From 36eafff45f5378042d15c646bb6d9bd3dc645c4c Mon Sep 17 00:00:00 2001
From: Luca BRUNO
Date: Fri, 11 Dec 2020 11:39:30 +0000
Subject: [PATCH 1/3] core/dracut/ignition-ostree: add a bwrap-in-sysroot helper
This introduces a new `coreos-sysroot-bwrap` helper in initramfs, for binaries that need to be executed with the final sysroot as a target, but before the pivot-root happens.
---
.../40ignition-ostree/coreos-sysroot-bwrap | 53 +++++++++++++++++++
.../40ignition-ostree/module-setup.sh | 3 ++
2 files changed, 56 insertions(+)
create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-sysroot-bwrap
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-sysroot-bwrap b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-sysroot-bwrap
new file mode 100755
index 0000000000..dd51530b2a
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/coreos-sysroot-bwrap
@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+#
+# Needed to work around the initrd `rootfs` / filesystem not being a valid
+# mount to pivot out of. For reference, see:
+# - https://github.com/torvalds/linux/blob/26bc672134241a080a83b2ab9aa8abede8d30e1c/fs/namespace.c#L3605
+# - https://gist.github.com/jlebon/fb6e7c6dcc3ce17d3e2a86f5938ec033
+set -euo pipefail
+
+TMP_CHROOT_DIR=""
+
+main() {
+ setup_chroot_tmpdir
+ run_chrooted_bwrap "$@"
+}
+
+setup_chroot_tmpdir() {
+ TMP_CHROOT_DIR=$(mktemp --directory --tmpdir=/mnt '.coreos-sysroot-bwrap.tmp.XXXXXXXXXX')
+ mount --bind / "${TMP_CHROOT_DIR}"
+ mount --make-private "${TMP_CHROOT_DIR}"
+ mount --bind "${TMP_CHROOT_DIR}" "${TMP_CHROOT_DIR}"
+ for mnt in proc sys dev; do
+ mount --bind /$mnt "${TMP_CHROOT_DIR}"/$mnt
+ done
+ touch "${TMP_CHROOT_DIR}"/run/ostree-booted
+ mount --bind /sysroot "${TMP_CHROOT_DIR}"/sysroot
+}
+
+run_chrooted_bwrap() {
+ chroot "${TMP_CHROOT_DIR}" \
+ /usr/bin/env --chdir /sysroot \
+ bwrap \
+ --unshare-pid --unshare-uts --unshare-ipc --unshare-net \
+ --unshare-cgroup-try --dev /dev --proc /proc --chdir / \
+ --ro-bind usr /usr --bind etc /etc --dir /tmp --tmpfs /var/tmp \
+ --tmpfs /run --ro-bind /run/ostree-booted /run/ostree-booted \
+ --symlink usr/lib /lib \
+ --symlink usr/lib64 /lib64 \
+ --symlink usr/bin /bin \
+ --symlink usr/sbin /sbin -- "$@"
+}
+
+cleanup() {
+ if test -z "${TMP_CHROOT_DIR}"; then
+ return
+ fi
+
+ umount --lazy --recursive "${TMP_CHROOT_DIR}"
+ umount --recursive "${TMP_CHROOT_DIR}"
+ rmdir "${TMP_CHROOT_DIR}"
+}
+
+trap cleanup EXIT
+main "$@"
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
index bb7c50acbb..6a0e4f01f0 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
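Review bot: In `cleanup`, the second `umount --recursive "${TMP_CHROOT_DIR}"` runs after `umount --lazy --recursive` has already detached the same tree, so it will, as far as I can tell, fail with "not mounted"; with `set -euo pipefail` in force the handler stops there, `rmdir` never runs, the temporary directory is left behind under /mnt, and the wrapped command's exit status may be masked by that failure. Keep a single detach, e.g. `umount --recursive "${TMP_CHROOT_DIR}" || umount --lazy --recursive "${TMP_CHROOT_DIR}"`, so `rmdir` is reached on every path. A usage header would also help callers, since the helper executes its arguments as root against the target root: `# Usage: coreos-sysroot-bwrap COMMAND [ARGS...] -- run COMMAND in a bwrap sandbox rooted at /sysroot (/usr read-only, /etc writable, host namespaces unshared).` Note the sandbox unshares pid/uts/ipc/net but not user (no `--unshare-user`), so it limits the filesystem view, not privilege, and COMMAND must remain fully trusted.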
@@ -15,7 +15,9 @@ install_ignition_unit() {
 install() {
 inst_multiple \
+ bwrap \
 realpath \
+ rmdir \
 setfiles \
 systemd-sysusers \
 systemd-tmpfiles \
@@ -87,4 +89,5 @@ install() {
 inst_script "$moddir/coreos-growpart" /usr/libexec/coreos-growpart
 inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
+ inst_script "$moddir/coreos-sysroot-bwrap" /usr/bin/coreos-sysroot-bwrap
 }
From b39c0553b397981328adeb2058464e680fd7f2ab Mon Sep 17 00:00:00 2001
From: Luca BRUNO
Date: Fri, 11 Dec 2020 12:36:34 +0000
Subject: [PATCH 2/3] core/dracut/ignition-ostree: add ignition-ostree-sysusers service
This introduces a new `ignition-ostree-sysusers.service`, which takes care of poulating users and groups on the target sysroot before the Ignition `files` stage.
---
.../ignition-ostree-sysusers | 19 +++++++++++++++++++
.../ignition-ostree-sysusers.service | 17 +++++++++++++++++
.../40ignition-ostree/module-setup.sh | 4 ++++
3 files changed, 40 insertions(+)
create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers
create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers.service
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers
new file mode 100755
index 0000000000..172b5a8e43
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers
@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+# Run systemd-sysusers for the target OSTree sysroot.
+
+set -euo pipefail
+
+main() {
+ coreos-sysroot-bwrap systemd-sysusers
+ coreos-relabel \
+ /etc/group \
+ /etc/group- \
+ /etc/gshadow \
+ /etc/gshadow- \
+ /etc/passwd \
+ /etc/passwd- \
+ /etc/shadow \
+ /etc/shadow-
+}
+
+main "$@"
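Review bot: `inst_multiple` gains `bwrap` and `rmdir`, but `coreos-sysroot-bwrap` also executes `chroot`, `mktemp`, `mount`, `umount`, `touch` and `env --chdir`; unless those are already pulled into the initramfs by dracut's base module or another module in this image (not visible from this hunk), the helper fails at runtime, so please confirm and list any missing ones next to `bwrap \`. `env --chdir` additionally depends on a coreutils new enough to support that flag, which presumably holds here but deserves a one-line comment such as `# env --chdir is used by coreos-sysroot-bwrap`. `install()` starts and ends outside this hunk.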
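Review bot: The `coreos-relabel` call in `main` passes absolute paths such as `/etc/passwd`, which inside the initramfs name the initrd's own files rather than the target's; whether `coreos-relabel` prefixes them with /sysroot is not visible in this patch, so the intent needs a comment, e.g. `# paths are resolved by coreos-relabel under /sysroot, not the initrd root`. It is also not clear from here what happens when a backup file such as `/etc/shadow-` does not exist yet (there is no backup before the first rewrite); if `coreos-relabel` returns non-zero on a missing path, `set -e` fails the whole unit, which is worth confirming. Recording why the relabel is needed at all would help the next reader: `# NOTE(review): presumably systemd-sysusers ran without an SELinux policy loaded, so the files it rewrote must be relabeled before Ignition files run -- confirm.`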
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers.service b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers.service
new file mode 100644
index 0000000000..9dbfdacfc3
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-sysusers.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Populate OSTree sysusers
+DefaultDependencies=false
+ConditionKernelCommandLine=|ostree
+
+# Need to do this with all mount points active
+After=ignition-mount.service
+
+# But *before* we start dumping files in there
+Before=ignition-files.service
+Before=ignition-ostree-populate-var.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+MountFlags=slave
+ExecStart=/usr/sbin/ignition-ostree-sysusers
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
index 6a0e4f01f0..67069a670b 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -58,6 +58,10 @@ install() {
 sgdisk \
 find
+ inst_script "$moddir/ignition-ostree-sysusers" \
+ "/usr/sbin/ignition-ostree-sysusers"
+ install_ignition_unit ignition-ostree-sysusers.service
+
 for x in mount populate; do
 install_ignition_unit ignition-ostree-${x}-var.service
 inst_script "$moddir/ignition-ostree-${x}-var.sh" "/usr/sbin/ignition-ostree-${x}-var"
From dd25144656d37409d566a473bff097060068d1df Mon Sep 17 00:00:00 2001
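Review bot: The unit orders itself `After=ignition-mount.service` but does not require it, so if the mount step fails or is skipped this oneshot still starts and runs `systemd-sysusers` against whatever is (or is not) at /sysroot; adding `Requires=ignition-mount.service` next to the `After=` line closes that gap. In the other direction, `ignition-files.service` is only ordered after this unit via `Before=`, so a failure here does not stop later stages from referencing users that were never created; if the sibling Ignition units in this module fail over to the emergency target (that convention is not visible in this patch), add `OnFailure=emergency.target` and `OnFailureJobMode=isolate` here for consistency. `MountFlags=slave` is the right call given that the helper bind-mounts / and /sysroot under /mnt, and a one-line comment would save the next reader a trip to the script: `# MountFlags=slave: coreos-sysroot-bwrap creates bind mounts under /mnt that must not leak into the host namespace`.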
From: Luca BRUNO
Date: Mon, 14 Dec 2020 10:36:00 +0000
Subject: [PATCH 3/3] tests/ignition: check file ownership for system users
This ensure that entries in Ignition configuration can reference system users even if not present in ostree commit (e.g. `zincati).
---
tests/kola/ignition/sysusers/config.fcc | 12 ++++++++++++
tests/kola/ignition/sysusers/test.sh | 20 ++++++++++++++++++++
2 files changed, 32 insertions(+)
create mode 100644 tests/kola/ignition/sysusers/config.fcc
create mode 100755 tests/kola/ignition/sysusers/test.sh
diff --git a/tests/kola/ignition/sysusers/config.fcc b/tests/kola/ignition/sysusers/config.fcc
new file mode 100644
index 0000000000..d42a6d19c4
--- /dev/null
+++ b/tests/kola/ignition/sysusers/config.fcc
@@ -0,0 +1,12 @@
+---
+variant: fcos
+version: 1.0.0
+storage:
+ files:
+ - path: /etc/zincati/config.d/00-dummy-placeholder.toml
+ mode: 0644
+ user:
+ name: "zincati"
+ contents:
+ inline: |
+ # Dummy placeholder
diff --git a/tests/kola/ignition/sysusers/test.sh b/tests/kola/ignition/sysusers/test.sh
new file mode 100755
index 0000000000..049b0825fe
--- /dev/null
+++ b/tests/kola/ignition/sysusers/test.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ok() {
+ echo "ok" "$@"
+}
+
+fatal() {
+ echo "$@" >&2
+ exit 1
+}
+
+TARGET="/etc/zincati/config.d/00-dummy-placeholder.toml"
+OWNER=$(stat -c '%U' "${TARGET}")
+
+# make sure the placeholder file is owned by the proper system user.
+if test "${OWNER}" != 'zincati' ; then
+ fatal "unexpected owner of ${TARGET}: ${OWNER}"
+fi
+ok "placeholder file correctly owned by zincati user"
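Review bot: `OWNER=$(stat -c '%U' "${TARGET}")` aborts through `set -e` with stat's own error if the placeholder was never written, which hides whether the failure is a missing file or a wrong owner; guard it first with `test -f "${TARGET}" || fatal "missing ${TARGET}"` so the test reports its own diagnostic. The assertion also only checks the owner name, while the accompanying config requests `mode: 0644` as well; asserting `stat -c '%U:%a'` against `zincati:644` covers both in the same call. Minor style: `'zincati' ; then` carries a stray space before the semicolon.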