Merge pull request #2132 from edcdavid/fix-kubeconfig-location

OCPBUGS-46376: Disk encryption with TPM PCR 1 and 7 protection: upgrade not detected with TALM method

ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/build.sh

@@ -14,5 +14,6 @@ ${MCMAKER} -stdout -name 01-disk-encryption-rebind -mcp "${MCPROLE}" \
 	file -source hwupgrade-detection-methods/fwup.sh -path /usr/local/bin/hwupgrade-detection-methods/fwup.sh -mode 0755 \
 	file -source hwupgrade-detection-methods/ostree.sh -path /usr/local/bin/hwupgrade-detection-methods/ostree.sh -mode 0755 \
 	file -source hwupgrade-detection-methods/talm.sh -path /usr/local/bin/hwupgrade-detection-methods/talm.sh -mode 0755 \
+	file -source order.conf -path /etc/systemd/system/crio-.scope.d/order.conf -mode 0644 \
 	unit -source pcr-rebind-boot.service \
 	unit -source pcr-disable-shutdown.service

ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/hwupgrade-detection-methods/talm.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 set -o errexit -o nounset -o pipefail
 
-SPOKE_KUBECONFIG_PATH=/var/lib/kubelet/kubeconfig
+SPOKE_KUBECONFIG_PATH=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/lb-int.kubeconfig
 HUB_SECRET_NAMESPACE=open-cluster-management-agent
 HUB_SECRET_NAME=hub-kubeconfig-secret
 
@@ -31,12 +31,13 @@ isZtpState() {
 	talmState="$1"
 	RESULT=$FALSE
 
+	clusterName=$(oc --kubeconfig "$SPOKE_KUBECONFIG_PATH" get klusterlet klusterlet -ojsonpath='{.spec.clusterName}')
 	case "$talmState" in
 	"running")
-		RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$(hostname --short)" -ojson | jq '.metadata.labels["ztp-running"]!=null')
+		RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$clusterName" -ojson | jq '.metadata.labels["ztp-running"]!=null')
 		;;
 	"done")
-		RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$(hostname --short)" -ojson | jq '.metadata.labels["ztp-done"]!=null')
+		RESULT=$(KUBECONFIG=/tmp/kubeconfig-hub oc get managedcluster "$clusterName" -ojson | jq '.metadata.labels["ztp-done"]!=null')
 		;;
 	*)
 		# Code to execute when no patterns match

ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/order.conf

@@ -0,0 +1,3 @@
+# This unit ensures that containers stay up on shutdown until the pcr-disable-shutdown service is able to run 
+[Unit]
+Before=pcr-disable-shutdown.service

ztp/extra-manifests-builder/01-disk-encryption-pcr-rebind/pcr-disable-shutdown.service

@@ -1,7 +1,7 @@
 [Service]
 Type=oneshot
 RemainAfterExit=true
-ExecStart=/usr/bin/true
 ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh
+
 [Install]
 WantedBy=multi-user.target

ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-master.yaml

@@ -37,9 +37,13 @@ spec:
         mode: 493
         path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh
       - contents:
-          source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc2V0IC1vIGVycmV4aXQgLW8gbm91bnNldCAtbyBwaXBlZmFpbAoKU1BPS0VfS1VCRUNPTkZJR19QQVRIPS92YXIvbGliL2t1YmVsZXQva3ViZWNvbmZpZwpIVUJfU0VDUkVUX05BTUVTUEFDRT1vcGVuLWNsdXN0ZXItbWFuYWdlbWVudC1hZ2VudApIVUJfU0VDUkVUX05BTUU9aHViLWt1YmVjb25maWctc2VjcmV0CgojIHJldHJpZXZlcyB0aGUga3ViZWNvbmZpZyBmb3IgdGhpcyBzcG9rZSdzIGNsdXN0ZXIKZ2V0SHViS3ViZWNvbmZpZygpIHsKCWxvY2FsIGt1YmVDb25maWdQYXRoIG5hbWVzcGFjZSBzZWNyZXROYW1lIEtVQkVDT05GSUdfREFUQSBUTFNfS0VZIFRMU19DUlQKCglrdWJlQ29uZmlnUGF0aD0iJDEiCgluYW1lc3BhY2U9IiQyIgoJc2VjcmV0TmFtZT0iJDMiCglLVUJFQ09ORklHX0RBVEE9JChvYyAtLWt1YmVjb25maWcgIiRrdWJlQ29uZmlnUGF0aCIgZ2V0IHNlY3JldCAtbiAiJG5hbWVzcGFjZSIgIiRzZWNyZXROYW1lIiAtbyBqc29uIHwganEgLmRhdGEua3ViZWNvbmZpZyB8IHNlZCAncy8iLy9nJyB8IGJhc2U2NCAtZCkKCWlmIFsgLXogIiRLVUJFQ09ORklHX0RBVEEiIF07IHRoZW4KCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglUTFNfS0VZPSQob2MgLS1rdWJlY29uZmlnICIka3ViZUNvbmZpZ1BhdGgiIGdldCBzZWNyZXQgLW4gIiRuYW1lc3BhY2UiICIkc2VjcmV0TmFtZSIgLW8ganNvbiB8IGpxICcuZGF0YS4idGxzLmtleSInIHwgc2VkICdzLyIvL2cnKQoJVExTX0NSVD0kKG9jIC0ta3ViZWNvbmZpZyAiJGt1YmVDb25maWdQYXRoIiBnZXQgc2VjcmV0IC1uICIkbmFtZXNwYWNlIiAiJHNlY3JldE5hbWUiIC1vIGpzb24gfCBqcSAnLmRhdGEuInRscy5jcnQiJyB8IHNlZCAncy8iLy9nJykKCWVjaG8gIiRLVUJFQ09ORklHX0RBVEEiIHwgc2VkIC1lICJzL2NsaWVudC1jZXJ0aWZpY2F0ZTogdGxzLmNydC9jbGllbnQtY2VydGlmaWNhdGUtZGF0YTogJFRMU19DUlQvZyIgfCBzZWQgLWUgInMvY2xpZW50LWtleTogdGxzLmtleS9jbGllbnQta2V5LWRhdGE6ICRUTFNfS0VZL2ciID4vdG1wL2t1YmVjb25maWctaHViCglyZXR1cm4gIiRUUlVFIgp9CgojIFJldHJlaXZlcyBUQUxNJ3Mgc3RhdGUgaW4gdGhlIGh1YiBjbHVzdGVyJ3MgbWFuYWdlZENsdXN0ZXIgb2JqZWN0LiBUYWtlcyBvbmUgYXJndW1lbnQ6CiMgZG9uZSAtPiByZXR1cm4gJFRSVUUgaWYgdGhlIHp0cC1kb25lIGxhYmVsIGlzIHNldCwgJEZBTFNFIG90aGVyd2lzZQojIHJ1bm5pbmcgLT4gcmV0dXJuICRUUlVFIGlmIHRoZSB6dHAtcnVubmluZyBsYWJlbCBpcyBzZXQsICRGQUxTRSBvdGhlcndpc2UKaXNadHBTdGF0ZSgpIHsKCWxvY2FsIHRhbG1TdGF0ZSBSRVNVTFQKCgl0YWxtU3RhdGU9IiQxIgoJUkVTVUxUPSRGQUxTRQoKCWNhc2UgIiR0YWxtU3RhdGUiIGluCgkicnVubmluZyIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1ydW5uaW5nIl0hPW51bGwnKQoJCTs7CgkiZG9uZSIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1kb25lIl0hPW51bGwnKQoJCTs7CgkqKQoJCSMgQ29kZSB0byBleGVjdXRlIHdoZW4gbm8gcGF0dGVybnMgbWF0Y2gKCQk7OwoJZXNhYwoJaWYgWyAiJFJFU1VMVCIgPT0gImZhbHNlIiBdOyB0