From 9097e37a6615f7cd909c55103c0d5ebb2d01b2ea Mon Sep 17 00:00:00 2001
From: D4VID
Date: Mon, 23 Dec 2024 17:34:09 +0000
Subject: [PATCH] Initrd scripts for unionfs

---
 syslinux.md | 107 ++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 92 insertions(+), 15 deletions(-)

diff --git a/syslinux.md b/syslinux.md
index 2f55bd7..6cd25b6 100644
--- a/syslinux.md
+++ b/syslinux.md
@@ -66,6 +66,26 @@ LABEL FIKS OS
 ## Client system
+### Image itself
+
+Disable systemd-resolved (requires writable /etc/resolve.conf):
+`systemctl mask systemd-resolved.service`
+`systemctl mask systemd-hostnamed.service`
+`systemctl mask systemd-timesyncd.service`
+`systemctl mask systemd-update-utmp.service`
+`systemctl mask systemd-update-utmp-runlevel.service`
+
+`systemctl mask ModemManager.service`
+`systemctl mask man-db.service`
+`systemctl mask logrotate.service`
+`systemctl mask grub-initrd-fallback.service`
+`systemctl mask grub-common.service`
+`systemctl mask snapd`
+
+`systemctl enable tmp.mount`
+
+### Initrd
+
 `mkdir initrd-workdir && cd initrd-workdir`
 `unmkinitramfs /boot/initrd.img-$(uname -r) .`
@@ -87,28 +107,85 @@ fscache
 overlay
 ```
-`find . | cpio -H newc -o | gzip -9 > /srv/tftp/initrd.img`
-Disable systemd-resolved (requires writable /etc/resolve.conf):
-`systemctl mask systemd-resolved.service`
-`systemctl mask systemd-hostnamed.service`
-`systemctl mask systemd-timesyncd.service`
-`systemctl mask systemd-update-utmp.service`
-`systemctl mask systemd-update-utmp-runlevel.service`
+https://www.onlogic.com/blog/how-to-build-a-read-only-linux-system/
-`systemctl mask ModemManager.service`
-`systemctl mask man-db.service`
-`systemctl mask logrotate.service`
-`systemctl mask grub-initrd-fallback.service`
-`systemctl mask grub-common.service`
-`systemctl mask snapd`
+`/etc/initramfs-tools/hooks/ro_root`
-`systemctl enable tmp.mount`
+```bash
+#!/bin/sh
-`mksquashfs / /opt/fiks-image.squashfs -e /proc /sys /dev /tmp /run /mnt /media /var/cache /var/tmp /opt`
+PREREQ=''
+
+prereqs() {
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+. /usr/share/initramfs-tools/hook-functions
+manual_add_modules aufs
+manual_add_modules tmpfs
+copy_exec /bin/chmod /bin
+```
+
+
+`/etc/initramfs-tools/scripts/init-bottom/ro_root`
+
+```bash
+#!/bin/sh
+
+PREREQ=''
+
+prereqs() {
+ echo "$PREREQ"
+}
+
+case $1 in
+prereqs)
+ prereqs
+ exit 0
+ ;;
+esac
+
+ro_mount_point="${rootmnt%/}.ro"
+rw_mount_point="${rootmnt%/}.rw"
+
+# Create mount points for the read-only and read/write layers:
+mkdir "${ro_mount_point}" "${rw_mount_point}"
+
+# Move the already-mounted root filesystem to the ro mount point:
+mount --move "${rootmnt}" "${ro_mount_point}"
+
+# Mount the read/write filesystem:
+mount -t tmpfs root.rw "${rw_mount_point}"
+
+# Mount the union:
+mount -t aufs -o "dirs=${rw_mount_point}=rw:${ro_mount_point}=ro" root.union "${rootmnt}"
+
+# Correct the permissions of /:
+chmod 755 "${rootmnt}"
+
+# Make sure the individual ro and rw mounts are accessible from within the root
+# once the union is assumed as /. This makes it possible to access the
+# component filesystems individually.
+mkdir "${rootmnt}/ro" "${rootmnt}/rw"
+mount --bind "${ro_mount_point}" "${rootmnt}/ro"
+mount --bind "${rw_mount_point}" "${rootmnt}/rw"
+```
+
+`update-initramfs -u`
 `scp initrd.img server@192.168.11.11:/srv/nfs/`
+`mksquashfs / /opt/fiks-image.squashfs -e /proc /sys /dev /tmp /run /mnt /media /var/cache /var/tmp /opt`
+
+
 ## Back on the server
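Review bot: The `mount -t aufs …` line in the init-bottom script is unchecked although the real root was already moved off `${rootmnt}` two commands earlier, so if the union mount fails (for instance because the running kernel has no `aufs` module — the module list just above the hunk names `overlay`, so this looks possible) `${rootmnt}` is left empty and the boot fails later with an error that does not point at this script; the `mount --move` and the tmpfs mount are unchecked in the same way. I would guard the union mount and put the root back so the failure is explicit: `mount -t aufs -o "dirs=${rw_mount_point}=rw:${ro_mount_point}=ro" root.union "${rootmnt}" \` followed by `  || { mount --move "${ro_mount_point}" "${rootmnt}"; panic "ro_root: union mount failed, root restored"; }` (`panic` is provided by the initramfs-tools `scripts/functions` that `/init` sources before running init-bottom scripts). The tmpfs upper layer is mounted with neither `size=` nor `mode=`, so writes to / are bounded only by the tmpfs default of half of RAM, and `mount -t tmpfs -o mode=755,size=<LIMIT-placeholder> root.rw "${rw_mount_point}"` should also make the later `chmod 755` and the hook's `copy_exec /bin/chmod /bin` unnecessary. Separately, after `update-initramfs -u` the artifact is `/boot/initrd.img-$(uname -r)`, not `./initrd.img`, so the unchanged `scp initrd.img …` line no longer matches the new build step.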