bootstrap-commands: implement bootstrap command execution

bottlerocket-os · Sep 4, 2024 · e139cf4 · e139cf4
1 parent 17abbba
commit e139cf4
Show file tree

Hide file tree

Showing 15 changed files with 599 additions and 47 deletions.
diff --git a/packages/os/bootstrap-commands-tmpfiles.conf b/packages/os/bootstrap-commands-tmpfiles.conf
@@ -0,0 +1 @@
+d /etc/bootstrap-commands 0750 root root -
diff --git a/packages/os/bootstrap-commands-toml b/packages/os/bootstrap-commands-toml
@@ -0,0 +1,18 @@
+[required-extensions]
+bootstrap-commands= "v1"
+std = { version = "v1", helpers = ["if_not_null", "toml_encode"]}
++++
+{{#if_not_null settings.bootstrap-commands}}
+{{#each settings.bootstrap-commands}}
+[bootstrap-commands."{{@key}}"]
+{{#if_not_null this.commands}}
+commands = {{ toml_encode this.commands }}
+{{/if_not_null}}
+{{#if_not_null this.mode}}
+mode = "{{{this.mode}}}"
+{{/if_not_null}}
+{{#if_not_null this.essential}}
+essential = {{this.essential}}
+{{/if_not_null}}
+{{/each}}
+{{/if_not_null}}
diff --git a/packages/os/bootstrap-commands.service b/packages/os/bootstrap-commands.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Bootstrap Commands
+# We depend on systemd-logind.service for running systemd-inhibit.
+After=systemd-logind.service settings-applier.service apiserver.service
+Requires=systemd-logind.service settings-applier.service apiserver.service
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemd-inhibit --what=shutdown --why="Running bootstrap commands" --mode=delay /usr/bin/bootstrap-commands
+RemainAfterExit=true
+StandardError=journal+console
+SyslogIdentifier=bootstrap-commands
+
+[Install]
+RequiredBy=preconfigured.target
diff --git a/packages/os/os.spec b/packages/os/os.spec
@@ -32,6 +32,7 @@ Source17: corndog-toml
 Source18: bootstrap-containers-toml
 Source19: host-containers-toml
 Source20: bottlerocket-fips-checks-metadata-json
+Source21: bootstrap-commands-toml
 
 # 1xx sources: systemd units
 Source100: apiserver.service
@@ -52,13 +53,15 @@ Source119: reboot-if-required.service
 Source120: warm-pool-wait.service
 Source122: has-boot-ever-succeeded.service
 Source123: pluto.service
+Source124: bootstrap-commands.service
 
 # 2xx sources: tmpfilesd configs
 Source200: migration-tmpfiles.conf
 Source201: host-containers-tmpfiles.conf
 Source202: thar-be-updates-tmpfiles.conf
 Source203: bootstrap-containers-tmpfiles.conf
 Source204: storewolf-tmpfiles.conf
+Source205: bootstrap-commands-tmpfiles.conf
 
 # 3xx sources: udev rules
 Source300: ephemeral-storage.rules
@@ -74,6 +77,7 @@ BuildRequires: %{_cross_os}glibc-devel
 Requires: %{_cross_os}apiclient
 Requires: %{_cross_os}apiserver
 Requires: %{_cross_os}bloodhound
+Requires: %{_cross_os}bootstrap-commands
 Requires: %{_cross_os}corndog
 Requires: %{_cross_os}certdog
 Requires: %{_cross_os}ghostdog
@@ -246,6 +250,11 @@ Requires: %{_cross_os}binutils
 %description -n %{_cross_os}driverdog
 %{summary}.
 
+%package -n %{_cross_os}bootstrap-commands
+Summary: Manages bootstrap-commands
+%description -n %{_cross_os}bootstrap-commands
+%{summary}.
+
 %package -n %{_cross_os}bootstrap-containers
 Summary: Manages bootstrap-containers
 Requires: %{_cross_os}host-ctr
@@ -350,6 +359,7 @@ echo "** Output from non-static builds:"
     -p metricdog \
     -p ghostdog \
     -p corndog \
+    -p bootstrap-commands \
     -p bootstrap-containers \
     -p prairiedog \
     -p certdog \
@@ -385,7 +395,7 @@ for p in \
   storewolf settings-committer \
   migrator prairiedog certdog \
   signpost updog metricdog logdog \
-  ghostdog bootstrap-containers \
+  ghostdog bootstrap-commands bootstrap-containers \
   shimpei bloodhound \
   bottlerocket-cis-checks \
   bottlerocket-fips-checks \
@@ -473,14 +483,14 @@ if [ -s "%{_cross_repo_root_json}" ] ; then
 fi
 
