Hmm, I think you could have the whole /var as a tmpfs and use systemd-tmpfiles (man:tmpfiles.d) to initialize /var at startup by copying some template directory from a read-only location (typically in /usr).

On 16/05/2018 13:29, Antoine Pietri wrote:
> Hi,
>
> Our organization uses a diskless setup to boot hundreds of machines
> using a read-only NFS export of their common rootfs.
>
> To be able to run services that need to write in /var, we can't just
> have /var as a tmpfs, because it contains files installed by packages
> that are required by some services to run. Our current solution was to
> have /var in read-only, but have a list of directories where some
> services actually write (/var/log, /var/spool/mail, etc) and mount
> them as tmpfs.
>
> This year, some services like systemd-timesyncd are shipped with
> DynamicUser=yes by default in our distribution (Archlinux), which
> means the above solution no longer works. My understanding is that
> systemd requires a writable /var to be able to symlink the state
> directory the first time it is launched.
>
> Our only option here, if we don't want to manually disable dynamic
> users in all the services, seems to be to mount /var in a
> copy-on-write overlayfs. We could do that, but it's a bit cutting edge
> and dangerous for us. Two years ago, overlayfs didn't even support nfs
> as its lower directory, that's why we avoided it so far.
>
> As I know you don't like to add requirements to have a writable /var,
> I'd love to have your input on this issue! Is there anything we missed
> that would allow us to keep using dynamic user services with a
> read-only /var, or do we have to use the overlay solution?
>
> Thanks,
> --

Jérémy ROSEN
Technical Architect, Head of Smile-ECS expertise
SMILE <http://www.smile.eu/>
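
The approach suggested in the reply above, sketched as an added tmpfiles.d fragment (not part of the original message and not configuration shipped by systemd or Arch Linux). The file name, the `example-service` paths and the template location under /usr/share/factory are assumptions; substitute the package-installed /var content your services actually need.

```conf
# /etc/tmpfiles.d/var-template.conf   (hypothetical file name)
#
# Assumes /var is mounted as an empty tmpfs before systemd-tmpfiles runs,
# for example with an /etc/fstab entry such as:
#   tmpfs  /var  tmpfs  mode=0755  0  0
#
# Assumes the package-installed content of /var was moved, at image build
# time, to a template tree on the read-only rootfs:
#   /usr/share/factory/var/...

# Type  Path                        Mode  User  Group  Age  Argument

# "C" copies the template recursively, only if the destination does not
# exist yet. On a tmpfs /var that is the case on every boot.
C       /var/lib/example-service    -     -     -      -    /usr/share/factory/var/lib/example-service

# Writable directories that previously had their own tmpfs mounts can be
# plain directories on the single tmpfs.
d       /var/log                    0755  root  root   -
d       /var/spool                  0755  root  root   -
```

With /var writable, services using DynamicUser=yes can create their state directory on first start; everything under /var is lost at reboot and rebuilt from the template.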