├── NOTICE ├── dracut ├── 30ignition │ ├── ignition-luks.conf │ ├── 99-xx-ignition-systemd-cryptsetup.rules │ ├── ignition-setup-base.service │ ├── ignition-diskful-subsequent.target │ ├── ignition-subsequent.target │ ├── ignition-diskful.target │ ├── ignition-setup-base.sh │ ├── ignition-remount-sysroot.service │ ├── ignition-complete.target │ ├── ignition-files.service │ ├── ignition-fetch.service │ ├── ignition-setup-user.service │ ├── coreos-gpt-setup.sh │ ├── ignition-fetch-offline.service │ ├── ignition-setup-user.sh │ ├── ignition-mount.service │ ├── ignition-disks.service │ ├── coreos-gpt-setup.service │ ├── coreos-teardown-initramfs.service │ ├── ignition-generator │ ├── module-setup.sh │ └── coreos-teardown-initramfs.sh ├── 99emergency-timeout │ ├── ignition-virtio-dump-journal.sh │ ├── ignition-virtio-dump-journal.service │ ├── module-setup.sh │ └── timeout.sh └── 99journald-conf │ ├── module-setup.sh │ └── 00-journal-log-forwarding.conf ├── Makefile ├── .cci.jenkinsfile ├── LICENSE ├── systemd └── ignition-firstboot-complete.service ├── README.md ├── DCO └── code-of-conduct.md /NOTICE: -------------------------------------------------------------------------------- 1 | CoreOS Project 2 | Copyright 2018 CoreOS, Inc 3 | 4 | This product includes software developed at CoreOS, Inc. 5 | (http://www.coreos.com/). 
6 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-luks.conf: -------------------------------------------------------------------------------- 1 | # We don't ship cracklib dicts in the initramfs, so don't check 2 | # generated clevis keys against them 3 | dictcheck = 0 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: all 2 | all: 3 | @echo "(No build step)" 4 | 5 | .PHONY: install 6 | install: all 7 | for x in dracut/*; do \ 8 | bn=$$(basename $$x); \ 9 | install -D -t $(DESTDIR)/usr/lib/dracut/modules.d/$${bn} $$x/*; \ 10 | done 11 | install -D -m 644 -t $(DESTDIR)/usr/lib/systemd/system systemd/* 12 | -------------------------------------------------------------------------------- /dracut/99emergency-timeout/ignition-virtio-dump-journal.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | port=/dev/virtio-ports/com.coreos.ignition.journal 5 | if [ -e "${port}" ]; then 6 | journalctl -o json > "${port}" 7 | # And this signals end of stream 8 | echo '{}' > "${port}" 9 | else 10 | echo "Didn't find virtio port ${port}" 11 | fi 12 | -------------------------------------------------------------------------------- /dracut/99journald-conf/module-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | depends() { 6 | echo systemd 7 | } 8 | 9 | install() { 10 | inst_simple "$moddir/00-journal-log-forwarding.conf" \ 11 | "/etc/systemd/journald.conf.d/00-journal-log-forwarding.conf" 12 | } 13 | -------------------------------------------------------------------------------- 
/dracut/99emergency-timeout/ignition-virtio-dump-journal.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (virtio dump) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | ConditionVirtualization=|kvm 7 | ConditionVirtualization=|qemu 8 | After=basic.target 9 | 10 | [Service] 11 | Type=oneshot 12 | RemainAfterExit=yes 13 | EnvironmentFile=/run/ignition.env 14 | ExecStart=/usr/bin/ignition-virtio-dump-journal 15 | 16 | -------------------------------------------------------------------------------- /dracut/30ignition/99-xx-ignition-systemd-cryptsetup.rules: -------------------------------------------------------------------------------- 1 | SUBSYSTEM!="block", GOTO="systemd_cryptsetup_end" 2 | 3 | # This overrides systemd default behavior from 99-systemd.rules, which ignores unformatted crypto devices. 4 | # https://github.com/systemd/systemd/commit/90e6abaea0cfd25093aae1ad862c5c909ae55829 5 | # Ignition relies on unformatted crypto devices being discovered to trigger formatting 6 | SUBSYSTEM=="block", ENV{DM_UUID}=="CRYPT-*", ENV{ID_PART_TABLE_TYPE}=="", ENV{ID_FS_USAGE}=="", ENV{SYSTEMD_READY}="1" 7 | 8 | LABEL="systemd_cryptsetup_end" 9 | -------------------------------------------------------------------------------- /dracut/99journald-conf/00-journal-log-forwarding.conf: -------------------------------------------------------------------------------- 1 | [Journal] 2 | # For now we are using kmsg for multiplexing output to 3 | # multiple console devices during early boot. 4 | # 5 | # We do not want to keep using kmsg, because sensitive Ignition data 6 | # forwarded there can leak to non-root users, who can read the kernel 7 | # ring buffer with `dmesg` unless kernel.dmesg_restrict=1 is set. In the future we will rely on kernel 8 | # console multiplexing (link below) for this and will not use kmsg.
