Merge pull request #16047 from poettering/udev-ro-block

udev: optionally mark all block devices popping up read-only by default

2 files changed, 24 insertions, 7 deletions

diff --git a/man/kernel-command-line.xml b/man/kernel-command-line.xml
index 7e59a1aaed..52939deec0 100644
--- a/man/kernel-command-line.xml
+++ b/man/kernel-command-line.xml
@@ -273,7 +273,8 @@
         <term><varname>rd.udev.event_timeout=</varname></term>
         <term><varname>udev.timeout_signal=</varname></term>
         <term><varname>rd.udev.timeout_signal=</varname></term>
-
+        <term><varname>udev.blockdev_read_only</varname></term>
+        <term><varname>rd.udev.blockdev_read_only</varname></term>
         <term><varname>net.ifnames=</varname></term>
         <term><varname>net.naming-scheme=</varname></term>
 
diff --git a/man/systemd-udevd.service.xml b/man/systemd-udevd.service.xml
index 55edc17353..c6c1d9bcc6 100644
--- a/man/systemd-udevd.service.xml
+++ b/man/systemd-udevd.service.xml
@@ -77,7 +77,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-c=</option></term>
+        <term><option>-c</option></term>
         <term><option>--children-max=</option></term>
         <listitem>
           <para>Limit the number of events executed in parallel.</para>
@@ -85,7 +85,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-e=</option></term>
+        <term><option>-e</option></term>
         <term><option>--exec-delay=</option></term>
         <listitem>
           <para>Delay the execution of <varname>RUN</varname>
@@ -97,7 +97,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-t=</option></term>
+        <term><option>-t</option></term>
         <term><option>--event-timeout=</option></term>
         <listitem>
           <para>Set the number of seconds to wait for events to finish. After
@@ -121,7 +121,7 @@
       </varlistentry>
 
       <varlistentry>
-        <term><option>-N=</option></term>
+        <term><option>-N</option></term>
         <term><option>--resolve-names=</option></term>
         <listitem>
           <para>Specify when systemd-udevd should resolve names of users and groups.
@@ -140,8 +140,8 @@
 
   <refsect1><title>Kernel command line</title>
     <variablelist class='kernel-commandline-options'>
-      <para>Parameters starting with "rd." will be read when
-      <command>systemd-udevd</command> is used in an initrd.</para>
+      <para>Parameters prefixed with "rd." will be read when <command>systemd-udevd</command> is used in an
+      initrd, those without will be processed both in the initrd and on the host.</para>
       <varlistentry>
         <term><varname>udev.log_priority=</varname></term>
         <term><varname>rd.udev.log_priority=</varname></term>
@@ -185,6 +185,22 @@
         </listitem>
       </varlistentry>
       <varlistentry>
+        <term><varname>udev.blockdev_read_only</varname></term>
+        <term><varname>rd.udev.blockdev_read_only</varname></term>
+        <listitem>
+          <para>If specified, mark all physical block devices read-only as they appear. Synthetic block
+          devices (such as loopback block devices or device mapper devices) are left as they are. This is
+          useful to guarantee that the contents of physical block devices remains unmodified during runtime,
+          for example to implement fully stateless systems, for testing or for recovery situations where
+          corrupted file systems shall not be corrupted further through accidental modification.</para>
+
+          <para>A block device may be marked writable again by issuing the <command>blockdev
+          --setrw</command> command, see <citerefentry
+          project='man-pages'><refentrytitle>blockdev</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+          for details.</para>
+        </listitem>
+      </varlistentry>
+      <varlistentry>
         <term><varname>net.ifnames=</varname></term>
         <listitem>
           <para>Network interfaces are renamed to give them predictable names