bootstrap-containers: prevent bootstrap containers from restarting

bootstrap-containers@ units create a sentinel file when they first run. If the sentinel file exists, the unit will be skipped over. This will prevent non-essential bootstrap-containers from being restarted by systemd when multi-user.target is reached.
bottlerocket-os · Apr 21, 2021 · 2f1530a · 2f1530a
1 parent 708d095
commit 2f1530a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/packages/os/bootstrap-containers-tmpfiles.conf b/packages/os/bootstrap-containers-tmpfiles.conf
@@ -1,3 +1,4 @@
 d /etc/bootstrap-containers 0750 root root -
+d /run/bootstrap-containers 0755 root root -
 d /local/bootstrap-containers 0700 root root -
 T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:secret_t:s0
diff --git a/packages/os/bootstrap-containers@.service b/packages/os/bootstrap-containers@.service
@@ -7,10 +7,16 @@ Wants=host-containers.service
 # started by systemd
 RefuseManualStart=true
 RefuseManualStop=true
+# If a sentinel file exists for this bootstrap container, it means we should skip
+# since we've run this bootstrap container already.
+ConditionPathExists=!/run/bootstrap-containers/%i.ran
 
 [Service]
 Type=oneshot
 EnvironmentFile=/etc/bootstrap-containers/%i.env
+# Create a sentinel file to mark that we've run
+ExecStart=/usr/bin/touch /run/bootstrap-containers/%i.ran
+# Run the bootstrap container
 ExecStart=/usr/bin/host-ctr run \
     --container-id='%i' \
     --source='${CTR_SOURCE}' \