9 | # 10 | # https://github.com/coreos/fedora-coreos-tracker/issues/136 11 | ForwardToKMsg=yes 12 | MaxLevelKMsg=info 13 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-setup-base.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (setup base config) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | 8 | OnFailure=emergency.target 9 | OnFailureJobMode=isolate 10 | 11 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 12 | Before=ignition-fetch-offline.service 13 | 14 | [Service] 15 | Type=oneshot 16 | RemainAfterExit=yes 17 | EnvironmentFile=/run/ignition.env 18 | ExecStart=/usr/sbin/ignition-setup-base 19 | -------------------------------------------------------------------------------- /.cci.jenkinsfile: -------------------------------------------------------------------------------- 1 | // Documentation: https://github.com/coreos/coreos-ci/blob/master/README-upstream-ci.md 2 | 3 | cosaPod(buildroot: true) { 4 | checkout scm 5 | 6 | // we want to test against the latest ignition until they're merged 7 | // https://github.com/coreos/fedora-coreos-tracker/issues/511 8 | 9 | // hack to satisfy golang compiler wanting to cache things 10 | shwrap("mkdir cache") 11 | withEnv(["XDG_CACHE_HOME=${env.WORKSPACE}/cache"]) { 12 | shwrap("git clone https://github.com/coreos/ignition") 13 | fcosBuild(make: true, makeDirs: ["ignition"]) 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-diskful-subsequent.target: -------------------------------------------------------------------------------- 1 | # This target is a combination of ignition-subsequent.target and 2 | # ignition-diskful.target - units here should only run when we 
have a 3 | # boot disk and *aren't* doing the first boot. 4 | [Unit] 5 | Description=Ignition Subsequent Boot Disk Setup 6 | Documentation=https://github.com/coreos/ignition 7 | ConditionPathExists=/etc/initrd-release 8 | Before=ignition-subsequent.target 9 | 10 | # Make sure we stop all the units before switching root 11 | Conflicts=initrd-switch-root.target umount.target 12 | Conflicts=dracut-emergency.service emergency.service emergency.target 13 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-subsequent.target: -------------------------------------------------------------------------------- 1 | # This target is queued to run when Ignition will *not* run. 2 | # It's intended right now for mounting sysroot, which happens in a quite 3 | # different order on the Ignition boot versus "subsequent" boots. 4 | [Unit] 5 | Description=Subsequent (Not Ignition) boot complete 6 | Documentation=https://github.com/coreos/ignition 7 | ConditionPathExists=/etc/initrd-release 8 | Before=initrd.target 9 | 10 | # Make sure we stop all the units before switching root 11 | Conflicts=initrd-switch-root.target umount.target 12 | Conflicts=dracut-emergency.service emergency.service emergency.target 13 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-diskful.target: -------------------------------------------------------------------------------- 1 | # This target contains Ignition units that should only run when we have a 2 | # boot disk, i.e. when we're not running diskless from a live image in RAM. 3 | # Like ignition-complete.target, it only runs on first boot. 
4 | [Unit] 5 | Description=Ignition Boot Disk Setup 6 | Documentation=https://github.com/coreos/ignition 7 | ConditionPathExists=/etc/initrd-release 8 | Before=ignition-complete.target 9 | 10 | # Make sure we stop all the units before switching root 11 | Conflicts=initrd-switch-root.target umount.target 12 | Conflicts=dracut-emergency.service emergency.service emergency.target 13 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-setup-base.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | copy_file_if_exists() { 5 | src="${1}"; dst="${2}" 6 | if [ -f "${src}" ]; then 7 | echo "Copying ${src} to ${dst}" 8 | cp "${src}" "${dst}" 9 | else 10 | echo "File ${src} does not exist.. Skipping copy" 11 | fi 12 | } 13 | 14 | destination=/usr/lib/ignition 15 | mkdir -p $destination 16 | 17 | # We will support grabbing a platform specific base.ign config 18 | # from the initrd at /usr/lib/ignition/platform/${PLATFORM_ID}/base.ign 19 | copy_file_if_exists "/usr/lib/ignition/platform/${PLATFORM_ID}/base.ign" "${destination}/base.ign" 20 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-remount-sysroot.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Remount /sysroot read-write for Ignition 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | # Some Linux Distributions don't pass a rw option on the kernel 6 | # commandline and thus mount the root filesystem ro by default. 
In 7 | # this case, remount /sysroot to rw (issue #37) 8 | DefaultDependencies=no 9 | Before=ignition-diskful.target 10 | 11 | OnFailure=emergency.target 12 | OnFailureJobMode=isolate 13 | 14 | After=sysroot.mount 15 | ConditionPathIsReadWrite=!/sysroot 16 | 17 | [Service] 18 | Type=oneshot 19 | RemainAfterExit=yes 20 | ExecStart=/bin/mount -o remount,rw /sysroot 21 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-complete.target: -------------------------------------------------------------------------------- 1 | # This target is reached when Ignition finishes running. Note that it gets 2 | # activated *only* on first boot (or if ignition.firstboot=1 is provided). 3 | # Thus, it is also an API for units to use so that they are activated only on 4 | # first boot. Simply add a link under ignition-complete.target.requires in the 5 | # initrd. 6 | [Unit] 7 | Description=Ignition Complete 8 | Documentation=https://github.com/coreos/ignition 9 | ConditionPathExists=/etc/initrd-release 10 | Before=initrd.target 11 | 12 | # Make sure we stop all the units before switching root 13 | Conflicts=initrd-switch-root.target umount.target 14 | Conflicts=dracut-emergency.service emergency.service emergency.target 15 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-files.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (files) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | 8 | OnFailure=emergency.target 9 | OnFailureJobMode=isolate 10 | 11 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 12 | After=ignition-mount.service 13 | 14 | # Run before initrd-parse-etc so that we can drop files it then picks up. 
15 | Before=initrd-parse-etc.service 16 | 17 | [Service] 18 | Type=oneshot 19 | RemainAfterExit=yes 20 | EnvironmentFile=/run/ignition.env 21 | ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=files --log-to-stdout 22 | -------------------------------------------------------------------------------- /dracut/99emergency-timeout/module-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | install_unit_wants() { 6 | local unit="$1"; shift 7 | local target="$1"; shift 8 | local instantiated="${1:-$unit}"; shift 9 | inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit" 10 | mkdir -p "$initdir/$systemdsystemunitdir/$target.wants" 11 | ln_r "../$unit" "$systemdsystemunitdir/$target.wants/$instantiated" 12 | } 13 | 14 | install() { 15 | inst_multiple \ 16 | cut \ 17 | date 18 | 19 | inst_hook emergency 99 "${moddir}/timeout.sh" 20 | 21 | inst_script "$moddir/ignition-virtio-dump-journal.sh" "/usr/bin/ignition-virtio-dump-journal" 22 | install_unit_wants ignition-virtio-dump-journal.service emergency.target 23 | } 24 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-fetch.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (fetch) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | After=basic.target 8 | ConditionPathExists=/run/ignition/neednet 9 | 10 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 11 | # We run after the setup stage has run because it may copy in new/different 12 | # ignition configs for us to consume. 
