am currently trying to create an overlay for /etc to change the rootfs to read-only in the future.
Using a manual mount command work, adding an entry to fstab work with a manual mount -a.
But it is not mounting automatically during boot up.
thank you for your response. But mounting the rootfs as read-only is not the problem.
After mounting the root partition as read-only, I want to overlay the /etc directory with
a folder on a separate partition. And this does not work at start-up.
i found a solution thanks to this thread filesystem - How do I use OverlayFS? - Ask Ubuntu
You have to add a requires option for the overlay to wait until the desired upper
directory is ready to mount.
The additional entries in the fstab file looks like this:
Overlay over /etc may break /etc/machine-id. And when machine-id is broken (empty /etc/machine-id after /etc overlay mount), some services may fail to operate. For example, systemd-networkd won’t be able to configure and start network interfaces. Perhaps using connman hides the issue, I don’t know, you always check contents of machine-id.
Will it break or not depends on what is first, rw /etc overlay mount or systemd machine-id commit. If machine-id commit happens first, and it sees read only /etc/machine-id, then it will mount -B over it machine-id form tmpfs. And then, when /etc overlay is mounted, previous bind mount will be hidden by empty /etc/machine-id .
I think it is better to implement service similar to Yocto virtual binds to mount /etc overlay. Service should check presence of bind mount of /etc/machine-id (BTW mountpoint executable checks only fstab items, it doesn’t see temporary mounts). It should take contents of machine-id and either copy contents back to machine-id in overlay (after overlay is mounted), or perhaps unmount /etc/machine-id bind, rw remount for a moment RO root, update machine-id, and remount it back RW. Remounting RW should be better I think, machine-id should be generated once on first boot.
Hello @Edward,
Thank you for sharing your findings. We know that on our BSP Reference Images, it’s impossible to run the rootfs RO. As you already noticed, there are some details on the way some of the software runs today, making it harder to achieve such a goal. In the case of our reference images, having the ability to run them RO would also prevent other features that we implement on them from working and that’s a tradeoff we’re not willing to make.
Our BSP layer currently also doesn’t support the implementation of RO rootfs very easily. This is something that we are going to track and fix internally in due time.
In the meantime, I would also like to point out that Torizon core already implements a RO rootfs and ostree by default, and it could be a good option for some projects.