#!/bin/bash # # Set up readonly-root support. # . /etc/init.d/functions # Check SELinux status SELINUX_STATE= if [ -e "/sys/fs/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then if [ -r "/sys/fs/selinux/enforce" ] ; then SELINUX_STATE=$(cat "/sys/fs/selinux/enforce") else # assume enforcing if you can't read it SELINUX_STATE=1 fi fi selinux_fixup() { if [ -n "$SELINUX_STATE" ] && [ -e "$1" ]; then restorecon -R "$1" fi } # Only read this once. [ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline) READONLY= if [ -f /etc/sysconfig/readonly-root ]; then . /etc/sysconfig/readonly-root fi if strstr "$cmdline" readonlyroot ; then READONLY=yes [ -z "$RW_MOUNT" ] && RW_MOUNT=/var/lib/stateless/writable [ -z "$STATE_MOUNT" ] && STATE_MOUNT=/var/lib/stateless/state fi if strstr "$cmdline" noreadonlyroot ; then READONLY=no fi MOUNTS=() if [ "$READONLY" = "yes" -o "$TEMPORARY_STATE" = "yes" ]; then add_mount() { mnt=${1%/} MOUNTS=("${MOUNTS[@]}" "$mnt") } cp_empty() { if [ -e "$1" ]; then echo "$1" | cpio -p -vd "$RW_MOUNT" &>/dev/null add_mount $1 fi } cp_dirs() { if [ -e "$1" ]; then mkdir -p "$RW_MOUNT$1" find "$1" -type d -print0 | cpio -p -0vd "$RW_MOUNT" &>/dev/null add_mount $1 fi } cp_files() { if [ -e "$1" ]; then cp -a --parents "$1" "$RW_MOUNT" add_mount $1 fi } # Common mount options for scratch space regardless of # type of backing store mountopts= # Scan partitions for local scratch storage rw_mount_dev=$(blkid -t LABEL="$RW_LABEL" -l -o device) # First try to mount scratch storage from /etc/fstab, then any # partition with the proper label. If either succeeds, be sure # to wipe the scratch storage clean. If both fail, then mount # scratch storage via tmpfs. if mount $mountopts "$RW_MOUNT" > /dev/null 2>&1 ; then rm -rf "$RW_MOUNT" > /dev/null 2>&1 elif [ x$rw_mount_dev != x ] && mount $rw_mount_dev $mountopts "$RW_MOUNT" > /dev/null 2>&1; then rm -rf "$RW_MOUNT" > /dev/null 2>&1 else mount -n -t tmpfs $RW_OPTIONS $mountopts none "$RW_MOUNT" fi for file in /etc/rwtab /etc/rwtab.d/* /run/initramfs/rwtab ; do is_ignored_file "$file" && continue [ -f $file ] && while read type path ; do case "$type" in empty) cp_empty $path ;; files) cp_files $path ;; dirs) cp_dirs $path ;; *) ;; esac done < <(cat $file) done for m in "${MOUNTS[@]}"; do prefix=0 for mount_point in "${MOUNTS[@]}"; do [[ $m = $mount_point ]] && continue if [[ $m =~ ^$mount_point/.* ]] ; then prefix=1 break fi done [[ $prefix -eq 1 ]] && continue mount -n --bind "$RW_MOUNT$m" "$m" selinux_fixup "$m" done # Use any state passed by initramfs [ -d /run/initramfs/state ] && cp -a /run/initramfs/state/* $RW_MOUNT # In theory there should be no more than one network interface active # this early in the boot process -- the one we're booting from. # Use the network address to set the hostname of the client. This # must be done even if we have local storage. ipaddr= if [ "$HOSTNAME" = "localhost" -o "$HOSTNAME" = "localhost.localdomain" ]; then ipaddr=$(ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }') for ip in $ipaddr ; do HOSTNAME= eval $(ipcalc -h $ipaddr 2>/dev/null) [ -n "$HOSTNAME" ] && { hostname ${HOSTNAME} ; break; } done fi # Clients with read-only root filesystems may be provided with a # place where they can place minimal amounts of persistent # state. SSH keys or puppet certificates for example. # # Ideally we'll use puppet to manage the state directory and to # create the bind mounts. However, until that's all ready this # is sufficient to build a working system. # First try to mount persistent data from /etc/fstab, then any # partition with the proper label, then fallback to NFS state_mount_dev=$(blkid -t LABEL="$STATE_LABEL" -l -o device) if mount $mountopts $STATE_OPTIONS "$STATE_MOUNT" > /dev/null 2>&1 ; then /bin/true elif [ x$state_mount_dev != x ] && mount $state_mount_dev $mountopts "$STATE_MOUNT" > /dev/null 2>&1; then /bin/true elif [ ! -z "$CLIENTSTATE" ]; then # No local storage was found. Make a final attempt to find # state on an NFS server. mount -t nfs $CLIENTSTATE/$HOSTNAME $STATE_MOUNT -o rw,nolock fi if [ -w "$STATE_MOUNT" ]; then mount_state() { if [ -e "$1" ]; then [ ! -e "$STATE_MOUNT$1" ] && cp -a --parents "$1" "$STATE_MOUNT" mount -n --bind "$STATE_MOUNT$1" "$1" fi } for file in /etc/statetab /etc/statetab.d/* ; do is_ignored_file "$file" && continue [ ! -f "$file" ] && continue if [ -f "$STATE_MOUNT/$file" ] ; then mount -n --bind "$STATE_MOUNT/$file" "$file" fi for path in $(grep -v "^#" "$file" 2>/dev/null); do mount_state "$path" selinux_fixup "$path" done done if [ -f "$STATE_MOUNT/files" ] ; then for path in $(grep -v "^#" "$STATE_MOUNT/files" 2>/dev/null); do mount_state "$path" selinux_fixup "$path" done fi fi if mount | grep -q /var/lib/nfs/rpc_pipefs ; then mount -t rpc_pipefs sunrpc /var/lib/nfs/rpc_pipefs fi fi