13 | After=ignition-fetch-offline.service 14 | Before=ignition-disks.service 15 | 16 | OnFailure=emergency.target 17 | OnFailureJobMode=isolate 18 | 19 | # If we run, we definitely need network, so make sure we run after. 20 | After=network.target 21 | 22 | [Service] 23 | Type=oneshot 24 | RemainAfterExit=yes 25 | EnvironmentFile=/run/ignition.env 26 | ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=fetch 27 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-setup-user.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (setup user config) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | 8 | OnFailure=emergency.target 9 | OnFailureJobMode=isolate 10 | 11 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 12 | Before=ignition-fetch-offline.service 13 | 14 | # We want to make sure we're not racing with multipath taking ownership of the 15 | # boot device. 16 | Before=multipathd.service 17 | 18 | # On diskful boots, ignition-generator adds Requires/After on 19 | # dev-disk-by\x2dlabel-boot.device & coreos-gpt-setup.service 20 | 21 | [Service] 22 | Type=oneshot 23 | RemainAfterExit=yes 24 | # The MountFlags=slave is so the umount of /boot is guaranteed to happen 25 | # /boot will only be mounted for the lifetime of the unit. 
26 | MountFlags=slave 27 | ExecStart=/usr/sbin/ignition-setup-user 28 | -------------------------------------------------------------------------------- /dracut/30ignition/coreos-gpt-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # randomizes the disk guid on the disk containing the partition specified by $1 3 | # and moves the secondary gpt header/partition table to the end of the disk where it 4 | # should be. If the disk guid is already randomized, it does nothing. 5 | set -euo pipefail 6 | 7 | UNINITIALIZED_GUID='00000000-0000-4000-a000-000000000001' 8 | 9 | # On RHEL 8 the version of lsblk doesn't have PTUUID. Let's detect 10 | # if lsblk supports it. In the future we can remove the 'if' and 11 | # just use the 'else'. Both branches eval the tools' KEY=value output as shell code, so they rely on lsblk --pairs and blkid -o export emitting shell-safe values. 12 | if ! lsblk --help | grep -q PTUUID; then 13 | # Get the PKNAME 14 | eval $(lsblk --output PKNAME --pairs --paths --nodeps "$1") 15 | # Get the PTUUID 16 | eval $(blkid -o export $PKNAME) 17 | else 18 | # PTUUID is the disk guid, PKNAME is the parent kernel name 19 | eval $(lsblk --output PTUUID,PKNAME --pairs --paths --nodeps "$1") 20 | fi 21 | 22 | [ "$PTUUID" != "$UNINITIALIZED_GUID" ] && exit 0 23 | 24 | sgdisk --disk-guid=R --move-second-header "$PKNAME" 25 | udevadm settle 26 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-fetch-offline.service: -------------------------------------------------------------------------------- 1 | # This unit creates /run/ignition/neednet if networking needs to be enabled. 2 | # The distro is responsible for sequencing a unit between 3 | # ignition-fetch-offline.service and ignition-fetch.service, detecting the 4 | # flag file with ConditionPathExists=, and enabling networking.
5 | 6 | [Unit] 7 | Description=Ignition (fetch-offline) 8 | Documentation=https://github.com/coreos/ignition 9 | ConditionPathExists=/etc/initrd-release 10 | DefaultDependencies=false 11 | Before=ignition-complete.target 12 | After=basic.target 13 | 14 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 15 | # We run after the setup stage has run because it may copy in new/different 16 | # ignition configs for us to consume. 17 | After=ignition-setup-base.service 18 | After=ignition-setup-user.service 19 | Before=ignition-fetch.service 20 | 21 | OnFailure=emergency.target 22 | OnFailureJobMode=isolate 23 | 24 | [Service] 25 | Type=oneshot 26 | RemainAfterExit=yes 27 | EnvironmentFile=/run/ignition.env 28 | ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=fetch-offline 29 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-setup-user.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | copy_file_if_exists() { 5 | src="${1}"; dst="${2}" 6 | if [ -f "${src}" ]; then 7 | echo "Copying ${src} to ${dst}" 8 | cp "${src}" "${dst}" 9 | else 10 | echo "File ${src} does not exist.. Skipping copy" 11 | fi 12 | } 13 | 14 | destination=/usr/lib/ignition 15 | mkdir -p $destination 16 | 17 | if command -v is-live-image >/dev/null && is-live-image; then 18 | # Live image. If the user has supplied a config.ign via an appended 19 | # initrd, put it in the right place. 20 | copy_file_if_exists "/config.ign" "${destination}/user.ign" 21 | else 22 | # We will support a user embedded config in the boot partition 23 | # under $bootmnt/ignition/config.ign. Note that we mount /boot 24 | # but we don't unmount boot because we are run in a systemd unit 25 | # with MountFlags=slave so it is unmounted for us. 
26 | bootmnt=/mnt/boot_partition 27 | mkdir -p $bootmnt 28 | # mount as read-only since we don't strictly need write access and we may be 29 | # running alongside other code that also has it mounted ro 30 | mount -o ro /dev/disk/by-label/boot $bootmnt 31 | copy_file_if_exists "${bootmnt}/ignition/config.ign" "${destination}/user.ign" 32 | fi 33 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-mount.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (mount) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | 8 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 9 | # We need to make sure the partitions and filesystems are set up before 10 | # mounting. This is also guaranteed through After=initrd-root-fs.target but 11 | # just to be explicit. 
