Support installing extensions shipped by RHCOS

cmd/machine-config-daemon/mount_container.go

@@ -0,0 +1,71 @@
+package main
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	daemon "github.com/openshift/machine-config-operator/pkg/daemon"
+	"github.com/openshift/machine-config-operator/pkg/daemon/constants"
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+)
+
+var mountContainer = &cobra.Command{
+	Use:                   "mount-container",
+	DisableFlagsInUseLine: true,
+	Short:                 "Pull and mount container",
+	Args:                  cobra.ExactArgs(1),
+	Run:                   executeMountContainer,
+}
+
+// init executes upon import
+func init() {
+	rootCmd.AddCommand(mountContainer)
+	pflag.CommandLine.AddGoFlagSet(flag.CommandLine)
+}
+
+func saveToFile(content, path string) error {
+	file, err := os.Create(path)
+	if err != nil {
+		file.Close()
+		return fmt.Errorf("Error creating file %s: %v", path, err)
+	}
+	defer file.Close()
+	if _, err := file.WriteString(content); err != nil {
+		return err
+	}
+	return nil
+
+}
+
+func runMountContainer(_ *cobra.Command, args []string) error {
+	flag.Set("logtostderr", "true")
+	flag.Parse()
+	var containerMntLoc, containerImage, containerName string
+	containerImage = args[0]
+
+	var err error
+	if containerMntLoc, containerName, err = daemon.MountOSContainer(containerImage); err != nil {
+		return err
+	}
+	// Save mounted container name and location into file for later to be used
+	// for OS rebase and applying extensions
+	if err := saveToFile(containerName, constants.MountedOSContainerName); err != nil {
+		return fmt.Errorf("Failed saving container name: %v", err)
+	}
+	if err := saveToFile(containerMntLoc, constants.MountedOSContainerLocation); err != nil {
+		return fmt.Errorf("Failed saving mounted container location: %v", err)
+	}
+
+	return nil
+
+}
+
+func executeMountContainer(cmd *cobra.Command, args []string) {
+	err := runMountContainer(cmd, args)
+	if err != nil {
+		fmt.Printf("error: %v\n", err)
+		os.Exit(1)
+	}
+}

cmd/machine-config-daemon/pivot.go

@@ -15,6 +15,7 @@ import (
 
 	"github.com/golang/glog"
 	daemon "github.com/openshift/machine-config-operator/pkg/daemon"
+	"github.com/openshift/machine-config-operator/pkg/daemon/constants"
 	"github.com/openshift/machine-config-operator/pkg/daemon/pivot/types"
 	errors "github.com/pkg/errors"
 	"github.com/spf13/cobra"
@@ -214,8 +215,10 @@ func run(_ *cobra.Command, args []string) (retErr error) {
 	flag.Set("logtostderr", "true")
 	flag.Parse()
 
-	var container string
+	var containerName string
 	if fromEtcPullSpec || len(args) == 0 {
+		// In this case we will just rebase to OSImage provided in etcPivotFile.
+		// Extensions won't apply. This should be consistent with old behavior.
 		fromEtcPullSpec = true
 		data, err := ioutil.ReadFile(etcPivotFile)
 		if err != nil {
@@ -224,14 +227,34 @@ func run(_ *cobra.Command, args []string) (retErr error) {
 			}
 			return errors.Wrapf(err, "failed to read from %s", etcPivotFile)
 		}
-		container = strings.TrimSpace(string(data))
+		container := strings.TrimSpace(string(data))
+		unitName := "mco-mount-container"
+		glog.Infof("Pulling in image and mounting container on host via systemd-run unit=%s", unitName)
+		err = exec.Command("systemd-run", "--wait", "--collect", "--unit="+unitName,
+			"-E", "RPMOSTREE_CLIENT_ID=mco", constants.HostSelfBinary, "mount-container", container).Run()
+		if err != nil {
+			return errors.Wrapf(err, "failed to create extensions repo")
+		}
+		var containerName string
+		if containerName, err = daemon.ReadFromFile(constants.MountedOSContainerName); err != nil {
+			return err
+		}
+
+		defer func() {
+			// Ideally other than MCD pivot, OSContainer shouldn't be needed by others.
+			// With above assumption, we should be able to delete OSContainer image as well as associated container with force option
+			exec.Command("podman", "rm", containerName).Run()
+			exec.Command("podman", "rmi", container).Run()
+			glog.Infof("Deleted container %s and corresponding image %s", containerName, container)
+		}()
+
 	} else {
-		container = args[0]
+		containerName = args[0]
 	}
 
 	client := daemon.NewNodeUpdaterClient()
 
