coreos · cgwalters · Nov 6, 2023 · Oct 30, 2023 · Oct 30, 2023 · Oct 30, 2023
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -13,6 +13,7 @@ set -e
 exec 1>/dev/kmsg; exec 2>&1
 
 UNIT_DIR="${1:-/tmp}"
+EARLY_DIR="${2:-/tmp}"
 
 IFS=" " read -r -a cmdline <<< "$(</proc/cmdline)"
 cmdline_arg() {
@@ -84,17 +85,37 @@ if ! $(cmdline_bool 'ignition.firstboot' 0); then
     exit 0
 fi
 
-# coreos-ignition-setup-user.service should depend on the boot device node
-# only on diskful boots
+# coreos-ignition-setup-user.service and `coreos-copy-firstboot-network.service`
+# should depend on the boot device node only on diskful boots
 mkdir -p "${UNIT_DIR}/coreos-ignition-setup-user.service.d"
+mkdir -p "${UNIT_DIR}/coreos-copy-firstboot-network.service.d"
 cat > "${UNIT_DIR}/coreos-ignition-setup-user.service.d/diskful.conf" <<EOF
 [Unit]
 Requires=dev-disk-by\x2dlabel-boot.device
 After=dev-disk-by\x2dlabel-boot.device
-
-Requires=coreos-gpt-setup.service
-After=coreos-gpt-setup.service
 EOF
+cp "${UNIT_DIR}/coreos-ignition-setup-user.service.d/diskful.conf" \
+    "${UNIT_DIR}/coreos-copy-firstboot-network.service.d/diskful.conf"
+
+# If booting from iSCSI, then we need networking first before we
+# can see the bootfs. This has some implications.
+if test -n "$(cmdline_arg rd.iscsi.firmware)" || test -n "$(cmdline_arg netroot)"; then
+    mkdir -p "${EARLY_DIR}/ignition-complete.target.requires"
+
+    # In the injected Ignition config case, `coreos-ignition-setup-user.service`
+    # can't "pass" the config to `ignition-fetch-offline.service`. So we neuter
+    # the latter so that `ignition-fetch.service` (which runs after networking
+    # comes up) can pick it up instead.
+    ln -sf /dev/null "${EARLY_DIR}/ignition-complete.target.requires/ignition-fetch-offline.service"
+    # activate ignition-fetch.service
+    mkdir -p /run/ignition
+    touch /run/ignition/neednet
+
+    # With iSCSI, configuring networking via kargs is a hard requirement
+    # since it can't be picked up from the bootfs (i.e. injected via
+    # `--copy-network`). So neuter `coreos-copy-firstboot-network.service`.
+    ln -sf /dev/null "${EARLY_DIR}/ignition-complete.target.requires/coreos-copy-firstboot-network.service"
+fi
 
 # create symlink for udev rule
 mkdir -p /run/udev/rules.d/

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-gpt-setup.service
@@ -1,31 +1,25 @@
 [Unit]
 Description=Generate New UUID For Boot Disk GPT
 ConditionPathExists=/etc/initrd-release
-DefaultDependencies=no
-Before=local-fs-pre.target systemd-fsck-root.service
+Before=systemd-fsck-root.service
 Before=ignition-diskful.target
-Wants=systemd-udevd.service
-After=systemd-udevd.service
 
-# This unit must be the first to run when the disk holding the root partition
-# becomes available. To avoid relying on the name of the root partition which
-# is different between RHCOS LUKS setup and current FCOS setup, we wait for the
-# partition labeled 'boot' to become available. This is reliable as we don't
-# have any plan to support re-provisioning/re-writing the /boot partition,
-#
-# This is the only unit where it is safe to wait only on a specific disk label
-# as this will call udevadm settle after the GPT setup. Units that requires the
-# boot and root partitions to be available should order themselves after this
-# unit.
+# Have some ordering with this service since it also wants to access the bootfs.
+# We run after it since that service runs early and is skipped if we're on
+# iSCSI, but we still run.
+After=coreos-copy-firstboot-network.service
+
 Requires=dev-disk-by\x2dlabel-boot.device
 After=dev-disk-by\x2dlabel-boot.device
+
 # And since the boot device may be on multipath; optionally wait for it to
 # appear via the dynamic target.
-After=coreos-multipath-wait.target
+After=coreos-unique-boot.service
+Before=ignition-ostree-uuid-boot.service
 
 # Run before services that use device nodes, preventing them from racing
 # with udev activity generated by sgdisk
-Before=coreos-ignition-setup-user.service ignition-disks.service
+Before=ignition-kargs.service
 
