[RFC PATCH] bind: add support for read-only rootfs

[RFC PATCH] bind: add support for read-only rootfs

[Mark Hatle]

From: Chen Qi <Qi.Chen@windriver.com>

This patch adds support for read-only rootfs to the bind service.

Now the init script will check a variable, ALLOW_ROOTFS_READ_ONLY,
to see whether it should start the bind service in a read-only rootfs
or not. The value is by default unset, thus disabling starting bind
service in a read-only rootfs. If the variable is set to "yes", as
stated in the configuration file, the init script would try to make
necessary bind mounts so that the bind service could be started correctly.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
---
 meta/recipes-connectivity/bind/bind-9.8.1/bind9    |  3 +
 .../init.d-add-support-for-read-only-rootfs.patch  | 70 +++++++++++++++++
 .../bind/bind-9.8.1/init.d-fix-indentation.patch   | 90 ++++++++++++++++++++++
 meta/recipes-connectivity/bind/bind_9.8.1.bb       |  3 +
 4 files changed, 166 insertions(+)
 create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
 create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch

diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind9 b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
index 3d5b69b..2774334 100644
--- a/meta/recipes-connectivity/bind/bind-9.8.1/bind9
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
@@ -28,3 +28,6 @@
 ROOTDIR="/var/named/chroot"
 OPTIONS="-u bind"
 
