snap-bootstrap: experimental: handling install/factory reset steps within snap-bootstrap

[kubiko]

This is a reference PR implementing install and factory-reset modes within snap-bootstrap
It should server also as tracking for the work done so far.
This activity is split across multiple PRs and not all might be mentioned here, especially if they have already landed.
As such, this PR can be regularly rebased and force-pushed to update tracking.

Current state: install mode support had landed on the master branch

Related PRs:
Open:
#12641

Landed:
#12846

Keeping original descriptions around for reference:
Original description:

Experimental attempt to handle install step within snap-bootstrap, effectively compressing initial install into a single boot.

Since the install step relies on additional tools to manage partitions, create file systems, set up encryption, this change has to be also accompanied by additional tools in initramfs.
As a reference of initramfs size increases:

• additional tools and extra features in snap-bootstrap (sec tools) resulted in 2.3MB size increase for UC22 (arm64, zstd compression)

TODOs:
Improve seed meta loading. We load seed meta 3 times(assuming preseeded image)

• initial essential snaps for install, hashes: kernel, base, gadget
• handling preseed, hashes: all
• post-install snapd handling, hashes: snapd
  Since we support parallelism we should ideally:
• load all the essentials (kernel, core, snapd, gadget) most systems are either single and 4+ cores
• reuse the hash of essential snaps and only hash other snaps

[pedronis]

this looks promising, we need to look into:

• when do we do this? always? can we? not always but based on what?
  • does that mean that install handlers go away?
• what to do about hooks, calling fde-reveal-key instead of fde-setup is a change of contract that doesn't make sense, also it means we cannot really do this always
• we need to properly split the parts of devicestate we are reusing to a package (to avoid bringing in most of overlord in snap-bootstrap), and also try to have even more higher-level helpers, there is still quite a bit of stuff that feels repeated from install code and could go out of sync
• we need to see what do about places that look at the kernel command line directly, I could spot:
  • https://github.com/snapcore/core-base/search?q=ConditionKernelCommandLine

  • ./overlord/configstate/configcore/services.go:		mode, _, _ := boot.ModeAndRecoverySystemFromKernelCommandLine()
    ./cmd/snap/cmd_auto_import.go:	mode, _, err := boot.ModeAndRecoverySystemFromKernelCommandLine()
    ./cmd/snap-bootstrap/cmd_initramfs_mounts.go:	mode, recoverySystem, err := boot.ModeAndRecoverySystemFromKernelCommandLine()
    

• what to do about install-device hook

[pedronis]

is the idea to always do this? should we do this only if preseed is setup?

[pedronis]

it seems we can't do this in general because of the different hook contract ?

[kubiko]

I have a rather radical opinion here :)
I thin we should completely eliminate "install boot" for all the scenarios unless proven otherwise that this is needed.
initramfs is exactly what we want as an ephemeral system to run install in.

[pedronis]

as we discussed we have to:

• start smaller and decide how to trigger this (which probably relates to the question about the hook contract)
• we still have use cases for the full install mode (dedicated installers for example)

[pedronis]

this probably can be one helper?

[pedronis]

there is a bit more than this happening in doRestartSystemToRunMode that we might want/need to take care of

[kubiko]

Actually, this should be removed from here and system should be marked as bootable later once it actually boots.
If we mark system  runable here and it fails later, the install would not be re-run. Perhaps more fitting place for this would be:
https://github.com/snapcore/snapd/blob/master//boot/boot.go#L355

[pedronis]

nitpick: this has a bit too many bool args

[kubiko]

Ideally I'd extend initramfsMountsState struct to do more, so we do not pass this many things.
But fair point

[pedronis]

this brings in most overlord which we don't want, we will have to split out the bits we need of devicestate to their own package

[kubiko]

I had this very concern when I was prototyping with a separate go binary.
In case of snap-bootstrap we are unfortunately already pulling it in:
https://github.com/snapcore/snapd/blob/master/cmd/snap-bootstrap/cmd_initramfs_mounts.go#L46
So defo something to improve. And yes I can confirm it does increate size noticeably.

[pedronis]

configcore is different, is designed not to pull in most of overlord if things are compiled with -tags nomanagers which we do for snap-boostrap or should

[pedronis]

yes, we cannot assume we will do encryption

[kubiko]

it's potentially next TODO to fix this

[pedronis]

we need to find a way to share even more of this with install handler code

[kubiko]

Ultimately I think we should move the install handler to bootstrap.

[pedronis]

again it seems this should be made into one helper

[pedronis]

this looks a bit odd, there should be a more direct to know this

[kubiko]

I'd love a simpler way here, but I could not find a go helper to get single-mount info.

Ultimately I do not think we will need this.
We divided /run/mnt/data and /run/mnt/ubuntu-data because we boot into install mode, where /run/mnt/data is tmpfs but this is no more concern. So my preference would be to run the install directly to /run/mnt/data and this extra dance is no more needed.

[pedronis]

this is not called anyway?

[kubiko]

I was calling it in my early PoC, but then I notice snap-bootstrap is not doing any cleanup so I'm not calling it now. but at least keep the code in case we decide to call it.
For debugging it was also helpful to see the state of the system where it bailed out.

It's a bit philosophical if we need to clean, or if we even should:

• in secure mode, there is non-interactive shell anyway, and we anyway wiped the whole thing.
• in debug mode, it's probably good to give a change to see what is where. If we unmount enc partitions and lock fde-hook, extend TPM, there is no way to mount them again....

[ernestl]

@kubiko is this still useful/relevant?

[ernestl]

Discussed with @kubiko , this is still relevant and should not be removed.