If the `prepare-root.conf` file contains:

```
[etc]
transient=yes
```

Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image (which is relabeled to work as /etc), or it is the deployed `$deploydir/usr/etc`.

Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lower will have the wrong selinux contexts for the final location.

We also set the transient-etc key in the ostree-booted file, pointing it to the upper directory that is used.

There are some additional complexities here:

* Semi-recent versions of selinux-policy have issues with the overlayfs mount being kernel_t, and that is not allowed to manage files. This should be mostly fixed in selinux-policy-38.21 but some further details need to be ironed out.
* Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this we hook into ostree-remount and relabel all files on /etc that are from the overlayfs upper dir.
* During the initramfs, systemd mounts /run/machine-id on top of /etc/machine-id, and if this mount exists during later boot, then systemd-machine-id-commit.service will remove it and update the real file with its content once etc is writable. To ensure that this keeps working, we need to re-add this bind mount in the remounted /etc if /run/machine-id exists.
* ostree-remount no longer needs to remount /etc read-only in the transient-etc case.

Signed-off-by: Alexander Larsson <[email protected]>
1 parent 9847a08, commit 1124c80

Showing 5 changed files with 143 additions and 8 deletions.
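As an added illustration of the decisions the commit message describes (this is not ostree's own code, which implements prepare-root and ostree-remount in C), the POSIX shell script below dry-runs the transient /etc setup: it reads the `transient` key from the `[etc]` section of a `prepare-root.conf`, composes the overlayfs mount that would put the /etc upper dir under /run, and re-adds the /run/machine-id bind mount only when that file exists. The `/run/ostree/etc/upper` and `/run/ostree/etc/work` layout, the `plan_*` function names and the sample config are constructed assumptions; the script only prints the mount commands it would run and never mounts anything, and it leaves out the ostree-booted update and the SELinux relabel step, whose formats the commit message does not spell out.

```shell
#!/bin/sh
# Dry-run planner for a transient /etc (illustration, not ostree code).

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] in an
# INI-style file such as prepare-root.conf (comments start with # or ;).
ini_get() {
    awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[#;]/ { next }                  # skip comment lines
        /^[[:space:]]*\[.*\][[:space:]]*$/ {           # [section] header
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\][[:space:]]*$/, "", sec)
            next
        }
        sec == want_sec && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[[:space:]]/, "", key)
            if (key == want_key) {
                val = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
                print val
                exit
            }
        }' "$1"
}

# etc_is_transient CONF: true when the config has [etc] transient=yes.
etc_is_transient() {
    v=$(ini_get "$1" etc transient)
    case "$v" in
        yes|true|1) return 0 ;;
        *)          return 1 ;;
    esac
}

# plan_etc_overlay LOWER RUNDIR: print the overlayfs mount that would make
# /etc writable with its upper dir on the tmpfs under RUNDIR. LOWER is the
# deployment's usr/etc (assumed path layout under RUNDIR).
plan_etc_overlay() {
    lower=$1
    upper=$2/ostree/etc/upper
    work=$2/ostree/etc/work
    printf 'mount -t overlay overlay -o lowerdir=%s,upperdir=%s,workdir=%s /etc\n' \
        "$lower" "$upper" "$work"
}

# plan_machine_id_bind RUNDIR: systemd's initramfs bind mount of
# RUNDIR/machine-id must be re-added on the remounted /etc, but only if
# that file exists; otherwise nothing is printed.
plan_machine_id_bind() {
    if [ -e "$1/machine-id" ]; then
        printf 'mount --bind %s/machine-id /etc/machine-id\n' "$1"
    fi
}

# Stand-alone usage against a constructed config in a temp dir.
if [ "${TRANSIENT_ETC_DEMO:-}" = 1 ]; then
    demo=$(mktemp -d)
    printf '[etc]\ntransient=yes\n' > "$demo/prepare-root.conf"
    if etc_is_transient "$demo/prepare-root.conf"; then
        plan_etc_overlay /sysroot/ostree/deploy/EXAMPLE/usr/etc "$demo"
        plan_machine_id_bind "$demo"
    fi
    rm -rf "$demo"
fi
```

Run with `TRANSIENT_ETC_DEMO=1 sh transient-etc-plan.sh` to see the planned commands; the parser is section-aware on purpose, so a `transient=yes` key under another section does not enable the feature.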