12 | After=ignition-disks.service 13 | Before=ignition-files.service 14 | 15 | # Make sure ExecStop= runs before we switch root 16 | Before=initrd-switch-root.target 17 | 18 | OnFailure=emergency.target 19 | OnFailureJobMode=isolate 20 | 21 | # Make sure the final /sysroot is ready first, since we're mounting under there 22 | Requires=initrd-root-fs.target 23 | After=initrd-root-fs.target 24 | 25 | # Make sure root filesystem is remounted read-write if needed 26 | After=ignition-remount-sysroot.service 27 | 28 | [Service] 29 | Type=oneshot 30 | RemainAfterExit=yes 31 | EnvironmentFile=/run/ignition.env 32 | ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=mount --log-to-stdout 33 | ExecStop=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=umount --log-to-stdout 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2013 The CoreOS Authors. All rights reserved. 2 | 3 | Redistribution and use in source and binary forms, with or without 4 | modification, are permitted provided that the following conditions are met: 5 | 6 | 1. Redistributions of source code must retain the above copyright notice, this 7 | list of conditions and the following disclaimer. 8 | 2. Redistributions in binary form must reproduce the above copyright notice, 9 | this list of conditions and the following disclaimer in the documentation 10 | and/or other materials provided with the distribution. 11 | 12 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND 13 | ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED 14 | WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 15 | DISCLAIMED. 
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR 16 | ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES 17 | (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 18 | LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 19 | ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 20 | (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 21 | SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 22 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-disks.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Ignition (disks) 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=false 6 | Before=ignition-complete.target 7 | 8 | # Stage order: setup -> fetch-offline [-> fetch] -> disks -> mount -> files. 9 | After=ignition-fetch.service 10 | Before=ignition-mount.service 11 | 12 | # This stage runs between `basic.target` and `initrd-root-device.target`, 13 | # see https://www.freedesktop.org/software/systemd/man/bootup.html 14 | # Make sure to run before the file system checks, as sgdisk will trigger 15 | # udev events, potentially resulting in race conditions due to disappearing 16 | # devices. 17 | 18 | # Note that CL runs this before `local-fs-pre.target` to allow for configs that 19 | # completely wipe the rootfs. Though we're not there yet. But we still run 20 | # before `sysroot.mount` on principle. 21 | Before=initrd-root-device.target 22 | Before=sysroot.mount 23 | 24 | OnFailure=emergency.target 25 | OnFailureJobMode=isolate 26 | 27 | # This stage requires udevd to detect disk partitioning changes. 
28 | Requires=systemd-udevd.service 29 | After=systemd-udevd.service 30 | 31 | [Service] 32 | Type=oneshot 33 | RemainAfterExit=yes 34 | EnvironmentFile=/run/ignition.env 35 | ExecStart=/usr/bin/ignition --root=/sysroot --platform=${PLATFORM_ID} --stage=disks 36 | -------------------------------------------------------------------------------- /systemd/ignition-firstboot-complete.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Mark boot complete 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionKernelCommandLine=ignition.firstboot 5 | ConditionPathExists=!/run/ostree-live 6 | RequiresMountsFor=/boot 7 | 8 | [Service] 9 | Type=oneshot 10 | RemainAfterExit=yes 11 | # The MountFlags=slave is so we remount /boot temporarily writable; 12 | # see https://github.com/ostreedev/ostree/issues/1265 for the bigger picture. 13 | # This option creates a new mount namespace; from the point of view of 14 | # everything else, /boot stays readonly. We only have a transient writable mount 15 | # for the lifetime of the unit. 16 | # 17 | # Also regarding the lack of `-f` for rm ; we should have only run if GRUB 18 | # detected this file. Fail if we are unable to remove it, rather than risking 19 | # rerunning Ignition at next boot. 20 | MountFlags=slave 21 | # It is better to have a separate script to do this but it might be polluting 22 | # the target system with some script in i.e. /usr/sbin/firstboot-complete 23 | # The retval code is still respected with having this if-else block. 
24 | ExecStart=/bin/sh -c \ 25 | 'mount -o remount,rw /boot && \ 26 | if [[ $(uname -m) = s390x ]]; then zipl; fi && \ 27 | rm /boot/ignition.firstboot' 28 | 29 | [Install] 30 | # Part of basic.target so this happens early on in firstboot 31 | WantedBy=basic.target 32 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ARCHIVED 2 | 3 | **This repository is now archived. The dracut modules are now 4 | in-tree as of Ignition [v2.5.0](https://github.com/coreos/ignition/commit/77ddd5a0eab60604f8b04dee539a14bded771620).** 5 | 6 | Please submit any dracut modules to [Ignition](https://github.com/coreos/ignition). 7 | 8 | # ignition-dracut for Fedora CoreOS 9 | 10 | This repo holds custom dracut modules required by Fedora and 11 | RHEL CoreOS for Ignition to work properly. 12 | 13 | It's packaged on Fedora together with 14 | [Ignition](https://github.com/coreos/ignition) in the 15 | [ignition](https://src.fedoraproject.org/rpms/ignition) 16 | package. 17 | 18 | The easiest way to test it out is to pick up the latest 19 | Fedora CoreOS preview artifact from: 20 | 21 | https://getfedora.org/coreos/download/ 22 | 23 | You can see an example of how to pass a config 24 | on qemu at least in coreos-assembler: 25 | 26 | https://github.com/coreos/coreos-assembler/blob/master/src/cmd-run 27 | 28 | Note that a lot of things are in flux and subject to rapid 29 | change. E.g. some key names have changed wrt their 30 | equivalents in CoreOS Container Linux. 31 | 32 | ### Branches 33 | 34 | There are two branches: 35 | - `master` works with the `master` branch of Ignition and is 36 | currently used by Fedora CoreOS, which targets Ignition v2 37 | (spec 3). 38 | - `spec2x` works with the `spec2x` branch of Ignition and is 39 | currently used by RHEL CoreOS, which (for now) targets 40 | Ignition v0.x (spec 2). 
41 | -------------------------------------------------------------------------------- /dracut/30ignition/coreos-gpt-setup.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Generate new UUID for boot disk GPT 3 | Documentation=https://github.com/coreos/ignition 4 | ConditionPathExists=/etc/initrd-release 5 | DefaultDependencies=no 6 | Before=local-fs-pre.target systemd-fsck-root.service 7 | Before=ignition-diskful.target 8 | Wants=systemd-udevd.service 9 | After=systemd-udevd.service 10 | 11 | # This unit must be the first to run when the disk holding the root partition 12 | # becomes available. To avoid relying on the name of the root partition which 13 | # is different between RHCOS LUKS setup and current FCOS setup, we wait for the 14 | # partition labeled 'boot' to become available. This is reliable as we don't 15 | # have any plan to support re-provisioning/re-writing the /boot partition. 16 | # 17 | # This is the only unit where it is safe to wait only on a specific disk label 18 | # as this will call udevadm settle after the GPT setup. Units that require the 19 | # boot and root partitions to be available should order themselves after this 20 | # unit.
