Merge pull request #3853 from flatcar/chewi/ignition-oem

sys-apps/ignition: Apply oem:// and mounting fixes

changelog/bugfixes/2026-03-25-ignition-oem.md

@@ -0,0 +1 @@
+- Fixed loading Ignition config from the initrd with `ignition.config.url=oem:///myconf.ign`. This was broken since moving to the minimal initrd. ([scripts#3853](https://github.com/flatcar/scripts/pull/3853))

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0018-usr-share-oem-oem.patch

@@ -1,12 +1,16 @@
-From 12188bc2ac6220685b9a43132d0e85dce36c4ca5 Mon Sep 17 00:00:00 2001
-From: Krzesimir Nowak <knowak@microsoft.com>
-Date: Tue, 4 Apr 2023 12:12:42 +0200
-Subject: [PATCH 18/19] /usr/share/oem -> /oem
+From 8bf635277ccd8f0aeb3bb2e2c67f73dd4188e618 Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 25 Mar 2026 10:55:24 +0000
+Subject: [PATCH 18/21] /usr/share/oem -> /oem
 
+Flatcar previously kept looking at the initrd's /usr/share/oem even
+after the migration for compatibility, but the minimal initrd now moves
+it to /oem before Ignition starts.
 ---
- config/util/translate.go  | 2 +-
- internal/distro/distro.go | 5 ++++-
- 2 files changed, 5 insertions(+), 2 deletions(-)
+ config/util/translate.go    | 2 +-
+ docs/supported-platforms.md | 2 +-
+ internal/distro/distro.go   | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/config/util/translate.go b/config/util/translate.go
 index 347d148c..d4c057b2 100644
@@ -21,22 +25,32 @@ index 347d148c..d4c057b2 100644
  		} else {
  			// generate a new path
  			fsMap[name] = "/tmp/" + name + "-ign" + strconv.FormatUint(addedSuffixCounter, 10)
+diff --git a/docs/supported-platforms.md b/docs/supported-platforms.md
+index 0a30664c..1522d0ef 100644
+--- a/docs/supported-platforms.md
++++ b/docs/supported-platforms.md
+@@ -12,7 +12,7 @@ Ignition is currently supported for the following platforms:
+ * [Amazon Web Services] (`aws`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
+ * [Microsoft Azure] (`azure`)- Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
+ * [Microsoft Azure Stack] (`azurestack`) - Ignition will read its configuration from the custom data provided to the instance. Cloud SSH keys are handled separately.
+-* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/usr/share/oem`.
++* Bare Metal - Use the `ignition.config.url` kernel parameter to provide a URL to the configuration. The URL can use the `http://`, `https://`, `tftp://`, `s3://`, or `gs://` schemes to specify a remote config or the `oem://` scheme to specify a local config, rooted in `/oem`.
+ * [Brightbox] (`brightbox`) - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
+ * [CloudStack] (`cloudstack`) - Ignition will read its configuration from the instance userdata via either metadata service or config drive. Cloud SSH keys are handled separately.
+ * `cloudsigma` - Ignition will read its configuration from the instance userdata. Cloud SSH keys are handled separately.
 diff --git a/internal/distro/distro.go b/internal/distro/distro.go
-index f3c32aaf..7359eefe 100644
+index f3c32aaf..36bdf3f5 100644
 --- a/internal/distro/distro.go
 +++ b/internal/distro/distro.go
-@@ -32,7 +32,10 @@ var (
- 	bootIDPath        = "/proc/sys/kernel/random/boot_id"
+@@ -33,7 +33,7 @@ var (
  	// initramfs directory containing distro-provided base config
  	systemConfigDir = "/usr/lib/ignition"
--	// initramfs directory to check before retrieving file from OEM partition
-+	// initramfs directory to check before retrieving file from
-+	// OEM partition; note that OEM partition is mounted on /oem
-+	// on the host, but initrds still use /usr/share/oem for
-+	// backwards compatilibity
- 	oemLookasideDir = "/usr/share/oem"
+ 	// initramfs directory to check before retrieving file from OEM partition
+-	oemLookasideDir = "/usr/share/oem"
++	oemLookasideDir = "/oem"
  
