dracut/30ignition: Reboot the system after ignition if kargs.d is present

[zonggen]

As mentioned in https://github.com/coreos/ignition-dracut/issues/81#issuecomment-494888494,
this change adds a service that checks for the presence of /etc/ostree/kargs.d and redeploys
then reboots the system if it exists.

Closes: #81

[cgwalters]

Shouldn't have code that is specific to a hardcoded ref. Though this of course gets into a bit of a mess as all the nice high level logic around kargs is most recently in rpm-ostree, specifically rpm-ostree kargs which handles all of this.

Which isn't designed to be run from the initramfs today, although for that matter neither is ostree.

Are you sure this script would work? It looks like you're using /etc/ostree/kargs.d but that's the copy in the initramfs, it'd need to be /sysroot/etc/ostree/kargs.d here right?

[zonggen]

Shouldn't have code that is specific to a hardcoded ref.
although for that matter neither is ostree.

Can I use ostree refs --repo /sysroot/ostree/repo to retrieve the REFSPEC or ostree should not be used at all?

Are you sure this script would work?

I'm not sure, since I haven't tested on this.. will be testing tomorrow morning

It looks like you're using /etc/ostree/kargs.d but that's the copy in the initramfs, it'd need to be /sysroot/etc/ostree/kargs.d

I have a blurred understanding of which part is in initramfs and which part is in sysroot before. Now I think I have a sense that before mounting sysroot, all of the files resides in initramfs. Thank you for pointing that out !

[jlebon]

Note also you'll want to test this on top of ostreedev/ostree#1836. See some tips from @cgwalters and @rfairley on doing that in ostreedev/ostree#479.

Can I use ostree refs --repo /sysroot/ostree/repo to retrieve the REFSPEC or ostree should not be used at all?

Sure. There shouldn't be other refs or deployments in there on first boot normally. Though another approach that would survive that would be to pick up the ostree= karg (see e.g. cmdline_arg in the generator), then pickup refspec from $(realpath $ostree_arg).origin. Not necessary as a first pass though!

[rfairley]

👍 - I left some instructions with those tips collected here: ostreedev/ostree#1836 (comment)

To test with Ignition, instead of editing fedora-coreos-base.yaml and adding kargs snippets using the add-files field, you can add those files under /etc/ostree/kargs.d through an Ignition config (haven't tried this, but should work!).

[zonggen]

Using ostree refs --repo /sysroot/ostree/repo for now, might change to $(realpath $ostree_arg).origin in the future

[ajeddeloh]

I'd avoid using the Ignition (X) for things that aren't Ignition stages.

[zonggen]

Changed to Description=Reboot after Ignition to apply kargs

[ajeddeloh]

nit: ignition-mount does not actually mount the rootfs; it mounts all other filesystems defined by the Ignition config.

[zonggen]

Thanks for explaining!
One followup question is that, is it initrd-root-fs.target that mounts the rootfs?

[jlebon]

Check out bootup(7) and systemd.special(7). Those are super helpful for understanding the boot process!

[ajeddeloh]

Do we need this?

[zonggen]

I'm not sure about this, so I left it untouched, comparing to other service files..

[jlebon]

The env file is useful if you have code dependent on a specific PLATFORM_ID. Otherwise, we don't strictly need it (but it doesn't hurt either of course!).

[ajeddeloh]

I'd prefer to drop it if we don't need it. Less to confuse people.

[zonggen]

Agreed, dropping this line

[jlebon]

Hmm, we shouldn't need this. ignition-complete.target is ordered before the main initrd.target, which is reached well before initrd-switch-root.target.

[zonggen]

Dropping this line..

[jlebon]

Check out bootup(7) and systemd.special(7). Those are super helpful for understanding the boot process!

[jlebon]

Maybe let's call it ignition-apply-kargs.service or something?

[ajeddeloh]

I'd prefer to drop ignition from the name entirely. It's not running Ignition at all. It would be good to keep reboot in the unit name as well to make it clear what it's doing. Just spitballing apply-kargs-and-reboot.service?

[jlebon]

I'm not a fan of unit names that don't contain any hint of where it came from. The ignition in the unit name is more to namespace it in that sense (maybe ignition-dracut-... would work too). Of course, we could (and probably should) also add e.g. Documentation=https://github.com/coreos/ignition-dracut or something, which I don't think we do today.

[zonggen]

Changed the name to ignition-apply-kargs.service and ignition-apply-kargs.sh, and added Reboot after Ignition to apply kargs to description.

[jlebon]

Could probably do ConditionDirectoryNotEmpty=/sysroot/etc/ostree/kargs.d here. systemd checks the condition at the time the unit would be started.

[ajeddeloh]

I was thinking about that and I'm not sure. We may want more complicated checks in the future that the systemd conditionals can't support. That being said, I suppose it's fine for now; we can always change it to something more complex if it comes to that.

[zonggen]

Checking kargs.d inside ignition-apply-kargs.sh for now, might change to ConditionDirectoryNotEmpty=/sysroot/etc/ostree/kargs.d after testing.

[jlebon]

Hmm, I think we need After=ignition-files.service, so that user-configs can also drop kargs files and have them immediately take effect.

[zonggen]

Yep, that makes sense!

[jlebon]

The env file is useful if you have code dependent on a specific PLATFORM_ID. Otherwise, we don't strictly need it (but it doesn't hurt either of course!).

[jlebon]

Note also you'll want to test this on top of ostreedev/ostree#1836. See some tips from @cgwalters and @rfairley on doing that in ostreedev/ostree#479.

Can I use ostree refs --repo /sysroot/ostree/repo to retrieve the REFSPEC or ostree should not be used at all?

Sure. There shouldn't be other refs or deployments in there on first boot normally. Though another approach that would survive that would be to pick up the ostree= karg (see e.g. cmdline_arg in the generator), then pickup refspec from $(realpath $ostree_arg).origin. Not necessary as a first pass though!

[zonggen]

@jlebon Thank you for the review and for the pointers to the bootup(7) and systemd.special(7)!

[zonggen]

Update:

• tested by creating /etc/ostree/kargs.d/ using ignition config inside cmd-run of cosa
• bootup failed with:

localhost ignition-apply-kargs[637]: /usr/sbin/ignition-apply-kargs[637]: /usr/sbin/ignition-apply-kargs: line 7: ostree: command not found

Related issue: coreos/fedora-coreos-tracker#34

[arithx]

@zonggen that output makes it look like ostree isn't present in the initramfs, maybe try adding it to the inst_multiple in the module-setup?

[cgwalters]

that output makes it look like ostree isn't present in the initramfs,

Right, that also leads to the point that at the present time, there's a tiny bit of ostree in the initramfs but the rest of the functionality (upgrades, changing kargs, or in general making new deployments) hasn't been tested in the initramfs. It might work, it might require libostree changes.

[ajeddeloh]

Right, that also leads to the point that at the present time, there's a tiny bit of ostree in the initramfs but the rest of the functionality (upgrades, changing kargs, or in general making new deployments) hasn't been tested in the initramfs. It might work, it might require libostree changes.

I assume you mean when running implicitly referring to the running system, right? There's no reason it should behave differently when running using --sysroot, --os, and friends in the initramfs, right?

[zonggen]

Update:

• adding inst_multiple in the module-setup fixed the problem ostree: command not found
• however ignition-apply-kargs.service failed with error: No file or directory on

local REFSPEC=( $(ostree refs --repo /sysroot/ostree/repo) )

• then I tried:

# retrieve 'ostree=' karg from '/proc/cmdline' 
cmdline=( $(</proc/cmdline) )
cmdline_arg() {
    local name="ostree" value=""
    for arg in "${cmdline[@]}"; do
        if [[ "${arg%%=*}" == "${name}" ]]; then
            value="${arg#*=}"
            break
        fi
    done
    echo "${value}"
}

local REFSPEC="$(realpath $(cmdline_arg)).origin"

which still failed with similar error: No file or directory on the value of $(cmdline_arg), meaning that neither /sysroot/ostree/repo or $(cmdline_arg) exists (in fact /sysroot is empty after ignition-files.service and before ignition-complete.target).

It seems that both directories only exist after initrd-switch-root.target, but we don't want to reboot from the real root https://github.com/coreos/ignition-dracut/issues/81#issue-445194150..

[ajeddeloh]

Wont this run Ignition on second boot as well since we don't remove the ignition-firstboot file?

[zonggen]

Added checking on ignition.firstboot inside /proc/cmdline (link to test branch), but still failed with same error on /sysroot/ostree/repo not existing.

[ajeddeloh]

is the ignition-mount unit active when this unit is running? It might be that it's getting stopped which triggers unmounting everything. Maybe try a Requires=ignition-mount.service?

[jlebon]

then I tried:

Note that the ostree= arg isn't the deployment root, it's a directory under /ostree, so you'll want to append that to /sysroot, then do realpath on that. See e.g. https://github.com/coreos/fedora-coreos-config/blob/eba405180411ead8e496a881704d6fb2e673cf61/overlay/usr/lib/dracut/modules.d/40coreos-var/coreos-mount-var.sh#L27.

Might be easier to play around with these paths in a fully booted FCOS machine first so you see how these paths all fit together. It's definitely not straightforward on first approach. :)

in fact /sysroot is empty after ignition-files.service and before ignition-complete.target

Hmm, that's really odd. Note that from the emergency shell, systemd will unmount everything (including /sysroot), so if you're testing there, you'll want to remount things manually (or you can printf debug things from your module too).

