diff options
| author | Colin Walters <walters@verbum.org> | 2018-10-03 14:57:19 +0000 |
|---|---|---|
| committer | Colin Walters <walters@verbum.org> | 2019-12-11 15:33:57 +0000 |
| commit | 5af403be0cc64df50ad21cef05f3268ead256d6d (patch) | |
| tree | 2b6157627dbf92d4556c4b7910a878326081fa13 /src/boot/ostree-remount.service | |
| parent | 20daf9688006f17e11af7692d2e43292b36df71f (diff) | |
| download | ostree-5af403be0cc64df50ad21cef05f3268ead256d6d.tar.gz | |
Support mounting /sysroot (and /boot) read-only
We want to support extending the read-only state to cover `/sysroot`
and `/boot`, since conceptually all of the data there should only
be written via libostree. Or at least for `/boot` should *mostly*
just be written by ostree.
This change needs to be opt-in though to avoid breaking anyone.
Add a `sysroot/readonly` key to the repository config which instructs
`ostree-remount.service` to ensure `/sysroot` is read-only. This
requires a bit of a dance because `/sysroot` is actually the same
filesystem as `/`; so we make `/etc` a writable bind mount in this case.
We also need to handle `/var` in the "OSTree default" case of a bind
mount; the systemd generator now looks at the writability state of
`/sysroot` and uses that to determine whether it should have the
`var.mount` unit happen before or after `ostree-remount.service.`
Also add an API to instruct the libostree shared library
that the caller has created a new mount namespace. This way
we can freely remount read-write.
This approach extends upon in a much better way previous work
we did to support remounting `/boot` read-write.
Closes: https://github.com/ostreedev/ostree/issues/1265
Diffstat (limited to 'src/boot/ostree-remount.service')
| -rw-r--r-- | src/boot/ostree-remount.service | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/boot/ostree-remount.service b/src/boot/ostree-remount.service index b98110c2..4c3ed94a 100644 --- a/src/boot/ostree-remount.service +++ b/src/boot/ostree-remount.service @@ -22,12 +22,12 @@ DefaultDependencies=no ConditionKernelCommandLine=ostree OnFailure=emergency.target Conflicts=umount.target -After=-.mount +# Run after core mounts +After=-.mount var.mount After=systemd-remount-fs.service +# But we run *before* most other core bootup services that need write access to /etc and /var Before=local-fs.target umount.target -# Other early boot units that need to write to /var Before=systemd-random-seed.service plymouth-read-write.service systemd-journal-flush.service -# tmpfiles.d usually needs write access to a few places Before=systemd-tmpfiles-setup.service [Service] |