+# When using a read-only rootfs additional setup may be required
+# uncomment the following line to make bind start in read-only rootfs
+#ALLOW_ROOTFS_READ_ONLY="yes"
diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
new file mode 100644
index 0000000..13166da
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
@@ -0,0 +1,70 @@
+Subject: init.d: add support for read-only rootfs
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ init.d | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 45 insertions(+)
+
+diff --git a/init.d b/init.d
+index 4a1faaa..70e0219 100644
+--- a/init.d
++++ b/init.d
+@@ -6,8 +6,53 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
+ # Don't modify this line, change or create /etc/default/bind9.
+ OPTIONS=""
+ 
++test -f /etc/default/rcS && . /etc/default/rcS
+ test -f /etc/default/bind9 && . /etc/default/bind9
+ 
++# This function is here because it's possible that /var and / are on different partitions.
++is_on_read_only_partition () {
++    DIRECTORY=$1
++    dir=`readlink -f $DIRECTORY`
++    while true; do
++	if [ ! -d "$dir" ]; then
++	    echo "ERROR: $dir is not a directory"
++	    exit 1
++	else
++	    for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
++		END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
++		[ "$flag" = "FOUND" ] && partition="read-write"
++		[ "$flag" = "ro" ] && { partition="read-only"; break; }
++	    done
++	    if [ "$dir" = "/" -o -n "$partition" ]; then
++		break
++	    else
++		dir=`dirname $dir`
++	    fi
++	fi
++    done
++    [ "$partition" = "read-only" ] && echo "yes" || echo "no"
++}
++
++bind_mount () {
++    olddir=$1
++    newdir=$2
++    mkdir -p $olddir
++    cp -a $newdir/* $olddir
++    mount --bind $olddir $newdir
++}
++
++# Deal with read-only rootfs
++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
++    if [ "$ALLOW_ROOTFS_READ_ONLY" = "yes" ]; then
++	[ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
++    else
++	[ "$VERBOSE" != "no" ] && echo "WARN: read-only rootfs, bind service disabled"
++	exit 0
++    fi
++fi
++
+ test -x /usr/sbin/rndc || exit 0
+ 
+ if [ -n "$ROOTDIR" ]; then
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
new file mode 100644
index 0000000..0833685
--- /dev/null
+++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
@@ -0,0 +1,90 @@
+Subject: init.d: fix indentation
+
+Upstream-Status: Inappropriate [oe-core specific]
+
+Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
+---
+ init.d | 64 ++++++++++++++++++++++++++++++++--------------------------------
+ 1 file changed, 32 insertions(+), 32 deletions(-)
+
+diff --git a/init.d b/init.d
+index ff641ea..4a1faaa 100644
+--- a/init.d
++++ b/init.d
+@@ -22,41 +22,41 @@ ROOTDIR_MOUNT='/etc/bind /var/run/named /var/run/bind /var/cache/bind
+ /etc/localtime /dev/random /dev/zero /dev/null'
+ 
+ mount_chroot_conf() {
+-  if [ -n "$ROOTDIR" ]; then
+-    for all in $ROOTDIR_MOUNT; do
+-      # Skip nonexistant files
+-      [ -e "$all" ] || continue
+-
+-      # If mount source is a file
+-      if ! [ -d "$all" ]; then
+-        # mount it only if it is not present in chroot or it is empty
+-        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
+-          touch "$ROOTDIR$all"
+-          mount --bind "$all" "$ROOTDIR$all"
+-        fi
+-      else
+-        # Mount source is a directory. Mount it only if directory in chroot is
+-        # empty.
+-	if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
+-          mount --bind "$all" "$ROOTDIR$all"
+-	fi
+-      fi
+-    done
+-  fi
++    if [ -n "$ROOTDIR" ]; then
++	for all in $ROOTDIR_MOUNT; do
++            # Skip nonexistant files
++	    [ -e "$all" ] || continue
++
++            # If mount source is a file
++	    if ! [ -d "$all" ]; then
++                # mount it only if it is not present in chroot or it is empty
++		if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
++		    touch "$ROOTDIR$all"
++		    mount --bind "$all" "$ROOTDIR$all"
++		fi
++	    else
++                # Mount source is a directory. Mount it only if directory in chroot is
++                # empty.
++		if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
++		    mount --bind "$all" "$ROOTDIR$all"
++		fi
++	    fi
++	done
++    fi
+ }
+ 
+ umount_chroot_conf() {
+-  if [ -n "$ROOTDIR" ]; then
+-    for all in $ROOTDIR_MOUNT; do
+-      # Check if file is mount target. Do not use /proc/mounts because detecting
+-      # of modified mounted files can fail.
+-      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
+-        umount "$ROOTDIR$all"
+-        # Remove temporary created files
+-        [ -f "$all" ] && rm -f "$ROOTDIR$all"
+-      fi
+-    done
+-  fi
++    if [ -n "$ROOTDIR" ]; then
++	for all in $ROOTDIR_MOUNT; do
++            # Check if file is mount target. Do not use /proc/mounts because detecting
++            # of modified mounted files can fail.
++	    if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
++		umount "$ROOTDIR$all"
++                # Remove temporary created files
++		[ -f "$all" ] && rm -f "$ROOTDIR$all"
++	    fi
++	done
++    fi
+ }
+ 
+ case "$1" in
+-- 
+1.8.3.1
+
diff --git a/meta/recipes-connectivity/bind/bind_9.8.1.bb b/meta/recipes-connectivity/bind/bind_9.8.1.bb
index b28829b..66a092c 100644
--- a/meta/recipes-connectivity/bind/bind_9.8.1.bb
+++ b/meta/recipes-connectivity/bind/bind_9.8.1.bb
@@ -21,6 +21,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
            file://mips1-not-support-opcode.diff \
            file://bind9 \
            file://setup-chroot-hooks.patch \
+           file://init.d-fix-indentation.patch \
+           file://init.d-add-support-for-read-only-rootfs.patch \
 	   "
 
 SRC_URI[md5sum] = "cf31117c5d35af34d4c0702970ad9fb7"
@@ -58,6 +60,7 @@ do_install_append() {
 	rm "${D}${mandir}/man1/nslookup.1"
 	rmdir "${D}${localstatedir}/run"
 	rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
+	install -d "${D}${localstatedir}/cache/bind"
 	install -d "${D}${sysconfdir}/bind"
 	install -d "${D}${sysconfdir}/init.d"
 	install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
-- 
1.8.1.2.545.g2f19ada

Re: [RFC PATCH] bind: add support for read-only rootfs

[Mark Hatle]

Sorry I forgot to add, this requires the patch that was sent to the list 
2013-09-29 -- bind: run in the chrooted jail

