From 22477f2408292fbae0c1237fe5b0364e4b7d6ced Mon Sep 17 00:00:00 2001
From: Jan Schintag
Date: Tue, 18 Apr 2023 15:43:39 +0200
Subject: [PATCH] 40ignition-ostree/ignition-ostree-growfs: Fix Secure Execution firstboot error

Ensure that /dev/disk/by-label/root is present before running service. Do not try to mount disk when running in Secure Execution mode.

Fixes: https://github.com/openshift/os/issues/1264
Signed-off-by: Jan Schintag
---
 .../40ignition-ostree/ignition-ostree-growfs.service | 3 ++-
 .../40ignition-ostree/ignition-ostree-growfs.sh | 12 ++++++------
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
index da47d6660c..ebe7596d2e 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.service
@@ -3,6 +3,7 @@ Description=Ignition OSTree: Grow Root Filesystem
 DefaultDependencies=false
 ConditionKernelCommandLine=ostree
 ConditionPathExists=!/run/ostree-live
+Require=/dev/disk/by-label/root
 Before=initrd-root-fs.target
 Before=sysroot.mount ignition-ostree-mount-firstboot-sysroot.service
 After=ignition-ostree-uuid-root.service
@@ -12,4 +13,4 @@ Type=oneshot
 ExecStart=/usr/sbin/ignition-ostree-growfs
 RemainAfterExit=yes
 # So we can transiently mount sysroot
-MountFlags=slave
\ No newline at end of file
+MountFlags=slave
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
index 862cace7d5..8e4bdf5f16 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-growfs.sh
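Review bot: In ignition-ostree-growfs.service, the added `Require=/dev/disk/by-label/root` is not a [Unit] setting that systemd knows, so it is expected to be reported as an unknown key and ignored, and the guarantee named in the commit message (the root label device exists before the service runs) is not enforced. The dependency setting is `Requires=`, which is normally given the escaped device unit name rather than a path and does not order the units by itself, so it needs a matching `After=`: `Requires=dev-disk-by\x2dlabel-root.device` plus `After=dev-disk-by\x2dlabel-root.device`. Running `systemd-analyze verify` on the unit would catch this kind of misspelled key before it reaches an initrd.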
@@ -35,6 +35,12 @@ fi
 # partition *before* ignition-disks.
 saved_partstate=/run/ignition-ostree-rootfs-partstate.sh
 
+# In the IBM Secure Execution case we use Ignition to grow and reencrypt rootfs
+# see overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
+if [[ -f /run/coreos/secure-execution ]]; then
+ exit 0
+fi
+
 # We run before the rootfs is mounted at /sysroot, but we still need to mount it
 # (in a private namespace) since XFS and Btrfs can only do resizing online (EXT4
 # can do either).
@@ -42,12 +48,6 @@ path=/sysroot
 src=/dev/disk/by-label/root
 mount "${src}" "${path}"
 
-# In the IBM Secure Execution case we use Ignition to grow and reencrypt rootfs
-# see overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
-if [[ -f /run/coreos/secure-execution ]]; then
- exit 0
-fi
-
 if [ ! -f "${saved_partstate}" ]; then
 partition=$(realpath /dev/disk/by-label/root)
 else
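Review bot: The relocated Secure Execution check in the first hunk of ignition-ostree-growfs.sh exits without writing anything to the journal. The unit has `RemainAfterExit=yes` and the script returns 0, so a firstboot where growth was skipped looks the same as one where the service did its work. Printing the reason before leaving, e.g. `echo "ignition-ostree-growfs: Secure Execution detected, leaving rootfs growth to Ignition"` ahead of `exit 0`, would make the skipped path visible when debugging a guest whose only diagnostics are the console and journal. The check still sits below code that starts above this hunk (the block closed by the `fi` shown in the hunk header), so whether anything earlier touches the root device in this mode cannot be judged from the visible lines.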