forked from coreos/fedora-coreos-config
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
overlay: remove /boot/ignition on upgrade if present
On subsequent boots, if /boot/ignition is present, remove it. This fixes up old nodes with a world-readable Ignition config in /boot. coreos/fedora-coreos-tracker#889
- Loading branch information
1 parent
8697376
commit 7d2cf33
Showing
4 changed files
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletions
20
overlay.d/15fcos/usr/lib/systemd/system/coreos-cleanup-ignition-config.service
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| [Unit] | ||
| Description=Clean Up Injected Ignition Config in /boot | ||
| Documentation=https://github.com/coreos/fedora-coreos-tracker/issues/889 | ||
| # Newer Ignition will handle this on first boot; we only want to clean up | ||
| # leftover configs on upgrade. Disambiguate those two code paths for tests. | ||
| ConditionKernelCommandLine=!ignition.firstboot | ||
| RequiresMountsFor=/boot | ||
| ConditionPathExists=/boot/ignition | ||
| # We ship a kdump.service dropin that remounts /boot rw; avoid conflicts | ||
| Before=kdump.service | ||
|
|
||
| [Service] | ||
| Type=oneshot | ||
| ExecStart=/usr/libexec/coreos-cleanup-ignition-config | ||
| RemainAfterExit=yes | ||
| # MountFlags=slave ensures the rw mount of /boot is private to the unit | ||
| MountFlags=slave | ||
|
|
||
| [Install] | ||
| WantedBy=multi-user.target |
10 changes: 10 additions & 0 deletions
10
overlay.d/15fcos/usr/libexec/coreos-cleanup-ignition-config
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| #!/usr/bin/bash | ||
| # | ||
| # Clean up existing nodes that have a world-readable /boot/ignition/config.ign. | ||
| # Remove this after the next barrier release on all streams. | ||
| # https://github.com/coreos/fedora-coreos-tracker/issues/889 | ||
|
|
||
| set -euo pipefail | ||
|
|
||
| mount -o remount,rw /boot | ||
| rm -rf /boot/ignition |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| #!/bin/bash | ||
| # Old instances might have a leftover Ignition config in /boot/ignition on | ||
| # upgrade. Manually create one, reboot, and ensure that it's correctly | ||
| # cleaned up. | ||
| # https://github.com/coreos/fedora-coreos-tracker/issues/889 | ||
|
|
||
| set -xeuo pipefail | ||
|
|
||
| ok() { | ||
| echo "ok" "$@" | ||
| } | ||
|
|
||
| fatal() { | ||
| echo "$@" >&2 | ||
| exit 1 | ||
| } | ||
|
|
||
| case "${AUTOPKGTEST_REBOOT_MARK:-}" in | ||
| "") | ||
| sudo mount -o remount,rw /boot | ||
| sudo mkdir -p /boot/ignition | ||
| sudo touch /boot/ignition/config.ign | ||
| /tmp/autopkgtest-reboot rebooted | ||
| ;; | ||
| rebooted) | ||
| [[ ! -e /boot/ignition ]] | ||
| ok "/boot/ignition was removed" | ||
| ;; | ||
| *) | ||
| fatal "unexpected mark: ${AUTOPKGTEST_REBOOT_MARK}" | ||
| ;; | ||
| esac |