Closed dmcilvaney closed 5 days ago
Can't say much if anyone is expecting to still use it, but if it's out before 3.0 GA, then I guess it's OK.
The code changes look good to me. I love removing code. :)
EFLOW does, but I've already reached out. MIC should be a reasonable replacement.
Merge Checklist
All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)
*-static subpackages, etc.) have had their Release tag incremented.
./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
*.signatures.json files
sudo make go-tidy-all and sudo make go-test-coverage pass
Summary
The new grub flow does not play well with our old dm-verity implementation. The ImageCustomizer tool supports creating verity images now, so let's just get rid of the old verity.
When we first added ReadOnlyVerityRoot to the config for Mariner 1.0 there was no support for dm-verity in systemd or dracut so we needed to build a custom solution. Those components now natively support dm-verity, so let's not re-invent the wheel.
For 3.0 GA just disable the config, a full clean-up can come after GA since we will have to roll back large parts of https://github.com/microsoft/azurelinux/pull/549 (72 files). Cleanup shouldn't be hard but it's a big bit of code to drop right before GA.
Change Log
ReadOnlyVerityRoot.Enable = true will result in an error.
read-only-root-efi.json config.
Does this affect the toolchain?
NO
Associated issues
Test Methodology
sudo make go-tools which runs imageconfigvalidator_test.go. I ensured it failed on read-only-root-efi.json.
sudo make image CONFIG_FILE=./imageconfigs/read-only-root-efi.json fails with (before removing config):