ignition/0001-stages-files-relabel-files-before-systemd-sysctl.patch

From bab77f2fa4ecbc1d0428dd6e8a54d34848d78fd1 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon <jonathan@jlebon.com>
Date: Thu, 27 Sep 2018 16:40:24 -0400
Subject: [PATCH] stages/files: relabel files before systemd-sysctl

This is a workaround for an inherent issue with the current relabeling
approach (see #635). `systemd-sysctl.service` is definitely one of those
early services that have a high probability of reading files from `/etc`
before it's relabeled.

They're both pulled in by `sysinit.target`, but
`ignition-relabel.service` has an additional `After=local-fs.target`
which makes it likelier to run later (also see #635 about that). So for
now, let's just hack around this by making sure `systemd-sysctl` runs
after us.
---
internal/exec/stages/files/files.go | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/internal/exec/stages/files/files.go b/internal/exec/stages/files/files.go
index 609a0e8..24676bc 100644
--- a/internal/exec/stages/files/files.go
+++ b/internal/exec/stages/files/files.go
@@ -138,7 +138,7 @@ func (s *stage) addRelabelUnit(config types.Config) error {
Description=Relabel files created by Ignition
DefaultDependencies=no
After=local-fs.target
-Before=sysinit.target
+Before=sysinit.target systemd-sysctl.service
ConditionSecurity=selinux
ConditionPathExists=/etc/selinux/ignition.relabel
OnFailure=emergency.target
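Review bot: The added `Before=sysinit.target systemd-sysctl.service` line is a workaround, but nothing in the unit text or the surrounding Go code says so; a short comment beside the unit template pointing at #635 would tell a later reader why `systemd-sysctl.service` is listed and that it can be dropped once relabeling is reworked. Together with the existing `After=local-fs.target`, this transitively orders `systemd-sysctl.service` after `local-fs.target`, so it is worth confirming that no unit ordered before `local-fs.target` is itself ordered after `systemd-sysctl.service`, since that would form an ordering cycle. The ordering also covers only this one service: any other early unit that reads files from `/etc` can still see them before they are relabeled.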
--
2.17.1