Extending read-only state to /sysroot and /boot

[cgwalters]

Today ostree has a ro bind mount over /usr, but one can just do e.g. rm -rf /sysroot/* and the whole system is destroyed.

Similarly, we tried to have support for /boot as a ro mount but it needs work.

What we should do is have these be ro by default, and then have apps using libostree create a new mount namespace, and make manipulations there. That way the system stays read-only to everything else. Alternatively, we could teach libostree how to do that internally, but it'd get ugly fast...we'd need to fork off a subprocess basically.

For example rpm-ostreed and eos-updater could change their systemd unit files to create a new mount namespace, and tell libostree that one is set up.

(Conceptually this overlaps a ton with systemd's ProtectSystem=strict...we're basically imposing that on the whole system by default)

[cgwalters]

See also for /tmp:
https://pagure.io/fedora-atomic/pull-request/62
coreos/rpm-ostree#820

[giuseppe]

would this be an issue for system containers that use /ostree/deploy/$OS_NAME/$DEST_FILE for creating hard links?

[cgwalters]

@giuseppe an important bit from the above is:

...and then have apps using libostree create a new mount namespace, and make manipulations there.

The goal here isn't to make things truly immutable, it's to prevent things like restorecon -R / from destroying the system. And similar non-ostree-aware tools.

See also on-list discussion:

https://mail.gnome.org/archives/ostree-list/2017-December/msg00009.html

[giuseppe]

I see, thanks. Could the new API allow also the current mount namespace to be used? It will be the user responsibility to ensure a new mount namespace is created and /sysroot can be remounted as writeable (and back to ro if needed).

[cgwalters]

PR in #1767

[cgwalters]

Requirements to implement this for Fedora CoreOS:

coreos/fedora-coreos-config#39
coreos/ignition-dracut#36

[jlebon]

Yeah, we really should fix this. Right now, restorecon -R / and autorelabel=1 are super dangerous (see e.g. user report at https://twitter.com/goozbach/status/1118697493657681920?s=19).

To anyone in that situation, you can recover from this by booting with enforcing=0, then:

# rpm-ostree status -v # copy "BaseCommit" or if missing, "Commit"
# ostree checkout -H $checksum /ostree/repo/tmp/selinux-fix
# ostree fsck --delete
# ostree commit --consume --link-checkout-speedup --orphan --selinux-policy=/ /ostree/repo/tmp/selinux-fix
# restorecon -Rv /var
# restorecon -Rv /etc
# ostree admin deploy fedora-atomic:fedora/29/x86_64/atomic-host # or whatever refspec you're on
# reboot

At this point, you should be able to boot in enforcing mode again. Final cleanup:

# rpm-ostree cleanup --rollback

Note this will blow away all your layered packages; you'll have to relayer those again.

[goozbach]

should that be BaseCommit or Commit instead of checksum?

[jlebon]

Thanks! I edited the original comment.

[goozbach]

For future reference I had to do an rpm-ostree upgrade prior to the above steps for them to work.

Other than that, this workaround is good!

[bam80]

Yeah, we really should fix this. Right now, restorecon -R / and autorelabel=1 are super dangerous

I still broke my Fedora Silverblue 31 system with restorecon -R / command. Isn't it fixed yet?

[jlebon]

I still broke my Fedora Silverblue 31 system with restorecon -R / command. Isn't it fixed yet?

OSTree knows how to handle read-only /sysroot, but it doesn't automatically apply to existing nodes, because it requires modifying files not maintained by updates. We'll probably need a systemd service in fedora-release-silverblue or something to transition over existing systems.

[bam80]

Thanks @jlebon. Could we dedicate a separate issue for that part of the task then?