 install -d %{buildroot}%{_cross_templatedir}
-install -p -m 0644 %{S:5} %{S:6} %{S:7} %{S:8} %{S:14} %{S:15} %{S:16} %{S:17} %{S:18} %{S:19} \
+install -p -m 0644 %{S:5} %{S:6} %{S:7} %{S:8} %{S:14} %{S:15} %{S:16} %{S:17} %{S:18} %{S:19} %{S:21} \
   %{buildroot}%{_cross_templatedir}
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 \
   %{S:100} %{S:102} %{S:103} %{S:105} \
   %{S:106} %{S:107} %{S:110} %{S:111} %{S:112} \
-  %{S:113} %{S:114} %{S:119} %{S:122} %{S:123} \
+  %{S:113} %{S:114} %{S:119} %{S:122} %{S:123} %{S:124} \
   %{buildroot}%{_cross_unitdir}
 
 sed -e 's|PREFIX|%{_cross_prefix}|g' %{S:115} > link-kernel-modules.service
@@ -502,6 +512,7 @@ install -p -m 0644 %{S:201} %{buildroot}%{_cross_tmpfilesdir}/host-containers.co
 install -p -m 0644 %{S:202} %{buildroot}%{_cross_tmpfilesdir}/thar-be-updates.conf
 install -p -m 0644 %{S:203} %{buildroot}%{_cross_tmpfilesdir}/bootstrap-containers.conf
 install -p -m 0644 %{S:204} %{buildroot}%{_cross_tmpfilesdir}/storewolf.conf
+install -p -m 0644 %{S:205} %{buildroot}%{_cross_tmpfilesdir}/bootstrap-commands.conf
 
 install -d %{buildroot}%{_cross_udevrulesdir}
 install -p -m 0644 %{S:300} %{buildroot}%{_cross_udevrulesdir}/80-ephemeral-storage.rules
@@ -640,6 +651,12 @@ install -p -m 0644 %{S:400} %{S:401} %{S:402} %{buildroot}%{_cross_licensedir}
 %{_cross_bindir}/certdog
 %{_cross_templatedir}/certdog-toml
 
+%files -n %{_cross_os}bootstrap-commands
+%{_cross_bindir}/bootstrap-commands
+%{_cross_unitdir}/bootstrap-commands.service
+%{_cross_tmpfilesdir}/bootstrap-commands.conf
+%{_cross_templatedir}/bootstrap-commands-toml
+
 %files -n %{_cross_os}bootstrap-containers
 %{_cross_bindir}/bootstrap-containers
 %{_cross_unitdir}/[email protected]

diff --git a/packages/release/release.spec b/packages/release/release.spec
@@ -85,6 +85,7 @@ Source1085: usr-libexec.mount.in
 Source1100: systemd-tmpfiles-setup-service-debug.conf
 Source1101: systemd-resolved-service-env.conf
 Source1102: systemd-networkd-service-env.conf
+Source1103: systemd-logind-inhibit-maxdelay.conf
 
 # network link rules
 Source1200: 80-release.link
@@ -172,6 +173,9 @@ install -p -m 0644 %{S:98} %{buildroot}%{_cross_libdir}/systemd/system.conf.d/80
 install -d %{buildroot}%{_cross_libdir}/systemd/network
 install -p -m 0644 %{S:1200} %{buildroot}%{_cross_libdir}/systemd/network/80-release.link
 
+install -d %{buildroot}%{_cross_libdir}/systemd/logind.conf.d
+install -p -m 0644 %{S:1103} %{buildroot}%{_cross_libdir}/systemd/logind.conf.d/systemd-logind.conf
+
 cat >%{buildroot}%{_cross_libdir}/os-release <<EOF
 NAME=Bottlerocket
 ID=bottlerocket
@@ -265,6 +269,7 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
 %{_cross_libdir}/os-release
 %dir %{_cross_libdir}/repart.d
 %{_cross_libdir}/repart.d/80-local.conf
+%{_cross_libdir}/systemd/logind.conf.d/systemd-logind.conf
 %{_cross_libdir}/systemd/network/80-release.link
 %{_cross_libdir}/systemd/networkd.conf.d/80-release.conf
 %{_cross_libdir}/systemd/system.conf.d/80-release.conf

diff --git a/packages/release/systemd-logind-inhibit-maxdelay.conf b/packages/release/systemd-logind-inhibit-maxdelay.conf
@@ -0,0 +1,4 @@
+[Login]
+# Maximum time a system shutdown or sleep request is delayed due to to an inhibitor lock.
+# We set it to 5 minutes to let configurations in bootstrap commands to finish before a restart.
+InhibitDelayMaxSec=300