From: Mark Hatle <mark.hatle@windriver.com>
To: <openembedded-core@lists.openembedded.org>
Subject: Re: [RFC PATCH] bind: add support for read-only rootfs
Date: Thu, 21 Nov 2013 01:02:11 -0600 [thread overview]
Message-ID: <528DAFF3.2070006@windriver.com> (raw)
In-Reply-To: <1385017169-22068-1-git-send-email-mark.hatle@windriver.com>
Sorry, I forgot to add: this requires the patch that was sent to the list
on 2013-09-29 -- bind: run in the chrooted jail
On 11/21/13, 12:59 AM, Mark Hatle wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> This patch adds support for read-only rootfs to the bind service.
>
> Now the init script will check a variable, ALLOW_ROOTFS_READ_ONLY,
> to see whether it should start the bind service in a read-only rootfs
> or not. The value is unset by default, so starting the bind service in a
> read-only rootfs is disabled. If the variable is set to "yes", as
> described in the configuration file, the init script will try to make
> the necessary bind mounts so that the bind service can start correctly.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
> meta/recipes-connectivity/bind/bind-9.8.1/bind9 | 3 +
> .../init.d-add-support-for-read-only-rootfs.patch | 70 +++++++++++++++++
> .../bind/bind-9.8.1/init.d-fix-indentation.patch | 90 ++++++++++++++++++++++
> meta/recipes-connectivity/bind/bind_9.8.1.bb | 3 +
> 4 files changed, 166 insertions(+)
> create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
> create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
>
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind9 b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> index 3d5b69b..2774334 100644
> --- a/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> @@ -28,3 +28,6 @@
> ROOTDIR="/var/named/chroot"
> OPTIONS="-u bind"
>
> +# When using a read-only rootfs additional setup may be required
> +# uncomment the following line to make bind start in read-only rootfs
> +#ALLOW_ROOTFS_READ_ONLY="yes"
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
> new file mode 100644
> index 0000000..13166da
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
> @@ -0,0 +1,70 @@
> +Subject: init.d: add support for read-only rootfs
> +
> +Upstream-Status: Inappropriate [oe-core specific]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + init.d | 45 +++++++++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 45 insertions(+)
> +
> +diff --git a/init.d b/init.d
> +index 4a1faaa..70e0219 100644
> +--- a/init.d
> ++++ b/init.d
> +@@ -6,8 +6,53 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
> + # Don't modify this line, change or create /etc/default/bind9.
> + OPTIONS=""
> +
> ++test -f /etc/default/rcS && . /etc/default/rcS
> + test -f /etc/default/bind9 && . /etc/default/bind9
> +
> ++# This function is here because it's possible that /var and / are on different partitions.
> ++is_on_read_only_partition () {
> ++ DIRECTORY=$1
> ++ dir=`readlink -f $DIRECTORY`
> ++ while true; do
> ++ if [ ! -d "$dir" ]; then
> ++ echo "ERROR: $dir is not a directory"
> ++ exit 1
> ++ else
> ++ for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
> ++ END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
> ++ [ "$flag" = "FOUND" ] && partition="read-write"
> ++ [ "$flag" = "ro" ] && { partition="read-only"; break; }
> ++ done
> ++ if [ "$dir" = "/" -o -n "$partition" ]; then
> ++ break
> ++ else
> ++ dir=`dirname $dir`
> ++ fi
> ++ fi
> ++ done
> ++ [ "$partition" = "read-only" ] && echo "yes" || echo "no"
> ++}
> ++
> ++bind_mount () {
> ++ olddir=$1
> ++ newdir=$2
> ++ mkdir -p $olddir
> ++ cp -a $newdir/* $olddir
> ++ mount --bind $olddir $newdir
> ++}
> ++
> ++# Deal with read-only rootfs
> ++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
> ++ if [ "$ALLOW_ROOTFS_READ_ONLY" = "yes" ]; then
> ++ [ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
> ++ [ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
> ++ [ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
> ++ else
> ++ [ "$VERBOSE" != "no" ] && echo "WARN: read-only rootfs, bind service disabled"
> ++ exit 0
> ++ fi
> ++fi
> ++
> + test -x /usr/sbin/rndc || exit 0
> +
> + if [ -n "$ROOTDIR" ]; then
> +--
> +1.8.3.1
> +
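Review bot: In `is_on_read_only_partition` the `ERROR: $dir is not a directory` diagnostic is written to stdout and the `exit 1` only leaves the backtick subshell, so at the two call sites inside the read-only block the error text is merely compared against "yes" and the script carries on without the bind mount and without any message reaching the console. Send the diagnostic to stderr with `echo "ERROR: $dir is not a directory" >&2` and have each caller treat anything other than a literal `yes` or `no` (or a non-zero status) as a failure rather than silently taking the "not read-only" path. The same function and `bind_mount` leave `$DIRECTORY`, `$dir`, `$olddir` and `$newdir` unquoted (`readlink -f $DIRECTORY`, `dirname $dir`, `cp -a $newdir/* $olddir`, `mount --bind $olddir $newdir`), which breaks on paths containing whitespace, and in `bind_mount` the `*` glob also skips dotfiles and produces a cp error when `$newdir` is empty, after which the mount is still attempted because the script does not stop on errors. `bind_mount`'s parameter names read backwards — `olddir` is the writable copy under /var/volatile and `newdir` is the original location being overlaid — so a header comment such as `# bind_mount <writable-copy> <original-dir>: populate writable-copy from original-dir, then bind-mount it over original-dir` would spare the next reader a trip through the body.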
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
> new file mode 100644
> index 0000000..0833685
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
> @@ -0,0 +1,90 @@
> +Subject: init.d: fix indentation
> +
> +Upstream-Status: Inappropriate [oe-core specific]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + init.d | 64 ++++++++++++++++++++++++++++++++--------------------------------
> + 1 file changed, 32 insertions(+), 32 deletions(-)
> +
> +diff --git a/init.d b/init.d
> +index ff641ea..4a1faaa 100644
> +--- a/init.d
> ++++ b/init.d
> +@@ -22,41 +22,41 @@ ROOTDIR_MOUNT='/etc/bind /var/run/named /var/run/bind /var/cache/bind
> + /etc/localtime /dev/random /dev/zero /dev/null'
> +
> + mount_chroot_conf() {
> +- if [ -n "$ROOTDIR" ]; then
> +- for all in $ROOTDIR_MOUNT; do
> +- # Skip nonexistant files
> +- [ -e "$all" ] || continue
> +-
> +- # If mount source is a file
> +- if ! [ -d "$all" ]; then
> +- # mount it only if it is not present in chroot or it is empty
> +- if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
> +- touch "$ROOTDIR$all"
> +- mount --bind "$all" "$ROOTDIR$all"
> +- fi
> +- else
> +- # Mount source is a directory. Mount it only if directory in chroot is
> +- # empty.
> +- if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
> +- mount --bind "$all" "$ROOTDIR$all"
> +- fi
> +- fi
> +- done
> +- fi
> ++ if [ -n "$ROOTDIR" ]; then
> ++ for all in $ROOTDIR_MOUNT; do
> ++ # Skip nonexistant files
> ++ [ -e "$all" ] || continue
> ++
> ++ # If mount source is a file
> ++ if ! [ -d "$all" ]; then
> ++ # mount it only if it is not present in chroot or it is empty
> ++ if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
> ++ touch "$ROOTDIR$all"
> ++ mount --bind "$all" "$ROOTDIR$all"
> ++ fi
> ++ else
> ++ # Mount source is a directory. Mount it only if directory in chroot is
> ++ # empty.
> ++ if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
> ++ mount --bind "$all" "$ROOTDIR$all"
> ++ fi
> ++ fi
> ++ done
> ++ fi
> + }
> +
> + umount_chroot_conf() {
> +- if [ -n "$ROOTDIR" ]; then
> +- for all in $ROOTDIR_MOUNT; do
> +- # Check if file is mount target. Do not use /proc/mounts because detecting
> +- # of modified mounted files can fail.
> +- if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
> +- umount "$ROOTDIR$all"
> +- # Remove temporary created files
> +- [ -f "$all" ] && rm -f "$ROOTDIR$all"
> +- fi
> +- done
> +- fi
> ++ if [ -n "$ROOTDIR" ]; then
> ++ for all in $ROOTDIR_MOUNT; do
> ++ # Check if file is mount target. Do not use /proc/mounts because detecting
> ++ # of modified mounted files can fail.
> ++ if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
> ++ umount "$ROOTDIR$all"
> ++ # Remove temporary created files
> ++ [ -f "$all" ] && rm -f "$ROOTDIR$all"
> ++ fi
> ++ done
> ++ fi
> + }
> +
> + case "$1" in
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-connectivity/bind/bind_9.8.1.bb b/meta/recipes-connectivity/bind/bind_9.8.1.bb
> index b28829b..66a092c 100644
> --- a/meta/recipes-connectivity/bind/bind_9.8.1.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.8.1.bb
> @@ -21,6 +21,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
> file://mips1-not-support-opcode.diff \
> file://bind9 \
> file://setup-chroot-hooks.patch \
> + file://init.d-fix-indentation.patch \
> + file://init.d-add-support-for-read-only-rootfs.patch \
> "
>
> SRC_URI[md5sum] = "cf31117c5d35af34d4c0702970ad9fb7"
> @@ -58,6 +60,7 @@ do_install_append() {
> rm "${D}${mandir}/man1/nslookup.1"
> rmdir "${D}${localstatedir}/run"
> rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
> + install -d "${D}${localstatedir}/cache/bind"
> install -d "${D}${sysconfdir}/bind"
> install -d "${D}${sysconfdir}/init.d"
> install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
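Review bot: The new `install -d "${D}${localstatedir}/cache/bind"` is not explained in the commit message; presumably it exists so that /var/cache/bind, which the init.d ROOTDIR_MOUNT list names, is present to be bind-mounted into the chroot, but that should be stated in the message or as a comment on the line. If named (started with `-u bind` per OPTIONS in the bind9 defaults file) is expected to write into this directory, a plain `install -d` leaves it root-owned with the default mode, so check whether an ownership or mode setting is needed; that cannot be determined from this hunk alone. do_install_append continues outside the hunk.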
>