21 | Requires=dev-disk-by\x2dlabel-boot.device 22 | After=dev-disk-by\x2dlabel-boot.device 23 | 24 | # Run before services that use device nodes, preventing them from racing 25 | # with udev activity generated by sgdisk 26 | Before=ignition-setup-base.service ignition-setup-user.service ignition-disks.service 27 | 28 | OnFailure=emergency.target 29 | OnFailureJobMode=isolate 30 | 31 | [Service] 32 | Type=oneshot 33 | RemainAfterExit=yes 34 | ExecStart=/usr/sbin/coreos-gpt-setup /dev/disk/by-label/boot 35 | -------------------------------------------------------------------------------- /DCO: -------------------------------------------------------------------------------- 1 | Developer Certificate of Origin 2 | Version 1.1 3 | 4 | Copyright (C) 2004, 2006 The Linux Foundation and its contributors. 5 | 660 York Street, Suite 102, 6 | San Francisco, CA 94110 USA 7 | 8 | Everyone is permitted to copy and distribute verbatim copies of this 9 | license document, but changing it is not allowed. 10 | 11 | 12 | Developer's Certificate of Origin 1.1 13 | 14 | By making a contribution to this project, I certify that: 15 | 16 | (a) The contribution was created in whole or in part by me and I 17 | have the right to submit it under the open source license 18 | indicated in the file; or 19 | 20 | (b) The contribution is based upon previous work that, to the best 21 | of my knowledge, is covered under an appropriate open source 22 | license and I have the right under that license to submit that 23 | work with modifications, whether created in whole or in part 24 | by me, under the same open source license (unless I am 25 | permitted to submit under a different license), as indicated 26 | in the file; or 27 | 28 | (c) The contribution was provided directly to me by some other 29 | person who certified (a), (b) or (c) and I have not modified 30 | it. 
31 | 32 | (d) I understand and agree that this project and the contribution 33 | are public and that a record of the contribution (including all 34 | personal information I submit with it, including my sign-off) is 35 | maintained indefinitely and may be redistributed consistent with 36 | this project or the open source license(s) involved. 37 | -------------------------------------------------------------------------------- /dracut/30ignition/coreos-teardown-initramfs.service: -------------------------------------------------------------------------------- 1 | # Clean up the initramfs networking on first boot 2 | # so the real network is being brought up 3 | # https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763 4 | 5 | [Unit] 6 | Description=CoreOS Tear down initramfs 7 | DefaultDependencies=false 8 | 9 | # We want to run the teardown after all other Ignition stages 10 | # have run because some platforms (like Packet) do remote status 11 | # reporting for each Ignition stage. Since we are tearing down 12 | # the networking using an ExecStop we need to make sure we run 13 | # the ExecStop *after* any other ignition*.service unit's ExecStop. 14 | # The only other one right now is ignition-mount that has an ExecStop 15 | # for doing an unmount. Since the ordering for ExecStop is the 16 | # opposite of ExecStart we need to use `Before=ignition-mount.service`. 17 | # https://github.com/coreos/fedora-coreos-tracker/issues/440 18 | Before=ignition-mount.service 19 | Before=ignition-complete.target 20 | 21 | # Make sure ExecStop= runs before we switch root 22 | Conflicts=initrd-switch-root.target umount.target 23 | Before=initrd-switch-root.target 24 | 25 | OnFailure=emergency.target 26 | OnFailureJobMode=isolate 27 | 28 | # If we are already heading towards emergency.target 29 | # then don't try to stop this unit because it will fail 30 | # when trying to access files in /sysroot/etc/. 
The failure 31 | # is mostly harmless but having the extra error messages 32 | # leads us away from the original problem. 33 | IgnoreOnIsolate=true 34 | 35 | [Service] 36 | Type=oneshot 37 | RemainAfterExit=yes 38 | ExecStop=/usr/sbin/coreos-teardown-initramfs 39 | -------------------------------------------------------------------------------- /dracut/30ignition/ignition-generator: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | set -e 6 | 7 | # Generators don't have logging right now 8 | # https://github.com/systemd/systemd/issues/15638 9 | exec 1>/dev/kmsg; exec 2>&1 10 | 11 | UNIT_DIR="${1:-/tmp}" 12 | 13 | cmdline=( $(/dev/null || ! is-live-image; then 49 | add_requires ignition-diskful.target ignition-complete.target 50 | 51 | # ignition-setup-user.service should depend on the boot device node 52 | # only on diskful boots 53 | mkdir -p "${UNIT_DIR}/ignition-setup-user.service.d" 54 | cat > "${UNIT_DIR}/ignition-setup-user.service.d/diskful.conf" </dev/null || ! is-live-image; then 69 | add_requires ignition-diskful-subsequent.target ignition-subsequent.target 70 | fi 71 | fi 72 | 73 | echo "PLATFORM_ID=$(cmdline_arg ignition.platform.id)" > /run/ignition.env 74 | -------------------------------------------------------------------------------- /code-of-conduct.md: -------------------------------------------------------------------------------- 1 | ## CoreOS Community Code of Conduct 2 | 3 | ### Contributor Code of Conduct 4 | 5 | As contributors and maintainers of this project, and in the interest of 6 | fostering an open and welcoming community, we pledge to respect all people who 7 | contribute through reporting issues, posting feature requests, updating 8 | documentation, submitting pull requests or patches, and other activities. 
