create_disk: Enable read-only /sysroot #736
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
After the ostree/rpm-ostree PRs land, we need another PR here to use |
cgwalters
added a commit
to cgwalters/coreos-assembler
that referenced
this pull request
Sep 5, 2019
Add the immutable bit to the physical root; we don't expect people to be creating anything there. A use case for OSTree in general is to support installing *inside* the existing root of a deployed OS, so OSTree doesn't do this by default, but we have no reason not to enable it here. Administrators should generally expect that state data is in /etc and /var; if anything else is in /sysroot it's probably by accident. I just happened to think of this while working on coreos#736
cgwalters
added a commit
that referenced
this pull request
Sep 5, 2019
Add the immutable bit to the physical root; we don't expect people to be creating anything there. A use case for OSTree in general is to support installing *inside* the existing root of a deployed OS, so OSTree doesn't do this by default, but we have no reason not to enable it here. Administrators should generally expect that state data is in /etc and /var; if anything else is in /sysroot it's probably by accident. I just happened to think of this while working on #736
|
Let's hold this until we finalize the semantics in the OSTree patch? |
cgwalters
force-pushed
the
sysroot-ro
branch
from
8781424
to
0196576
Compare
Let's opt-in to this by default. See ostreedev/ostree#1265 This currently is a no-op if the required ostree support hasn't landed yet, so I think we can safely merge this PR first.
cgwalters
force-pushed
the
sysroot-ro
branch
from
0196576
to
368495f
Compare
|
This LGTM. OOC if you've got this already built locally, does this indeed plug the |
Although we don't need that one the same way we need |
Yep indeed. It's a trivial change in fedora-coreos-config. But...there are legitimate reasons for an admin or tools to e.g. I think I'd like to do it anyways, since |
jlebon
approved these changes
Dec 11, 2019
|
Hm sorry I should have clarified my idea was to land the rpm-ostree change before this one so we didn't need to do it all at once. |
|
But I think we can probably just merge that now? |
cgwalters
added a commit
to cgwalters/fedora-coreos-config
that referenced
this pull request
Apr 17, 2020
Ironically ostree has had support for a `ro` boot for a long time, and only more recently did we land the [sysroot readonly](coreos/coreos-assembler#736). But we never actually went and made `/boot` `ro` for FCOS, so let's do it now. This was actually motivated by someone wanting to "security harden" RHCOS running through a checklist saying certain mounts should be `nodev`. Let's add `nosuid` while we're here.
cgwalters
added a commit
to cgwalters/fedora-coreos-config
that referenced
this pull request
Apr 17, 2020
Ironically ostree has had support for a `ro` boot for a long time, and only more recently did we land the [sysroot readonly](coreos/coreos-assembler#736). But we never actually went and made `/boot` `ro` for FCOS, so let's do it now. This was actually motivated by someone wanting to "security harden" RHCOS running through a checklist saying certain mounts should be `nodev`. Let's add `nosuid` while we're here.
jlebon
added a commit
to jlebon/fedora-coreos-config
that referenced
this pull request
Aug 6, 2021
It's not read by coreos-assembler, which has been turning on read-only `/sysroot` unconditionally for a while now: coreos/coreos-assembler#736
dustymabe
pushed a commit
to coreos/fedora-coreos-config
that referenced
this pull request
Aug 6, 2021
It's not read by coreos-assembler, which has been turning on read-only `/sysroot` unconditionally for a while now: coreos/coreos-assembler#736
HuijingHei
pushed a commit
to HuijingHei/fedora-coreos-config
that referenced
this pull request
Oct 10, 2023
It's not read by coreos-assembler, which has been turning on read-only `/sysroot` unconditionally for a while now: coreos/coreos-assembler#736
HuijingHei
pushed a commit
to HuijingHei/fedora-coreos-config
that referenced
this pull request
Oct 10, 2023
It's not read by coreos-assembler, which has been turning on read-only `/sysroot` unconditionally for a while now: coreos/coreos-assembler#736
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Let's opt-in to this by default.
See ostreedev/ostree#1265
This currently is a no-op if the required ostree support hasn't
landed yet, so I think we can safely merge this PR first.