This repository has been archived by the owner on May 30, 2023. It is now read-only.

sys-apps/ignition: add ignition-rmcfg #1948

Merged
merged 5 commits into from
Jun 14, 2022

@tormath1 tormath1 commented Jun 9, 2022

In this PR, we add the ignition-rmcfg command (in the root filesystem, not in the initramfs) to remove the Ignition configuration from the booted instance on VMWare and Virtualbox.

See also: GHSA-hj57-j5cw-2mwp


We could add a Mantle test to verify Ignition has been correctly removed from VMWare guestinfo.

No need to backport since ignition-2.14.0 is not yet released.

@tormath1 tormath1 self-assigned this Jun 9, 2022
@tormath1 tormath1 added the main label Jun 9, 2022
@tormath1 tormath1 force-pushed the tormath1/ignition-rmcfg branch 2 times, most recently from 54fb0d1 to 7d4e040 Compare June 14, 2022 07:56
@tormath1 tormath1 marked this pull request as ready for review June 14, 2022 10:42
@tormath1 tormath1 requested a review from a team June 14, 2022 10:43
@@ -0,0 +1 @@
- ignition ([CVE-2022-1706](https://nvd.nist.gov/vuln/detail/CVE-2022-1706))
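
Review bot: The added line gives only the package name and the CVE-2022-1706 link, with no word on what was fixed or in which Ignition version. The PR description references GHSA-hj57-j5cw-2mwp and ignition-2.14.0; naming the version in the entry, and linking the advisory if it describes the same issue, would let a changelog reader judge exposure without opening the PR.
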
Contributor

Maybe a change entry would be good in addition?

Contributor Author

@tormath1 tormath1 Jun 14, 2022

I was thinking the same - but it's part of the Ignition-2.14.0 changelog: https://coreos.github.io/ignition/release-notes/#changes which is already mentioned here: 83118a5.
Maybe it's good to add this: https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion which is not directly linked in the changelog.

Contributor

The change to enable it is done in this PR, so I think the operator notes link is very valuable here in case someone would have to opt out

Contributor Author

Ok, done. Thanks for the suggestion :)

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
this helper removes config from VMWare and Virtualbox and should not be
directly used by the user.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@@ -0,0 +1 @@
- VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata. Also see: https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion
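
Review bot: The entry is prefixed `VMWare:` only, while the PR description and the helper's commit message both say the config is removed on VMWare and Virtualbox. Mention Virtualbox here as well, or state that `ignition-delete-config.service` applies to VMWare only; it would also help to say how the service relates to the `ignition-rmcfg` helper the PR title names.
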
Contributor

@pothos pothos Jun 14, 2022

Suggested change
- VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata. Also see: https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion
- VMWare: Added `ignition-delete-config.service` to remove Ignition config from VM metadata, see also [here](https://coreos.github.io/ignition/operator-notes/#automatic-config-deletion) ([coreos-overlay#1948](https://github.com/flatcar-linux/coreos-overlay/pull/1948))

Without the markdown formatting I'm not sure if it becomes a clickable link in the homepage?

Contributor

have added a link to this PR, too

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
We add `sys-apps/ignition` as a `coreos-base/coreos` dependency to get
`/usr/libexec/ignition-rmcfg` available on the _real_ root.
Now we want `/usr/bin/ignition` to be in the chroot until it's being copied
to the initramfs but we don't want it on the actual root.

With `PKG_INSTALL_MASK`, we'll prevent `/usr/bin/ignition` from being added
to the image in the `./build_image` - at this time, initramfs is already
created and `sys-apps/ignition` is a binary package.

Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
@tormath1 tormath1 merged commit 57ed066 into main Jun 14, 2022
@tormath1 tormath1 deleted the tormath1/ignition-rmcfg branch June 14, 2022 11:56
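
The file layout described in the `PKG_INSTALL_MASK` commit message can be checked on an unpacked image root. The script below is an added example, not code from this PR or from the project: the function names are hypothetical, the unit's install directory is not stated on the page (so it is located by name), and it is an assumption that the unit ships on the real root.

```shell
#!/bin/sh
# Added example: audit an unpacked image root for the layout the commit
# message describes. Usage: check_image_root /path/to/unpacked/rootfs

# check_image_root ROOT
# Returns 0 when the layout matches, otherwise the number of failed checks.
check_image_root() {
    root=$1
    failures=0

    # The helper must be present and executable on the real root.
    if [ ! -x "$root/usr/libexec/ignition-rmcfg" ]; then
        echo "FAIL: /usr/libexec/ignition-rmcfg missing or not executable" >&2
        failures=$((failures + 1))
    fi

    # The main binary must have been masked out of the image.
    if [ -e "$root/usr/bin/ignition" ] || [ -L "$root/usr/bin/ignition" ]; then
        echo "FAIL: /usr/bin/ignition is present on the real root" >&2
        failures=$((failures + 1))
    fi

    # The unit named in the changelog entry should ship somewhere under ROOT
    # (assumption). Its directory is not given on the page, so search by name.
    unit=$(find "$root" -name ignition-delete-config.service \
        \( -type f -o -type l \) 2>/dev/null | head -n 1)
    if [ -z "$unit" ]; then
        echo "FAIL: ignition-delete-config.service not found" >&2
        failures=$((failures + 1))
    fi

    return "$failures"
}

# make_sample_root DIR: build a constructed sample tree that passes the audit.
# The systemd directory used here is a constructed placeholder location.
make_sample_root() {
    mkdir -p "$1/usr/libexec" "$1/usr/bin" "$1/usr/lib/systemd/system"
    printf '#!/bin/sh\n' > "$1/usr/libexec/ignition-rmcfg"
    chmod 0755 "$1/usr/libexec/ignition-rmcfg"
    : > "$1/usr/lib/systemd/system/ignition-delete-config.service"
}
```
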