Merge pull request #3934 from flatcar/chewi/ignition-mounting

Drop old Ignition OEM mounting code and bump bootengine with new mount handling

changelog/changes/2026-04-15-ignition-oem.md

@@ -0,0 +1 @@
+- Reworked how the OEM partition is mounted at boot time so that Ignition no longer has to handle this by itself, thereby requiring less patching. This should not affect any existing usage, but it is a significant underlying change, so it needs to be called out. Please report any unexpected issues. ([flatcar/script#3934](https://github.com/flatcar/scripts/pull/3934))

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/Manifest

@@ -1 +1 @@
-DIST coreos-init-1660f54f79dbba285a64c52d3338f5566e1d770d.tar.gz 59695 BLAKE2B 02c67fa98ee0b97123cb322fb6eabacf7ae7a282914408a8246371552ed222cc3eb56f27d5c42230158a4f7907db9cdfd4b7f51e96995aac2a0f903ff34d034d SHA512 d1282837b52f550855e6c0990796e270c32d7b0882b062f401aff9c9eea7a7c8fba4f2a051f9c42be9316022fa8ee214dc28a8078b306577629d01d96e32d5e8
+DIST coreos-init-9c940ec78b8eb513397ece28bd6cb0d2af6cc342.tar.gz 60774 BLAKE2B b141646a9ff796825cd0726413c3deacc3d60ac1e9dedbfa72e2f563c4b10ef5f7db5dcafefae75f83a21dd83d811c73611598c27faf70e7d486ffff9d62377e SHA512 4532a1069313cacf2f2d92a71859f6550e87e6cfe1966326b2bfa0279770f2e58d9956ccebc1ddebca2336a8d0e0bc778e73fa0d79c63374a23de5c2b8638c9b

sdk_container/src/third_party/coreos-overlay/coreos-base/coreos-init/coreos-init-9999.ebuild

@@ -14,7 +14,7 @@ if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://github.com/flatcar/init.git"
 	inherit git-r3
 else
-	EGIT_VERSION="1660f54f79dbba285a64c52d3338f5566e1d770d" # flatcar-master
+	EGIT_VERSION="9c940ec78b8eb513397ece28bd6cb0d2af6cc342" # flatcar-master
 	SRC_URI="https://github.com/flatcar/init/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 	S="${WORKDIR}/init-${EGIT_VERSION}"
 	KEYWORDS="amd64 arm arm64 x86"

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0013-Partially-revert-drop-OEM-URI-support.patch

@@ -1,19 +1,21 @@
-From b617624e830507f68268db881fdb1576ed25fb41 Mon Sep 17 00:00:00 2001
-From: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
-Date: Wed, 25 May 2022 10:38:16 +0200
-Subject: [PATCH 13/19] Revert "*: drop OEM URI support"
+From df6384f8f0e93ab3b61cd04822cf808c7c2d289a Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 1 Apr 2026 16:11:52 +0100
+Subject: [PATCH 13/17] Partially revert "*: drop OEM URI support"
 
-This reverts commit 0c088d6de77aa1b1f47b9252a07f51cb1e249df3.
+This partially reverts commit 0c088d6de77aa1b1f47b9252a07f51cb1e249df3.
+
+Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
 ---
  config/v3_0/types/url.go    |  2 +-
  config/v3_1/types/url.go    |  2 +-
  config/v3_2/types/url.go    |  2 +-
  config/v3_3/types/url.go    |  2 +-
  config/v3_4/types/url.go    |  2 +-
- docs/supported-platforms.md |  1 +
- internal/distro/distro.go   | 11 ++++-
- internal/resource/url.go    | 91 +++++++++++++++++++++++++++++++++++++
- 8 files changed, 106 insertions(+), 7 deletions(-)
+ docs/supported-platforms.md |  2 ++
+ internal/distro/distro.go   |  3 +++
+ internal/resource/url.go    | 27 +++++++++++++++++++++++++++
+ 8 files changed, 37 insertions(+), 5 deletions(-)
 
