From 9df08be38ee2f38bab2b5f928c12465a5501cc85 Mon Sep 17 00:00:00 2001
From: Kelvin Fan
Date: Thu, 19 Nov 2020 17:50:14 -0500
Subject: [PATCH 1/2] coreos-copy-firstboot-network.sh: Place stamp file if copied
We would like to mount `/boot` read-only in the real root, so remove the current 15-coreos-firstboot-network.conf since it would not work once `/boot` is mounted ro. Drop a stamp file instead so that `coreos-boot-edit.service` would notice and perform the clean up later in the initramfs.
xref https://github.com/coreos/fedora-coreos-config/pull/659
---
 .../15coreos-network/coreos-copy-firstboot-network.sh | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
index 072dc7b487..ad24af2caf 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
@@ -26,10 +26,9 @@ if [ -n "$(ls -A ${initramfs_firstboot_network_dir} 2>/dev/null)" ]; then
 echo "info: copying files from ${initramfs_firstboot_network_dir} to ${initramfs_network_dir}"
 mkdir -p ${initramfs_network_dir}
 cp -v ${initramfs_firstboot_network_dir}/* ${initramfs_network_dir}/
- # If we make it to the realroot (successfully ran ignition) then
- # clean up the files in the firstboot network dir
- echo "R ${realroot_firstboot_network_dir} - - - - -" > \
- /run/tmpfiles.d/15-coreos-firstboot-network.conf
+ # Drop stamp file in /run to indicate that there are firstboot networking
+ # configuration files in /boot that should be cleaned up after Ignition.
+ touch /run/coreos-copy-firstboot-network.stamp
 else
 echo "info: no files to copy from ${initramfs_firstboot_network_dir}. skipping"
 fi
From 4e38b36aa827e3f2bf61efbbed614c6fc5a9d3cd Mon Sep 17 00:00:00 2001
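Review bot: The comment added above `touch` says the files "should be cleaned up after Ignition" but not by whom, and within this patch nothing consumes the stamp, so until the follow-up unit lands the firstboot files in /boot are left in place on every boot instead of being removed as the dropped tmpfiles.d line did. Name the consumer at the point where the stamp is created so the contract between the two scripts is visible, e.g. `# Drop stamp file in /run so coreos-boot-edit.service (30ignition-coreos) knows there are` / `# firstboot networking configuration files in /boot to remove once Ignition has finished.` The `if` that encloses these lines is the hunk's header context and starts outside the hunk.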
From: Kelvin Fan
Date: Thu, 19 Nov 2020 17:53:58 -0500
Subject: [PATCH 2/2] 30ignition-coreos: Add `coreos-boot-edit.{service,sh}`
`coreos-boot-edit.service` will run late in the initrd process after Ignition is completed successfully and temporarily mount /boot read-write to make edits in (e.g. removing firstboot networking configuration files if necessary).
---
 .../coreos-copy-firstboot-network.sh | 3 ++-
 .../coreos-boot-edit.service | 23 +++++++++++++++++++
 .../30ignition-coreos/coreos-boot-edit.sh | 22 ++++++++++++++++++
 .../30ignition-coreos/module-setup.sh | 7 ++++++
 4 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.sh
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
index ad24af2caf..51c3cc2538 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
@@ -10,6 +10,7 @@ firstboot_network_dir_basename="coreos-firstboot-network"
 initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
 initramfs_network_dir="/run/NetworkManager/system-connections/"
 realroot_firstboot_network_dir="/boot/${firstboot_network_dir_basename}"
+copy_firstboot_network_stamp="/run/coreos-copy-firstboot-network.stamp"
 
 # Mount /boot. Note that we mount /boot but we don't unmount boot because we
 # are run in a systemd unit with MountFlags=slave so it is unmounted for us.
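Review bot: `realroot_firstboot_network_dir`, the context line directly above the added one, appears to have lost its only reader when the tmpfiles.d line was dropped in the previous patch; if nothing else in the file (outside this hunk) uses it, remove it rather than leave a `/boot/...` path that suggests the real root still does the cleanup. The added `copy_firstboot_network_stamp` and the existing `firstboot_network_dir_basename` are re-declared independently in the new `coreos-boot-edit.sh` hunk below and must agree byte for byte for the removal to ever fire. A comment at this definition would make that coupling visible, e.g. `# Must match copy_firstboot_network_stamp in 30ignition-coreos/coreos-boot-edit.sh.`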
@@ -28,7 +29,7 @@ if [ -n "$(ls -A ${initramfs_firstboot_network_dir} 2>/dev/null)" ]; then
 cp -v ${initramfs_firstboot_network_dir}/* ${initramfs_network_dir}/
 # Drop stamp file in /run to indicate that there are firstboot networking
 # configuration files in /boot that should be cleaned up after Ignition.
- touch /run/coreos-copy-firstboot-network.stamp
+ touch ${copy_firstboot_network_stamp}
 else
 echo "info: no files to copy from ${initramfs_firstboot_network_dir}. skipping"
 fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.service b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.service
new file mode 100644
index 0000000000..d12ec05ba5
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.service
@@ -0,0 +1,23 @@
+# This unit will run late in the initrd process after Ignition is completed
+# successfully and temporarily mount /boot read-write to make edits
+# (e.g. removing firstboot networking configuration files if necessary).
+
+[Unit]
+Description=CoreOS Boot Edit
+ConditionPathExists=/usr/lib/initrd-release
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Since we are mounting /boot, require the device first
+Requires=dev-disk-by\x2dlabel-boot.device
+After=dev-disk-by\x2dlabel-boot.device
+# Start after Ignition has finished
+After=ignition-files.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/coreos-boot-edit
+RemainAfterExit=yes
+# MountFlags=slave is so the umount of /boot is guaranteed to happen.
+# /boot will only be mounted for the lifetime of the unit.
+MountFlags=slave
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.sh b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.sh
new file mode 100755
index 0000000000..0a883b39bc
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.sh
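Review bot: `After=ignition-files.service` in the [Unit] section only orders this unit after Ignition; it does not make starting conditional on Ignition having succeeded, even though the header comment and the commit message both say the edit happens "after Ignition is completed successfully". Since the script this unit runs deletes the firstboot network configuration from /boot, running it after a failed ignition-files.service would discard the configuration a retried first boot still needs. In practice the failing unit's OnFailure isolate to emergency.target will usually cancel this job first, but the unit should not rely on that; pair the ordering with a requirement so a failed dependency cancels it explicitly: `Requires=ignition-files.service` next to the existing `After=ignition-files.service`.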
@@ -0,0 +1,22 @@
+#!/bin/bash
+set -euo pipefail
+
+# For a description of how this is used, see `coreos-boot-edit.service`.
+
+# Mount /boot. Note that we mount /boot but we don't unmount it because we
+# are run in a systemd unit with MountFlags=slave so it is unmounted for us.
+bootmnt=/mnt/boot_partition
+mkdir -p ${bootmnt}
+bootdev=/dev/disk/by-label/boot
+mount -o rw ${bootdev} ${bootmnt}
+
+# Clean up firstboot networking config files if the user copied them into the
+# installed system (most likely by using `coreos-installer install --copy-network`).
+firstboot_network_dir_basename="coreos-firstboot-network"
+initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
+copy_firstboot_network_stamp="/run/coreos-copy-firstboot-network.stamp"
+if [ -f ${copy_firstboot_network_stamp} ]; then
+ rm -vrf ${initramfs_firstboot_network_dir}
+else
+ echo "info: no firstboot networking config files to clean from /boot. skipping"
+fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/module-setup.sh
index b2bb826570..1c4a53aea2 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/module-setup.sh
@@ -36,4 +36,11 @@ install() {
 # units only started when we have a boot disk
 # path generated by systemd-escape --path /dev/disk/by-label/root
 install_ignition_unit coreos-gpt-setup.service ignition-diskful.target
+
+ inst_script "$moddir/coreos-boot-edit.sh" \
+ "/usr/sbin/coreos-boot-edit"
+ # Only start when the system has disks since we are editing /boot.
+ install_ignition_unit "coreos-boot-edit.service" \
+ "ignition-diskful.target"
+
 }
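Review bot: /boot is mounted read-write on the `mount -o rw` line before the script knows whether there is anything to edit, so on every boot without the stamp the only effect of this unit is an rw mount and unmount of the boot filesystem, which is exactly the write exposure the series is trying to reduce. As long as the stamp-driven removal is the unit's only edit, test the stamp first and exit before touching the device; while there, quote the expansions and terminate options (`rm -vrf -- "${initramfs_firstboot_network_dir}"`) so the file passes ShellCheck even though the values are constants today. If more edits are added later the early exit would need to move into the stamp branch instead.
```shell
copy_firstboot_network_stamp="/run/coreos-copy-firstboot-network.stamp"
if [ ! -f "${copy_firstboot_network_stamp}" ]; then
    echo "info: no firstboot networking config files to clean from /boot. skipping"
    exit 0
fi

# … unchanged: mkdir -p and mount -o rw of /boot (bootmnt, bootdev) …

firstboot_network_dir_basename="coreos-firstboot-network"
initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
rm -vrf -- "${initramfs_firstboot_network_dir}"
```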
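Review bot: The new `install_ignition_unit "coreos-boot-edit.service" "ignition-diskful.target"` call quotes and line-wraps its arguments while the `coreos-gpt-setup.service` call three lines above passes them bare on one line, and the added blank `+` line before `}` leaves a trailing empty line at the end of `install()`. Match the neighbouring call's form, `install_ignition_unit coreos-boot-edit.service ignition-diskful.target`, and drop that final blank line. The rest of `install()` is outside the hunk.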