matthew/sonic-buildimage
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
e28c30d4e4
sonic-buildimage/files/initramfs-tools/union-mount.j2

192 lines
6.4 KiB
Plaintext
Raw Normal View History

New release v1.0.0
2016-03-08 13:42:20 -06:00
#!/bin/sh -e
[baseimage]: allocate varlog disk in the initramfs stage (#936) moving to initramfs unifies disk allocate on different platforms. use fallocate instead of dd to speed up the disk allocation. By default, mkfs.ext4 has -E discard option which discards the blocks at the mkfs time, also speed up the initialization time.
2017-09-06 22:07:32 -05:00
PREREQS="varlog"
prereqs() { echo "$PREREQS"; }
New release v1.0.0
2016-03-08 13:42:20 -06:00
case $1 in
prereqs)
[baseimage]: allocate varlog disk in the initramfs stage (#936) moving to initramfs unifies disk allocate on different platforms. use fallocate instead of dd to speed up the disk allocation. By default, mkfs.ext4 has -E discard option which discards the blocks at the mkfs time, also speed up the initialization time.
2017-09-06 22:07:32 -05:00
prereqs
New release v1.0.0
2016-03-08 13:42:20 -06:00
exit 0
;;
esac
Squash merge latest code to github branch
2016-07-26 14:01:58 -05:00
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
docker_inram=false
logs_inram=false
secureboot=false
bootloader=generic
[kdump] Fix OOM events in crashkernel (#6447) A few issues where discovered with crashkernel on Arista platforms. 1) platforms using `docker_inram=on` would end up OOM in kdump environment. This happens because the same initramfs is used by SONiC and the crashkernel. With `docker_inram=on` the `dockerfs.tar.gz` is extracted in a `tmpfs` created for the occasion. Since `dockerfs.tar.gz` weights more than 1.5G, it doesn't fit into the kdump environment and ends up OOM. This OOM event can in turn trigger a panic. 2) Arista platforms with `secureboot` enabled would fail to load the crashkernel because the kernel parameter would be discarded on boot. This happens because the `boot0` in secureboot mode is strict about kernel parameter injection. 3) The secureboot path allowlist would remove kernel crash reports. 4) The kdump service would fail on Arista products since `/boot/` is empty in `secureboot` **- How I did it** 1) To prevent an OOM event in the crashkernel the fix is to avoid the codepaths in `union-mount` that create tmpfs and populate them. Some more codepath specific to Arista devices are also skipped to make the kdump process faster. This relies on detecting that the initramfs is starting in a kdump environment and skipping some initialization. The `/usr/sbin/kdump-config` tool appends a few kernel cmdline arguments when loading the crashkernel. The most unique one is `systemd.unit=kdump-tools.service` which is used in a few initramfs hooks to set `in_kdump`. 2) To allow `kdump` to work in `secureboot` environment the cmdline generation in boot0 was slightly modified. The codepath to load kernel parameters changed by SONiC is now running for booting in secure mode. It was altered to prevent an append only behavior which would grow the `kernel-cmdline` at every reboot. This ever growing behavior would lead `kexec` to fail to load the kernel due to a too long cmdline. 3) To get the kernel crash under /var/crash this path has to be added to `allowlist_paths` 4) The `/host/image-XXX/boot` folder is now populated in `secureboot` mode but not used. **- How to verify it** Regular boot: - enable kdump - enable docker_inram=on via kernel-params - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness OOM events on the console - after: crash kernel works and crash available under /var/crash Secure boot: - enable kdump - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness no kdump - after: crash kernel works and crash available under /var/crash Co-authored-by: Boyang Yu <byu@arista.com>
2021-02-02 03:55:09 -06:00
in_kdump=false
[aboot] use ram partition for /var/log for devices with 3.7G disks (#8400) Master/202012 image size grew quite a bit. 3.7G harddrive can no longer hold one image and safely upgrade to another image. Every bit of harddrive space is precious to save now. Also sh syntax seemingly changed, [ condition ] && action was a legit syntax in 201911 branch but it is an error when condition not met with 202012 or later images. Change the syntax to if statement to avoid the issue. Signed-off-by: Ying Xie ying.xie@microsoft.com
2021-08-13 11:01:34 -05:00
varlog_size=0
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
# Extract kernel parameters
for x in $(cat /proc/cmdline); do
case "$x" in
Aboot=*)
bootloader=aboot
;;
docker_inram=on)
docker_inram=true
;;
logs_inram=on)
logs_inram=true
;;
[aboot] use ram partition for /var/log for devices with 3.7G disks (#8400) Master/202012 image size grew quite a bit. 3.7G harddrive can no longer hold one image and safely upgrade to another image. Every bit of harddrive space is precious to save now. Also sh syntax seemingly changed, [ condition ] && action was a legit syntax in 201911 branch but it is an error when condition not met with 202012 or later images. Change the syntax to if statement to avoid the issue. Signed-off-by: Ying Xie ying.xie@microsoft.com
2021-08-13 11:01:34 -05:00
varlog_size=*)
varlog_size="${x#varlog_size=}"
;;
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
secure_boot_enable=[y1])
secureboot=true
docker_inram=true
;;
platform=*)
platform_flag="${x#platform=}"
;;
[kdump] Fix OOM events in crashkernel (#6447) A few issues where discovered with crashkernel on Arista platforms. 1) platforms using `docker_inram=on` would end up OOM in kdump environment. This happens because the same initramfs is used by SONiC and the crashkernel. With `docker_inram=on` the `dockerfs.tar.gz` is extracted in a `tmpfs` created for the occasion. Since `dockerfs.tar.gz` weights more than 1.5G, it doesn't fit into the kdump environment and ends up OOM. This OOM event can in turn trigger a panic. 2) Arista platforms with `secureboot` enabled would fail to load the crashkernel because the kernel parameter would be discarded on boot. This happens because the `boot0` in secureboot mode is strict about kernel parameter injection. 3) The secureboot path allowlist would remove kernel crash reports. 4) The kdump service would fail on Arista products since `/boot/` is empty in `secureboot` **- How I did it** 1) To prevent an OOM event in the crashkernel the fix is to avoid the codepaths in `union-mount` that create tmpfs and populate them. Some more codepath specific to Arista devices are also skipped to make the kdump process faster. This relies on detecting that the initramfs is starting in a kdump environment and skipping some initialization. The `/usr/sbin/kdump-config` tool appends a few kernel cmdline arguments when loading the crashkernel. The most unique one is `systemd.unit=kdump-tools.service` which is used in a few initramfs hooks to set `in_kdump`. 2) To allow `kdump` to work in `secureboot` environment the cmdline generation in boot0 was slightly modified. The codepath to load kernel parameters changed by SONiC is now running for booting in secure mode. It was altered to prevent an append only behavior which would grow the `kernel-cmdline` at every reboot. This ever growing behavior would lead `kexec` to fail to load the kernel due to a too long cmdline. 3) To get the kernel crash under /var/crash this path has to be added to `allowlist_paths` 4) The `/host/image-XXX/boot` folder is now populated in `secureboot` mode but not used. **- How to verify it** Regular boot: - enable kdump - enable docker_inram=on via kernel-params - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness OOM events on the console - after: crash kernel works and crash available under /var/crash Secure boot: - enable kdump - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness no kdump - after: crash kernel works and crash available under /var/crash Co-authored-by: Boyang Yu <byu@arista.com>
2021-02-02 03:55:09 -06:00
systemd.unit=kdump-tools.service)
in_kdump=true
;;
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
esac
done
[tmpfs var/log] mount /var/log as tmpfs for some platforms (#2780) SONiC is a heavy writer to /var/log partition, we noticed that this behavior causes certain flash drive to become read-only over time. To avoid this issue, we mount /var/log parition on these devices as tmpfs. - Mount /var/log as tmpfs - /var/log default size is 128M - Adjust size according to existing var-log.ext4 file size. - Adjust size to between 5% to 10% of total memory size. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-04-15 00:46:26 -05:00
set_tmpfs_log_partition_size()
{
[aboot] use ram partition for /var/log for devices with 3.7G disks (#8400) Master/202012 image size grew quite a bit. 3.7G harddrive can no longer hold one image and safely upgrade to another image. Every bit of harddrive space is precious to save now. Also sh syntax seemingly changed, [ condition ] && action was a legit syntax in 201911 branch but it is an error when condition not met with 202012 or later images. Change the syntax to if statement to avoid the issue. Signed-off-by: Ying Xie ying.xie@microsoft.com
2021-08-13 11:01:34 -05:00
if [ $varlog_size -gt 0 ]; then
