Merge pull request #582 from ginglis13/soci-snapshotter-change-service

Soci snapshotter change service

Author: ginglis13

packages/containerd-1.7/containerd.service

@@ -3,6 +3,7 @@ Description=containerd container runtime
 Documentation=https://containerd.io
 After=network-online.target configured.target
 Wants=network-online.target configured.target
+Requires=configure-snapshotter.service
 
 [Service]
 Slice=runtime.slice

packages/containerd-2.0/containerd.service

@@ -3,6 +3,7 @@ Description=containerd container runtime
 Documentation=https://containerd.io
 After=network-online.target configured.target
 Wants=network-online.target configured.target
+Requires=configure-snapshotter.service
 
 [Service]
 Slice=runtime.slice

packages/release/configure-snapshotter.service

@@ -0,0 +1,30 @@
+[Unit]
+Description=Configure Snapshotter
+Before=containerd.service
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/containerd/selected-snapshotter
+EnvironmentFile=-/var/cache/containerd/active-snapshotter
+# Skip cleanup if either snapshotter variable is empty
+ExecCondition=[ -n "${ACTIVE_SNAPSHOTTER}" ]
+ExecCondition=[ -n "${SELECTED_SNAPSHOTTER}" ]
+# Check if the active snapshotter has changed
+ExecCondition=[ "${SELECTED_SNAPSHOTTER}" != "${ACTIVE_SNAPSHOTTER}" ]
+# Don't error if the directories don't exist.
+ExecStart=-/usr/bin/find /var/lib/soci-snapshotter -mindepth 1 -delete -true
+ExecStart=-/usr/bin/find /var/lib/containerd -mindepth 1 -delete -true
+ExecStart=/usr/bin/truncate -s0 /var/cache/containerd/active-snapshotter
+ExecStart=/usr/bin/echo 'ACTIVE_SNAPSHOTTER="${SELECTED_SNAPSHOTTER}"'
+
+# Set the ACTIVE_SNAPSHOTTER regardless of if conditions are met for cleanup.
+# This mitigates the behavior that an unmet ExecCondition will truncate the active-snapshotter EnvironmentFile.
+ExecStopPost=/usr/bin/truncate -s0 /var/cache/containerd/active-snapshotter
+ExecStopPost=/usr/bin/echo 'ACTIVE_SNAPSHOTTER="${SELECTED_SNAPSHOTTER}"'
+
+RemainAfterExit=true
+# Write the active snapshotter.
+StandardOutput=file:/var/cache/containerd/active-snapshotter
+
+[Install]
+WantedBy=multi-user.target

packages/release/release-snapshotter-tmpfiles.conf

@@ -0,0 +1,2 @@
+d /var/cache/containerd 0755 - - -
+f /var/cache/containerd/active-snapshotter 0644 - - - ACTIVE_SNAPSHOTTER="overlayfs"

packages/release/release.spec

@@ -23,6 +23,7 @@ Source95: release-systemd-networkd.conf
 Source96: release-repart-local.conf
 Source98: release-systemd-system.conf
 Source99: release-ca-certificates-tmpfiles.conf
+Source100: release-snapshotter-tmpfiles.conf
 
 # Templates for the settings API.
 Source200: motd.template
@@ -35,6 +36,7 @@ Source206: aws-config
 Source207: aws-credentials
 Source208: modules-load.template
 Source209: log4j-hotpatch-enabled
+Source210: selected-snapshotter-template
 
 # Core targets, services, and slices.
 Source1001: multi-user.target
@@ -81,6 +83,7 @@ Source1064: [email protected]
 Source1065: check-kernel-integrity.service
 Source1066: check-fips-modules.service
 Source1067: [email protected]
+Source1068: configure-snapshotter.service
 
 # Mounts that require build-time edits.
 Source1080: var-lib-kernel-devel-lower.mount.in
@@ -177,6 +180,7 @@ install -d %{buildroot}%{_cross_tmpfilesdir}
 install -p -m 0644 %{S:93} %{buildroot}%{_cross_tmpfilesdir}/release.conf
 install -p -m 0644 %{S:99} %{buildroot}%{_cross_tmpfilesdir}/release-ca-certificates.conf
 install -p -m 0644 %{S:94} %{buildroot}%{_cross_tmpfilesdir}/release-fips.conf
+install -p -m 0644 %{S:100} %{buildroot}%{_cross_tmpfilesdir}/release-snapshotter.conf
 
 install -d %{buildroot}%{_cross_libdir}/systemd/networkd.conf.d
 install -p -m 0644 %{S:95} %{buildroot}%{_cross_libdir}/systemd/networkd.conf.d/80-release.conf
@@ -215,7 +219,7 @@ install -p -m 0644 \
   %{S:1045} %{S:1046} %{S:1047} %{S:1048} %{S:1049} \
   %{S:1050} \
   %{S:1060} %{S:1061} %{S:1062} %{S:1063} %{S:1064} \
-  %{S:1065} %{S:1066} %{S:1067} \
+  %{S:1065} %{S:1066} %{S:1067} %{S:1068} \
   %{buildroot}%{_cross_unitdir}
 
 install -d %{buildroot}%{_cross_unitdir}/systemd-tmpfiles-setup.service.d
@@ -274,6 +278,7 @@ install -p -m 0644 %{S:206} %{buildroot}%{_cross_templatedir}/aws-config
 install -p -m 0644 %{S:207} %{buildroot}%{_cross_templatedir}/aws-credentials
 install -p -m 0644 %{S:208} %{buildroot}%{_cross_templatedir}/modules-load
 install -p -m 0644 %{S:209} %{buildroot}%{_cross_templatedir}/log4j-hotpatch-enabled
+install -p -m 0644 %{S:210} %{buildroot}%{_cross_templatedir}/selected-snapshotter
 
 install -d %{buildroot}%{_cross_unitdir}/systemd-udev-trigger.service.d/
 install -p -m 0644 %{S:1105} %{buildroot}%{_cross_unitdir}/systemd-udev-trigger.service.d/00-selinux.conf
@@ -360,6 +365,9 @@ ln -s preconfigured.target %{buildroot}%{_cross_unitdir}/default.target
 %{_cross_templatedir}/log4j-hotpatch-enabled
 %{_cross_udevrulesdir}/61-mount-cdrom.rules
 %{_cross_datadir}/logdog.d/logdog.common.conf
+%{_cross_unitdir}/configure-snapshotter.service
+%{_cross_templatedir}/selected-snapshotter
+%{_cross_tmpfilesdir}/release-snapshotter.conf
 
 %files fips
 %{_cross_bootconfigdir}/10-fips.conf

packages/release/selected-snapshotter-template

@@ -0,0 +1,5 @@
+[required-extensions]
+container-runtime = "v1"
+std = { version = "v1" }
++++
+SELECTED_SNAPSHOTTER="{{#if settings.container-runtime.snapshotter}}{{settings.container-runtime.snapshotter}}{{else}}overlayfs{{/if}}"

packages/selinux-policy/rules.cil

@@ -251,7 +251,7 @@
 (allow api_s private_t (files (mutate)))
 (allow clock_s measure_t (files (mutate)))
 (allow network_s lease_t (files (mutate)))
-(allow runtime_s cache_t (files (mutate)))
+(allow trusted_s cache_t (files (mutate)))
 
 ; Other components should not be permitted to modify these files,
 ; or to manage mounts for these directories.