From bf49343264d88f481f76f92800c37059c7817cc2 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Thu, 29 Aug 2019 05:00:13 -0400
Subject: [PATCH 1/7] live: copy boot files from installer
---
live/EFI/fedora/grub.cfg | 33 +++++++++++++++++
live/README.md | 13 +++++++
live/isolinux/boot.msg | 5 +++
live/isolinux/isolinux.cfg | 72 ++++++++++++++++++++++++++++++++++++++
live/zipl.prm | 1 +
5 files changed, 124 insertions(+)
create mode 100755 live/EFI/fedora/grub.cfg
create mode 100644 live/README.md
create mode 100755 live/isolinux/boot.msg
create mode 100755 live/isolinux/isolinux.cfg
create mode 100644 live/zipl.prm
diff --git a/live/EFI/fedora/grub.cfg b/live/EFI/fedora/grub.cfg
new file mode 100755
index 0000000000..3cc1d6ffc4
--- /dev/null
+++ b/live/EFI/fedora/grub.cfg
@@ -0,0 +1,33 @@
+# Note this file mostly matches the grub.cfg file from within the
+# efiboot.img on the Fedora Server DVD iso. Diff this file with that
+# file in the future to pick up changes.
+#
+# One diff to note is we use linux and initrd instead of linuxefi and
+# initrdefi. We do this because it works and allows us to use this same
+# file on other architecutres. https://github.com/coreos/fedora-coreos-config/issues/63
+#
+# This file gets embedded into the efiboot.img on our Fedora CoreOS ISO.
+set default="1"
+
+function load_video {
+ insmod efi_gop
+ insmod efi_uga
+ insmod video_bochs
+ insmod video_cirrus
+ insmod all_video
+}
+
+load_video
+set gfxpayload=keep
+insmod gzio
+insmod part_gpt
+insmod ext2
+
+set timeout=60
+### END /etc/grub.d/00_header ###
+
+### BEGIN /etc/grub.d/10_linux ###
+menuentry 'Install Fedora CoreOS' --class fedora --class gnu-linux --class gnu --class os {
+ linux /images/vmlinuz nomodeset rd.neednet=1 coreos.inst=yes
+ initrd /images/initramfs.img
+}
diff --git a/live/README.md b/live/README.md
new file mode 100644
index 0000000000..67068086fa
--- /dev/null
+++ b/live/README.md
@@ -0,0 +1,13 @@
+These files will be copied to the target installer ISO
+via the CoreOS Assembler buildextend-installer call. It
+picks up all files in the coreos/fedora-coreos-config/installer/
+directory and copies them to the base of the ISO.
+
+Files currently copied are:
+
+- isolinux/boot.msg
+- isolinux/isolinux.cfg
+
+Files that get copied into efiboot.img in the ISO:
+
+- EFI/grub.cfg
diff --git a/live/isolinux/boot.msg b/live/isolinux/boot.msg
new file mode 100755
index 0000000000..ff54899e1c
--- /dev/null
+++ b/live/isolinux/boot.msg
@@ -0,0 +1,5 @@
+ +splash.lss + + - Press the 0107 key to begin the installation process. +
diff --git a/live/isolinux/isolinux.cfg b/live/isolinux/isolinux.cfg
new file mode 100755
index 0000000000..e9a6efb4c2
--- /dev/null
+++ b/live/isolinux/isolinux.cfg
@@ -0,0 +1,72 @@
+# Note this file mostly matches the isolinux.cfg file from the Fedora
+# Server DVD iso. Diff this file with that file in the future to pick up
+# changes.
+serial 0
+default vesamenu.c32
+timeout 600
+
+display boot.msg
+
+# Clear the screen when exiting the menu, instead of leaving the menu displayed.
+# For vesamenu, this means the graphical background is still displayed without
+# the menu itself for as long as the screen remains in graphics mode.
+menu clear
+menu background splash.png
+menu title Fedora CoreOS Installer
+menu vshift 8
+menu rows 18
+menu margin 8
+#menu hidden
+menu helpmsgrow 15
+menu tabmsgrow 13
+
+# Border Area
+menu color border * #00000000 #00000000 none
+
+# Selected item
+menu color sel 0 #ffffffff #00000000 none
+
+# Title bar
+menu color title 0 #ff7ba3d0 #00000000 none
+
+# Press [Tab] message
+menu color tabmsg 0 #ff3a6496 #00000000 none
+
+# Unselected menu item
+menu color unsel 0 #84b8ffff #00000000 none
+
+# Selected hotkey
+menu color hotsel 0 #84b8ffff #00000000 none
+
+# Unselected hotkey
+menu color hotkey 0 #ffffffff #00000000 none
+
+# Help text
+menu color help 0 #ffffffff #00000000 none
+
+# A scrollbar of some type? Not sure.
+menu color scrollbar 0 #ffffffff #ff355594 none
+
+# Timeout msg
+menu color timeout 0 #ffffffff #00000000 none
+menu color timeout_msg 0 #ffffffff #00000000 none
+
+# Command prompt text
+menu color cmdmark 0 #84b8ffff #00000000 none
+menu color cmdline 0 #ffffffff #00000000 none
+
+# Do not display the actual menu unless the user presses a key. All that is displayed is a timeout message.
+
+menu tabmsg Press Tab for full configuration options on menu items.
+
+menu separator # insert an empty line
+menu separator # insert an empty line
+
+label linux
+ menu label ^Install Fedora CoreOS
+ kernel /images/vmlinuz
+ append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes
+
+menu separator # insert an empty line
+
+menu end
diff --git a/live/zipl.prm b/live/zipl.prm
new file mode 100644
index 0000000000..6bdf352ccf
--- /dev/null
+++ b/live/zipl.prm
@@ -0,0 +1 @@
+rd.neednet=1 coreos.inst=yes
From 7c866d2f16dec32f4175e3496f8d7a5c495c2bd5 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Thu, 29 Aug 2019 05:02:49 -0400
Subject: [PATCH 2/7] live: update for live images
- Change labels
- Use short bootloader timeout
- Disable installer
- Enable Ignition, defaulting to metal platform
- Drop nomodeset karg
---
live/EFI/fedora/grub.cfg | 6 +++---
live/README.md | 6 +++---
live/isolinux/boot.msg | 2 +-
live/isolinux/isolinux.cfg | 9 +++++----
live/zipl.prm | 2 +-
5 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/live/EFI/fedora/grub.cfg b/live/EFI/fedora/grub.cfg
index 3cc1d6ffc4..30eb442aba 100755
--- a/live/EFI/fedora/grub.cfg
+++ b/live/EFI/fedora/grub.cfg
@@ -23,11 +23,11 @@ insmod gzio
insmod part_gpt
insmod ext2
-set timeout=60
+set timeout=1
### END /etc/grub.d/00_header ###
### BEGIN /etc/grub.d/10_linux ###
-menuentry 'Install Fedora CoreOS' --class fedora --class gnu-linux --class gnu --class os {
- linux /images/vmlinuz nomodeset rd.neednet=1 coreos.inst=yes
+menuentry 'Fedora CoreOS (Live)' --class fedora --class gnu-linux --class gnu --class os {
+ linux /images/vmlinuz rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
initrd /images/initramfs.img
}
diff --git a/live/README.md b/live/README.md
index 67068086fa..6a123986fa 100644
--- a/live/README.md
+++ b/live/README.md
@@ -1,6 +1,6 @@
-These files will be copied to the target installer ISO
-via the CoreOS Assembler buildextend-installer call. It
-picks up all files in the coreos/fedora-coreos-config/installer/
+These files will be copied to the target live ISO
+via the CoreOS Assembler buildextend-live call. It
+picks up all files in the coreos/fedora-coreos-config/live/
directory and copies them to the base of the ISO.
Files currently copied are:
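Review bot: The kernel argument list `rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal` on the `linux` line is now hand-copied into three boot configs (this grub.cfg hunk, the isolinux.cfg `append` line in the next hunk, and zipl.prm), and the README in this series still lists the EFI config as `EFI/grub.cfg` and never mentions zipl.prm, so a later karg change can easily miss one loader (patch 7 already has to touch all three). Suggest a comment above the `menuentry` line: `# Kernel args must stay in sync with isolinux/isolinux.cfg and zipl.prm`. Since `ignition.firstboot` is unconditional here, Ignition presumably runs on every boot of the live media; stating that intent in the same comment would help reviewers of future karg changes.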
diff --git a/live/isolinux/boot.msg b/live/isolinux/boot.msg
index ff54899e1c..362e9e5ebe 100755
--- a/live/isolinux/boot.msg
+++ b/live/isolinux/boot.msg
@@ -1,5 +1,5 @@ splash.lss
- - Press the 0107 key to begin the installation process.
+ - Press the 0107 key to boot.
diff --git a/live/isolinux/isolinux.cfg b/live/isolinux/isolinux.cfg
index e9a6efb4c2..383d3d4cbd 100755
--- a/live/isolinux/isolinux.cfg
+++ b/live/isolinux/isolinux.cfg
@@ -3,7 +3,7 @@ # changes.
serial 0
default vesamenu.c32
-timeout 600
+timeout 10
display boot.msg
@@ -12,7 +12,7 @@ display boot.msg
# the menu itself for as long as the screen remains in graphics mode.
menu clear
menu background splash.png
-menu title Fedora CoreOS Installer
+menu title Fedora CoreOS
menu vshift 8
menu rows 18
menu margin 8
@@ -63,9 +63,10 @@ menu separator # insert an empty line
menu separator # insert an empty line
label linux
- menu label ^Install Fedora CoreOS
+ menu label ^Fedora CoreOS (Live)
+ menu default
kernel /images/vmlinuz
- append initrd=/images/initramfs.img nomodeset rd.neednet=1 coreos.inst=yes
+ append initrd=/images/initramfs.img rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
menu separator # insert an empty line
diff --git a/live/zipl.prm b/live/zipl.prm
index 6bdf352ccf..7d2928c044 100644
--- a/live/zipl.prm
+++ b/live/zipl.prm
@@ -1 +1 @@
-rd.neednet=1 coreos.inst=yes
+rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
From 88aca0a7a005bec0e123d454653ca505390a8da3 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Thu, 29 Aug 2019 18:17:51 -0400
Subject: [PATCH 3/7] overlay/05core: add hook script to detect live system
ignition-dracut will invoke this to determine whether to enable units that require a boot disk.
---
.../05core/usr/lib/dracut/modules.d/20live/is-live-image.sh | 5 +++++
.../05core/usr/lib/dracut/modules.d/20live/module-setup.sh | 4 ++++
2 files changed, 9 insertions(+)
create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/20live/is-live-image.sh
create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/20live/module-setup.sh
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/is-live-image.sh b/overlay.d/05core/usr/lib/dracut/modules.d/20live/is-live-image.sh
new file mode 100755
index 0000000000..c971af77b3
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/is-live-image.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Script invoked by ignition-dracut generator to detect whether this is a
+# live system without a root device. We can't test for /run/ostree-live
+# because it may not have been created yet.
+[ -e /root.squashfs ]
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/20live/module-setup.sh
new file mode 100644
index 0000000000..e5d92bcc59
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/module-setup.sh
@@ -0,0 +1,4 @@
+install() {
+ inst_script "$moddir/is-live-image.sh" \
+ "/usr/bin/is-live-image"
+}
From 52ad686fbfdf9a36161c344f228e931d9c921eac Mon Sep 17 00:00:00 2001
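Review bot: is-live-image.sh exposes its result only through the exit status of `[ -e /root.squashfs ]`, yet the header comment never says that 0 means "live", which is presumably the whole contract the ignition-dracut generator relies on. Suggest extending the comment with `# Exits 0 if /root.squashfs is present (live boot), non-zero otherwise.` Later units in this series key off `/run/ostree-live` instead; the comment already explains why this script cannot, but naming where that stamp is created (the live-generator in patch 4) would make the two detection paths less surprising to the next reader.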
From: Benjamin Gilbert
Date: Wed, 4 Sep 2019 14:29:13 -0400
Subject: [PATCH 4/7] overlay/05core: set up /sysroot on live systems
If /root.squashfs exists in the initramfs, do the following:
1. Mount /root.squashfs on /sysroot
2. Locate the ostree deployment, add a corresponding ostree= argument to /proc/cmdline by bind-mounting over it, run ostree-prepare-root.service to set up the deployment, and unmount /proc/cmdline
3. Mount a tmpfs on /writable
4. Create needed directories in /writable
5. Create a writable overlay on /sysroot/etc, with /sysroot/etc as lowerdir and upper/work dirs in /writable
6. Bind-mount /writable/var to /sysroot/var
7. Run coreos-populate-var.service to populate /sysroot/var
Disable mounting of stateroot /var on live systems, since that's handled by step 6.
---
.../20live/coreos-populate-writable.service | 10 ++
.../dracut/modules.d/20live/live-generator | 101 ++++++++++++++++++
.../dracut/modules.d/20live/module-setup.sh | 12 +++
.../dracut/modules.d/20live/ostree-cmdline.sh | 25 +++++
.../dracut/modules.d/20live/writable.mount | 10 ++
.../40coreos-var/coreos-mount-var.service | 1 +
6 files changed, 159 insertions(+)
create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-populate-writable.service
create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator
create mode 100755 overlay.d/05core/usr/lib/dracut/modules.d/20live/ostree-cmdline.sh
create mode 100644 overlay.d/05core/usr/lib/dracut/modules.d/20live/writable.mount
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-populate-writable.service b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-populate-writable.service
new file mode 100644
index 0000000000..e1d4aa074a
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/coreos-populate-writable.service
@@ -0,0 +1,10 @@
+[Unit]
+DefaultDependencies=false
+RequiresMountsFor=/writable
+Before=sysroot-etc.mount sysroot-var.mount
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/bin/mkdir -m 755 -p /writable/etc/upper /writable/var
+ExecStart=/usr/bin/mkdir -m 700 -p /writable/etc/work
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator b/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator
new file mode 100755
index 0000000000..f68ebc1d5d
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/live-generator
@@ -0,0 +1,101 @@
+#!/bin/bash
+# -*- mode: shell-script; indent-tabs-mode: nil; sh-basic-offset: 4; -*-
+# ex: ts=8 sw=4 sts=4 et filetype=sh
+
+set -e
+
+UNIT_DIR="${1:-/tmp}"
+
+add_requires() {
+ local name="$1"
+ local requires_dir="${UNIT_DIR}/initrd-root-fs.target.requires"
+ mkdir -p "${requires_dir}"
+ ln -sf "../${name}" "${requires_dir}/${name}"
+}
+
+if [ -e /root.squashfs ]; then
+ # Create stamp file that everything else should use to detect a live boot
+ > /run/ostree-live
+
+ add_requires sysroot.mount
+ add_requires sysroot-etc.mount
+ add_requires sysroot-var.mount
+
+ mkdir -p "${UNIT_DIR}/ostree-prepare-root.service.d"
+ cat > "${UNIT_DIR}/ostree-prepare-root.service.d/10-live.conf" <"${UNIT_DIR}/sysroot.mount" <"${UNIT_DIR}/sysroot-etc.mount" <"${UNIT_DIR}/sysroot-var.mount" < /tmp/cmdline
+ mount --bind /tmp/cmdline /proc/cmdline
+ ;;
+ stop)
+ umount /proc/cmdline
+ rm /tmp/cmdline
+ ;;
+ *)
+ echo "Usage: $0 {start|stop}" >&2
+ exit 1
+ ;;
+esac
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/20live/writable.mount b/overlay.d/05core/usr/lib/dracut/modules.d/20live/writable.mount
new file mode 100644
index 0000000000..35d7d4dc10
--- /dev/null
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/20live/writable.mount
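Review bot: In `ExecStart=/usr/bin/mkdir -m 755 -p /writable/etc/upper /writable/var`, `-m` applies only to the final path component, so the intermediate `/writable/etc` is created with the service's umask-derived default, and the following `-m 700 -p /writable/etc/work` likewise leaves `/writable/etc` as whatever the first call produced. Since `/writable` is a `mode=0700` tmpfs this is not reachable by unprivileged users, but the mode of the directory holding the overlay's upper/work dirs should be stated rather than inherited; adding `ExecStart=/usr/bin/mkdir -m 755 -p /writable/etc` as the first ExecStart line makes the intent explicit. The unit orders itself `Before=sysroot-etc.mount sysroot-var.mount`, whose definitions come from live-generator heredocs that are not legible on this page, so the lowerdir/upperdir pairing could not be checked here.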
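Review bot: live-generator writes the `/run/ostree-live` stamp (`> /run/ostree-live`) before any unit or drop-in is generated, so if a later step fails under `set -e` the stamp still exists and coreos-mount-var.service, coreos-growpart.service and the boot-mount generator in patches 5 and 6 will treat the boot as live while the sysroot mounts they expect were never written; moving the stamp creation to the end of the `if` block keeps the two in agreement. The script also uses `set -e` where coreos-boot-mount-generator in patch 6 uses `set -euo pipefail`; aligning on `set -euo pipefail` would catch unset variables and failing pipelines consistently across both generators. In ostree-cmdline.sh the `stop` branch runs `umount /proc/cmdline` unconditionally, which fails if `start` never reached the bind mount; `mountpoint -q /proc/cmdline && umount /proc/cmdline` (if mountpoint is in the initramfs) would make stop idempotent. The heredoc bodies of live-generator and the head of ostree-cmdline.sh are not legible on this page, so the generated unit contents and the cmdline rewrite itself were not reviewed.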
@@ -0,0 +1,10 @@
+[Unit]
+DefaultDependencies=false
+Requires=coreos-populate-writable.service
+Before=coreos-populate-writable.service
+
+[Mount]
+What=tmpfs
+Where=/writable
+Type=tmpfs
+Options=mode=0700
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40coreos-var/coreos-mount-var.service b/overlay.d/05core/usr/lib/dracut/modules.d/40coreos-var/coreos-mount-var.service
index f4d329f379..d4b7d064e7 100644
--- a/overlay.d/05core/usr/lib/dracut/modules.d/40coreos-var/coreos-mount-var.service
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/40coreos-var/coreos-mount-var.service
@@ -1,6 +1,7 @@
[Unit]
Description=Mount OSTree /var
DefaultDependencies=false
+ConditionPathExists=!/run/ostree-live
# Make sure ExecStop= runs before we switch root
Before=initrd-switch-root.target
From 4a8a2e24da486442d664823b4a80b86d53fec14f Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Wed, 4 Sep 2019 14:32:57 -0400
Subject: [PATCH 5/7] overlay/05core: skip coreos-growpart.service on live systems
There's no on-disk filesystem to resize.
---
overlay.d/05core/usr/lib/systemd/system/coreos-growpart.service | 1 +
1 file changed, 1 insertion(+)
diff --git a/overlay.d/05core/usr/lib/systemd/system/coreos-growpart.service b/overlay.d/05core/usr/lib/systemd/system/coreos-growpart.service
index 0b794312eb..62fe04a8ed 100644
--- a/overlay.d/05core/usr/lib/systemd/system/coreos-growpart.service
+++ b/overlay.d/05core/usr/lib/systemd/system/coreos-growpart.service
@@ -1,6 +1,7 @@
# See also coreos-growpart script.
[Unit]
+ConditionPathExists=!/run/ostree-live
ConditionPathExists=!/var/lib/coreos-growpart.stamp
Before=sshd.service
From 1e003b715919ac66a62ba639f8b65ece4ad3283d Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert
Date: Wed, 4 Sep 2019 20:14:48 -0400
Subject: [PATCH 6/7] overlay/05core: create boot.mount and boot-efi.mount from generator
Conditionalizing the units won't work here because conditions don't affect the dependency on the underlying device unit.
Enable boot.mount on non-PXE boots.
Enable boot-efi.mount on non-PXE boots on platforms (x86_64 and aarch64) where we have an EFI partition, whether the /boot/efi mountpoint exists or not.
Also make the mount units WantedBy local-fs.target, rather than RequiredBy, to prevent boot failures if the mount fails.
---
.../coreos-boot-mount-generator | 48 +++++++++++++++++++
.../systemd/system-preset/40-coreos.preset | 2 -
.../usr/lib/systemd/system/boot-efi.mount | 11 -----
.../05core/usr/lib/systemd/system/boot.mount | 7 ---
4 files changed, 48 insertions(+), 20 deletions(-)
create mode 100755 overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator
delete mode 100644 overlay.d/05core/usr/lib/systemd/system/boot-efi.mount
delete mode 100644 overlay.d/05core/usr/lib/systemd/system/boot.mount
diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator
new file mode 100755
index 0000000000..1c975b99b5
--- /dev/null
+++ b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+set -euo pipefail
+
+UNIT_DIR="${1:-/tmp}"
+
+add_wants() {
+ local name="$1"; shift
+ local wants_dir="${UNIT_DIR}/local-fs.target.wants"
+ mkdir -p "${wants_dir}"
+ ln -sf "../${name}" "${wants_dir}/${name}"
+}
+
+# Don't create mount units for /boot or /boot/efi on live systems.
+# ConditionPathExists won't work here because conditions don't affect
+# the dependency on the underlying device unit.
+if [ ! -f /run/ostree-live ]; then
+ add_wants boot.mount
+ cat > "${UNIT_DIR}/boot.mount" < "${UNIT_DIR}/boot-efi.mount" <
Date: Wed, 4 Sep 2019 23:09:26 -0400
Subject: [PATCH 7/7] live: add mitigations=auto,smt karg
We enable it in non-live builds.
---
live/EFI/fedora/grub.cfg | 2 +-
live/isolinux/isolinux.cfg | 2 +-
live/zipl.prm | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/live/EFI/fedora/grub.cfg b/live/EFI/fedora/grub.cfg
index 30eb442aba..c4ef892bd1 100755
--- a/live/EFI/fedora/grub.cfg
+++ b/live/EFI/fedora/grub.cfg
@@ -28,6 +28,6 @@ set timeout=1
### BEGIN /etc/grub.d/10_linux ###
menuentry 'Fedora CoreOS (Live)' --class fedora --class gnu-linux --class gnu --class os {
- linux /images/vmlinuz rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
+ linux /images/vmlinuz mitigations=auto,nosmt rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
initrd /images/initramfs.img
}
diff --git a/live/isolinux/isolinux.cfg b/live/isolinux/isolinux.cfg
index 383d3d4cbd..8e62b3eef9 100755
--- a/live/isolinux/isolinux.cfg
+++ b/live/isolinux/isolinux.cfg
@@ -66,7 +66,7 @@ label linux
menu label ^Fedora CoreOS (Live)
menu default
kernel /images/vmlinuz
- append initrd=/images/initramfs.img rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
+ append initrd=/images/initramfs.img mitigations=auto,nosmt rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
menu separator # insert an empty line
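Review bot: With `add_wants boot.mount` wiring the generated units into `local-fs.target.wants` (a Wants rather than Requires dependency, as the commit message explains), a failed `/boot` mount no longer fails the boot but also leaves no trace beyond the journal, which matters if, as the name suggests, `/boot` holds the kernel and bootloader configuration that later updates write to. Consider a comment at the `add_wants` call recording the trade-off, e.g. `# Wants, not Requires: a missing /boot must not block boot, but later updates will fail`, so the next reader does not re-add RequiredBy without understanding why it was removed. The `-f /run/ostree-live` test agrees with the `> /run/ostree-live` creation in patch 4 and the `ConditionPathExists=!/run/ostree-live` checks in patches 4 and 5. The boot.mount and boot-efi.mount heredoc bodies, and the deleted unit and preset files, are not legible on this page and were not reviewed.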
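Review bot: The commit subject says `mitigations=auto,smt`, but the argument added on the `linux` line (and on the isolinux.cfg `append` line in the next hunk and in zipl.prm) is `mitigations=auto,nosmt`; the subject should read `live: add mitigations=auto,nosmt karg` so the history matches the more conservative setting that actually ships. Since `auto,nosmt` lets the kernel disable SMT when a mitigation calls for it, the live image can come up with fewer logical CPUs than the hardware exposes; a one-line comment above the `menuentry` saying this mirrors the non-live builds would save the next reader a trip to the git log.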
diff --git a/live/zipl.prm b/live/zipl.prm
index 7d2928c044..3eb0018643 100644
--- a/live/zipl.prm
+++ b/live/zipl.prm
@@ -1 +1 @@
-rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal
+mitigations=auto,nosmt rd.neednet=1 ip=dhcp ignition.firstboot ignition.platform.id=metal