From 5f6f9d3037a2e11d590693791ba9a5967aa67c6f Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 31 Oct 2023 16:49:36 -0400
Subject: [PATCH] 05core: make coreos-secex-ignition-decrypt.service virtio device dep explicit

The decryption script requires the encrypted Ignition virtio device to be present. Previously, we used `Before=coreos-gpt-setup.service`, which I think ran late enough that the device would always be present by then. But we've now moved that service and `After=systemd-udevd.service` isn't good enough so the service now fails because the device doesn't exist. Fix this by directly listing the requirement on the device in the unit, which is more explicit anyway. And because of systemd's "ConditionPathExists don't turn off Requires" semantic, make the unit dynamically enabled by the diskful generator. As a bonus, we now have one less service in the default initramfs transaction (which actually was getting pulled in on all arches too).
---
 .../modules.d/35coreos-ignition/coreos-diskful-generator | 5 +++++
 .../coreos-secex-ignition-decrypt.service | 7 +++++--
 .../lib/dracut/modules.d/35coreos-ignition/module-setup.sh | 3 ++-
 3 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
index d799354a25..51d61cbc30 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -145,4 +145,9 @@ StandardOutput=null
 StandardError=null
 EOF
 done
+
+ # This one is done dynamically because it hard Requires a device to appear
+ # and if it's always part of the transaction, systemd will want the device
+ # to appear regardless of ConditionPathExists.
+ add_requires coreos-secex-ignition-decrypt.service ignition-diskful.target
 fi
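Review bot: The new `add_requires` line makes the enclosing `if` (whose condition starts outside the hunk) the only thing deciding whether a boot picks up the unit's `Requires=` on `dev-disk-by\x2did-virtio\x2dignition_crypted.device`; on any boot that reaches this branch without that device, the device job would hold up ignition-diskful.target, and the unit's own ConditionPathExists no longer helps, as the commit message itself notes. The comment explains why the enabling is dynamic but not what gates it, so a reader cannot tell from this spot whether non-Secure-Execution diskful boots are excluded. I would extend the comment with the gate, e.g. `# Only reached when <condition of the enclosing if>; on any other boot the device never appears and the Requires= would stall ignition-diskful.target.`, with the placeholder replaced by the actual check.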
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
index c4edac3d58..e52a29348f 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -1,3 +1,5 @@
+# This service is enabled by coreos-diskful-generator
+
 [Unit]
 Description=CoreOS Secex Ignition Config Decryptor
 ConditionPathExists=/etc/initrd-release
@@ -7,8 +9,9 @@ DefaultDependencies=false
 OnFailure=emergency.target
 OnFailureJobMode=isolate
-# Run after udevd and before Ignition
-After=systemd-udevd.service
+# Run after the crypt device becomes available and before Ignition
+Requires=dev-disk-by\x2did-virtio\x2dignition_crypted.device
+After=dev-disk-by\x2did-virtio\x2dignition_crypted.device
 Before=ignition-fetch-offline.service
 [Service]
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
index f78725fdc6..b66a0c2782 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -83,7 +83,8 @@ install() {
 # IBM Secure Execution. Ignition config for reencryption of / and /boot
 inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
- install_ignition_unit "coreos-secex-ignition-decrypt.service"
+ inst_simple "$moddir/coreos-secex-ignition-decrypt.service" \
+ "$systemdsystemunitdir/coreos-secex-ignition-decrypt.service"
 inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
 "/usr/sbin/coreos-secex-ignition-decrypt"
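Review bot: With `Requires=`/`After=` on the device unit, a boot where the device never shows up no longer fails inside the decrypt script but in the device job, which times out after systemd's default device timeout and cancels this service's job as a dependency failure; as far as I can tell that path leaves the service inactive rather than failed, so the `OnFailure=emergency.target` above is probably not reached and the failure surfaces through whatever requires this unit instead. That is a change in failure mode from the removed `After=systemd-udevd.service` and worth recording on the new comment line, e.g. `# Run after the crypt device becomes available and before Ignition. If the device never appears the device job times out and this unit is never started (OnFailure= does not fire), so the generator must only pull it in on Secure Execution boots.` Lines 4-6 of the [Unit] section are outside the hunk, so I cannot see whether any other Condition= still applies.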
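Review bot: The replacement `inst_simple` copies the unit into `$systemdsystemunitdir` without enabling it, which is the intent, but nothing at this call site says so, and a reader comparing it with the other units installed by install() (which starts outside the hunk) will wonder why this one is different. I would add `# Not enabled here: coreos-diskful-generator pulls it into ignition-diskful.target only when the crypt device is expected` above the `inst_simple` line. The unit and script are still placed into every arch's initramfs; if install() has no arch guard elsewhere, that is unchanged from before but could carry a TODO.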