WIP: FCOS

Author: travier

examples/.gitignore

@@ -5,6 +5,7 @@ bootc-bls/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
 bootc-bls/extra/usr/bin/bootc
 bootc-bls/extra/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
 bootc-uki/VARS_CUSTOM.secboot.qcow2.template
+bootc-uki/bootc
 bootc-uki/extra-fcos/usr/bin/bootc
 bootc-uki/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup
 bootc-uki/extra/usr/bin/bootc

examples/bootc-uki/build.base-fcos

@@ -1,6 +1,6 @@
 #!/bin/bash
 
 export FROM="quay.io/fedora/fedora-coreos:stable"
-export TAG="$quay.io/fedora/fedora-coreos-base-uki:stable"
+export TAG="quay.io/fedora/fedora-coreos-base-uki:stable"
 export EXTRA="extra-fcos"
 exec ./build.base

examples/bootc-uki/extra-fcos/usr/lib/dracut/dracut.conf.d/37composefs.conf

@@ -0,0 +1,3 @@
+# we need to force these in via the initramfs because we don't have modules in
+# the base image
+force_drivers+=" virtio_net vfat "

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh

@@ -0,0 +1,105 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+check() {
+    if [[ $IN_KDUMP == 1 ]]; then
+        return 1
+    fi
+}
+
+depends() {
+    echo systemd network ignition coreos-live
+}
+
+install_ignition_unit() {
+    local unit="$1"; shift
+    local target="${1:-ignition-complete.target}"; shift
+    local instantiated="${1:-$unit}"; shift
+    inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit"
+    # note we `|| exit 1` here so we error out if e.g. the units are missing
+    # see https://github.com/coreos/fedora-coreos-config/issues/799
+    systemctl -q --root="$initdir" add-requires "$target" "$instantiated" || exit 1
+}
+
+install() {
+    inst_multiple \
+        basename \
+        diff \
+        lsblk \
+        sed \
+        grep \
+        uname
+
+
+    # In some cases we had to vendor gdisk in Ignition.
+    # If this is the case here use that one.
+    # See https://issues.redhat.com/browse/RHEL-56080
+    if [ -f /usr/libexec/ignition-sgdisk ]; then
+        inst /usr/libexec/ignition-sgdisk /usr/sbin/sgdisk
+    else
+        inst sgdisk
+    fi
+
+    # For IBM SecureExecution
+    if [[ $(uname -m) = s390x ]]; then
+        inst_multiple \
+            gpg \
+            gpg-agent
+    fi
+
+    inst_simple "$moddir/coreos-diskful-generator" \
+        "$systemdutildir/system-generators/coreos-diskful-generator"
+
+    inst_script "$moddir/coreos-gpt-setup.sh" \
+        "/usr/sbin/coreos-gpt-setup"
+
+    # This has to work only on diskful systems during firstboot.
+    # coreos-diskful-generator will create a symlink
+    inst_simple "$moddir/80-coreos-boot-disk.rules" \
+        "/usr/lib/coreos/80-coreos-boot-disk.rules"
+
+    inst_script "$moddir/coreos-disk-contains-fs.sh" \
+        "/usr/lib/udev/coreos-disk-contains-fs"
+
+    inst_script "$moddir/coreos-ignition-setup-user.sh" \
+        "/usr/sbin/coreos-ignition-setup-user"
+
+    inst_script "$moddir/coreos-post-ignition-checks.sh" \
+        "/usr/sbin/coreos-post-ignition-checks"
+
+    install_ignition_unit coreos-post-ignition-checks.service
+
+    # For consistency tear down the network and persist multipath between the initramfs and
+    # real root. See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763
+    inst_script "$moddir/coreos-teardown-initramfs.sh" \
+        "/usr/sbin/coreos-teardown-initramfs"
+    install_ignition_unit coreos-teardown-initramfs.service
+
+    # units only started when we have a boot disk
+    # path generated by systemd-escape --path /dev/disk/by-label/root
+    install_ignition_unit coreos-gpt-setup.service ignition-diskful.target
+
+    # dracut inst_script doesn't allow overwrites and we are replacing
+    # the default script placed by Ignition
+    binpath="/usr/sbin/ignition-kargs-helper"
+    cp "$moddir/coreos-kargs.sh" "$initdir$binpath"
+    install_ignition_unit coreos-kargs-reboot.service
+
+    install_ignition_unit coreos-ignition-unique-boot.service ignition-diskful.target
+    install_ignition_unit coreos-unique-boot.service ignition-diskful.target
+    install_ignition_unit coreos-ignition-setup-user.service
+
+    # IBM Secure Execution. Ignition config for reencryption of / and /boot
+    inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
+    inst_simple "$moddir/coreos-secex-ignition-prepare.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-prepare.service"
+    inst_script "$moddir/coreos-secex-ignition-prepare.sh" \
+        "/usr/sbin/coreos-secex-ignition-prepare"
+
+    inst_multiple jq blkid
+    inst_script "$moddir/coreos-rootflags.sh" \
+        "/usr/sbin/coreos-rootflags"
+    # Install unit, but don't enable it. Will be pulled in by diskful generator.
+    inst_simple "$moddir/coreos-rootflags.service" "$systemdsystemunitdir/coreos-rootflags.service"
+}

