Rework initrd usr mount to start Ignition/Afterburn from there #52
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pothos
added a commit
to flatcar-archive/coreos-overlay
that referenced
this pull request
Jan 20, 2023
This pulls in flatcar/bootengine#52 to reduce the size of the unified kernel image by starting Ignition/ Afterburn from the /usr partition. This also requires to install the Ignition binary to /usr.
This was referenced Jan 20, 2023
Merged
krnowak
reviewed
Jan 23, 2023
The check for the norecovery option used the same condition but had different actions in the if branch. Also, for the systemd generator the unit name was wrong because it was just the unit name of the bind mount. Align the check for the norecovery option and also use the right unit name.
The size of the unified kernel image grew so much that we almost hit the limit of the fixed /boot partition. While we could tweak which kernel modules are present the largest contributors are actually Ignition and Afterburn (coreos-metadata). Since we also ship Afterburn on the /usr partition and have Ignition installed there, too (but currently masked), we could do what was done for Torcx and directly call it from there (but with LD_LIBRARY_PATH instead of chroot). There are a few corner cases where this was not directly possible due to the order of events in the initrd and these had to be reworked. This establishes a structure that allows the /sysusr/usr mount to be used for calling Ignition and Afterburn. This mount point was set up by systemd already but since we have a legacy generator, this needed adaption, too. The final /usr mount in /sysroot/usr is still set up. In the case of the systemd generator it is a bind mount, for the legacy generator it is a separate mount, both work but we could align this to also use a bind mount. The afterburn-network-kargs.service starts a bit later now because it depends on the /sysusr mount and this also means that the parse-ip-for-networkd dracut hook needed to run at a later stage, here solved with an own service but since the dracut hook mechanism with sourcing is complicated, the script still runs as hook to serialize the environment. The fsck check for /usr was also in the way and thus we write out a dummy systemd-fsck-usr.service since we don't need to check /usr as it's verity-protected. In the end with these changes we significantly reduce the unified kernel image size and have more breathing room for the next years. If we have to move some other binaries or even kernel modules that are not essential for loading /usr itself, we can move them out of the initrd based on this work. Size reduction for arm64 is 58 MB -> 52 MB, for amd64 it is 55 MB -> 49MB.
pothos
force-pushed
the
kai/initrd-rework
branch
from
223dfde
to
7f0ba3b
Compare
krnowak
approved these changes
Jan 25, 2023
pothos
added a commit
to flatcar-archive/coreos-overlay
that referenced
this pull request
Jan 25, 2023
This pulls in flatcar/bootengine#52 to reduce the size of the unified kernel image by starting Ignition/ Afterburn from the /usr partition. This also requires to install the Ignition binary to /usr.
t-lo
pushed a commit
to flatcar/scripts
that referenced
this pull request
Apr 17, 2023
This pulls in flatcar/bootengine#52 to reduce the size of the unified kernel image by starting Ignition/ Afterburn from the /usr partition. This also requires to install the Ignition binary to /usr.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Rework initrd usr mount to start Ignition/Afterburn from there
The size of the unified kernel image grew so much that we almost hit
the limit of the fixed /boot partition. While we could tweak which
kernel modules are present the largest contributors are actually
Ignition and Afterburn (coreos-metadata). Since we also ship Afterburn
on the /usr partition and have Ignition installed there, too (but
currently masked), we could do what was done for Torcx and directly
call it from there (but with LD_LIBRARY_PATH instead of chroot). There
are a few corner cases where this was not directly possible due to the
order of events in the initrd and these had to be reworked.
This establishes a structure that allows the /sysusr/usr mount to be
used for calling Ignition and Afterburn. This mount point was set up
by systemd already but since we have a legacy generator, this needed
adaption, too. The final /usr mount in /sysroot/usr is still set up.
In the case of the systemd generator it is a bind mount, for the
legacy generator it is a separate mount, both work but we could align
this to also use a bind mount. The afterburn-network-kargs.service
starts a bit later now because it depends on the /sysusr mount and
this also means that the parse-ip-for-networkd dracut hook needed to
run at a later stage, here solved with an own service but since the
dracut hook mechanism with sourcing is complicated, the script still
runs as hook to serialize the environment. The fsck check for /usr was
also in the way and thus we write out a dummy systemd-fsck-usr.service
since we don't need to check /usr as it's verity-protected. In the end
with these changes we significantly reduce the unified kernel image
size and have more breathing room for the next years. If we have to
move some other binaries or even kernel modules that are not essential
for loading /usr itself, we can move them out of the initrd based on
this work. Size reduction for arm64 is 58 MB -> 52 MB, for amd64 it is
55 MB -> 49MB.
Align check for initrd-provided /usr
Fix non-working norecovery option
The check for the norecovery option used the same condition but had
different actions in the if branch. Also, for the systemd generator
the unit name was wrong because it was just the unit name of the bind
mount.
Align the check for the norecovery option and also use the right unit
name.
How to use
Testing done
CI run
Tested the
usr=cmdline case manually, tested the first bootip=10.0.2.15::10.0.2.2:255.255.255.0::eth0:off::cmdline case (and once withnetroot=dummy) and ran the CI to test the kargs VMware case and that Ignition works.