9 | 10 | We are committed to making participation in this project a harassment-free 11 | experience for everyone, regardless of level of experience, gender, gender 12 | identity and expression, sexual orientation, disability, personal appearance, 13 | body size, race, ethnicity, age, religion, or nationality. 14 | 15 | Examples of unacceptable behavior by participants include: 16 | 17 | * The use of sexualized language or imagery 18 | * Personal attacks 19 | * Trolling or insulting/derogatory comments 20 | * Public or private harassment 21 | * Publishing others' private information, such as physical or electronic addresses, without explicit permission 22 | * Other unethical or unprofessional conduct. 23 | 24 | Project maintainers have the right and responsibility to remove, edit, or 25 | reject comments, commits, code, wiki edits, issues, and other contributions 26 | that are not aligned to this Code of Conduct. By adopting this Code of Conduct, 27 | project maintainers commit themselves to fairly and consistently applying these 28 | principles to every aspect of managing this project. Project maintainers who do 29 | not follow or enforce the Code of Conduct may be permanently removed from the 30 | project team. 31 | 32 | This code of conduct applies both within project spaces and in public spaces 33 | when an individual is representing the project or its community. 34 | 35 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 36 | reported by contacting a project maintainer, Brandon Philips 37 | , and/or Rithu John . 38 | 39 | This Code of Conduct is adapted from the Contributor Covenant 40 | (http://contributor-covenant.org), version 1.2.0, available at 41 | http://contributor-covenant.org/version/1/2/0/ 42 | 43 | ### CoreOS Events Code of Conduct 44 | 45 | CoreOS events are working conferences intended for professional networking and 46 | collaboration in the CoreOS community. 
Attendees are expected to behave 47 | according to professional standards and in accordance with their employer’s 48 | policies on appropriate workplace behavior. 49 | 50 | While at CoreOS events or related social networking opportunities, attendees 51 | should not engage in discriminatory or offensive speech or actions including 52 | but not limited to gender, sexuality, race, age, disability, or religion. 53 | Speakers should be especially aware of these concerns. 54 | 55 | CoreOS does not condone any statements by speakers contrary to these standards. 56 | CoreOS reserves the right to deny entrance and/or eject from an event (without 57 | refund) any individual found to be engaging in discriminatory or offensive 58 | speech or actions. 59 | 60 | Please bring any concerns to the immediate attention of designated on-site 61 | staff, Brandon Philips , and/or Rithu John . 62 | -------------------------------------------------------------------------------- /dracut/99emergency-timeout/timeout.sh: -------------------------------------------------------------------------------- 1 | # Before starting the emergency shell, prompt the user to press Enter. 2 | # If they don't, reboot the system. 3 | # 4 | # Assumes /bin/sh is bash. 5 | 6 | # _wait_for_journalctl_to_stop will block until either: 7 | # - no messages have appeared in journalctl for the past 5 seconds 8 | # - 15 seconds have elapsed 9 | _wait_for_journalctl_to_stop() { 10 | local time_since_last_log=0 11 | 12 | local time_started="$(date '+%s')" 13 | local now="$(date '+%s')" 14 | 15 | while [ ${time_since_last_log} -lt 5 -a $((now-time_started)) -lt 15 ]; do 16 | sleep 1 17 | 18 | local last_log_timestamp="$(journalctl -e -n 1 -q -o short-unix | cut -d '.' 
-f 1)" 19 | local now="$(date '+%s')" 20 | 21 | local time_since_last_log=$((now-last_log_timestamp)) 22 | done 23 | } 24 | 25 | _prompt_for_timeout() { 26 | local timeout=300 27 | local interval=15 28 | 29 | if [[ -e /.emergency-shell-confirmed ]]; then 30 | return 31 | fi 32 | failed=$(systemctl --failed --no-legend | cut -f 1 -d ' ') 33 | if [ -n "${failed}" ]; then 34 | # Something failed, suppress kernel logs so that it's more likely 35 | # the useful bits from the journal are available. 36 | dmesg --console-off 37 | 38 | # There's a couple straggler systemd messages. Wait until it's been 5 39 | # seconds since something was written to the journal. 40 | _wait_for_journalctl_to_stop 41 | 42 | # Print Ignition logs 43 | if echo ${failed} | grep -qFe 'ignition-'; then 44 | cat < 0 ]]; do 67 | local m=$(( $timeout / 60 )) 68 | local s=$(( $timeout % 60 )) 69 | local m_label="minutes" 70 | if [[ $m = 1 ]]; then 71 | m_label="minute" 72 | fi 73 | 74 | if [[ $s != 0 ]]; then 75 | echo -n -e "Press Enter for emergency shell or wait $m $m_label $s seconds for reboot. \r" 76 | else 77 | echo -n -e "Press Enter for emergency shell or wait $m $m_label for reboot. \r" 78 | fi 79 | 80 | local anything 81 | if read -t $interval anything; then 82 | > /.emergency-shell-confirmed 83 | return 84 | fi 85 | timeout=$(( $timeout - $interval )) 86 | done 87 | 88 | echo -e "\nRebooting." 89 | # This is not very nice, but since reboot.target likely conflicts with 90 | # the existing goal target wrt the desired state of shutdown.target, 91 | # there doesn't seem to be a better option. 92 | systemctl reboot --force 93 | exit 0 94 | } 95 | 96 | # If we're invoked from a dracut breakpoint rather than 97 | # dracut-emergency.service, we won't have a controlling terminal and stdio 98 | # won't be connected to it. Explicitly read/write /dev/console. 