[zonggen]

Trying both remounting and printing debug message 👍

[zonggen]

is the ignition-mount unit active when this unit is running? It might be that it's getting stopped which triggers unmounting everything. Maybe try a Requires=ignition-mount.service?

Added the Requires=ignition-mount.service, but still complaining about the same error..

[jlebon]

Note that the ostree= arg isn't the deployment root, it's a directory under /ostree, so you'll want to append that to /sysroot, then do realpath on that.

Wrote this in a haste, and it's not quite right. So for posterity, let me expand on this: ostree= is a path to a symlink. Doing realpath on that symlink will yield the deployment root. But it's under /ostree (i.e. it's relative to the physical root partition), so you have to prefix it with /sysroot first when resolving from the initrd. To learn more about why it's set up that way, check out: https://ostree.readthedocs.io/en/latest/manual/atomic-upgrades/#the-ostreeboot-directory

So something like: origin=$(realpath /sysroot/$(cmdline_arg ostree)).origin should work. Once you have that, you could peek inside it to get the refspec=. It's not entirely foolproof either, since e.g. rpm-ostree uses baserefspec=. But for our purposes here, just grepping for refspec= should work fine (or ostree refs should work too as mentioned earlier).

Added the Requires=ignition-mount.service, but still complaining about the same error..

Right, ignition-files.service already requires it, so it's a no-op.

Did you try just e.g. ls /sysroot from the dracut module itself?

[zonggen]

Did you try just e.g. ls /sysroot from the dracut module itself?

Yes, just tried it. Seems like everything is mounted correctly, also ls /sysroot/ostree gave me

     |- boot.1
     |- boot.1.1
     |- deploy
     |- repo

which looks correct..

[zonggen]

Running ostree admin deploy "fedora/x86_64/coreos/testing-devel" directly inside ignition-apply-kargs.sh failed with error: No such file or directory.

[zonggen]

Update:

• ostree admin status failed with opendir(ostree/repo): No such file or directory,
• ls /sysroot/ostree showed /sysroot/ostree/repo exists
• ls / showed /ostree does not exist
• I'm wondering if ostree is looking at the /ostree/repo under / instead of /sysroot, which caused ostree admin deploy "fedora/x86_64/coreos/testing-devel" failed.

[cgwalters]

You definitely need a --sysroot=/sysroot argument here.
And also it should be $REFSPEC and not REFSPEC literally.

Also there is ostree admin instutil set-kargs which mutates the deployment in-place rather than creating a new one which...is probably better here.

[zonggen]

Yes --sysroot=/sysroot solved the issue here : )

And also it should be $REFSPEC and not REFSPEC literally.

I only corrected this in local testing branch, should've updated pr branch too. Sorry about this.
Currently I'm testing on ostree admin instutil set-kargs 👍

[zonggen]

Update:

• Tried both ostree admin deploy and ostree admin instutil set-kargs

---

1. ostree admin deploy

REFSPEC=( $(ostree refs --repo /sysroot/ostree/repo) )
ostree admin --sysroot=/sysroot --os=fcos deploy ${REFSPEC}

Failed with

error: Performing initial cleanup: Cleaning deployments: Removing ostree/deploy/fedora-coreos/deploy/df834127e66e07a84c123ca67bededbba779c33646b791a9ca524bf9084.0: unlinkat(sysroot): Device or resource busy
Main process exited, code=exited, status=1/FAILURE
Failed with result 'exit-code'.

---

2. ostree admin instutil set-kargs

kargs=$(cat /sysroot/etc/ostree/kargs.d/karg_file)
ostree admin instutil set-kargs -v --sysroot=/sysroot --replace ${kargs}

Failed with

error: Unable to find a deployment in sysroot

$ ls /sysroot/ostree/deploy/fedora-coreos/deploy
9c75a8b92f0068ffd5fbfae9a72427f688749af94b7215d7b35d0d47a4bfae9a72427f688749af94b7215d7b35d0d47a48336dd.0
9c75a8b92f0068ffd5fbfae9a72427f688749af94b7215d7b35d0d47a48336dd.0427f688749af94b7215d7b35d0d47a48336dd.0.origin

[cgwalters]

The problem here boils down to a lot of the libostree code just not being designed to run from the initramfs unfortunately...

I think the problem in the first case is that ostree isn't expecting things to be mounted at the target path in the --sysroot case. Though I'd need to think through it.

The second one, not sure what's going on there.

[zonggen]

I agree, even running ostree admin instutil set-kargs under real root will result in error: Attempting to remove booted deployment, hinting that ostree is not happy with modifying already booted / mounted deployment.

[dustymabe]

is this something we still want to do? Does it need a new round of review?

[zonggen]

It is safe to close this pr since it would not work until libostree can be run inside initramfs..