distro/rhel: make edge images properly sysroot.readonly=true

Make edge raw images (both the raw image type and the same in the edge simplified installer) mount the /sysroot as read-only. This was already done in Fedora 37+ (547f7a66b3). Copied commit message from 6f89e9d499 to a comment in all places where the accompanying "rw" kernel option is set explaining the requirement, since the option is counter-intuitive. Signed-off-by: Antonio Murdaca <runcom@linux.com> Signed-off-by: Antonio Murdaca <antoniomurdaca@gmail.com> Co-Authored-By: Achilleas Koutsou <achilleas@koutsou.net>
2022-10-07 16:07:51 +02:00 · 2022-10-07 16:07:51 +02:00 · 6d15dc144c
commit 6d15dc144c
parent 6bb7de5269
6 changed files with 64 additions and 32 deletions
--- a/internal/distro/fedora/images.go
+++ b/internal/distro/fedora/images.go
@ -365,6 +365,8 @@ func iotRawImage(workload workload.Workload,
 	img.Users = users.UsersFromBP(customizations.GetUsers())
 	img.Groups = users.GroupsFromBP(customizations.GetGroups())

+	// "rw" kernel option is required when /sysroot is mounted read-only to
+	// keep stateful parts of the filesystem writeable (/var/ and /etc)
 	img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4", "rw"}
 	img.Keyboard = "us"
 	img.Locale = "C.UTF-8"
--- a/internal/distro/rhel8/pipelines.go
+++ b/internal/distro/rhel8/pipelines.go
@ -953,9 +953,12 @@ func ostreeDeployPipeline(
 			OSName: osname,
 		},
 	))
-	p.AddStage(osbuild.NewOSTreeConfigStage(ostreeConfigStageOptions(repoPath, false)))
+	p.AddStage(osbuild.NewOSTreeConfigStage(ostreeConfigStageOptions(repoPath, true)))
 	p.AddStage(osbuild.NewMkdirStage(efiMkdirStageOptions()))
 	kernelOpts := osbuild.GenImageKernelOptions(pt)
+	// "rw" kernel option is required when /sysroot is mounted read-only to
+	// keep stateful parts of the filesystem writeable (/var/ and /etc)
+	kernelOpts = append(kernelOpts, "rw")
 	p.AddStage(osbuild.NewOSTreeDeployStage(
 		&osbuild.OSTreeDeployStageOptions{
 			OsName: osname,
--- a/internal/distro/rhel9/images.go
+++ b/internal/distro/rhel9/images.go
@ -326,9 +326,12 @@ func edgeRawImage(workload workload.Workload,
 	img.Users = users.UsersFromBP(customizations.GetUsers())
 	img.Groups = users.GroupsFromBP(customizations.GetGroups())

-	img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"}
+	// "rw" kernel option is required when /sysroot is mounted read-only to
+	// keep stateful parts of the filesystem writeable (/var/ and /etc)
+	img.KernelOptionsAppend = []string{"modprobe.blacklist=vc4", "rw"}
 	img.Keyboard = "us"
 	img.Locale = "C.UTF-8"
+	img.SysrootReadOnly = true

 	img.Platform = t.platform
 	img.Workload = workload
@ -370,9 +373,12 @@ func edgeSimplifiedInstallerImage(workload workload.Workload,
 	rawImg.Users = users.UsersFromBP(customizations.GetUsers())
 	rawImg.Groups = users.GroupsFromBP(customizations.GetGroups())

-	rawImg.KernelOptionsAppend = []string{"modprobe.blacklist=vc4"}
+	// "rw" kernel option is required when /sysroot is mounted read-only to
+	// keep stateful parts of the filesystem writeable (/var/ and /etc)
+	rawImg.KernelOptionsAppend = []string{"modprobe.blacklist=vc4", "rw"}
 	rawImg.Keyboard = "us"
 	rawImg.Locale = "C.UTF-8"
+	rawImg.SysrootReadOnly = true

 	rawImg.Platform = t.platform
 	rawImg.Workload = workload