diff --git a/dracut/30ignition/99-xx-ignition-systemd-cryptsetup.rules b/dracut/30ignition/99-xx-ignition-systemd-cryptsetup.rules new file mode 100644 index 0000000..041b286 --- /dev/null +++ b/dracut/30ignition/99-xx-ignition-systemd-cryptsetup.rules @@ -0,0 +1,8 @@ +SUBSYSTEM!="block", GOTO="systemd_cryptsetup_end" + +# This overrides systemd default behavior from 99-systemd.rules, which ignores unformatted crypto devices. +# https://github.com/systemd/systemd/commit/90e6abaea0cfd25093aae1ad862c5c909ae55829 +# Ignition relies on unformatted crypto devices being discovered to trigger formatting +SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="1" + +LABEL="systemd_cryptsetup_end" diff --git a/dracut/30ignition/ignition-complete.target b/dracut/30ignition/ignition-complete.target new file mode 100644 index 0000000..6241b1d --- /dev/null +++ b/dracut/30ignition/ignition-complete.target @@ -0,0 +1,14 @@ +# This target is reached when Ignition finishes running. Note that it gets +# activated *only* on first boot (or if ignition.firstboot=1 is provided). +# Thus, it is also an API for units to use so that they are activated only on +# first boot. Simply add a link under ignition-complete.target.requires in the +# initrd. +[Unit] +Description=Ignition Complete +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +Before=initrd.target + +# Make sure we stop all the units before switching root +Conflicts=initrd-switch-root.target umount.target +Conflicts=dracut-emergency.service emergency.service emergency.target diff --git a/dracut/30ignition/ignition-diskful-subsequent.target b/dracut/30ignition/ignition-diskful-subsequent.target new file mode 100644 index 0000000..0adda1f --- /dev/null +++ b/dracut/30ignition/ignition-diskful-subsequent.target @@ -0,0 +1,12 @@ +# This target is a combination of ignition-subsequent.target and +# ignition-diskful.target - units here should only run when we have a +# boot disk and *aren't* doing the first boot. +[Unit] +Description=Ignition Subsequent Boot Disk Setup +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +Before=ignition-subsequent.target + +# Make sure we stop all the units before switching root +Conflicts=initrd-switch-root.target umount.target +Conflicts=dracut-emergency.service emergency.service emergency.target diff --git a/dracut/30ignition/ignition-diskful.target b/dracut/30ignition/ignition-diskful.target new file mode 100644 index 0000000..c59b217 --- /dev/null +++ b/dracut/30ignition/ignition-diskful.target @@ -0,0 +1,12 @@ +# This target contains Ignition units that should only run when we have a +# boot disk, i.e. when we're not running diskless from a live image in RAM. +# Like ignition-complete.target, it only runs on first boot. +[Unit] +Description=Ignition Boot Disk Setup +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +Before=ignition-complete.target + +# Make sure we stop all the units before switching root +Conflicts=initrd-switch-root.target umount.target +Conflicts=dracut-emergency.service emergency.service emergency.target diff --git a/dracut/30ignition/ignition-disks.service b/dracut/30ignition/ignition-disks.service index 1b40784..4e2b783 100644 --- a/dracut/30ignition/ignition-disks.service +++ b/dracut/30ignition/ignition-disks.service @@ -1,25 +1,41 @@ [Unit] Description=Ignition (disks) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release DefaultDependencies=false +Before=ignition-complete.target +# Flatcar: Requires=local-fs-pre.target Before=local-fs-pre.target - Requires=ignition-setup.service After=ignition-setup.service -# setup networking -Wants=systemd-networkd.service -After=systemd-networkd.service +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +After=ignition-fetch.service +Before=ignition-mount.service + +# This stage runs between `basic.target` and `initrd-root-device.target`, +# see https://www.freedesktop.org/software/systemd/man/bootup.html +# Make sure to run before the file system checks, as sgdisk will trigger +# udev events, potentially resulting in race conditions due to disappearing +# devices. -# generate resolv.conf -Wants=systemd-resolved.service -After=systemd-resolved.service +# Note that CL runs this before `local-fs-pre.target` to