| author | Colin Walters <walters@verbum.org> | 2016-03-21 10:37:38 -0400 |
|---|---|---|
| committer | Colin Walters <walters@verbum.org> | 2016-03-21 12:49:05 -0400 |
| commit | 8894bb39498267f4ae06badc7aa54c4eb4bb7f73 (patch) | |
| tree | fd6704c0bc6320131cdb7813dd8c8d7581e95558 /docs | |
| parent | b842429bf2c5a7a4e41a8a53d54086a02bf216e1 (diff) | |
| download | ostree-8894bb39498267f4ae06badc7aa54c4eb4bb7f73.tar.gz | |
deploy: Handle a read-only /boot
I'd like to encourage people to make OSTree-managed systems more
strictly read-only in multiple places. Ideally everywhere is
read-only normally besides `/var/`, `/tmp/`, and `/run`.

`/boot` is a good example of something to make read-only. Particularly
now that there's work on the `admin unlock` verb, we need to protect
the system better against things like `rpm -Uvh kernel.rpm` because
the RPM-packaged kernel won't understand how to do OSTree right.

In order to make this work of course, we *do* need to remount `/boot`
as writable when we're doing an upgrade that changes the kernel
configuration. So the strategy is to detect whether it's read-only,
and if so, temporarily mount read-write, then remount read-only when
the upgrade is done.

We can generalize this in the future to also do `/etc` (and possibly
`/sysroot/ostree/`, although that gets tricky).

One detail: detecting "is this path a mountpoint" is
nontrivial - I looked at copying the systemd code, but the right place
is to use `libmount` anyways.
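The detect / remount read-write / do the work / remount read-only strategy described in the commit message, as an added example that is not OSTree's code. Instead of `libmount`, which the message says is the right tool, it parses text in `/proc/self/mountinfo` format itself so the decision logic can run offline against a constructed sample; the function names (`find_mount_for_path`, `with_writable_mount`, `remount_target`), the sample mount table and the `dry_run` switch are all assumptions of this example. The real `mount(2)` calls need root and only run when `dry_run` is false.

```c
/* Added example (not OSTree's code): find the mount holding a path by
 * parsing /proc/self/mountinfo-format text, report whether it is
 * read-only, and wrap an update so /boot is writable only while needed.
 * Linux only; remounting needs CAP_SYS_ADMIN (skipped when dry_run). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>

struct mount_state {
    char target[256];   /* longest mount point that contains the path */
    bool found;
    bool read_only;     /* "ro" in per-mount or superblock options */
};

/* True if the comma-separated option list contains the exact token "ro". */
static bool has_ro_option(const char *opts)
{
    const char *p = opts, *end = opts + strlen(opts);
    while (p < end) {
        const char *comma = strchr(p, ',');
        size_t n = comma ? (size_t)(comma - p) : (size_t)(end - p);
        if (n == 2 && strncmp(p, "ro", 2) == 0)
            return true;
        if (!comma) break;
        p = comma + 1;
    }
    return false;
}

/* "/" contains everything; otherwise require exact match or a '/' boundary
 * so that "/boot" does not claim "/bootx". */
static bool mount_contains(const char *mp, const char *path)
{
    size_t n = strlen(mp);
    if (strcmp(mp, "/") == 0) return true;
    if (strncmp(mp, path, n) != 0) return false;
    return path[n] == '\0' || path[n] == '/';
}

/* Parse mountinfo lines: id parent maj:min root mountpoint mntopts
 * [optional...] - fstype source superopts. Octal escapes like \040 in
 * mount points are not decoded (simplification of this example). */
struct mount_state find_mount_for_path(const char *mountinfo, const char *path)
{
    struct mount_state st = { .target = "", .found = false, .read_only = false };
    char *copy = strdup(mountinfo);
    if (!copy) return st;
    char *saveline = NULL;
    for (char *line = strtok_r(copy, "\n", &saveline); line;
         line = strtok_r(NULL, "\n", &saveline)) {
        char *fields[64];
        int nf = 0;
        char *savetok = NULL;
        for (char *tok = strtok_r(line, " ", &savetok); tok && nf < 64;
             tok = strtok_r(NULL, " ", &savetok))
            fields[nf++] = tok;
        if (nf < 10) continue;
        const char *mp = fields[4], *mntopts = fields[5];
        int sep = 6;
        while (sep < nf && strcmp(fields[sep], "-") != 0) sep++;
        if (sep + 3 >= nf) continue;            /* need fstype source superopts */
        const char *superopts = fields[sep + 3];
        if (!mount_contains(mp, path)) continue;
        if (!st.found || strlen(mp) > strlen(st.target)) {   /* keep deepest */
            st.found = true;
            snprintf(st.target, sizeof st.target, "%s", mp);
            st.read_only = has_ro_option(mntopts) || has_ro_option(superopts);
        }
    }
    free(copy);
    return st;
}

/* In-place remount of a filesystem's superblock flags (MS_REMOUNT without
 * MS_BIND), which is the case for a /boot that is its own filesystem. */
int remount_target(const char *target, bool rw)
{
    unsigned long flags = MS_REMOUNT | (rw ? 0UL : (unsigned long)MS_RDONLY);
    return mount(NULL, target, NULL, flags, NULL) == 0 ? 0 : -errno;
}

/* Detect, remount rw only if it was ro, run the work, always restore ro. */
int with_writable_mount(const char *mountinfo, const char *path,
                        int (*work)(void *), void *arg, bool dry_run)
{
    struct mount_state st = find_mount_for_path(mountinfo, path);
    if (!st.found) return -ENOENT;
    if (st.read_only && !dry_run) {
        int r = remount_target(st.target, true);
        if (r < 0) return r;                    /* cannot make /boot writable */
    }
    int rc = work(arg);
    if (st.read_only && !dry_run) {
        int r = remount_target(st.target, false);
        if (rc == 0 && r < 0) rc = r;           /* report failure to restore ro */
    }
    return rc;
}

/* Constructed sample: / and /var are rw, /boot is mounted ro. */
static const char SAMPLE_MOUNTINFO[] =
    "24 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro\n"
    "37 24 8:2 / /boot ro,relatime shared:2 - ext4 /dev/sda2 ro\n"
    "40 24 8:3 / /var rw,relatime shared:3 - xfs /dev/sda3 rw\n";

static int fake_work(void *arg) { (*(int *)arg)++; return 0; }

int main(void)
{
    struct mount_state st = find_mount_for_path(SAMPLE_MOUNTINFO, "/boot/loader/entries");
    printf("/boot/loader/entries -> mount %s, read-only: %s\n",
           st.found ? st.target : "(none)", st.read_only ? "yes" : "no");
    int calls = 0;
    int rc = with_writable_mount(SAMPLE_MOUNTINFO, "/boot", fake_work, &calls, true);
    printf("dry run rc=%d, work called %d time(s)\n", rc, calls);
    return 0;
}
```

The deepest-matching-mount rule matters: `/boot/loader/entries` must resolve to the `/boot` mount, not the root filesystem, or the read-only check would be answered for the wrong superblock. Restoring read-only is attempted even when the work failed, and a failed restore is surfaced as an error rather than silently leaving `/boot` writable.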
Diffstat (limited to 'docs')
-rw-r--r-- | docs/manual/atomic-upgrades.md | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/docs/manual/atomic-upgrades.md b/docs/manual/atomic-upgrades.md index 42855593..fa576734 100644 --- a/docs/manual/atomic-upgrades.md +++ b/docs/manual/atomic-upgrades.md @@ -100,7 +100,10 @@ deployment lists. This happens when doing an upgrade that does not include the kernel; think of a simple translation update. OSTree optimizes for this case because on some systems `/boot` may be on a separate medium such as flash storage not optimized for significant -amounts of write traffic. +amounts of write traffic. Related to this, modern OSTree has support +for having `/boot` be a read-only mount by default - it will +automatically remount read-write just for the portion of time +necessary to update the bootloader configuration. To implement this, OSTree also maintains the directory `/ostree/boot.<replaceable>bootversion</replaceable>`, which is a set |
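Review bot: the added sentence says OSTree supports "having `/boot` be a read-only mount by default", but the commit message describes detection, not a default: OSTree checks whether `/boot` is already mounted read-only and only then remounts it read-write for the bootloader update, so the doc should say a read-only `/boot` (for example one mounted `ro` via fstab) is detected and handled, not that OSTree makes it read-only. "modern OSTree" is also vague; name the release this lands in ("since version <VERSION>" as a placeholder until known). A small wording point: "just for the portion of time necessary" reads more plainly as "only while it updates the bootloader configuration". Unrelated to this hunk but visible in its trailing context, the `<replaceable>bootversion</replaceable>` DocBook markup in a Markdown file looks like a leftover from the conversion and could be changed to `*bootversion*` in a follow-up.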