overlay: add 15copy-installer-network dracut module #346
Conversation
|
In order to propagate networking from the live ISO installer environment the installer will place files into a directory in /boot/ (coreos/coreos-installer#212) and the systemd service/script from this PR will pick that up and apply it during the initramfs boot process on the ignition boot (firstboot) of the installed system. |
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
from
99904e0 to
6016e33
Compare
There was a problem hiding this comment.
It still feels wrong to me that this mechanism takes precedence over karg network options the user might've input. Though I guess we can fix that once we do coreos/coreos-assembler#1298 as discussed in coreos/fedora-coreos-tracker#460.
| # location for NetworkManager to use the configuration. | ||
| echo "info: copying files from ${installer_network_dir} to ${initramfs_network_dir}" | ||
| mkdir -p $initramfs_network_dir | ||
| cp -v ${installer_network_dir}/* ${initramfs_network_dir}/ |
There was a problem hiding this comment.
I think we also want to delete installer_network_dir here, no? Otherwise, it'll just hang around forever.
There was a problem hiding this comment.
I'd rather keep /boot/ mounted read-only here. I don't think it hurts to keep the directory around especially since nothing after firstboot will consume it anyway.
There was a problem hiding this comment.
Oh right, forgot about the ro mount.
I don't think it hurts to keep the directory around especially since nothing after firstboot will consume it anyway.
Right yeah, not so much that it conflicts with anything. It's just bad optics IMO to have it stay in the root of /boot forever. For example, back when we used Anaconda, we would actively remove everything in /sysroot except what was needed (coreos/coreos-assembler#492). Nowadays we just have /boot, /ostree, and .coreos-aleph-version.json, which is nice. Similarly an ls /boot right now only has the files we actually need.
WDYT about adding a /run/tmpfiles.d/10-coreos-installer-network.conf file which has:
R /boot/coreos-installer-network - - - - -
?
There was a problem hiding this comment.
ok added a second commit to clean up via tmpfiles.d. I can squash it if desired.
....d/05core/usr/lib/dracut/modules.d/15copy-installer-network/coreos-copy-installer-network.sh
Outdated
Show resolved
Hide resolved
...core/usr/lib/dracut/modules.d/15copy-installer-network/coreos-copy-installer-network.service
Outdated
Show resolved
Hide resolved
I don't really feel like it's that wrong considering the user just did an install and explicitly told the installer to bake specific networking configuration in specifically for this first boot. We do have to do it this way for now (ignoring kargs completely) because we do embed default networking args, but as you mention below 👇🏼 we maybe be able to rework it when we no longer do that.
|
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
from
6016e33 to
a873d2b
Compare
...core/usr/lib/dracut/modules.d/15copy-installer-network/coreos-copy-installer-network.service
Outdated
Show resolved
Hide resolved
| # [4] https://github.com/dracutdevs/dracut/blob/master/modules.d/35network-manager/module-setup.sh#L36 | ||
| # | ||
| [Unit] | ||
| Description=Copy Live ISO Installer Networking Config |
There was a problem hiding this comment.
Live ISO is a misnomer here. --copy-network can be done from live PXE, or in principle from a Fedora live image running the coreos-installer container.
There was a problem hiding this comment.
Technically you are right. How about Copy CoreOS Installer Networking Config ?
There was a problem hiding this comment.
We could also keep it generic as just a mechanism for baking in network configs in the image and coreos-installer just happens to use it. So e.g. it'd be Copy Network Configs and the directory would be ${bootmnt}/coreos-network-configs or something.
There was a problem hiding this comment.
I'm okay with either of those options.
There was a problem hiding this comment.
(This is similar to how we support adding a $boot/ignition/config.ign without the help of coreos-installer, and in fact kola knows how to do this today.)
There was a problem hiding this comment.
ok if we want to change the name of the directory now is the time to do it. I named it something specific because I didn't see other uses for this (or at least not other encouraged uses). What do you all think we should do?
