packages: change systemd boot sequence

packages/acpid/acpid.service

@@ -6,4 +6,4 @@ Type=forking
 ExecStart=/usr/sbin/acpid -c /usr/lib/acpid/events
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=preconfigured.target

packages/chrony/chronyd.service

@@ -1,12 +1,12 @@
 [Unit]
 Description=A versatile implementation of the Network Time Protocol
 Documentation=https://chrony.tuxfamily.org
-After=network-online.target configured.target
-Requires=network-online.target configured.target
+After=network-online.target preconfigured.target
+Wants=network-online.target preconfigured.target
 
 [Service]
 Type=simple
 ExecStart=/usr/sbin/chronyd -d -F -1
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=configured.target

packages/dbus-broker/dbus-broker.service

@@ -19,4 +19,4 @@ ExecReload=/usr/bin/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.f
 
 [Install]
 Alias=dbus.service
-WantedBy=multi-user.target
+WantedBy=preconfigured.target

packages/ecs-agent/ecs.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Amazon Elastic Container Service - container agent
 Documentation=https://aws.amazon.com/documentation/ecs/
-Requires=docker.service configured.target
+Requires=docker.service
 After=docker.service configured.target
 Wants=network-online.target configured.target
 

packages/host-ctr/host-containerd.service

@@ -1,8 +1,8 @@
 [Unit]
 Description=containerd runtime for host containers
 Documentation=https://containerd.io
-After=network-online.target configured.target
-Wants=network-online.target configured.target
+After=network-online.target preconfigured.target
+Wants=network-online.target preconfigured.target
 
 [Service]
 EnvironmentFile=/etc/network/proxy.env
@@ -19,4 +19,4 @@ LimitNOFILE=infinity
 TasksMax=infinity
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=configured.target

packages/kubernetes-1.15/kubelet.service

@@ -29,4 +29,3 @@ MemoryAccounting=true
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=mark-successful-boot.service

packages/kubernetes-1.16/kubelet.service

@@ -29,4 +29,3 @@ MemoryAccounting=true
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=mark-successful-boot.service

packages/kubernetes-1.17/kubelet.service

@@ -29,4 +29,3 @@ MemoryAccounting=true
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=mark-successful-boot.service

packages/kubernetes-1.18/kubelet.service

@@ -29,4 +29,3 @@ MemoryAccounting=true
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=mark-successful-boot.service

packages/kubernetes-1.19/kubelet.service

@@ -29,4 +29,3 @@ MemoryAccounting=true
 
 [Install]
 WantedBy=multi-user.target
-RequiredBy=mark-successful-boot.service

packages/libaudit/audit-rules.service

@@ -12,4 +12,4 @@ ExecStart=/sbin/auditctl -R /usr/share/audit/audit.rules
 ExecStop=-/sbin/auditctl -D
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=preconfigured.target

packages/os/apiserver.service

@@ -9,4 +9,4 @@ ExecStart=/usr/bin/apiserver --datastore-path /var/lib/bottlerocket/datastore/cu
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=preconfigured.target

packages/os/early-boot-config.service

@@ -1,11 +1,18 @@
 [Unit]
 Description=Bottlerocket userdata configuration system
 # Need network online to talk to IMDS.
-After=network-online.target apiserver.service
-Requires=network-online.target apiserver.service
+After=network-online.target apiserver.service storewolf.service
+# Don't restart the unit if the network goes offline or apiserver restarts
+Wants=apiserver.service network-online.target
+# Don't start the unit if storewolf.service fails
+Requires=storewolf.service
 # We only want to run once, at first boot.  This file is created by early-boot-config
 # after a successful run.
 ConditionPathExists=!/var/lib/bottlerocket/early-boot-config.ran
+# Block manual interactions with this service, since it could leave the system in an
+# unexpected state
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
 Type=oneshot
@@ -14,4 +21,4 @@ RemainAfterExit=true
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/os/host-containers@.service

@@ -7,8 +7,6 @@ Wants=host-containerd.service
 Type=simple
 EnvironmentFile=/etc/host-containers/%i.env
 Environment=LOCAL_DIR=/local
-# Create directories for container persistent storage
-ExecStartPre=/usr/bin/mkdir -m 1777 -p ${LOCAL_DIR}/host-containers/%i
 ExecStart=/usr/bin/host-ctr run \
     --container-id='%i' \
     --source='${CTR_SOURCE}' \

packages/os/mark-successful-boot.service

@@ -1,15 +1,18 @@
 [Unit]
 Description=Call signpost to mark the boot as successful after all required targets are met.
-After=multi-user.target
-# Each service that must start correctly in order for a boot to be successful should be of type "notify"
-# and include "RequiredBy=mark-successful-boot.service" in its [Install] section.
+# This unit is in charge of updating the partitions on successful boots. Use other service
+# units instead of adding more `ExecStart*` lines to prevent indirect dependencies on
+# other units not listed in the `RequiredBy` section.
+Requires=migrator.service
+# Block manual interactions with this service, manually running it could leave the system in an
+# unexpected state
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
-EnvironmentFile=/etc/network/proxy.env
 Type=oneshot
 RemainAfterExit=true
 ExecStart=/bin/signpost mark-successful-boot
-ExecStartPost=-/usr/bin/metricdog send-boot-success
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/os/migrator.service

