Add Bootstrap Commands

packages/os/bootstrap-commands-tmpfiles.conf

@@ -0,0 +1 @@
+d /etc/bootstrap-commands 0750 root root -

packages/os/bootstrap-commands-toml

@@ -0,0 +1,18 @@
+[required-extensions]
+bootstrap-commands= "v1"
+std = { version = "v1", helpers = ["if_not_null", "toml_encode"]}
++++
+{{#if_not_null settings.bootstrap-commands}}
+{{#each settings.bootstrap-commands}}
+[bootstrap-commands."{{@key}}"]
+{{#if_not_null this.commands}}
+commands = {{ toml_encode this.commands }}
+{{/if_not_null}}
+{{#if_not_null this.mode}}
+mode = "{{{this.mode}}}"
+{{/if_not_null}}
+{{#if_not_null this.essential}}
+essential = {{this.essential}}
+{{/if_not_null}}
+{{/each}}
+{{/if_not_null}}

packages/os/bootstrap-commands.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Bootstrap Commands
+# We depend on systemd-logind.service for running systemd-inhibit.
+After=systemd-logind.service settings-applier.service apiserver.service
+Requires=systemd-logind.service settings-applier.service apiserver.service
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemd-inhibit --what=shutdown --why="Running bootstrap commands" --mode=delay /usr/bin/bootstrap-commands
+RemainAfterExit=true
+StandardError=journal+console
+SyslogIdentifier=bootstrap-commands
+
+[Install]
+RequiredBy=preconfigured.target

packages/os/os.spec

@@ -32,6 +32,7 @@ Source17: corndog-toml
 Source18: bootstrap-containers-toml
 Source19: host-containers-toml
 Source20: bottlerocket-fips-checks-metadata-json
+Source21: bootstrap-commands-toml
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -52,13 +53,15 @@ Source119: reboot-if-required.service
 Source120: warm-pool-wait.service
 Source122: has-boot-ever-succeeded.service
 Source123: pluto.service
+Source124: bootstrap-commands.service
 
 # 2xx sources: tmpfilesd configs
 Source200: migration-tmpfiles.conf
 Source201: host-containers-tmpfiles.conf
 Source202: thar-be-updates-tmpfiles.conf
 Source203: bootstrap-containers-tmpfiles.conf
 Source204: storewolf-tmpfiles.conf
+Source205: bootstrap-commands-tmpfiles.conf
 
 # 3xx sources: udev rules
 Source300: ephemeral-storage.rules
@@ -74,6 +77,7 @@ BuildRequires: %{_cross_os}glibc-devel
 Requires: %{_cross_os}apiclient
 Requires: %{_cross_os}apiserver
 Requires: %{_cross_os}bloodhound
+Requires: %{_cross_os}bootstrap-commands
 Requires: %{_cross_os}corndog
 Requires: %{_cross_os}certdog
 Requires: %{_cross_os}ghostdog
@@ -246,6 +250,11 @@ Requires: %{_cross_os}binutils
 %description -n %{_cross_os}driverdog
 %{summary}.
 
+%package -n %{_cross_os}bootstrap-commands
+Summary: Manages bootstrap-commands
+%description -n %{_cross_os}bootstrap-commands
+%{summary}.
+
 %package -n %{_cross_os}bootstrap-containers
 Summary: Manages bootstrap-containers
 Requires: %{_cross_os}host-ctr
@@ -350,6 +359,7 @@ echo "** Output from non-static builds:"
     -p metricdog \
     -p ghostdog \
     -p corndog \
+    -p bootstrap-commands \
     -p bootstrap-containers \
     -p prairiedog \
     -p certdog \
@@ -385,7 +395,7 @@ for p in \
   storewolf settings-committer \
   migrator prairiedog certdog \
   signpost updog metricdog logdog \
-  ghostdog bootstrap-containers \
+  ghostdog bootstrap-commands bootstrap-containers \
   shimpei bloodhound \
   bottlerocket-cis-checks \
   bottlerocket-fips-checks \
@@ -473,14 +483,14 @@ if [ -s "%{_cross_repo_root_json}" ] ; then
 fi
 
 install -d %{buildroot}%{_cross_templatedir}
-install -p -m 0644 %{S:5} %{S:6} %{S:7} %{S:8} %{S:14} %{S:15} %{S:16} %{S:17} %{S:18} %{S:19} \
+install -p -m 0644 %{S:5} %{S:6} %{S:7} %{S:8} %{S:14} %{S:15} %{S:16} %{S:17} %{S:18} %{S:19} %{S:21} \
   %{buildroot}%{_cross_templatedir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 \
   %{S:100} %{S:102} %{S:103} %{S:105} \
   %{S:106} %{S:107} %{S:110} %{S:111} %{S:112} \
-  %{S:113} %{S:114} %{S:119} %{S:122} %{S:123} \
+  %{S:113} %{S:114} %{S:119} %{S:122} %{S:123} %{S:124} \
   %{buildroot}%{_cross_unitdir}
 
 sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:115} > link-kernel-modules.service
@@ -502,6 +512,7 @@ install -p -m 0644 %{S:201} %{buildroot}%{_cross_tmpfilesdir}/host-containers.co
 install -p -m 0644 %{S:202} %{buildroot}%{_cross_tmpfilesdir}/thar-be-updates.conf
 install -p -m 0644 %{S:203} %{buildroot}%{_cross_tmpfilesdir}/bootstrap-containers.conf
 install -p -m 0644 %{S:204} %{buildroot}%{_cross_tmpfilesdir}/storewolf.conf
+install -p -m 0644 %{S:205} %{buildroot}%{_cross_tmpfilesdir}/bootstrap-commands.conf
 
 install -d %{buildroot}%{_cross_udevrulesdir}
 install -p -m 0644 %{S:300} %{buildroot}%{_cross_udevrulesdir}/80-ephemeral-storage.rules
@@ -640,6 +651,12 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %{_cross_bindir}/certdog
 %{_cross_templatedir}/certdog-toml
 
+%files -n %{_cross_os}bootstrap-commands
+%{_cross_bindir}/bootstrap-commands
+%{_cross_unitdir}/bootstrap-commands.service
+%{_cross_tmpfilesdir}/bootstrap-commands.conf
+%{_cross_templatedir}/bootstrap-commands-toml
+
 %files -n %{_cross_os}bootstrap-containers
 %{_cross_bindir}/bootstrap-containers
 %{_cross_unitdir}/[email protected]

packages/systemd/systemd-logind.conf

@@ -0,0 +1,4 @@
+[Login]
+# Maximum time a system shutdown or sleep request is delayed due to to an inhibitor lock.
+# We set it to 5 minutes to let configurations in bootstrap commands to finish before a restart.
+InhibitDelayMaxSec=300

packages/systemd/systemd.spec

@@ -14,6 +14,7 @@ Source3: journald.conf
 Source4: issue
 Source5: systemd-journald.conf
 Source6: systemd-sysusers.conf
+Source7: systemd-logind.conf
 
 # Backport of upstream patches that make the netlink default timeout
 # configurable.  Bottlerocket carries this patch and configures the timeout in
@@ -302,6 +303,9 @@ install -p -m 0644 %{S:5} %{buildroot}%{_cross_unitdir}/systemd-journald.service
 install -d %{buildroot}%{_cross_unitdir}/systemd-sysusers.service.d
 install -p -m 0644 %{S:6} %{buildroot}%{_cross_unitdir}/systemd-sysusers.service.d/systemd-sysusers.conf
 
