fix(dx): rework dx incus/swtpm and systemd services. Make incus setup…

… work with Aurora (#1231)
ublue-os · Apr 28, 2024 · 020f325 · 020f325
1 parent 89b41d4
commit 020f325
Show file tree

Hide file tree

Showing 10 changed files with 52 additions and 47 deletions.
diff --git a/just/bluefin-apps.just b/just/bluefin-apps.just
@@ -111,10 +111,10 @@ install-incus:
     #!/usr/bin/env bash
     source /usr/lib/ujust/ujust.sh
     CURRENT_IMAGE=$(rpm-ostree status -b --json | jq -r '.deployments[0]."container-image-reference"')
-    if grep -q "bluefin-dx" <<< $CURRENT_IMAGE
+    if grep -Eq "bluefin-dx|aurora-dx" <<< $CURRENT_IMAGE
     then
         echo 'Installing and configuring Incus.'
-        /usr/bin/bluefin-incus
+        /usr/libexec/bluefin-incus
     else
         echo "Developer mode is currently ${b}${red}Disabled${n}."
         echo "Run \"just devmode\" to turn on Developer mode."

diff --git a/system_files/dx/usr/lib/systemd/system/bluefin-dx-groups.service b/system_files/dx/usr/lib/systemd/system/bluefin-dx-groups.service
@@ -3,7 +3,7 @@ Description=Add wheel members to docker,incus-admin, and lxd groups
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/bluefin-dx-groups
+ExecStart=/usr/libexec/bluefin-dx-groups
 Restart=on-failure
 RestartSec=30
 StartLimitInterval=0

diff --git a/system_files/dx/usr/lib/systemd/system/incus-workaround.service b/system_files/dx/usr/lib/systemd/system/incus-workaround.service
@@ -0,0 +1,32 @@
+[Unit]
+Description=Workaround swtpm not having the correct label
+ConditionFileIsExecutable=/usr/bin/incus
+ConditionFileIsExecutable=/usr/bin/incus-agent
+ConditionPathExists=/usr/lib/incus
+After=local-fs.target
+
+[Service]
+Type=oneshot
+# Copy if it doesn't exist
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/overrides/incus ] || /usr/bin/cp /usr/bin/incus /usr/local/bin/overrides/incus"
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/overrides/incus-agent ] || /usr/bin/cp /usr/bin/incus /usr/local/bin/overrides/incus-agent"
+ExecStartPre=/usr/bin/bash -c "[ -d /usr/local/lib/overrides/incus ] || /usr/bin/cp -R /usr/bin/incus /usr/local/lib/overrides/incus"
+# This is faster than using .mount unit. Also allows for the previous line/cleanup
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/overrides/incus /usr/bin/incus
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/overrides/incus-agent /usr/bin/incus-agent
+ExecStartPre=/usr/bin/mount --bind /usr/local/lib/overrides/incus /usr/lib/incus
+# Fix SELinux label
+ExecStart=/usr/sbin/restorecon /usr/bin/incus
+ExecStart=/usr/sbin/restorecon /usr/bin/incus-agent
+ExecStart=/usr/sbin/restorecon -R /usr/lib/incus
+# Clean-up after ourselves
+ExecStop=/usr/bin/umount /usr/bin/incus
+ExecStop=/usr/bin/umount /usr/bin/incus-agent
+ExecStop=/usr/bin/umount /usr/lib/incus
+ExecStop=/usr/bin/rm /usr/local/bin/overrides/incus
+ExecStop=/usr/bin/rm /usr/local/bin/overrides/incus-agent
+ExecStop=/usr/bin/rm -r /usr/local/lib/overrides/incus
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/system_files/dx/usr/lib/systemd/system/swtpm-workaround.service b/system_files/dx/usr/lib/systemd/system/swtpm-workaround.service
@@ -6,14 +6,14 @@ After=local-fs.target
 [Service]
 Type=oneshot
 # Copy if it doesn't exist
-ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/.swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/.swtpm"
+ExecStartPre=/usr/bin/bash -c "[ -x /usr/local/bin/overrides/swtpm ] || /usr/bin/cp /usr/bin/swtpm /usr/local/bin/overrides/swtpm"
 # This is faster than using .mount unit. Also allows for the previous line/cleanup
-ExecStartPre=/usr/bin/mount --bind /usr/local/bin/.swtpm /usr/bin/swtpm
+ExecStartPre=/usr/bin/mount --bind /usr/local/bin/overrides/swtpm /usr/bin/swtpm
 # Fix SELinux label
 ExecStart=/usr/sbin/restorecon /usr/bin/swtpm
 # Clean-up after ourselves
 ExecStop=/usr/bin/umount /usr/bin/swtpm
-ExecStop=/usr/bin/rm /usr/local/bin/.swtpm
+ExecStop=/usr/bin/rm /usr/local/bin/overrides/swtpm
 RemainAfterExit=yes
 
