-
Notifications
You must be signed in to change notification settings - Fork 4
/
postprocess.sh
executable file
·109 lines (88 loc) · 3.53 KB
/
postprocess.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
#!/usr/bin/env bash
set -xeuo pipefail
# Setup unit & script for readonly sysroot migration:
# - https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
# - https://bugzilla.redhat.com/show_bug.cgi?id=2060976
cat > /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service <<'EOF'
[Unit]
Description=Fedora Silverblue Read-Only Sysroot Migration
Documentation=https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
ConditionPathExists=!/var/lib/.fedora_silverblue_readonly_sysroot
RequiresMountsFor=/sysroot /boot
ConditionPathIsReadWrite=/sysroot
[Service]
Type=oneshot
ExecStart=/usr/libexec/fedora-silverblue-readonly-sysroot
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
EOF
chmod 644 /usr/lib/systemd/system/fedora-silverblue-readonly-sysroot.service
cat > /usr/libexec/fedora-silverblue-readonly-sysroot <<'EOF'
#!/bin/bash
# Update an existing system to use a read only sysroot
# See https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot
# and https://bugzilla.redhat.com/show_bug.cgi?id=2060976
set -euo pipefail
main() {
# Used to condition execution of this unit at the systemd level
local -r stamp_file="/var/lib/.fedora_silverblue_readonly_sysroot"
if [[ -f "${stamp_file}" ]]; then
exit 0
fi
local -r ostree_sysroot_readonly="$(ostree config --repo=/sysroot/ostree/repo get "sysroot.readonly" &> /dev/null || echo "false")"
if [[ "${ostree_sysroot_readonly}" == "true" ]]; then
# Nothing to do
touch "${stamp_file}"
exit 0
fi
local -r boot_entries="$(ls -A /boot/loader/entries/ | wc -l)"
# Ensure that we can read BLS entries to avoid touching systems where /boot
# is not mounted
if [[ "${boot_entries}" -eq 0 ]]; then
echo "No BLS entry found: Maybe /boot is not mounted?" 1>&2
echo "This is unexpected thus no migration will be performed" 1>&2
touch "${stamp_file}"
exit 0
fi
# Check if any existing deployment is still missing the rw karg
local rw_kargs_found=0
local count=0
for f in "/boot/loader/entries/"*; do
count="$(grep -c "^options .* rw" "${f}" || true)"
if [[ "${count}" -ge 1 ]]; then
rw_kargs_found=$((rw_kargs_found + 1))
fi
done
# Some deployments are still missing the rw karg. Let's try to update them
if [[ "${boot_entries}" -ne "${rw_kargs_found}" ]]; then
ostree admin kargs edit-in-place --append-if-missing=rw || \
echo "Failed to edit kargs in place with ostree" 1>&2
fi
# Re-check if any existing deployment is still missing the rw karg
rw_kargs_found=0
count=0
for f in "/boot/loader/entries/"*; do
count="$(grep -c "^options .* rw" "${f}" || true)"
if [[ "${count}" -ge 1 ]]; then
rw_kargs_found=$((rw_kargs_found + 1))
fi
done
unset count
# If all deployments are good, then we can set the sysroot.readonly option
# in the ostree repo config
if [[ "${boot_entries}" -eq "${rw_kargs_found}" ]]; then
echo "Setting up the sysroot.readonly option in the ostree repo config"
ostree config --repo=/sysroot/ostree/repo set "sysroot.readonly" "true"
touch "${stamp_file}"
exit 0
fi
# If anything else before failed, we will retry on next boot
echo "Will retry next boot" 1>&2
exit 0
}
main "${@}"
EOF
chmod 755 /usr/libexec/fedora-silverblue-readonly-sysroot
# Enable the corresponding unit
systemctl enable fedora-silverblue-readonly-sysroot.service