From bc0e0dbd11e29a7c0670b40c350db54541f2490f Mon Sep 17 00:00:00 2001
From: David Frank
Date: Tue, 6 Jan 2026 15:02:57 +0100
Subject: [PATCH 1/2] chore: Consume config directly without untarring (Guest)

Config files are passed from the HostOS into the GuestOS using a config media (aka virtual USB stick) which the GuestOS sees as a block device (usually under `/dev/sda`) containing a vfat filesystem. Previously config files were not directly stored in the filesystem, but they were tarred into a single ic-bootstrap.tar file which was then written to the config media. The tarring step is unnecessary and makes accessing the config files more difficult since the files have to be untarred first. Furthermore, tars can contain unwanted entries, such as symlinks, devices etc. which can be misused by a malicious host (these are not supported by vfat). The migration consists of 3 steps: 1) (this PR) Prepare GuestOS to read files directly from the config media and fall back to `ic-bootstrap.tar` when it exists for backwards compatibility. 2) Once 1) has been rolled out to all nodes, stop tarring in HostOS. 3) Once 2) has been rolled out to all nodes, remove fallback from GuestOS.
---
 .../guestos/init/init-config/init-config.sh | 38 ++++++++++++++-----
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/ic-os/components/guestos/init/init-config/init-config.sh b/ic-os/components/guestos/init/init-config/init-config.sh
index e9241e6bab3e..2b646836d7d5 100644
--- a/ic-os/components/guestos/init/init-config/init-config.sh
+++ b/ic-os/components/guestos/init/init-config/init-config.sh
@@ -1,13 +1,13 @@
 #!/bin/bash
-# Initialize configuration in /run/config from bootstrap package.
+# Initialize configuration in /run/config from config partition.
 set -eo pipefail
 source /opt/ic/bin/logging.sh
 source /opt/ic/bin/metrics.sh
-# List all block devices that could potentially contain the ic-bootstrap.tar configuration,
+# List all block devices that could potentially contain the configuration,
 # i.e. "removable" devices, devices with the serial "config"
 # or devices containing a filesystem with the label "CONFIG".
 function find_config_devices() {
@@ -52,6 +52,8 @@ function mount_config_device() {
     if [ "$config_device" != "" ]; then
         echo "Found CONFIG device at $config_device, creating mount at /mnt/config"
+        # Ensure that the config device is vfat. If we ever change to another filesystem type, we should ensure
+        # that it only contains regular files and directories (not symlinks, devices, etc.).
         if mount -t vfat -o ro "$config_device" /mnt/config; then
             echo "Successfully mounted CONFIG device at /mnt/config"
             return 0
@@ -77,16 +79,34 @@ fi
 trap "umount /mnt/config" EXIT
-# Verify that ic-bootstrap.tar contains only regular files (-) and directories (d)
-if tar -tvf /mnt/config/ic-bootstrap.tar | cut -c 1 | grep -E -q '[^-d]'; then
-    echo "ic-bootstrap.tar contains non-regular files, aborting"
+mkdir /run/config
+mkdir /run/config/bootstrap
+
+# Check if ic-bootstrap.tar exists (backward compatibility with older HostOS versions)
+# TODO: Remove this check once all nodes have HostOS that supports tarless configuration.
+if [ -f /mnt/config/ic-bootstrap.tar ]; then
+    echo "Found ic-bootstrap.tar, using legacy tar-based configuration"
+
+    # Verify that ic-bootstrap.tar contains only regular files (-) and directories (d)
+    if tar -tvf /mnt/config/ic-bootstrap.tar | cut -c 1 | grep -E -q '[^-d]'; then
+        echo "ic-bootstrap.tar contains non-regular files, aborting"
+        exit 1
+    fi
+
+    tar xf /mnt/config/ic-bootstrap.tar -C /run/config/bootstrap
+else
+    echo "Using direct file-based configuration"
+    cp -r /mnt/config/* /run/config/bootstrap/
+fi
+
+if [ -f /run/config/bootstrap/config.json ]; then
+    cp /run/config/bootstrap/config.json /run/config/config.json
+    chown ic-replica:nogroup /run/config/config.json
+else
+    echo "config.json not found in config partition"
     exit 1
 fi
-mkdir -p /run/config/bootstrap
-tar xf /mnt/config/ic-bootstrap.tar -C /run/config/bootstrap
-cp /run/config/bootstrap/config.json /run/config/config.json
-chown ic-replica:nogroup /run/config/config.json
 /opt/ic/bin/config populate-nns-public-key
 # Create file under /run/config/guest_vm_type, this can be used to add ConditionPathExists conditions to systemd units

From a8edbdf0063697f861447b988d0f6f0be1c5325d Mon Sep 17 00:00:00 2001
From: David Frank
Date: Wed, 7 Jan 2026 13:08:50 +0100
Subject: [PATCH 2/2] add ticket

---
 ic-os/components/guestos/init/init-config/init-config.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

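Review bot: `mkdir /run/config` and `mkdir /run/config/bootstrap` replace the previous `mkdir -p /run/config/bootstrap`, so under `set -eo pipefail` the script now aborts before any configuration is copied if `/run/config` already exists (a re-run, or an earlier unit creating the directory); unless failing loudly on a pre-existing directory is intended, keep `mkdir -p /run/config/bootstrap`. In the else branch, `cp -r /mnt/config/* /run/config/bootstrap/` skips dot-files because the glob is unquoted and nullglob/dotglob are not set, and on an empty media it fails on the literal unmatched pattern with an unhelpful cp error, whereas the tar branch extracts every entry; `cp -r /mnt/config/. /run/config/bootstrap/` copies the whole tree independent of file names. The two branches also leave different ownership and mode bits under `/run/config/bootstrap` (the archive's metadata versus root-owned files carrying the vfat mount's mode bits masked by umask), which is presumably harmless for `config.json` since it is chown'ed afterwards but worth confirming for any other consumer of that directory, and a short comment stating that the file-based branch relies on the vfat mount in `mount_config_device` to exclude non-regular entries would make the security assumption explicit at the point of use.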
diff --git a/ic-os/components/guestos/init/init-config/init-config.sh b/ic-os/components/guestos/init/init-config/init-config.sh
index 2b646836d7d5..b98cf0a0903a 100644
--- a/ic-os/components/guestos/init/init-config/init-config.sh
+++ b/ic-os/components/guestos/init/init-config/init-config.sh
@@ -83,7 +83,7 @@ mkdir /run/config
 mkdir /run/config/bootstrap
 
 # Check if ic-bootstrap.tar exists (backward compatibility with older HostOS versions)
-# TODO: Remove this check once all nodes have HostOS that supports tarless configuration.
+# TODO(NODE-1821): Remove this check once all nodes have HostOS that supports tarless configuration.
 if [ -f /mnt/config/ic-bootstrap.tar ]; then
     echo "Found ic-bootstrap.tar, using legacy tar-based configuration"