From 711f39bb12427992936e4f827aea611a4d027050 Mon Sep 17 00:00:00 2001
From: Colin Walters
Date: Tue, 13 Feb 2024 21:00:49 -0500
Subject: [PATCH] Mount /boot ro by default

See https://github.com/containers/bootc/pull/294

This is particularly motivated by https://github.com/CentOS/centos-bootc-dev/pull/27 because with that suddenly `dnf` will appear to start working but trying to do anything involving the kernel (i.e. mutating `/boot`) will end in sadness, and this puts a stop to that.

(This also relates of course to ye olde https://github.com/osbuild/bootc-image-builder/issues/18 where we want the partitioning setup in the default case to come from the container)

Signed-off-by: Colin Walters
---
 bib/cmd/bootc-image-builder/partition_tables.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/bib/cmd/bootc-image-builder/partition_tables.go b/bib/cmd/bootc-image-builder/partition_tables.go
index 2a1692f5..68101c09 100644
--- a/bib/cmd/bootc-image-builder/partition_tables.go
+++ b/bib/cmd/bootc-image-builder/partition_tables.go
@@ -9,6 +9,11 @@ import (
 const (
 	MebiByte = 1024 * 1024 // MiB
 	GibiByte = 1024 * 1024 * 1024 // GiB
+	// BootOptions defines the mountpoint options for /boot
+	// See https://github.com/containers/bootc/pull/341 for the rationale for
+	// using `ro` by default. Briefly it protects against corruption
+	// by non-ostree aware tools.
+	BootOptions = "ro"
 )
 
 var partitionTables = distro.BasePartitionTableMap{
@@ -44,7 +49,7 @@ var partitionTables = distro.BasePartitionTableMap{
 			Type: "ext4",
 			Mountpoint: "/boot",
 			Label: "boot",
-			FSTabOptions: "defaults",
+			FSTabOptions: BootOptions,
 			FSTabFreq: 1,
 			FSTabPassNo: 2,
 		},
@@ -89,7 +94,7 @@ var partitionTables = distro.BasePartitionTableMap{
 			Type: "ext4",
 			Mountpoint: "/boot",
 			Label: "boot",
-			FSTabOptions: "defaults",
+			FSTabOptions: BootOptions,
 			FSTabFreq: 1,
 			FSTabPassNo: 2,
 		},
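Review bot: The doc comment on `BootOptions` in the first hunk describes `ro` as protection against corruption, but an fstab option only sets the initial mount state; any root process can remount `/boot` read-write, so this is a guard against accidental writes by non-ostree-aware tools rather than an enforced boundary, and the comment should say so, e.g. `// This is the initial mount state only; privileged tooling can still remount /boot rw.` The comment cites bootc pull 341 while the commit message cites pull 294, so the two references should agree or the comment should explain why both apply. The `var partitionTables` declaration edited in the two later hunks (at -44 and -89) continues outside those hunks; they only swap the `"defaults"` literal for the constant and raise nothing beyond this.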