Use kernel cmdline to configure clevis-unlock

flatcar · Mar 4, 2024 · 2c08b2a · 2c08b2a
1 parent 89c3d21
commit 2c08b2a
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 9 deletions.
diff --git a/dracut/40clevis-unlock/clevis-network-generator b/dracut/40clevis-unlock/clevis-network-generator
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+set -e
+
+UNIT_DIR="$1"
+
+if cat /proc/cmdline | grep -qw "rd.clevis_unlock=network"; then
+    mkdir -p "${UNIT_DIR}/clevis-unlock.service.d"
+
+    cat >${UNIT_DIR}/clevis-unlock.service.d/network_dependency.conf <<EOF
+    # Automatically generated by clevis-network-generator
+
+    [Unit]
+    Wants=systemd-networkd.service systemd-resolved.service network-online.target
+    After=systemd-networkd.service systemd-resolved.service network-online.target
+EOF
+fi
diff --git a/dracut/40clevis-unlock/clevis-unlock.service b/dracut/40clevis-unlock/clevis-unlock.service
@@ -6,12 +6,8 @@ RequiresMountsFor=/sysusr/usr/
 Before=initrd-root-fs.target
 # dracut-initqueue will wait for /dev/disk/by-label/ROOT, so we must decrypt the root disk before dracut-initqueue.
 Before=dracut-initqueue.service
-Wants=systemd-networkd.service
-After=systemd-networkd.service
-Wants=systemd-resolved.service
-After=systemd-resolved.service
-Wants=network-online.target
-After=network-online.target
+ConditionKernelCommandLine=|rd.clevis_unlock=network
+ConditionKernelCommandLine=|rd.clevis_unlock=no_network
 
 [Service]
 # We let the unlocker run in "loop" mode: it will keep retrying unlocking until there are no more devices to unlock.

diff --git a/dracut/40clevis-unlock/module-setup.sh b/dracut/40clevis-unlock/module-setup.sh
@@ -1,9 +1,7 @@
 #!/bin/bash
-# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
-# ex: ts=8 sw=4 sts=4 et filetype=sh
 
 depends() {
-    echo clevis
+    echo systemd clevis
 }
 
 install() {
@@ -22,4 +20,7 @@ install() {
         "${systemdsystemunitdir}/clevis-unlock.service"
 
     systemctl --root "$initdir" enable clevis-unlock.service
+
+    inst_simple "$moddir/clevis-network-generator" \
+        "$systemdutildir/system-generators/clevis-network-generator"
 }