aGVuCgkJbG9nRGVidWcgIlRBTE0gJHRhbG1TdGF0ZSBzdGF0ZSBpcyAkUkVTVUxUIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWxvZ0RlYnVnICJUQUxNICR0YWxtU3RhdGUgc3RhdGUgaXMgJFJFU1VMVCIKCXJldHVybiAiJFRSVUUiCn0KCmlzVEFMTVVwZGF0aW5nKCkgewoJaWYgISBnZXRIdWJLdWJlY29uZmlnICRTUE9LRV9LVUJFQ09ORklHX1BBVEggJEhVQl9TRUNSRVRfTkFNRVNQQUNFICRIVUJfU0VDUkVUX05BTUU7IHRoZW4KCQlsb2dJbmZvICJUQUxNIG5vdCBhdmFpbGFibGUgb3IgaHViIGt1YmVjb25maWcgaXMgbm8gcmVhZHkgeWV0IGF0ICRTUE9LRV9LVUJFQ09ORklHX1BBVEggcGF0aCwgY2Fubm90IGdldCBzcG9rZSBzZWNyZXQgJEhVQl9TRUNSRVRfTkFNRSBpbiAkSFVCX1NFQ1JFVF9OQU1FU1BBQ0UgbmFtZXNwYWNlIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWlzWnRwU3RhdGUgInJ1bm5pbmciCglyZXR1cm4gJD8KfQoKIyBBZGQgYSBuZXcgZnVuY3Rpb24gdG8gdGhlIGFycmF5IG9mIHVwZGF0ZSBkZXRlY3Rpb24gbWV0aG9kcwpzZXJ2ZXJVcGRhdGVEZXRlY3Rpb25NZXRob2RzKz0oImlzVEFMTVVwZGF0aW5nIikK
+          source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc2V0IC1vIGVycmV4aXQgLW8gbm91bnNldCAtbyBwaXBlZmFpbAoKU1BPS0VfS1VCRUNPTkZJR19QQVRIPS9ldGMva3ViZXJuZXRlcy9zdGF0aWMtcG9kLXJlc291cmNlcy9rdWJlLWFwaXNlcnZlci1jZXJ0cy9zZWNyZXRzL25vZGUta3ViZWNvbmZpZ3MvbGItaW50Lmt1YmVjb25maWcKSFVCX1NFQ1JFVF9OQU1FU1BBQ0U9b3Blbi1jbHVzdGVyLW1hbmFnZW1lbnQtYWdlbnQKSFVCX1NFQ1JFVF9OQU1FPWh1Yi1rdWJlY29uZmlnLXNlY3JldAoKIyByZXRyaWV2ZXMgdGhlIGt1YmVjb25maWcgZm9yIHRoaXMgc3Bva2UncyBjbHVzdGVyCmdldEh1Ykt1YmVjb25maWcoKSB7Cglsb2NhbCBrdWJlQ29uZmlnUGF0aCBuYW1lc3BhY2Ugc2VjcmV0TmFtZSBLVUJFQ09ORklHX0RBVEEgVExTX0tFWSBUTFNfQ1JUCgoJa3ViZUNvbmZpZ1BhdGg9IiQxIgoJbmFtZXNwYWNlPSIkMiIKCXNlY3JldE5hbWU9IiQzIgoJS1VCRUNPTkZJR19EQVRBPSQob2MgLS1rdWJlY29uZmlnICIka3ViZUNvbmZpZ1BhdGgiIGdldCBzZWNyZXQgLW4gIiRuYW1lc3BhY2UiICIkc2VjcmV0TmFtZSIgLW8ganNvbiB8IGpxIC5kYXRhLmt1YmVjb25maWcgfCBzZWQgJ3MvIi8vZycgfCBiYXNlNjQgLWQpCglpZiBbIC16ICIkS1VCRUNPTkZJR19EQVRBIiBdOyB0aGVuCgkJcmV0dXJuICIkRkFMU0UiCglmaQoJVExTX0tFWT0kKG9jIC0ta3ViZWNvbmZpZyAiJGt1YmVDb25maWdQYXRoIiBnZXQgc2VjcmV0IC1uICIkbmFtZXNwYWNlIiAiJHNlY3JldE5hbWUiIC1vIGpzb24gfCBqcSAnLmRhdGEuInRscy5rZXkiJyB8IHNlZCAncy8iLy9nJykKCVRMU19DUlQ9JChvYyAtLWt1YmVjb25maWcgIiRrdWJlQ29uZmlnUGF0aCIgZ2V0IHNlY3JldCAtbiAiJG5hbWVzcGFjZSIgIiRzZWNyZXROYW1lIiAtbyBqc29uIHwganEgJy5kYXRhLiJ0bHMuY3J0IicgfCBzZWQgJ3MvIi8vZycpCgllY2hvICIkS1VCRUNPTkZJR19EQVRBIiB8IHNlZCAtZSAicy9jbGllbnQtY2VydGlmaWNhdGU6IHRscy5jcnQvY2xpZW50LWNlcnRpZmljYXRlLWRhdGE6ICRUTFNfQ1JUL2ciIHwgc2VkIC1lICJzL2NsaWVudC1rZXk6IHRscy5rZXkvY2xpZW50LWtleS1kYXRhOiAkVExTX0tFWS9nIiA+L3RtcC9rdWJlY29uZmlnLWh1YgoJcmV0dXJuICIkVFJVRSIKfQoKIyBSZXRyZWl2ZXMgVEFMTSdzIHN0YXRlIGluIHRoZSBodWIgY2x1c3RlcidzIG1hbmFnZWRDbHVzdGVyIG9iamVjdC4gVGFrZXMgb25lIGFyZ3VtZW50OgojIGRvbmUgLT4gcmV0dXJuICRUUlVFIGlmIHRoZSB6dHAtZG9uZSBsYWJlbCBpcyBzZXQsICRGQUxTRSBvdGhlcndpc2UKIyBydW5uaW5nIC0+IHJldHVybiAkVFJVRSBpZiB0aGUgenRwLXJ1bm5pbmcgbGFiZWwgaXMgc2V0LCAkRkFMU0Ugb3RoZXJ3aXNlCmlzWnRwU3RhdGUoKSB7Cglsb2NhbCB0YWxtU3RhdGUgUkVTVUxUCgoJdGFsbVN0YXRlPSIkMSIKCVJFU1VMVD0kRkFMU0UKCgljbHVzdGVyTmFtZT0kKG9jIC0ta3ViZWNvbmZpZyAiJFNQT0tFX0tVQkVDT05GSUdfUEFUSCIgZ2V0IGtsdXN0ZXJsZXQga2x1c3RlcmxldCAtb2pzb25wYXRoPSd7LnNwZWMuY2x1c3Rlck5hbWV9JykKCWNhc2UgIiR0YWxtU3RhdGUiIGluCgkicnVubmluZyIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJGNsdXN0ZXJOYW1lIiAtb2pzb24gfCBqcSAnLm1ldGFkYXRhLmxhYmVsc1sienRwLXJ1bm5pbmciXSE9bnVsbCcpCgkJOzsKCSJkb25lIikKCQlSRVNVTFQ9JChLVUJFQ09ORklHPS90bXAva3ViZWNvbmZpZy1odWIgb2MgZ2V0IG1hbmFnZWRjbHVzdGVyICIkY2x1c3Rlck5hbWUiIC1vanNvbiB8IGpxICcubWV0YWRhdGEubGFiZWxzWyJ6dHAtZG9uZSJdIT1udWxsJykKCQk7OwoJKikKCQkjIENvZGUgdG8gZXhlY3V0ZSB3aGVuIG5vIHBhdHRlcm5zIG1hdGNoCgkJOzsKCWVzYWMKCWlmIFsgIiRSRVNVTFQiID09ICJmYWxzZSIgXTsgdGhlbgoJCWxvZ0RlYnVnICJUQUxNICR0YWxtU3RhdGUgc3RhdGUgaXMgJFJFU1VMVCIKCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglsb2dEZWJ1ZyAiVEFMTSAkdGFsbVN0YXRlIHN0YXRlIGlzICRSRVNVTFQiCglyZXR1cm4gIiRUUlVFIgp9Cgppc1RBTE1VcGRhdGluZygpIHsKCWlmICEgZ2V0SHViS3ViZWNvbmZpZyAkU1BPS0VfS1VCRUNPTkZJR19QQVRIICRIVUJfU0VDUkVUX05BTUVTUEFDRSAkSFVCX1NFQ1JFVF9OQU1FOyB0aGVuCgkJbG9nSW5mbyAiVEFMTSBub3QgYXZhaWxhYmxlIG9yIGh1YiBrdWJlY29uZmlnIGlzIG5vIHJlYWR5IHlldCBhdCAkU1BPS0VfS1VCRUNPTkZJR19QQVRIIHBhdGgsIGNhbm5vdCBnZXQgc3Bva2Ugc2VjcmV0ICRIVUJfU0VDUkVUX05BTUUgaW4gJEhVQl9TRUNSRVRfTkFNRVNQQUNFIG5hbWVzcGFjZSIKCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglpc1p0cFN0YXRlICJydW5uaW5nIgoJcmV0dXJuICQ/Cn0KCiMgQWRkIGEgbmV3IGZ1bmN0aW9uIHRvIHRoZSBhcnJheSBvZiB1cGRhdGUgZGV0ZWN0aW9uIG1ldGhvZHMKc2VydmVyVXBkYXRlRGV0ZWN0aW9uTWV0aG9kcys9KCJpc1RBTE1VcGRhdGluZyIpCg==
         mode: 493
         path: /usr/local/bin/hwupgrade-detection-methods/talm.sh
+      - contents:
+          source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg==
+        mode: 420
+        path: /etc/systemd/system/crio-.scope.d/order.conf
     systemd:
       units:
       - contents: |
@@ -57,8 +61,8 @@ spec:
           [Service]
           Type=oneshot
           RemainAfterExit=true
-          ExecStart=/usr/bin/true
           ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh
+
           [Install]
           WantedBy=multi-user.target
         enabled: true

