#!/bin/sh -e PREREQS="varlog" prereqs() { echo "$PREREQS"; } case $1 in prereqs) prereqs exit 0 ;; esac set_tmpfs_log_partition_size() { varlogsize=128 # NOTE: certain platforms, when reaching initramfs stage, have a small # limit of mounting tmpfs partition, potentially due to amount # of RAM available in this stage. e.g. Arista 7050-qx32[s] and 7060-cx32s [ X"$aboot_platform" = X"x86_64-arista_7050_qx32" ] && return [ X"$aboot_platform" = X"x86_64-arista_7050_qx32s" ] && return [ X"$aboot_platform" = X"x86_64-arista_7060_cx32s" ] && return [ X"$aboot_platform" = X"x86_64-arista_7060cx2_32s" ] && return # set varlogsize to existing var-log.ext4 size if [ -f ${rootmnt}/host/disk-img/var-log.ext4 ]; then varlogsize=$(ls -l ${rootmnt}/host/disk-img/var-log.ext4 | awk '{print $5}') varlogsize=$(($varlogsize/1024/1024)) fi # make sure varlogsize is between 5% to 10% of total memory size memkb=$(grep MemTotal /proc/meminfo | awk '{print $2}') memmb=$(($memkb/1024)) minsize=$(($memmb*5/100)) maxsize=$(($memmb*10/100)) [ $minsize -ge $varlogsize ] && varlogsize=$minsize [ $maxsize -le $varlogsize ] && varlogsize=$maxsize } remove_not_in_allowlist_files() { image_dir=$1 allowlist_file=${rootmnt}/host/$image_dir/allowlist_paths.conf # Return if the secure_boot_enable option is not set if ! (cat /proc/cmdline | grep -i -q "secure_boot_enable=[y1]"); then return fi # Return if the allowlist file does not exist if ! test -f "${allowlist_file}"; then echo "The file ${allowlist_file} is missing, failed to mount rw folder." 1>&2 exit 1 fi rw_dir=${rootmnt}/host/$image_dir/rw # Set the grep pattern file, remove the blank line in config file allowlist_pattern_file=${rootmnt}/host/$image_dir/allowlist_paths.pattern awk -v rw_dir="$rw_dir" 'NF {print rw_dir"/"$0"$"}' ${allowlist_file} > $allowlist_pattern_file # Find the files in the rw folder, and remove the files not in the allowlist find ${rw_dir} -type f | grep -v -f $allowlist_pattern_file | xargs /bin/rm -f rm -f $allowlist_pattern_file } ## Mount the overlay file system: rw layer over squashfs image_dir=$(cat /proc/cmdline | sed -e 's/.*loop=\(\S*\)\/.*/\1/') mkdir -p ${rootmnt}/host/$image_dir/rw mkdir -p ${rootmnt}/host/$image_dir/work ## Remove the files not in allowlist in the rw folder remove_not_in_allowlist_files "$image_dir" ## Remove the executable permission for all the files in rw folder except home folder rw_dir=${rootmnt}/host/$image_dir/rw find ${rw_dir} -type f -not -path ${rw_dir}/home -exec chmod a-x {} + mount -n -o lowerdir=${rootmnt},upperdir=${rootmnt}/host/$image_dir/rw,workdir=${rootmnt}/host/$image_dir/work -t overlay root-overlay ${rootmnt} ## Check if the root block device is still there [ -b ${ROOT} ] || mdev -s case "${ROOT}" in ubi*) mtd=$(cat /proc/cmdline | sed -e 's/.*ubi.mtd=\([0-9]\) .*/\1/') if [ ! -f /dev/${ROOT}_0 ]; then ubiattach /dev/ubi_ctrl -m $mtd || true fi mount -t ubifs /dev/${ROOT}_0 ${rootmnt}/host ;; *) ## Mount the raw partition again mount ${ROOT} ${rootmnt}/host ;; esac mkdir -p ${rootmnt}/var/lib/docker if [ -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} ]; then ## mount tmpfs and extract docker into it mount -t tmpfs -o rw,nodev,size={{ DOCKER_RAMFS_SIZE }} tmpfs ${rootmnt}/var/lib/docker tar xz --numeric-owner -f ${rootmnt}/host/$image_dir/{{ FILESYSTEM_DOCKERFS }} -C ${rootmnt}/var/lib/docker else ## Mount the working directory of docker engine in the raw partition, bypass the overlay mount --bind ${rootmnt}/host/$image_dir/{{ DOCKERFS_DIR }} ${rootmnt}/var/lib/docker fi ## Mount the boot directory in the raw partition, bypass the overlay mkdir -p ${rootmnt}/boot mount --bind ${rootmnt}/host/$image_dir/boot ${rootmnt}/boot ## Mount loop device or tmpfs for /var/log onie_platform="" aboot_platform="" if [ -f ${rootmnt}/host/machine.conf ]; then . ${rootmnt}/host/machine.conf fi if [ X"$aboot_platform" = X"x86_64-arista_7050_qx32" ] || [ X"$aboot_platform" = X"x86_64-arista_7050_qx32s" ] || [ X"$aboot_platform" = X"x86_64-arista_7060_cx32s" ] then set_tmpfs_log_partition_size mount -t tmpfs -o rw,nosuid,nodev,size=${varlogsize}M tmpfs ${rootmnt}/var/log [ -f ${rootmnt}/host/disk-img/var-log.ext4 ] && rm -rf ${rootmnt}/host/disk-img/var-log.ext4 else [ -f ${rootmnt}/host/disk-img/var-log.ext4 ] && fsck.ext4 -v -p ${rootmnt}/host/disk-img/var-log.ext4 2>&1 \ | gzip -c >> /tmp/fsck.log.gz [ -f ${rootmnt}/host/disk-img/var-log.ext4 ] && mount -t ext4 -o loop,rw ${rootmnt}/host/disk-img/var-log.ext4 ${rootmnt}/var/log fi ## fscklog file: /tmp will be lost when overlayfs is mounted if [ -f /tmp/fsck.log.gz ]; then mv /tmp/fsck.log.gz ${rootmnt}/var/log fi