 diff --git a/config/v3_0/types/url.go b/config/v3_0/types/url.go
 index 2d8c44b1..f560bc22 100644
@@ -81,32 +83,23 @@ index b1f96337..752044ce 100644
  	case "s3":
  		if v, ok := u.Query()["versionId"]; ok {
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index afd49437..f8e1d3ae 100644
+index afd49437..897eeabd 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -12,6 +12,7 @@ Ignition is currently supported for the following platforms:
+@@ -12,6 +12,8 @@ Ignition is currently supported for the following platforms:
  * [Amazon Web Services] (`aws`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Microsoft Azure] (`azure`)- Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
  * [Microsoft Azure Stack] (`azurestack`) - Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
 +* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
++* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
  * [DigitalOcean] (`digitalocean`) - Ignition will read its configuration from the droplet userdata. Cloud SSH keys and network configuration are handled separately.
 diff --git a/internal/distro/distro.go b/internal/distro/distro.go
-index 9d9351e7..f3c32aaf 100644
+index 9d9351e7..fb12b792 100644
 --- a/internal/distro/distro.go
 +++ b/internal/distro/distro.go
-@@ -23,13 +23,17 @@ import (
- // -X github.com/flatcar/ignition/v2/internal/distro.mdadmCmd=/opt/bin/mdadm
- var (
- 	// Device node directories and paths
--	diskByLabelDir = "/dev/disk/by-label"
-+	diskByLabelDir    = "/dev/disk/by-label"
-+	diskByPartUUIDDir = "/dev/disk/by-partuuid"
-+	oemDevicePath     = "/dev/disk/by-label/OEM"
- 
- 	// initrd file paths
- 	kernelCmdlinePath = "/proc/cmdline"
+@@ -30,6 +30,8 @@ var (
  	bootIDPath        = "/proc/sys/kernel/random/boot_id"
  	// initramfs directory containing distro-provided base config
  	systemConfigDir = "/usr/lib/ignition"
@@ -115,15 +108,7 @@ index 9d9351e7..f3c32aaf 100644
  
  	// Helper programs
  	groupaddCmd  = "groupadd"
-@@ -83,11 +87,14 @@ var (
- 	luksCexSecureKeyRepo    = "/etc/zkey/repository/"
- )
- 
--func DiskByLabelDir() string { return diskByLabelDir }
-+func DiskByLabelDir() string    { return diskByLabelDir }
-+func DiskByPartUUIDDir() string { return diskByPartUUIDDir }
-+func OEMDevicePath() string     { return fromEnv("OEM_DEVICE", oemDevicePath) }
- 
+@@ -88,6 +90,7 @@ func DiskByLabelDir() string { return diskByLabelDir }
  func KernelCmdlinePath() string { return kernelCmdlinePath }
  func BootIDPath() string        { return bootIDPath }
  func SystemConfigDir() string   { return fromEnv("SYSTEM_CONFIG_DIR", systemConfigDir) }
@@ -132,15 +117,10 @@ index 9d9351e7..f3c32aaf 100644
  func GroupaddCmd() string  { return groupaddCmd }
  func GroupdelCmd() string  { return groupdelCmd }
 diff --git a/internal/resource/url.go b/internal/resource/url.go
-index 5f08f059..a9f7f7ba 100644
+index 5f08f059..ab1d80fa 100644
 --- a/internal/resource/url.go
 +++ b/internal/resource/url.go
-@@ -23,10 +23,12 @@ import (
- 	"fmt"
- 	"hash"
- 	"io"
-+	"io/ioutil"
- 	"net"
+@@ -27,6 +27,7 @@ import (
  	"net/http"
  	"net/url"
  	"os"
@@ -148,17 +128,15 @@ index 5f08f059..a9f7f7ba 100644
  	"strings"
  	"syscall"
  	"time"
-@@ -34,7 +36,9 @@ import (
+@@ -34,6 +35,7 @@ import (
  	"cloud.google.com/go/compute/metadata"
  	"cloud.google.com/go/storage"
  	configErrors "github.com/flatcar/ignition/v2/config/shared/errors"
 +	"github.com/flatcar/ignition/v2/internal/distro"
  	"github.com/flatcar/ignition/v2/internal/log"
-+	"github.com/flatcar/ignition/v2/internal/systemd"
  	"github.com/flatcar/ignition/v2/internal/util"
  	"golang.org/x/oauth2/google"
- 	"google.golang.org/api/option"
-@@ -165,6 +169,8 @@ func (f *Fetcher) FetchToBuffer(u url.URL, opts FetchOptions) ([]byte, error) {
+@@ -165,6 +167,8 @@ func (f *Fetcher) FetchToBuffer(u url.URL, opts FetchOptions) ([]byte, error) {
  		err = f.fetchFromTFTP(u, dest, opts)
  	case "data":
  		err = f.fetchFromDataURL(u, dest, opts)
@@ -167,7 +145,7 @@ index 5f08f059..a9f7f7ba 100644
  	case "s3", "arn":
  		buf := &s3buf{
  			WriteAtBuffer: manager.NewWriteAtBuffer([]byte{}),
-@@ -237,6 +243,8 @@ func (f *Fetcher) Fetch(u url.URL, dest *os.File, opts FetchOptions) error {
+@@ -237,6 +241,8 @@ func (f *Fetcher) Fetch(u url.URL, dest *os.File, opts FetchOptions) error {
  		return f.fetchFromTFTP(u, dest, opts)
  	case "data":
  		return f.fetchFromDataURL(u, dest, opts)
@@ -176,7 +154,7 @@ index 5f08f059..a9f7f7ba 100644
  	case "s3", "arn":
  		return f.fetchFromS3(u, dest, opts)
  	case "gs":
-@@ -447,6 +455,53 @@ type s3target interface {
+@@ -447,6 +453,27 @@ type s3target interface {
  	io.ReadSeeker
  }
  
