From 9b682d80faa4fe88489a664e9cd01c03bffcd319 Mon Sep 17 00:00:00 2001
From: Kelvin Fan
Date: Wed, 18 Nov 2020 17:30:48 -0500
Subject: [PATCH] 15coreos-network: Add new unit to remove firstboot networking config
We would like to mount `/boot` read-only in the real root, so add a new unit in 15coreos-network to temporarily mount /boot rw and clean up firstboot networking configuration files late in the initramfs. Remove the current 15-coreos-firstboot-network.conf since it would not work once `/boot` is mounted ro. xref https://github.com/coreos/fedora-coreos-config/pull/659
---
 .../coreos-cleanup-firstboot-network.service | 20 +++++++++++++++++++
 .../coreos-cleanup-firstboot-network.sh | 19 ++++++++++++++++++
 .../coreos-copy-firstboot-network.sh | 4 ----
 .../15coreos-network/module-setup.sh | 5 +++++
 4 files changed, 44 insertions(+), 4 deletions(-)
 create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.service
 create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.sh
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.service b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.service
new file mode 100644
index 0000000000..590a9bd3c4
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.service
@@ -0,0 +1,20 @@
+# This unit will run late in the initrd process and clean up firstboot
+# networking config files if the user copied them into the installed
+# system (most likely by using `coreos-installer install --copy-network`).
+# We want to make sure the firstboot networking config files in /boot are
+# cleaned up only after Ignition completed successfully.
+
+[Unit]
+Description=CoreOS Clean Up Firstboot Networking Config
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+After=ignition-files.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/coreos-cleanup-firstboot-network
+RemainAfterExit=no
+# MountFlags=slave is so the umount of /boot is guaranteed to happen.
+# /boot will only be mounted for the lifetime of the unit.
+MountFlags=slave
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.sh b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.sh
new file mode 100755
index 0000000000..c6732122fc
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-cleanup-firstboot-network.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+
+# For a description of how this is used, see coreos-cleanup-firstboot-network.service
+
+bootmnt=/mnt/boot_partition
+bootdev=/dev/disk/by-label/boot
+firstboot_network_dir_basename="coreos-firstboot-network"
+initramfs_firstboot_network_dir="${bootmnt}/${firstboot_network_dir_basename}"
+
+# Mount /boot. Note that we mount /boot but we don't unmount it because we
+# are run in a systemd unit with MountFlags=slave so it is unmounted for us.
+mount -o rw ${bootdev} ${bootmnt}
+
+if [ -n "$(ls -A ${initramfs_firstboot_network_dir} 2>/dev/null)" ]; then
+ rm -r ${initramfs_firstboot_network_dir}
+else
+ echo "info: no firstboot networking config files to clean from /boot. skipping"
+fi
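Review bot: `After=ignition-files.service` in the [Unit] section only orders this unit; it does not make the cleanup conditional on Ignition having run, so on boots where ignition-files.service is skipped (presumably every boot after the first) this unit still starts and remounts the boot partition read-write inside the initrd for nothing. If the Ignition units in this image gate on a first-boot kernel argument, the same condition belongs here, e.g. `ConditionKernelCommandLine=ignition.firstboot` (confirm that this is the argument those units use); otherwise the header comment should say that the every-boot run is intended and harmless. The "cleaned up only after Ignition completed successfully" promise in the header comment also rests on something this file does not show, presumably Ignition's own failure handling isolating to emergency.target before this job is dispatched, so state that assumption in the comment: `# After= gives ordering only; we rely on Ignition's own OnFailure= handling to stop the boot before this unit runs if Ignition failed.`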
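Review bot: `mount -o rw ${bootdev} ${bootmnt}` assumes `/mnt/boot_partition` already exists, but nothing in this script creates it; if the mountpoint is absent the mount fails and, under `set -e`, the unit's OnFailure= drops the boot into emergency.target. Unless the earlier copy script is guaranteed to have created that directory on every boot this unit runs, add `mkdir -p "${bootmnt}"` before the mount. Separately, the `ls -A` test skips an existing-but-empty `coreos-firstboot-network` directory, so a stale empty directory is left behind on /boot; `if [ -d "${initramfs_firstboot_network_dir}" ]; then rm -rf -- "${initramfs_firstboot_network_dir}"` handles both cases, and quoting the expansions (`"${bootdev}"`, `"${bootmnt}"`) keeps the script ShellCheck-clean.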
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
index 072dc7b487..61c486c89c 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/coreos-copy-firstboot-network.sh
@@ -26,10 +26,6 @@ if [ -n "$(ls -A ${initramfs_firstboot_network_dir} 2>/dev/null)" ]; then
 echo "info: copying files from ${initramfs_firstboot_network_dir} to ${initramfs_network_dir}"
 mkdir -p ${initramfs_network_dir}
 cp -v ${initramfs_firstboot_network_dir}/* ${initramfs_network_dir}/
- # If we make it to the realroot (successfully ran ignition) then
- # clean up the files in the firstboot network dir
- echo "R ${realroot_firstboot_network_dir} - - - - -" > \
- /run/tmpfiles.d/15-coreos-firstboot-network.conf
 else
 echo "info: no files to copy from ${initramfs_firstboot_network_dir}. skipping"
 fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/module-setup.sh
index 0f8e6a7c9f..65f14277f0 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-network/module-setup.sh
@@ -24,4 +24,9 @@ install() {
 inst_simple "$moddir/50-afterburn-network-kargs-default.conf" \
 "/usr/lib/systemd/system/afterburn-network-kargs.service.d/50-afterburn-network-kargs-default.conf"
+ inst_simple "$moddir/coreos-cleanup-firstboot-network.sh" \
+ "/usr/sbin/coreos-cleanup-firstboot-network"
+ install_and_enable_unit "coreos-cleanup-firstboot-network.service" \
+ "initrd.target"
+
 }