aboutsummaryrefslogtreecommitdiffstats
path: root/usr/lib/systemd/readonly-root
blob: a367958086db94bd7b48f1d29e8fab87c16a235f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
#!/bin/bash
#
# Set up readonly-root support.
#

. /etc/init.d/functions

# We need to initialize the $HOSTNAME variable by ourselves now:
# (It was previously done for RHEL-6 branch, but got lost in time.)
HOSTNAME="$(hostname)"

# Check SELinux status
SELINUX_STATE=
if [ -e "/sys/fs/selinux/enforce" ] && [ "$(cat /proc/self/attr/current | tr -d '\000' )" != "kernel" ]; then
	if [ -r "/sys/fs/selinux/enforce" ] ; then
		SELINUX_STATE=$(cat "/sys/fs/selinux/enforce")
	else
		# assume enforcing if you can't read it
		SELINUX_STATE=1
	fi
fi

selinux_fixup() {
	if [ -n "$SELINUX_STATE" ] && [ -e "$1" ]; then
		restorecon -R "$1"
	fi
}

# Only read this once.
[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)

READONLY=
if [ -f /etc/sysconfig/readonly-root ]; then
	. /etc/sysconfig/readonly-root
fi
if strstr "$cmdline" readonlyroot ; then
	READONLY=yes
	[ -z "$RW_MOUNT" ] && RW_MOUNT=/var/lib/stateless/writable
	[ -z "$STATE_MOUNT" ] && STATE_MOUNT=/var/lib/stateless/state
fi
if strstr "$cmdline" noreadonlyroot ; then
	READONLY=no
fi

MOUNTS=()
if [ "$READONLY" = "yes" -o "$TEMPORARY_STATE" = "yes" ]; then

        add_mount() {
                mnt=${1%/}
                MOUNTS=("${MOUNTS[@]}" "$mnt")
        }

        cp_empty() {
                if [ -e "$1" ]; then
			echo "$1" | cpio -p -vd "$RW_MOUNT" &>/dev/null
                        add_mount $1
		fi
        }

        cp_dirs() {
		if [ -e "$1" ]; then
			mkdir -p "$RW_MOUNT$1"
			find "$1" -type d -print0 | cpio -p -0vd "$RW_MOUNT" &>/dev/null
                        add_mount $1
		fi
	}

        cp_files() {
		if [ -e "$1" ]; then
			cp -a --parents "$1" "$RW_MOUNT"
                        add_mount $1
		fi
	}

	# Common mount options for scratch space regardless of
	# type of backing store
	mountopts=

	# Scan partitions for local scratch storage
	rw_mount_dev=$(blkid -t LABEL="$RW_LABEL" -l -o device)

        bindmountopts=
        [ "$SLAVE_MOUNTS" = "yes" ] && bindmountopts="--make-slave"

	# First try to mount scratch storage from /etc/fstab, then any
	# partition with the proper label.  If either succeeds, be sure
	# to wipe the scratch storage clean.  If both fail, then mount
	# scratch storage via tmpfs.
	if mount $mountopts "$RW_MOUNT" > /dev/null 2>&1 ; then
		rm -rf "$RW_MOUNT" > /dev/null 2>&1
	elif [ x$rw_mount_dev != x ] && mount $rw_mount_dev $mountopts "$RW_MOUNT" > /dev/null 2>&1; then
		rm -rf "$RW_MOUNT"  > /dev/null 2>&1
	else
		mount -n -t tmpfs $RW_OPTIONS $mountopts none "$RW_MOUNT"
	fi

	for file in /etc/rwtab /etc/rwtab.d/* /run/initramfs/rwtab ; do
		is_ignored_file "$file" && continue
	[ -f $file ] && while read type path ; do
			case "$type" in
				empty)
					cp_empty $path
					;;
				files)
					cp_files $path
					;;
				dirs)
					cp_dirs $path
					;;
				*)
					;;
			esac
                done < <(cat $file)
	done

        for m in "${MOUNTS[@]}"; do
                prefix=0
                for mount_point in "${MOUNTS[@]}"; do
                        [[ $m = $mount_point ]] && continue
                        if [[ $m =~ ^$mount_point/.* ]] ; then
                                prefix=1
                                break
                        fi
                done
                [[ $prefix -eq 1 ]] && continue

                mount -n --bind $bindmountopts "$RW_MOUNT$m" "$m"
	        selinux_fixup "$m"
        done

	# Use any state passed by initramfs
	[ -d /run/initramfs/state ] && cp -a /run/initramfs/state/* $RW_MOUNT

	# In theory there should be no more than one network interface active
	# this early in the boot process -- the one we're booting from.
	# Use the network address to set the hostname of the client.  This
	# must be done even if we have local storage.
	ipaddr=
	if [ "$HOSTNAME" = "localhost" -o "$HOSTNAME" = "localhost.localdomain" ]; then
		ipaddr=$(ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }')
		for ip in $ipaddr ; do
			HOSTNAME=
			eval $(ipcalc -h $ipaddr 2>/dev/null)
			[ -n "$HOSTNAME" ] && { hostname ${HOSTNAME} ; break; }
		done
	fi
	
	# Clients with read-only root filesystems may be provided with a
	# place where they can place minimal amounts of persistent
	# state.  SSH keys or puppet certificates for example.
	#
	# Ideally we'll use puppet to manage the state directory and to
	# create the bind mounts.  However, until that's all ready this
	# is sufficient to build a working system.

	# First try to mount persistent data from /etc/fstab, then any
	# partition with the proper label, then fallback to NFS
	state_mount_dev=$(blkid -t LABEL="$STATE_LABEL" -l -o device)
	if mount $mountopts $STATE_OPTIONS "$STATE_MOUNT" > /dev/null 2>&1 ; then
		/bin/true
	elif [ x$state_mount_dev != x ] && mount $state_mount_dev $mountopts "$STATE_MOUNT" > /dev/null 2>&1;  then
		/bin/true
	elif [ ! -z "$CLIENTSTATE" ]; then
		# No local storage was found.  Make a final attempt to find
		# state on an NFS server.

		mount -t nfs $CLIENTSTATE/$HOSTNAME $STATE_MOUNT -o rw,nolock
	fi

	if [ -w "$STATE_MOUNT" ]; then

		mount_state() {
			if [ -e "$1" ]; then
				[ ! -e "$STATE_MOUNT$1" ] && cp -a --parents "$1" "$STATE_MOUNT"
				mount -n --bind $bindmountopts "$STATE_MOUNT$1" "$1"
			fi
		}

		for file in /etc/statetab /etc/statetab.d/* ; do
			is_ignored_file "$file" && continue
			[ ! -f "$file" ] && continue

			if [ -f "$STATE_MOUNT/$file" ] ; then
				mount -n --bind $bindmountopts "$STATE_MOUNT/$file" "$file"
			fi

			for path in $(grep -v "^#" "$file" 2>/dev/null); do
				mount_state "$path"
				selinux_fixup "$path"
			done
		done

		if [ -f "$STATE_MOUNT/files" ] ; then
			for path in $(grep -v "^#" "$STATE_MOUNT/files" 2>/dev/null); do
				mount_state "$path"
				selinux_fixup "$path"
			done
		fi
	fi

        if mount | grep -q /var/lib/nfs/rpc_pipefs ; then
                mount -t rpc_pipefs sunrpc /var/lib/nfs/rpc_pipefs
        fi
fi