Read only rootfs

hgdahmen · January 11, 2020, 2:11pm

Hi,

I’d like to use clear linux to develop something like a kiosk application on the Intel NUC platform. I’ve seen the live images use an overlayfs in a way that would suit my needs to make the rootfs read only.

So now I want to create my own variation of this. It looks like the live images somehow incorporate the file
/usr/share/clr-installer/iso_templates initrd_init_template that does the mount into their initrd. Can somehow explain how this special config ends up in the live image or point me to the command line that is used to create the image? There seems to be going on more than just using the yaml file for creating an image. What am I missing here?

puneetse · January 11, 2020, 10:17pm

Mounting rootfs has to be done earlier in the process than other mounts. This stackoverflow thread discusses the special considerations with using overlayfs for rootfs in a lot of detail: linux - How to use OverlayFS to protect the root filesystem? - Unix & Linux Stack Exchange.

You can look at the content of /boot and kernel cmdline from the live image to see the order the images get loaded in.

The Clear Linux installer mounts the rootfs with mounts a SquashFS for compressed readonly parts and then puts an overlayfs onto in ram/tmpfs for the writeable/disposable parts. Paging @mhorn to double check me.

Lucapz · January 12, 2020, 8:49am

systemd.volatile=overlay

Also new with systemd 242 is the ability for booting the system where the root file-system is setup as an OverlayFS mount with a root-only root directory with a writable TMPFS. In other words, the underlying root device is not modified albeit all changes lost at reboot. This behavior can be started with the systemd.volatile=overlay kernel command-line parameter. Systemd-nspawn also now supports this volatile overlay mode.

dracut rootovl

https://www.enricozini.org/blog/2019/himblick/read-only-rootfs/

hgdahmen · January 13, 2020, 2:03pm

@Lucapz thank you for hinting me at those.

@puneetse Yes I have seen the squashfs and the stackexchange article. What was unclear to me is how the initrd of the live installer gets modified to include the mount command that causes this special mount setup. It turns out there are some things hardcoded to produce a special initrd when using the --iso option with clr-install. So that doesn’t help me much.

I have tried using the command line option by doing this
mkdir /etc/kernel
touch /etc/kernel/cmdline
echo “systemd.volatile=overlay” > /etc/kernel/cmdline
clr-boot-manager update

That configures the command line but it does not enable the overlay mount behaviour. Do I need to recreate the initrd? I am fairly new to dracut and modifying init systems in general. I am reading about it, but I already have some questions about how things are put together in clr-linux.

I am using the bootloader bundle and I have looked through its packages but I can’t really see how it all works together to boot my system. In particular I fail to understand how the bootloader is getting its initrd.

Can someone point me in the right direction here?

hgdahmen · January 13, 2020, 5:29pm

Ok I now found out that the contents of “/usr/lib/initrd.d/” will get copied to the boot partition and be appended as initrd parameters to the kernel command line by configuring some bootloader config file.

When using dracut to generate an image and use above mechanism to use the generated initramfs during boot then my system won’t boot anymore. The generated initramfs also appears to only contain a few kernel modules.

Am I understanding something wrong there?

I stumbled across the bootloader-extras bundle which seems to include some pre-built initramfs that uses systemd, is this maybe a starting point?

mhorn · January 13, 2020, 5:45pm

@puneetse You are correct in how the Installer ISO functions.

@hgdahmen The installer source is in GitHub here:

If you look in the isoutils folder, there is a good readme that explains how our ISO is created:

github.com

clearlinux/clr-installer/blob/8a7e4b486cce3367f7cfefe06c4523460f3f9963/isoutils/ISO_README.md

**Why did we do this?**

Supporting Legacy systems is (or was) a requirement of the installation media only. This means that Clear Linux itself does (or did) not support booting on non-EFI systems at all. ISO support was added mainly to support legacy boot and also because it is industry standard.

There was already an example of how this is done in the release tools (create-iso.sh), much of how ISO generation works was built on the process in this script.

**How is the ISO boot process different?**

The normal boot process uses a 2-stage bootloader with a shim (bootloaderx64.efi) and systemd-boot (loaderx64.efi) as the second stage.

A very broad overview looks like this:

(system boot) -> (EFI firmware) -> (bootloaderx64.efi) -> (loaderx64.efi) -> Kernel

The ISO has more steps, and two distinct boot flows

On EFI:

(system boot) -> (EFI firmware) -> (bootloaderx64.efi) -> (loaderx64.efi) -> (initrd) -> (initrd init, syscheck and fs overlay) -> (switch_root and launch init)

This file has been truncated. show original

hgdahmen · January 13, 2020, 6:05pm

@mhorn I have already seen the relevant code as explained in my above answer. Sadly this doesn’t help me, because after checking the code I am still no wiser on how to modify a default Clear Linux install to use an initrd and exhibit the same behaviour and keep it after kernel updates and survive other things that swupd triggers.

mhorn · January 13, 2020, 6:29pm

There I won’t be able to help you. We create a new ISO image for each release.
Something like a Kiosk probably needs to be more static than a rolling update OS.