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/37bootc/bootc-initramfs-setup.service

@@ -0,0 +1,34 @@
+# Copyright (C) 2013 Colin Walters <[email protected]>
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see <https://www.gnu.org/licenses/>.
+
+[Unit]
+DefaultDependencies=no
+ConditionKernelCommandLine=composefs
+ConditionPathExists=/etc/initrd-release
+After=sysroot.mount
+Requires=sysroot.mount
+Before=initrd-root-fs.target
+Before=initrd-switch-root.target
+
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/bootc-initramfs-setup
+StandardInput=null
+StandardOutput=journal
+StandardError=journal+console
+RemainAfterExit=yes

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/37bootc/module-setup.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/bash
+
+check() {
+    return 0
+}
+
+depends() {
+    return 0
+}
+
+install() {
+    inst \
+        "${moddir}/bootc-initramfs-setup" /usr/bin/bootc-initramfs-setup
+    inst \
+        "${moddir}/bootc-initramfs-setup.service" \
+        "${systemdsystemunitdir}/bootc-initramfs-setup.service"
+
+    $SYSTEMCTL -q --root "${initdir}" add-wants \
+        'initrd-root-fs.target' 'bootc-initramfs-setup.service'
+}

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/coreos-check-rootfs-size

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+
+# See also ignition-ostree-check-rootfs-size.service
+# https://github.com/coreos/fedora-coreos-tracker/issues/586#issuecomment-777220000
+
+# /sysroot is the mounted deploy root, /sysroot/sysroot is the physical root filesystem
+srcdev=$(findmnt -nvr -o SOURCE /sysroot/sysroot | tail -n1)
+size=$(lsblk --nodeps --noheadings --bytes -o SIZE "${srcdev}")
+
+MINIMUM_GB=8
+MINIMUM_BYTES=$((1024 * 1024 * 1024 * MINIMUM_GB))
+
+MOTD_DROPIN=/etc/motd.d/60-coreos-rootfs-size.motd
+
+YELLOW=$(echo -e '\033[0;33m')
+RESET=$(echo -e '\033[0m')
+
+if [ "${size}" -lt "${MINIMUM_BYTES}" ]; then
+    mkdir -p "/sysroot/$(dirname "${MOTD_DROPIN}")"
+    cat > "/sysroot/${MOTD_DROPIN}" <<EOF
+${YELLOW}
+############################################################################
+WARNING: The root filesystem is too small. It is strongly recommended to
+allocate at least ${MINIMUM_GB} GiB of space to allow for upgrades. From June 2021, this
+condition will trigger a failure in some cases. For more information, see:
+https://docs.fedoraproject.org/en-US/fedora-coreos/storage/
+
+You may delete this warning using:
+sudo rm ${MOTD_DROPIN}
+############################################################################
+${RESET}
+EOF
+
+    # And also write it on stdout for the journal and console
+    cat "/sysroot/${MOTD_DROPIN}"
+    coreos-relabel "${MOTD_DROPIN}"
+fi

