common: Setup read only sysroot via ostree config
This commit is contained in:
parent
0667595535
commit
3b190aff6c
3 changed files with 15 additions and 109 deletions
|
@ -12,6 +12,8 @@ include:
|
||||||
# - bootupd.yaml
|
# - bootupd.yaml
|
||||||
# Dracut configuration for the initramfs
|
# Dracut configuration for the initramfs
|
||||||
- initramfs.yaml
|
- initramfs.yaml
|
||||||
|
# Read only sysroot
|
||||||
|
- sysroot-ro.yaml
|
||||||
|
|
||||||
packages:
|
packages:
|
||||||
# Ensure that we have a kernel. Kernel packages are not in any comps group
|
# Ensure that we have a kernel. Kernel packages are not in any comps group
|
||||||
|
|
109
postprocess.sh
109
postprocess.sh
|
@ -1,115 +1,6 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env bash
|
||||||
set -xeuo pipefail
|
set -xeuo pipefail
|
||||||
|
|
||||||
# Setup unit & script for readonly sysroot migration:
|
|
||||||
# - https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
|
|
||||||
# - https://bugzilla.redhat.com/show_bug.cgi?id=2060976
|
|
||||||
|
|
||||||
cat > /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service <<'EOF'
|
|
||||||
[Unit]
|
|
||||||
Description=Fedora Silverblue Read-Only Sysroot Migration
|
|
||||||
Documentation=https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
|
|
||||||
ConditionPathExists=!/var/lib/.fedora_silverblue_readonly_sysroot
|
|
||||||
RequiresMountsFor=/sysroot /boot
|
|
||||||
ConditionPathIsReadWrite=/sysroot
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=oneshot
|
|
||||||
ExecStart=/usr/libexec/fedora-silverblue-readonly-sysroot
|
|
||||||
RemainAfterExit=yes
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
||||||
EOF
|
|
||||||
|
|
||||||
chmod 644 /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service
|
|
||||||
|
|
||||||
cat > /usr/libexec/fedora-silverblue-readonly-sysroot <<'EOF'
|
|
||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Update an existing system to use a read only sysroot
|
|
||||||
# See https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
|
|
||||||
# and https://bugzilla.redhat.com/show_bug.cgi?id=2060976
|
|
||||||
|
|
||||||
set -euo pipefail
|
|
||||||
|
|
||||||
main() {
|
|
||||||
# Used to condition execution of this unit at the systemd level
|
|
||||||
local -r stamp_file="/var/lib/.fedora_silverblue_readonly_sysroot"
|
|
||||||
|
|
||||||
if [[ -f "${stamp_file}" ]]; then
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -r ostree_sysroot_readonly="$(ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" &> /dev/null || echo "false")"
|
|
||||||
if [[ "${ostree_sysroot_readonly}" == "true" ]]; then
|
|
||||||
# Nothing to do
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
local -r boot_entries="$(ls -A /boot/loader/entries/ | wc -l)"
|
|
||||||
|
|
||||||
# Ensure that we can read BLS entries to avoid touching systems where /boot
|
|
||||||
# is not mounted
|
|
||||||
if [[ "${boot_entries}" -eq 0 ]]; then
|
|
||||||
echo "No BLS entry found: Maybe /boot is not mounted?" 1>&2
|
|
||||||
echo "This is unexpected thus no migration will be performed" 1>&2
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Check if any existing deployment is still missing the rw karg
|
|
||||||
local rw_kargs_found=0
|
|
||||||
local count=0
|
|
||||||
for f in "/boot/loader/entries/"*; do
|
|
||||||
count="$(grep -c "^options .* rw" "${f}" || true)"
|
|
||||||
if [[ "${count}" -ge 1 ]]; then
|
|
||||||
rw_kargs_found=$((rw_kargs_found + 1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
|
|
||||||
# Some deployments are still missing the rw karg. Let's try to update them
|
|
||||||
if [[ "${boot_entries}" -ne "${rw_kargs_found}" ]]; then
|
|
||||||
ostree admin kargs edit-in-place --append-if-missing=rw || \
|
|
||||||
echo "Failed to edit kargs in place with ostree" 1>&2
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Re-check if any existing deployment is still missing the rw karg
|
|
||||||
rw_kargs_found=0
|
|
||||||
count=0
|
|
||||||
for f in "/boot/loader/entries/"*; do
|
|
||||||
count="$(grep -c "^options .* rw" "${f}" || true)"
|
|
||||||
if [[ "${count}" -ge 1 ]]; then
|
|
||||||
rw_kargs_found=$((rw_kargs_found + 1))
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
unset count
|
|
||||||
|
|
||||||
# If all deployments are good, then we can set the sysroot.readonly option
|
|
||||||
# in the ostree repo config
|
|
||||||
if [[ "${boot_entries}" -eq "${rw_kargs_found}" ]]; then
|
|
||||||
echo "Setting up the sysroot.readonly option in the ostree repo config"
|
|
||||||
ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
|
|
||||||
touch "${stamp_file}"
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
# If anything else before failed, we will retry on next boot
|
|
||||||
echo "Will retry next boot" 1>&2
|
|
||||||
exit 0
|
|
||||||
}
|
|
||||||
|
|
||||||
main "${@}"
|
|
||||||
EOF
|
|
||||||
|
|
||||||
chmod 755 /usr/libexec/fedora-silverblue-readonly-sysroot
|
|
||||||
|
|
||||||
# Enable the corresponding unit
|
|
||||||
systemctl enable fedora-silverblue-readonly-sysroot.service
|
|
||||||
|
|
||||||
###
|
|
||||||
|
|
||||||
# Workaround for Python timestamp mismatch
|
# Workaround for Python timestamp mismatch
|
||||||
# See: https://github.com/ostreedev/ostree/issues/1469
|
# See: https://github.com/ostreedev/ostree/issues/1469
|
||||||
|
|
||||||
|
|
13
sysroot-ro.yaml
Normal file
13
sysroot-ro.yaml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
# Set up default root config to mount sysroot as read only
|
||||||
|
# https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
|
||||||
|
# See: https://gitlab.com/fedora/bootc/base-images/-/blob/main/tier-0/ostree.yaml
|
||||||
|
postprocess:
|
||||||
|
- |
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
set -xeuo pipefail
|
||||||
|
|
||||||
|
install -dm 0755 -o 0 -g 0 /usr/lib/ostree
|
||||||
|
cat >> /usr/lib/ostree/prepare-root.conf << 'EOF'
|
||||||
|
[sysroot]
|
||||||
|
readonly = true
|
||||||
|
EOF
|
Loading…
Reference in a new issue