05core: add support for root on iSCSI #2702
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Rather than having the unit have `After=coreos-gpt-setup.service` as a way to conditionally require the bootfs to be available, have `coreos-diskful-generator` actually inject the requirement dynamically, just like it does already for `coreos-ignition-setup-user.service`. This is prep for moving `coreos-gpt-setup.service`. Part of: coreos/fedora-coreos-tracker#1590
These services need to manipulate the boot disk but if the disk is backed by iSCSI, we need networking first. Move them to run later in the boot process but still before `ignition-disks`. Part of: coreos/fedora-coreos-tracker#1590
In an iSCSI boot, we need networking before we can see the bootfs. So `coreos-ignition-setup-user.service` needs to run after networking. We also can't rely on the `fetch-offline` stage. Tweak things so that in an iSCSI boot (1) we neuter the `fetch-offline` stage, and (2) we still ensure that `coreos-ignition-setup-user.service` runs before the `fetch` stage, which will take care of "consuming" the injected Ignition config. Part of: coreos/fedora-coreos-tracker#1590
In an iSCSI boot, we have no utility for `coreos-copy-firstboot-network.service` since it copies network settings from the bootfs, which will only show up after networking has already come up. Users are required to configure non-default networking via kargs for iSCSI boots. Part of: coreos/fedora-coreos-tracker#1590
During an iSCSI boot, we rely on networking to access the root device. So at no point can networking go down once the rootfs is mounted. This means we have to skip the teardown logic in `coreos-teardown-initramfs` in that case. One way to look at this conceptually is: the goal of this service is to reset everything so that the real root is configured on the first boot like it would be on any other boot (i.e. avoid first boot-specific state carried from the initramfs). Since initramfs networking is required on every boot for iSCSI, it's true on every boot that networking needs to be carried forward across switchroot. So the goal is still met since it's not a first boot-only concern. Part of: coreos/fedora-coreos-tracker#1590
cgwalters
reviewed
Oct 30, 2023
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-teardown-initramfs.sh
Show resolved
Hide resolved
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
Show resolved
Hide resolved
cgwalters
reviewed
Oct 30, 2023
overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
Show resolved
Hide resolved
cgwalters
previously approved these changes
Oct 30, 2023
…explicit The decryption script requires the encrypted Ignition virtio device to be present. Previously, we used `Before=coreos-gpt-setup.service`, which I think ran late enough that the device would always be present by then. But we've now moved that service and `After=systemd-udevd.service` isn't good enough so the service now fails because the device doesn't exist. Fix this by directly listing the requirement on the device in the unit, which is more explicit anyway. And because of systemd's "ConditionPathExists don't turn off Requires" semantic, make the unit dynamically enabled by the diskful generator. As a bonus, we now have one less service in the default initramfs transaction (which actually was getting pulled in on all arches too).
|
Added another commit now to fix a bug with s390x Secure Execution Ignition decryption! |
|
Can I get a restamp on this one? I've tested this pretty heavily now and it's looking good. We've also now effectively cleared f39 GA (we already have our |
cgwalters
approved these changes
Nov 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See individual commit messages. The high-level overview here is that we just shuffle some services around and neuter others as needed so that we get out of the way of the existing iSCSI code in dracut when the right kargs are present (notably,
rd.iscsi.firmwareornetroot).