 [Install]

diff --git a/system_files/dx/usr/lib/systemd/user/bluefin-dx-user-vscode.service b/system_files/dx/usr/lib/systemd/user/bluefin-dx-user-vscode.service
@@ -5,7 +5,7 @@ After=network-online.target ublue-user-setup.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/bluefin-dx-user-vscode
+ExecStart=/usr/libexec/bluefin-dx-user-vscode
 Restart=on-failure
 RestartSec=30
 StartLimitInterval=0

diff --git a/system_files/dx/usr/lib/tmpfiles.d/incus-workaround.conf b/system_files/dx/usr/lib/tmpfiles.d/incus-workaround.conf
@@ -0,0 +1,3 @@
+C /usr/local/bin/overrides/incus - - - - /usr/bin/incus
+C /usr/local/bin/overrides/incus-agent - - - - /usr/bin/incus-agent
+C /usr/local/lib/overrides/incus - - - - /usr/lib/incus
diff --git a/system_files/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf b/system_files/dx/usr/lib/tmpfiles.d/swtpm-workaround.conf
@@ -1,2 +1,2 @@
-C /usr/local/bin/.swtpm - - - - /usr/bin/swtpm
+C /usr/local/bin/overrides/swtpm - - - - /usr/bin/swtpm
 d /var/lib/swtpm-localca 0750 tss tss - -
diff --git a/system_files/dx/usr/bin/bluefin-dx-groups → ...em_files/dx/usr/libexec/bluefin-dx-groups b/system_files/dx/usr/bin/bluefin-dx-groups → ...em_files/dx/usr/libexec/bluefin-dx-groups
diff --git a/...m_files/dx/usr/bin/bluefin-dx-user-vscode → ...les/dx/usr/libexec/bluefin-dx-user-vscode b/...m_files/dx/usr/bin/bluefin-dx-user-vscode → ...les/dx/usr/libexec/bluefin-dx-user-vscode
diff --git a/system_files/dx/usr/bin/bluefin-incus → system_files/dx/usr/libexec/bluefin-incus b/system_files/dx/usr/bin/bluefin-incus → system_files/dx/usr/libexec/bluefin-incus
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
-# All the pieces needed to enable incus on Bluefin-dx
-# This script is meant to be run on a bluefin-dx host
+# All the pieces needed to enable incus on Developer Experience Hosts
+# This script is meant to be run on a {bluefin,aurora}-dx host
 
 # if current user is root, warn and exit
 
@@ -34,60 +34,30 @@ else
     echo "root:1000000:1000000000" | sudo tee -a /etc/subgid
 fi
 
-if grep -q "root:1000:1" /etc/subgid
+if grep -q "root:$UID:1" /etc/subgid
 then
     echo ""
     echo "  * subgid root->user"
 else
-    echo "root:1000:1" | sudo tee -a /etc/subgid
+    echo "root:$UID:1" | sudo tee -a /etc/subgid
 fi
 
-if grep -q "root:1000:1" /etc/subuid
+if grep -q "root:$UID:1" /etc/subuid
 then
     echo ""
     echo "  * subuid root->user"
 else
-    echo "root:1000:1" | sudo tee -a /etc/subuid
+    echo "root:$UID:1" | sudo tee -a /etc/subuid
 fi
 
-# check to see if SELinux is set to permissive or disabled
-
-echo ""
-echo "Checking SELinux status"
-SELINUX_STATUS=$(getenforce)
-
-if [ "$SELINUX_STATUS" = "Enforcing" ]
-then
-    echo ""
-    echo "SELinux must be set to Permissive or Disabled to enable Incus"
-    echo "Choose your new SELinux state:"
-    OPTION=$(gum choose Permissive Disabled Cancel)
-    if [ "$OPTION" = "Cancel" ]
-    then
-        echo "You have chosen to cancel the Incus installation process"
-        exit
-    else
-        sudo setenforce $OPTION
-        echo "You must reboot before continuing. You can run this script again."
-        exit
-    fi
-fi
-
-# create necessary directories for lxcfs and incus
-
-echo ""
-echo "Creating necessary directories for lxcfs and incus"
-sudo mkdir -p /var/lib/lxcfs
-sudo mkdir -p /var/lib/incus
-sudo mkdir -p /var/log/incus
-
 # enable incus services
 
 echo ""
 echo "Enabling incus services"
+sudo systemctl enable --now incus-workaround.service
 sudo systemctl enable --now lxcfs
-sudo systemctl enable --now incus
-
+sudo systemctl enable --now incus.socket
+sudo systemctl start incus.service
 
 # run incus admin init
 echo ""