allow for configs that +# completely wipe the rootfs. Though we're not there yet. But we still run +# before `sysroot.mount` on principle. +Before=initrd-root-device.target +Before=sysroot.mount OnFailure=emergency.target OnFailureJobMode=isolate +# This stage requires udevd to detect disk partitioning changes. +Requires=systemd-udevd.service +After=systemd-udevd.service + [Service] Type=oneshot +RemainAfterExit=yes EnvironmentFile=/run/ignition.env -ExecStart=/usr/bin/ignition --root=/sysroot --oem=${OEM_ID} --stage=disks +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=disks diff --git a/dracut/30ignition/ignition-fetch-offline.service b/dracut/30ignition/ignition-fetch-offline.service new file mode 100644 index 0000000..3a4b010 --- /dev/null +++ b/dracut/30ignition/ignition-fetch-offline.service @@ -0,0 +1,33 @@ +# This unit creates /run/ignition/neednet if networking needs to be enabled. +# The distro is responsible for sequencing a unit between +# ignition-fetch-offline.service and ignition-fetch.service, detecting the +# flag file with ConditionPathExists=, and enabling networking. + +[Unit] +Description=Ignition (fetch-offline) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +DefaultDependencies=false +Before=ignition-complete.target +# Flatcar: +#After=basic.target +Wants=sockets.target paths.target slices.target +After=sockets.target paths.target slices.target + +# Flatcar: +Requires=local-fs-pre.target +Before=local-fs-pre.target +Requires=ignition-setup.service +After=ignition-setup.service + +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +Before=ignition-fetch.service + +OnFailure=emergency.target +OnFailureJobMode=isolate + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=/run/ignition.env +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=fetch-offline diff --git a/dracut/30ignition/ignition-fetch.service b/dracut/30ignition/ignition-fetch.service new file mode 100644 index 0000000..8adf32b --- /dev/null +++ b/dracut/30ignition/ignition-fetch.service @@ -0,0 +1,38 @@ +[Unit] +Description=Ignition (fetch) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +DefaultDependencies=false +Before=ignition-complete.target +# Flatcar: +#After=basic.target +ConditionPathExists=/run/ignition/neednet +# Don't run if the `fetch-offline` stage successfully fetched a config +ConditionPathExists=!/run/ignition.json + +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +# We run after the setup stage has run because it may copy in new/different +# ignition configs for us to consume. +After=ignition-fetch-offline.service +Before=ignition-disks.service + +OnFailure=emergency.target +OnFailureJobMode=isolate + +# If we run, we definitely need network, so make sure we run after. +After=network.target +# Flatcar: +Wants=systemd-networkd.service +After=systemd-networkd.service +Wants=systemd-resolved.service +After=systemd-resolved.service +Requires=local-fs-pre.target +Before=local-fs-pre.target +Requires=ignition-setup.service +After=ignition-setup.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=/run/ignition.env +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=fetch diff --git a/dracut/30ignition/ignition-files.service b/dracut/30ignition/ignition-files.service index 30b8615..b551107 100644 --- a/dracut/30ignition/ignition-files.service +++ b/dracut/30ignition/ignition-files.service @@ -1,30 +1,30 @@ [Unit] Description=Ignition (files) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release DefaultDependencies=false -Before=initrd-parse-etc.service +Before=ignition-complete.target +# Flatcar: Requires=initrd-root-fs.target After=initrd-root-fs.target - Requires=ignition-setup.service ignition-disks.service After=ignition-setup.service ignition-disks.service - # setup the root filesystem before we try do things like create users on it. Requires=initrd-setup-root.service After=initrd-setup-root.service -# setup networking -Wants=systemd-networkd.service -After=systemd-networkd.service - -# generate resolv.conf -Wants=systemd-resolved.service -After=systemd-resolved.service - OnFailure=emergency.target OnFailureJobMode=isolate +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +After=ignition-mount.service + +# Run