mrballcb · June 6, 2019 15:25
diff --git a/coreos_systemd_units.txt b/coreos_systemd_units.txt
 # The CoreOS ami is opinionated (IMHO, and is not a bad thing).  There are two opinions it projects that are of interest:
 # 1) automatically download updates, apply, and reboot nodes (with locking in etcd to prevent too many from doing it at once)
 # 2) enable selinux by default, but in permissive mode.

 # The first can cause problems if your app is not totally written with cloud concepts in mind.
 # The second can cause problems if you have a really large EBS volume with a lot of files getting mounted by Kube because the mount
 # enables selinux, which then performs a recursive relabeling of the volume when it mounts.  You should always leave selinux on, but
 # if you have a specific case where this is a problem, evaluate your options and your liability.

 # You can define both of these in your kops cluster definition or in a specific instanceGroup definition.

 # This will to stop the automatic update/reboot process:

 spec:
  hooks:
  - before:
    - update-engine.service
    manifest: |
      Type=oneshot
      ExecStartPre=/usr/bin/systemctl mask --now update-engine.service
      ExecStartPre=/usr/bin/systemctl mask --now locksmithd.service
      ExecStart=/usr/bin/systemctl reset-failed update-engine.service
    name: disable-automatic-updates.service

 # This will COMPLETELY disable selinux and reboot to take effect.
 spec:
  hooks:
  - manifest: |
      Type=oneshot
      ExecStart=/usr/bin/sh -c "[ -L /etc/selinux/config ] && rm /etc/selinux/config && echo 'SELINUX=disabled' > /etc/selinux/config && /usr/sbin/reboot || exit 0"
    name: disable-selinux-and-reboot.service
    # Can add this to make it run after the disable automatic updates unit above
    requires:
    - disable-automatic-updates.service

 # By the way, I can't stand systemD. Completely loses the "do one thing and do it best" unix approach.
	# The CoreOS ami is opinionated (IMHO, and is not a bad thing). There are two opinions it projects that are of interest:
	# 1) automatically download updates, apply, and reboot nodes (with locking in etcd to prevent too many from doing it at once)
	# 2) enable selinux by default, but in permissive mode.

	# The first can cause problems if your app is not totally written with cloud concepts in mind.
	# The second can cause problems if you have a really large EBS volume with a lot of files getting mounted by Kube because the mount
	# enables selinux, which then performs a recursive relabeling of the volume when it mounts. You should always leave selinux on, but
	# if you have a specific case where this is a problem, evaluate your options and your liability.

	# You can define both of these in your kops cluster definition or in a specific instanceGroup definition.

	# This will to stop the automatic update/reboot process:

	spec:
	hooks:
	- before:
	- update-engine.service
	manifest: \|
	Type=oneshot
	ExecStartPre=/usr/bin/systemctl mask --now update-engine.service
	ExecStartPre=/usr/bin/systemctl mask --now locksmithd.service
	ExecStart=/usr/bin/systemctl reset-failed update-engine.service
	name: disable-automatic-updates.service

	# This will COMPLETELY disable selinux and reboot to take effect.
	spec:
	hooks:
	- manifest: \|
	Type=oneshot
	ExecStart=/usr/bin/sh -c "[ -L /etc/selinux/config ] && rm /etc/selinux/config && echo 'SELINUX=disabled' > /etc/selinux/config && /usr/sbin/reboot \|\| exit 0"
	name: disable-selinux-and-reboot.service
	# Can add this to make it run after the disable automatic updates unit above
	requires:
	- disable-automatic-updates.service

	# By the way, I can't stand systemD. Completely loses the "do one thing and do it best" unix approach.