Hi,

Our organization uses a diskless setup to boot hundreds of machines using a read-only NFS export of their common rootfs.

To be able to run services that need to write in /var, we can't just have /var as a tmpfs, because it contains files installed by packages that are required by some services to run. Our current solution was to have /var read-only, but have a list of directories where some services actually write (/var/log, /var/spool/mail, etc.) and mount them as tmpfs.

This year, some services like systemd-timesyncd are shipped with DynamicUser=yes by default in our distribution (Arch Linux), which means the above solution no longer works. My understanding is that systemd requires a writable /var to be able to symlink the state directory the first time it is launched.

Our only option here, if we don't want to manually disable dynamic users in all the services, seems to be to mount /var in a copy-on-write overlayfs. We could do that, but it's a bit cutting edge and dangerous for us. Two years ago, overlayfs didn't even support NFS as its lower directory, which is why we have avoided it so far.

As I know you don't like to add requirements to have a writable /var, I'd love to have your input on this issue! Is there anything we missed that would allow us to keep using dynamic user services with a read-only /var, or do we have to use the overlay solution?

Thanks,

--
Antoine Pietri