
refactor: clear net config from initrd via NM config #156

Merged

Conversation

maddymeows
Contributor

Uses a NetworkManager config drop in file to accomplish the equivalent of the previous network flushing dracut module.

I have no idea how correct my approach is, I took the general approach from another system role I found. Nor do I know of any way to properly test this on real systems.

Closes #155

@maddymeows maddymeows force-pushed the clear-initrd-netcfg-via-nm-conf branch from fa16f9c to 0330316 Compare April 17, 2024 17:04
@maddymeows maddymeows changed the title Clear network config from initrd via NM config feat: clear net config from initrd via NM config Apr 17, 2024
@richm
Contributor

richm commented Apr 17, 2024

[citest]

@richm
Contributor

richm commented Apr 17, 2024

Nice! And - this just might allow the role to work on rpm-ostree and other image-based systems . . .

@maddymeows
Contributor Author

> Nice! And - this just might allow the role to work on rpm-ostree and other image-based systems . . .

I believe there's some additional rpm-ostree prep that would need to be done because of package installation, from what I gathered looking at roles that do support it.

@richm
Contributor

richm commented Apr 17, 2024

>> Nice! And - this just might allow the role to work on rpm-ostree and other image-based systems . . .
>
> I believe there's some additional rpm-ostree prep that would need to be done because of package installation, from what I gathered looking at roles that do support it.

That is correct.

@maddymeows maddymeows force-pushed the clear-initrd-netcfg-via-nm-conf branch from 0330316 to efdf8ec Compare April 17, 2024 21:44
@richm richm changed the title feat: clear net config from initrd via NM config refactor: clear net config from initrd via NM config Apr 18, 2024
@richm
Contributor

richm commented Apr 18, 2024

I'm changing this to a refactor instead of a feat - it's changing the underlying implementation, and should not be visible to end users. A feat is something that will typically be visible to users - a new parameter listed in defaults/main.yml and README.md, or other big change to the functionality.

@richm richm merged commit e1a6f3b into linux-system-roles:main Apr 18, 2024
18 checks passed
@richm
Contributor

richm commented May 10, 2024

@maddymeows @sergio-correia with this patch, does the nbde_client role still need to rebuild initramfs - that is - it still needs to run the handler https://github.com/linux-system-roles/nbde_client/blob/main/handlers/main.yml ? which is currently doing

        "dracut",
        "-fv",
        "--regenerate-all" 

?
If so, then unfortunately this doesn't help rpm-ostree:

dracut: Executing: /usr/bin/dracut --kver=5.14.0-444.el9.x86_64 -fv
dracut: Can't write to /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64: Directory /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64 does not exist or is not accessible.

@sergio-correia
Member

> @maddymeows @sergio-correia with this patch, does the nbde_client role still need to rebuild initramfs - that is - it still needs to run the handler https://github.com/linux-system-roles/nbde_client/blob/main/handlers/main.yml ? which is currently doing
>
>         "dracut",
>         "-fv",
>         "--regenerate-all"
>
> ? If so, then unfortunately this doesn't help rpm-ostree:
>
> dracut: Executing: /usr/bin/dracut --kver=5.14.0-444.el9.x86_64 -fv
> dracut: Can't write to /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64: Directory /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64 does not exist or is not accessible.

@jlebon: Hi, would you be able to help here, please? I am not entirely sure if we need to rebuild the initramfs on ostree systems.

@maddymeows
Contributor Author

> @maddymeows @sergio-correia with this patch, does the nbde_client role still need to rebuild initramfs - that is - it still needs to run the handler https://github.com/linux-system-roles/nbde_client/blob/main/handlers/main.yml ? which is currently doing
>
>         "dracut",
>         "-fv",
>         "--regenerate-all"
>
> ? If so, then unfortunately this doesn't help rpm-ostree:
>
> dracut: Executing: /usr/bin/dracut --kver=5.14.0-444.el9.x86_64 -fv
> dracut: Can't write to /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64: Directory /boot/efi/706714ad34de45c39d09e185f5baedd7/5.14.0-444.el9.x86_64 does not exist or is not accessible.

I believe initramfs generation on rpm-ostree systems is done with rpm-ostree initramfs --enable.

I'm also unsure about kernel cmdline now that I think of it, I believe the build process is isolated in a way from the live system which means it can't read /etc/dracut.conf.d. I believe use of rpm-ostree kargs is mandatory for adding something like rd.neednet=1.

@jlebon

jlebon commented May 17, 2024

Hi,

> @maddymeows @sergio-correia with this patch, does the nbde_client role still need to rebuild initramfs - that is - it still needs to run the handler main/handlers/main.yml ? which is currently doing

AIUI, the /etc/NetworkManager/conf.d/ dropin added here only needs to be present in the real root, not the initramfs, so rebuilding the initramfs should not be necessary. I'd consider @bengal the authoritative source on this though. :)

The /etc/dracut.conf.d/ dropin would require a rebuild but at least on rpm-ostree/bootc systems, it's much much nicer to actually add a kernel argument instead. You can do this using rpm-ostree kargs as @maddymeows mentioned.

For more general context, the commit message of latchset/clevis@c52caeb might be of interest.

That said, I should also mention that with the latest image mode efforts, there's interest in being able to run Ansible playbooks as part of image building (see e.g. this example). It's possible to rebuild the initramfs also in this flow (see e.g. this example), but ideally soon one will instead be able to affect the kernel cmdline by dropping in a file in a directory as part of the container build and bootc would know to add the karg during deployment. That story is still developing though, so just something to keep in mind for now.

@bengal

bengal commented May 17, 2024

The following configuration:

[device]
keep-configuration=no
allowed-connections=except:origin:nm-initrd-generator

only needs to be present in the real root, as it tells NM running there to not use the connection profiles inherited from initrd.

It would be better to name the section something like [device-00-nbde_client] instead of [device] because the latter could be overridden by other configuration files with the same section name.

@maddymeows
Contributor Author

> AIUI, the /etc/NetworkManager/conf.d/ dropin added here only needs to be present in the real root, not the initramfs, so rebuilding the initramfs should not be necessary. I'd consider @bengal the authoritative source on this though. :)

That's correct, but would need to keep in mind that clevis-dracut brings in a dracut module, which, if not present in the base image, would still require a rebuild of the initramfs image. I believe it's in the base image for FCOS but I wouldn't know about others.

> It would be better to name the section something like [device-00-nbde_client] instead of [device] because the latter could be overridden by other configuration files with the same section name.

Interesting, I think I misunderstood the examples on how to use the [device] section, but it appears you're correct. Though looking at the manual they're not sorted and are parsed in order of appearance, so I wouldn't put in the 00 to remove false assumptions on parsing priority.
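
The section-name collision @bengal describes above can be checked before a drop-in is deployed. The following is an added example, not code from this pull request or the nbde_client role: it merges a set of conf.d-style files and reports keys that a later file overwrites. The file names and the `90-site.conf` contents are constructed, and the merge rule (lexical file order, later value wins for the same section and key) is an assumption of the example.

```python
import configparser

# Constructed sample drop-ins (file name -> contents); not taken from the role.
COLLIDING = {
    "10-nbde_client.conf": "[device]\nkeep-configuration=no\n"
                           "allowed-connections=except:origin:nm-initrd-generator\n",
    "90-site.conf": "[device]\nkeep-configuration=yes\n",
}
RENAMED = {
    "10-nbde_client.conf": "[device-nbde_client]\nkeep-configuration=no\n"
                           "allowed-connections=except:origin:nm-initrd-generator\n",
    "90-site.conf": "[device]\nkeep-configuration=yes\n",
}


def parse(text):
    """Parse one keyfile-style drop-in into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def audit(dropins):
    """Return (merged, collisions) for a conf.d-like set of files.

    Assumption: files merge in lexical name order and a later file's value
    replaces an earlier one for the same section and key.
    collisions: list of (section, key, losing_file, winning_file).
    """
    merged, owner, collisions = {}, {}, []
    for name in sorted(dropins):
        for section, keys in parse(dropins[name]).items():
            for key, value in keys.items():
                prev = owner.get((section, key))
                if prev is not None and merged[section][key] != value:
                    collisions.append((section, key, prev, name))
                merged.setdefault(section, {})[key] = value
                owner[(section, key)] = name
    return merged, collisions
```

With `COLLIDING`, the role's `keep-configuration=no` is reported as overwritten by `90-site.conf`; with `RENAMED`, both sections survive the merge intact. The check covers only same-name overwrites and does not model how NetworkManager chooses between differently named device sections.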

Development

Successfully merging this pull request may close these issues.

Place files in /usr/local instead of /usr
6 participants