Fun little thing I have been working on: teach systemd to boot directly into a disk image downloaded via HTTP within the initrd.
In v257 systemd learnt the ability to download disk images at boot via systemd-import-generator, both DDIs and tarballs, and place them in /var/lib/machines/, /var/lib/portables/, /var/lib/confexts, /var/lib/extensions/. The goal was to provide a way to provision any of these resources automatically at boot. But now that we have this, we can take it a step further:
download the root disk image itself with this. There were a bunch of missing bits to make this nice though:
First of all, for raw disk images we need to attach them to a loopback block device, to make them mountable. Easy-peasy, systemd-dissect --attach already delivers that.
Then, for tar disk images we need to bind mount the downloaded and unpacked image to /sysroot/ (which is where the rootfs goes before we transition into it).
Net result of this: I can now point my UEFI to a single URL where it will load the UKI from. A few seconds later the initrd will pick up the rootfs from the same source, and boot it up. Magic!
Why all this though?
It's mostly to tighten my test loop a bit, for physical devices. So here's what this entails:
1. You build your image with mkosi one your development machine, and ask it to serve your image as HTTP. In other words: `mkosi -f serve`.
2. You boot into the target machine once, and register an EFI variable that enables HTTP boot from your development machine. Simply do `kernel-bootcfg --add-uri=http://192.168.47.11:8081/image.efi --title=testloop --boot-order=0`, using @kraxel's wonderful tool.
3. You simply reboot that target machine. It will now fetch the UKI kernel, which then fetches the root disk image. And everytime you reboot this happens again. The target's machine#s local disks are unnaffected.
4. …
5. Profit!!
Sounds simple? That's because it is.
(Well of course, you wonder where the magic sauce is. It's here: you need to build your UKIs a certain way: i.e. add to the kernel cmdline: `rd.systemd.pull=verify=no,machine,blockdev,bootorigin,raw:root:image.raw rootflags=x-systemd.device-timeout=infinity ip=any`)
So, two take-aways here:
1. Really nice test loop now for testing immutable, modern OSes on physical devices, with onboard tooling
2. Yeah, you can frickin' boot into a damn tarball now, with just an UKI.
WIP PR for all of this is here:
This extends systemd-import-generator to not only download a disk image at boot, but also attach it to a loopback device, so that we can boot from it. We have most of the pieces already in place, t...
and even one more comment:
next steps: instead of downloading root fs via http, access it via nvme-over-tcp.
Benefit: better performance (no ahead of time download, but download as needed), and even better: persistency!
@pid_eins what would be needed for a verification (verify=yes)?
Overall this sounds really cool and a somewhat interesting replacement scenario for PXE in some cases 🤔
Lennart Poettering
Henri
Eric Curtin
Account: Computers
Patrick Lang
David Runge