From b0b1d9cfff73a019a9c58e364dd7f66f19c1d26f Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Tue, 14 Jul 2020 16:08:16 -0400 Subject: [PATCH 1/3] tests/misc-ro: generalize NIC naming test Instead of checking for `ens` on QEMU, just check that the interface name *isn't* `eth*`. This should be cross-platform, so we can drop the `systemd-run` wrapper. --- tests/kola/misc-ro | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro index b4e2546ac2..fab7731db2 100755 --- a/tests/kola/misc-ro +++ b/tests/kola/misc-ro @@ -1,6 +1,6 @@ #!/bin/bash # This is a place to put random quick read-only tests. -set -euo pipefail +set -xeuo pipefail ok() { echo "ok" "$@" @@ -15,5 +15,7 @@ systemctl is-enabled logrotate.service ok logrotate # https://github.com/coreos/fedora-coreos-config/commit/2a5c2abc796ac645d705700bf445b50d4cda8f5f -systemd-run -P -p ConditionVirtualization=kvm --wait /bin/sh -c 'set -euo pipefail; ip link | grep -o -e " ens[0-9]:"' +if ip link | grep -o -e " eth[0-9]:"; then + fatal "detected eth* NIC naming on node" +fi ok nic naming From 963a9a8828b7c2de7de2d58be948cb7fd1fd2957 Mon Sep 17 00:00:00 2001 
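Review bot: In the new `if ip link | grep -o -e " eth[0-9]:"` check, a failure of `ip link` itself makes the condition false, so the script prints `ok nic naming` without having inspected any interface. The pattern also matches only single-digit names, so an interface called `eth10` would not be detected. Capture the listing first so `set -e` aborts on failure, `links=$(ip link)`, and then test it with `if grep -o -E ' eth[0-9]+:' <<<"$links"; then`.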
From: Jonathan Lebon Date: Tue, 14 Jul 2020 17:35:19 -0400 Subject: [PATCH 2/3] Move to conditional networking We have all the piece in place now to move to conditional networking. So let's drop the `rd.neednet=1` firstboot karg. Also don't enable coreos-liveiso-network-kargs.service on FCOS since it's no longer needed (i.e. the live ISO will now enable initrd networking as required given the embedded Ignition config). On RHCOS, we still need it for now until we move to spec3. Then we can remove the service and script completely. Fixes: https://github.com/coreos/fedora-coreos-tracker/issues/443 --- image.yaml | 6 ++--- .../coreos-copy-firstboot-network.service | 4 ++++ .../coreos-liveiso-network-kargs.service | 4 ++++ .../20live/coreos-liveiso-network-kargs.sh | 5 +++++ .../dracut/modules.d/20live/live-generator | 6 ++++- .../system/coreos-liveiso-success.service | 3 +-- tests/kola/misc-ro | 22 +++++++++++++++++++ 7 files changed, 44 insertions(+), 6 deletions(-) diff --git a/image.yaml b/image.yaml index 653342ddd2..a91ab32025 100644 --- a/image.yaml +++ b/image.yaml @@ -9,9 +9,9 @@ extra-kargs: # https://fedoraproject.org/wiki/Changes/CGroupsV2 - systemd.unified_cgroup_hierarchy=0 -# Kernel arguments to be used on first-boot. -ignition-network-kcmdline: - - 'rd.neednet=1' +# Disable networking by default on firstboot. We can drop this once cosa stops +# defaulting to `ip=dhcp,dhcp6 rd.neednet=1` when it doesn't see this key. +ignition-network-kcmdline: [] # Optional remote by which to prefix the deployed OSTree ref ostree-remote: fedora diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-firstboot-network/coreos-copy-firstboot-network.service b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-firstboot-network/coreos-copy-firstboot-network.service index 2762042128..2fd6151b01 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-firstboot-network/coreos-copy-firstboot-network.service 
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/15coreos-firstboot-network/coreos-copy-firstboot-network.service @@ -43,6 +43,10 @@ After=coreos-gpt-setup@dev-disk-by\x2dlabel-root.service # Since we are mounting /boot/, require the device first Requires=dev-disk-by\x2dlabel-boot.device After=dev-disk-by\x2dlabel-boot.device +# Need to run after fetch-offline stage since it may re-run the NM cmdline +# hook which will generate NM configs from the network kargs, but we want to +# have precedence. +After=ignition-fetch-offline.service [Service] Type=oneshot diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.service b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.service index 72ac3c3cf5..a774914fb2 100644 --- a/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.service +++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.service @@ -24,6 +24,10 @@ # prompt without requiring networking on boot. The user can # then configure the networking interactively. # +# Note that this script is only used on RHCOS now. We should be able to remove +# it once RHCOS moves to spec3. On FCOS/spec3, this is replaced by the +# conditional networking work: +# https://github.com/coreos/fedora-coreos-config/pull/426 [Unit] Description=Request live ISO networking DefaultDependencies=no diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.sh b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.sh index 9049686ad4..d989243b36 100755 --- a/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.sh +++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-liveiso-network-kargs.sh 
@@ -2,6 +2,11 @@ # For a description of how this is used see coreos-liveiso-network-kargs.service +# Note that this script is only used on RHCOS now. We should be able to remove +# it once RHCOS moves to spec3. On FCOS/spec3, this is replaced by the +# conditional networking work: +# https://github.com/coreos/fedora-coreos-config/pull/426 + # Load the dracut library for getarg source /usr/lib/dracut-lib.sh diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator b/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator index 2a9c91e62c..82819d4f6b 100755 --- a/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator +++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator @@ -31,7 +31,11 @@ add_requires sysroot.mount initrd-root-fs.target add_requires sysroot-etc.mount initrd-root-fs.target add_requires sysroot-var.mount initrd-root-fs.target -add_requires coreos-liveiso-network-kargs.service initrd.target +# Need to be flexible here until RHCOS moves to spec3. +if ! (ignition -help || :) |& grep -q 'fetch-offline'; then + add_requires coreos-liveiso-network-kargs.service initrd.target +fi + add_requires coreos-liveiso-reconfigure-nm-wait-online.service initrd.target mkdir -p "${UNIT_DIR}/ostree-prepare-root.service.d" diff --git a/overlay.d/05core/usr/lib/systemd/system/coreos-liveiso-success.service b/overlay.d/05core/usr/lib/systemd/system/coreos-liveiso-success.service index befc41e790..a3db8673a6 100644 --- a/overlay.d/05core/usr/lib/systemd/system/coreos-liveiso-success.service +++ b/overlay.d/05core/usr/lib/systemd/system/coreos-liveiso-success.service 
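Review bot: The `(ignition -help || :) |& grep -q 'fetch-offline'` probe in live-generator cannot tell "this Ignition has no fetch-offline stage" apart from "the `ignition` binary could not be run", because `|| :` and the negated `grep` send both cases down the branch that adds `coreos-liveiso-network-kargs.service`. On an image where the probe breaks, that may quietly bring back the initrd networking request this commit intends to drop on FCOS. If the fallback is deliberate, say so next to the check, e.g. `# Any probe failure falls back to the legacy (RHCOS) path and requests networking.`. The rest of the generator is outside the hunk.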
@@ -4,8 +4,7 @@ [Unit] Description=CoreOS Live ISO virtio success Documentation=https://github.com/coreos/fedora-coreos-config -# Only run on the Live ISO, and only if there's no Ignition config; -# the second bits here invert the conditionals in coreos-liveiso-network-kargs.service. +# Only run on the Live ISO, and only if there's no Ignition config ConditionKernelCommandLine=coreos.liveiso ConditionPathExists=!/config.ign ConditionVirtualization=|kvm diff --git a/tests/kola/misc-ro b/tests/kola/misc-ro index fab7731db2..9f0ed720d4 100755 --- a/tests/kola/misc-ro +++ b/tests/kola/misc-ro @@ -11,6 +11,15 @@ fatal() { exit 1 } +on_platform() { + grep -q " ignition.platform.id=$1 " /proc/cmdline +} + +get_journal_msg_timestamp() { + journalctl -o json -b 0 --grep "$1" \ + | jq -r --slurp '.[0]["__MONOTONIC_TIMESTAMP"]' +} + systemctl is-enabled logrotate.service ok logrotate @@ -19,3 +28,16 @@ if ip link | grep -o -e " eth[0-9]:"; then fatal "detected eth* NIC naming on node" fi ok nic naming + +switchroot_ts=$(get_journal_msg_timestamp 'Switching root.') +nm_ts=$(get_journal_msg_timestamp 'NetworkManager .* starting') +# by default, kola on QEMU shouldn't need to bring up networking +# https://github.com/coreos/fedora-coreos-config/pull/426 +if [[ $nm_ts -lt $switchroot_ts ]] && on_platform qemu; then + fatal "NetworkManager started in initramfs!" +# and as a sanity-check that this test works, verify that on AWS +# we did bring up networking in the initrd +elif [[ $nm_ts -gt $switchroot_ts ]] && on_platform aws; then + fatal "NetworkManager not started in initramfs!" +fi +ok conditional initrd networking From 613f69129b069f443101ab7084c80115c7ce13ec Mon Sep 17 00:00:00 2001 
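Review bot: `get_journal_msg_timestamp` gives its caller no usable signal when no journal entry matches: with an empty input `jq -r --slurp '.[0]["__MONOTONIC_TIMESTAMP"]'` prints the string `null`, and the later `-lt`/`-gt` comparisons then operate on `null` instead of a timestamp. Using `jq -e -r --slurp ...` makes a missing entry a non-zero exit status, so the caller can `fatal` and name the pattern that was not found. `on_platform` also requires a space on both sides of `ignition.platform.id=$1`, so it presumably misses the argument when it is the first or last one in `/proc/cmdline`; `grep -qE "(^| )ignition\.platform\.id=$1( |\$)" /proc/cmdline` covers those positions.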
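Review bot: The `if`/`elif` chain in the second tests/kola/misc-ro hunk asserts something only on `qemu` and `aws`; on every other platform, and whenever the two timestamps are equal, control falls through to `ok conditional initrd networking` although nothing was verified. Branching on the platform first and logging the skipped case keeps the reported result honest. Note that the sketch below treats equal timestamps as a failure on both platforms, which is stricter than the submitted code.

```shell
# … unchanged: switchroot_ts / nm_ts lookups …
if on_platform qemu; then
    # by default, kola on QEMU shouldn't need to bring up networking
    [[ $nm_ts -gt $switchroot_ts ]] || fatal "NetworkManager started in initramfs!"
elif on_platform aws; then
    # sanity-check: on AWS networking must come up in the initrd
    [[ $nm_ts -lt $switchroot_ts ]] || fatal "NetworkManager not started in initramfs!"
else
    echo "skipping conditional initrd networking check on this platform"
fi
```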
From: Jonathan Lebon Date: Wed, 15 Jul 2020 09:09:30 -0400 Subject: [PATCH 3/3] 05core/autologin: query journal instead of /run/ignition.json We shouldn't use `/run/ignition.json` to determine whether a user config was provided since it's implementation details. Instead, use the new official journal messages that Ignition emits. This is complicated by the fact that we need to support RHCOS, where the journal messages haven't been backported. Use the fact that we always have a base config to key off of whether to use the old behaviour vs the new one. (More accurately, we'd want to check for https://github.com/coreos/ignition/pull/1002, but there's no easy way to do this from the outside. Alternatively we can check the Ignition version, though that's deeply nested under `/usr/lib/dracut/...`). Anyway, this should be temporary until RHCOS moves to spec v3. Closes: #514 --- .../coreos-liveiso-autologin-generator | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-liveiso-autologin-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-liveiso-autologin-generator index dec68b3c30..af8ea9d445 100755 --- a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-liveiso-autologin-generator +++ b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-liveiso-autologin-generator 
@@ -101,8 +101,22 @@ fi # If the user supplied an Ignition config, they have the ability to enable # autologin themselves. Don't automatically render them insecure, since # they might be running in production and booting via e.g. IPMI. -if [ -e /run/ignition.json ] ; then - exit 0 + +# This is a hack for RHCOS Ignition which doesn't have +# https://github.com/coreos/ignition/pull/958. This works because right now both +# RHCOS and FCOS unconditionally bake in a base config. Once RHCOS moves to +# Ignition v2, we can drop this and just leave the else block. +ign_basecfg_msg=$(journalctl -q MESSAGE_ID=57124006b5c94805b77ce473e92a8aeb IGNITION_CONFIG_TYPE=base) +if [ -z "${ign_basecfg_msg}" ]; then + if [ -e /run/ignition.json ]; then + exit 0 + fi +else + # See https://github.com/coreos/ignition/pull/958 for the MESSAGE_ID source. + ign_usercfg_msg=$(journalctl -q MESSAGE_ID=57124006b5c94805b77ce473e92a8aeb IGNITION_CONFIG_TYPE=user) + if [ -n "${ign_usercfg_msg}" ]; then + exit 0 + fi fi write_dropin "getty@.service" "--noclear"
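Review bot: Both `journalctl` lookups fail open: if the query errors out or the journal cannot be read when the generator runs, `ign_basecfg_msg` is empty, the legacy `/run/ignition.json` branch is taken, and when that file is absent autologin is enabled even though a user config may have been supplied. Since the comment above says the aim is not to render production machines insecure, a failed query should mean "do not enable autologin", e.g. `ign_basecfg_msg=$(journalctl -q MESSAGE_ID=57124006b5c94805b77ce473e92a8aeb IGNITION_CONFIG_TYPE=base) || exit 0`, and likewise for the `user` query. That assumes `journalctl` exits 0 when the filter simply matches nothing, which should be confirmed on RHCOS before relying on it. The message ID is also written out twice; one variable holding it would keep the two queries in step. Whether the script runs under `set -e` is not visible in this hunk.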