Demo entry 5762776

/lib/systemd/rhel-readonly

   

Submitted by anonymous on Jul 14, 2016 at 11:56
Language: Bash. Code size: 6.0 kB.

#!/bin/bash
#
# Set up readonly-root support.
#

. /etc/init.d/functions

# Check SELinux status
SELINUX_STATE=
if [ -e "/sys/fs/selinux/enforce" ] && [ "$(cat /proc/self/attr/current)" != "kernel" ]; then
	if [ -r "/sys/fs/selinux/enforce" ] ; then
		SELINUX_STATE=$(cat "/sys/fs/selinux/enforce")
	else
		# assume enforcing if you can't read it
		SELINUX_STATE=1
	fi
fi

selinux_fixup() {
	if [ -n "$SELINUX_STATE" ] && [ -e "$1" ]; then
		restorecon -R "$1"
	fi
}

# Only read this once.
[ -z "${cmdline}" ] && cmdline=$(cat /proc/cmdline)

READONLY=
if [ -f /etc/sysconfig/readonly-root ]; then
	. /etc/sysconfig/readonly-root
fi
if strstr "$cmdline" readonlyroot ; then
	READONLY=yes
	[ -z "$RW_MOUNT" ] && RW_MOUNT=/var/lib/stateless/writable
	[ -z "$STATE_MOUNT" ] && STATE_MOUNT=/var/lib/stateless/state
fi
if strstr "$cmdline" noreadonlyroot ; then
	READONLY=no
fi

MOUNTS=()
if [ "$READONLY" = "yes" -o "$TEMPORARY_STATE" = "yes" ]; then

        add_mount() {
                mnt=${1%/}
                MOUNTS=("${MOUNTS[@]}" "$mnt")
        }

        cp_empty() {
                if [ -e "$1" ]; then
			echo "$1" | cpio -p -vd "$RW_MOUNT" &>/dev/null
                        add_mount $1
		fi
        }

        cp_dirs() {
		if [ -e "$1" ]; then
			mkdir -p "$RW_MOUNT$1"
			find "$1" -type d -print0 | cpio -p -0vd "$RW_MOUNT" &>/dev/null
                        add_mount $1
		fi
	}

        cp_files() {
		if [ -e "$1" ]; then
			cp -a --parents "$1" "$RW_MOUNT"
                        add_mount $1
		fi
	}

	# Common mount options for scratch space regardless of
	# type of backing store
	mountopts=

	# Scan partitions for local scratch storage
	rw_mount_dev=$(blkid -t LABEL="$RW_LABEL" -l -o device)

        bindmountopts=
        [ "$SLAVE_MOUNTS" = "yes" ] && bindmountopts="--make-slave"

	# First try to mount scratch storage from /etc/fstab, then any
	# partition with the proper label.  If either succeeds, be sure
	# to wipe the scratch storage clean.  If both fail, then mount
	# scratch storage via tmpfs.
	if mount $mountopts "$RW_MOUNT" > /dev/null 2>&1 ; then
		rm -rf "$RW_MOUNT" > /dev/null 2>&1
	elif [ x$rw_mount_dev != x ] && mount $rw_mount_dev $mountopts "$RW_MOUNT" > /dev/null 2>&1; then
		rm -rf "$RW_MOUNT"  > /dev/null 2>&1
	else
		mount -n -t tmpfs $RW_OPTIONS $mountopts none "$RW_MOUNT"
	fi

	for file in /etc/rwtab /etc/rwtab.d/* /run/initramfs/rwtab ; do
		is_ignored_file "$file" && continue
	[ -f $file ] && while read type path ; do
			case "$type" in
				empty)
					cp_empty $path
					;;
				files)
					cp_files $path
					;;
				dirs)
					cp_dirs $path
					;;
				*)
					;;
			esac
                done < <(cat $file)
	done

        for m in "${MOUNTS[@]}"; do
                prefix=0
                for mount_point in "${MOUNTS[@]}"; do
                        [[ $m = $mount_point ]] && continue
                        if [[ $m =~ ^$mount_point/.* ]] ; then
                                prefix=1
                                break
                        fi
                done
                [[ $prefix -eq 1 ]] && continue

                mount -n --bind $bindmountopts "$RW_MOUNT$m" "$m"
	        selinux_fixup "$m"
        done

	# Use any state passed by initramfs
	[ -d /run/initramfs/state ] && cp -a /run/initramfs/state/* $RW_MOUNT

	# In theory there should be no more than one network interface active
	# this early in the boot process -- the one we're booting from.
	# Use the network address to set the hostname of the client.  This
	# must be done even if we have local storage.
	ipaddr=
	if [ "$HOSTNAME" = "localhost" -o "$HOSTNAME" = "localhost.localdomain" ]; then
		ipaddr=$(ip addr show to 0.0.0.0/0 scope global | awk '/[[:space:]]inet / { print gensub("/.*","","g",$2) }')
		for ip in $ipaddr ; do
			HOSTNAME=
			eval $(ipcalc -h $ipaddr 2>/dev/null)
			[ -n "$HOSTNAME" ] && { hostname ${HOSTNAME} ; break; }
		done
	fi

	# Clients with read-only root filesystems may be provided with a
	# place where they can place minimal amounts of persistent
	# state.  SSH keys or puppet certificates for example.
	#
	# Ideally we'll use puppet to manage the state directory and to
	# create the bind mounts.  However, until that's all ready this
	# is sufficient to build a working system.

	# First try to mount persistent data from /etc/fstab, then any
	# partition with the proper label, then fallback to NFS
	state_mount_dev=$(blkid -t LABEL="$STATE_LABEL" -l -o device)
	if mount $mountopts $STATE_OPTIONS "$STATE_MOUNT" > /dev/null 2>&1 ; then
		/bin/true
	elif [ x$state_mount_dev != x ] && mount $state_mount_dev $mountopts "$STATE_MOUNT" > /dev/null 2>&1;  then
		/bin/true
	elif [ ! -z "$CLIENTSTATE" ]; then
		# No local storage was found.  Make a final attempt to find
		# state on an NFS server.

		mount -t nfs $CLIENTSTATE/$HOSTNAME $STATE_MOUNT -o rw,nolock
	fi

	if [ -w "$STATE_MOUNT" ]; then

		mount_state() {
			if [ -e "$1" ]; then
				[ ! -e "$STATE_MOUNT$1" ] && cp -a --parents "$1" "$STATE_MOUNT"
				mount -n --bind $bindmountopts "$STATE_MOUNT$1" "$1"
			fi
		}

		for file in /etc/statetab /etc/statetab.d/* ; do
			is_ignored_file "$file" && continue
			[ ! -f "$file" ] && continue

			if [ -f "$STATE_MOUNT/$file" ] ; then
				mount -n --bind $bindmountopts "$STATE_MOUNT/$file" "$file"
			fi

			for path in $(grep -v "^#" "$file" 2>/dev/null); do
				mount_state "$path"
				selinux_fixup "$path"
			done
		done

		if [ -f "$STATE_MOUNT/files" ] ; then
			for path in $(grep -v "^#" "$STATE_MOUNT/files" 2>/dev/null); do
				mount_state "$path"
				selinux_fixup "$path"
			done
		fi
	fi

        if mount | grep -q /var/lib/nfs/rpc_pipefs ; then
                mount -t rpc_pipefs sunrpc /var/lib/nfs/rpc_pipefs
        fi
fi

This snippet took 0.01 seconds to highlight.

Back to the Entry List or Home.

Delete this entry (admin only).