ztp/kube-compare-reference/optional/machine-config/01-disk-encryption-pcr-rebind-worker.yaml

@@ -37,9 +37,13 @@ spec:
         mode: 493
         path: /usr/local/bin/hwupgrade-detection-methods/ostree.sh
       - contents:
-          source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc2V0IC1vIGVycmV4aXQgLW8gbm91bnNldCAtbyBwaXBlZmFpbAoKU1BPS0VfS1VCRUNPTkZJR19QQVRIPS92YXIvbGliL2t1YmVsZXQva3ViZWNvbmZpZwpIVUJfU0VDUkVUX05BTUVTUEFDRT1vcGVuLWNsdXN0ZXItbWFuYWdlbWVudC1hZ2VudApIVUJfU0VDUkVUX05BTUU9aHViLWt1YmVjb25maWctc2VjcmV0CgojIHJldHJpZXZlcyB0aGUga3ViZWNvbmZpZyBmb3IgdGhpcyBzcG9rZSdzIGNsdXN0ZXIKZ2V0SHViS3ViZWNvbmZpZygpIHsKCWxvY2FsIGt1YmVDb25maWdQYXRoIG5hbWVzcGFjZSBzZWNyZXROYW1lIEtVQkVDT05GSUdfREFUQSBUTFNfS0VZIFRMU19DUlQKCglrdWJlQ29uZmlnUGF0aD0iJDEiCgluYW1lc3BhY2U9IiQyIgoJc2VjcmV0TmFtZT0iJDMiCglLVUJFQ09ORklHX0RBVEE9JChvYyAtLWt1YmVjb25maWcgIiRrdWJlQ29uZmlnUGF0aCIgZ2V0IHNlY3JldCAtbiAiJG5hbWVzcGFjZSIgIiRzZWNyZXROYW1lIiAtbyBqc29uIHwganEgLmRhdGEua3ViZWNvbmZpZyB8IHNlZCAncy8iLy9nJyB8IGJhc2U2NCAtZCkKCWlmIFsgLXogIiRLVUJFQ09ORklHX0RBVEEiIF07IHRoZW4KCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglUTFNfS0VZPSQob2MgLS1rdWJlY29uZmlnICIka3ViZUNvbmZpZ1BhdGgiIGdldCBzZWNyZXQgLW4gIiRuYW1lc3BhY2UiICIkc2VjcmV0TmFtZSIgLW8ganNvbiB8IGpxICcuZGF0YS4idGxzLmtleSInIHwgc2VkICdzLyIvL2cnKQoJVExTX0NSVD0kKG9jIC0ta3ViZWNvbmZpZyAiJGt1YmVDb25maWdQYXRoIiBnZXQgc2VjcmV0IC1uICIkbmFtZXNwYWNlIiAiJHNlY3JldE5hbWUiIC1vIGpzb24gfCBqcSAnLmRhdGEuInRscy5jcnQiJyB8IHNlZCAncy8iLy9nJykKCWVjaG8gIiRLVUJFQ09ORklHX0RBVEEiIHwgc2VkIC1lICJzL2NsaWVudC1jZXJ0aWZpY2F0ZTogdGxzLmNydC9jbGllbnQtY2VydGlmaWNhdGUtZGF0YTogJFRMU19DUlQvZyIgfCBzZWQgLWUgInMvY2xpZW50LWtleTogdGxzLmtleS9jbGllbnQta2V5LWRhdGE6ICRUTFNfS0VZL2ciID4vdG1wL2t1YmVjb25maWctaHViCglyZXR1cm4gIiRUUlVFIgp9CgojIFJldHJlaXZlcyBUQUxNJ3Mgc3RhdGUgaW4gdGhlIGh1YiBjbHVzdGVyJ3MgbWFuYWdlZENsdXN0ZXIgb2JqZWN0LiBUYWtlcyBvbmUgYXJndW1lbnQ6CiMgZG9uZSAtPiByZXR1cm4gJFRSVUUgaWYgdGhlIHp0cC1kb25lIGxhYmVsIGlzIHNldCwgJEZBTFNFIG90aGVyd2lzZQojIHJ1bm5pbmcgLT4gcmV0dXJuICRUUlVFIGlmIHRoZSB6dHAtcnVubmluZyBsYWJlbCBpcyBzZXQsICRGQUxTRSBvdGhlcndpc2UKaXNadHBTdGF0ZSgpIHsKCWxvY2FsIHRhbG1TdGF0ZSBSRVNVTFQKCgl0YWxtU3RhdGU9IiQxIgoJUkVTVUxUPSRGQUxTRQoKCWNhc2UgIiR0YWxtU3RhdGUiIGluCgkicnVubmluZyIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1ydW5uaW5nIl0hPW51bGwnKQoJCTs7CgkiZG9uZSIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJChob3N0bmFtZSAtLXNob3J0KSIgLW9qc29uIHwganEgJy5tZXRhZGF0YS5sYWJlbHNbInp0cC1kb25lIl0hPW51bGwnKQoJCTs7CgkqKQoJCSMgQ29kZSB0byBleGVjdXRlIHdoZW4gbm8gcGF0dGVybnMgbWF0Y2gKCQk7OwoJZXNhYwoJaWYgWyAiJFJFU1VMVCIgPT0gImZhbHNlIiBdOyB0aGVuCgkJbG9nRGVidWcgIlRBTE0gJHRhbG1TdGF0ZSBzdGF0ZSBpcyAkUkVTVUxUIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWxvZ0RlYnVnICJUQUxNICR0YWxtU3RhdGUgc3RhdGUgaXMgJFJFU1VMVCIKCXJldHVybiAiJFRSVUUiCn0KCmlzVEFMTVVwZGF0aW5nKCkgewoJaWYgISBnZXRIdWJLdWJlY29uZmlnICRTUE9LRV9LVUJFQ09ORklHX1BBVEggJEhVQl9TRUNSRVRfTkFNRVNQQUNFICRIVUJfU0VDUkVUX05BTUU7IHRoZW4KCQlsb2dJbmZvICJUQUxNIG5vdCBhdmFpbGFibGUgb3IgaHViIGt1YmVjb25maWcgaXMgbm8gcmVhZHkgeWV0IGF0ICRTUE9LRV9LVUJFQ09ORklHX1BBVEggcGF0aCwgY2Fubm90IGdldCBzcG9rZSBzZWNyZXQgJEhVQl9TRUNSRVRfTkFNRSBpbiAkSFVCX1NFQ1JFVF9OQU1FU1BBQ0UgbmFtZXNwYWNlIgoJCXJldHVybiAiJEZBTFNFIgoJZmkKCWlzWnRwU3RhdGUgInJ1bm5pbmciCglyZXR1cm4gJD8KfQoKIyBBZGQgYSBuZXcgZnVuY3Rpb24gdG8gdGhlIGFycmF5IG9mIHVwZGF0ZSBkZXRlY3Rpb24gbWV0aG9kcwpzZXJ2ZXJVcGRhdGVEZXRlY3Rpb25NZXRob2RzKz0oImlzVEFMTVVwZGF0aW5nIikK
+          source: data:text/plain;charset=utf-8;base64,IyEvYmluL2Jhc2gKc2V0IC1vIGVycmV4aXQgLW8gbm91bnNldCAtbyBwaXBlZmFpbAoKU1BPS0VfS1VCRUNPTkZJR19QQVRIPS9ldGMva3ViZXJuZXRlcy9zdGF0aWMtcG9kLXJlc291cmNlcy9rdWJlLWFwaXNlcnZlci1jZXJ0cy9zZWNyZXRzL25vZGUta3ViZWNvbmZpZ3MvbGItaW50Lmt1YmVjb25maWcKSFVCX1NFQ1JFVF9OQU1FU1BBQ0U9b3Blbi1jbHVzdGVyLW1hbmFnZW1lbnQtYWdlbnQKSFVCX1NFQ1JFVF9OQU1FPWh1Yi1rdWJlY29uZmlnLXNlY3JldAoKIyByZXRyaWV2ZXMgdGhlIGt1YmVjb25maWcgZm9yIHRoaXMgc3Bva