packages: add minios package

Cargo.toml

@@ -118,6 +118,7 @@ members = [
   "packages/rdma-core",
   "packages/readline",
   "packages/release",
+  "packages/minios",
   "packages/rocm-container-toolkit",
   "packages/rocm-k8s-device-plugin",
   "packages/runc",

kits/bottlerocket-core-kit/Cargo.toml

@@ -130,6 +130,7 @@ procps = { path = "../../packages/procps" }
 rdma-core = { path = "../../packages/rdma-core" }
 readline = { path = "../../packages/readline" }
 release = { path = "../../packages/release" }
+minios = { path = "../../packages/minios" }
 rocm-k8s-device-plugin = { path = "../../packages/rocm-k8s-device-plugin" }
 rocm-container-toolkit = { path = "../../packages/rocm-container-toolkit" }
 rottweiler = { path = "../../packages/rottweiler" }

packages/minios/80-release.link

@@ -0,0 +1,11 @@
+[Match]
+OriginalName=*
+
+[Link]
+# Bottlerocket disables hwdb so don't include "database" in NamePolicy
+NamePolicy=keep kernel onboard slot path
+AlternativeNamesPolicy=onboard slot path
+
+# Applying a MAC address policy can confuse CNI plugins, which do
+# not expect addresses to change for devices like veth pairs.
+MACAddressPolicy=none

packages/minios/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "minios"
+version = "0.1.0"
+edition = "2021"
+publish = false
+build = "../build.rs"
+
+
+[lib]
+path = "../packages.rs"

packages/minios/activate-configured.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Activate configured.target
+After=preconfigured.target
+Requires=preconfigured.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl set-default configured.target
+ExecStart=/usr/bin/systemctl start configured.target --no-block
+RemainAfterExit=true
+StandardError=journal+console
+
+[Install]
+WantedBy=preconfigured.target

packages/minios/activate-multi-user.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Activate multi-user.target
+After=configured.target
+Requires=configured.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/systemctl set-default multi-user.target
+ExecStart=/usr/bin/systemctl start multi-user.target --no-block
+RemainAfterExit=true
+StandardError=journal+console
+
+[Install]
+WantedBy=configured.target

packages/minios/aws-config.conf

@@ -0,0 +1,5 @@
+[Service]
+# Set the AWS_SDK_LOAD_CONFIG system-wide instead of at the individual service
+# level, to make sure new system services that use the AWS SDK for Go read the
+# shared AWS config
+Environment=AWS_SDK_LOAD_CONFIG=true

packages/minios/configure-snapshotter.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Configure Snapshotter
+Before=containerd.service
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/containerd/selected-snapshotter
+EnvironmentFile=-/var/cache/containerd/active-snapshotter
+# Skip cleanup if either snapshotter variable is empty
+ExecCondition=[ -n "${ACTIVE_SNAPSHOTTER}" ]
+ExecCondition=[ -n "${SELECTED_SNAPSHOTTER}" ]
+# Check if the active snapshotter has changed
+ExecCondition=[ "${SELECTED_SNAPSHOTTER}" != "${ACTIVE_SNAPSHOTTER}" ]
+# Don't error if the directories don't exist.
+ExecStart=-/usr/bin/find /var/lib/soci-snapshotter -mindepth 1 -delete -true
+ExecStart=-/usr/bin/find /var/lib/containerd -mindepth 1 -delete -true
+ExecStart=/usr/bin/truncate -s0 /var/cache/containerd/active-snapshotter
+ExecStart=/usr/bin/echo 'ACTIVE_SNAPSHOTTER="${SELECTED_SNAPSHOTTER}"'
+
+# Set the ACTIVE_SNAPSHOTTER regardless of if conditions are met for cleanup.
+# This mitigates the behavior that an unmet ExecCondition will truncate the active-snapshotter EnvironmentFile.
+ExecStopPost=/usr/bin/truncate -s0 /var/cache/containerd/active-snapshotter
+ExecStopPost=/usr/bin/echo 'ACTIVE_SNAPSHOTTER="${SELECTED_SNAPSHOTTER}"'
+
+RemainAfterExit=true
+# Write the active snapshotter.
+StandardOutput=file:/var/cache/containerd/active-snapshotter
+
+[Install]
+WantedBy=multi-user.target

packages/minios/configured.target

@@ -0,0 +1,8 @@
+[Unit]
+Description=Bottlerocket final configuration complete
+After=preconfigured.target
+Requires=preconfigured.target
+AllowIsolate=yes
+
+[Install]
+RequiredBy=multi-user.target

