daemon: Use MountFlags=slave and opt-in to OSTree read-only /sysroot
This is all we need to tell libostree that we support a read-only
`/sysroot` and `/boot`.

See ostreedev/ostree#1265
PR in ostreedev/ostree#1767
cgwalters committed Dec 11, 2019
1 parent 4e3c41b commit c44c5cf
Showing 4 changed files with 18 additions and 0 deletions.
2 changes: 2 additions & 0 deletions src/daemon/rpm-ostreed.service.in
Expand Up @@ -6,6 +6,8 @@ ConditionPathExists=/ostree
[Service]
Type=dbus
BusName=org.projectatomic.rpmostree1
# To use the read-only sysroot bits
MountFlags=slave
NotifyAccess=main
@SYSTEMD_ENVIRON@
ExecStart=@bindir@/rpm-ostree start-daemon
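Review bot: the comment above `MountFlags=slave` ("To use the read-only sysroot bits") does not say what depends on the setting or what breaks if it is removed or overridden in a drop-in. The daemon code in this commit calls `ostree_sysroot_set_mount_namespace_in_use ()` unconditionally and relies on this line, so I'd spell that out here: name the two call sites (rpmostreed-sysroot.c and rpmostreed-transaction.c) and link https://github.com/ostreedev/ostree/issues/1265, as the comment in rpmostreed-transaction.c already does.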
4 changes: 4 additions & 0 deletions src/daemon/rpmostreed-sysroot.c
Expand Up @@ -758,9 +758,13 @@ rpmostreed_sysroot_populate (RpmostreedSysroot *self,
{
g_return_val_if_fail (self != NULL, FALSE);

/* See also related code in rpmostred-transaction.c */
const char *sysroot_path = rpmostree_sysroot_get_path (RPMOSTREE_SYSROOT (self));
g_autoptr(GFile) sysroot_file = g_file_new_for_path (sysroot_path);
self->ot_sysroot = ostree_sysroot_new (sysroot_file);
if (!ostree_sysroot_initialize (self->ot_sysroot, error))
return FALSE;
ostree_sysroot_set_mount_namespace_in_use (self->ot_sysroot);

/* This creates and caches an OstreeRepo instance inside
* OstreeSysroot to ensure subsequent ostree_sysroot_get_repo()
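Review bot: the added comment refers to `rpmostred-transaction.c`, but the file touched in this commit is `rpmostreed-transaction.c`, so the pointer will not be found by grep. Also, the `ostree_sysroot_initialize ()` plus `ostree_sysroot_set_mount_namespace_in_use ()` sequence is now written out in both files, with the reason given only in the other one. A small shared helper carrying that comment would keep the two call sites from drifting apart.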
8 changes: 8 additions & 0 deletions src/daemon/rpmostreed-transaction.c
Expand Up @@ -573,6 +573,14 @@ transaction_initable_init (GInitable *initable,
* everything from disk.
*/
priv->sysroot = ostree_sysroot_new (tmp_path);
/* See also related code in rpmostreed-sysroot.c */
if (!ostree_sysroot_initialize (priv->sysroot, error))
return FALSE;
/* We use MountFlags=slave in the unit file, which combined
* with this ensures we support read-only /sysroot mounts.
* https://github.com/ostreedev/ostree/issues/1265
**/
ostree_sysroot_set_mount_namespace_in_use (priv->sysroot);
g_signal_connect (priv->sysroot, "journal-msg",
G_CALLBACK (on_sysroot_journal_msg), self);

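Review bot: `ostree_sysroot_set_mount_namespace_in_use (priv->sysroot)` is called unconditionally, but the guarantee it relies on lives in the unit file, as the comment itself says. Nothing here checks that the process really was started with `MountFlags=slave`, so a daemon launched some other way (by hand, or from a unit that lacks the setting) would make the same claim to libostree without a private mount namespace behind it. Consider verifying this at startup, or at least stating the assumption explicitly in the comment. Minor: the new comment closes with `**/` where the comment just above it closes with `*/`.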
4 changes: 4 additions & 0 deletions tests/vmcheck/test-kernel-args.sh
Expand Up @@ -24,6 +24,10 @@ set -euo pipefail

set -x

# Note this test is run with forced read-only sysroot on
# https://github.com/coreos/rpm-ostree/pull/1896
vm_cmd ostree config --repo /sysroot/ostree/repo set sysroot.readonly true

osname=$(vm_get_booted_deployment_info osname)

vm_kargs_now() {
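Review bot: after `vm_cmd ostree config --repo /sysroot/ostree/repo set sysroot.readonly true` there is no assertion that `/sysroot` is actually mounted read-only when the kargs tests run, so as far as this hunk shows the test would pass equally if the setting had no effect. I'd add a check right after the config change that the mount is read-only, and fail the test if it is not. The comment also reads as unfinished: "Note this test is run with forced read-only sysroot on" followed by a bare PR URL; say what the linked PR is for.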