# Use the varlog_size passed in from command line
varlogsize=$varlog_size
else
varlogsize=128
# set varlogsize to existing var-log.ext4 size
if [ -f ${rootmnt}/host/disk-img/var-log.ext4 ]; then
varlogsize=$(ls -l ${rootmnt}/host/disk-img/var-log.ext4 | awk '{print $5}')
varlogsize=$(($varlogsize/1024/1024))
fi
fi
# make sure varlogsize is between 5% to 10% of total memory size
memkb=$(grep MemTotal /proc/meminfo | awk '{print $2}')
memmb=$(($memkb/1024))
minsize=$(($memmb*5/100))
maxsize=$(($memmb*10/100))
if [ $minsize -ge $varlogsize ]; then
varlogsize=$minsize
fi
if [ $maxsize -le $varlogsize ]; then
varlogsize=$maxsize
fi
[tmpfs var/log] mount /var/log as tmpfs for some platforms (#2780) SONiC is a heavy writer to /var/log partition, we noticed that this behavior causes certain flash drive to become read-only over time. To avoid this issue, we mount /var/log parition on these devices as tmpfs. - Mount /var/log as tmpfs - /var/log default size is 128M - Adjust size according to existing var-log.ext4 file size. - Adjust size to between 5% to 10% of total memory size. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-04-15 00:46:26 -05:00
}
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
remove_not_in_allowlist_files()
{
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
local allowlist_file="$1"
local targeted_dir="$2"
local allowlist_pattern_file=/tmp/allowlist_paths.pattern
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
# Return if the allowlist file does not exist
if ! test -f "${allowlist_file}"; then
echo "The file ${allowlist_file} is missing, failed to mount rw folder." 1>&2
exit 1
fi
# Set the grep pattern file, remove the blank line in config file
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
awk -v rw_dir="$targeted_dir" 'NF {print rw_dir"/"$0"$"}' ${allowlist_file} > $allowlist_pattern_file
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
# Find the files in the rw folder, and remove the files not in the allowlist
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
find ${targeted_dir} -type f | grep -v -f $allowlist_pattern_file | xargs /bin/rm -f
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
rm -f $allowlist_pattern_file
}
[baseimage]: build root filesystem via overlay fs instead of aufs
2017-09-02 17:32:31 -05:00
## Mount the overlay file system: rw layer over squashfs
[image]: SONiC-to-SONiC update (#464)
2017-04-21 19:23:36 -05:00
image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/')
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
rw_dir=${rootmnt}/host/$image_dir/rw
work_dir=${rootmnt}/host/$image_dir/work
mkdir -p "$rw_dir"
mkdir -p "$work_dir"
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
## Remove the files not in allowlist in the rw folder
[kdump] Fix OOM events in crashkernel (#6447) A few issues where discovered with crashkernel on Arista platforms. 1) platforms using `docker_inram=on` would end up OOM in kdump environment. This happens because the same initramfs is used by SONiC and the crashkernel. With `docker_inram=on` the `dockerfs.tar.gz` is extracted in a `tmpfs` created for the occasion. Since `dockerfs.tar.gz` weights more than 1.5G, it doesn't fit into the kdump environment and ends up OOM. This OOM event can in turn trigger a panic. 2) Arista platforms with `secureboot` enabled would fail to load the crashkernel because the kernel parameter would be discarded on boot. This happens because the `boot0` in secureboot mode is strict about kernel parameter injection. 3) The secureboot path allowlist would remove kernel crash reports. 4) The kdump service would fail on Arista products since `/boot/` is empty in `secureboot` **- How I did it** 1) To prevent an OOM event in the crashkernel the fix is to avoid the codepaths in `union-mount` that create tmpfs and populate them. Some more codepath specific to Arista devices are also skipped to make the kdump process faster. This relies on detecting that the initramfs is starting in a kdump environment and skipping some initialization. The `/usr/sbin/kdump-config` tool appends a few kernel cmdline arguments when loading the crashkernel. The most unique one is `systemd.unit=kdump-tools.service` which is used in a few initramfs hooks to set `in_kdump`. 2) To allow `kdump` to work in `secureboot` environment the cmdline generation in boot0 was slightly modified. The codepath to load kernel parameters changed by SONiC is now running for booting in secure mode. It was altered to prevent an append only behavior which would grow the `kernel-cmdline` at every reboot. This ever growing behavior would lead `kexec` to fail to load the kernel due to a too long cmdline. 3) To get the kernel crash under /var/crash this path has to be added to `allowlist_paths` 4) The `/host/image-XXX/boot` folder is now populated in `secureboot` mode but not used. **- How to verify it** Regular boot: - enable kdump - enable docker_inram=on via kernel-params - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness OOM events on the console - after: crash kernel works and crash available under /var/crash Secure boot: - enable kdump - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness no kdump - after: crash kernel works and crash available under /var/crash Co-authored-by: Boyang Yu <byu@arista.com>
