[systemd-devel] DynamicUsers and read-only /var
Jérémy Rosen
jeremy.rosen at smile.fr
Wed May 16 13:05:23 UTC 2018
hmm, I think you could have the whole /var as a tmpfs and use
systemd-tmpfiles (man:tmpfiles.d) to initialize /var at startup by
copying some template directory from a read-only location (typically in
/usr).
On 16/05/2018 13:29, Antoine Pietri wrote:
> Hi,
>
> Our organization uses a diskless setup to boot hundreds of machines
> using a read-only NFS export of their common rootfs.
>
> To be able to run services that need to write in /var, we can't just
> have /var as a tmpfs, because it contains files installed by packages
> that are required by some services to run. Our current solution was to
> have /var in read-only, but have a list of directories where some
> services actually write (/var/log, /var/spool/mail, etc) and mount
> them as tmpfs.
>
> This year, some services like systemd-timesyncd are shipped with
> DynamicUser=yes by default in our distribution (Archlinux), which
> means the above solution no longer works. My understanding is that
> systemd requires a writable /var to be able to symlink the state
> directory the first time it is launched.
>
> Our only option here, if we don't want to manually disable dynamic
> users in all the services, seems to be to mount /var in a
> copy-on-write overlayfs. We could do that, but it's a bit cutting edge
> and dangerous for us. Two years ago, overlayfs didn't even support nfs
> as its lower directory, that's why we avoided it so far.
>
> As I know you don't like to add requirements to have a writable /var,
> I'd love to have your input on this issue! Is there anything we missed
> that would allow us to keep using dynamic user services with a
> read-only /var, or do we have to use the overlay solution?
>
> Thanks,
>
--
SMILE <http://www.smile.eu/>
20 rue des Jardins
92600 Asnières-sur-Seine
*Jérémy ROSEN*
Technical Architect
Head of Smile-ECS expertise
email jeremy.rosen at smile.fr <mailto:jeremy.rosen at smile.fr>
phone +33141402967
url http://www.smile.eu
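
The suggestion in the reply above (a tmpfs /var seeded by systemd-tmpfiles from a read-only template), as an added example that is not part of the original message: a shell helper that generates the tmpfiles.d `C` (recursive copy) lines for a template tree. The function name `gen_var_seed`, the template location and the output file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): emit tmpfiles.d(5) "C" lines that
# seed a tmpfs /var from a read-only template tree at boot.
# "C" copies recursively and only when the destination does not exist yet,
# so anything already present on the tmpfs is left untouched.
#
# Assumed usage, run at image build time (paths are hypothetical):
#   gen_var_seed /usr/share/factory/var > /etc/tmpfiles.d/var-seed.conf

# gen_var_seed TEMPLATE_DIR [TARGET]
# Prints one "C" line per top-level entry of TEMPLATE_DIR (dotfiles included).
gen_var_seed() {
    template=${1%/}
    target=${2:-/var}
    if [ ! -d "$template" ]; then
        echo "gen_var_seed: no such template directory: $template" >&2
        return 1
    fi
    for entry in "$template"/* "$template"/.[!.]*; do
        # An unmatched glob stays literal; skip it (but keep dangling symlinks).
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        case $name in
            *[[:space:]]*)
                # tmpfiles.d fields are whitespace-separated; such names would
                # need escaping, so they are reported instead of emitted.
                echo "gen_var_seed: skipping '$name' (whitespace in name)" >&2
                continue
                ;;
        esac
        # Fields: Type Path Mode User Group Age Argument (copy source)
        printf 'C %s/%s - - - - %s\n' "$target" "$name" "$entry"
    done
    return 0
}
```

The generated file only covers the seeding step; /var itself still has to be mounted as a tmpfs before systemd-tmpfiles runs.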