From 8e08f7bb3d681d4761ad63253633cb8a675f3cc2 Mon Sep 17 00:00:00 2001 
From: Benjamin Gilbert Date: Fri, 13 May 2022 01:17:41 -0400 Subject: [PATCH] 05core: add coreos-ignition-delete-config.service for upgrade boots Ignition 2.14.0 adds ignition-delete-config.service, which deletes Ignition configs from VMware and VirtualBox on first boot. Add coreos-ignition-delete-config.service to do the same thing on existing machines on upgrade, using a stamp file in /var/lib to avoid multiple runs. Add a drop-in for ignition-delete-config.service that creates a stamp file in /run, and then chain from that stamp to the long-term stamp in /var/lib, ensuring that we don't delete configs twice on newly- provisioned machines. The upstream service can't create the stamp directly in /var/lib because it runs before /var is mounted. Prevent coreos-ignition-delete-config.service from running if ignition-delete-config.service is masked, ensuring that the mask operation documented upstream prevents the config from ever being deleted, as intended. We can remove this after the next barrier release in FCOS and barrier equivalent in RHCOS. --- .../systemd/system-preset/40-coreos.preset | 2 + .../coreos-ignition-delete-config.service | 28 ++++++ .../10-flag-file.conf | 7 ++ .../usr/libexec/coreos-ignition-delete-config | 23 +++++ tests/kola/ignition/delete-config/config.bu | 36 ++++++++ .../ignition/delete-config/data/commonlib.sh | 1 + tests/kola/ignition/delete-config/test.sh | 88 +++++++++++++++++++ 7 files changed, 185 insertions(+) create mode 100644 overlay.d/05core/usr/lib/systemd/system/coreos-ignition-delete-config.service create mode 100644 overlay.d/05core/usr/lib/systemd/system/ignition-delete-config.service.d/10-flag-file.conf create mode 100755 overlay.d/05core/usr/libexec/coreos-ignition-delete-config create mode 100644 tests/kola/ignition/delete-config/config.bu create mode 120000 tests/kola/ignition/delete-config/data/commonlib.sh create mode 100755 tests/kola/ignition/delete-config/test.sh 
diff --git a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
index 9c0a2761c4..4f332211f4 100644
--- a/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
+++ b/overlay.d/05core/usr/lib/systemd/system-preset/40-coreos.preset
@@ -10,6 +10,8 @@ enable coreos-ignition-firstboot-complete.service
 # Delete Ignition config from provider on platforms where it's possible
 # https://github.com/coreos/ignition/pull/1350
 enable ignition-delete-config.service
+# Delete Ignition config from provider when upgrading existing nodes
+enable coreos-ignition-delete-config.service
 # Boot checkin services for cloud providers.
 enable afterburn-checkin.service
 enable afterburn-firstboot-checkin.service
diff --git a/overlay.d/05core/usr/lib/systemd/system/coreos-ignition-delete-config.service b/overlay.d/05core/usr/lib/systemd/system/coreos-ignition-delete-config.service
new file mode 100644
index 0000000000..cdcea6200a
--- /dev/null
+++ b/overlay.d/05core/usr/lib/systemd/system/coreos-ignition-delete-config.service
@@ -0,0 +1,28 @@
+# Can be removed from FCOS in Fedora 37 or after the next barrier release,
+# whichever comes first. Can be removed from RHCOS in the first release
+# after every node is guaranteed to have booted at least once with 4.11 or
+# higher.
+
+[Unit]
+Description=CoreOS Delete Ignition Config From Hypervisor
+Documentation=https://coreos.github.io/ignition/
+
+ConditionKernelCommandLine=|ignition.platform.id=virtualbox
+ConditionKernelCommandLine=|ignition.platform.id=vmware
+ConditionPathExists=!/var/lib/coreos-ignition-delete-config.stamp
+# Hack: if the user masked ignition-delete-config.service, we shouldn't run
+# either.
+ConditionPathIsSymbolicLink=!/etc/systemd/system/ignition-delete-config.service
+
+# We check a stamp file written by ignition-delete-config.service. That
+# service runs Before=sysinit.target, on which we have a default dependency,
+# so this is really just documentation.
+After=ignition-delete-config.service
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/coreos-ignition-delete-config
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/overlay.d/05core/usr/lib/systemd/system/ignition-delete-config.service.d/10-flag-file.conf b/overlay.d/05core/usr/lib/systemd/system/ignition-delete-config.service.d/10-flag-file.conf
new file mode 100644
index 0000000000..e501d74dab
--- /dev/null
+++ b/overlay.d/05core/usr/lib/systemd/system/ignition-delete-config.service.d/10-flag-file.conf
@@ -0,0 +1,7 @@
+# Create a flag file to notify coreos-ignition-delete-config.service that
+# we've run, and put it in /run because /var isn't mounted yet.
+# coreos-ignition-delete-config.service will then avoid trying to delete
+# the config again, and will create a persistent stamp file in /var/lib.
+
+[Service]
+ExecStart=/bin/touch /run/coreos-ignition-delete-config.stamp
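Review bot: `ConditionPathIsSymbolicLink=!/etc/systemd/system/ignition-delete-config.service` in coreos-ignition-delete-config.service only approximates "the upstream unit is masked", and it errs in both directions. systemd also treats a zero-length regular file at that path as a mask, which this condition does not see, so the upgrade service would still delete the config that the user meant to keep. Conversely, any symlink at that path, not only one to /dev/null, suppresses this unit without writing the /var/lib stamp, leaving a config that may hold credentials on the hypervisor with no log line saying why. At minimum I would document the limit next to the condition, e.g. `# Detects only a symlink at this path; an empty unit file also masks the upstream service but is not caught here.` A stricter option is to have the helper compare the output of `systemctl is-enabled ignition-delete-config.service` with `masked` before deleting; the helper's body is cut off in this view, so it may already do something similar.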
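Review bot: The comment in 10-flag-file.conf says the flag file records that "we've run", but the chain into the persistent /var/lib stamp is only safe if it records that the deletion succeeded. systemd runs the `ExecStart=` lines of a oneshot unit in order and skips the rest after a failure, so the `touch` is presumably not reached when the upstream deletion fails and the upgrade service then retries. That depends on the upstream unit being `Type=oneshot`, which is not visible in this patch. I would state the dependency in the drop-in, e.g. `# Appended after the upstream ExecStart=; relies on oneshot ordering so the stamp exists only if the deletion succeeded.`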
diff --git a/overlay.d/05core/usr/libexec/coreos-ignition-delete-config b/overlay.d/05core/usr/libexec/coreos-ignition-delete-config
new file mode 100755
index 0000000000..59d4f0cf60
--- /dev/null
+++ b/overlay.d/05core/usr/libexec/coreos-ignition-delete-config
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+set -euo pipefail
+
+cmdline=( $(