2021-02-02 03:55:09 -06:00
if [ "$secureboot" = true ] && [ "$in_kdump" = false ]; then
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
if [ "$bootloader" = "aboot" ]; then
swi_path="${rootmnt}/host/$(sed -E 's/.*loop=([^ ]+).*/\1/' /proc/cmdline)"
unzip -q "$swi_path" allowlist_paths.conf -d /tmp
allowlist_file=/tmp/allowlist_paths.conf
else
allowlist_file=${rootmnt}/host/$image_dir/allowlist_paths.conf
fi
[secureboot] only remove exec bit in secureboot Address issue #4832
2020-06-23 13:33:44 -05:00
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
remove_not_in_allowlist_files "$allowlist_file" "$rw_dir"
[secureboot] only remove exec bit in secureboot Address issue #4832
2020-06-23 13:33:44 -05:00
## Remove the executable permission for all the files in rw folder except home folder
find ${rw_dir} -type f -not -path ${rw_dir}/home -exec chmod a-x {} +
fi
[secure boot] Support rw files allowlist (#4585) * Support rw files allowlist for Sonic Secure Boot * Improve the performance * fix bug * Move the config description into a md file * Change to use a simple way to remove the blank line * Support chmod a-x in rw folder * Change function name * Change some unnecessary words
2020-06-13 02:10:13 -05:00
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
mount -n -o lowerdir=${rootmnt},upperdir=${rw_dir},workdir=${work_dir} -t overlay root-overlay ${rootmnt}
[union-mount] Rescan dev if root partition disapear (#298) On some platforms after the initramfs init scripts have mounted the root device its block device disapear from /dev. The union-mount script therefore can't mount the root device over the aufs. If this case happen, issue a rescan of the devices to repopulate the /dev filesystem.
2017-02-16 01:18:02 -06:00
## Check if the root block device is still there
[ -b ${ROOT} ] || mdev -s
[initramfs] Updated required tools for initramfs (#3734) * [initramfs] Updated reuired tools for initramfs Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Updated required tools for initramfs Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [Platform] [Marvell] Platform specific debian package for et6448m device Signed-off-by: Antony Rheneus <arheneus@marvell.com> * Removed auto-generated files Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Added mtd and uboot firmware tools package required for arm arch Its been enabled to all arch including amd64 Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Added mtd and uboot firmware tools package required for arm arch Its been enabled to all arch including amd64 Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Marvell arm modules update and platform config update Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [iniramfs] add initramfs uboot-utils hook script only for ARM Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-01-15 10:25:01 -06:00
case "${ROOT}" in
ubi*)
mtd=$(cat /proc/cmdline | sed -e 's/.*ubi.mtd=\([0-9]\) .*/\1/')
if [ ! -f /dev/${ROOT}_0 ]; then
[platform][marvell] Arm 32-bit Arch support changes (#5749) - Added Arm 32-bit arch build fixes - Added marvell armhf platform specific changes Signed-off-by: Sabareesh Kumar Anandan <sanandan@marvell.com>
2020-12-03 14:38:50 -06:00
ubiattach /dev/ubi_ctrl -m $mtd 2>dev/null || true
[initramfs] Updated required tools for initramfs (#3734) * [initramfs] Updated reuired tools for initramfs Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Updated required tools for initramfs Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [Platform] [Marvell] Platform specific debian package for et6448m device Signed-off-by: Antony Rheneus <arheneus@marvell.com> * Removed auto-generated files Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Added mtd and uboot firmware tools package required for arm arch Its been enabled to all arch including amd64 Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Added mtd and uboot firmware tools package required for arm arch Its been enabled to all arch including amd64 Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [initramfs] Marvell arm modules update and platform config update Signed-off-by: Antony Rheneus <arheneus@marvell.com> * [iniramfs] add initramfs uboot-utils hook script only for ARM Signed-off-by: Antony Rheneus <arheneus@marvell.com>
