List of partitions for overlayroot

Bug #1758389 reported by Nikolay Turpitko on 2018-03-23
This bug affects 1 person
Affects: cloud-initramfs-tools (Ubuntu)
Status: Confirmed
Importance: Wishlist

Bug Description

I'm experimenting with overlayroot in VirtualBox.
In my setup I have separate /boot, /var, /home and / (root) partitions.
I want the /boot and / (root) partitions to be protected with overlayroot=tmpfs, but the others to be mounted normally as rw. There is an option 'recurse', but it only allows switching handling of all other partitions on/off, which does not suit my needs.

Is it possible to add another option like 'overlayroot_partitions=boot,backup' or 'overlayroot_exclude_partitions=home,var'?

Nikolay Turpitko (nikolay-w) wrote :

I attached a patch, illustrating changes I propose.
I amended the "recurse" option so that it takes a regexp of filesystem names to work on, besides the old values "0" and "1". That is, the old values keep their meaning, but if recurse is set to something like "boot|backup" it will work only on those filesystems.

I tested with the option `overlayroot="tmpfs:swap=1,recurse=boot|backup,driver=overlay"`. It works for me, but I don't know the other use cases for which people use this package and obviously cannot properly test them. Also, reusing the "recurse" option, though simple, may be questioned by someone. So, see the patch as an illustration of the idea, not as a completed solution.

Also, I found that "overlayroot-chroot" did not mount the separate /var partition, and without it apt/dpkg failed to properly remove packages. I added "var" to the list of filesystems which "overlayroot-chroot" binds before executing chroot. This also may not be in line with the original design, but I just don't know how to deal with it properly.

With these modifications the package works for me, but it is still not quite a perfect solution for my goal, which is to protect the /, /boot and /backup partitions of my laptop from incidental modifications but leave the /home, /var, /swap and /tmp partitions in rw mode. I do not want to mount all partitions as a single /, because I have an SSD+HDD and partitions should be on different drives (for example, / is on the SSD and /var on the HDD). Also, I do not want to mount my /home as ro. And in my tests I was not even able to boot with a read-only /var. With my modifications and settings I can boot and work with the system almost normally, except that an incidental attempt to remove a package without "overlayroot-chroot" can modify dpkg's database (which is on rw /var), though / and /boot are protected and restored after reboot all right. Alas, it leaves the system in a half-damaged state. I'd appreciate some idea to prevent this. But, probably, just an alias will do.

The attachment "0001-Allow-to-list-affected-filesystems-in-recurse.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Nikolay Turpitko (nikolay-w) wrote :

Simplified conditional logic and allowed to negate expression.

Nikolay Turpitko (nikolay-w) wrote :

Please disregard the last paragraph in my comment #1. I've found that I was not able to boot with recurse=1 not because of the read-only /var, but because of the script's attempt to remount an absent cdrom for which I have an entry in my /etc/fstab (added by the system installer).

Nevertheless, I found the new configuration useful for excluding some filesystems from recurse. For example, to properly boot with (separate) read-only /, /boot, /var and read-write /home I use a string like the one below in my /etc/overlayroot.local.conf:

I checked: this syntax also works for the kernel command line, I only had to put the recurse option in single quotes, like: "... overlayroot=tmpfs:swap=1,recurse='not:cdrom|home'".
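As an added illustration (not the patch attached to this bug, and not overlayroot's own code; the patch's exact matching target and helper names are not shown on this page, so the function and sample mount list below are assumptions), the following POSIX shell function reproduces the recurse semantics described in comment #1 and the follow-up above: "0" and "1" keep their old meaning, any other value is treated as an extended regexp matched against each mount point, and a "not:" prefix inverts the match.

```shell
#!/bin/sh
# Added example, not overlayroot's own code. Mimics the proposed "recurse"
# semantics from this bug thread:
#   recurse=0               -> overlay nothing besides /
#   recurse=1               -> overlay every other listed filesystem
#   recurse=boot|backup     -> overlay only mount points matching the regexp
#   recurse=not:cdrom|home  -> overlay everything except matching mount points
# The regexp is matched (unanchored, grep -E) against the full mount point;
# whether the real patch matches names, devices or fstab lines is unknown.

# Constructed sample list of non-root mount points, one per line, as they
# might be read out of /etc/fstab. Not taken from a real machine.
SAMPLE_MOUNTS="/boot
/var
/home
/backup
/media/cdrom0"

# recurse_filter VALUE
# Reads mount points from stdin and prints the ones that should receive an
# overlay according to VALUE. Hypothetical helper name.
recurse_filter() {
    value=$1
    negate=0
    case "$value" in
        not:*) negate=1; value=${value#not:} ;;
    esac

    while IFS= read -r mp; do
        [ -n "$mp" ] || continue

        # Legacy boolean values keep their meaning.
        case "$value" in
            0) continue ;;
            1) printf '%s\n' "$mp"; continue ;;
        esac

        # Anything else is an extended regexp over the mount point.
        if printf '%s\n' "$mp" | grep -Eq -- "$value"; then
            matched=1
        else
            matched=0
        fi

        # Print when the match result differs from the negation flag:
        # plain pattern -> print matches; "not:" pattern -> print non-matches.
        if [ "$matched" -ne "$negate" ]; then
            printf '%s\n' "$mp"
        fi
    done
}

# Usage:
#   printf '%s\n' "$SAMPLE_MOUNTS" | recurse_filter 'not:cdrom|home'
```

Two caveats a practitioner would want: the pattern is unanchored, so `boot` also selects a hypothetical `/boot2` (anchor with `^/boot$` if that matters), and the value arrives straight from the kernel command line or overlayroot.local.conf into `grep -E`, which is why the quoting noted above is needed. The filter only decides which filesystems get an overlay; it does nothing about the problem raised in comment #1, where package tooling writing to a read-write /var leaves dpkg's database out of step with a / that is restored on reboot.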

Scott Moser (smoser) on 2018-07-09
Changed in cloud-initramfs-tools (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist