How to handle Ignition first-boot detection

[cgonyeo]

Located here for lack of a better location to put this issue up.

Ignition should only run once. On CL today this is handled by detecting a file on the boot partition in the grub config. If this file is noticed a kernel command line argument is set, which a systemd generator in the initrd notices and then enables the Ignition units. One of these units then deletes the file once Ignition succeeds.

The way I see it there are two main options for achieving this in red hat land:

Detect a file on the boot partition via the grub config

Similar (identical, really) logic as CL could be used in the grub config of RHCOS to trigger Ignition. Additionally it's really straightforward to enable networking in the initrd by adding some kernel command line arguments, so adding those only when Ignition is going to run would be easy.

The biggest downside I see is that this solution becomes much trickier to implement in an RPM for a system that doesn't include Ignition by default (e.g. Fedora). Modifying the grub config for the sake of Ignition on those platforms seems like a bad idea, so if RHCOS goes with this solution a different one will need to be devised for Fedora/etc.

Detect a file on the boot partition via Ignition's systemd generator

A systemd generator is used in the initrd to determine if Ignition should run. This generator could look for the file on the boot partition itself, and enable the network and Ignition when its present.

The downsides of this are:

• I already tried this, but the generator was failing for reasons I don't understand. I may have simply had a programming error, but the generator would succeed when manually run from an emergency shell, so I think the generators run early enough to be racing with udev.
• The generator needs to be able to find the boot partition, so we'll need to mandate that the boot partition has a well known label (e.g. boot). Such a mandate may not be possible on other platforms such as Fedora.
• I have yet to find a reasonable way to start the network once the initrd is running. Finding someone more experienced with dracut may make this a non-issue.

---

I'd love people's thoughts on this, especially on if I'm missing any other big positives/negatives for this approach or if we should strive to keep the RHCOS run-Ignition-once solution the same as we use on other platforms.

[ashcrow]

Detect a file on the boot partition via Ignition's systemd generator

To me this is the more attractive option. I'd like to have unified ignition usage between Fedora/etc.. and CoreOS. Is the testing artifacts you used available somewhere that others could poke around and see if they notice what's breaking?

[cgwalters]

On CL today does it modify the bootloader commandline, or is state stored in the partition table?

If a boot partition exists today in a Fedora-derived system (including FAH, although ostree+grub2 kind of requires a /boot partition), indeed it's mounted by the post-bootloader as part of the normal /etc/fstab processing in post-switchroot. Nothing by default is going to mount it beforehand.

My vote would be to store the "booted" state in /etc somewhere - it's guaranteed to be on the rootfs, and mounting that is the whole point of the initrd. So, /etc/ignition.booted or something?

[bgilbert]

Here's what CL is doing today.

Storing a flag file in /etc could work. In general I think it's slightly better to remove a flag file than to add one (since people might be more tempted to delete an existing file to try to rerun Ignition) but that approach may not make sense here.

[ashcrow]

Any other comments before we come to a conclusion on this?

[dustymabe]

My vote would be to store the "booted" state in /etc somewhere

I think this might be problematic because of ignition-disks.service which i think needs to run before the root filesystem is mounted.