coreos · ajeddeloh · Mar 26, 2019 · Mar 20, 2019 · Mar 21, 2019 · Mar 26, 2019
diff --git a/dracut/30ignition/coreos-mount-var.service b/dracut/30ignition/coreos-mount-var.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Mount OSTree /var
+DefaultDependencies=false
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Make sure /sysroot is mounted first, since we're mounting under there
+Requires=initrd-root-fs.target
+After=initrd-root-fs.target
+
+# Need to do this before Ignition mounts any other filesystems (potentially
+# shadowing our own bind mount).
+Before=ignition-mount.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-mount-var mount
+ExecStop=/usr/sbin/coreos-mount-var umount
diff --git a/dracut/30ignition/coreos-mount-var.sh b/dracut/30ignition/coreos-mount-var.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+set -euo pipefail
+
+fatal() {
+    echo "$@" >&2
+    exit 1
+}
+
+if [ $# -ne 1 ] || { [[ $1 != mount ]] && [[ $1 != umount ]]; }; then
+    fatal "Usage: $0 <mount|umount>"
+fi
+
+get_ostree_arg() {
+    # yes, this doesn't account for spaces within args, e.g. myarg="my val", but
+    # it still works for our purposes
+    (
+    IFS=$' '
+    # shellcheck disable=SC2013
+    for arg in $(cat /proc/cmdline); do
+        if [[ $arg == ostree=* ]]; then
+            echo "${arg#ostree=}"
+        fi
+    done
+    )
+}
+
+do_mount() {
+    ostree=$(get_ostree_arg)
+    if [ -z "${ostree}" ]; then
+        fatal "No ostree= kernel argument in /proc/cmdline"
+    fi
+
+    deployment_path=/sysroot/${ostree}
+    if [ ! -L "${deployment_path}" ]; then
+        fatal "${deployment_path} is not a symlink"
+    fi
+
+    stateroot_var_path=$(realpath "${deployment_path}/../../var")
+    if [ ! -d "${stateroot_var_path}" ]; then
+        fatal "${stateroot_var_path} is not a directory"
+    fi
+
+    echo "Mounting $stateroot_var_path"
+    mount --bind "$stateroot_var_path" /sysroot/var
+}
+
+do_umount() {
+    echo "Unmounting /sysroot/var"
+    umount /sysroot/var
+}
+
+"do_$1"
diff --git a/dracut/30ignition/coreos-populate-var.service b/dracut/30ignition/coreos-populate-var.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Populate OSTree /var
+DefaultDependencies=false
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Need to do this with all mount points active
+After=ignition-mount.service
+
+# But *before* we start dumping files in there
+Before=ignition-files.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/coreos-populate-var
diff --git a/dracut/30ignition/coreos-populate-var.sh b/dracut/30ignition/coreos-populate-var.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+fatal() {
+    echo "$@" >&2
+    exit 1
+}
+
+if [ $# -ne 0 ]; then
+    fatal "Usage: $0"
+fi
+
+# See the similar code block in Anaconda, which handles this today for Atomic
+# Host and Silverblue:
+# https://github.com/rhinstaller/anaconda/blob/b9ea8ce4e68196b30a524c1cc5680dcdc4b89371/pyanaconda/payload/rpmostreepayload.py#L332
+
+# Simply manually mkdir /var/lib; the tmpfiles.d entries otherwise reference
+# users/groups which we don't have access to from here (though... we *could*
+# import them from the sysroot, and have nss-altfiles in the initrd, but meh...
+# let's just wait for systemd-sysusers which will make this way easier:
+# https://github.com/coreos/fedora-coreos-config/pull/56/files#r262592361).
+mkdir -p /sysroot/var/lib
+
+systemd-tmpfiles --create --boot --root=/sysroot \
+    --prefix=/var/home \
+    --prefix=/var/roothome \
+    --prefix=/var/opt \
+    --prefix=/var/srv \
+    --prefix=/var/usrlocal \
+    --prefix=/var/mnt \
+    --prefix=/var/media
+
+# Ask for /var to be relabeled.
+# See also: https://github.com/coreos/ignition/issues/635.
+mkdir -p /run/tmpfiles.d
+echo "Z /var - - -" > /run/tmpfiles.d/var-relabel.conf
+
+# XXX: https://github.com/systemd/systemd/pull/11903
+for unit in systemd-{journal-catalog-update,random-seed}.service; do
+    mkdir -p /run/systemd/system/${unit}.d
+    cat > /run/systemd/system/${unit}.d/after-tmpfiles.conf <<EOF
+[Unit]
+After=systemd-tmpfiles-setup.service
+EOF
+done
diff --git a/dracut/30ignition/ignition-ask-var-mount.service b/dracut/30ignition/ignition-ask-var-mount.service
diff --git a/dracut/30ignition/ignition-complete.target b/dracut/30ignition/ignition-complete.target
@@ -5,11 +5,9 @@
 # initrd.
 [Unit]
 Description=Ignition Complete
+OnFailure=emergency.target
+OnFailureJobMode=isolate
 
 # Make sure we stop all the units before switching root
 Conflicts=initrd-switch-root.target umount.target
 Conflicts=dracut-emergency.service emergency.service emergency.target
-
-# This ensures that we fail the boot if the stopping units fails
-OnFailure=emergency.target
-OnFailureJobMode=isolate
diff --git a/dracut/30ignition/ignition-disks.service b/dracut/30ignition/ignition-disks.service
@@ -2,6 +2,8 @@
 Description=Ignition (disks)
 DefaultDependencies=false
 Before=ignition-complete.target
+OnFailure=emergency.target
+OnFailureJobMode=isolate
 
 # This stage runs between `basic.target` and `initrd-root-fs.target`,
 # see https://www.freedesktop.org/software/systemd/man/bootup.html

diff --git a/dracut/30ignition/ignition-files.service b/dracut/30ignition/ignition-files.service
@@ -2,28 +2,16 @@
 Description=Ignition (files)
 DefaultDependencies=false
 Before=ignition-complete.target
+OnFailure=emergency.target
+OnFailureJobMode=isolate
 
-# Ignition files stage starts after /sysroot is mounted.
-Requires=initrd-root-fs.target
-After=initrd-root-fs.target
-
-# Run after ignition-setup has run because ignition-setup
-# may copy in new/different ignition configs for us to consume.
-After=ignition-setup.service
-
-# Make sure root filesystem is mounted read-write
-After=ignition-remount-sysroot.service
+# We need all the filesystems already mounted.
+Requires=ignition-mount.service
+After=ignition-mount.service
 
 # Run before initrd-parse-etc so that we can drop files it then picks up.
 Before=initrd-parse-etc.service
 
-# Network may be required to fetch userdata content.
-After=network.target
-
-# This is guaranteed through After=initrd-root-fs.target but just to
-# be explicit we'll add an After=ignition-disks.service here.
-After=ignition-disks.service
-
 [Service]
 Type=oneshot
 EnvironmentFile=/run/ignition.env

diff --git a/dracut/30ignition/ignition-mount.service b/dracut/30ignition/ignition-mount.service
@@ -0,0 +1,23 @@
+[Unit]
+Description=Ignition (mount)
+DefaultDependencies=false
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+# Make sure the final /sysroot is ready first, since we're mounting under there
+Requires=initrd-root-fs.target
+After=initrd-root-fs.target
+
+# Make sure root filesystem is remounted read-write if needed
+After=ignition-remount-sysroot.service
+
+# This is guaranteed through After=initrd-root-fs.target but just to
+# be explicit.
+After=ignition-disks.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=/run/ignition.env
+ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=mount --log-to-stdout
+ExecStop=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=umount --log-to-stdout
diff --git a/dracut/30ignition/ignition-remount-sysroot.service b/dracut/30ignition/ignition-remount-sysroot.service
@@ -7,6 +7,8 @@ DefaultDependencies=no
 After=sysroot.mount
 Before=ignition-complete.target
 ConditionPathIsReadWrite=!/sysroot
+OnFailure=emergency.target
+OnFailureJobMode=isolate
 
 [Service]
 Type=oneshot

diff --git a/dracut/30ignition/ignition-setup.service b/dracut/30ignition/ignition-setup.service
@@ -2,6 +2,8 @@
 Description=Ignition (setup)
 DefaultDependencies=false
 Before=ignition-complete.target
+OnFailure=emergency.target
+OnFailureJobMode=isolate
 
 Requires=local-fs-pre.target
 Before=local-fs-pre.target

diff --git a/dracut/30ignition/ignition-setup.sh b/dracut/30ignition/ignition-setup.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
-set -eu
+set -euo pipefail
 
 copy_file_if_exists() {
     src="${1}"; dst="${2}"

diff --git a/dracut/30ignition/module-setup.sh b/dracut/30ignition/module-setup.sh
@@ -26,6 +26,8 @@ install() {
         systemd-detect-virt \
         useradd \
         usermod \
+        realpath \
+        systemd-tmpfiles \
         touch
 
     # This one is optional; https://src.fedoraproject.org/rpms/ignition/pull-request/9
@@ -49,9 +51,17 @@ install() {
 
     install_ignition_unit ignition-setup.service
     install_ignition_unit ignition-disks.service
+    install_ignition_unit ignition-mount.service
     install_ignition_unit ignition-files.service
-    install_ignition_unit ignition-ask-var-mount.service
     install_ignition_unit ignition-remount-sysroot.service
+
+    install_ignition_unit coreos-mount-var.service
+    inst_script "$moddir/coreos-mount-var.sh" \
+        "/usr/sbin/coreos-mount-var"
+
+    install_ignition_unit coreos-populate-var.service
+    inst_script "$moddir/coreos-populate-var.sh" \
+        "/usr/sbin/coreos-populate-var"
 }
 
 has_fw_cfg_module() {