When run ignition on a device mapper, ie, multipath, it fails because
the function blockDevHeld returns true as the block device
contains holders. A block device with holders do not necessary means
the block device is in use (like mounted).
The function blockDevInUse will not check if it is a device mapper
and if so, do not check for blockDevHeld.
Signed-off-by: Tiago Bueno <tiago.bueno@gmail.com>
Wrap the inner loop code in an anonymous function to make sure that
defer calls are triggered for each iteration of the loop and join all
errors as needed.
Diff best viewed with whitespace changes hidden.
Those errors are unlikely to happen and neither is fatal nor a bug as
the file is written in a temporary folder in the initramfs that is
removed before moving to the real root.
Thus log them and ignore them for as we don't want to start failing on
those if we did not before.
Fixes lint:
```
Error return value of `keyFile.Close` is not checked (errcheck)
Error return value of `os.Remove` is not checked (errcheck)
```
Log errors in test code.
Fixes lint:
```
Error return value of `os.RemoveAll` is not checked (errcheck)
Error return value of `os.RemoveAll` is not checked (errcheck)
```
Keep the current behavior as we likely don't have test verifying that
and we don't want to start failing on things that were passing before.
Fixes lint:
```
internal/exec/util/file.go:210:17: Error return value of `tmp.Close` is not checked (errcheck)
internal/exec/util/file.go:219:17: Error return value of `os.Remove` is not checked (errcheck)
internal/exec/util/file.go:247:25: Error return value of `targetFile.Close` is not checked (errcheck)
internal/exec/util/file.go:302:17: Error return value of `dfd.Close` is not checked (errcheck)
internal/exec/util/passwd.go:178:10: Error return value of `f.Close` is not checked (errcheck)
internal/exec/util/selinux.go:45:19: Error return value of `file.Close` is not checked (errcheck)
internal/exec/util/unit.go:195:18: Error return value of `file.Close` is not checked (errcheck)
```
At this point, the file has been created without error, so the execution
can continue and the logic will not change if we ignore this error.
Failure here seams unlikely.
Fixes lint:
```
Error return value of `f.Close` is not checked (errcheck)
```
The linter found staticcheck and errorcheck issues. Deferred statements now use join to combine any new error with an existing one, preventing error information from being lost. Other minor error checks, like for printing text and flushing data have also been addressed.
From https://man7.org/linux/man-pages/man2/lchown.2.html:
> When the owner or group of an executable file is changed by an
> unprivileged user, the S_ISUID and S_ISGID mode bits are cleared.
> POSIX does not specify whether this also should happen when root
> does the chown(); the Linux behavior depends on the kernel version,
> and since Linux 2.2.13, root is treated like other users.
Fixes: #2042
From https://man7.org/linux/man-pages/man2/lchown.2.html:
> When the owner or group of an executable file is changed by an
> unprivileged user, the S_ISUID and S_ISGID mode bits are cleared.
> POSIX does not specify whether this also should happen when root
> does the chown(); the Linux behavior depends on the kernel version,
> and since Linux 2.2.13, root is treated like other users.
Fixes: #2042
The Vet in Go 1.24 will add a new check to the printf analyzer that
"reports a diagnostic for calls of the form `fmt.Printf(s)`, where
`s` is a non-constant format string, with no other arguments.
Such calls are nearly always a mistake as the value of `s` may contain
the `%` symbol; use `fmt.Print` instead."
Alpine Linux does not include systemd’s journal, which causes Ignition
to emit warnings when attempting to log. This PR introduces a check to
determine if the journal is available on the current distribution, and
skips logging to the journal when it is not present.
Signed-off-by: Kevin Cui <bh@bugs.cc>
The sgdisk tool does not update the kernel partition table with BLKPG in
contrast to other similar tools but only uses BLKRRPART which fails as
soon as one partition of the disk is mounted.
Update the kernel partition table with partx when we know that a
partition of the disk is in use.
When a partition or the whole disk is in use, sgdisk should not execute
the destructive operation.
Add a check that errors out when a disk in use or a partition in use is
to be destroyed.
Extend the `luks` schema to support a new `cex` key. When enabled, the
volume key of the LUKS device uses a secure key generated using a CEX
card. The keyfile to unlock the volume is not considered confidential.
Closes: #1693
Co-authored-by: Jonathan Lebon <jonathan@jlebon.com>
The code that handles systemd unit enablement via preset will no op if
disabling a systemd unit that is already disabled, which means that we
wouldn't create a preset file in that case. But we did mark the preset
file as needing relabeling unconditionally. Since `setfiles` errors out
if you pass it a path that doesn't exist, this would break boot.
Fix this by filtering out all entries that don't exist right before we
call `setfiles`. Another approach would've been to only mark the file
for relabeling if we actually did write the file, but this is more
complex than it seems because the relabeling logic needs to know what
is the first component in the path that had to be created. So we'd need
logic both before and after file creation.
This isn't user-reported; we hit this in a CI test.
When `wipeTable` is enabled, we run `sgdisk --zap-all`. But if the table
was corrupted in the first place, `sgdisk` will exit with code 2 which
then breaks boot.
As a workaround, Ignition used to retry the invocation but the context
around it was lost in #544 and #1149 and the retry was removed and
the error-checking was added.
So this patch effectively re-applies 94c98bcb ("sgdisk: retry zap-all
operation on failure"), but now with a comment and a test to make sure
we don't regress again.
Closes: https://github.com/coreos/fedora-coreos-tracker/issues/1596
The "udevadm settle" command used to wait for udev to process the disk
changes and recreate the entries under /dev was still prone to races
where udev didn't get notified yet of the final event to wait for.
This caused the boot with a btrfs root filesystem created by Ignition
to fail almost every time on certain hardware.
Issue tagged events and wait for them to be processed by udev. This is
actually meanigful in all stages not only for the other parts of the
initramfs which may be surprised by sudden device nodes disappearing
shortly like the case was with systemd's fsck service but also for the
inter-stage dependencies which currently are using the waiter for
systemd device units but that doesn't really prevent from races with
udev device node recreation. Thus, these changes are complementary to
the existing waiter which mainly has the purpose to wait for unmodified
devices. For newly created RAIDs we can wait for the new node to be
available as udev will not recreate it.
When mounting filesystems, Ignition was relabeling the mountpoint
directory even if it previously existed.
This isn't necessary, and fails if the mountpoint is on a read-only
filesystem, such as /usr/share/oem on Flatcar.
Relabel the mountpoint only if we create it.
Fixes: https://github.com/coreos/ignition/issues/1452
Ignition depends on `systemctl disable` for disabling units. Currently
if the unit does not exist `systemctl disable` exits 1; however, before
systemd 252 `systemctl disable` exits 0 if `--root` is specified. Since
Ignition depends on systemctl's exit code the new behavior caused a
regression, causing the unit.remove.symlinks blackbox test to fail with:
removing enablement symlink(s) for "enoent.service": cannot remove symlink(s) for enoent.service: exit status 1: "Failed to disable unit, unit enoent.service does not exist.\n"
Before disabling a unit, use `systemctl is-enabled` to verify that the
unit exists and is enabled.
Fixes coreos https://github.com/coreos/ignition/issues/1614
The Hyper-V provider will need to write out state for hv_kvp_daemon.
Add a way for provider fetch functions to return []types.File which
will be saved in State and written out during files stage. Also add a
utility function a provider can use to create a types.File.
Since this functionality should not be used by most providers, avoid
adding an extra argument or return value to every fetch function. Instead,
define an alternative fetch function that will be used if declared in
the registration.
The cmdline and system providers shouldn't be registered with the registry
because we don't want to allow looking them up by name; they're
special-cased in Engine. However, we can still provide Config wrapper
structs for them to simplify their use in Engine.
The platform Config.NewFetcherFunc() and Config.InitFunc() wrappers are
unnecessarily zero-argument accessors that return a function pointer.
Have them call the underlying function directly, like the newer methods.
Note that Config.FetchFunc() still needs to return a function pointer.
Expand schema for 3_4_exp with an advertisement field to allow for
Ignition to support Tang offline provisioning by passing the supplied
advertisement field during first boot's device bind. Fixes #1474
Ignition has never supported LUKS1, so we can't ever try to reuse a
LUKS1 volume created by Ignition. However, a LUKS1 volume may have been
created outside of Ignition, in which case we would conclude that the
volume was not LUKS and clobber it, causing data loss. Detect this case
and fail instead.
If the partition wasn't previously formatted as a LUKS volume, cryptsetup
is supposed to exit non-zero; that's why we're calling it. The resulting
log message was always spurious, but is now more visible since Ignition
errors are shown by c-l-h-m.
There are other options that can be stored in the LUKS header with
--persistent, including notably --perf-no_read_workqueue and
--perf-no_write_workqueue, which can improve performance. We usually
provide options arrays to support advanced features, so add one here.
Since this is an escape hatch feature, we don't try to implement full
option matching in the volume reuse semantics; we just update any reused
volume to use the currently specified open options.
Discard improves performance and longevity on SSDs and space utilization
on thinly-provisioned SAN devices, but also leaks information. It's an
open-time option, not a create-time one, so it can't be enabled via the
options field. Add a spec field to enable it.
For https://github.com/coreos/fedora-coreos-tracker/issues/1392.
After poking around the existing tests it was evident that the
accumulative style of testing used on the `fetch-offline` code caused
some confusing results due to its overlapping nature. To address this
the test structure has been pivoted to a more direct approach.
The lines of the 20-ignition.preset file were being written in arbitrary
order. This shouldn't affect its semantics, but could cause ignition-apply
to produce different filesystem trees from identical configs, breaking
reproducible container builds. Sort the list of units before writing it
out.
Fixes https://github.com/coreos/ignition/issues/1339
