push dkl init boot logic here

boot-v1.go

@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -119,6 +120,13 @@ func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) {
 	mount("overlay", "/system", "overlay", rootMountFlags,
 		"lowerdir="+strings.Join(lowers, ":")+",upperdir=/changes/upperdir,workdir=/changes/workdir")
 
+	// make root rshared (default in systemd, required by Kubernetes 1.10+)
+	// equivalent to "mount --make-rshared /"
+	// see kernel's Documentation/sharedsubtree.txt (search rshared)
+	if err := syscall.Mount("", "/system", "", syscall.MS_SHARED|syscall.MS_REC, ""); err != nil {
+		fatalf("FATAL: mount --make-rshared / failed: %v", err)
+	}
+
 	if bootMounted {
 		if layersInMemory {
 			if err := syscall.Unmount("/boot", 0); err != nil {
@@ -158,6 +166,37 @@ func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) {
 		}
 	}
 
+	// - groups
+	for _, group := range cfg.Groups {
+		log.Print("creating group ", group.Name)
+
+		opts := make([]string, 0)
+		opts = append(opts /* chroot */, "/system", "groupadd", "-r")
+		if group.Gid != 0 {
+			opts = append(opts, "-g", strconv.Itoa(group.Gid))
+		}
+		opts = append(opts, group.Name)
+
+		run("chroot", opts...)
+	}
+
+	// - user
+	for _, user := range cfg.Users {
+		log.Print("creating user ", user.Name)
+
+		opts := make([]string, 0)
+		opts = append(opts /* chroot */, "/system", "useradd", "-r")
+		if user.Gid != 0 {
+			opts = append(opts, "-g", strconv.Itoa(user.Gid))
+		}
+		if user.Uid != 0 {
+			opts = append(opts, "-u", strconv.Itoa(user.Uid))
+		}
+		opts = append(opts, user.Name)
+
+		run("chroot", opts...)
+	}
+
 	return
 }