On 11/21/13, 12:59 AM, Mark Hatle wrote:
> From: Chen Qi <Qi.Chen@windriver.com>
>
> This patch adds support for read-only rootfs to the bind service.
>
> Now the init script will check a variable, ALLOW_ROOTFS_READ_ONLY,
> to see whether it should start the bind service in a read-only rootfs
> or not. The value is by default unset, thus disabling starting bind
> service in a read-only rootfs. If the variable is set to "yes", as
> stated in the configuration file, the init script would try to make
> necessary bind mounts so that the bind service could be started correctly.
>
> Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
> ---
>   meta/recipes-connectivity/bind/bind-9.8.1/bind9    |  3 +
>   .../init.d-add-support-for-read-only-rootfs.patch  | 70 +++++++++++++++++
>   .../bind/bind-9.8.1/init.d-fix-indentation.patch   | 90 ++++++++++++++++++++++
>   meta/recipes-connectivity/bind/bind_9.8.1.bb       |  3 +
>   4 files changed, 166 insertions(+)
>   create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
>   create mode 100644 meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
>
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/bind9 b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> index 3d5b69b..2774334 100644
> --- a/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/bind9
> @@ -28,3 +28,6 @@
>   ROOTDIR="/var/named/chroot"
>   OPTIONS="-u bind"
>
> +# When using a read-only rootfs additional setup may be required
> +# uncomment the following line to make bind start in read-only rootfs
> +#ALLOW_ROOTFS_READ_ONLY="yes"
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
> new file mode 100644
> index 0000000..13166da
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-add-support-for-read-only-rootfs.patch
> @@ -0,0 +1,70 @@
> +Subject: init.d: add support for read-only rootfs
> +
> +Upstream-Status: Inappropriate [oe-core specific]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + init.d | 45 +++++++++++++++++++++++++++++++++++++++++++++
> + 1 file changed, 45 insertions(+)
> +
> +diff --git a/init.d b/init.d
> +index 4a1faaa..70e0219 100644
> +--- a/init.d
> ++++ b/init.d
> +@@ -6,8 +6,53 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin
> + # Don't modify this line, change or create /etc/default/bind9.
> + OPTIONS=""
> +
> ++test -f /etc/default/rcS && . /etc/default/rcS
> + test -f /etc/default/bind9 && . /etc/default/bind9
> +
> ++# This function is here because it's possible that /var and / are on different partitions.
> ++is_on_read_only_partition () {
> ++    DIRECTORY=$1
> ++    dir=`readlink -f $DIRECTORY`
> ++    while true; do
> ++	if [ ! -d "$dir" ]; then
> ++	    echo "ERROR: $dir is not a directory"
> ++	    exit 1
> ++	else
> ++	    for flag in `awk -v dir=$dir '{ if ($2 == dir) { print "FOUND"; split($4,FLAGS,",") } }; \
> ++		END { for (f in FLAGS) print FLAGS[f] }' < /proc/mounts`; do
> ++		[ "$flag" = "FOUND" ] && partition="read-write"
> ++		[ "$flag" = "ro" ] && { partition="read-only"; break; }
> ++	    done
> ++	    if [ "$dir" = "/" -o -n "$partition" ]; then
> ++		break
> ++	    else
> ++		dir=`dirname $dir`
> ++	    fi
> ++	fi
> ++    done
> ++    [ "$partition" = "read-only" ] && echo "yes" || echo "no"
> ++}
> ++
> ++bind_mount () {
> ++    olddir=$1
> ++    newdir=$2
> ++    mkdir -p $olddir
> ++    cp -a $newdir/* $olddir
> ++    mount --bind $olddir $newdir
> ++}
> ++
> ++# Deal with read-only rootfs
> ++if [ "$ROOTFS_READ_ONLY" = "yes" ]; then
> ++    if [ "$ALLOW_ROOTFS_READ_ONLY" = "yes" ]; then
> ++	[ "$VERBOSE" != "no" ] && echo "WARN: start bind service in read-only rootfs"
> ++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
> ++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
> ++    else
> ++	[ "$VERBOSE" != "no" ] && echo "WARN: read-only rootfs, bind service disabled"
> ++	exit 0
> ++    fi
> ++fi
> ++
> + test -x /usr/sbin/rndc || exit 0
> +
> + if [ -n "$ROOTDIR" ]; then
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
> new file mode 100644
> index 0000000..0833685
> --- /dev/null
> +++ b/meta/recipes-connectivity/bind/bind-9.8.1/init.d-fix-indentation.patch