2UncyBjbHVzdGVyCmdldEh1Ykt1YmVjb25maWcoKSB7Cglsb2NhbCBrdWJlQ29uZmlnUGF0aCBuYW1lc3BhY2Ugc2VjcmV0TmFtZSBLVUJFQ09ORklHX0RBVEEgVExTX0tFWSBUTFNfQ1JUCgoJa3ViZUNvbmZpZ1BhdGg9IiQxIgoJbmFtZXNwYWNlPSIkMiIKCXNlY3JldE5hbWU9IiQzIgoJS1VCRUNPTkZJR19EQVRBPSQob2MgLS1rdWJlY29uZmlnICIka3ViZUNvbmZpZ1BhdGgiIGdldCBzZWNyZXQgLW4gIiRuYW1lc3BhY2UiICIkc2VjcmV0TmFtZSIgLW8ganNvbiB8IGpxIC5kYXRhLmt1YmVjb25maWcgfCBzZWQgJ3MvIi8vZycgfCBiYXNlNjQgLWQpCglpZiBbIC16ICIkS1VCRUNPTkZJR19EQVRBIiBdOyB0aGVuCgkJcmV0dXJuICIkRkFMU0UiCglmaQoJVExTX0tFWT0kKG9jIC0ta3ViZWNvbmZpZyAiJGt1YmVDb25maWdQYXRoIiBnZXQgc2VjcmV0IC1uICIkbmFtZXNwYWNlIiAiJHNlY3JldE5hbWUiIC1vIGpzb24gfCBqcSAnLmRhdGEuInRscy5rZXkiJyB8IHNlZCAncy8iLy9nJykKCVRMU19DUlQ9JChvYyAtLWt1YmVjb25maWcgIiRrdWJlQ29uZmlnUGF0aCIgZ2V0IHNlY3JldCAtbiAiJG5hbWVzcGFjZSIgIiRzZWNyZXROYW1lIiAtbyBqc29uIHwganEgJy5kYXRhLiJ0bHMuY3J0IicgfCBzZWQgJ3MvIi8vZycpCgllY2hvICIkS1VCRUNPTkZJR19EQVRBIiB8IHNlZCAtZSAicy9jbGllbnQtY2VydGlmaWNhdGU6IHRscy5jcnQvY2xpZW50LWNlcnRpZmljYXRlLWRhdGE6ICRUTFNfQ1JUL2ciIHwgc2VkIC1lICJzL2NsaWVudC1rZXk6IHRscy5rZXkvY2xpZW50LWtleS1kYXRhOiAkVExTX0tFWS9nIiA+L3RtcC9rdWJlY29uZmlnLWh1YgoJcmV0dXJuICIkVFJVRSIKfQoKIyBSZXRyZWl2ZXMgVEFMTSdzIHN0YXRlIGluIHRoZSBodWIgY2x1c3RlcidzIG1hbmFnZWRDbHVzdGVyIG9iamVjdC4gVGFrZXMgb25lIGFyZ3VtZW50OgojIGRvbmUgLT4gcmV0dXJuICRUUlVFIGlmIHRoZSB6dHAtZG9uZSBsYWJlbCBpcyBzZXQsICRGQUxTRSBvdGhlcndpc2UKIyBydW5uaW5nIC0+IHJldHVybiAkVFJVRSBpZiB0aGUgenRwLXJ1bm5pbmcgbGFiZWwgaXMgc2V0LCAkRkFMU0Ugb3RoZXJ3aXNlCmlzWnRwU3RhdGUoKSB7Cglsb2NhbCB0YWxtU3RhdGUgUkVTVUxUCgoJdGFsbVN0YXRlPSIkMSIKCVJFU1VMVD0kRkFMU0UKCgljbHVzdGVyTmFtZT0kKG9jIC0ta3ViZWNvbmZpZyAiJFNQT0tFX0tVQkVDT05GSUdfUEFUSCIgZ2V0IGtsdXN0ZXJsZXQga2x1c3RlcmxldCAtb2pzb25wYXRoPSd7LnNwZWMuY2x1c3Rlck5hbWV9JykKCWNhc2UgIiR0YWxtU3RhdGUiIGluCgkicnVubmluZyIpCgkJUkVTVUxUPSQoS1VCRUNPTkZJRz0vdG1wL2t1YmVjb25maWctaHViIG9jIGdldCBtYW5hZ2VkY2x1c3RlciAiJGNsdXN0ZXJOYW1lIiAtb2pzb24gfCBqcSAnLm1ldGFkYXRhLmxhYmVsc1sienRwLXJ1bm5pbmciXSE9bnVsbCcpCgkJOzsKCSJkb25lIikKCQlSRVNVTFQ9JChLVUJFQ09ORklHPS90bXAva3ViZWNvbmZpZy1odWIgb2MgZ2V0IG1hbmFnZWRjbHVzdGVyICIkY2x1c3Rlck5hbWUiIC1vanNvbiB8IGpxICcubWV0YWRhdGEubGFiZWxzWyJ6dHAtZG9uZSJdIT1udWxsJykKCQk7OwoJKikKCQkjIENvZGUgdG8gZXhlY3V0ZSB3aGVuIG5vIHBhdHRlcm5zIG1hdGNoCgkJOzsKCWVzYWMKCWlmIFsgIiRSRVNVTFQiID09ICJmYWxzZSIgXTsgdGhlbgoJCWxvZ0RlYnVnICJUQUxNICR0YWxtU3RhdGUgc3RhdGUgaXMgJFJFU1VMVCIKCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglsb2dEZWJ1ZyAiVEFMTSAkdGFsbVN0YXRlIHN0YXRlIGlzICRSRVNVTFQiCglyZXR1cm4gIiRUUlVFIgp9Cgppc1RBTE1VcGRhdGluZygpIHsKCWlmICEgZ2V0SHViS3ViZWNvbmZpZyAkU1BPS0VfS1VCRUNPTkZJR19QQVRIICRIVUJfU0VDUkVUX05BTUVTUEFDRSAkSFVCX1NFQ1JFVF9OQU1FOyB0aGVuCgkJbG9nSW5mbyAiVEFMTSBub3QgYXZhaWxhYmxlIG9yIGh1YiBrdWJlY29uZmlnIGlzIG5vIHJlYWR5IHlldCBhdCAkU1BPS0VfS1VCRUNPTkZJR19QQVRIIHBhdGgsIGNhbm5vdCBnZXQgc3Bva2Ugc2VjcmV0ICRIVUJfU0VDUkVUX05BTUUgaW4gJEhVQl9TRUNSRVRfTkFNRVNQQUNFIG5hbWVzcGFjZSIKCQlyZXR1cm4gIiRGQUxTRSIKCWZpCglpc1p0cFN0YXRlICJydW5uaW5nIgoJcmV0dXJuICQ/Cn0KCiMgQWRkIGEgbmV3IGZ1bmN0aW9uIHRvIHRoZSBhcnJheSBvZiB1cGRhdGUgZGV0ZWN0aW9uIG1ldGhvZHMKc2VydmVyVXBkYXRlRGV0ZWN0aW9uTWV0aG9kcys9KCJpc1RBTE1VcGRhdGluZyIpCg==
         mode: 493
         path: /usr/local/bin/hwupgrade-detection-methods/talm.sh
+      - contents:
+          source: data:text/plain;charset=utf-8;base64,IyBUaGlzIHVuaXQgZW5zdXJlcyB0aGF0IGNvbnRhaW5lcnMgc3RheSB1cCBvbiBzaHV0ZG93biB1bnRpbCB0aGUgcGNyLWRpc2FibGUtc2h1dGRvd24gc2VydmljZSBpcyBhYmxlIHRvIHJ1biAKW1VuaXRdCkJlZm9yZT1wY3ItZGlzYWJsZS1zaHV0ZG93bi5zZXJ2aWNlCg==
+        mode: 420
+        path: /etc/systemd/system/crio-.scope.d/order.conf
     systemd:
       units:
       - contents: |
@@ -57,8 +61,8 @@ spec:
           [Service]
           Type=oneshot
           RemainAfterExit=true
-          ExecStart=/usr/bin/true
           ExecStop=/usr/local/bin/disablePcrOnRebootOrShutdown.sh
+
           [Install]
           WantedBy=multi-user.target
         enabled: true