Commit
If the `prepare-root.conf` file contains:

```
[etc]
transient=yes
```

Then during prepare-root, an overlayfs is mounted as /etc, with the upper dir being in /run. If composefs is used, the lower dir is `usr/etc` from the composefs image (which is relabeled to work as /etc), or it is the deployed `$deploydir/usr/etc`.

Note that for this to work with selinux, the commit must have been built with OSTREE_REPO_COMMIT_MODIFIER_FLAGS_USRETC_AS_ETC. Otherwise the lower will have the wrong selinux contexts for the final location.

We also set the transient-etc key in the ostree-booted file, pointing it to the upper directory that is used.

There are some additional complexities here:

* Any system using selinux and using transient etc must enable the new ostree selinux module. Otherwise the overlayfs filesystem will not have enough permissions to access the expected files in etc.
* Any /etc files created in the initramfs will not be labeled, because the selinux policy has not been loaded. In addition, the upper dir is on a tmpfs, and any manually set xattr-based selinux labels on those are reset during policy load. To work around this we hook into ostree-remount and relabel all files on /etc that are from the overlayfs upper dir.
* During the initramfs, systemd mounts /run/machine-id on top of /etc/machine-id, and if this mount exists during boot, then systemd-machine-id-commit.service will remove it and update the real file with its content once etc is writable. This conflicts with the relabeling above as we will relabel the bind mount. To handle this we do the relabeling in a private mount namespace where the machine-id file has been unmounted.
* ostree-remount no longer needs to remount /etc read-only in the transient-etc case.

Signed-off-by: Alexander Larsson <[email protected]>
1 parent 4b65d2d, commit fb575ba. Showing 5 changed files with 143 additions and 8 deletions.
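To make the relabel step concrete, here is an added illustration (not code from this commit or from ostree) of two pieces of the mechanism the message describes: reading the `[etc] transient=yes` key from `prepare-root.conf`, and working out which paths under /etc the post-policy-load relabel pass must touch, namely exactly the entries that live in the overlayfs upper dir, with whiteouts skipped. The upper-dir tree in `demo()` is constructed in a temp directory; the private mount namespace and the `restorecon` call itself are left to the real hook.

```python
"""Added example, not ostree's own code: decide whether /etc is transient
and list the /etc paths that came from the overlayfs upper dir."""
import configparser
import os
import stat
import tempfile


def etc_is_transient(conf_text: str) -> bool:
    """True when prepare-root.conf contains [etc] transient=yes."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.getboolean("etc", "transient", fallback=False)


def relabel_targets(upper_dir: str, etc_mount: str = "/etc") -> list:
    """Paths under etc_mount whose content is in the upper dir.

    Lower-dir files were labeled when the commit was built (USRETC_AS_ETC),
    so only upper-dir entries, created on tmpfs before the policy loaded,
    need restorecon.  Run this after unmounting /etc/machine-id in a
    private mount namespace, so the bind mount is not relabeled.
    """
    targets = []
    for root, _dirs, files in os.walk(upper_dir):
        rel = os.path.relpath(root, upper_dir)
        base = etc_mount if rel == "." else os.path.join(etc_mount, rel)
        targets.append(base)  # directories in upper were created unlabeled too
        for name in files:
            st = os.lstat(os.path.join(root, name))
            # overlayfs whiteouts are 0/0 character devices: the entry is
            # deleted in the merged view, so there is nothing to relabel.
            if stat.S_ISCHR(st.st_mode) and st.st_rdev == 0:
                continue
            targets.append(os.path.join(base, name))
    return sorted(targets)


def demo() -> list:
    """Constructed upper dir: a hostname file and a systemd network unit."""
    with tempfile.TemporaryDirectory() as tmp:
        upper = os.path.join(tmp, "upper")
        os.makedirs(os.path.join(upper, "systemd", "network"))
        open(os.path.join(upper, "hostname"), "w").close()
        open(os.path.join(upper, "systemd", "network", "10-eth.network"), "w").close()
        return relabel_targets(upper, "/etc")


if __name__ == "__main__":
    print(etc_is_transient("[etc]\ntransient=yes\n"), demo())
```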