Revert "feat: [NODE-1441] Upgrade GuestOS to 24.04 (#938)"

This reverts commit 87ed927.

ic-os/components/boundary-guestos/etc/systemd/system/node_exporter.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Node Exporter
-After=network.target
+After=syslog.target network.target
 
 [Service]
 User=node_exporter

ic-os/components/boundary-guestos/etc/systemd/system/setup-hostname.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Set up hostname
+Before=systemd-networkd.target
 DefaultDependencies=no
 After=bootstrap-ic-node.service
 Before=systemd-networkd.service

ic-os/components/early-boot/relabel-machine-id/guestos/relabel-machine-id.sh

@@ -2,5 +2,4 @@
 
 # machine-id is set up in initramfs and bind-mounted over to the rootfs. Since
 # policy is not loaded in initramfs yet, it has wrong security context.
-systemd-machine-id-setup --commit
 restorecon -v /etc/machine-id

ic-os/components/early-boot/relabel-machine-id/relabel-machine-id.sh

@@ -4,5 +4,4 @@
 # over to the rootfs. Since policy is not loaded in initramfs yet, it has
 # wrong security context. Fix this up, but ignore failures (this will not
 # work on first boot).
-systemd-machine-id-setup --commit
 restorecon -v /etc/machine-id || true

ic-os/components/early-boot/setup-hostname/hostos/setup-hostname.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=Set up hostname
+Before=systemd-networkd.target
 DefaultDependencies=no
 Before=systemd-networkd.service
 After=systemd-tmpfiles-setup.service

ic-os/components/early-boot/setup-hostname/setup-hostname.service

@@ -1,8 +1,9 @@
 [Unit]
 Description=Set up hostname
-Before=systemd-networkd.service
+Before=systemd-networkd.target
 DefaultDependencies=no
 After=bootstrap-ic-node.service
+Before=systemd-networkd.service
 
 [Install]
 WantedBy=multi-user.target

ic-os/components/guestos.bzl

@@ -38,18 +38,18 @@ component_files = {
     Label("ic/ic.json5.template"): "/opt/ic/share/ic.json5.template",
 
     # init
-    Label("init/bootstrap-ic-node/bootstrap-ic-node.sh"): "/opt/ic/bin/bootstrap-ic-node.sh",
-    Label("init/bootstrap-ic-node/bootstrap-ic-node.service"): "/etc/systemd/system/bootstrap-ic-node.service",
-    Label("init/setup-encryption/setup-encryption.sh"): "/opt/ic/bin/setup-encryption.sh",
-    Label("init/setup-encryption/setup-encryption.service"): "/etc/systemd/system/setup-encryption.service",
-    Label("init/setup-encryption/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh",
+    Label("init/bootstrap-ic-node/guestos/bootstrap-ic-node.sh"): "/opt/ic/bin/bootstrap-ic-node.sh",
+    Label("init/bootstrap-ic-node/guestos/bootstrap-ic-node.service"): "/etc/systemd/system/bootstrap-ic-node.service",
+    Label("init/setup-encryption/guestos/setup-encryption.sh"): "/opt/ic/bin/setup-encryption.sh",
+    Label("init/setup-encryption/guestos/setup-encryption.service"): "/etc/systemd/system/setup-encryption.service",
+    Label("init/setup-encryption/guestos/setup-var-encryption.sh"): "/opt/ic/bin/setup-var-encryption.sh",
     Label("init/setup-lvs/setup-lvs.service"): "/etc/systemd/system/setup-lvs.service",
     Label("init/setup-lvs/guestos/setup-lvs.sh"): "/opt/ic/bin/setup-lvs.sh",
 
     # misc
     Label("misc/logging.sh"): "/opt/ic/bin/logging.sh",
     Label("misc/metrics.sh"): "/opt/ic/bin/metrics.sh",
-    Label("misc/serial-getty@/guestos/override.conf"): "/etc/systemd/system/[email protected].d/override.conf",
+    Label("misc/serial-getty@/guestos/[email protected]"): "/etc/systemd/system/[email protected]",
     Label("misc/chrony/chrony.conf"): "/etc/chrony/chrony.conf",
     Label("misc/chrony/chrony-var.service"): "/etc/systemd/system/chrony-var.service",
     Label("misc/vsock/10-vhost-vsock.rules"): "/etc/udev/rules.d/10-vhost-vsock.rules",
@@ -90,7 +90,7 @@ component_files = {
 