@@ -1,11 +1,18 @@
 [Unit]
 Description=Bottlerocket data store migrator
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/migrator --datastore-path /var/lib/bottlerocket/datastore/current --migration-directory /var/lib/bottlerocket-migrations --root-path /usr/share/updog/root.json --metadata-directory /var/cache/bottlerocket-metadata --migrate-to-version-from-os-release
+ExecStart=/usr/bin/migrator \
+  --datastore-path /var/lib/bottlerocket/datastore/current \
+  --migration-directory /var/lib/bottlerocket-migrations \
+  --root-path /usr/share/updog/root.json \
+  --metadata-directory /var/cache/bottlerocket-metadata \
+  --migrate-to-version-from-os-release
 RemainAfterExit=true
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/os/os.spec

@@ -34,6 +34,7 @@ Source107: host-containers@.service
 Source110: mark-successful-boot.service
 Source111: metricdog.service
 Source112: metricdog.timer
+Source113: send-boot-success.service
 
 # 2xx sources: tmpfilesd configs
 Source200: migration-tmpfiles.conf
@@ -337,7 +338,7 @@ install -p -m 0644 %{S:5} %{S:6} %{buildroot}%{_cross_templatedir}
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 \
   %{S:100} %{S:101} %{S:102} %{S:103} %{S:105} \
-  %{S:106} %{S:107} %{S:110} %{S:111} %{S:112} \
+  %{S:106} %{S:107} %{S:110} %{S:111} %{S:112} %{S:113}\
   %{buildroot}%{_cross_unitdir}
 
 install -d %{buildroot}%{_cross_tmpfilesdir}
@@ -440,6 +441,7 @@ install -p -m 0644 %{S:300} %{buildroot}%{_cross_udevrulesdir}/80-ephemeral-stor
 %{_cross_templatedir}/metricdog-toml
 %{_cross_unitdir}/metricdog.service
 %{_cross_unitdir}/metricdog.timer
+%{_cross_unitdir}/send-boot-success.service
 
 %files -n %{_cross_os}logdog
 %{_cross_bindir}/logdog

packages/os/send-boot-success.service

@@ -0,0 +1,16 @@
+[Unit]
+Description=Send boot success
+# The unit depends on 'configured.target' since Metricdog indirectly
+# depends on the proxy.env file created by settings-applier in the
+# preconfigured target
+After=network-online.target configured.target
+Wants=network-online.target configured.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=true
+EnvironmentFile=/etc/network/proxy.env
+ExecStart=-/usr/bin/metricdog send-boot-success
+
+[Install]
+WantedBy=multi-user.target

packages/os/settings-applier.service

@@ -1,8 +1,13 @@
 [Unit]
 Description=Applies settings to create config files
 After=storewolf.service sundog.service early-boot-config.service apiserver.service
-Requires=apiserver.service
-Wants=storewolf.service sundog.service early-boot-config.service
+Requires=storewolf.service sundog.service early-boot-config.service
+# We don't want to restart the unit if apiserver restarts
+Wants=apiserver.service
+# Block manual interactions with this service, since it could leave the system in an
+# unexpected state
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
 Type=oneshot
@@ -12,4 +17,4 @@ RemainAfterExit=true
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/os/storewolf.service

@@ -2,6 +2,10 @@
 Description=Datastore creator
 After=migrator.service
 Requires=migrator.service
+# Block manual interactions with this service, since it could leave the system in an
+# unexpected state
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
 Type=oneshot
@@ -10,4 +14,4 @@ RemainAfterExit=true
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/os/sundog.service

@@ -1,8 +1,14 @@
 [Unit]
 Description=User-specified setting generators
-# Need network access to support commands talking to IMDS.
+# Needs network access to support commands talking to IMDS.
 After=network-online.target apiserver.service early-boot-config.service
-Requires=network-online.target apiserver.service
+Requires=early-boot-config.service
+# We don't want to restart the unit if the network goes offline or apiserver restarts
+Wants=network-online.target apiserver.service
+# Block manual interactions with this service, since it could leave the system in an
+# unexpected state
+RefuseManualStart=true
+RefuseManualStop=true
 
 [Service]
 Type=oneshot
@@ -13,4 +19,4 @@ RemainAfterExit=true
 StandardError=journal+console
 