2020-01-15 10:25:01 -06:00
fi
mount -t ubifs /dev/${ROOT}_0 ${rootmnt}/host
;;
*)
## Mount the raw partition again
mount ${ROOT} ${rootmnt}/host
;;
esac
[build]: enable docker in ram option for small disk device (#3279) when device disk is small, do not unzip dockerfs.tar.gz on disk. keep the tar file on the disk, unzip to tmpfs in the initrd phase. enabled this for 7050-qx32 Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-08-07 01:04:00 -05:00
Squash merge latest code to github branch
2016-07-26 14:01:58 -05:00
mkdir -p ${rootmnt}/var/lib/docker
[kdump] Fix OOM events in crashkernel (#6447) A few issues where discovered with crashkernel on Arista platforms. 1) platforms using `docker_inram=on` would end up OOM in kdump environment. This happens because the same initramfs is used by SONiC and the crashkernel. With `docker_inram=on` the `dockerfs.tar.gz` is extracted in a `tmpfs` created for the occasion. Since `dockerfs.tar.gz` weights more than 1.5G, it doesn't fit into the kdump environment and ends up OOM. This OOM event can in turn trigger a panic. 2) Arista platforms with `secureboot` enabled would fail to load the crashkernel because the kernel parameter would be discarded on boot. This happens because the `boot0` in secureboot mode is strict about kernel parameter injection. 3) The secureboot path allowlist would remove kernel crash reports. 4) The kdump service would fail on Arista products since `/boot/` is empty in `secureboot` **- How I did it** 1) To prevent an OOM event in the crashkernel the fix is to avoid the codepaths in `union-mount` that create tmpfs and populate them. Some more codepath specific to Arista devices are also skipped to make the kdump process faster. This relies on detecting that the initramfs is starting in a kdump environment and skipping some initialization. The `/usr/sbin/kdump-config` tool appends a few kernel cmdline arguments when loading the crashkernel. The most unique one is `systemd.unit=kdump-tools.service` which is used in a few initramfs hooks to set `in_kdump`. 2) To allow `kdump` to work in `secureboot` environment the cmdline generation in boot0 was slightly modified. The codepath to load kernel parameters changed by SONiC is now running for booting in secure mode. It was altered to prevent an append only behavior which would grow the `kernel-cmdline` at every reboot. This ever growing behavior would lead `kexec` to fail to load the kernel due to a too long cmdline. 3) To get the kernel crash under /var/crash this path has to be added to `allowlist_paths` 4) The `/host/image-XXX/boot` folder is now populated in `secureboot` mode but not used. **- How to verify it** Regular boot: - enable kdump - enable docker_inram=on via kernel-params - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness OOM events on the console - after: crash kernel works and crash available under /var/crash Secure boot: - enable kdump - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness no kdump - after: crash kernel works and crash available under /var/crash Co-authored-by: Boyang Yu <byu@arista.com>
2021-02-02 03:55:09 -06:00
if [ "$in_kdump" = false ]; then
if [ "$secureboot" = true ]; then
mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
if [ "$bootloader" = "aboot" ]; then
unzip -qp "$swi_path" dockerfs.tar.gz | tar xz --numeric-owner -C ${rootmnt}/var/lib/docker
## Boot folder is not extracted during secureboot since content would inherently become unsafe
mkdir -p ${rootmnt}/host/$image_dir/boot
else
echo "secureboot unsupported for bootloader $bootloader" 1>&2
exit 1
fi
elif [ -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} ]; then
## mount tmpfs and extract docker into it
mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker
tar xz --numeric-owner -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} -C ${rootmnt}/var/lib/docker
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
else