     # networking
     Label("networking/generate-network-config/guestos/generate-network-config.service"): "/etc/systemd/system/generate-network-config.service",
-    Label("networking/retry-ipv6-config/retry-ipv6-config.sh"): "/opt/ic/bin/retry-ipv6-config.sh",
+    Label("networking/retry-ipv6-config/guestos/retry-ipv6-config.sh"): "/opt/ic/bin/retry-ipv6-config.sh",
     Label("networking/retry-ipv6-config/retry-ipv6-config.service"): "/etc/systemd/system/retry-ipv6-config.service",
     Label("networking/nftables/reload_nftables.path"): "/etc/systemd/system/reload_nftables.path",
     Label("networking/nftables/reload_nftables.service"): "/etc/systemd/system/reload_nftables.service",

ic-os/components/init/bootstrap-ic-node/bootstrap-ic-node.sh → ic-os/components/init/bootstrap-ic-node/guestos/bootstrap-ic-node.sh

@@ -180,7 +180,7 @@ while [ ! -f /boot/config/CONFIGURED ]; do
     fi
 
     # Fix up permissions. This is actually the wrong place.
-    chown ic-replica:nogroup -R /var/lib/ic/data
+    chown ic-replica.nogroup -R /var/lib/ic/data
 
     if [ "${DEV}" != "" ]; then
         umount /mnt

ic-os/components/init/setup-encryption/setup-encryption.service → ic-os/components/init/setup-encryption/guestos/setup-encryption.service

@@ -3,11 +3,11 @@ Description=Set up encrypted storage on first boot
 DefaultDependencies=no
 After=boot-config.mount
 Requires=boot-config.mount
-Before=cryptsetup-pre.target
-Wants=cryptsetup-pre.target
+Before=systemd-cryptsetup@vda10\x2dcrypt.service
 
 [Install]
 WantedBy=local-fs.target
+RequiredBy=systemd-cryptsetup@vda10\x2dcrypt.service
 
 [Service]
 Type=oneshot

ic-os/components/misc/guestos/crypttab

@@ -1 +1 @@
-vda10-crypt /dev/vda10  /boot/config/store.keyfile  luks,discard
+vda10-crypt /dev/vda10  /boot/config/store.keyfile  luks2,discard

ic-os/components/misc/serial-getty@/guestos/serial-getty@.service

@@ -0,0 +1,35 @@
+#  Overwrite the default systemd serial getty service to
+#  run our own console getty.
+
+[Unit]
+Description=Serial Getty on %I
+BindsTo=dev-%i.device
+After=dev-%i.device systemd-user-sessions.service plymouth-quit-wait.service getty-pre.target
+After=rc-local.service
+
+# If additional gettys are spawned during boot then we should make
+# sure that this is synchronized before getty.target, even though
+# getty.target didn't actually pull it in.
+Before=getty.target
+IgnoreOnIsolate=yes
+
+# IgnoreOnIsolate causes issues with sulogin, if someone isolates
+# rescue.target or starts rescue.service from multi-user.target or
+# graphical.target.
+Conflicts=rescue.service
+Before=rescue.service
+
+[Service]
+ExecStart=-/opt/ic/bin/infogetty -r /etc/allow_console_root /dev/%I
+Type=idle
+Restart=always
+UtmpIdentifier=%I
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+KillMode=process
+IgnoreSIGPIPE=no
+SendSIGHUP=yes
+
+[Install]
+WantedBy=getty.target

ic-os/components/misc/serial-getty@/setupos/serial-getty@.service

@@ -0,0 +1,40 @@
+#  Overwrite the default systemd serial getty service to
+#  run our own console getty.
+
+[Unit]
+Description=Serial Getty on %I
+Documentation=man:agetty(8) man:systemd-getty-generator(8)
+Documentation=http://0pointer.de/blog/projects/serial-console.html
+BindsTo=dev-%i.device
+After=dev-%i.device systemd-user-sessions.service plymouth-quit-wait.service getty-pre.target
+After=rc-local.service
+
+# If additional gettys are spawned during boot then we should make
+# sure that this is synchronized before getty.target, even though
+# getty.target didn't actually pull it in.
+Before=getty.target
+IgnoreOnIsolate=yes
+
+# IgnoreOnIsolate causes issues with sulogin, if someone isolates
+# rescue.target or starts rescue.service from multi-user.target or
+# graphical.target.
+Conflicts=rescue.service
+Before=rescue.service
+
+[Service]
+# The '-o' option value tells agetty to replace 'login' arguments with an
+# option to preserve environment (-p), followed by '--' for safety, and then
+# the entered username.
+ExecStart=-/sbin/agetty -p -a root -o '-p -- \\u' --keep-baud 115200,38400,9600 %I $TERM
+Type=idle
+Restart=always
+UtmpIdentifier=%I
+TTYPath=/dev/%I
+TTYReset=yes
+TTYVHangup=yes
+KillMode=process
+IgnoreSIGPIPE=no
+SendSIGHUP=yes
+
+[Install]
+WantedBy=getty.target

ic-os/components/misc/vsock/vsock-agent.service

@@ -1,5 +1,6 @@
 [Unit]
 Description=VSOCK agent daemon
+After=syslog.target
 
 [Service]
 User=root

ic-os/components/monitoring/node_exporter/node_exporter.service

@@ -1,6 +1,6 @@
 [Unit]
 Description=Node Exporter
-After=network.target
+After=syslog.target network.target
 