> @@ -0,0 +1,90 @@
> +Subject: init.d: fix indentation
> +
> +Upstream-Status: Inappropriate [oe-core specific]
> +
> +Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
> +---
> + init.d | 64 ++++++++++++++++++++++++++++++++--------------------------------
> + 1 file changed, 32 insertions(+), 32 deletions(-)
> +
> +diff --git a/init.d b/init.d
> +index ff641ea..4a1faaa 100644
> +--- a/init.d
> ++++ b/init.d
> +@@ -22,41 +22,41 @@ ROOTDIR_MOUNT='/etc/bind /var/run/named /var/run/bind /var/cache/bind
> + /etc/localtime /dev/random /dev/zero /dev/null'
> +
> + mount_chroot_conf() {
> +-  if [ -n "$ROOTDIR" ]; then
> +-    for all in $ROOTDIR_MOUNT; do
> +-      # Skip nonexistant files
> +-      [ -e "$all" ] || continue
> +-
> +-      # If mount source is a file
> +-      if ! [ -d "$all" ]; then
> +-        # mount it only if it is not present in chroot or it is empty
> +-        if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
> +-          touch "$ROOTDIR$all"
> +-          mount --bind "$all" "$ROOTDIR$all"
> +-        fi
> +-      else
> +-        # Mount source is a directory. Mount it only if directory in chroot is
> +-        # empty.
> +-	if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
> +-          mount --bind "$all" "$ROOTDIR$all"
> +-	fi
> +-      fi
> +-    done
> +-  fi
> ++    if [ -n "$ROOTDIR" ]; then
> ++	for all in $ROOTDIR_MOUNT; do
> ++            # Skip nonexistant files
> ++	    [ -e "$all" ] || continue
> ++
> ++            # If mount source is a file
> ++	    if ! [ -d "$all" ]; then
> ++                # mount it only if it is not present in chroot or it is empty
> ++		if ! [ -e "$ROOTDIR$all" ] || [ `stat -c'%s' "$ROOTDIR$all"` -eq 0 ]; then
> ++		    touch "$ROOTDIR$all"
> ++		    mount --bind "$all" "$ROOTDIR$all"
> ++		fi
> ++	    else
> ++                # Mount source is a directory. Mount it only if directory in chroot is
> ++                # empty.
> ++		if [ -e "$all" ] && [ `ls -1A $ROOTDIR$all | wc -l` -eq 0 ]; then
> ++		    mount --bind "$all" "$ROOTDIR$all"
> ++		fi
> ++	    fi
> ++	done
> ++    fi
> + }
> +
> + umount_chroot_conf() {
> +-  if [ -n "$ROOTDIR" ]; then
> +-    for all in $ROOTDIR_MOUNT; do
> +-      # Check if file is mount target. Do not use /proc/mounts because detecting
> +-      # of modified mounted files can fail.
> +-      if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
> +-        umount "$ROOTDIR$all"
> +-        # Remove temporary created files
> +-        [ -f "$all" ] && rm -f "$ROOTDIR$all"
> +-      fi
> +-    done
> +-  fi
> ++    if [ -n "$ROOTDIR" ]; then
> ++	for all in $ROOTDIR_MOUNT; do
> ++            # Check if file is mount target. Do not use /proc/mounts because detecting
> ++            # of modified mounted files can fail.
> ++	    if mount | grep -q '.* on '"$ROOTDIR$all"' .*'; then
> ++		umount "$ROOTDIR$all"
> ++                # Remove temporary created files
> ++		[ -f "$all" ] && rm -f "$ROOTDIR$all"
> ++	    fi
> ++	done
> ++    fi
> + }
> +
> + case "$1" in
> +--
> +1.8.3.1
> +
> diff --git a/meta/recipes-connectivity/bind/bind_9.8.1.bb b/meta/recipes-connectivity/bind/bind_9.8.1.bb
> index b28829b..66a092c 100644
> --- a/meta/recipes-connectivity/bind/bind_9.8.1.bb
> +++ b/meta/recipes-connectivity/bind/bind_9.8.1.bb
> @@ -21,6 +21,8 @@ SRC_URI = "ftp://ftp.isc.org/isc/bind9/${PV}/${BPN}-${PV}.tar.gz \
>              file://mips1-not-support-opcode.diff \
>              file://bind9 \
>              file://setup-chroot-hooks.patch \
> +           file://init.d-fix-indentation.patch \
> +           file://init.d-add-support-for-read-only-rootfs.patch \
>   	   "
>
>   SRC_URI[md5sum] = "cf31117c5d35af34d4c0702970ad9fb7"
> @@ -58,6 +60,7 @@ do_install_append() {
>   	rm "${D}${mandir}/man1/nslookup.1"
>   	rmdir "${D}${localstatedir}/run"
>   	rmdir --ignore-fail-on-non-empty "${D}${localstatedir}"
> +	install -d "${D}${localstatedir}/cache/bind"
>   	install -d "${D}${sysconfdir}/bind"
>   	install -d "${D}${sysconfdir}/init.d"
>   	install -m 644 ${S}/conf/* "${D}${sysconfdir}/bind/"
>