  	// Helper programs
+ 	groupaddCmd  = "groupadd"
 -- 
-2.51.0
+2.53.0
 

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch

@@ -0,0 +1,44 @@
+From 14b7be1a0a51408df54b36590a25d2cbab228bbc Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 25 Mar 2026 11:09:40 +0000
+Subject: [PATCH 20/21] Create /mnt directory before attempting to mount OEM
+ partition
+
+This was previously fixed, but it then broke again when the /mnt/oem
+mount path was replaced with a temp directory under /mnt. Parent
+directories are not created for you when requesting a temp directory.
+---
+ internal/resource/url.go | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/internal/resource/url.go b/internal/resource/url.go
+index 4471db96..86136422 100644
+--- a/internal/resource/url.go
++++ b/internal/resource/url.go
+@@ -478,6 +478,11 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
+ 	f.Logger.Info("oem config not found in %q, looking on oem partition",
+ 		distro.OEMLookasideDir())
+ 
++	if err := os.MkdirAll("/mnt", 0755); err != nil {
++		f.Logger.Err("failed to create /mnt directory for oem mount path: %v", err)
++		return err
++	}
++
+ 	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
+ 	if err != nil {
+ 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
+@@ -800,11 +805,6 @@ func (f *Fetcher) mountOEM(oemMountPath string) error {
+ 		return err
+ 	}
+ 
+-	if err := os.MkdirAll(oemMountPath, 0700); err != nil {
+-		f.Logger.Err("failed to create oem mount point: %v", err)
+-		return err
+-	}
+-
+ 	if err := f.Logger.LogOp(
+ 		func() error {
+ 			return syscall.Mount(dev[0], oemMountPath, "ext4", 0, "")
+-- 
+2.53.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/files/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch

@@ -0,0 +1,34 @@
+From daab4ae13c6511183609c5160999ab1e011a0d8c Mon Sep 17 00:00:00 2001
+From: James Le Cuirot <jlecuirot@microsoft.com>
+Date: Wed, 25 Mar 2026 11:12:37 +0000
+Subject: [PATCH 21/21] Replace deprecated ioutil.TempDir call with
+ os.MkdirTemp
+
+---
+ internal/resource/url.go | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/internal/resource/url.go b/internal/resource/url.go
+index 86136422..a38f4e87 100644
+--- a/internal/resource/url.go
++++ b/internal/resource/url.go
+@@ -23,7 +23,6 @@ import (
+ 	"fmt"
+ 	"hash"
+ 	"io"
+-	"io/ioutil"
+ 	"net"
+ 	"net/http"
+ 	"net/url"
+@@ -483,7 +482,7 @@ func (f *Fetcher) fetchFromOEM(u url.URL, dest io.Writer, opts FetchOptions) err
+ 		return err
+ 	}
+ 
+-	oemMountPath, err := ioutil.TempDir("/mnt", "oem")
++	oemMountPath, err := os.MkdirTemp("/mnt", "oem")
+ 	if err != nil {
+ 		f.Logger.Err("failed to create mount path for oem partition: %v", err)
+ 		return ErrFailed
+-- 
+2.53.0
+

sdk_container/src/third_party/coreos-overlay/sys-apps/ignition/ignition-9999.ebuild

@@ -35,6 +35,8 @@ else
 		"${FILESDIR}/0017-docs-Add-re-added-platforms-to-docs-to-pass-tests.patch"
 		"${FILESDIR}/0018-usr-share-oem-oem.patch"
 		"${FILESDIR}/0019-internal-exec-stages-mount-Mount-oem.patch"
+		"${FILESDIR}/0020-Create-mnt-directory-before-attempting-to-mount-OEM-.patch"
+		"${FILESDIR}/0021-Replace-deprecated-ioutil.TempDir-call-with-os.Mkdir.patch"
 	)
 fi