Support reading configs from /run/ignition and /etc/ignition/ #1891

Open
jlebon opened this issue Jun 18, 2024 · 1 comment
Labels
jira for syncing to jira

@jlebon
Member

jlebon commented Jun 18, 2024

Starting from systemd v256, systemd units in the initramfs run with ProtectSystem= by default. This means that /usr is now mounted read-only there:

https://github.com/systemd/systemd/blob/07748c53df5a72111d8b3eef49d275210d6018cd/NEWS#L168-L175

This breaks coreos-ignition-setup-user.sh which is used in various flows to copy the Ignition config to /usr/lib/ignition/.

Let's have Ignition also support sourcing from /run and /etc, which is standard nowadays for a lot of services. I think coreos-ignition-setup-user would probably want to use /etc since it's lifecycled with the initramfs, so we don't have to worry about cleaning it up.

jlebon added a commit to jlebon/fedora-coreos-config that referenced this issue Jun 18, 2024
systemd v256 now runs the initrd with `ProtectSystem=yes`, which makes
`/usr` read-only:

https://github.com/systemd/systemd/blob/07748c53df5a72111d8b3eef49d275210d6018cd/NEWS#L168-L175

This breaks coreos-ignition-setup-user which wants to copy the Ignition
config to `/usr/lib/ignition`.

I think the right fix for this is to have Ignition learn to also source
from `/etc` and `/run`, which is the standard nowadays:

coreos/ignition#1891

But for now at least, we can safely remount `/usr` read-write ourselves
without affecting the rest of the system since we're already running
with `MountFlags=slave`.
@travier
Member

travier commented Jun 19, 2024

Maybe we could also completely move to /etc and add a compatibility symlink as that would keep the current logic.

jbtrystram pushed a commit to coreos/fedora-coreos-config that referenced this issue Jun 19, 2024
@prestist prestist added the jira for syncing to jira label Jun 28, 2024