[kdump] Fix OOM events in crashkernel (#6447) A few issues where discovered with crashkernel on Arista platforms. 1) platforms using `docker_inram=on` would end up OOM in kdump environment. This happens because the same initramfs is used by SONiC and the crashkernel. With `docker_inram=on` the `dockerfs.tar.gz` is extracted in a `tmpfs` created for the occasion. Since `dockerfs.tar.gz` weights more than 1.5G, it doesn't fit into the kdump environment and ends up OOM. This OOM event can in turn trigger a panic. 2) Arista platforms with `secureboot` enabled would fail to load the crashkernel because the kernel parameter would be discarded on boot. This happens because the `boot0` in secureboot mode is strict about kernel parameter injection. 3) The secureboot path allowlist would remove kernel crash reports. 4) The kdump service would fail on Arista products since `/boot/` is empty in `secureboot` **- How I did it** 1) To prevent an OOM event in the crashkernel the fix is to avoid the codepaths in `union-mount` that create tmpfs and populate them. Some more codepath specific to Arista devices are also skipped to make the kdump process faster. This relies on detecting that the initramfs is starting in a kdump environment and skipping some initialization. The `/usr/sbin/kdump-config` tool appends a few kernel cmdline arguments when loading the crashkernel. The most unique one is `systemd.unit=kdump-tools.service` which is used in a few initramfs hooks to set `in_kdump`. 2) To allow `kdump` to work in `secureboot` environment the cmdline generation in boot0 was slightly modified. The codepath to load kernel parameters changed by SONiC is now running for booting in secure mode. It was altered to prevent an append only behavior which would grow the `kernel-cmdline` at every reboot. This ever growing behavior would lead `kexec` to fail to load the kernel due to a too long cmdline. 3) To get the kernel crash under /var/crash this path has to be added to `allowlist_paths` 4) The `/host/image-XXX/boot` folder is now populated in `secureboot` mode but not used. **- How to verify it** Regular boot: - enable kdump - enable docker_inram=on via kernel-params - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness OOM events on the console - after: crash kernel works and crash available under /var/crash Secure boot: - enable kdump - reboot - generate a crash `echo c > /proc/sysrq-trigger` - before: witness no kdump - after: crash kernel works and crash available under /var/crash Co-authored-by: Boyang Yu <byu@arista.com>
2021-02-02 03:55:09 -06:00
## Mount the working directory of docker engine in the raw partition, bypass the overlay
mount --bind ${rootmnt}/host/$image_dir/{{ DOCKERFS_DIR }} ${rootmnt}/var/lib/docker
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
fi
[build]: enable docker in ram option for small disk device (#3279) when device disk is small, do not unzip dockerfs.tar.gz on disk. keep the tar file on the disk, unzip to tmpfs in the initrd phase. enabled this for 7050-qx32 Signed-off-by: Guohan Lu <gulv@microsoft.com>
2019-08-07 01:04:00 -05:00
fi
[baseimage]: build root filesystem via overlay fs instead of aufs
2017-09-02 17:32:31 -05:00
## Mount the boot directory in the raw partition, bypass the overlay
Squash merge latest code to github branch
2016-07-26 14:01:58 -05:00
mkdir -p ${rootmnt}/boot
[image]: SONiC-to-SONiC update (#464)
2017-04-21 19:23:36 -05:00
mount --bind ${rootmnt}/host/$image_dir/boot ${rootmnt}/boot
[DELL]: FTOS to SONiC fast conversion fixes (#4807) While migrating to SONiC 20181130, identified a couple of issues: 1. union-mount needs /host/machine.conf parameters for vendor specific checks : however, in case of migration, the /host/machine.conf is extracted from ONIE only in https://github.com/Azure/sonic-buildimage/blob/master/files/image_config/platform/rc.local#L127. 2. Since grub.cfg is updated to have net.ifnames=0 biosdevname=0, 70-persistent-net.rules changes are no longer required.
2020-06-19 13:02:08 -05:00
[secureboot] Add secureboot support for Arista devices (#4741) * Add secureboot support in boot0 * Initramfs changes for secureboot on Aboot devices * Do not compress squashfs and gz in fs.zip It doesn't make much sense to do so since these files are already compressed. Also not compressing the squashfs has the advantage of making it mountable via a loop device. * Add loopoffset parameter to initramfs-tools
2020-06-22 11:30:31 -05:00
## Mount loop device or tmpfs for /var/log
if $logs_inram; then
[aboot] use ram partition for /var/log for devices with 3.7G disks (#8400) Master/202012 image size grew quite a bit. 3.7G harddrive can no longer hold one image and safely upgrade to another image. Every bit of harddrive space is precious to save now. Also sh syntax seemingly changed, [ condition ] && action was a legit syntax in 201911 branch but it is an error when condition not met with 202012 or later images. Change the syntax to if statement to avoid the issue. Signed-off-by: Ying Xie ying.xie@microsoft.com
