From 2f1530ad39d8ef57f1a9dc8f8a0b89501f3d06a1 Mon Sep 17 00:00:00 2001
From: Erikson Tung
Date: Tue, 20 Apr 2021 11:53:30 -0700
Subject: [PATCH] bootstrap-containers: prevent bootstrap containers from restarting

bootstrap-containers@ units create a sentinel file when they first run. If the sentinel file exists, the unit will be skipped over. This will prevent non-essential bootstrap-containers from being restarted by systemd when multi-user.target is reached.
---
 packages/os/bootstrap-containers-tmpfiles.conf | 1 +
 packages/os/bootstrap-containers@.service | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/packages/os/bootstrap-containers-tmpfiles.conf b/packages/os/bootstrap-containers-tmpfiles.conf
index 7a7aa9b3a82..00c3c035e20 100644
--- a/packages/os/bootstrap-containers-tmpfiles.conf
+++ b/packages/os/bootstrap-containers-tmpfiles.conf
@@ -1,3 +1,4 @@
 d /etc/bootstrap-containers 0750 root root -
+d /run/bootstrap-containers 0755 root root -
 d /local/bootstrap-containers 0700 root root -
 T /local/bootstrap-containers - - - - security.selinux=system_u:object_r:secret_t:s0
diff --git a/packages/os/bootstrap-containers@.service b/packages/os/bootstrap-containers@.service
index 72dbd64d742..7e35eaf01dd 100644
--- a/packages/os/bootstrap-containers@.service
+++ b/packages/os/bootstrap-containers@.service
@@ -7,10 +7,16 @@ Wants=host-containers.service
 # started by systemd
 RefuseManualStart=true
 RefuseManualStop=true
+# If a sentinel file exists for this bootstrap container, it means we should skip
+# since we've run this bootstrap container already.
+ConditionPathExists=!/run/bootstrap-containers/%i.ran
 
 [Service]
 Type=oneshot
 EnvironmentFile=/etc/bootstrap-containers/%i.env
+# Create a sentinel file to mark that we've run
+ExecStart=/usr/bin/touch /run/bootstrap-containers/%i.ran
+# Run the bootstrap container
 ExecStart=/usr/bin/host-ctr run \
     --container-id='%i' \
     --source='${CTR_SOURCE}' \
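Review bot: The sentinel is written by the first `ExecStart=` before `host-ctr run` executes, so a bootstrap container whose run fails is marked as "ran" and will be skipped for the rest of the boot with only the unit's failed state as evidence. If skipping even after a failure is the intent for non-essential containers, the comment above the touch line should say so, e.g. `# Create a sentinel file to mark that we've run (written before the run, so a failed run is not retried this boot)`; if a failed run should remain eligible, writing the marker as `ExecStartPost=/usr/bin/touch /run/bootstrap-containers/%i.ran` keeps the skip-on-restart behavior while recording only successful runs, since ExecStartPost= commands run only after the ExecStart= commands succeed. It is also worth noting in the ConditionPathExists comment that /run is a per-boot tmpfs (the tmpfiles hunk creates the directory there), so the skip applies within one boot and the container runs again after reboot, which matches the commit message. The `host-ctr run` command continues past the end of the hunk.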