05core: make coreos-secex-ignition-decrypt.service virtio device dep …

…explicit The decryption script requires the encrypted Ignition virtio device to be present. Previously, we used `Before=coreos-gpt-setup.service`, which I think ran late enough that the device would always be present by then. But we've now moved that service and `After=systemd-udevd.service` isn't good enough so the service now fails because the device doesn't exist. Fix this by directly listing the requirement on the device in the unit, which is more explicit anyway. And because of systemd's "ConditionPathExists don't turn off Requires" semantic, make the unit dynamically enabled by the diskful generator. As a bonus, we now have one less service in the default initramfs transaction (which actually was getting pulled in on all arches too).
coreos · Nov 6, 2023 · 48ad3a3 · 48ad3a3
1 parent b509dbe
commit 48ad3a3
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 3 deletions.
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-diskful-generator
@@ -145,4 +145,9 @@ StandardOutput=null
 StandardError=null
 EOF
     done
+
+    # This one is done dynamically because it hard Requires a device to appear
+    # and if it's always part of the transaction, systemd will want the device
+    # to appear regardless of ConditionPathExists.
+    add_requires coreos-secex-ignition-decrypt.service ignition-diskful.target
 fi
diff --git a/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service b/...d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-secex-ignition-decrypt.service
@@ -1,3 +1,5 @@
+# This service is enabled by coreos-diskful-generator
+
 [Unit]
 Description=CoreOS Secex Ignition Config Decryptor
 ConditionPathExists=/etc/initrd-release
@@ -7,8 +9,9 @@ DefaultDependencies=false
 OnFailure=emergency.target
 OnFailureJobMode=isolate
 
-# Run after udevd and before Ignition
-After=systemd-udevd.service
+# Run after the crypt device becomes available and before Ignition
+Requires=dev-disk-by\x2did-virtio\x2dignition_crypted.device
+After=dev-disk-by\x2did-virtio\x2dignition_crypted.device
 Before=ignition-fetch-offline.service
 
 [Service]

diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/module-setup.sh
@@ -83,7 +83,8 @@ install() {
 
     # IBM Secure Execution. Ignition config for reencryption of / and /boot
     inst_simple "$moddir/01-secex.ign" /usr/lib/coreos/01-secex.ign
-    install_ignition_unit "coreos-secex-ignition-decrypt.service"
+    inst_simple "$moddir/coreos-secex-ignition-decrypt.service" \
+        "$systemdsystemunitdir/coreos-secex-ignition-decrypt.service"
     inst_script "$moddir/coreos-secex-ignition-decrypt.sh" \
         "/usr/sbin/coreos-secex-ignition-decrypt"