stages/files: relabel files before systemd-sysctl

This is a workaround for an inherent issue with the current relabeling approach (see coreos#635). `systemd-sysctl.service` is definitely one of those early services that have a high probability of reading files from `/etc` before it's relabeled. They're both pulled in by `sysinit.target`, but `ignition-relabel.service` has an additional `After=local-fs.target` which makes it likelier to run later (also see coreos#635 about that). So for now, let's just hack around this by making sure `systemd-sysctl` runs after us.
jlebon · Sep 27, 2018 · bab77f2 · bab77f2
1 parent 0c622ab
commit bab77f2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/internal/exec/stages/files/files.go b/internal/exec/stages/files/files.go
@@ -138,7 +138,7 @@ func (s *stage) addRelabelUnit(config types.Config) error {
 Description=Relabel files created by Ignition
 DefaultDependencies=no
 After=local-fs.target
-Before=sysinit.target
+Before=sysinit.target systemd-sysctl.service
 ConditionSecurity=selinux
 ConditionPathExists=/etc/selinux/ignition.relabel
 OnFailure=emergency.target