+install -d %{buildroot}%{_cross_libdir}/systemd/logind.conf.d/
+install -p -m 0644 %{S:7} %{buildroot}%{_cross_libdir}/systemd/logind.conf.d/systemd-logind.conf
+
 # Remove all stock network configurations, as they can interfere
 # with container networking by attempting to manage veth devices.
 rm -f %{buildroot}%{_cross_libdir}/systemd/network/*

sources/Cargo.toml

@@ -23,6 +23,8 @@ members = [
 
     "bloodhound",
 
+    "bootstrap-commands",
+
     "bottlerocket-release",
 
     "bottlerocket-variant",

sources/api/apiserver/src/server/mod.rs

@@ -557,9 +557,9 @@ async fn deactivate_update() -> Result<HttpResponse> {
 /// Reboots the machine
 async fn reboot() -> Result<HttpResponse> {
     debug!("Rebooting now");
-    let output = Command::new("/sbin/shutdown")
-        .arg("-r")
-        .arg("now")
+    let output = Command::new("/usr/bin/systemctl")
+        .arg("reboot")
+        .arg("--check-inhibitors=yes")
         .output()
         .context(error::ShutdownSnafu)?;
     ensure!(

sources/api/bootstrap-containers/src/main.rs

@@ -87,7 +87,7 @@ use std::path::{Path, PathBuf};
 use std::process::{self, Command};
 use std::str::FromStr;
 
-use bottlerocket_modeled_types::{BootstrapContainerMode, Identifier, Url, ValidBase64};
+use bottlerocket_modeled_types::{BootstrapMode, Identifier, Url, ValidBase64};
 
 const ENV_FILE_DIR: &str = "/etc/bootstrap-containers";
 const DROPIN_FILE_DIR: &str = "/etc/systemd/system";
@@ -101,7 +101,7 @@ struct BootstrapContainer {
     #[serde(default, skip_serializing_if = "Option::is_none")]
     source: Option<Url>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
-    mode: Option<BootstrapContainerMode>,
+    mode: Option<BootstrapMode>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
     user_data: Option<ValidBase64>,
     #[serde(default, skip_serializing_if = "Option::is_none")]
@@ -134,7 +134,7 @@ enum Subcommand {
 #[derive(Debug)]
 struct MarkBootstrapArgs {
     container_id: String,
-    mode: BootstrapContainerMode,
+    mode: BootstrapMode,
 }
 
 /// Print a usage message in the event a bad arg is passed
@@ -251,7 +251,7 @@ fn parse_mark_bootstrap_args(args: Vec<String>) -> Result<Subcommand> {
     Ok(Subcommand::MarkBootstrap(MarkBootstrapArgs {
         container_id,
         // Fail if 'mode' is invalid
-        mode: BootstrapContainerMode::try_from(mode).context(error::BootstrapContainerModeSnafu)?,
+        mode: BootstrapMode::try_from(mode).context(error::BootstrapModeSnafu)?,
     }))
 }
 
@@ -605,9 +605,9 @@ mod error {
             source: base64::DecodeError,
         },
 
-        // `try_from` in `BootstrapContainerMode` already returns a useful error message
+        // `try_from` in `BootstrapMode` already returns a useful error message
         #[snafu(display("Failed to parse mode: {}", source))]
-        BootstrapContainerMode {
+        BootstrapMode {
             source: bottlerocket_modeled_types::error::Error,
         },
 

sources/api/schnauzer/src/helpers/mod.rs

@@ -22,7 +22,7 @@ use url::Url;
 pub mod stdlib;
 
 pub use stdlib::{
-    any_enabled, base64_decode, default, goarch, join_array, join_map, negate_or_else,
+    any_enabled, base64_decode, default, goarch, join_array, join_map, negate_or_else, toml_encode,
     IfNotNullHelper, IsArray, IsBool, IsNull, IsNumber, IsObject, IsString,
 };
 
@@ -282,6 +282,18 @@ mod error {
             rps: handlebars::JsonValue,
             burst: handlebars::JsonValue,
         },
+
+        #[snafu(display(
+            "Unable to encode input '{}' from template '{}' as toml: {}",
+            value,
+            source,
+            template
+        ))]
+        TomlEncode {
+            value: serde_json::Value,
+            source: serde_json::Error,
+            template: String,
+        },
     }
 
     // Handlebars helpers are required to return a RenderError.