distro/rhel: make edge images properly sysroot.readonly=true

Make edge raw images (both the raw image type and the same in the edge simplified installer) mount the /sysroot as read-only. This was already done in Fedora 37+ (547f7a66b3). Copied commit message from 6f89e9d499 to a comment in all places where the accompanying "rw" kernel option is set explaining the requirement, since the option is counter-intuitive. Signed-off-by: Antonio Murdaca <runcom@linux.com> Signed-off-by: Antonio Murdaca <antoniomurdaca@gmail.com> Co-Authored-By: Achilleas Koutsou <achilleas@koutsou.net>
2022-10-07 16:07:51 +02:00 · 2022-10-07 16:07:51 +02:00 · 6d15dc144c
commit 6d15dc144c
parent 6bb7de5269
6 changed files with 64 additions and 32 deletions
--- a/test/data/ansible/check_ostree.yaml
+++ b/test/data/ansible/check_ostree.yaml
@ -5,6 +5,7 @@
    workspace: "{{ lookup('env', 'WORKSPACE') }}"
    skip_rollback_test: "false"
    fdo_credential: "false"
+    edge_type: "none"
    embeded_container: "false"
    total_counter: "0"
    failed_counter: "0"
@ -232,25 +233,12 @@
      shell: findmnt -r -o OPTIONS -n /sysroot | awk -F "," '{print $1}'
      register: result_sysroot_mount_status

-    - name: /sysroot should be mount with rw permission
-      block:
-        - assert:
-            that:
-              - result_sysroot_mount_status.stdout == "rw"
-            fail_msg: "/sysroot is not mounted with rw permission"
-            success_msg: "/sysroot is mounted with rw permission"
-      always:
-        - set_fact:
-            total_counter: "{{ total_counter | int + 1 }}"
-      rescue:
-        - name: failed count + 1
-          set_fact:
-            failed_counter: "{{ failed_counter | int + 1 }}"
-      when: (ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
-            (ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat')
-
    # https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
-    - name: /sysroot should be mount with ro permission since Fedora 37
+    # There are three checks here for /sysroot permission based on pr https://github.com/osbuild/osbuild-composer/pull/3053
+    # 1. for edge-commit and edge-installer, check ro when fedora >= 37
+    # 2. for edge-commit and edge-installer, check rw for other os.
+    # 3. for edge-simplified-installer and edge-raw-image, check ro for all os.
+    - name: /sysroot should be mount with ro permission for edge-commit and edge-installer on Fedora >= 37
      block:
        - assert:
            that:
@ -264,7 +252,40 @@
        - name: failed count + 1
          set_fact:
            failed_counter: "{{ failed_counter | int + 1 }}"
-      when: ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '>=')
+      when: (edge_type == "none") and (ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '>='))
+
+    - name: /sysroot should be mount with rw permission for edge-commit and edge-installer on all OS except Fedora >= 37
+      block:
+        - assert:
+            that:
+              - result_sysroot_mount_status.stdout == "rw"
+            fail_msg: "/sysroot is not mounted with rw permission"
+            success_msg: "/sysroot is mounted with rw permission"
+      always:
+        - set_fact:
+            total_counter: "{{ total_counter | int + 1 }}"
+      rescue:
+        - name: failed count + 1
+          set_fact:
+            failed_counter: "{{ failed_counter | int + 1 }}"
+      when: (edge_type == "none") and ((ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
+            (ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat'))
+
+    - name: /sysroot should be mount with ro permission for edge-simplified-installer and edge-raw-image
+      block:
+        - assert:
+            that:
+              - result_sysroot_mount_status.stdout == "ro"
+            fail_msg: "/sysroot is not mounted with ro permission"
+            success_msg: "/sysroot is mounted with ro permission"
+      always:
+        - set_fact:
+            total_counter: "{{ total_counter | int + 1 }}"
+      rescue:
+        - name: failed count + 1
+          set_fact:
+            failed_counter: "{{ failed_counter | int + 1 }}"
+      when: edge_type == "edge-simplified-installer" or edge_type == "edge-raw-image"

    # case: check /var mount point
    - name: check /var mount point
@ -397,8 +418,8 @@
        - name: failed count + 1
          set_fact:
            failed_counter: "{{ failed_counter | int + 1 }}"
-      when: (ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
-            (ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat')
+      when: (edge_type == "none") and ((ansible_facts['distribution'] == 'Fedora' and ansible_facts['distribution_version'] is version('37', '<')) or
+            (ansible_facts['distribution'] == 'CentOS') or (ansible_facts['distribution'] == 'RedHat'))

    # case: check dmesg error and failed log
    - name: check dmesg output