boot.mount: generate from initrd

We originally had it created from a systemd generator in the real root, but that was because we only wanted `/boot/efi` to be mounted on EFI systems. Nowadays, we no longer mount `/boot/efi` anyway. We still need some dynamicity for multipath handling though, so we can't just have it be a static `boot.mount`. Let's at least move it to the initramfs, where it's nicer to generate from because (1) we don't need dynamicity *per-boot* so a generator is overkill, (2) errors in generating the mount will fail the boot, and (3) a future patch will add some more dynamicity.
coreos · Oct 1, 2021 · a43b2cb · a43b2cb
1 parent 182dba5
commit a43b2cb
Show file tree

Hide file tree

Showing 2 changed files with 47 additions and 80 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh
@@ -33,3 +33,50 @@ root=$(karg root)
 if [ -z "${root}" ]; then
     /usr/bin/rdcore rootmap /sysroot --boot-mount ${bootmnt}
 fi
+
+# Generate the boot mount unit for the real root. Allow an Ignition config to
+# override it.
+mntfile=/etc/systemd/system/boot.mount
+if [ ! -f "/sysroot/${mntfile}" ]; then
+    # If the root device is multipath, hook up /boot to use that too,
+    # based on our custom udev rules in 90-coreos-device-mapper.rules
+    # that creates "label found on mpath" links.
+    # Otherwise, use the usual by-label symlink.
+    # See discussion in https://github.com/coreos/fedora-coreos-config/pull/1022
+    # TODO add equivalent of getargbool() so we handle rd.multipath=0
+    if [ -n "$(karg rd.multipath)" ]; then
+        bootdev=/dev/disk/by-label/dm-mpath-boot
+    fi
+
+    devservice=$(systemd-escape -p "${bootdev}" --suffix=service)
+
+    # We mount read-only by default mostly to protect
+    # against accidental damage.  Only a few things
+    # owned by CoreOS should be touching /boot or the ESP.
+    # Use nodev,nosuid because some hardening guides want
+    # that even though it's of minimal value.
+    options=ro,nodev,nosuid
+
+    cat > "/sysroot/${mntfile}" <<EOF
+[Unit]
+Description=CoreOS Mount for /boot
+Documentation=https://github.com/coreos/fedora-coreos-config
+
+Before=local-fs.target
+Requires=systemd-fsck@${devservice}
+After=systemd-fsck@${devservice}
+
+[Mount]
+What=${bootdev}
+Where=/boot
+Options=${options}
+
+[Install]
+WantedBy=local-fs.target
+EOF
+
+    systemctl -q --root="/sysroot" enable boot.mount
+    # relabel mount file and symlink (the latter doesn't really matter, but we
+    # might as well)
+    coreos-relabel "${mntfile}" /etc/systemd/system/local-fs.target.wants
+fi
diff --git a/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator b/overlay.d/05core/usr/lib/systemd/system-generators/coreos-boot-mount-generator