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/coreos-relabel

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+err() {
+    echo "$@" >&2
+}
+
+fatal() {
+    err "$@"
+    exit 1
+}
+
+if [ $# -eq 0 ]; then
+    err "Usage: $0 [PATTERN...]"
+    err " e.g.: $0 /etc/passwd '/etc/group*'"
+fi
+
+if [ ! -f /sysroot/etc/selinux/config ]; then
+    exit 0
+fi
+
+source /sysroot/etc/selinux/config
+
+if [ -z "${SELINUXTYPE:-}" ]; then
+    fatal "Couldn't find SELINUXTYPE in /sysroot/etc/selinux/config"
+fi
+
+file_contexts="/sysroot/etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts"
+
+prefixed_patterns=()
+while [ $# -ne 0 ]; do
+    pattern=$1; shift
+    prefixed_patterns+=("/sysroot/$pattern")
+done
+setfiles -vFi0 -r /sysroot "$file_contexts" "${prefixed_patterns[@]}"

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-check-rootfs-size.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Ignition OSTree: Check Root Filesystem Size
+Documentation=https://docs.fedoraproject.org/en-US/fedora-coreos/storage/
+DefaultDependencies=false
+ConditionKernelCommandLine=composefs
+ConditionPathExists=!/run/ostree-live
+After=ignition-ostree-growfs.service
+After=ostree-prepare-root.service
+Requires=ostree-prepare-root.service
+# Allow Ignition config to blank out the warning
+Before=ignition-files.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-check-rootfs-size
+RemainAfterExit=yes

examples/bootc-uki/extra-fcos/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-firstboot-uuid

@@ -0,0 +1,38 @@
+#!/bin/bash
+set -euo pipefail
+# https://github.com/coreos/fedora-coreos-tracker/issues/465
+# coreos-assembler generates disk images which are installed bit-for-bit
+# or booted directly in the cloud.
+# Generate new UUID on firstboot; this is general best practice, but in the future
+# we may use this for mounting by e.g. adding a boot=<uuid> and root=<uuid> kernel args.
+
+label=$1
+
+# Keep this in sync with https://github.com/coreos/coreos-assembler/blob/e3905fd2e138de04184c1cd86b99b0fd83cbe5cf/src/create_disk.sh#L17
+bootfs_uuid="96d15588-3596-4b3c-adca-a2ff7279ea63"
+rootfs_uuid="910678ff-f77e-4a7d-8d53-86f2ac47a823"
+
+target=/dev/disk/by-label/${label}
+if ! [ -b "${target}" ]; then
+  echo "$0: Failed to find block device ${target}" 1>&2
+  exit 1
+fi
+
+eval $(blkid -p -o export ${target})
+case "${label}" in
+  root) orig_uuid="${rootfs_uuid}"; orig_type=xfs ;;
+  boot) orig_uuid="${bootfs_uuid}"; orig_type=ext4 ;;
+  *) echo "unexpected ${label}"; exit 1 ;;
+esac
+
+if [ "${TYPE}" == "${orig_type}" ] && [ "${UUID}" == "${orig_uuid}" ]; then
+  case "${TYPE}" in
+    ext4) tune2fs -U random "${target}"    ;;
+    xfs) xfs_admin -U generate "${target}" ;;
+    *) echo "unexpected filesystem type ${TYPE}" 1>&2; exit 1 ;;
+  esac
+  udevadm settle || :
+  echo "Regenerated UUID for ${target}"
+else
+  echo "No changes required for ${target} TYPE=${TYPE} UUID=${UUID}"
+fi