I'd like to encourage people to make OSTree-managed systems more strictly read-only in multiple places. Ideally everywhere is read-only normally besides `/var/`, `/tmp/`, and `/run`. `/boot` is a good example of something to make read-only. Particularly now that there's work on the `admin unlock` verb, we need to protect the system better against things like `rpm -Uvh kernel.rpm`, because the RPM-packaged kernel won't understand how to do OSTree right. In order to make this work, of course, we *do* need to remount `/boot` as writable when we're doing an upgrade that changes the kernel configuration. So the strategy is to detect whether it's read-only, and if so, temporarily mount it read-write, then remount it read-only when the upgrade is done. We can generalize this in the future to also do `/etc` (and possibly `/sysroot/ostree/`, although that gets tricky). One detail: detecting "is this path a mountpoint" is nontrivial - I looked at copying the systemd code, but the right place is to use `libmount` anyway.