Make sure to not run the installer twice if the first time succeeds

The following sequence of events is invalid:
- installer runs and succeeds
- we sign the drivers
- installer runs again

This is because, during the second run, the installer will detect that
the drivers have been modified (because of the signatures), and will
consider the whole install invalid. It will then try to uninstall the
drivers. (aside: the error message this produces is a little confusing
because of how our code uses overlayfs, but the signed drivers get
uninstalled no matter what)

We solve this in the code by only calling the "install libs" function
when we either aren't doing legacy linking (which doesn't run the
installer), or the installer failed when doing legacy linking.

Typically, the installer won't run and succeed when doing legacy
linking. But when module signature enforcement is disabled (like in
GKE), it will succeed.

TEST=Run on cos-85 with module signature enforcement disabled. Run on
cos-85 with module signature enforcement enabled. Run on cos-93 with
module signature enforcement enabled. Run on cos-93 with module
signature enforcement disabled.

Change-Id: Ideeb71377404632d645d89bb417c60b73d41c3b5
Tested-by: Robert Kolchmeyer <>
Cloud-Build: GCB Service account <>
Reviewed-by: Arnav Kansal <>
1 file changed
tree: 77a84c7e5572fca14c56ed1c5df5ff7d2693da08
  1. BUILD.bazel
  6. cloudbuild.yaml
  7. deps.bzl
  8. go.mod
  9. go.sum
  10. release/
  12. src/
  13. testing/

Tools for Container-Optimized OS

This is a repository of various tools developed for Container-Optimized OS. Examples include cos-gpu-installer, cos-toolbox, etc.

See for how to contribute.