There was a problem hiding this comment.
bikeshed: /boot/firstboot-network-configs
There was a problem hiding this comment.
we decided in IRC to go with: /boot/coreos-firstboot-network
There was a problem hiding this comment.
coreos-installer PR to change the dir: coreos/coreos-installer#216
There was a problem hiding this comment.
updated this PR to use /boot/coreos-firstboot-network
In another code review [1] we agreed to make the name of the directory more generic. [1] coreos/fedora-coreos-config#346 (comment)
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
from
a873d2b to
2fe49ad
Compare
|
bringing this out of draft mode. testing looks good (combined with coreos/coreos-installer#216) |
| echo "R ${realroot_firstboot_network_dir} - - - - -" > \ | ||
| /run/tmpfiles.d/15-coreos-firstboot-network.conf |
There was a problem hiding this comment.
Can we move this out so we always do this if the directory exists, not just if it's not empty?
There was a problem hiding this comment.
I'd prefer not. Deleting the files (presumably on success) will already make things hard to debug. This would make it worse I think.
This test passes for me when I run it locally so maybe let's retry. |
|
/retest |
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
from
2fe49ad to
dffc863
Compare
| # - i.e. Before=dracut-cmdline.service | ||
| # - Another is to run *after* nm-config.sh [3] in dracut-cmdline [4] | ||
| # and just delete all the files created by nm-initrd-generator. | ||
| # - i.e. After=dracut-cmdline.service, but Before=dracut-initqueue.service |
There was a problem hiding this comment.
This is a clear and obvious downside of the "running NM via dracut initqueue"...
There was a problem hiding this comment.
Agree. Though when we do finally get NM running via systemd we'll need to make sure we work with the team such that there are two separate services: one for running nm-initrd-generator and one for starting NM. This will enable us to hook in between them OR maybe be able to just say Before=nm-initrd-generator.service
|
The CI failure This appears to be a race condition. The will add a short loop to wait for the device before continuing |
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
2 times, most recently
from
add674d to
03390ec
Compare
|
yay! CI passed now |
...r/lib/dracut/modules.d/15coreos-copy-firstboot-network/coreos-copy-firstboot-network.service
Outdated
Show resolved
Hide resolved
This dracut module delivers a coreos-copy-firstboot-network systemd service and script that will detect when files have been placed into /boot/ by `coreos-installer install --copy-network` and appropriately copy them in place to be used by the initramfs networking. If files are detected within /boot/coreos-firstboot-network/ then they will be considered to be the only source of networking for that ignition boot (i.e. no networking kargs will be applied).
…t-network This will clean up those files if they existed and were used.
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
2 times, most recently
from
8d81ffa to
1d881ac
Compare
|
CI re-ran again because I pushed up a comment change for #346 (comment) and it failed. It appears the same fallacy that plagues |
|
if CI does pass I'll look at the logs and hopefully we'll see at least one |
Add short while loop to handle a race condition where After=dev-disk-by\x2dlabel-boot.device doesn't seem to be sufficient always.
dustymabe
force-pushed
the
dusty-copy-installer-network
branch
from
1d881ac to
ba00a21
Compare
In another code review [1] we agreed to make the name of the directory more generic. [1] coreos/fedora-coreos-config#346 (comment)
It did pass! and we do see it! 👏 👏 👏 👏 |
|
I think the races may be due to |
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
|
Filed as coreos/fedora-coreos-tracker#523 |
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
Make use of the new `fetch-offline` stage: coreos/ignition#979 We run this between the `setup` and `fetch` stages (the latter possibly being skipped if networking is not required). We hit the same issue here that `coreos-copy-firstboot-network.service` hit, which is that we can't run before the `cmdline` hook because that runs *before* udev, but we want the `by-*` symlinks for `ignition-setup-user.service`. The hack we do here is to rerun the NM cmdline hook in case ignition dropped a snippet in `/etc/cmdline.d`. As mentioned in coreos/fedora-coreos-config#346, we'll be able to do this more cleanly once we run NM as a systemd service directly.
This dracut module delivers a coreos-copy-installer-network
systemd service and script that will detect when files have
been placed into /boot/ by
coreos-installer install --copy-networkand appropriately copy them in place to be used by the initramfs
networking. If files are detected within /boot/coreos-installer-network/
then they will be considered to be the only source of networking
for that ignition boot (i.e. no networking kargs will be applied).