Accepting request 900738 from home:favogt:microselinux

- combustion: Relabel the old snapshot (if necessary) and explicitly
  trigger autorelabel for the new snapshot

- Expand and clarify README

OBS-URL: https://build.opensuse.org/request/show/900738
OBS-URL: https://build.opensuse.org/package/show/devel:kubic:ignition/combustion?expand=0&rev=17
Fabian Vogt 2021-06-18 10:19:05 +00:00 committed by Git OBS Bridge
parent 2982898b18
commit 53c4689a4b
3 changed files with 63 additions and 7 deletions

README
View File

@ -19,11 +19,25 @@ The configuration files are copied from a filesystem with the LABEL
It expects a directory "combustion" at the root level of the filesystem and
a file "script" inside, which is executed inside a transactional-update shell.
<root directory>
├── combustion
│ ├── script
│ └── ... other files
└── ignition (optional)
└── config.ign
If a QEMU fw_cfg blob with the name "opt/org.opensuse.combustion/script" is
found, it is preferred and the content of that is used as script.
Example parameter for QEMU:
-fw_cfg name=opt/org.opensuse.combustion/script,file=/var/combustion-script
You can do everything necessary for initial system configuration from this
script, including addition of ssh keys, adding users, changing passwords
or even doing partitioning changes.
Simple example
--------------
Example for formatting a USB drive and adding a config, which installs the
"vim-small" package and creates a /root/welcome file:
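Review bot: the tree added in this hunk introduces an "ignition (optional)" directory with config.ign, but the surrounding text never says what that directory is for or what happens when both combustion/script and ignition/config.ign are present; add a sentence stating which one is consumed (or that both are, and in which order), so a reader knows whether an ignition config can change what the combustion script later sees. The fw_cfg paragraph has a similar gap: "it is preferred and the content of that is used as script" should say whether the filesystem with the expected LABEL is still searched or required when the blob is supplied, since that decides whether a hypervisor-provided script alone is enough to configure the machine.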
@ -43,12 +57,34 @@ echo "Hello User!" >/mnt/combustion/welcome
umount /mnt
```
The "# combustion: network" comment indicates that network needs to be
configured before running the script.
The "# combustion: network" comment triggers networking initialization before
running the script. This is equivalent to passing "rd.neednet=1" on the kernel
cmdline and so the network configuration parameters (man dracut.cmdline) apply
here as well. If those aren't specified, it defaults to "ip=dhcp" for each
available interface.
You can do everything necessary for initial system configuration from this
script, including addition of ssh keys, adding users, changing passwords
or even doing partitioning changes.
More complex configuration example
----------------------------------
This script additionally provides visible feedback during boot, sets a password
and copies a public ssh key (which has to be in the "combustion" folder).
```
#!/bin/bash
# combustion: network
# Redirect output to the console
exec > >(exec tee -a /dev/tty0) 2>&1
# Set a password for root, generate the hash with "openssl passwd -6"
echo 'root:$5$.wn2BZHlEJ5R3B1C$TAHEchlU.h2tvfOpOki54NaHpGYKwdNhjaBuSpDotD7' | chpasswd -e
# Add a public ssh key and enable sshd
mkdir -pm700 /root/.ssh/
cat id_rsa_new.pub >> /root/.ssh/authorized_keys
systemctl enable sshd.service
# Install vim-small
zypper --non-interactive install vim-small
# Leave a marker
echo "Configured with combustion" > /etc/issue.d/combustion
```
How it works
------------
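Review bot: the comment 'generate the hash with "openssl passwd -6"' does not match the hash on the chpasswd line below it, which starts with $5$ (sha256-crypt, what "openssl passwd -5" produces); "-6" yields a $6$ sha512-crypt hash. Either regenerate the example hash with -6 or change the comment to -5, so someone who follows the comment ends up with a line in the same format as the example. Two further points for the README text: the outer script runs this file with `sh -e -c "...; ./script"`, but the example itself has no `set -e`, so a failing "zypper --non-interactive install" or chpasswd in the middle does not fail the script unless it happens to be the last command, and the rollback path is never taken; recommending `set -euo pipefail` right after the shebang fixes that. And since the script, root password hash included, sits on a plain readable USB filesystem, a sentence advising to wipe or unplug the drive after the first boot would be worth adding.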

View File

@ -106,6 +106,14 @@ if ! [ -e "${config_dir}/script" ]; then
exit 1
fi
# Have to take care of x-initrd.mount first and from the outside
awk '$4 ~ /x-initrd.mount/ { system("findmnt /sysroot" $2 " >/dev/null || mount -t " $3 " -o " $4 " " $1 " /sysroot" $2) }' /sysroot/etc/fstab
# Make sure the old snapshot is relabeled too, otherwise syncing its /etc fails.
if [ -e /sysroot/etc/selinux/.autorelabel ]; then
NEWROOT=/sysroot bash -c '. /lib/dracut-lib.sh; . /lib/dracut/hooks/pre-pivot/50-selinux-microos-relabel.sh'
fi
# Prepare chroot
for i in proc sys dev; do
mount --rbind /$i /sysroot/$i
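Review bot: the relabel step in this hunk sources /lib/dracut/hooks/pre-pivot/50-selinux-microos-relabel.sh whenever /sysroot/etc/selinux/.autorelabel exists, but neither the hook's presence nor the exit status of the `bash -c` is checked; if the initrd was built without that hook, or the relabel stops part way, execution continues and the failure only shows up later as the /etc sync error the comment says this is meant to prevent. Suggest guarding it, e.g.
if [ -e /sysroot/etc/selinux/.autorelabel ]; then
    [ -e /lib/dracut/hooks/pre-pivot/50-selinux-microos-relabel.sh ] || { echo "relabel hook missing"; exit 1; }
and treating a non-zero exit of the relabel as fatal in the same way the missing script is handled above. A one-line comment on why the x-initrd.mount loop now has to run before the relabel would also help, since "first and from the outside" no longer says first relative to what.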
@ -113,8 +121,6 @@ done
mount --make-rslave /sysroot
# Mount everything we can, errors deliberately ignored
# Have to take care of x-initrd.mount first and from the outside
awk '$4 ~ /x-initrd.mount/ { system("findmnt /sysroot" $2 " >/dev/null || mount -t " $3 " -o " $4 " " $1 " /sysroot" $2) }' /sysroot/etc/fstab
chroot /sysroot mount -a || true
# t-u needs writable /var/run and /tmp
findmnt /sysroot/run >/dev/null || mount -t tmpfs tmpfs /sysroot/run
@ -150,6 +156,9 @@ EOF
chroot /sysroot transactional-update --no-selfupdate rollback
exit 1
fi
# Snapshot got touched while the policy isn't active, needs relabeling again.
[ -e /sysroot/etc/selinux/.relabelled ] && >> /sysroot/etc/selinux/.autorelabel
else
mount -o remount,rw /sysroot
if ! chroot /sysroot sh -e -c "cd '${config_dir}'; chmod a+x script; ./script"; then
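Review bot: the new .autorelabel trigger is set only on the transactional-update branch, while the else branch below remounts /sysroot read-write and runs the script directly on it; by the comment's own reasoning ("touched while the policy isn't active") files the script creates on that path will also end up unlabeled. Either touch /sysroot/etc/selinux/.autorelabel after the script in the else branch too, or add a comment saying why that path does not need it. Also, the `[ -e /sysroot/etc/selinux/.relabelled ]` guard silently does nothing on a system that has never been labelled; if that is intended (no policy ever active, so no labelling wanted), a word in the comment would make the intent clear.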

View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Mon Jun 7 14:13:14 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- combustion: Relabel the old snapshot (if necessary) and explicitly
trigger autorelabel for the new snapshot
-------------------------------------------------------------------
Fri Mar 5 13:35:22 UTC 2021 - Fabian Vogt <fvogt@suse.com>
- Expand and clarify README
-------------------------------------------------------------------
Wed Jan 20 09:50:53 UTC 2021 - Fabian Vogt <fvogt@suse.com>