 [Service]
 User=node_exporter

ic-os/components/networking/generate-network-config/guestos/generate-network-config.service

@@ -1,7 +1,6 @@
 [Unit]
 Description=Generate network config
 After=bootstrap-ic-node.service
-Requires=bootstrap-ic-node.service
 Before=systemd-networkd.service
 
 [Install]

ic-os/components/selinux/filebeat/filebeat.te

@@ -41,7 +41,6 @@ init_daemon_domain(filebeat_t, filebeat_exec_t)
 # Allow filebeat to perform its primary function, namely to read
 # the journal files.
 systemd_read_journal_files(filebeat_t)
-systemd_watch_journal_dirs(filebeat_t)
 
 # It wants to send the logs to remote host, allow unrestricted TCP for
 # this for now. Maybe this can be reasonably constrained more tightly.
@@ -57,7 +56,6 @@ corenet_all_recvfrom_unlabeled(filebeat_t)
 
 # Read generic etc files (e.g. nsswitch.conf)
 files_read_etc_files(filebeat_t)
-files_read_etc_runtime_files(filebeat_t)
 
 # Read CA certificate
 miscfiles_read_generic_certs(filebeat_t)
@@ -126,7 +124,6 @@ require {
 search_dirs_pattern(filebeat_t, bin_t, bin_t)
 
 # Allow to read `/sys/fs/cgroup/unified/system.slice/filebeat.service/cgroup.controllers`
-require { type cgroup_t; }
 fs_read_cgroup_files(filebeat_t)
 allow filebeat_t cgroup_t:dir read;
 

ic-os/components/selinux/ic-node/ic-node.te

@@ -322,7 +322,6 @@ allow ic_canister_sandbox_t ic_canister_mem_t : file { map read write getattr };
 allow ic_replica_t ic_canister_mem_t : file { map read write getattr };
 
 # Wants to read its own control group. Should deny that.
-require { type cgroup_t; }
 dontaudit ic_canister_sandbox_t cgroup_t : dir { search };
 dontaudit ic_canister_sandbox_t cgroup_t : file { open read getattr };
 

ic-os/components/selinux/manageboot/manageboot.te

@@ -22,7 +22,7 @@ application_domain(ic_manageboot_t, ic_manageboot_exec_t)
 # write upgrades into partition). Allow entering sudo, and return
 # to the original domain when sudo re-executes the script (so
 # it is now running same domain, but with root privileges).
-sudo_role_template(ic_manageboot, ic_manageboot_t, ic_manageboot_exec_t, system_r)
+sudo_role_template(ic_manageboot, system_r, ic_manageboot_t)
 domtrans_pattern(ic_manageboot_sudo_t, ic_manageboot_exec_t, ic_manageboot_t)
 # Under certain circumstances, sudo signals its children.
 allow ic_manageboot_sudo_t ic_manageboot_t : process { signal };
@@ -123,7 +123,7 @@ allow ic_manageboot_t ic_manageboot_t : unix_stream_socket { connect create geta
 # Allow searching runtime process directories (/var/run which is symlinked to /run).
 # It is not perfectly clear what/why it is doing that, but it is harmless
 # enough. May to to forbid it and see if it still works.
-files_search_runtime(ic_manageboot_t)
+files_search_pids(ic_manageboot_t)
 
 # Allow reading /opt/ic/share/version.txt
-read_files_pattern(ic_manageboot_t, usr_t, usr_t)
+read_files_pattern(ic_manageboot_t, usr_t, usr_t)

ic-os/components/selinux/misc-fixes/misc-fixes.te

@@ -15,16 +15,12 @@ permissive unconfined_t;
 require { type lvm_t; }
 
 # Note that "cryptsetup" is also running as lvm_t.
-require { type initrc_t, initrc_runtime_t; }
-allow lvm_t initrc_t : sem rw_sem_perms;
 
 # cryptsetup needs to create /run/cryptsetup: This is its lockfile directory to
 # track which devices, which is the lockfile directory tracking devices on
 # which operations are in progress
-require { type var_run_t, initrc_runtime_t; }
+require { type var_run_t; }
 create_dirs_pattern(lvm_t, var_run_t, var_run_t)
-manage_dirs_pattern(lvm_t, initrc_runtime_t, initrc_runtime_t)
-manage_files_pattern(lvm_t, initrc_runtime_t, initrc_runtime_t)
 
