mirror of
https://github.com/ostreedev/ostree.git
synced 2024-12-22 17:35:55 +03:00
74a3d2da9c
We want to start switching things so that the toplevel `/ostree` repository is mode 0700, to close off unprivileged code from being able to access it. Previous deployment roots may have setuid binaries, etc. The `/var/lib/containers/storage` directory is mode 0700 for this reason I believe. Closes: https://github.com/ostreedev/ostree/issues/3211
113 lines
4.1 KiB
XML
113 lines
4.1 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
<!--
|
|
Copyright 2014 Anne LoVerso <anne.loverso@students.olin.edu>
|
|
|
|
SPDX-License-Identifier: LGPL-2.0+
|
|
|
|
This library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2 of the License, or (at your option) any later version.
|
|
|
|
This library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with this library. If not, see <https://www.gnu.org/licenses/>.
|
|
-->
|
|
|
|
<refentry id="ostree">
|
|
|
|
<refentryinfo>
|
|
<title>ostree admin init-fs</title>
|
|
<productname>OSTree</productname>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<contrib>Developer</contrib>
|
|
<firstname>Colin</firstname>
|
|
<surname>Walters</surname>
|
|
<email>walters@verbum.org</email>
|
|
</author>
|
|
</authorgroup>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>ostree admin init-fs</refentrytitle>
|
|
<manvolnum>1</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>ostree-admin-init-fs</refname>
|
|
<refpurpose>Initialize a new root filesystem</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>ostree admin init-fs</command> <arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="req">PATH</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>
|
|
Initialize an empty physical root filesystem in the designated PATH, with normal toplevels and correct permissions for each directory.
|
|
Primarily useful for operating system installers.
|
|
</para>
|
|
</refsect1>
|
|
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>--modern</option></term>
|
|
<listitem><para>
|
|
Equivalent to <literal>--epoch=1</literal>.
|
|
</para></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--epoch</option></term>
|
|
<listitem><para>
|
|
This accepts an integer value in the range [0-1], inclusive. The default is zero
|
|
for compatibility.
|
|
</para>
|
|
<para>
|
|
When set to 1, the command will skip adding a number of toplevel "API filesystems"
|
|
such as <literal>/proc</literal>
|
|
to the toplevel of the physical root. These should be unnecessary, as they
|
|
should only be mounted in the final deployment root. The main exception
|
|
is <literal>/boot</literal>, which may need to be mounted in some setups
|
|
before the target root.
|
|
</para>
|
|
<para>
|
|
Epoch 2 is the same as 1, except that the toplevel <literal>ostree</literal>
|
|
directory is mode 0700, denying access from unprivileged code. This
|
|
is a new recommended best practice as it avoids access to old configuration
|
|
files in <literal>/etc</literal> in previous deployments, as well as
|
|
potentially old setuid binaries in <literal>/ostree/repo</literal>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Example</title>
|
|
<para><command>$ mkdir /example</command></para>
|
|
<para><command>$ ostree admin init-fs --epoch=1 /example</command></para>
|
|
<para><command>$ ls /example </command></para>
|
|
<para>
|
|
<emphasis>boot</emphasis>
|
|
</para>
|
|
</refsect1>
|
|
</refentry>
|