before initrd-parse-etc so that we can drop files it then picks up. +Before=initrd-parse-etc.service + [Service] Type=oneshot +RemainAfterExit=yes EnvironmentFile=/run/ignition.env -ExecStart=/usr/bin/ignition --root=/sysroot --oem=${OEM_ID} --stage=files +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=files --log-to-stdout diff --git a/dracut/30ignition/ignition-generator b/dracut/30ignition/ignition-generator index d9cce14..9f676a6 100755 --- a/dracut/30ignition/ignition-generator +++ b/dracut/30ignition/ignition-generator @@ -4,6 +4,10 @@ set -e +# Generators don't have logging right now +# https://github.com/systemd/systemd/issues/15638 +exec 1>/dev/kmsg; exec 2>&1 + UNIT_DIR="${1:-/tmp}" cmdline=( $( ${UNIT_DIR}/ignition-setup.service < /run/ignition.env +# Ignition changed the platform name to "aws" +if [ "${oem_cmdline}" = "ec2" ]; then + oem_cmdline="aws" +fi + +{ echo "OEM_ID=${oem_cmdline}" ; echo "PLATFORM_ID=${oem_cmdline}" ; } > /run/ignition.env diff --git a/dracut/30ignition/ignition-kargs-helper b/dracut/30ignition/ignition-kargs-helper new file mode 100644 index 0000000..6907ad1 --- /dev/null +++ b/dracut/30ignition/ignition-kargs-helper @@ -0,0 +1,70 @@ +#!/bin/bash + +# Based on https://github.com/coreos/ignition/blob/02c1c638b51f5694d1d1d8305c09ff6dc3e4fa0e/examples/ignition-kargs-helper + +set -euxo pipefail + +# Handle PXE boots gracefully by not mounting any disk and instead error out early +if [ "${OEM_ID}" = "pxe" ]; then + echo "error: can't set kargs for PXE boots" >&2 + exit 1 +fi + +# Mount the OEM partition. Note that we mount but we don't unmount it because we +# are run in a systemd unit with MountFlags=slave so it is unmounted for us. +oemmnt=/mnt/oem_partition +mkdir -p ${oemmnt} +oemdev=/dev/disk/by-label/OEM +mount -o rw ${oemdev} ${oemmnt} +grubcfg="${oemmnt}/grub.cfg" + +# We do not handle all cases of conditional setup of linux_append or linux_console because we will not emulate the GRUB scripting logic. +# Therefore, we only support the special lines 'set linux_append="($linux_append) ..."' which must not be starting with whitespace and should not be surrounded by an if-block. +# Any conditional setup before or afterwards or the values of linux_console are not considered. +orig_kernelopts="$(grep -o '^set linux_append="[^"]*' $grubcfg | sed 's,^set linux_append=",,' | sed 's,$linux_append,,' | tr '\n' ' ' | sed -e 's,^[[:space:]]*,,' -e 's,[[:space:]]*$,,')" +# add leading and trailing whitespace to allow for easy sed replacements +kernelopts=" $orig_kernelopts " + +while [[ $# -gt 0 ]] +do + key="$1" + + case $key in + --should-exist) + arg="$2" + # don't repeat the arg + if [[ ! "${kernelopts[*]}" =~ " ${arg} " ]]; then + kernelopts="$kernelopts$arg " + fi + shift 2 + ;; + --should-not-exist) + kernelopts="$(echo "$kernelopts" | sed "s| $2 | |g")" + shift 2 + ;; + *) + echo "Unknown option" + exit 1 + ;; + esac +done + +# trim the leading and trailing whitespace +kernelopts="$(echo "$kernelopts" | sed -e 's,^[[:space:]]*,,' -e 's,[[:space:]]*$,,')" + +# only apply the changes & reboot if changes have been made +if [[ "$kernelopts" != "$orig_kernelopts" ]]; then + # Remove all existing definitions + sed -i 's,^set linux_append=".*",,' $grubcfg + # write out a single one to replace them + echo "set linux_append=\"\$linux_append $kernelopts\"" >> $grubcfg + + # set the first-boot flag file to make sure Ignition runs again on the next boot (e.g., when a manual first boot was forced in the GRUB menu) + bootmnt=/mnt/boot_partition + mkdir -p ${bootmnt} + bootdev=/dev/disk/by-label/EFI-SYSTEM + mount -o rw ${bootdev} ${bootmnt} + touch "${bootmnt}/flatcar/first_boot" + + systemctl reboot --force +fi diff --git a/dracut/30ignition/ignition-kargs.service b/dracut/30ignition/ignition-kargs.service new file mode 100644 index 0000000..fb15ec4 --- /dev/null +++ b/dracut/30ignition/ignition-kargs.service @@ -0,0 +1,27 @@ +[Unit] +Description=Ignition (kargs) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +DefaultDependencies=false +Before=ignition-complete.target + +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +After=ignition-fetch.service +Before=ignition-disks.service +# Flatcar: +Requires=local-fs-pre.target +Before=local-fs-pre.target +Requires=ignition-setup.service +After=ignition-setup.service + +OnFailure=emergency.target +OnFailureJobMode=isolate + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=/run/ignition.env +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=kargs +# MountFlags=slave is so the umount of /boot is guaranteed to happen. +# /boot will only be mounted for the lifetime of the unit. +MountFlags=slave diff --git a/dracut/30ignition/ignition-luks.conf b/dracut/30ignition/ignition-luks.conf new file mode 100644 index 0000000..fa17ea1 --- /dev/null +++ b/dracut/30ignition/ignition-luks.conf @@ -0,0 +1,3 @@ +# We don't ship cracklib dicts in the initramfs, so don't check +# generated clevis keys against them +dictcheck = 0 diff --git a/dracut/30ignition/ignition-mount.service b/dracut/30ignition/ignition-mount.service new file mode 100644 index 0000000..e26858c --- /dev/null +++ b/dracut/30ignition/ignition-mount.service @@ -0,0 +1,39 @@ +[Unit] +Description=Ignition (mount) +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +DefaultDependencies=false +Before=ignition-complete.target + +# Stage order: fetch-offline [-> fetch] [-> kargs] -> disks -> mount -> files. +# We need to make sure the partitions and filesystems are set up before +# mounting. This is also guaranteed through After=initrd-root-fs.target but +# just to be explicit. +After=ignition-disks.service +Before=ignition-files.service + +# Make sure ExecStop= runs before we switch root +Before=initrd-switch-root.target + +OnFailure=emergency.target +OnFailureJobMode=isolate + +# Make sure the final /sysroot is ready first, since we're mounting under there +Requires=initrd-root-fs.target +After=initrd-root-fs.target + +# Make sure root filesystem is remounted read-write if needed +After=ignition-remount-sysroot.service + +# Flatcar: +Requires=initrd-setup-root.service +After=Requires=initrd-setup-root.service +Requires=ignition-setup.service +After=ignition-setup.service + +[Service] +Type=oneshot +RemainAfterExit=yes +EnvironmentFile=/run/ignition.env +ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=mount --log-to-stdout +ExecStop=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=umount --log-to-stdout diff --git a/dracut/30ignition/ignition-remount-sysroot.service b/dracut/30ignition/ignition-remount-sysroot.service new file mode 100644 index 0000000..f004d20 --- /dev/null +++ b/dracut/30ignition/ignition-remount-sysroot.service @@ -0,0 +1,20 @@ +[Unit] +Description=Remount /sysroot read-write for Ignition +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +# Some Linux Distributions don't pass a rw option on the kernel +# commandline and thus mount the root filesystem ro by default. In +# this case, remount /sysroot to rw (issue #37) +DefaultDependencies=no +Before=ignition-diskful.target + +OnFailure=emergency.target +OnFailureJobMode=isolate + +After=sysroot.mount +ConditionPathIsReadWrite=!/sysroot + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/bin/mount -o remount,rw /sysroot diff --git a/dracut/30ignition/ignition-subsequent.target b/dracut/30ignition/ignition-subsequent.target new file mode 100644 index 0000000..95ae838 --- /dev/null +++ b/dracut/30ignition/ignition-subsequent.target @@ -0,0 +1,12 @@ +# This target is queued to run when Ignition will *not* run. +# It's intended right now for mounting sysroot, which happens in a quite +# different order on the Ignition boot versus "subsequent" boots. +[Unit] +Description=Subsequent (Not Ignition) boot complete +Documentation=https://github.com/coreos/ignition +ConditionPathExists=/etc/initrd-release +Before=initrd.target + +# Make sure we stop all the units before switching root +Conflicts=initrd-switch-root.target umount.target +Conflicts=dracut-emergency.service emergency.service emergency.target diff --git a/dracut/30ignition/module-setup.sh b/dracut/30ignition/module-setup.sh index 289b6b4..ee5c846 100755 --- a/dracut/30ignition/module-setup.sh +++ b/dracut/30ignition/module-setup.sh @@ -3,64 +3,127 @@ # ex: ts=8 sw=4 sts=4 et filetype=sh depends() { + # Flatcar: do not depend on "url-lib network" echo qemu systemd } +install_ignition_unit() { + local unit="$1"; shift + local target="${1:-ignition-complete.target}"; shift + local instantiated="${1:-$unit}"; shift + inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit" + mkdir -p "$initdir/$systemdsystemunitdir/$target.requires" + ln_r "../$unit" "$systemdsystemunitdir/$target.requires/$instantiated" +} + install() { + # Flatcar: add coreos-metadata, systemd-detect-virt, mountpoint, nvme inst_multiple \ - ignition \ coreos-metadata \ - useradd \ - usermod \ + basename \ + lsblk + + # Not all features of the configuration may be available on all systems + # (e.g. on embedded systems), so only add applications which are actually + # present + inst_multiple -o \ groupadd \ + groupdel \ systemd-detect-virt \ mountpoint \ mkfs.btrfs \ mkfs.ext4 \ + mkfs.fat \ mkfs.xfs \ - mkfs.vfat \ mkswap \ nvme \ + sgdisk \ + useradd \ + userdel \ + usermod \ wipefs + # Flatcar: add cloud_aws_ebs_nvme_id inst_script "$udevdir/cloud_aws_ebs_nvme_id" \ "/usr/lib/udev/cloud_aws_ebs_nvme_id" + # Needed for clevis binding; note all binaries related to unlocking are + # included by the Clevis dracut modules. + inst_multiple -o \ + clevis-encrypt-sss \ + clevis-encrypt-tang \ + clevis-encrypt-tpm2 \ + clevis-luks-bind \ + clevis-luks-common-functions \ + clevis-luks-unlock \ + pwmake \ + tpm2_create + + # Required by s390x's z/VM installation. + # Supporting https://github.com/coreos/ignition/pull/865 + inst_multiple -o chccwdev vmur + + # Required on system using SELinux + inst_multiple -o setfiles + + inst_script "$moddir/ignition-kargs-helper" \ + "/usr/sbin/ignition-kargs-helper" + + # Flatcar: add ignition-setup inst_script "$moddir/ignition-setup.sh" \ "/usr/sbin/ignition-setup" + # Flatcar: use from path + inst_multiple "ignition" + + # Rule to allow udev to discover unformatted encrypted devices + inst_simple "$moddir/99-xx-ignition-systemd-cryptsetup.rules" \ + "/usr/lib/udev/rules.d/99-xx-ignition-systemd-cryptsetup.rules" + + # disable dictcheck + inst_simple "$moddir/ignition-luks.conf" \ + "/etc/security/pwquality.conf.d/ignition-luks.conf" + + # Flatcar: add retry-umount inst_script "$moddir/retry-umount.sh" \ "/usr/sbin/retry-umount" inst_simple "$moddir/ignition-generator" \ "$systemdutildir/system-generators/ignition-generator" - inst_simple "$moddir/ignition-disks.service" \ - "$systemdsystemunitdir/ignition-disks.service" - - inst_simple "$moddir/ignition-files.service" \ - "$systemdsystemunitdir/ignition-files.service" + for x in "complete" "subsequent" "diskful" "diskful-subsequent"; do + inst_simple "$moddir/ignition-$x.target" \ + "$systemdsystemunitdir/ignition-$x.target" + done + # Flatcar: add ignition-quench.service, sysroot-boot.service, + # flatcar-digitalocean-network.service, flatcar-static-network.service, + # flatcar-metadata-hostname.service, flatcar-openstack-hostname.service inst_simple "$moddir/ignition-quench.service" \ "$systemdsystemunitdir/ignition-quench.service" - inst_simple "$moddir/sysroot-boot.service" \ "$systemdsystemunitdir/sysroot-boot.service" - inst_simple "$moddir/flatcar-digitalocean-network.service" \ "$systemdsystemunitdir/flatcar-digitalocean-network.service" - inst_simple "$moddir/flatcar-static-network.service" \ "$systemdsystemunitdir/flatcar-static-network.service" - inst_simple "$moddir/flatcar-metadata-hostname.service" \ "$systemdsystemunitdir/flatcar-metadata-hostname.service" - inst_simple "$moddir/flatcar-openstack-hostname.service" \ "$systemdsystemunitdir/flatcar-openstack-hostname.service" - inst_rules \ - 60-cdrom_id.rules \ - 66-azure-storage.rules \ - 90-cloud-storage.rules + install_ignition_unit ignition-fetch.service + install_ignition_unit ignition-fetch-offline.service + install_ignition_unit ignition-kargs.service + install_ignition_unit ignition-disks.service + install_ignition_unit ignition-mount.service + install_ignition_unit ignition-files.service + + # units only started when we have a boot disk + # path generated by systemd-escape --path /dev/disk/by-label/root + install_ignition_unit ignition-remount-sysroot.service ignition-diskful.target + + # needed for openstack config drive support + # Flatcar: add 66-azure-storage.rules and 90-cloud-storage.rules + inst_rules 60-cdrom_id.rules 66-azure-storage.rules 90-cloud-storage.rules }