@@ -195,81 +173,15 @@ index 5f08f059..a9f7f7ba 100644
 +	if fi, err := os.Open(absPath); err == nil {
 +		defer fi.Close()
 +		return f.decompressCopyHashAndVerify(dest, fi, opts)
-+	} else if !os.IsNotExist(err) {
++	} else {
 +		f.Logger.Err("failed to read oem config: %v", err)
 +		return ErrFailed
 +	}
-+
-+	f.Logger.Info("oem config not found in %q, looking on oem partition",
-+		distro.OEMLookasideDir())
-+
-+	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
-+	if err != nil {
-+		f.Logger.Err("failed to create mount path for oem partition: %v", err)
-+		return ErrFailed
-+	}
-+	// try oemMountPath, requires mounting it.
-+	if err := f.mountOEM(oemMountPath); err != nil {
-+		f.Logger.Err("failed to mount oem partition: %v", err)
-+		return ErrFailed
-+	}
-+	defer os.Remove(oemMountPath)
-+	defer f.umountOEM(oemMountPath)
-+
-+	absPath = filepath.Join(oemMountPath, path)
-+	fi, err := os.Open(absPath)
-+	if err != nil {
-+		f.Logger.Err("failed to read oem config: %v", err)
-+		return ErrFailed
-+	}
-+	defer fi.Close()
-+
-+	return f.decompressCopyHashAndVerify(dest, fi, opts)
 +}
 +
  // FetchFromS3 gets data from an S3 bucket as described by u and writes it into
  // dest, returning an error if one is encountered. It will attempt to acquire
  // IAM credentials from the EC2 metadata service, and if this fails will attempt
-@@ -735,3 +790,39 @@ func (f *Fetcher) parseARN(arnURL string) (string, string, string, string, error
- 	key := strings.Join(urlSplit[1:], "/")
- 	return bucket, key, "", regionHint, nil
- }
-+
-+// mountOEM waits for the presence of and mounts the oem partition at
-+// oemMountPath. oemMountPath will be created if it does not exist.
-+func (f *Fetcher) mountOEM(oemMountPath string) error {
-+	dev := []string{distro.OEMDevicePath()}
-+	if err := systemd.WaitOnDevices(context.Background(), dev, "oem-cmdline"); err != nil {
-+		f.Logger.Err("failed to wait for oem device: %v", err)
-+		return err
-+	}
-+
-+	if err := os.MkdirAll(oemMountPath, 0700); err != nil {
-+		f.Logger.Err("failed to create oem mount point: %v", err)
-+		return err
-+	}
-+
-+	if err := f.Logger.LogOp(
-+		func() error {
-+			return syscall.Mount(dev[0], oemMountPath, "ext4", 0, "")
-+		},
-+		"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
-+	); err != nil {
-+		return fmt.Errorf("failed to mount device %q at %q: %v",
-+			distro.OEMDevicePath(), oemMountPath, err)
-+	}
-+
-+	return nil
-+}
-+
-+// umountOEM unmounts the oem partition at oemMountPath.
-+func (f *Fetcher) umountOEM(oemMountPath string) {
-+	// ignore the error for the linter
-+	_ = f.Logger.LogOp(
-+		func() error { return syscall.Unmount(oemMountPath, 0) },
-+		"unmounting %q", oemMountPath,
-+	)
-+}
 -- 
-2.51.0
+2.53.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0014-config-Support-oem-schema-in-newer-config-spec-versi.patch

