authorMario Villaplana <mario.villaplana@gmail.com>2017-01-18 16:48:01 +0000
committerShivanand Tendulker <stendulker@gmail.com>2017-11-06 04:48:58 -0500
commita659306272542dd38420cb118cc7b04b1e8cf377 (patch)
treed0cf63d3b475a55f22df5dc4f14f2bef80eab27e /imagebuild
parent644f2c326fa2a584dfe391bfccf78e36f2e63408 (diff)
downloadironic-python-agent-a659306272542dd38420cb118cc7b04b1e8cf377.tar.gz
Rescue extension for CoreOS with DHCP tenant networks
This patch adds support for rescue mode with DHCP tenant networks in CoreOS. Applying network config from a configdrive is not yet supported but will be in a future patch. Co-Authored-By: Jay Faulkner <jay@jvf.cc> Co-Authored-By: Taku Izumi <izumi.taku@jp.fujitsu.com> Co-Authored-By: Annie Lezil <annie.lezil@gmail.com> Co-Authored-By: Aparna <aparnavtce@gmail.com> Co-Authored-By: Shivanand Tendulker <stendulker@gmail.com> Change-Id: I7898ff22800dedba73d7fbfb3801378867abe183 Partial-Bug: 1526449
Diffstat (limited to 'imagebuild')
-rw-r--r--imagebuild/coreos/oem/cloud-config.yml43
-rwxr-xr-ximagebuild/coreos/oem/finalize_rescue.sh37
-rw-r--r--imagebuild/coreos/oem/rescue-dhcp-config.network5
3 files changed, 83 insertions, 2 deletions
diff --git a/imagebuild/coreos/oem/cloud-config.yml b/imagebuild/coreos/oem/cloud-config.yml
index 03f71ced..2ce383e2 100644
--- a/imagebuild/coreos/oem/cloud-config.yml
+++ b/imagebuild/coreos/oem/cloud-config.yml
@@ -189,6 +189,41 @@ coreos:
Type=none
Options=bind
+ - name: setup-rescue-directories.service
+ command: start
+ content: |
+ [Unit]
+ Description=Create directories for rescue mode configuration
+ After=ironic-python-agent-container-creation.service
+ Requires=ironic-python-agent-container-creation.service
+
+ [Service]
+ Type=oneshot
+ RemainAfterExit=yes
+ ExecStart=/usr/bin/mkdir /etc/ipa-rescue-config
+ ExecStart=/usr/bin/mkdir /opt/ironic-python-agent/etc/ipa-rescue-config
+
+ - name: opt-ironic\x2dpython\x2dagent-etc-ipa\x2drescue\x2dconfig.mount
+ command: start
+ content: |
+ [Unit]
+ DefaultDependencies=no
+
+ Conflicts=umount.target
+ Before=umount.target
+
+ After=ironic-python-agent-container-creation.service
+ After=setup-rescue-directories.service
+
+ Requires=ironic-python-agent-container-creation.service
+ Requires=setup-rescue-directories.service
+
+ [Mount]
+ What=/etc/ipa-rescue-config
+ Where=/opt/ironic-python-agent/etc/ipa-rescue-config
+ Type=none
+ Options=bind
+
- name: ironic-python-agent.service
command: start
content: |
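Review bot: Both `ExecStart=/usr/bin/mkdir` lines in setup-rescue-directories.service fail if the directory already exists, and because ironic-python-agent.service gains a `Requires=` on this oneshot unit later in the file, that failure would keep the agent from starting at all. `ExecStart=/usr/bin/mkdir -p /etc/ipa-rescue-config` (and the same for the chroot path) makes the unit idempotent. The source directory is where the crypted rescue password is later read from, so it is also worth creating it with an explicit mode such as `-m 0700` rather than the default umask, assuming only root-owned processes need it, which is not visible from this hunk.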
@@ -203,6 +238,8 @@ coreos:
After=opt-ironic\x2dpython\x2dagent-mnt.mount
After=opt-ironic\x2dpython\x2dagent-etc-resolvconf.service
After=opt-ironic\x2dpython\x2dagent-run-log.mount
+ After=setup-rescue-directories.service
+ After=opt-ironic\x2dpython\x2dagent-etc-ipa\x2drescue\x2dconfig.mount
Requires=ironic-python-agent-container-creation.service
Requires=opt-ironic\x2dpython\x2dagent-proc.mount
@@ -213,6 +250,8 @@ coreos:
Requires=opt-ironic\x2dpython\x2dagent-mnt.mount
Requires=opt-ironic\x2dpython\x2dagent-etc-resolvconf.service
Requires=opt-ironic\x2dpython\x2dagent-run-log.mount
+ Requires=setup-rescue-directories.service
+ Requires=opt-ironic\x2dpython\x2dagent-etc-ipa\x2drescue\x2dconfig.mount
[Service]
ExecStartPre=-/usr/sbin/modprobe ipmi_msghandler
@@ -220,6 +259,6 @@ coreos:
ExecStartPre=-/usr/sbin/modprobe ipmi_si
ExecStart=/usr/bin/chroot /opt/ironic-python-agent \
/usr/local/bin/ironic-python-agent
- Restart=always
+ ExecStopPost=/usr/share/oem/finalize_rescue.sh
+ Restart=on-failure
RestartSec=30s
-
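Review bot: `Restart=on-failure` still restarts the agent when its main process exits uncleanly, and `ExecStopPost=` runs on that path too, so a crash after the rescue password file has been written would run finalize_rescue.sh, move the interfaces onto the tenant network, and then bring the agent API back up 30 seconds later. The forced exit code 0 in the script only covers failures of the script itself, not the agent's own exit status. A guard in the `[Unit]` section such as `ConditionPathExists=!/etc/ipa-rescue-config/ipa-rescue-password` would likely stop the restart once rescue has been requested; how conditions interact with automatic restarts should be confirmed on the systemd version in the image. The unit's `[Unit]` section begins outside this hunk.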
diff --git a/imagebuild/coreos/oem/finalize_rescue.sh b/imagebuild/coreos/oem/finalize_rescue.sh
new file mode 100755
index 00000000..e8e5b744
--- /dev/null
+++ b/imagebuild/coreos/oem/finalize_rescue.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+create_rescue_user() {
+ echo "Adding rescue user with root privileges..."
+ crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password)
+ sudo useradd -m rescue -G sudo -p $crypted_pass
+ sudo echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue
+}
+
+setup_dhcp_network() {
+ DHCP_CONFIG_TEMPLATE=/usr/share/oem/rescue-dhcp-config.network
+
+ echo "Configuring DHCP networks on all interfaces..."
+ echo "Removing all existing network configuration..."
+ sudo rm /etc/systemd/network/*
+
+ echo "Configuring all interfaces except loopback to DHCP..."
+ for interface in $(ls /sys/class/net) ; do
+ if [ $interface != "lo" ]; then
+ sudo sed "s/RESCUE_NETWORK_INTERFACE/$interface/" $DHCP_CONFIG_TEMPLATE > /etc/systemd/network/50-$interface.network || true
+ fi
+ done
+
+ sudo systemctl restart systemd-networkd
+}
+
+echo "Attempting to start rescue mode configuration..."
+if [ -f /etc/ipa-rescue-config/ipa-rescue-password ]; then
+ # NOTE(mariojv) An exit code of 0 is always forced here to avoid making IPA
+ # restart after something fails. IPA should not restart when this script
+ # executes to avoid exposing its API to a tenant network.
+ create_rescue_user || exit 0
+ setup_dhcp_network || exit 0
+ # TODO(mariojv) Add support for configdrive and static networks
+else
+ echo "One or more of the files needed for rescue mode does not exist, not rescuing."
+fi
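Review bot: `create_rescue_user || exit 0` only sees the status of the function's last command, so a failed `useradd` (or an empty password file) goes unnoticed and the script still writes a `NOPASSWD: ALL` sudoers entry and moves every interface onto the tenant DHCP network. `$crypted_pass` is also unquoted, which lets the shell word-split or glob-expand the hash, and the `sudo` prefixes do not apply to the `>` redirections, which are opened by the calling shell. I would return early on each failing step, quote the expansion, and set the sudoers drop-in to mode 0440, as sketched below; the same `sudo … >` and unquoted `$interface` pattern appears in `setup_dhcp_network`, where `for interface in /sys/class/net/*` would avoid parsing `ls`. The hash is also passed on the `useradd` command line and the password file is left on disk afterwards; whether either matters depends on who else can log in to the rescued ramdisk.

```shell
create_rescue_user() {
    echo "Adding rescue user with root privileges..."
    local crypted_pass
    crypted_pass=$(</etc/ipa-rescue-config/ipa-rescue-password) || return 1
    # Quoting -p means an empty file would leave the password field blank.
    [ -n "$crypted_pass" ] || return 1
    useradd -m rescue -G sudo -p "$crypted_pass" || return 1
    # Grant sudo only once the account exists; keep the drop-in read-only.
    echo "rescue ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/rescue || return 1
    chmod 0440 /etc/sudoers.d/rescue
}
# … unchanged: setup_dhcp_network and the top-level rescue check …
```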
diff --git a/imagebuild/coreos/oem/rescue-dhcp-config.network b/imagebuild/coreos/oem/rescue-dhcp-config.network
new file mode 100644
index 00000000..0f7ded34
--- /dev/null
+++ b/imagebuild/coreos/oem/rescue-dhcp-config.network
@@ -0,0 +1,5 @@
+[Match]
+Name=RESCUE_NETWORK_INTERFACE
+
+[Network]
+DHCP=yes