 OnFailure=emergency.target
 OnFailureJobMode=isolate

diff --git a/...ay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.service b/...ay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.service
@@ -4,15 +4,17 @@ Documentation=https://github.com/coreos/ignition
 ConditionPathExists=/etc/initrd-release
 DefaultDependencies=false
 
-# We run before config fetch because we may copy in new/different configs
-# for Ignition to consume.
-Before=ignition-fetch-offline.service
+# We run before config fetch because we may copy in new/different
+# configs for Ignition to consume. We include both fetch stages since
+# ignition-fetch-offline.service is neutered in a root on iSCSI boot (see
+# `coreos-diskful-generator`).
+Before=ignition-fetch-offline.service ignition-fetch.service
 
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
 # On diskful boots, coreos-diskful-generator adds Requires/After on
-# dev-disk-by\x2dlabel-boot.device and coreos-gpt-setup.service
+# dev-disk-by\x2dlabel-boot.device
 
 [Service]
 Type=oneshot

diff --git a/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -7,8 +7,8 @@ DefaultDependencies=false
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# Run after virtio_blk and before Ignition
-After=coreos-gpt-setup.service
+# Run after udevd and before Ignition
+After=systemd-udevd.service
 Before=ignition-fetch-offline.service
 
 [Service]

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-teardown-initramfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-teardown-initramfs.sh
@@ -229,13 +229,22 @@ main() {
     # Load libraries from dracut
     load_dracut_libs
 
-    # Take down all interfaces set up in the initramfs
-    down_interfaces
+    # If we're using iSCSI, then we can't tear down networking since we'll lose
+    # root. This means in that case that the network config written to the real
+    # root won't be applied "from scratch". But anyway, since networking must
+    # stay on, it's simply not supported to configure the real root in a way
+    # that would require tearing down the connection on the interface involved.
+    if dracut_func getargbool 0 rd.iscsi.firmware || dracut_func getarg netroot; then
+        echo "info: iSCSI in use; not tearing down networking"
+    else
+        # Take down all interfaces set up in the initramfs
+        down_interfaces
 
-    # Clean up all routing
-    echo "info: flushing all routing"
-    ip route flush table main
-    ip route flush cache
+        # Clean up all routing
+        echo "info: flushing all routing"
+        ip route flush table main
+        ip route flush cache
+    fi
 
     # Hopefully our logic is sound enough that this is never needed, but
     # user's can explicitly disable initramfs network/hostname propagation

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/coreos-multipath-wait.target b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-multipath/coreos-multipath-wait.target
@@ -11,8 +11,8 @@ After=multipathd.service
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# This is already enforced transitively by coreos-gpt-setup.service, but
-# let's be more explicit and list it directly here too.
+# This is one of the earliest services that accesses the bootfs so make sure we
+# already have our multipath target.
 Before=coreos-ignition-setup-user.service
 
 # This is already enforced by coreos-multipath-trigger.service, though ideally

diff --git a/....d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-copy-firstboot-network.service b/....d/05core/usr/lib/dracut/modules.d/35coreos-network/coreos-copy-firstboot-network.service
@@ -11,7 +11,7 @@
 # - In the diskful case, we need to look for networking configuration on the
 #   /boot partition
 #     - i.e. after /dev/disk/by-label/boot is available
-#     - which is implied by running after coreos-gpt-setup (see below)
+#     - which is injected via coreos-diskful-generator
 # - Need to run before networking is brought up.
 #     - This is done in nm-initrd.service [1]
 #     - i.e. Before=nm-initrd.service
@@ -41,9 +41,6 @@ Before=nm-initrd.service
 # compat: remove when everyone is on dracut 054+
 Before=dracut-initqueue.service
 After=dracut-cmdline.service
-# Any services looking at mounts need to order after this
-# because it causes device re-probing.
-After=coreos-gpt-setup.service
 # And since the boot device may be on multipath; optionally wait for it to
 # appear via the dynamic target.
 After=coreos-multipath-wait.target

diff --git a/...lay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service b/...lay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-uuid-boot.service
@@ -1,16 +1,13 @@
 [Unit]
 Description=Ignition OSTree: Regenerate Filesystem UUID (boot)
-DefaultDependencies=false
 ConditionPathExists=/usr/lib/initrd-release
 ConditionKernelCommandLine=ostree
 ConditionPathExists=!/run/ostree-live
-# We run pretty early
-Before=coreos-copy-firstboot-network.service
-Before=coreos-ignition-setup-user.service
-Before=ignition-fetch-offline.service
 # Any services looking at mounts need to order after this
 # because it causes device re-probing.
 After=coreos-gpt-setup.service
+Before=ignition-disks.service
+
 # If we're going to reprovision the bootfs, then there's no need to restamp
 ConditionKernelCommandLine=!bootfs.roothash