From: Michael Olbrich <m.olbrich@pengutronix.de>
To: ptxdist@pengutronix.de
Subject: Re: [ptxdist] [PATCH] fixup! rootfs: keep /var writable, even if the rootfs is read-only
Date: Mon, 24 Jun 2019 08:57:35 +0200
Message-ID: <20190624065735.5oulc6yddy3zzabn@pengutronix.de>
In-Reply-To: <20190624064825.31374-1-m.olbrich@pengutronix.de>
Hi,
I've experimented with this a bit. Here are some changes I'd like to
squash into the patch.
On Mon, Jun 24, 2019 at 08:48:25AM +0200, Michael Olbrich wrote:
> ---
> projectroot/etc/fstab | 6 ++---
> .../lib/systemd/system/run-varoverlayfs.mount | 3 +--
> projectroot/usr/lib/systemd/system/var.mount | 3 ++-
> projectroot/usr/sbin/mount.varoverlayfs | 6 ++---
> rules/rootfs.make | 26 +++++++++----------
> 5 files changed, 21 insertions(+), 23 deletions(-)
>
> diff --git a/projectroot/etc/fstab b/projectroot/etc/fstab
> index c79c8de4d896..364b495a9c8b 100644
> --- a/projectroot/etc/fstab
> +++ b/projectroot/etc/fstab
> @@ -11,6 +11,6 @@ debugfs /sys/kernel/debug debugfs noauto 0 0
> # ramdisks
> tmpfs /tmp tmpfs nosuid,nodev,mode=1777,size=20% 0 0
> tmpfs /run tmpfs nosuid,nodev,strictatime,mode=0755 0 0
> -#log /var/log tmpfs nosuid,nodev,noexec,mode=0755,size=10% 0 0
> -#lock /var/lock tmpfs nosuid,nodev,noexec,mode=0755,size=1M 0 0
> -#tmp /var/tmp tmpfs nosuid,nodev,mode=1777,size=20% 0 0
> +@VAR_OVERLAYFS@tmpfs /var/log tmpfs nosuid,nodev,noexec,mode=0755,size=10% 0 0
> +@VAR_OVERLAYFS@tmpfs /var/lock tmpfs nosuid,nodev,noexec,mode=0755,size=1M 0 0
> +@VAR_OVERLAYFS@tmpfs /var/tmp tmpfs nosuid,nodev,mode=1777,size=20% 0 0
I want it to be very obvious that the file is modified.
> diff --git a/projectroot/usr/lib/systemd/system/run-varoverlayfs.mount b/projectroot/usr/lib/systemd/system/run-varoverlayfs.mount
> index 034dbfee1b84..c067b9b96f53 100644
> --- a/projectroot/usr/lib/systemd/system/run-varoverlayfs.mount
> +++ b/projectroot/usr/lib/systemd/system/run-varoverlayfs.mount
> @@ -1,10 +1,9 @@
> [Unit]
> Description=Overlay for '/var'
> Before=local-fs.target
> -OnFailure=rescue.service
Handled by local-fs.target.requires/... below.
>
> [Mount]
> Where=/run/varoverlayfs
> What=tmpfs
> Type=tmpfs
> -Options=nosuid,nodev,noexec,mode=0755,size=10%,nr_inodes=100
> +Options=size=20%
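Review bot: On the new 'Options=size=20%' line, mode=0755 is dropped together with the mount flags, but it is not a flag that would need to propagate to the overlay: it sets the permissions of the tmpfs root directory itself, and tmpfs defaults to 1777 when no mode is given. /run/varoverlayfs is then world-writable for as long as it stays mounted, so I would keep it: Options=mode=0755,size=20%.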
The largest of the three filesystems has 20% so I want to keep that. 100
inodes are by far not enough. I don't think there is a good limit.
The other options are not propagated to the overlayfs anyways, so they can
be skipped.
> diff --git a/projectroot/usr/lib/systemd/system/var.mount b/projectroot/usr/lib/systemd/system/var.mount
> index 764108924b9d..bd635023704d 100644
> --- a/projectroot/usr/lib/systemd/system/var.mount
> +++ b/projectroot/usr/lib/systemd/system/var.mount
> @@ -1,10 +1,11 @@
> [Unit]
> Description=Writable support for '/var'
> +After=run-varoverlayfs.mount
I wanted to use RequiresMountsFor=.. here but that conflicts with
unmounting the filesystem after mounting the overlayfs.
After= is useful because it makes the dependency explicit. This way systemd
knows about it and can detect dependency loops if run-varoverlayfs.mount is
changed and accidentally depends on var.mount.
> Before=local-fs.target
> -OnFailure=rescue.service
>
> [Mount]
> Where=/var
> # note: this is a dummy filesystem only to trigger the corresponding mount helper
> What=varoverlayfs
> Type=varoverlayfs
> +Options=metacopy=on
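Review bot: 'Options=metacopy=on' is now the only option the overlay on /var is mounted with, so the overlay mount carries neither nosuid nor nodev, while the tmpfs entries in fstab that it replaces set nosuid,nodev (plus noexec for /var/log and /var/lock). Since the helper now passes the unit's options through to mount, they can be restored here, for example Options=metacopy=on,nosuid,nodev.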
This saves space on the ram disk. This requires a relatively new kernel.
Putting it here makes it easier to override if an older kernel is used.
> diff --git a/projectroot/usr/sbin/mount.varoverlayfs b/projectroot/usr/sbin/mount.varoverlayfs
> index afd5f2076245..f8fc8c88f349 100644
> --- a/projectroot/usr/sbin/mount.varoverlayfs
> +++ b/projectroot/usr/sbin/mount.varoverlayfs
> @@ -1,11 +1,11 @@
> -#!/bin/sh
> +#!/bin/sh -e
> # Mount helper tool to mount some kind of writable filesystem over '/var'
> # (which might be read-only).
> # What kind of filesystem is used to mount over '/var' can be controlled via
> # the 'run-varoverlayfs.mount' mount unit and is usually a RAM disk.
>
> -systemctl start run-varoverlayfs.mount
> mkdir -p /run/varoverlayfs/upper
> mkdir -p /run/varoverlayfs/work
> -mount -t overlay overlay -olowerdir=/var,upperdir=/run/varoverlayfs/upper,workdir=/run/varoverlayfs/work /var
> +mount -t overlay -olowerdir=/var,upperdir=/run/varoverlayfs/upper,workdir=/run/varoverlayfs/work "${@}"
Propagate the options from the mount unit.
> systemctl stop run-varoverlayfs.mount
> +rmdir /run/varoverlayfs
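Review bot: With '#!/bin/sh -e' the two cleanup commands after the mount line become fatal as well: if 'systemctl stop run-varoverlayfs.mount' or the new 'rmdir /run/varoverlayfs' fails, the helper returns non-zero to mount(8) although the overlay is already mounted on /var. If cleanup failures should not count as a failed mount, guard them (for example 'rmdir /run/varoverlayfs || true'); if they should, a short comment in the script saying so would help.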
> diff --git a/rules/rootfs.make b/rules/rootfs.make
> index 8183d028886c..d7b7eccdc734 100644
> --- a/rules/rootfs.make
> +++ b/rules/rootfs.make
> @@ -122,9 +122,16 @@ ifdef PTXCONF_ROOTFS_VAR_TMP
> @$(call install_copy, rootfs, 0, 0, 01777, /var/tmp)
> endif
> ifdef PTXCONF_ROOTFS_VAR_OVERLAYFS
> - @$(call install_alternative, rootfs, 0, 0, 0644, /usr/lib/systemd/system/run-varoverlayfs.mount)
> - @$(call install_alternative, rootfs, 0, 0, 0755, /usr/sbin/mount.varoverlayfs)
> - @$(call install_alternative, rootfs, 0, 0, 0644, /usr/lib/systemd/system/var.mount)
> + @$(call install_alternative, rootfs, 0, 0, 0644, \
> + /usr/lib/systemd/system/run-varoverlayfs.mount)
> + @$(call install_link, rootfs, ../run-varoverlayfs.mount, \
> + /usr/lib/systemd/system/local-fs.target.requires/run-varoverlayfs.mount)
> + @$(call install_alternative, rootfs, 0, 0, 0755, \
> + /usr/sbin/mount.varoverlayfs)
> + @$(call install_alternative, rootfs, 0, 0, 0644, \
> + /usr/lib/systemd/system/var.mount)
> + @$(call install_link, rootfs, ../var.mount, \
> + /usr/lib/systemd/system/local-fs.target.requires/var.mount)
Explicit dependencies. Without this, e.g. tmpfiles.d is started too early.
And it makes sure that errors are handled and dependency loops detected.
Any objections?
Michael
> endif
>
> # #
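Review bot: The new local-fs.target.requires/run-varoverlayfs.mount link gives local-fs.target a Requires= on a unit that mount.varoverlayfs stops explicitly ('systemctl stop run-varoverlayfs.mount') right after mounting the overlay. systemd.unit(5) documents that a unit is stopped when a unit it Requires= is explicitly stopped, so please check that this stop does not also queue a stop job for local-fs.target during boot. An alternative is to keep only the var.mount link and pull the tmpfs in with Wants=run-varoverlayfs.mount in var.mount next to the After= it already has.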
> @@ -144,17 +151,8 @@ ifdef PTXCONF_ROOTFS_GSHADOW
> endif
> ifdef PTXCONF_ROOTFS_FSTAB
> @$(call install_alternative, rootfs, 0, 0, 0644, /etc/fstab)
> -ifndef PTXCONF_ROOTFS_VAR_OVERLAYFS
> -ifdef PTXCONF_ROOTFS_VAR_TMP
> - @$(call install_replace, rootfs, /etc/fstab, #tmp, "tmpfs")
> -endif
> -ifdef PTXCONF_ROOTFS_VAR_LOG
> - @$(call install_replace, rootfs, /etc/fstab, #log, "tmpfs")
> -endif
> -ifdef PTXCONF_ROOTFS_VAR_LOCK
> - @$(call install_replace, rootfs, /etc/fstab, #lock, "tmpfs")
> -endif
> -endif # PTXCONF_ROOTFS_VAR_OVERLAYFS
> + @$(call install_replace, rootfs, /etc/fstab, @VAR_OVERLAYFS@, \
> + $(call ptx/ifdef,PTXCONF_ROOTFS_VAR_OVERLAYFS,#))
> endif # PTXCONF_ROOTFS_FSTAB
> ifdef PTXCONF_ROOTFS_MTAB_FILE
> @$(call install_alternative, rootfs, 0, 0, 0644, /etc/mtab)
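Review bot: The single @VAR_OVERLAYFS@ replacement drops the per-directory conditions (PTXCONF_ROOTFS_VAR_TMP, PTXCONF_ROOTFS_VAR_LOG, PTXCONF_ROOTFS_VAR_LOCK) that the removed lines checked, so without the overlay all three tmpfs entries in fstab become active regardless of those options. The previous hunk still installs /var/tmp only under 'ifdef PTXCONF_ROOTFS_VAR_TMP', so the fstab entry can refer to a directory this rule did not install. If that is intended it deserves a line in the commit message, and a BSP-local /etc/fstab that still carries the old #tmp, #log and #lock markers will need to be updated.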
> --
> 2.20.1
>
>
> _______________________________________________
> ptxdist mailing list
> ptxdist@pengutronix.de
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |