94171f104c
Systemd, depending on the version and the configuration, can attempt to open urandom when a ramdisk boots, before udevd is launched to handle the devices. In particular in FIPS mode, this can result in the ramdisk crashing. In order to handle this, we pre-create the character device files, which can be used statically in the early start sequence to allow the agent to boot and deploy. Change-Id: I587e66a0d6b652c4aeca6fc211602d999d4641e8
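#!/bin/bash
#
# Finalise an ironic-python-agent (IPA) ramdisk: write a disabled fstab,
# create the /init entry point and the random-device nodes needed before
# udevd runs, prune the target root, pack it into ${IMAGE_NAME}.initramfs
# and copy the selected kernel to ${IMAGE_NAME}.kernel.
#
# Required environment:
#   TARGET_ROOT  - built root filesystem to pack (must be non-empty)
#   IMAGE_NAME   - output image base name (resolved with readlink -f)
#   _LIB         - directory holding the dib img-functions helpers
# Optional environment:
#   DIB_DEBUG_TRACE       - >0 enables `set -x`
#   DIB_IPA_COMPRESS_CMD  - compressor for the cpio stream (default: gzip)
#   DIB_IPA_MINIMAL_PRUNE - >0 keeps share/lib/include paths in the ramdisk
#
# dib-lint: disable=safe_sudo

if [ "${DIB_DEBUG_TRACE:-0}" -gt 0 ]; then
  set -x
fi
set -eu
set -o pipefail

# Fail here rather than cd-ing into (and packing) an empty path.
[ -n "$TARGET_ROOT" ]

USER=${USER:-$(whoami)}

source "$_LIB/img-functions"

IMAGE_PATH=$(readlink -f "$IMAGE_NAME")
cd "$TARGET_ROOT"

# Operator-supplied compressor. It is deliberately expanded unquoted
# where it is run, so a value such as "xz -9" splits into a command
# plus its arguments.
DIB_IPA_COMPRESS_CMD="${DIB_IPA_COMPRESS_CMD:-gzip}"

# The ramdisk mounts nothing from fstab; install a disabled placeholder.
echo "#disabled" > ./tmp/fstab.new
sudo mv ./tmp/fstab.new ./etc/fstab
# /init is what the kernel execs from an initramfs; point it at systemd.
sudo ln -s ./sbin/init ./

# NOTE(TheJulia): Make a random and urandom entry to handle
# long standing systemd bug cases where it may, depending on
# underlying OS config/version, try to open the random number
# generator before initializing.
# This class of issue has appeared frequently with systemd,
# https://github.com/systemd/systemd/issues/4167 is a commonly
# referenced example of this behavior.
# NOTE(review): mknod honours the caller's umask, so these nodes are
# not necessarily 0666 until udev re-applies its rules; pass `-m 0666`
# if unprivileged early-boot readers turn out to need them — confirm.
if ! [ -e ./dev/random ]; then
  sudo mknod ./dev/random c 1 8
fi
if ! [ -e ./dev/urandom ]; then
  sudo mknod ./dev/urandom c 1 9
fi

# Prune expressions are held in arrays rather than strings: every element
# stays a single argument to find, which sidesteps the shell-quoting
# hurdles JayF noted when these expressions live in string variables.
# Paths pruned from every ramdisk, regardless of DIB_IPA_MINIMAL_PRUNE.
prune_always=(
  -path './sys/*' -prune -o
  -path './tmp/*' -prune -o
  -path './boot/*' -prune -o
  -path './root/.cache' -prune -o
)
# Additional paths dropped only by the full prune. The pci.ids, which is
# used by lshw, is located on Ubuntu in /usr/share/misc, therefore only
# ./usr/share/misc/m* is removed (the magic and magic.mgc files); on RHEL
# pci.ids lives at /usr/share/hwdata/pci.ids.
prune_full=(
  -path "*site-packages/babel/locale-data/*" -prune -o
  -path './usr/include/*' -prune -o
  -path './usr/lib/locale/*' -prune -o
  -path './usr/share/doc/*' -prune -o
  -path './usr/share/man/*' -prune -o
  -path './usr/share/GeoIP/*' -prune -o
  -path './usr/share/info/*' -prune -o
  -path './usr/share/licenses/*' -prune -o
  -path './usr/share/locale/*' -prune -o
  -path './usr/share/misc/m*' -prune -o
  -path './usr/src/kernels/*' -prune -o
  -path './var/cache/*' -prune -o
  -path './var/log/*' -prune -o
)
# Compiled Python artefacts are never shipped.
prune_files=(
  -name '*.pyc' -prune -o
  -name '*.pyo' -prune -o
)

if [ "${DIB_IPA_MINIMAL_PRUNE:-0}" -gt 0 ]; then
  # Operator opted out of full ramdisk pruning; do not proactively remove
  # directories that may be in use by other elements/packages.
  prune_expr=("${prune_always[@]}" "${prune_files[@]}")
else
  # Full prune, leading to the smallest possible ramdisk size. This may
  # break operator-configured packages or elements that depend on the
  # pruned paths.
  prune_expr=("${prune_always[@]}" "${prune_full[@]}" "${prune_files[@]}")
fi

# pipefail (set above) makes a failure in any stage abort the script.
# shellcheck disable=SC2086 -- DIB_IPA_COMPRESS_CMD is word-split on purpose
sudo find . -xdev "${prune_expr[@]}" -print \
  | sudo cpio -o -H newc \
  | ${DIB_IPA_COMPRESS_CMD} > "${IMAGE_PATH}.initramfs"

# Presumably sets BOOTDIR and KERNEL (helper from $_LIB/img-functions);
# nothing else in this script assigns them — verify against img-functions.
select_boot_kernel_initrd "$TARGET_ROOT"
sudo cp "$BOOTDIR/$KERNEL" "${IMAGE_PATH}.kernel"
sudo chown "$USER": "${IMAGE_PATH}.kernel"
# Output image sizes for debugging (the trailing glob is intentional).
sudo ls -lh "${IMAGE_PATH}".*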