30ignition-coreos: Add coreos-boot-edit.{service,sh}

overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh

@@ -10,6 +10,7 @@ firstboot_network_dir_basename="coreos-firstboot-network"
 initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
 initramfs_network_dir="/run/NetworkManager/system-connections/"
 realroot_firstboot_network_dir="/boot/${firstboot_network_dir_basename}"
+copy_firstboot_network_stamp="/run/coreos-copy-firstboot-network.stamp"
 
 # Mount /boot. Note that we mount /boot but we don't unmount boot because we
 # are run in a systemd unit with MountFlags=slave so it is unmounted for us.
@@ -26,10 +27,9 @@ if [ -n "$(ls -A ${initramfs_firstboot_network_dir} 2>/dev/null)" ]; then
     echo "info: copying files from ${initramfs_firstboot_network_dir} to ${initramfs_network_dir}"
     mkdir -p ${initramfs_network_dir}
     cp -v ${initramfs_firstboot_network_dir}/* ${initramfs_network_dir}/
-    # If we make it to the realroot (successfully ran ignition) then
-    # clean up the files in the firstboot network dir
-    echo "R ${realroot_firstboot_network_dir} - - - - -" > \
-        /run/tmpfiles.d/15-coreos-firstboot-network.conf
+    # Drop stamp file in /run to indicate that there are firstboot networking
+    # configuration files in /boot that should be cleaned up after Ignition.
+    touch ${copy_firstboot_network_stamp}
 else
     echo "info: no files to copy from ${initramfs_firstboot_network_dir}. skipping"
 fi

overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.service

@@ -0,0 +1,23 @@
+# This unit will run late in the initrd process after Ignition is completed
+# successfully and temporarily mount /boot read-write to make edits
+# (e.g. removing firstboot networking configuration files if necessary).
+
+[Unit]
+Description=CoreOS Boot Edit
+ConditionPathExists=/usr/lib/initrd-release
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Since we are mounting /boot, require the device first
+Requires=dev-disk-by\x2dlabel-boot.device
+After=dev-disk-by\x2dlabel-boot.device
+# Start after Ignition has finished
+After=ignition-files.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/coreos-boot-edit
+RemainAfterExit=yes
+# MountFlags=slave is so the umount of /boot is guaranteed to happen.
+# /boot will only be mounted for the lifetime of the unit.
+MountFlags=slave

overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/coreos-boot-edit.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+set -euo pipefail
+
+# For a description of how this is used, see `coreos-boot-edit.service`.
+
+# Mount /boot. Note that we mount /boot but we don't unmount it because we
+# are run in a systemd unit with MountFlags=slave so it is unmounted for us.
+bootmnt=/mnt/boot_partition
+mkdir -p ${bootmnt}
+bootdev=/dev/disk/by-label/boot
+mount -o rw ${bootdev} ${bootmnt}
+
+# Clean up firstboot networking config files if the user copied them into the
+# installed system (most likely by using `coreos-installer install --copy-network`).
+firstboot_network_dir_basename="coreos-firstboot-network"
+initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
+copy_firstboot_network_stamp="/run/coreos-copy-firstboot-network.stamp"
+if [ -f ${copy_firstboot_network_stamp} ]; then
+    rm -vrf ${initramfs_firstboot_network_dir}
+else
+    echo "info: no firstboot networking config files to clean from /boot. skipping"
+fi

overlay.d/05core/usr/lib/dracut/modules.d/30ignition-coreos/module-setup.sh

@@ -36,4 +36,11 @@ install() {
     # units only started when we have a boot disk
     # path generated by systemd-escape --path /dev/disk/by-label/root
     install_ignition_unit coreos-gpt-setup.service ignition-diskful.target
+
+    inst_script "$moddir/coreos-boot-edit.sh" \
+        "/usr/sbin/coreos-boot-edit"
+    # Only start when the system has disks since we are editing /boot.
+    install_ignition_unit "coreos-boot-edit.service" \
+        "ignition-diskful.target"
+
 }