Match publisher id

Take a publisher ID and match it for mounting configuration drives to prevent the wrong device from being used. Change-Id: Iafa77d9213eba864ca6dfa2d56d294e6ef4d2cd4
2024-04-05 10:09:28 -07:00 · 2024-04-05 10:09:28 -07:00 · f92befe127
commit f92befe127
parent bdbbc53885
3 changed files with 61 additions and 0 deletions
--- a/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk
+++ b/dib/ironic-python-agent-ramdisk/post-install.d/80-ironic-python-agent-ramdisk
@ -31,6 +31,7 @@ case "$DIB_INIT_SYSTEM" in
        if $DIB_IPA_ENABLE_RESCUE; then
            systemctl enable ironic-agent-create-rescue-user.path
        fi
+        systemctl enable ironic-agent-resolve-config-drive.service
        # NOTE(rpittau) disable caching remote package index to prevent
        # delays due to failures.
        # This is a new service for dnf-based systems (e.g. Centos8) to speed
--- a/dib/ironic-python-agent-ramdisk/static/etc/systemd/system/ironic-agent-resolve-config-drive.service
+++ b/dib/ironic-python-agent-ramdisk/static/etc/systemd/system/ironic-agent-resolve-config-drive.service
@ -0,0 +1,13 @@
+[Unit]
+Description=Ironic agent config drive setup
+Wants=network-pre.target
+Before=network-pre.target
+After=local-fs.target
+
+[Service]
+ExecStart=/bin/bash /usr/local/bin/ironic-python-agent-resolve-configdrive.sh
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
--- a/dib/ironic-python-agent-ramdisk/static/usr/local/bin/ironic-python-agent-resolve-configdrive.sh
+++ b/dib/ironic-python-agent-ramdisk/static/usr/local/bin/ironic-python-agent-resolve-configdrive.sh
@ -0,0 +1,47 @@
+#!/bin/bash
+
+set -eux
+set -o pipefail
+
+echo "Resolving the configuration drive for Ironic."
+
+PATH=/bin:/usr/bin:/sbin:/usr/sbin
+
+# Inspired by/based on glean-early.sh
+# https://opendev.org/opendev/glean/src/branch/master/glean/init/glean-early.sh
+
+# NOTE(TheJulia): We care about iso images, and would expect lower case as a
+# result. In the case of VFAT partitions, they would be upper case.
+CONFIG_DRIVE_LABEL="config-2"
+
+# Identify the number of devices
+device_count=$(lsblk -o PATH,LABEL | grep $CONFIG_DRIVE_LABEL | wc -l)
+
+# Identify if we have an a publisher id set
+publisher_id=""
+if grep -q "ir_pub_id" /proc/cmdline; then
+    publisher_id=$(cat /proc/cmdline | sed -e 's/^.*ir_pub_id=//' -e 's/ .*$//')
+fi
+
+if [ $device_count -lt 1 ]; then
+    # Nothing to do here, exit!
+    exit 0
+else
+    # We have *something* to do here.
+    mkdir -p /mnt/config
+    if [[ "${publisher_id}" != "" ]]; then
+        # We need to enumerate through the devices, and obtain the
+        for device in $(lsblk -o PATH,LABEL|grep config-2|cut -f1 -d" "); do
+            device_id=$(udevadm info --query=property --property=ID_FS_PUBLISHER_ID $device | sed s/ID_FS_PUBLISHER_ID=//)
+            if [[ "${publisher_id}" == "${device_id}" ]]; then
+                # SUCCESS! Valid device! Do it!
+                echo "Device ${device} matches the ${publisher_id}. Mounting..."
+                mount -t iso9660 -o ro,mode=0700 "${device}" /mnt/config || true
+                # We've mounted the device, the world is happy.
+                exit 0
+            else
+                echo "Did not identify $device as a valid ISO for Ironic."
+            fi
+        done
+    fi
+fi