mirror of
https://github.com/ostreedev/ostree.git
synced 2024-12-22 17:35:55 +03:00
8894bb3949
I'd like to encourage people to make OSTree-managed systems more strictly read-only in multiple places. Ideally everywhere is read-only normally besides `/var/`, `/tmp/`, and `/run`. `/boot` is a good example of something to make readonly. Particularly now that there's work on the `admin unlock` verb, we need to protect the system better against things like `rpm -Uvh kernel.rpm` because the RPM-packaged kernel won't understand how to do OSTree right. In order to make this work of course, we *do* need to remount `/boot` as writable when we're doing an upgrade that changes the kernel configuration. So the strategy is to detect whether it's read-only, and if so, temporarily mount read-write, then remount read-only when the upgrade is done. We can generalize this in the future to also do `/etc` (and possibly `/sysroot/ostree/` although that gets tricky). One detail: In order to detect "is this path a mountpoint" is nontrivial - I looked at copying the systemd code, but the right place is to use `libmount` anyways. |
||
---|---|---|
.. | ||
manual | ||
CONTRIBUTING.md | ||
index.md |