Re: [RFC PATCH] bind: add support for read-only rootfs

[Phil Blundell]

On Thu, 2013-11-21 at 00:59 -0600, Mark Hatle wrote:
> +# When using a read-only rootfs additional setup may be required
> +# uncomment the following line to make bind start in read-only rootfs
> +#ALLOW_ROOTFS_READ_ONLY="yes"

If the filesystem is read-only then it's going to be fairly difficult
for the user to uncomment this line on the target.

Why would you ever want this variable to be set to anything other than
"yes"?  If your filesystem is not in fact read-only then it isn't going
to have any effect, and if your filesystem is read-only then bind won't
work without it.

> ++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
> ++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named

Is it really necessary to mount a tmpfs at /etc/bind?  Can't those files
just be relocated somewhere else?

p.

Re: [RFC PATCH] bind: add support for read-only rootfs

[Paul Eggleton]

Hi Mark,

On Thursday 21 November 2013 01:02:11 Mark Hatle wrote:
> Sorry I forgot to add, this requires the patch that was sent to the list
> 2013-09-29 -- bind: run in the chrooted jail

... which seems to have been rejected:

http://patches.openembedded.org/patch/53845/

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre

Re: [RFC PATCH] bind: add support for read-only rootfs

[ChenQi]

On 11/21/2013 08:12 PM, Phil Blundell wrote:
> On Thu, 2013-11-21 at 00:59 -0600, Mark Hatle wrote:
>> +# When using a read-only rootfs additional setup may be required
>> +# uncomment the following line to make bind start in read-only rootfs
>> +#ALLOW_ROOTFS_READ_ONLY="yes"
> If the filesystem is read-only then it's going to be fairly difficult
> for the user to uncomment this line on the target.

Hi Phil,

I think the user can remount it read-write or just do it at rootfs time.

> Why would you ever want this variable to be set to anything other than
> "yes"?  If your filesystem is not in fact read-only then it isn't going
> to have any effect, and if your filesystem is read-only then bind won't
> work without it.

The purpose is to disable bind in a read-only file system by default.
But if user really wants it, they can set this value to 'yes'.

>> ++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
>> ++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
> Is it really necessary to mount a tmpfs at /etc/bind?  Can't those files
> just be relocated somewhere else?

I'm afraid not. At least I don't know how.

Best Regards,
Chen Qi

> p.
>
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
>

Re: [RFC PATCH] bind: add support for read-only rootfs

[Phil Blundell]

On Thu, 2013-11-21 at 20:24 +0800, ChenQi wrote:
> The purpose is to disable bind in a read-only file system by default.
> But if user really wants it, they can set this value to 'yes'.

