Re: Read-only /etc, machine-id with an overlay - journald failing

[Jérémy ROSEN <jeremy.rosen@xxxxxxxx>]

Le jeu. 27 févr. 2020 à 16:30, Andreas Kempe <andreas.kempe@xxxxxxxx> a écrit :

On Thu, Feb 27, 2020 at 10:04:37AM +0100, Jérémy ROSEN wrote:

It is somewhat comforting knowing that others are seeing similar
issues. :)

And not to far... you're a customer of ours :P

(well... actia in Toulouse is...)

 

> I did a complete analysis of what's going on, with a patch that improves
> the situation here : https://github.com/systemd/systemd/pull/14135
> I am not sure how to deal with it in your specific case.
> the simplest approch would be to mount your overlay in a initrd (or in a
> small script shell that is run before systemd and exec systemd as its last
> step)
>

I was contemplating whether it could be acceptable having the same
static machine-id file pre-generated for all systems. I'm not 100% sure
what it's used for, TBH; would it be a really bad idea?

As long as two machines with the same machine-id are never in contact you should be fine...

Theoretically the machine-id should never cross the network, but you never know what individual apps might do

The only place where that could be problematic is the journal : if you mix the logs of multiple machines with the

same machine-id, you won't be able to tell them appart and that might have other side-effects I wouldn't know about...

 

> My patch wouldn't really help in your case, but maybe you can "cheat" by
> having the underlying /etc/machine-id bein a symlink to the overlay
> directory... that could work.
>

I had a look at your patch and as you said, it doesn't really solve
our use case. At the moment, we decided to remove the overlay from the
affected parts and simply require a new system image if one wants to
change /etc.

We were planning on having signed read-only overlays for configuration
in the future so I guess we'll have to investigate this further at a
later date.

Thank you for taking the time to respond!
Cordially,
Andreas Kempe

--