@@ -0,0 +1,41 @@
+From 22332650e3b97479aca7144b04a6dbd2590596de Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Mon, 6 Apr 2026 13:13:58 +0100
+Subject: [PATCH 14/18] config: Support oem:// schema in newer config spec
+ versions
+
+Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
+---
+ config/v3_5/types/url.go              | 2 +-
+ config/v3_6_experimental/types/url.go | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/config/v3_5/types/url.go b/config/v3_5/types/url.go
+index b1f96337..752044ce 100644
+--- a/config/v3_5/types/url.go
++++ b/config/v3_5/types/url.go
+@@ -32,7 +32,7 @@ func validateURL(s string) error {
+ 	}
+ 
+ 	switch u.Scheme {
+-	case "http", "https", "tftp", "gs":
++	case "http", "https", "tftp", "gs", "oem":
+ 		return nil
+ 	case "s3":
+ 		if v, ok := u.Query()["versionId"]; ok {
+diff --git a/config/v3_6_experimental/types/url.go b/config/v3_6_experimental/types/url.go
+index b1f96337..752044ce 100644
+--- a/config/v3_6_experimental/types/url.go
++++ b/config/v3_6_experimental/types/url.go
+@@ -32,7 +32,7 @@ func validateURL(s string) error {
+ 	}
+ 
+ 	switch u.Scheme {
+-	case "http", "https", "tftp", "gs":
++	case "http", "https", "tftp", "gs", "oem":
+ 		return nil
+ 	case "s3":
+ 		if v, ok := u.Query()["versionId"]; ok {
+-- 
+2.53.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0014-internal-resource-url-support-btrfs-as-OEM-partition.patch

@@ -1,39 +0,0 @@
-From ca4cd35a3124d696c236549111b1655f6feffb97 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Kai=20L=C3=BCke?= <kailuke@microsoft.com>
-Date: Wed, 7 Jul 2021 18:40:52 +0200
-Subject: [PATCH 14/19] internal/resource/url: support btrfs as OEM partition
- filesystem
-
-When btrfs is used to fit more content into the partition, mounting
-fails because ext4 was hardcoded.
-When mounting ext4 fails, try mounting as btrfs.
----
- internal/resource/url.go | 11 ++++++++++-
- 1 file changed, 10 insertions(+), 1 deletion(-)
-
-diff --git a/internal/resource/url.go b/internal/resource/url.go
-index a9f7f7ba..4471db96 100644
---- a/internal/resource/url.go
-+++ b/internal/resource/url.go
-@@ -811,8 +811,17 @@ func (f *Fetcher) mountOEM(oemMountPath string) error {
- 		},
- 		"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
- 	); err != nil {
--		return fmt.Errorf("failed to mount device %q at %q: %v",
-+		f.Logger.Err("failed to mount ext4 device %q at %q, trying btrfs: %v",
- 			distro.OEMDevicePath(), oemMountPath, err)
-+		if err := f.Logger.LogOp(
-+			func() error {
-+				return syscall.Mount(dev[0], oemMountPath, "btrfs", 0, "")
-+			},
-+			"mounting %q at %q", distro.OEMDevicePath(), oemMountPath,
-+		); err != nil {
-+			return fmt.Errorf("failed to mount btrfs device %q at %q: %v",
-+				distro.OEMDevicePath(), oemMountPath, err)
-+		}
- 	}
- 
- 	return nil
--- 
-2.51.0
-

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0017-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch

@@ -1,7 +1,7 @@
-From 9840bd7740f5667f8b2d6e3d87da226dab14bf83 Mon Sep 17 00:00:00 2001
+From f0030362abcedf24149860673ef0596cf3051787 Mon Sep 17 00:00:00 2001
 From: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
 Date: Mon, 4 Mar 2024 15:05:14 +0100
-Subject: [PATCH 17/19] docs: Add re-added platforms to docs to pass tests
+Subject: [PATCH 17/18] docs: Add re-added platforms to docs to pass tests
 
 Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
 Co-Authored-By: Krzesimir Nowak <knowak@microsoft.com
@@ -10,18 +10,18 @@ Co-Authored-By: Krzesimir Nowak <knowak@microsoft.com
  1 file changed, 4 insertions(+)
 
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index f8e1d3ae..0a30664c 100644
+index 897eeabd..2a861637 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -15,6 +15,7 @@ Ignition is currently supported for the following platforms:
- * Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
+@@ -16,6 +16,7 @@ Ignition is currently supported for the following platforms:
+ * PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
 +* `cloudsigma` - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [DigitalOcean] (`digitalocean`) - Ignition will read its configuration from the droplet userdata. Cloud SSH keys and network configuration are handled separately.
  * [Exoscale] (`exoscale`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Google Cloud] (`gcp`) - Ignition will read its configuration from the instance metadata entry named "user-data". Cloud SSH keys are handled separately.
-@@ -30,6 +31,9 @@ Ignition is currently supported for the following platforms:
+@@ -31,6 +32,9 @@ Ignition is currently supported for the following platforms:
  * [Equinix Metal] (`packet`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [IBM Power Systems Virtual Server] (`powervs`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [QEMU] (`qemu`) - Ignition will read its configuration from the 'opt/com.coreos/config' key on the QEMU Firmware Configuration Device (available in QEMU 2.4.0 and higher).
@@ -32,5 +32,5 @@ index f8e1d3ae..0a30664c 100644
  * [UpCloud] (`upcloud`) - Ignition will read its configuration from the instance userdata fetched from the metadata service (which is NOT enabled by default, make sure you enable it if you use custom images). Cloud SSH keys are handled separately.
  * [VirtualBox] (`virtualbox`) - Use the VirtualBox guest property `/Ignition/Config` to provide the config to the virtual machine.
 -- 
-2.51.0
+2.53.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0018-usr-share-oem-oem.patch

@@ -1,16 +1,18 @@
-From 8bf635277ccd8f0aeb3bb2e2c67f73dd4188e618 Mon Sep 17 00:00:00 2001
+From 8f5d1b4685b12817ea7d65673de51b3ee384988d Mon Sep 17 00:00:00 2001
 From: James Le Cuirot <jlecuirot@microsoft.com>
 Date: Wed, 25 Mar 2026 10:55:24 +0000
-Subject: [PATCH 18/21] /usr/share/oem -> /oem
+Subject: [PATCH 18/18] /usr/share/oem -> /oem
 
 Flatcar previously kept looking at the initrd's /usr/share/oem even
 after the migration for compatibility, but the minimal initrd now moves
 it to /oem before Ignition starts.
+
+Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
 ---
  config/util/translate.go    | 2 +-
- docs/supported-platforms.md | 2 +-
+ docs/supported-platforms.md | 4 ++--
  internal/distro/distro.go   | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
+ 3 files changed, 4 insertions(+), 4 deletions(-)
 
 diff --git a/config/util/translate.go b/config/util/translate.go
 index 347d148c..d4c057b2 100644
@@ -26,23 +28,25 @@ index 347d148c..d4c057b2 100644
  			// generate a new path
  			fsMap[name] = "/tmp/" + name + "-ign" + strconv.FormatUint(addedSuffixCounter, 10)
 diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
-index 0a30664c..1522d0ef 100644
+index 2a861637..084f5964 100644
 --- a/docs/supported-platforms.md
 +++ b/docs/supported-platforms.md
-@@ -12,7 +12,7 @@ Ignition is currently supported for the following platforms:
+@@ -12,8 +12,8 @@ Ignition is currently supported for the following platforms:
  * [Amazon Web Services] (`aws`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [Microsoft Azure] (`azure`)- Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
  * [Microsoft Azure Stack] (`azurestack`) - Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
 -* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
+-* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
 +* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/oem`.
++* PXE - Use the `ignition.config.url` and first boot kernel parameters to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, or `s3://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/oem`.
  * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
  * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
  * `cloudsigma` - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
 diff --git a/internal/distro/distro.go b/internal/distro/distro.go
-index f3c32aaf..36bdf3f5 100644
+index fb12b792..3a6c2ae3 100644
 --- a/internal/distro/distro.go
 +++ b/internal/distro/distro.go
-@@ -33,7 +33,7 @@ var (
+@@ -31,7 +31,7 @@ var (
  	// initramfs directory containing distro-provided base config
  	systemConfigDir = "/usr/lib/ignition"
  	// initramfs directory to check before retrieving file from OEM partition