I'm still struggling a bit to understand the reasoning here.  Why would
you install bind in the first place if you didn't want it to be enabled?

p.

Re: [RFC PATCH] bind: add support for read-only rootfs

[Mark Hatle]

On 11/21/13, 6:12 AM, Phil Blundell wrote:
> On Thu, 2013-11-21 at 00:59 -0600, Mark Hatle wrote:
>> +# When using a read-only rootfs additional setup may be required
>> +# uncomment the following line to make bind start in read-only rootfs
>> +#ALLOW_ROOTFS_READ_ONLY="yes"
>
> If the filesystem is read-only then it's going to be fairly difficult
> for the user to uncomment this line on the target.

A post image process script would be capable of un-commenting that line (or 
simply replacing the file with a specific image specific configuration.)

> Why would you ever want this variable to be set to anything other than
> "yes"?  If your filesystem is not in fact read-only then it isn't going
> to have any effect, and if your filesystem is read-only then bind won't
> work without it.
>
>> ++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
>> ++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
>
> Is it really necessary to mount a tmpfs at /etc/bind?  Can't those files
> just be relocated somewhere else?

My understanding is both locations need to be RW for bind to work properly.  In 
a normal READONLY filesystem configuration, neither is RW by default.

--Mark

> p.
>
>

Re: [RFC PATCH] bind: add support for read-only rootfs

[Mark Hatle]

On 11/21/13, 6:40 AM, Phil Blundell wrote:
> On Thu, 2013-11-21 at 20:24 +0800, ChenQi wrote:
>> The purpose is to disable bind in a read-only file system by default.
>> But if user really wants it, they can set this value to 'yes'.
>
> I'm still struggling a bit to understand the reasoning here.  Why would
> you install bind in the first place if you didn't want it to be enabled?

Why do people use core-image-sato, and then try to remove python?

Sorry for the snarkiness, but that's what is being avoided here.

I have to send these patches, due to the YP compliance guidelines, which is why 
this is an RFC and not something I'm suggesting for the actual oe-core.. (since 
the patch it depends on was not accepted.)

--Mark

> p.
>
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>

Re: [RFC PATCH] bind: add support for read-only rootfs

[Phil Blundell]

On Thu, 2013-11-21 at 08:42 -0600, Mark Hatle wrote:
> On 11/21/13, 6:12 AM, Phil Blundell wrote:
> > On Thu, 2013-11-21 at 00:59 -0600, Mark Hatle wrote:
> >> +# When using a read-only rootfs additional setup may be required
> >> +# uncomment the following line to make bind start in read-only rootfs
> >> +#ALLOW_ROOTFS_READ_ONLY="yes"
> >
> > If the filesystem is read-only then it's going to be fairly difficult
> > for the user to uncomment this line on the target.
> 
> A post image process script would be capable of un-commenting that line (or 
> simply replacing the file with a specific image specific configuration.)

That's true, but I still don't understand why this ought to be
necessary.  Why should it not just default to being enabled?

> >> ++	[ `is_on_read_only_partition /etc/bind` = "yes" ] && bind_mount /var/volatile/bind/etc /etc/bind
> >> ++	[ `is_on_read_only_partition /var/named` = "yes" ] && bind_mount /var/volatile/bind/named /var/named
> >
> > Is it really necessary to mount a tmpfs at /etc/bind?  Can't those files
> > just be relocated somewhere else?
> 
> My understanding is both locations need to be RW for bind to work properly.  In 
> a normal READONLY filesystem configuration, neither is RW by default.

What files does it need to write to /etc/bind?

p.

Re: [RFC PATCH] bind: add support for read-only rootfs

[Phil Blundell]

On Thu, 2013-11-21 at 08:44 -0600, Mark Hatle wrote:
> I have to send these patches, due to the YP compliance guidelines, which is why 
> this is an RFC and not something I'm suggesting for the actual oe-core.. (since 
> the patch it depends on was not accepted.)

Ah, right, sorry, I hadn't quite understood that you didn't plan on
actually getting this patch merged.  If this was just an informational
"this is what Wind River is doing internally" then obviously that's
fine.

p.