 # lvm cryptsetup needs to manage its own cryptographic keys
 allow lvm_t lvm_t : key manage_key_perms;

ic-os/components/selinux/node_exporter/node_exporter.te

@@ -115,12 +115,3 @@ require {
     type user_runtime_root_t;
 }
 allow node_exporter_t user_runtime_root_t:dir { search };
-
-# Allow reading udev state data from /run/udev/data
-udev_read_runtime_files(node_exporter_t)
-
-# Allow reading /proc/pressure
-kernel_read_psi(node_exporter_t)
-
-# Allow reading under mount points with mnt_t
-files_list_mnt(node_exporter_t)

ic-os/components/selinux/systemd-fixes/systemd-fixes.te

@@ -119,13 +119,6 @@ list_dirs_pattern(systemd_tmpfiles_t, unlabeled_t, unlabeled_t)
 # A tempfile is used as part of setting up machine-id
 read_files_pattern(systemd_tmpfiles_t, tmpfs_t, tmpfs_t)
 
-###############################################################################
-# systemd-generator
-
-# systemd_generator_t is missing this permission, and it blocks ssh
-require { type systemd_generator_t; }
-init_delete_runtime_files(systemd_generator_t)
-
 ###############################################################################
 # udev
 
@@ -153,12 +146,6 @@ systemd_connect_userdb(local_login_t)
 # ssh also needs access to userdb
 systemd_connect_userdb(sshd_t)
 
-###############################################################################
-# systemd-notify
-
-require { type systemd_runtime_notify_t; }
-allow sshd_t systemd_runtime_notify_t : sock_file write_sock_file_perms;
-
 ###############################################################################
 # pcscd
 

ic-os/components/setupos.bzl

@@ -34,7 +34,7 @@ component_files = {
     Label("misc/chrony/chrony.conf"): "/etc/chrony/chrony.conf",
     Label("misc/chrony/chrony-var.service"): "/etc/systemd/system/chrony-var.service",
     Label("misc/fetch-property.sh"): "/opt/ic/bin/fetch-property.sh",
-    Label("misc/serial-getty@/setupos/override.conf"): "/etc/systemd/system/[email protected].d/override.conf",
+    Label("misc/serial-getty@/setupos/[email protected]"): "/etc/systemd/system/[email protected]",
     Label("monitoring/journald.conf"): "/etc/systemd/journald.conf",
 
     # networking

ic-os/components/upgrade/shared-resources/setup-shared-resources/setup-shared-data.service

@@ -4,6 +4,7 @@ DefaultDependencies=no
 Requires=dev-mapper-store\x2dshared\x2d\x2ddata.device
 After=dev-mapper-store\x2dshared\x2d\x2ddata.device
 Before=systemd-fsck@dev-mapper-store\x2dshared\x2d\x2ddata.service
+Before=var-lib-ic-data\x2dnode.mount
 # Add an explicit sequencing to LVM setup. The observed problem is that the
 # LV apparently becomes notified as "ready" through udev before the actual
 # lvcreate command has finished. This results in filesystem setup racing with
@@ -14,6 +15,7 @@ Requires=setup-lvs.service
 
 [Install]
 RequiredBy=systemd-fsck@dev-mapper-store\x2dshared\x2d\x2ddata.service
+RequiredBy=var-lib-ic-data\x2dnode.mount
 WantedBy=local-fs.target
 
 [Service]

ic-os/components/upgrade/systemd-generators/guestos/mount-generator

@@ -71,6 +71,7 @@ function make_var_cryptsetup() {
     echo "Description=Cryptography Setup for var_crypt"
     echo "DefaultDependencies=no"
     echo "IgnoreOnIsolate=true"
+    echo "After=setup-encryption.service"
     echo "After=cryptsetup-pre.target"
     echo "Before=blockdev@dev-mapper-var_crypt.target"
     echo "Wants=blockdev@dev-mapper-var_crypt.target"
@@ -98,5 +99,5 @@ make_requires localfs.target boot.mount
 make_requires boot-efi.mount boot.mount
 make_requires boot-grub.mount boot.mount
 
-make_var_cryptsetup "$CURRENT_SYSTEM" >"$UNIT_DIR"/systemd-cryptsetup@var_crypt.service
-make_requires dev-mapper-var_crypt.device systemd-cryptsetup@var_crypt.service
+make_var_cryptsetup "$CURRENT_SYSTEM" >"$UNIT_DIR"/cryptsetup@var_crypt.service
+make_requires dev-mapper-var_crypt.device cryptsetup@var_crypt.service