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch

@@ -1,44 +0,0 @@
-From 14b7be1a0a51408df54b36590a25d2cbab228bbc Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <jlecuirot@microsoft.com>
-Date: Wed, 25 Mar 2026 11:09:40 +0000
-Subject: [PATCH 20/21] Create /mnt directory before attempting to mount OEM
- partition
-
-This was previously fixed, but it then broke again when the /mnt/oem
-mount path was replaced with a temp directory under /mnt. Parent
-directories are not created for you when requesting a temp directory.
----
- internal/resource/url.go | 10 +++++-----
- 1 file changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/internal/resource/url.go b/internal/resource/url.go
-index 4471db96..86136422 100644
---- a/internal/resource/url.go
-+++ b/internal/resource/url.go
-@@ -478,6 +478,11 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
- 	f.Logger.Info("oem config not found in %q, looking on oem partition",
- 		distro.OEMLookasideDir())
- 
-+	if err := os.MkdirAll("/mnt", 0755); err != nil {
-+		f.Logger.Err("failed to create /mnt directory for oem mount path: %v", err)
-+		return err
-+	}
-+
- 	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
- 	if err != nil {
- 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
-@@ -800,11 +805,6 @@ func (f *Fetcher) mountOEM(oemMountPath string) error {
- 		return err
- 	}
- 
--	if err := os.MkdirAll(oemMountPath, 0700); err != nil {
--		f.Logger.Err("failed to create oem mount point: %v", err)
--		return err
--	}
--
- 	if err := f.Logger.LogOp(
- 		func() error {
- 			return syscall.Mount(dev[0], oemMountPath, "ext4", 0, "")
--- 
-2.53.0
-

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch

@@ -1,34 +0,0 @@
-From daab4ae13c6511183609c5160999ab1e011a0d8c Mon Sep 17 00:00:00 2001
-From: James Le Cuirot <jlecuirot@microsoft.com>
-Date: Wed, 25 Mar 2026 11:12:37 +0000
-Subject: [PATCH 21/21] Replace deprecated ioutil.TempDir call with
- os.MkdirTemp
-
----
- internal/resource/url.go | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/internal/resource/url.go b/internal/resource/url.go
-index 86136422..a38f4e87 100644
---- a/internal/resource/url.go
-+++ b/internal/resource/url.go
-@@ -23,7 +23,6 @@ import (
- 	"fmt"
- 	"hash"
- 	"io"
--	"io/ioutil"
- 	"net"
- 	"net/http"
- 	"net/url"
-@@ -483,7 +482,7 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
- 		return err
- 	}
- 
--	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
-+	oemMountPath, err := os.MkdirTemp("/mnt", "oem")
- 	if err != nil {
- 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
- 		return ErrFailed
--- 
-2.53.0
-

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild

@@ -28,15 +28,13 @@ else
 		"${FILESDIR}/0010-VMware-Fix-guestinfo.-.config.data-and-.config.url-v.patch"
 		"${FILESDIR}/0011-config-version-handle-configuration-version-1.patch"
 		"${FILESDIR}/0012-config-util-add-cloud-init-detection-to-initial-pars.patch"
-		"${FILESDIR}/0013-Revert-drop-OEM-URI-support.patch"
-		"${FILESDIR}/0014-internal-resource-url-support-btrfs-as-OEM-partition.patch"
+		"${FILESDIR}/0013-Partially-revert-drop-OEM-URI-support.patch"
+		"${FILESDIR}/0014-config-Support-oem-schema-in-newer-config-spec-versi.patch"
 		"${FILESDIR}/0015-translation-support-OEM-and-oem.patch"
 		"${FILESDIR}/0016-revert-internal-oem-drop-noop-OEMs.patch"
 		"${FILESDIR}/0017-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch"
 		"${FILESDIR}/0018-usr-share-oem-oem.patch"
 		"${FILESDIR}/0019-internal-exec-stages-mount-Mount-oem.patch"
-		"${FILESDIR}/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch"
-		"${FILESDIR}/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch"
 	)
 fi
 