-	_, changed, err := client.PullAndRebase(container, keep)
+	changed, err := client.PerformRpmOSTreeOperations(containerName, keep)
 	if err != nil {
 		return err
 	}
@@ -257,7 +280,7 @@ func run(_ *cobra.Command, args []string) (retErr error) {
 	}
 
 	if !changed {
-		glog.Info("No changes; already at target oscontainer, no kernel args provided")
+		glog.Info("No changes; already at target oscontainer, no kernel args provided, no kernelType switch, no extensions applied")
 	}
 
 	return nil

install/0000_80_machine-config-operator_01_machineconfig.crd.yaml

@@ -307,6 +307,12 @@ spec:
                             description: Name is the name of the unit. This must be suffixed with a
                               valid unit type (e.g. 'thing.service')
                             type: string
+            extensions:
+              description: List of additional features that can be enabled on host
+              type: array
+              items:
+               type: string
+              nullable: true
             fips:
               description: FIPS controls FIPS mode
               type: boolean

lib/resourcemerge/machineconfig.go

@@ -59,6 +59,10 @@ func ensureMachineConfigSpec(modified *bool, existing *mcfgv1.MachineConfigSpec,
 		*modified = true
 		(*existing).FIPS = required.FIPS
 	}
+	if !equality.Semantic.DeepEqual(existing.Extensions, required.Extensions) {
+		*modified = true
+		(*existing).Extensions = required.Extensions
+	}
 }
 
 func ensureControllerConfigSpec(modified *bool, existing *mcfgv1.ControllerConfigSpec, required mcfgv1.ControllerConfigSpec) {

pkg/apis/machineconfiguration.openshift.io/v1/types.go

@@ -176,6 +176,7 @@ type MachineConfigSpec struct {
 
 	// +nullable
 	KernelArguments []string `json:"kernelArguments"`
+	Extensions      []string `json:"extensions"`
 
 	FIPS       bool   `json:"fips"`
 	KernelType string `json:"kernelType"`

pkg/controller/common/helpers.go

@@ -103,6 +103,18 @@ func MergeMachineConfigs(configs []*mcfgv1.MachineConfig, osImageURL string) (*m
 		kargs = append(kargs, cfg.Spec.KernelArguments...)
 	}
 
+	extensions := []string{}
+	for _, cfg := range configs {
+		extensions = append(extensions, cfg.Spec.Extensions...)
+	}
+
+	// Ensure that kernel-devel extension is applied only with default kernel.
+	if kernelType != KernelTypeDefault {
+		if InSlice("kernel-devel", extensions) {
+			return nil, fmt.Errorf("Installing kernel-devel extension is not supported with kernelType: %s", kernelType)
+		}
+	}
+
 	return &mcfgv1.MachineConfig{
 		Spec: mcfgv1.MachineConfigSpec{
 			OSImageURL:      osImageURL,
@@ -112,6 +124,7 @@ func MergeMachineConfigs(configs []*mcfgv1.MachineConfig, osImageURL string) (*m
 			},
 			FIPS:       fips,
 			KernelType: kernelType,
+			Extensions: extensions,
 		},
 	}, nil
 }
@@ -285,12 +298,41 @@ func ValidateIgnition(ignconfig interface{}) error {
 	}
 }
 
+// InSlice search for an element in slice and return true if found, otherwise return false
+func InSlice(elem string, slice []string) bool {
+	for _, k := range slice {
+		if k == elem {
+			return true
+		}
+	}
+	return false
+}
+
+func validateExtensions(exts []string) error {
+	supportedExtensions := []string{"usbguard", "kernel-devel"}
+	invalidExts := []string{}
+	for _, ext := range exts {
+		if !InSlice(ext, supportedExtensions) {
+			invalidExts = append(invalidExts, ext)
+		}
+	}
+	if len(invalidExts) != 0 {
+		return fmt.Errorf("Invalid extensions found: %v", invalidExts)
+	}
+	return nil
+
+}
+
 // ValidateMachineConfig validates that given MachineConfig Spec is valid.
 func ValidateMachineConfig(cfg mcfgv1.MachineConfigSpec) error {
 	if !(cfg.KernelType == "" || cfg.KernelType == KernelTypeDefault || cfg.KernelType == KernelTypeRealtime) {
 		return errors.Errorf("kernelType=%s is invalid", cfg.KernelType)
 	}
 
+	if err := validateExtensions(cfg.Extensions); err != nil {
+		return err
+	}
+
 	if cfg.Config.Raw != nil {
 		ignCfg, err := IgnParseWrapper(cfg.Config.Raw)
 		if err != nil {

pkg/daemon/constants/constants.go

@@ -55,4 +55,23 @@ const (
 	// "currentConfig" state.  Create this file (empty contents is fine) if you wish the MCD
 	// to proceed and attempt to "reconcile" to the new "desiredConfig" state regardless.
 	MachineConfigDaemonForceFile = "/run/machine-config-daemon-force"
+
+	// NewMachineConfigPath contains all the data from the desired MachineConfig
+	// except the spec/Config. We use this information and compare with old MachineConfig
+	// during pivot to update OS to desired state.
+	NewMachineConfigPath = "/run/newMachineConfig.json"
+
+	// OldMachineConfigPath contains all the data from the MachineConfig from the current state
+	// except the spec/Config. We use this information and compare with new old MachienConfig
+	// during pivot to update OS to desired state.
+	OldMachineConfigPath = "/run/oldMachineConfig.json"
+
+	// MountedOSContainerName contains name of OSContainer which we have already pulled in, created and mounted
+	// while we created extensions repo. We are saving the already created container so that we can further
+	// perform OS rebase or install extensions
+	MountedOSContainerName = "/run/mountedOSContainerName"
+
+	// MountedOSContainerLocation contains the path of mounted container referenced in
+	// MountedOSContainer
+	MountedOSContainerLocation = "/run/mountedOSContainerLocation"
 )