99 | _prompt_for_timeout < /dev/console > /dev/console 100 | -------------------------------------------------------------------------------- /dracut/30ignition/module-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | depends() { 6 | echo qemu systemd url-lib network 7 | } 8 | 9 | install_ignition_unit() { 10 | local unit="$1"; shift 11 | local target="${1:-ignition-complete.target}"; shift 12 | local instantiated="${1:-$unit}"; shift 13 | inst_simple "$moddir/$unit" "$systemdsystemunitdir/$unit" 14 | mkdir -p "$initdir/$systemdsystemunitdir/$target.requires" 15 | ln_r "../$unit" "$systemdsystemunitdir/$target.requires/$instantiated" 16 | } 17 | 18 | install() { 19 | inst_multiple \ 20 | basename \ 21 | lsblk 22 | 23 | # Not all features of the configuration may be available on all systems 24 | # (e.g. on embedded systems), so only add applications which are actually 25 | # present 26 | inst_multiple -o \ 27 | groupadd \ 28 | mkfs.btrfs \ 29 | mkfs.ext4 \ 30 | mkfs.vfat \ 31 | mkfs.xfs \ 32 | mkswap \ 33 | sgdisk \ 34 | useradd \ 35 | usermod \ 36 | wipefs 37 | 38 | # Needed for clevis binding; note all binaries related to unlocking are 39 | # included by the Clevis dracut modules. 40 | inst_multiple -o \ 41 | clevis-encrypt-sss \ 42 | clevis-encrypt-tang \ 43 | clevis-encrypt-tpm2 \ 44 | clevis-luks-bind \ 45 | clevis-luks-common-functions \ 46 | clevis-luks-unlock \ 47 | pwmake \ 48 | tpm2_create 49 | 50 | # Required by s390x's z/VM installation. 
51 | # Supporting https://github.com/coreos/ignition/pull/865 52 | inst_multiple -o chccwdev vmur 53 | 54 | # Required on system using SELinux 55 | inst_multiple -o setfiles 56 | 57 | inst_script "$moddir/coreos-gpt-setup.sh" \ 58 | "/usr/sbin/coreos-gpt-setup" 59 | 60 | inst_script "$moddir/ignition-setup-base.sh" \ 61 | "/usr/sbin/ignition-setup-base" 62 | inst_script "$moddir/ignition-setup-user.sh" \ 63 | "/usr/sbin/ignition-setup-user" 64 | 65 | # Distro packaging is expected to install the ignition binary into the 66 | # module directory. 67 | inst_simple "$moddir/ignition" \ 68 | "/usr/bin/ignition" 69 | 70 | # Rule to allow udev to discover unformatted encrypted devices 71 | inst_simple "$moddir/99-xx-ignition-systemd-cryptsetup.rules" \ 72 | "/usr/lib/udev/rules.d/99-xx-ignition-systemd-cryptsetup.rules" 73 | 74 | # disable dictcheck 75 | inst_simple "$moddir/ignition-luks.conf" \ 76 | "/etc/security/pwquality.conf.d/ignition-luks.conf" 77 | 78 | inst_simple "$moddir/ignition-generator" \ 79 | "$systemdutildir/system-generators/ignition-generator" 80 | 81 | for x in "complete" "subsequent" "diskful" "diskful-subsequent"; do 82 | inst_simple "$moddir/ignition-$x.target" \ 83 | "$systemdsystemunitdir/ignition-$x.target" 84 | done 85 | 86 | # For consistency tear down the network and persist multipath between the initramfs and 87 | # real root. 
See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763 88 | inst_script "$moddir/coreos-teardown-initramfs.sh" \ 89 | "/usr/sbin/coreos-teardown-initramfs" 90 | install_ignition_unit coreos-teardown-initramfs.service 91 | 92 | install_ignition_unit ignition-setup-base.service 93 | install_ignition_unit ignition-setup-user.service 94 | install_ignition_unit ignition-fetch.service 95 | install_ignition_unit ignition-fetch-offline.service 96 | install_ignition_unit ignition-disks.service 97 | install_ignition_unit ignition-mount.service 98 | install_ignition_unit ignition-files.service 99 | 100 | # units only started when we have a boot disk 101 | # path generated by systemd-escape --path /dev/disk/by-label/root 102 | install_ignition_unit coreos-gpt-setup.service ignition-diskful.target 103 | install_ignition_unit ignition-remount-sysroot.service ignition-diskful.target 104 | 105 | # needed for openstack config drive support 106 | inst_rules 60-cdrom_id.rules 107 | } 108 | -------------------------------------------------------------------------------- /dracut/30ignition/coreos-teardown-initramfs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*- 3 | # ex: ts=8 sw=4 sts=4 et filetype=sh 4 | 5 | set -euo pipefail 6 | 7 | # Load dracut libraries. Using getargbool() and getargs() from 8 | # dracut-lib and ip_to_var() from net-lib 9 | load_dracut_libs() { 10 | # dracut is not friendly to set -eu 11 | set +euo pipefail 12 | type getargbool &>/dev/null || . /lib/dracut-lib.sh 13 | type ip_to_var &>/dev/null || . /lib/net-lib.sh 14 | set -euo pipefail 15 | } 16 | 17 | dracut_func() { 18 | # dracut is not friendly to set -eu 19 | set +euo pipefail 20 | "$@"; local rc=$? 
21 | set -euo pipefail 22 | return $rc 23 | } 24 | 25 | selinux_relabel() { 26 | # If we have access to coreos-relabel then let's use that because 27 | # it allows us to set labels on things before switching root 28 | # If not, fallback to tmpfiles. 29 | if command -v coreos-relabel; then 30 | coreos-relabel $1 31 | else 32 | echo "Z $1 - - -" >> "/run/tmpfiles.d/$(basename $0)-relabel.conf" 33 | fi 34 | } 35 | 36 | # Propagate initramfs networking if desired. The policy here is: 37 | # 38 | # - If a networking configuration was provided before this point 39 | # (most likely via Ignition) and exists in the real root then 40 | # we do nothing and don't propagate any initramfs networking. 41 | # - If a user did not provide any networking configuration 42 | # then we'll propagate the initramfs networking configuration 43 | # into the real root. 44 | # 45 | # See https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721173 46 | propagate_initramfs_networking() { 47 | # Check the two locations where a user could have provided network configuration 48 | # On FCOS we only support keyfiles, but on RHCOS we support keyfiles and ifcfg 49 | if [ -n "$(ls -A /sysroot/etc/NetworkManager/system-connections/)" -o \ 50 | -n "$(ls -A /sysroot/etc/sysconfig/network-scripts/)" ]; then 51 | echo "info: networking config is defined in the real root" 52 | echo "info: will not attempt to propagate initramfs networking" 53 | else 54 | echo "info: no networking config is defined in the real root" 55 | if [ -n "$(ls -A /run/NetworkManager/system-connections/)" ]; then 56 | echo "info: propagating initramfs networking config to the real root" 57 | cp /run/NetworkManager/system-connections/* /sysroot/etc/NetworkManager/system-connections/ 58 | selinux_relabel /etc/NetworkManager/system-connections/ 59 | else 60 | echo "info: no initramfs networking information to propagate" 61 | fi 62 | fi 63 | } 64 | 65 | # Propagate the ip= karg hostname if desired. 
