To fulfill OverlayFS workdir requirements, the mount-copybind script
creates a workdir. But if the mount operation fails for any reason,
the workdir is left there.
Then, subsequent runs of mount-copybind will again try to
create the directory and pollute system logs with failed mkdir error
messages.
This commit mitigates the problem by unconditionally removing workdir
if the OverlayFS is not used or fails to run.
(From OE-Core rev: 7872edbb33024fc710ac683eaef5635b89a1b994)
Signed-off-by: Ricardo Simoes <ricardo.simoes@pt.bosch.com>
Signed-off-by: Mark Jonas <mark.jonas@de.bosch.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
When the mountpoint parameter is a directory, the mount-copybind will
first try to use OverlayFS. Because of that, it needs to create the
OverlayFS workdir (determined by the overlay_workdir).
But if the environment variable MOUNT_COPYBIND_AVOID_OVERLAYFS is set
to "1", the script uses bind mount. In that case, the overlay_workdir
is useless, leaving the spec parent directory in a dirty state.
This commit changes mount-copybind so that the overlay_workdir is only
created when MOUNT_COPYBIND_AVOID_OVERLAYFS is not set to 1.
(From OE-Core rev: 323765607f262b5fea0f19e8a05aeffe5076235a)
Signed-off-by: Ricardo Simoes <ricardo.simoes@pt.bosch.com>
Signed-off-by: Mark Jonas <mark.jonas@de.bosch.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
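As an added illustration of the two workdir commits above (not the OE-Core mount-copybind script itself), the following model shows the overlay-vs-bind decision, creating the workdir only on the overlay path and removing it again when the mount fails; the MOUNT_IMPL stand-in is an assumption of this example so it can run without privileges:

```shell
# Added example (not the OE-Core mount-copybind script itself): a model of the
# overlay-vs-bind decision and of workdir handling from the commit messages
# above. MOUNT_IMPL (an assumption of this example) replaces the real mount
# command so the logic runs unprivileged; nothing is actually mounted.
set -u

# Stand-in for "mount -t overlay ..." / "mount --bind ...". Records what would
# have been mounted; return non-zero from a replacement to simulate failure.
mount_impl_noop() { LAST_MOUNT_KIND=$1; return 0; }
MOUNT_IMPL=${MOUNT_IMPL:-mount_impl_noop}

# setup_volatile SPEC MOUNTPOINT
#   SPEC       - writable, tmpfs-backed directory (e.g. /var/volatile/lib)
#   MOUNTPOINT - read-only directory in the rootfs (e.g. /var/lib)
# Returns 0 on success, 1 on failure, and never leaves the overlay workdir
# behind in SPEC's parent directory.
setup_volatile() {
    spec=$1
    mountpoint=$2
    overlay_workdir="$(dirname "$spec")/.$(basename "$spec")-workdir"

    if [ "${MOUNT_COPYBIND_AVOID_OVERLAYFS:-0}" = "1" ]; then
        # Plain bind mount: no workdir is needed, so none is created.
        "$MOUNT_IMPL" bind "$spec" "$mountpoint"
        return $?
    fi

    # OverlayFS needs an empty workdir on the same filesystem as the upperdir.
    mkdir -p "$overlay_workdir" || return 1
    if "$MOUNT_IMPL" overlay "$mountpoint" "$spec" "$overlay_workdir" "$mountpoint"; then
        return 0
    fi
    # Mount failed: remove the workdir so the next run does not hit a
    # failing mkdir and fill the system log with error messages.
    rm -rf "$overlay_workdir"
    return 1
}
```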
The mount-copybind script will create the parent directory of the bind
mount if it does not exist. But actually, if this is the case, the
service will not even start because of the ConditionPathIsReadWrite.
This patch adds an "or" condition to allow the service to start also if
the parent directory of the bind mount does not exist.
(From OE-Core rev: 1ca031b77546056ca1994469b0f2e93ea2018edf)
Signed-off-by: Stéphane Veyret <sveyret@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Remove setting TimeoutSec and allow the DefaultTimeSec to be set for the
volatile-binds services.
(From OE-Core rev: 86aea324e423ce5f411a21afa18356339e3545a8)
Signed-off-by: Portia Stephens <stephensportia@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The systemd-unit parameter DefaultDependencies changed from true/false
to yes/no. This changed in systemd in v242.
(From OE-Core rev: add4dcb03dc7b034253db05f0023cb97cab8b26d)
Signed-off-by: Portia Stephens <stephensportia@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Use the new MOUNT_COPYBIND_AVOID_OVERLAYFS flag provided by mount-copybind.
When SELinux is enabled, processes accessing OverlayFS mounts will get a denial
if the process setting up the mount doesn't have all the permissions that
the accessor has.
(From OE-Core rev: 6002bdc77643c363a8326bf163baecba8b36e3e0)
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
$ shellcheck meta/recipes-core/volatile-binds/files/mount-copybind
In meta/recipes-core/volatile-binds/files/mount-copybind line 54:
mountcontext=",rootcontext=$(matchpathcon -n $mountpoint)"
^---------^ SC2086: Double quote to prevent globbing and word splitting.
Did you mean:
mountcontext=",rootcontext=$(matchpathcon -n "$mountpoint")"
For more information:
https://www.shellcheck.net/wiki/SC2086 -- Double quote to prevent globbing ...
(From OE-Core rev: 56c7962a6c31acfe0e118f713954aeafd7e2d9c0)
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
If selinux is enabled, the context of the mountpoint for overlayfs
needs to be specified manually via the rootcontext option. To this
end, the required context is determined using matchpathcon(1) and
passed via the rootcontext mount option.
Additionally, if the mount source directory is created by mount-copybind,
it also needs to take care that the context of the directory is correct.
(From OE-Core rev: 57f51e8c73ab9f55f20815a9459c3afad2b281e6)
Signed-off-by: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Bind mounts don't use the SELinux label of the target, but the SELinux
label of the source.
This patch restores the SELinux context of the bind mount recursively using
restorecon.
(From OE-Core rev: 6f3e231dc9bc11772573bf9683de9804460362d1)
Signed-off-by: Tobias Kaufmann <Tobias.KA.Kaufmann@bmw.de>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
With systemd v246 the syslog target now generates a warning (and has
been deprecated for some time). Drop the target and allow the default to
take effect.
(From OE-Core rev: dba15118a749b5e633f03b662c9ba00d6b0eff02)
Signed-off-by: Alex Kiernan <alex.kiernan@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Copying files from the read-only root filesystem to the tmpfs
providing the volatile directories can be slow and waste memory.
If the kernel supports the overlay filesystem, use it to mount
a writable tmpfs on top of the read-only directory from the
rootfs and avoid copies.
Analogous to the modification made to initscripts's
read-only-rootfs-hook in 370fda1b2e8d5dc011522131bba4106de26bfb19.
(From OE-Core rev: b4976f3cf8cd028f165100b67867adb862da4d7f)
Signed-off-by: Matt Hoosier <matt.hoosier@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
It calls /sbin/umount to stop service var-volatile-lib. But umount is
installed into directory /bin. Correct it.
(From OE-Core rev: 55851c6f389cb027496c96f6e0609c8892032e4d)
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This recipe is designed to play a key role in a read-only rootfs
of systemd based systems. It generates service files from a template,
volatile-binds.service.in and the VOLATILE_BINDS variable.
By default, VOLATILE_BINDS takes the value of "/var/volatile/lib /var/lib\n",
which leads to the generation of volatile-var-lib.service file.
This file doesn't have any effect in a read-write system, as it
has "ConditionPathIsReadWrite = !/var/lib" in the [Unit] section.
In other words, this file only has effect in a read-only rootfs.
(From OE-Core rev: ed7d30dc0cdb6d6c56c50ac7a3440c4ed0ee70d3)
Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Saul Wold <sgw@linux.intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>