fix: mount sysroot as ro

This will re-mount sysroot as ro
to avoid accidental changes. It's similar to
https://pagure.io/workstation-ostree-config/blob/main/f/postprocess.sh#_8
with only the documentation being Fedora agnostic.
The change is as per discussion in:
https://github.com/ostreedev/ostree/issues/2734
Fedora changes: 5bbc140133
Resolves: rhbz#2153434
This commit is contained in:
Sayan Paul 2022-11-24 15:51:53 +05:30
parent be092351df
commit b63fd9483b
3 changed files with 99 additions and 1 deletions


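--- /dev/null
+++ b/ostree-readonly-sysroot-migration
@@ -0,0 +1,74 @@
+#!/bin/bash
+# Update an existing system to use a read only sysroot
+# and https://bugzilla.redhat.com/show_bug.cgi?id=2060976
+set -euo pipefail
+main() {
+# Used to condition execution of this unit at the systemd level
+local -r stamp_file="/var/lib/.ostree-readonly-sysroot"
+if [[ -f "${stamp_file}" ]]; then
+exit 0
+fi
+local -r ostree_sysroot_readonly="$(ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" &> /dev/null || echo "false")"
+if [[ "${ostree_sysroot_readonly}" == "true" ]]; then
+# Nothing to do
+touch "${stamp_file}"
+exit 0
+fi
+local -r boot_entries="$(ls -A /boot/loader/entries/ | wc -l)"
+# Ensure that we can read BLS entries to avoid touching systems where /boot
+# is not mounted
+if [[ "${boot_entries}" -eq 0 ]]; then
+echo "No BLS entry found: Maybe /boot is not mounted?" 1>&2
+echo "This is unexpected thus no migration will be performed" 1>&2
+touch "${stamp_file}"
+exit 0
+fi
+# Check if any existing deployment is still missing the rw karg
+local rw_kargs_found=0
+local count=0
+for f in "/boot/loader/entries/"*; do
+count="$(grep -c "^options .* rw" "${f}" || true)"
+if [[ "${count}" -ge 1 ]]; then
+rw_kargs_found=$((rw_kargs_found + 1))
+fi
+done
+# Some deployments are still missing the rw karg. Let's try to update them
+if [[ "${boot_entries}" -ne "${rw_kargs_found}" ]]; then
+ostree admin kargs edit-in-place --append-if-missing=rw || \
+echo "Failed to edit kargs in place with ostree" 1>&2
+fi
+# Re-check if any existing deployment is still missing the rw karg
+rw_kargs_found=0
+count=0
+for f in "/boot/loader/entries/"*; do
+count="$(grep -c "^options .* rw" "${f}" || true)"
+if [[ "${count}" -ge 1 ]]; then
+rw_kargs_found=$((rw_kargs_found + 1))
+fi
+done
+unset count
+# If all deployments are good, then we can set the sysroot.readonly option
+# in the ostree repo config
+if [[ "${boot_entries}" -eq "${rw_kargs_found}" ]]; then
+echo "Setting up the sysroot.readonly option in the ostree repo config"
+ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
+touch "${stamp_file}"
+exit 0
+fi
+# If anything else before failed, we will retry on next boot
+echo "Will retry next boot" 1>&2
+exit 0
+}
+main "${@}"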
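Review bot: The readonly probe on the line `local -r ostree_sysroot_readonly="$(ostree config ... get "sysroot.readonly" &> /dev/null || echo "false")"` can never observe "true", because `&>` discards the command's stdout together with its stderr, so the substitution yields an empty string on success and "false" on failure and the `== "true"` early-exit branch below it is dead. Redirecting only stderr keeps the value: `ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" 2> /dev/null || echo "false"`. As written the script still converges, since the final branch re-sets the option and writes the stamp, but it re-runs the karg scan on every boot until then. Separately, `boot_entries` is counted with `ls -A` (dotfiles included) while both loops iterate the glob `"/boot/loader/entries/"*` (dotfiles excluded), so a stray dotfile in that directory makes the two counts disagree permanently and the script logs "Will retry next boot" on every boot; counting the same glob in both places (e.g. `entries=(/boot/loader/entries/*); boot_entries=${#entries[@]}` under `shopt -s nullglob`) keeps them consistent.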


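--- /dev/null
+++ b/ostree-readonly-sysroot-migration.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Read-Only Sysroot Migration
+Documentation=https://ostreedev.github.io/ostree
+ConditionPathExists=!/var/lib/.ostree-readonly-sysroot
+RequiresMountsFor=/sysroot /boot
+ConditionPathIsReadWrite=/sysroot
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/ostree-readonly-sysroot-migration
+RemainAfterExit=yes
+[Install]
+WantedBy=multi-user.target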
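Review bot: The unit declares no ordering beyond `RequiresMountsFor=/sysroot /boot`, yet its ExecStart script rewrites BLS entries under /boot and the ostree repo config; if ostree-remount.service is present on the target (it ships with ostree and, as far as I recall, is what acts on sysroot.readonly at boot), adding `After=ostree-remount.service` would keep the migration from racing it. Also note that the script exits 0 on its "Will retry next boot" path, so with `RemainAfterExit=yes` the unit reports success even when nothing was migrated; what actually gates re-runs is the `ConditionPathExists=!` stamp, which deserves a one-line comment in the unit such as `# The stamp is written by the migration script once it has either completed or decided no migration is needed`.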


@ -8,8 +8,11 @@
Summary: Tool for managing bootable, immutable filesystem trees
Name: ostree
Version: 2022.6
Release: 1%{?dist}
Release: 2%{?dist}
Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libostree-%{version}.tar.xz
Source1: ostree-readonly-sysroot-migration
Source2: ostree-readonly-sysroot-migration.service
License: LGPLv2+
URL: https://ostree.readthedocs.io/en/latest/
@ -109,6 +112,8 @@ env NOCONFIGURE=1 ./autogen.sh
%make_build
%install
install -m 644 -D %{SOURCE2} %{buildroot}/usr/lib/systemd/system/ostree-readonly-sysroot-migration.service
install -m 755 -D %{SOURCE1} %{buildroot}/usr/libexec/ostree-readonly-sysroot-migration
%make_install INSTALL="install -p -c"
find %{buildroot} -name '*.la' -delete
@ -139,6 +144,8 @@ find %{buildroot} -name '*.la' -delete
%{_prefix}/lib/ostree
# Moved in git master
%{_libexecdir}/libostree/*
%{_prefix}/lib/systemd/system/ostree-readonly-sysroot-migration.service
%{_libexecdir}/ostree-readonly-sysroot-migration
%files libs
%{_sysconfdir}/ostree
@ -168,6 +175,9 @@ find %{buildroot} -name '*.la' -delete
%endif
%changelog
* Wed Dec 14 2022 Sayan Paul <saypaul@redhat.com> - 2022.6-2
- Resolves: rhbz#2060976
* Thu Oct 13 2022 Luca BRUNO <lucab@redhat.com> - 2022.6-1
- New upstream version
https://github.com/ostreedev/ostree/releases/tag/v2022.6
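Review bot: The changelog line `- Resolves: rhbz#2060976` cites a different bug than the commit message (`Resolves: rhbz#2153434`); if both trackers are intended, list both, otherwise align them so the package metadata matches the commit. The unit path is hard-coded as `/usr/lib/systemd/system` in both the %install and %files hunks; `%{_unitdir}` is the conventional macro and keeps the two in sync, e.g. `install -m 644 -D %{SOURCE2} %{buildroot}%{_unitdir}/ostree-readonly-sysroot-migration.service`. No `%systemd_post`/`%systemd_preun`/`%systemd_postun` scriptlets appear in these hunks, so unless they exist elsewhere in the spec or a distribution preset enables the unit, its `WantedBy=multi-user.target` is never acted on and the migration will not run on upgraded systems.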