push dkl init boot logic here

boot-v1.go

@@ -5,6 +5,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -158,6 +159,46 @@ func applyConfig(cfgPath string, bootMounted bool) (cfg *configV1) {
 		}
 	}
 
+	// - setup root user
+	if passwordHash := cfg.RootUser.PasswordHash; passwordHash == "" {
+		log.Print("deleting root password")
+		run("chroot", "/system", "passwd", "-d", "root")
+	} else {
+		log.Print("setting root password")
+		run("chroot", "/system", "sh", "-c", "chpasswd --encrypted <<EOF\nroot:"+passwordHash+"\nEOF")
+	}
+
+	// - groups
+	for _, group := range cfg.Groups {
+		log.Print("creating group ", group.Name)
+
+		opts := make([]string, 0)
+		opts = append(opts /* chroot */, "/system", "groupadd", "-r")
+		if group.Gid != 0 {
+			opts = append(opts, "-g", strconv.Itoa(group.Gid))
+		}
+		opts = append(opts, group.Name)
+
+		run("chroot", opts...)
+	}
+
+	// - user
+	for _, user := range cfg.Users {
+		log.Print("creating user ", user.Name)
+
+		opts := make([]string, 0)
+		opts = append(opts /* chroot */, "/system", "useradd", "-r")
+		if user.Gid != 0 {
+			opts = append(opts, "-g", strconv.Itoa(user.Gid))
+		}
+		if user.Uid != 0 {
+			opts = append(opts, "-u", strconv.Itoa(user.Uid))
+		}
+		opts = append(opts, user.Name)
+
+		run("chroot", opts...)
+	}
+
 	return
 }
 

main.go

@@ -22,7 +22,11 @@ const (
 	// VERSION is the current version of init
 	VERSION = "Direktil init v2.0"
 
-	rootMountFlags  = 0
+	// make root rshared (default in systemd, required by Kubernetes 1.10+)
+	// equivalent to "mount --make-rshared /"
+	// see kernel's Documentation/sharedsubtree.txt (search rshared)
+	rootMountFlags = syscall.MS_SHARED | syscall.MS_REC
+
 	bootMountFlags  = syscall.MS_NOEXEC | syscall.MS_NODEV | syscall.MS_NOSUID | syscall.MS_RDONLY
 	layerMountFlags = syscall.MS_RDONLY
 )