40ignition-ostree: add ignition-ostree-mount-state-overlays.service

The new experimental `opt-usrlocal-overlays` treefile knob[1] allows users to overlay packages with `/opt`/`/usr/local` content (and eventually, rebase to container images with content in those places). However, booting a base compose with this knob will break Ignition configs that currently write data in e.g. `/opt` since that now points to `/usr/lib/opt`, which is of course read-only. We need to assemble the state overlays from the initramfs so that those configs keep working seamlessly. This is a no-op if state overlays are off (status quo), but it'll make it easier for people and CI to test the feature. This is a tiny part of the required bits if we want to eventually turn this on in FCOS/RHCOS. The other major part is migrating existing systems. [1] coreos/rpm-ostree#4728
jlebon · Feb 6, 2024 · d81422d · d81422d
1 parent 3c70d6a
commit d81422d
Show file tree

Hide file tree

Showing 3 changed files with 68 additions and 0 deletions.
diff --git a/...e/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-state-overlays.service b/...e/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-state-overlays.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=Ignition OSTree Mount State Overlays
+DefaultDependencies=false
+ConditionKernelCommandLine=|ostree
+ConditionPathExists=|/run/ostree-live
+
+# Need to do this with all mount points active
+After=ignition-mount.service
+# Not strictly required, but both do /var things
+After=ignition-ostree-populate-var.service
+
+# But *before* we start dumping files in there
+Before=ignition-files.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ignition-ostree-mount-state-overlays mount
+ExecStop=/usr/libexec/ignition-ostree-mount-state-overlays umount
diff --git a/...05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-state-overlays.sh b/...05core/usr/lib/dracut/modules.d/40ignition-ostree/ignition-ostree-mount-state-overlays.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -euo pipefail
+
+fatal() {
+    echo "$@" >&2
+    exit 1
+}
+
+if [ $# -ne 1 ] || { [[ $1 != mount ]] && [[ $1 != umount ]]; }; then
+    fatal "Usage: $0 <mount|umount>"
+fi
+
+# if state overlays are disabled, there's nothing to do
+if ! jq -e '.["opt-usrlocal-overlays"]' /sysroot/usr/share/rpm-ostree/treefile.json; then
+    exit 0
+fi
+
+do_mount() {
+    for overlay in /usr/lib/opt /usr/local; do
+        escaped=$(systemd-escape --path "${overlay}")
+        overlay_dirs=/sysroot/var/ostree/state-overlays/${escaped}
+        # be nice to persistent /var; if the dirs already exist, assume they're
+        # properly labeled
+        need_relabeling=0
+        if [ ! -d "${overlay_dirs}" ]; then
+            mkdir -p "${overlay_dirs}"/{upper,work}
+            coreos-relabel /var/ostree
+            need_relabeling=1
+        fi
+        # ideally we'd use `ostree admin state-overlay`, but that'd require
+        # pulling in bwrap and chroot which isn't yet in the FCOS initrd
+        mount -t overlay overlay /sysroot/${overlay} -o "lowerdir=/sysroot/${overlay},upperdir=${overlay_dirs}/upper,workdir=${overlay_dirs}/work"
+        if [ $need_relabeling = 1 ]; then
+            coreos-relabel ${overlay}
+        fi
+    done
+}
+
+do_umount() {
+    for overlay in /usr/lib/opt /usr/local; do
+        umount /sysroot/${overlay}
+    done
+}
+
+"do_$1"
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/40ignition-ostree/module-setup.sh
@@ -102,5 +102,9 @@ install() {
     inst_script "$moddir/coreos-check-rootfs-size" \
         /usr/libexec/coreos-check-rootfs-size
 
+    install_ignition_unit ignition-ostree-mount-state-overlays.service
+    inst_script "$moddir/ignition-ostree-mount-state-overlays.sh" \
+        /usr/libexec/ignition-ostree-mount-state-overlays
+
     inst_script "$moddir/coreos-relabel" /usr/bin/coreos-relabel
 }