allow layered nodes to revert to non-layered
This adds code that reverts from a layered MachineConfigPool to a non-layered MachineConfigPool. Why this was so troublesome is:

- When a MachineConfig is written to the node, it is placed in the portions of the filesystem that are mutable according to ostree.
- When a container image containing those MachineConfigs is written onto the node using rpm-ostree, it technically overwrites those preexisting MachineConfigs. In doing so, the container is now claiming (for lack of a better term) ownership of those files.
- The "factory" OS image does not contain these MachineConfigs.
- So when we roll back from the customized image to the "factory" image, because the MachineConfig files on disk are now owned by the customized container, they are removed when the factory OS image is rebased.

If an ad-hoc file is written to a mutable part of the filesystem after the container has been applied, provided that the container does not claim ownership of a file with the same name, the ad-hoc file will persist after a reboot. To take full advantage of this fact, this does the following:

1. Introduces a `machine-config-daemon-revert.service` systemd service, which is disabled by default. The contents of this are similar to the `machine-config-daemon-firstboot.service`, with the exception being that it is required by a default system target.
2. In the event that a revert is detected, this file is cloned to a different service name in the systemd root (`/etc/systemd/system`).
3. The systemd service is then enabled, and the new MachineConfig is written to disk under `/etc/ignition-machine-config-encapsulated.json`.
4. The node reboots.
5. During the bootup, the new service detects the presence of `/etc/ignition-machine-config-encapsulated.json` and runs the MCD in bootstrap mode to rewrite all of the configs to disk. This (unfortunately) includes a second node reboot.
6. Following the second node reboot, the node should be in the reverted configuration.
1 parent 613885d, commit f841c70
Showing 6 changed files with 214 additions and 23 deletions.
templates/common/_base/units/machine-config-daemon-revert.service.yaml (26 additions & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
name: machine-config-daemon-revert.service | ||
mask: true | ||
enabled: false | ||
contents: | | ||
[Unit] | ||
Description=Machine Config Daemon Revert | ||
# Make sure it runs only on OSTree booted system | ||
ConditionPathExists=/run/ostree-booted | ||
# Removal of this file signals firstboot completion | ||
ConditionPathExists=/etc/ignition-machine-config-encapsulated.json | ||
After=network.target | ||
[Service] | ||
Type=oneshot | ||
RemainAfterExit=yes | ||
# Disable existing repos (if any) so that OS extensions would use embedded RPMs only | ||
ExecStartPre=-/usr/bin/sh -c "sed -i 's/enabled=1/enabled=0/' /etc/yum.repos.d/*.repo" | ||
# Run this via podman because we want to use the nmstatectl binary in our container | ||
ExecStart=/usr/bin/podman run --authfile=/var/lib/kubelet/config.json --rm --privileged --net=host -v /:/rootfs --entrypoint machine-config-daemon '{{ .Images.machineConfigOperator }}' firstboot-complete-machineconfig --persist-nics | ||
ExecStart=/usr/bin/podman run --authfile=/var/lib/kubelet/config.json --rm --privileged --pid=host --net=host -v /:/rootfs --entrypoint machine-config-daemon '{{ .Images.machineConfigOperator }}' firstboot-complete-machineconfig | ||
{{if .Proxy -}} | ||
EnvironmentFile=/etc/mco/proxy.env | ||
{{end -}} | ||
[Install] | ||
RequiredBy=multi-user.target |
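Review bot: `mask: true` together with `enabled: false` looks contradictory for a unit whose contents are meant to be cloned later: if a masked unit is handled by symlinking `/etc/systemd/system/machine-config-daemon-revert.service` to `/dev/null` and skipping its contents, there will be no unit file to copy to a new service name when a revert is detected; please confirm the intended semantics or drop `mask: true`. The comment `# Removal of this file signals firstboot completion` above `ConditionPathExists=/etc/ignition-machine-config-encapsulated.json` is carried over from the firstboot unit and should say that the file's presence is what triggers the revert. Also, the `ExecStartPre` `sed` that flips `enabled=1` to `enabled=0` across `/etc/yum.repos.d/*.repo` has no corresponding restore step in this unit, so a reverted node keeps its repos disabled; either document that or restore them once the revert completes.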