WIP: Redeploy rootfs #107
WIP: Redeploy rootfs #107
Conversation
cgwalters
force-pushed
the
redeploy-rootfs
branch
from
7705a89 to
17a9684
Compare
|
OK this turns out to block on the SELinux/initramfs issue: #79 (comment) Everything ends up Also annoying is that |
|
More specifically, it blocks on https://lore.kernel.org/selinux/20190912133007.27545-1-jlebon@redhat.com/T/#u. The third paragraph in the commit message covers this exact use case. :) Without that, we're basically stuck between two bad options (loading the policy in the initrd or doing some kind of clever hack so we can redeploy post-pivot but then we'd still have to reboot). |
To clarify: this will be useful, and I think we should include it, but the enhancement request does not need it. The enhancement request specifically states the root filesystem will be written in a Where I see this work being immediately relevant is that if a user does not want encryption, then the LUKS container can be replaced. Longer-term, once Ignition supports setting up LUKS, then we can have a default Ignition configuration for setting up LUKS and use this Dracut module to rewrite the filesystem. |
|
Sorry.... @cgwalters that was entirely an accidental closure. |
Sure, but I don't like the idea of shipping that versus solving the full general problem. We already had to close PRs like coreos/coreos-installer#48 because we don't have this. |
cgwalters
force-pushed
the
redeploy-rootfs
branch
from
17a9684 to
7e946d7
Compare
|
@ajeddeloh When you get a few can you look over this from an architecture perspective? Particularly bits like: How do we hook in a "post-parse pre-disks" Ignition hook for this to run? Relatedly, do you think it's better if Ignition gained an optional ostree integration (and had this code, hence no direct hook necessary) or if (rpm-)ostree gained this code and we had the hook? |
|
In general I'm in favor of this and the post-parse-pre-disks hook. This is dependent on splitting parsing into it's own stage, but I've been wanting to do that anyway (this has also been called "stage 0"). I'm not sure how coupled to Ignition it ought to be. The simplest way would be to say "is there a filesystem in the config with The only concern with false positives I have is it's a performance penalty. We could reduce it a fair bit by not blowing away the rootfs prematurely (looks like that might just be for testing in this pr?) and checking if there are ostree files already before redeploying. This still has the save penalty, but not the restore. |
|
I don't quite understand your suggestion; I was thinking of a
When I was saying "hook" I was thinking of how we use systemd units today to separate things out. Were you thinking something more like a build-time option for Ignition that ran a specified binary? Or an |
That's exactly what I was thinking of, we're on the same page.
Only if jq proves insufficient
Wouldn't be needed with a fetch stage (can use systemd units) |
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107
cgwalters
force-pushed
the
redeploy-rootfs
branch
from
7e946d7 to
54a4beb
Compare
|
OK cool split that out into #110 and wrote some Also here's the |
cgwalters
force-pushed
the
redeploy-rootfs
branch
2 times, most recently
from
5fcd392 to
cd23232
Compare
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107
I had this fix in my WIP ignition-ostree-rootfs stack, and apparently missed putting it in the split-out change. This service runs really really early on, it can't be `After=basic.target`.
I'm working on supporting reprovisioning the rootfs with Ignition on OSTree based systems like Fedora CoreOS, and this will add a lot of tricky logic that relates the two. While we want to support Ignition independent of OSTree and vice versa, it will be a lot cleaner if we centralize the dracut logic in one place. This adds a `31ignition-ostree` module that imports the code from https://github.com/coreos/fedora-coreos-config/tree/092f680a5c75324e3efcd5e50374a2c1b5d4b057/overlay.d/05core/usr/lib/dracut/modules.d/40coreos-var Most notably, this is: 1) A separate dracut module easily skippable 2) The units use `ConditionKernelCommandline=ostree` so will be harmless even if included The units imported here also do this: ``` ConditionPathExists=!/usr/sbin/coreos-mount-var ``` So this change can be safely merged, built and shipped as an RPM, then we can drop the FCOS config bits and enable it later. Tested both ways (inert and enabled). And to clarify, the later ignition-ostree-rootfs stuff will land in this same dracut module.
For redeploying the rootfs
cgwalters
force-pushed
the
redeploy-rootfs
branch
from
cd23232 to
3c5da1f
Compare
|
Moved to coreos/fedora-coreos-config#184 |
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107 (cherry picked from commit 8926f0f)
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107 (cherry picked from commit 8926f0f)
This stage just triggers the internal code which fetches the config and writes `/run/ignition.json`; from there it'd be picked up by later stages the way it was implicitly before. This is prep for adding support for redeploying the rootfs for Fedora CoreOS; we need to have a separate process determine whether the rootfs is being replaced, and if so do a save/restore across `ignition-disks.service`. See: coreos/ignition-dracut#107 (cherry picked from commit 8926f0f)
This is a quick hack to add a
31ignition-ostreemodule that can take care of redeploying the rootfs betweenignition-disks.serviceandignition-mount.service.We obviously only want to run this if the user has provided an Ignition config that replaces the
rootlabeled filesystem. Doing so I think would require adding something like a separateignition-parse.servicestage that touches a stamp file/run/ignition-rootfs-replacedor so, and these services key off that?I'm working on this because openshift/enhancements#15 needs it.