The policy here is: 66 | # 67 | # - IF a hostname is specified in static networking ip= kargs 68 | # - AND no hostname was set via Ignition (realroot `/etc/hostname`) 69 | # - THEN we make the last hostname specified in an ip= karg apply 70 | # permanently by writing it into `/etc/hostname` 71 | # 72 | # This may no longer be needed when the following bug is fixed: 73 | # https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/419 74 | propagate_initramfs_hostname() { 75 | if [ -e '/sysroot/etc/hostname' ]; then 76 | echo "info: hostname is defined in the real root" 77 | echo "info: will not attempt to propagate initramfs hostname" 78 | return 0 79 | fi 80 | # Detect if any hostname was provided via static ip= kargs 81 | # run in a subshell so we don't pollute our environment 82 | hostnamefile=$(mktemp) 83 | ( 84 | last_nonempty_hostname='' 85 | # Inspired from ifup.sh from the 40network dracut module. Note that 86 | # $hostname from ip_to_var will only be nonempty for static networking. 87 | for iparg in $(dracut_func getargs ip=); do 88 | dracut_func ip_to_var $iparg 89 | [ -n "${hostname:-}" ] && last_nonempty_hostname="$hostname" 90 | done 91 | echo -n "$last_nonempty_hostname" > $hostnamefile 92 | ) 93 | hostname=$(<$hostnamefile); rm $hostnamefile 94 | if [ -n "$hostname" ]; then 95 | echo "info: propagating initramfs hostname (${hostname}) to the real root" 96 | echo $hostname > /sysroot/etc/hostname # NOTE(review): $hostname is taken from the ip= kargs and is expanded unquoted here, so it is subject to word splitting and globbing before being written; quoting it ("$hostname") would write the value verbatim 97 | selinux_relabel /etc/hostname 98 | else 99 | echo "info: no initramfs hostname information to propagate" 100 | fi 101 | } 102 | 103 | # Persist automatic multipath configuration, if any. 104 | # When booting with `rd.multipath=default`, the default multipath 105 | # configuration is written. We need to ensure that the multipath configuration 106 | # is persisted to the final target. 107 | propagate_initramfs_multipath() { 108 | if [ !
-f /sysroot/etc/multipath.conf ] && [ -f /etc/multipath.conf ]; then 109 | echo "info: propagating automatic multipath configuration" 110 | cp -v /etc/multipath.conf /sysroot/etc/ 111 | mkdir -p /sysroot/etc/multipath/multipath.conf.d 112 | selinux_relabel /etc/multipath.conf 113 | selinux_relabel /etc/multipath/multipath.conf.d 114 | else 115 | echo "info: no initramfs automatic multipath configuration to propagate" 116 | fi 117 | } 118 | 119 | down_interface() { 120 | echo "info: taking down network device: $1" 121 | # On recommendation from the NM team let's try to delete the device 122 | # first and if that doesn't work then set it to down and flush any 123 | # associated addresses. Deleting virtual devices (bonds, teams, bridges, 124 | # ip-tunnels, etc) will clean up any associated kernel resources. A real 125 | # device can't be deleted so that will fail and we'll fallback to setting 126 | # it down and flushing addresses. 127 | if ! ip link delete $1; then 128 | ip link set $1 down 129 | ip addr flush dev $1 130 | fi 131 | } 132 | 133 | # Iterate through the interfaces in the machine and take them down. 134 | # Note that in the future we would like to possibly use `nmcli networking off` 135 | # for this. See the following two comments for details: 136 | # https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599721763 137 | # https://github.com/coreos/fedora-coreos-tracker/issues/394#issuecomment-599746049 138 | down_interfaces() { 139 | if ! [ -z "$(ls /sys/class/net)" ]; then 140 | for f in /sys/class/net/*; do 141 | interface=$(basename "$f") 142 | # The `bonding_masters` entry is not a true interface and thus 143 | # cannot be taken down.
Also skip local loopback 144 | case "$interface" in 145 | "lo" | "bonding_masters") 146 | continue 147 | ;; 148 | esac 149 | down_interface $interface 150 | done 151 | fi 152 | } 153 | 154 | main() { 155 | # Load libraries from dracut 156 | load_dracut_libs 157 | 158 | # Take down all interfaces set up in the initramfs 159 | down_interfaces 160 | 161 | # Clean up all routing 162 | echo "info: flushing all routing" 163 | ip route flush table main 164 | ip route flush cache 165 | 166 | # Hopefully our logic is sound enough that this is never needed, but 167 | # users can explicitly disable initramfs network/hostname propagation 168 | # with the coreos.no_persist_ip karg. 169 | if dracut_func getargbool 0 'coreos.no_persist_ip'; then 170 | echo "info: coreos.no_persist_ip karg detected" 171 | echo "info: skipping propagating initramfs settings" 172 | else 173 | propagate_initramfs_hostname 174 | propagate_initramfs_networking 175 | fi 176 | 177 | # Now that the configuration has been propagated (or not) 178 | # clean it up so that no information from outside of the 179 | # real root is passed on to NetworkManager in the real root 180 | rm -rf /run/NetworkManager/ 181 | 182 | # If automated multipath configuration has been enabled, ensure 183 | # that it's propagated to the real rootfs. This call is outside the coreos.no_persist_ip check above, so it runs either way. 184 | propagate_initramfs_multipath 185 | } 186 | 187 | main 188 | --------------------------------------------------------------------------------