2021-08-13 11:01:34 -05:00
# NOTE: some platforms, when reaching initramfs stage, have a small
# limit of mounting tmpfs partition, potentially due to amount
# of RAM available in this stage. Therefore limiting the size
# set for tmpfs partitions.
#
# Another reason for using tmpfs /var/log partition is:
# Some platforms have a small flash and therefore the log partition takes valuable space.
# To improve the longevity of these devices storing the logs in memory will permit more
# SONiC image growth before being bottlenecked.
set_tmpfs_log_partition_size
mount -t tmpfs -o rw,nosuid,nodev,size=${varlogsize}M tmpfs ${rootmnt}/var/log
if [ -f ${rootmnt}/host/disk-img/var-log.ext4 ]; then
rm -rf ${rootmnt}/host/disk-img/var-log.ext4
fi
[tmpfs var/log] mount /var/log as tmpfs for some platforms (#2780) SONiC is a heavy writer to /var/log partition, we noticed that this behavior causes certain flash drive to become read-only over time. To avoid this issue, we mount /var/log parition on these devices as tmpfs. - Mount /var/log as tmpfs - /var/log default size is 128M - Adjust size according to existing var-log.ext4 file size. - Adjust size to between 5% to 10% of total memory size. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-04-15 00:46:26 -05:00
else
[aboot] use ram partition for /var/log for devices with 3.7G disks (#8400) Master/202012 image size grew quite a bit. 3.7G harddrive can no longer hold one image and safely upgrade to another image. Every bit of harddrive space is precious to save now. Also sh syntax seemingly changed, [ condition ] && action was a legit syntax in 201911 branch but it is an error when condition not met with 202012 or later images. Change the syntax to if statement to avoid the issue. Signed-off-by: Ying Xie ying.xie@microsoft.com
2021-08-13 11:01:34 -05:00
if [ -f ${rootmnt}/host/disk-img/var-log.ext4 ]; then
fsck.ext4 -v -p ${rootmnt}/host/disk-img/var-log.ext4 2>&1 | gzip -c >> /tmp/fsck.log.gz
mount -t ext4 -o loop,rw ${rootmnt}/host/disk-img/var-log.ext4 ${rootmnt}/var/log
fi
[tmpfs var/log] mount /var/log as tmpfs for some platforms (#2780) SONiC is a heavy writer to /var/log partition, we noticed that this behavior causes certain flash drive to become read-only over time. To avoid this issue, we mount /var/log parition on these devices as tmpfs. - Mount /var/log as tmpfs - /var/log default size is 128M - Adjust size according to existing var-log.ext4 file size. - Adjust size to between 5% to 10% of total memory size. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
2019-04-15 00:46:26 -05:00
fi
[baseimage]: Run fsck filesystem check support prior mounting filesystem (#4431) * Run fsck filesystem check support prior mounting filesystem If the filesystem become non clean ("dirty"), SONiC does not run fsck to repair and mark it as clean again. This patch adds the functionality to run fsck on each boot, prior to the filesystem being mounted. This allows the filesystem to be repaired if needed. Note that if the filesystem is maked as clean, fsck does nothing and simply return so this is perfectly fine to call fsck every time prior to mount the filesystem. How to verify this patch (using bash): Using an image without this patch: Make the filesystem "dirty" (not clean) [we are making the assumption that filesystem is stored in /dev/sda3 - Please adjust depending of the platform] [do this only on a test platform!] dd if=/dev/sda3 of=superblock bs=1 count=2048 printf "$(printf '\\x%02X' 2)" | dd of="superblock" bs=1 seek=1082 count=1 conv=notrunc &> /dev/null dd of=/dev/sda3 if=superblock bs=1 count=2048 Verify that filesystem is not clean tune2fs -l /dev/sda3 | grep "Filesystem state:" reboot and verify that the filesystem is still not clean Redo the same test with an image with this patch, and verify that at next reboot the filesystem is repaired and becomes clean. fsck log is stored on syslog, using the string FSCK as markup.
2020-04-30 02:33:20 -05:00
## fscklog file: /tmp will be lost when overlayfs is mounted
if [ -f /tmp/fsck.log.gz ]; then
mv /tmp/fsck.log.gz ${rootmnt}/var/log
fi
Reference in New Issue Copy Permalink