MESSAGE' | \
|
||||
xargs -I{} echo "Ignition: {}")
|
||||
|
||||
# See https://github.com/coreos/afterburn/pull/397 for the MESSAGE_ID
|
||||
# source. It will track the authorized-ssh-keys entries in journald
|
||||
# provided via Afterburn.Limit journal output to the most recent boot
|
||||
# so we don't get output from re-used /var/ partitions.
|
||||
|
||||
# provided via Afterburn.
|
||||
afterburnusers=$(
|
||||
journalctl -b 0 -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
|
||||
journalctl -o json-pretty MESSAGE_ID=0f7d7a502f2d433caa1323440a6b4190 | \
|
||||
jq -r '.MESSAGE' | \
|
||||
xargs -I{} echo "Afterburn: {}")
|
||||
|
||||
|
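Review bot: Dropping `-b 0` from both `journalctl` invocations widens the query to every boot recorded in the journal, and the removed comment explains the flag existed precisely to avoid output from a re-used /var partition. On a node whose /var persists from an earlier installation, stale Ignition or Afterburn authorized-keys messages would make this check report keys as present when none were provisioned on the current boot, which defeats the console warning the script exists for. Unless this branch's journalctl cannot take `-b 0`, keep `journalctl -b 0 -o json-pretty MESSAGE_ID=225067b87bbd4a0cb6ab151f82fa364b | \` and the matching line for Afterburn, together with the comment that explains it. main() starts outside the hunk.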
@ -11,12 +11,16 @@ set -euo pipefail
|
||||
#
|
||||
# Originally spawned from discussion in https://github.com/openshift/installer/pull/3513
|
||||
|
||||
. /usr/lib/coreos/generator-lib.sh
|
||||
# Generators don't have logging right now
|
||||
# https://github.com/systemd/systemd/issues/15638
|
||||
exec 1>/dev/kmsg; exec 2>&1
|
||||
|
||||
self=$(basename $0)
|
||||
confpath=/run/coreos-platform-chrony.conf
|
||||
|
||||
platform=$(karg ignition.platform.id)
|
||||
# Yeah this isn't a completely accurate kernel argument parser but
|
||||
# we don't have one shared across shell services at the moment.
|
||||
platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d =)"
|
||||
case "${platform}" in
|
||||
azure|azurestack|aws|gcp) ;; # OK, this is a platform we know how to support
|
||||
*) exit 0 ;;
|
||||
|
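Review bot: The new `platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d =)"` aborts the generator instead of reaching the `*) exit 0 ;;` fallback when the argument is absent: `grep` exits 1 on no match, `pipefail` carries that through `cut`, and under the `set -euo pipefail` shown in the hunk header a failing command substitution in a bare assignment terminates the script. Appending `|| true` inside the substitution, `platform="$(grep -Eo ' ignition.platform.id=[a-z]+' /proc/cmdline | cut -f 2 -d = || true)"`, restores the intended "unknown platform, do nothing" path. The pattern also requires a leading space, so the argument is missed when it is the first token of the command line, and the unescaped dots match any character; the comment above it already concedes the parser is approximate, but these two cases are worth naming there.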
@ -1,18 +1,7 @@
|
||||
These overlay directories are automatically committed to the build OSTree repo
|
||||
by coreos-assembler. They are then explicitly included in our various manifest
|
||||
files via `ostree-layers` (this used to be done automatically, but that's no
|
||||
longer the case).
|
||||
|
||||
05core
|
||||
------
|
||||
|
||||
This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
|
||||
|
||||
06el9
|
||||
-----
|
||||
|
||||
This overlay includes content shared between FCOS and RHCOS/SCOS 9, but not
|
||||
RHCOS 8.
|
||||
This overlay matches `fedora-coreos-base.yaml`; core Ignition+ostree bits.
|
||||
|
||||
08nouveau
|
||||
---------
|
||||
@ -28,6 +17,11 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1700056
|
||||
|
||||
Warning about `/etc/sysconfig`.
|
||||
|
||||
14NetworkManager-plugins
|
||||
------------------------
|
||||
|
||||
Disables the Red Hat Linux legacy `ifcfg` format.
|
||||
|
||||
15fcos
|
||||
------
|
||||
|
||||
@ -36,16 +30,10 @@ Things that are more closely "Fedora CoreOS":
|
||||
* disable password logins by default over SSH
|
||||
* enable SSH keys written by Ignition and Afterburn
|
||||
* branding (MOTD)
|
||||
* enable FCOS-specific services by default
|
||||
* enable services by default (fedora-coreos-pinger)
|
||||
* display warnings on the console if no ignition config was provided or no ssh
|
||||
key found.
|
||||
|
||||
16disable-zincati
|
||||
-----------------
|
||||
|
||||
Disable Zincati on non-production streams:
|
||||
https://github.com/coreos/fedora-coreos-tracker/issues/163
|
||||
|
||||
20platform-chrony
|
||||
-----------------
|
||||
|
||||
|
@ -5,7 +5,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStre
|
||||
gpgcheck=1
|
||||
enabled=1
|
||||
countme=1
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
|
||||
|
||||
[baseos]
|
||||
name=Rocky Linux $releasever - BaseOS
|
||||
@ -14,7 +14,7 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-
|
||||
gpgcheck=1
|
||||
enabled=1
|
||||
countme=1
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
|
||||
|
||||
[extras]
|
||||
name=Rocky Linux $releasever - Extras
|
||||
@ -23,4 +23,4 @@ mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=extras-
|
||||
gpgcheck=1
|
||||
enabled=1
|
||||
countme=1
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-9
|
||||
gpgkey=file:///usr/share/distribution-gpg-keys/rocky/RPM-GPG-KEY-Rocky-$releasever
|
||||
|