 [Install]
-WantedBy=multi-user.target
+RequiredBy=preconfigured.target

packages/release/activate-configured.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Isolates configured.target
+After=preconfigured.target
+Requires=preconfigured.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl set-default configured
+ExecStart=/usr/bin/systemctl isolate default
+RemainAfterExit=true
+StandardError=journal+console
+
+[Install]
+WantedBy=preconfigured.target

packages/release/activate-multi-user.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Isolates multi-user.target
+After=configured.target
+Requires=configured.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl set-default multi-user
+ExecStart=/usr/bin/systemctl isolate default
+RemainAfterExit=true
+StandardError=journal+console
+
+[Install]
+WantedBy=configured.target

packages/release/configured.target

@@ -1,5 +1,8 @@
 [Unit]
-Description=Bottlerocket user and dynamic configuration complete
-After=settings-applier.service
-Requires=settings-applier.service early-boot-config.service
+Description=Bottlerocket final configuration complete
+After=preconfigured.target
+Requires=preconfigured.target
 AllowIsolate=yes
+
+[Install]
+RequiredBy=multi-user.target

packages/release/multi-user.target

@@ -0,0 +1,7 @@
+[Unit]
+Description=Multi-User System
+Documentation=man:systemd.special(7)
+Requires=basic.target configured.target
+Conflicts=rescue.service rescue.target
+After=basic.target rescue.service rescue.target configured.target
+AllowIsolate=yes

packages/release/preconfigured.target

@@ -0,0 +1,11 @@
+[Unit]
+Description=Bottlerocket initial configuration complete
+AllowIsolate=yes
+After=basic.target
+Requires=basic.target
+# Prevent manually starting/stopping the target
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Install]
+RequiredBy=configured.target multi-user.target

packages/release/release.spec

@@ -16,7 +16,11 @@ Source200: motd.template
 Source201: proxy-env
 
 Source1000: eth0.xml
+Source1001: multi-user.target
 Source1002: configured.target
+Source1003: preconfigured.target
+Source1004: activate-configured.service
+Source1005: activate-multi-user.service
 
 # Mounts for writable local storage.
 Source1006: prepare-local.service
@@ -108,7 +112,8 @@ EOF
 
 install -d %{buildroot}%{_cross_unitdir}
 install -p -m 0644 \
-  %{S:1002} %{S:1006} %{S:1007} %{S:1008} %{S:1009} %{S:1010} %{S:1015} \
+  %{S:1001} %{S:1002} %{S:1003} %{S:1004} %{S:1005} \
+  %{S:1006} %{S:1007} %{S:1008} %{S:1009} %{S:1010} %{S:1015} \
   %{buildroot}%{_cross_unitdir}
 
 LOWERPATH=$(systemd-escape --path %{_cross_sharedstatedir}/kernel-devel/lower)
@@ -129,6 +134,8 @@ install -d %{buildroot}%{_cross_templatedir}
 install -p -m 0644 %{S:200} %{buildroot}%{_cross_templatedir}/motd
 install -p -m 0644 %{S:201} %{buildroot}%{_cross_templatedir}/proxy-env
 
+ln -s %{_cross_unitdir}/preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
+
 %files
 %{_cross_factorydir}%{_cross_sysconfdir}/hosts
 %{_cross_factorydir}%{_cross_sysconfdir}/nsswitch.conf
@@ -138,6 +145,11 @@ install -p -m 0644 %{S:201} %{buildroot}%{_cross_templatedir}/proxy-env
 %{_cross_libdir}/os-release
 %{_cross_libdir}/systemd/system.conf.d/80-release.conf
 %{_cross_unitdir}/configured.target
+%{_cross_unitdir}/preconfigured.target
+%{_cross_unitdir}/multi-user.target
+%{_cross_unitdir}/default.target
+%{_cross_unitdir}/activate-configured.service
+%{_cross_unitdir}/activate-multi-user.service
 %{_cross_unitdir}/prepare-local.service
 %{_cross_unitdir}/var.mount
 %{_cross_unitdir}/opt.mount

packages/systemd/systemd.spec

@@ -212,6 +212,13 @@ install -p -m 0644 %{S:3} %{buildroot}%{_cross_libdir}/systemd/journald.conf.d/j
 # with container networking by attempting to manage veth devices.
 rm -f %{buildroot}%{_cross_libdir}/systemd/network/*
 
+# Remove default, multi-user and graphical targets provided by systemd,
+# we override default/multi-user in the release spec and graphical
+# is never used
+rm -f %{buildroot}%{_cross_libdir}/systemd/{system,user}/default.target
+rm -f %{buildroot}%{_cross_libdir}/systemd/{system,user}/multi-user.target
+rm -f %{buildroot}%{_cross_libdir}/systemd/{system,user}/graphical.target
+
 %files
 %license LICENSE.GPL2 LICENSE.LGPL2.1
 %{_cross_attribution_file}