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/Manifest

@@ -1 +1 @@
-DIST bootengine-9c6a9e4c03e27cdfc5056bf6a76788d2b7165cbb.tar.gz 37123 BLAKE2B a3fafdd8ca38f5eca2df8cfe7fb7825ecfa3b41146c1be327fdf261444d52fa7c582b8351239d1c50532db89d3b863dde445de5dfe60ad167c36c8c8460c2a40 SHA512 e3569138b05b7c07554a37a767a60318f1df918532317f1a9f11b2cd12fc5e7079f8c713287104169575eea93fd83c4238cf230787941341f1d157e9069527bb
+DIST bootengine-003a67d93a99705391a0a1fa825f018b074d8e8b.tar.gz 37805 BLAKE2B 25abb7cf425a02c330245c7efc63406ee823fd9921afd39f9b413eda1451fa48ed150dd104cb550f9b81e7445b4c9e50a0ec55077dbf6de0c712cbcb7339dd67 SHA512 a9246398a560a7bbdb7b1d714012fdca65a2475843cfcb5fd20551086165623d248c577b6170fb32a75709a67014b33581c415e4c5410202e29a57e6a0ff6d88

sdk_container/src/third_party/coreos-overlay/sys-kernel/bootengine/bootengine-9999.ebuild

@@ -10,7 +10,7 @@ if [[ ${PV} == 9999 ]]; then
 	EGIT_REPO_URI="https://github.com/flatcar/bootengine.git"
 	inherit git-r3
 else
-	EGIT_VERSION="9c6a9e4c03e27cdfc5056bf6a76788d2b7165cbb" # flatcar-master
+	EGIT_VERSION="003a67d93a99705391a0a1fa825f018b074d8e8b" # flatcar-master
 	SRC_URI="https://github.com/flatcar/bootengine/archive/${EGIT_VERSION}.tar.gz -> ${PN}-${EGIT_VERSION}.tar.gz"
 	S="${WORKDIR}/${PN}-${EGIT_VERSION}"
 	KEYWORDS="amd64 arm arm64 x86"
@@ -20,26 +20,14 @@ LICENSE="BSD"
 SLOT="0/${PVR}"
 
 src_install() {
-	insinto /usr/lib/dracut/modules.d/
-	doins -r dracut/.
 	dosbin update-bootengine
 	dosbin minimal-init
 
+	insinto /usr/lib/dracut/modules.d
+	doins -r dracut/.
+
 	# must be executable since dracut's install scripts just
 	# re-use existing filesystem permissions during initrd creation.
-	chmod +x \
-		"${ED}"/usr/lib/dracut/modules.d/51*-generator/*-generator \
-		"${ED}"/usr/lib/dracut/modules.d/51diskless-generator/diskless-btrfs \
-		"${ED}"/usr/lib/dracut/modules.d/51networkd-dependency-generator/*-generator \
-		"${ED}"/usr/lib/dracut/modules.d/50flatcar-network/parse-ip-for-networkd.sh \
-		"${ED}"/usr/lib/dracut/modules.d/53disk-uuid/disk-uuid.sh \
-		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-generator \
-		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-setup.sh \
-		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-setup-pre.sh \
-		"${ED}"/usr/lib/dracut/modules.d/53ignition/ignition-kargs-helper \
-		"${ED}"/usr/lib/dracut/modules.d/53ignition/retry-umount.sh \
-		"${ED}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root \
-		"${ED}"/usr/lib/dracut/modules.d/99setup-root/initrd-setup-root-after-ignition \
-		"${ED}"/usr/lib/dracut/modules.d/99setup-root/gpg-agent-wrapper \
-		|| die chmod
+	cd "${ED}"/usr/lib/dracut/modules.d || die
+	find "${S}"/dracut -type f -executable -printf "%P\0" | xargs -0 chmod +x || die
 }