s390x: workaround broken 'coreos-boot-disk' in 01-secex.ign config fo…

…r RHCOS BZ: https://bugzilla.redhat.com/show_bug.cgi?id=2075085 RHCOS may have (and has now) kernel with a known issue, which makes not possible to use 'coreos-boot-disk' symlink in the config. Once we have kernel >= 4.18.0-387.el8.s390x we should revert this commit Signed-off-by: Nikita Dubrovskii <[email protected]>
HuijingHei · Oct 10, 2023 · d39fa86 · d39fa86
1 parent 29bc2f9
commit d39fa86
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 4 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/01-secex.ign
@@ -5,7 +5,7 @@
   "storage": {
     "disks": [
       {
-        "device": "/dev/disk/by-id/coreos-boot-disk",
+        "device": "${BOOTDEV}",
         "partitions": [
           {
             "label": "boot",
@@ -36,7 +36,7 @@
     ],
     "luks": [
       {
-        "device": "/dev/disk/by-partlabel/boot",
+        "device": "${BOOTDEV}3",
         "label": "crypt_bootfs",
         "name": "boot",
         "options": [
@@ -46,7 +46,7 @@
         "wipeVolume": true
       },
       {
-        "device": "/dev/disk/by-partlabel/root",
+        "device": "${BOOTDEV}4",
         "label": "crypt_rootfs",
         "name": "root",
         "options": [

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -73,6 +73,5 @@ EOF
     if [[ "${secure_execution}" = "1" ]]; then
         mkdir -p /run/coreos/
         touch /run/coreos/secure-execution
-        mv /usr/lib/coreos/01-secex.ign /usr/lib/ignition/base.d/01-secex.ign
     fi
 fi
diff --git a/....d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.service b/....d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.service
@@ -0,0 +1,18 @@
+# RHOCS 4.12.s390x has an old kernel with a known issue: https://bugzilla.redhat.com/show_bug.cgi?id=2075085
+# Once we have kernel >= 4.18.0-387.el8.s390x we should drop this unit and copy config in coreos-diskful-generator
+[Unit]
+Description=Ignition OSTree: Inject secex config
+DefaultDependencies=false
+ConditionArchitecture=s390x
+ConditionKernelCommandLine=ostree
+ConditionPathExists=/run/coreos/secure-execution
+OnFailure=emergency.target
+OnFailureJobMode=isolate
+
+After=cryptsetup.target
+Before=ignition-fetch-offline.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ignition-ostree-secex-config
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-secex-config.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+
+if [[ -f /run/coreos/secure-execution ]]; then
+    bootdev=$(blkid --list-one --output device --match-token PARTLABEL=boot | sed 's,[0-9]\+$,,')
+    sed "s,\${BOOTDEV},$bootdev," < /usr/lib/coreos/01-secex.ign > /usr/lib/ignition/base.d/01-secex.ign
+fi
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -113,5 +113,13 @@ install() {
 
     install_ignition_unit ignition-ostree-close-luks.service
     install_ignition_unit ignition-ostree-drop-luks.service
+<<<<<<< HEAD
 >>>>>>> 6774eef6 (s390x: reencrypt boot- and rootfs if SecureExecution is enabled)
+=======
+
+    # Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=2075085
+    install_ignition_unit ignition-ostree-secex-config.service
+    inst_script "$moddir/ignition-ostree-secex-config.sh" \
+        /usr/libexec/ignition-ostree-secex-config
+>>>>>>> eee0d711 (s390x: workaround broken 'coreos-boot-disk' in 01-secex.ign config for RHCOS)
 }