packages/minios/drivers.target

@@ -0,0 +1,9 @@
+[Unit]
+Description=Driver units
+AllowIsolate=yes
+After=basic.target
+Before=preconfigured.target
+Requires=basic.target
+
+[Install]
+RequiredBy=preconfigured.target multi-user.target

packages/minios/hosts

@@ -0,0 +1,2 @@
+127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
+::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

packages/minios/issue

@@ -0,0 +1,10 @@
+\S
+Kernel \r on an \m (\l)
+
+    ╱╲
+   ╱┄┄╲
+   │▗▖│
+  ╱│  │╲
+  │╰╮╭╯│
+    ╹╹
+

packages/minios/lib-modules.mount.in

@@ -0,0 +1,17 @@
+[Unit]
+Description=Kernel Modules (Read-Write)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+Wants=prepare-var.service
+After=prepare-var.service
+RequiresMountsFor=/var
+
+[Mount]
+What=overlay
+Where=PREFIX/lib/modules
+Type=overlay
+Options=nosuid,nodev,noexec,noatime,lowerdir=/lib/modules,upperdir=/var/lib/kernel-modules/.overlay/upper,workdir=/var/lib/kernel-modules/.overlay/work,context=system_u:object_r:state_t:s0
+
+[Install]
+WantedBy=local-fs.target

packages/minios/local.mount

@@ -0,0 +1,17 @@
+[Unit]
+Description=Local Directory (/local)
+DefaultDependencies=no
+Conflicts=umount.target
+Before=local-fs.target umount.target
+After=prepare-local-fs.service
+Requires=prepare-local-fs.service
+
+[Mount]
+What=/dev/disk/by-partlabel/BOTTLEROCKET-DATA
+Where=/local
+# "noexec" omitted to allow containers and migrations to run
+Options=defaults,nosuid,nodev,noatime,private
+StandardError=journal+console
+
+[Install]
+RequiredBy=local-fs.target

packages/minios/mask-local-mnt.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mask Local Mnt Directory (/local/mnt)
+DefaultDependencies=no
+RequiresMountsFor=/local /mnt
+BindsTo=mnt.mount
+ConditionPathIsMountPoint=!/local/mnt
+Conflicts=umount.target
+Before=umount.target
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+
+# Mask `/local/mnt` to avoid confusion, since it will have most of the contents
+# of `/mnt` but not any of the mounts.
+ExecStart=/usr/bin/mount --bind --options nosuid,nodev,noexec,private /srv /local/mnt
+
+# If `/mnt` is unmounted, this unit will stop because of `BindsTo` above. Try
+# to undo the mount since otherwise the empty directory could be bind-mounted
+# over `/mnt` if `mnt.mount` is restarted.
+ExecStop=/usr/bin/umount /local/mnt
+
+RemainAfterExit=true
+StandardError=journal+console

packages/minios/mask-local-opt.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mask Local Opt Directory (/local/opt)
+DefaultDependencies=no
+RequiresMountsFor=/local /opt
+BindsTo=opt.mount
+ConditionPathIsMountPoint=!/local/opt
+Conflicts=umount.target
+Before=umount.target
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+
+# Mask `/local/opt` to avoid confusion, since it will have most of the contents
+# of `/opt` but not any of the mounts.
+ExecStart=/usr/bin/mount --bind --options nosuid,nodev,noexec,private /srv /local/opt
+
+# If `/opt` is unmounted, this unit will stop because of `BindsTo` above. Try
+# to undo the mount since otherwise the empty directory could be bind-mounted
+# over `/opt` if `opt.mount` is restarted.
+ExecStop=-/usr/bin/umount /local/opt
+
+RemainAfterExit=true
+StandardError=journal+console

packages/minios/mask-local-var.service

@@ -0,0 +1,25 @@
+[Unit]
+Description=Mask Local Var Directory (/local/var)
+DefaultDependencies=no
+RequiresMountsFor=/local /var
+BindsTo=var.mount
+ConditionPathIsMountPoint=!/local/var
+Conflicts=umount.target
+Before=umount.target
+RefuseManualStart=true
+RefuseManualStop=true
+
+[Service]
+Type=oneshot
+
+# Mask `/local/var` to avoid confusion, since it will have most of the contents
+# of `/var` but not any of the mounts.
+ExecStart=/usr/bin/mount --bind --options nosuid,nodev,noexec,private /srv /local/var
+
+# If `/var` is unmounted, this unit will stop because of `BindsTo` above. Try
+# to undo the mount since otherwise the empty directory could be bind-mounted
+# over `/var` if `var.mount` is restarted.
+ExecStop=-/usr/bin/umount /local/var
+
+RemainAfterExit=true
+StandardError=journal+console