diff --git a/src/cmd-buildextend-metal b/src/cmd-buildextend-metal
index 8f8d3e9d29..18082675a3 100755
--- a/src/cmd-buildextend-metal
+++ b/src/cmd-buildextend-metal
@@ -181,6 +181,11 @@ fi
 disk_args=()
+sysroot_ro="$(python3 -c 'import sys, yaml; v=yaml.safe_load(sys.stdin).get("sysroot-ro", False); print("1" if v else "")' < "$configdir/image.yaml")"
+if [ -n "${sysroot_ro}" ]; then
+ disk_args+=("--sysroot-ro")
+fi
+
 set -x
 # Extract the target kernel config, which may inform how we build disks.
 target_moduledir=$(ostree --repo="${ostree_repo}" ls "${commit}" /usr/lib/modules | grep -o '/usr/lib/modules/.*')
diff --git a/src/create_disk.sh b/src/create_disk.sh
index 9e0a848b7f..8c31904fe6 100755
--- a/src/create_disk.sh
+++ b/src/create_disk.sh
@@ -29,6 +29,7 @@ Options:
 --save-var-subdirs: "yes" to workaround selabel issue for RHCOS
 --rootfs-size: Create the root filesystem with specified size
 --boot-verity: Provide this to enable ext4 fs-verity for /boot
+ --sysroot-ro: Enable read-only /sysroot
 --rootfs: xfs|ext4verity|luks
 You probably don't want to run this script by hand. This script is
@@ -38,6 +39,7 @@ EOC
 rootfs_size="0"
 boot_verity=0
+sysroot_ro=0
 rootfs_type="xfs"
 extrakargs=""
@@ -58,6 +60,7 @@ do
 --save-var-subdirs) save_var_subdirs="${1}"; shift;;
 --rootfs-size) rootfs_size="${1}"; shift;;
 --boot-verity) boot_verity=1;;
+ --sysroot-ro) sysroot_ro=1;;
 --rootfs) rootfs_type="${1}" shift;;
 *) echo "${flag} is not understood."; usage; exit 10;;
 --) break;
@@ -396,7 +399,9 @@ esac
 ostree config --repo $rootfs/ostree/repo set sysroot.bootloader "${bootloader_backend}"
 # Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA
 # https://github.com/ostreedev/ostree/issues/1265
-ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+if [ "${sysroot_ro}" = 1 ]; then
+ ostree config --repo $rootfs/ostree/repo set sysroot.readonly true
+fi
 touch $rootfs/boot/ignition.firstboot
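Review bot: The added `sysroot_ro=` lookup calls `.get("sysroot-ro", False)` directly on the result of `yaml.safe_load(sys.stdin)`, which is `None` for an empty or comment-only image.yaml, so the python3 snippet raises and either aborts the build or — if this script is not running under `set -e`, which is outside the hunk — leaves `sysroot_ro` empty and silently drops the flag. Tolerate that case with `v=(yaml.safe_load(sys.stdin) or {}).get("sysroot-ro", False)`. The lookup also deserves a one-line comment, e.g. `# image.yaml's sysroot-ro key (default: off) decides whether create_disk.sh gets --sysroot-ro`. Using `safe_load` on the build config is the right call and should stay.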
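Review bot: The new `if [ "${sysroot_ro}" = 1 ]` guard turns the previously unconditional `sysroot.readonly true` into opt-in, so every image config that does not set `sysroot-ro` now loses the read-only /sysroot hardening; if that regression is intended the comment should state it, otherwise the key should default to true on the config side so existing builds keep the protection. The kept comment `# Opt-in to https://github.com/ostreedev/ostree/pull/1767 AKA` now describes the wrong thing — suggest replacing the two comment lines with `# Enable read-only /sysroot (ostreedev/ostree#1767, #1265) only when --sysroot-ro was passed (image.yaml key sysroot-ro).` The string comparison against `1` is fine since the option parser in this file only ever assigns 0 or 1; `$rootfs` being unquoted on the surviving `ostree config` line is pre-existing.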