* [PATCH 0/3] Add sub dir for passwd files
@ 2023-11-14 20:34 Joakim Tjernlund
From: Joakim Tjernlund @ 2023-11-14 20:34 UTC
To: openembedded-core; +Cc: Joakim Tjernlund
These patches add the possibility to store passwd/shadow files
in a sub dir, like /etc/pwdb.
In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
to support password changes etc.
This patchset is to probe whether OE would be interested in such a feature.
Joakim Tjernlund (3):
base-passwd: Add PW_SUBDIR
shadow: Add PW_SUBDIR
pseudo: Add PW_SUBDIR
.../base-passwd/base-passwd_3.5.29.bb | 24 +++--
meta/recipes-devtools/pseudo/pseudo.inc | 11 ++-
.../0001-Define-SUBUID_FILE-SUBGID_FILE.patch | 92 +++++++++++++++++++
meta/recipes-extended/shadow/shadow.inc | 30 +++++-
4 files changed, 142 insertions(+), 15 deletions(-)
create mode 100644 meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch
--
2.41.0
^ permalink raw reply [flat|nested] 12+ messages in thread* [PATCH 1/3] base-passwd: Add PW_SUBDIR 2023-11-14 20:34 [PATCH 0/3] Add sub dir for passwd files Joakim Tjernlund @ 2023-11-14 20:34 ` Joakim Tjernlund 2023-11-14 20:34 ` [PATCH 2/3] shadow: " Joakim Tjernlund ` (2 subsequent siblings) 3 siblings, 0 replies; 12+ messages in thread From: Joakim Tjernlund @ 2023-11-14 20:34 UTC (permalink / raw) To: openembedded-core; +Cc: Joakim Tjernlund Add support for creating passwd files in a /etc subdir Set PW_SUBIR to pwdb to get passwd files in /etc/pwdb Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> --- .../base-passwd/base-passwd_3.5.29.bb | 24 ++++++++++++------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb index ef7792ae49..e453be0763 100644 --- a/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb +++ b/meta/recipes-core/base-passwd/base-passwd_3.5.29.bb @@ -20,6 +20,9 @@ SRC_URI = "https://launchpad.net/debian/+archive/primary/+files/${BPN}_${PV}.tar SRC_URI[md5sum] = "6beccac48083fe8ae5048acd062e5421" SRC_URI[sha256sum] = "f0b66388b2c8e49c15692439d2bee63bcdd4bbbf7a782c7f64accc55986b6a36" +#Set PW_SUBDIR to pwdb to get passwd files in /etc/pwdb +PW_SUBDIR ?= "" + # the package is taken from launchpad; that source is static and goes stale # so we check the latest upstream from a directory that does get updated UPSTREAM_CHECK_URI = "${DEBIAN_MIRROR}/main/b/base-passwd/" 
@@ -50,10 +53,11 @@ basepasswd_sysroot_postinst() { #!/bin/sh # Install passwd.master and group.master to sysconfdir -install -d -m 755 ${STAGING_DIR_TARGET}${sysconfdir} +install -d -m 755 ${STAGING_DIR_TARGET}${sysconfdir}/${PW_SUBDIR} for i in passwd group; do install -p -m 644 ${STAGING_DIR_TARGET}${datadir}/base-passwd/\$i.master \ - ${STAGING_DIR_TARGET}${sysconfdir}/\$i + ${STAGING_DIR_TARGET}${sysconfdir}/${PW_SUBDIR}/\$i + [ -n "${PW_SUBDIR}" ] && ln -fs ${PW_SUBDIR}/\$i ${STAGING_DIR_TARGET}${sysconfdir}/\$i done # Run any useradd postinsts @@ -89,15 +93,19 @@ python populate_packages:prepend() { f.close() preinst = """#!/bin/sh -mkdir -p $D${sysconfdir} -if [ ! -e $D${sysconfdir}/passwd ]; then -\tcat << 'EOF' > $D${sysconfdir}/passwd +mkdir -p $D${sysconfdir}/${PW_SUBDIR} +if [ ! -e $D${sysconfdir}/${PW_SUBDIR}/passwd ]; then +\tcat << 'EOF' > $D${sysconfdir}/${PW_SUBDIR}/passwd """ + passwd + """EOF fi -if [ ! -e $D${sysconfdir}/group ]; then -\tcat << 'EOF' > $D${sysconfdir}/group +if [ ! -e $D${sysconfdir}/${PW_SUBDIR}/group ]; then +\tcat << 'EOF' > $D${sysconfdir}/${PW_SUBDIR}/group """ + group + """EOF fi +if [ -n "${PW_SUBDIR}" ]; then +ln -fs ${PW_SUBDIR}/passwd $D${sysconfdir}/passwd +ln -fs ${PW_SUBDIR}/group $D${sysconfdir}/group +fi """ d.setVar(d.expand('pkg_preinst:${PN}'), preinst) } @@ -114,5 +122,5 @@ pkg_postinst:${PN}-update () { if [ -n "$D" ]; then exit 0 fi -${sbindir}/update-passwd +${sbindir}/update-passwd -P /etc/${PW_SUBDIR}/passwd -S /etc/${PW_SUBDIR}/shadow -G /etc/${PW_SUBDIR}/group } -- 2.41.0 ^ permalink raw reply related [flat|nested] 12+ messages in thread
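Review bot: In the populate_packages:prepend preinst hunk, the unconditional ln -fs ${PW_SUBDIR}/passwd $D${sysconfdir}/passwd (and the matching line for group) replaces an existing regular file with a symlink, and because the preceding [ ! -e $D${sysconfdir}/${PW_SUBDIR}/passwd ] branch seeds the subdir from the packaged defaults, a system that already has accounts in /etc/passwd loses them the first time PW_SUBDIR is enabled. Move an existing non-symlink file into ${PW_SUBDIR} before creating the link, or state that switching layouts on an installed system is unsupported. The new directory is also created with plain mkdir -p here, while the sysroot postinst uses install -d -m 755; set the mode explicitly in both places.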
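Review bot: In the pkg_postinst:${PN}-update hunk the update-passwd arguments hardcode /etc (-P /etc/${PW_SUBDIR}/passwd -S /etc/${PW_SUBDIR}/shadow -G /etc/${PW_SUBDIR}/group) while the rest of the patch builds paths from ${sysconfdir}; use ${sysconfdir} here too. With the default PW_SUBDIR ?= "" the options are still passed and expand to /etc//passwd, so the default build no longer invokes update-passwd the way it did before this change; passing the three options only when PW_SUBDIR is non-empty keeps the existing behaviour untouched.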
* [PATCH 2/3] shadow: Add PW_SUBDIR 2023-11-14 20:34 [PATCH 0/3] Add sub dir for passwd files Joakim Tjernlund 2023-11-14 20:34 ` [PATCH 1/3] base-passwd: Add PW_SUBDIR Joakim Tjernlund @ 2023-11-14 20:34 ` Joakim Tjernlund 2023-11-15 12:35 ` [OE-core] " Alexander Kanavin 2023-11-14 20:34 ` [PATCH 3/3] pseudo: " Joakim Tjernlund 2023-11-29 11:56 ` [OE-core] [PATCH 0/3] Add sub dir for passwd files Ross Burton 3 siblings, 1 reply; 12+ messages in thread From: Joakim Tjernlund @ 2023-11-14 20:34 UTC (permalink / raw) To: openembedded-core; +Cc: Joakim Tjernlund Add support for creating passwd files in a /etc subdir Set PW_SUBIR to pwdb to get passwd files in /etc/pwdb Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> --- .../0001-Define-SUBUID_FILE-SUBGID_FILE.patch | 92 +++++++++++++++++++ meta/recipes-extended/shadow/shadow.inc | 30 +++++- 2 files changed, 118 insertions(+), 4 deletions(-) create mode 100644 meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch diff --git a/meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch b/meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch new file mode 100644 index 0000000000..b02a61e3c2 --- /dev/null +++ b/meta/recipes-extended/shadow/files/0001-Define-SUBUID_FILE-SUBGID_FILE.patch 
@@ -0,0 +1,92 @@ +From f605fb315faef7ddcad70d638f3b3aa16ea98fc0 Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund <joakim.tjernlund@infinera.com> +Date: Thu, 2 Nov 2023 00:27:10 +0100 +Subject: [PATCH] Define SUBUID_FILE/SUBGID_FILE + +Upstream-Status: Pending + +These where hard coded, make them definable like SHADOW_FILE + +Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> +--- + lib/defines.h | 8 ++++++++ + lib/subordinateio.c | 6 +++--- + libmisc/prefix_flag.c | 8 ++++---- + 3 files changed, 15 insertions(+), 7 deletions(-) + +diff --git a/lib/defines.h b/lib/defines.h +index fc1521c..27b220f 100644 +--- a/lib/defines.h ++++ b/lib/defines.h +@@ -312,6 +312,14 @@ char *strchr (), *strrchr (), *strtok (); + #define SHADOW_FILE "/etc/shadow" + #endif + ++#ifndef SUBUID_FILE ++#define SUBUID_FILE "/etc/subuid" ++#endif ++ ++#ifndef SUBGID_FILE ++#define SUBGID_FILE "/etc/subgid" ++#endif ++ + #ifdef SHADOWGRP + #ifndef SGROUP_FILE + #define SGROUP_FILE "/etc/gshadow" +diff --git a/lib/subordinateio.c b/lib/subordinateio.c +index 9ca70b8..9ddc5e1 100644 +--- a/lib/subordinateio.c ++++ b/lib/subordinateio.c +@@ -206,7 +206,7 @@ static const struct subordinate_range *find_range(struct commonio_db *db, + /* + * We only do special handling for these two files + */ +- if ((0 != strcmp(db->filename, "/etc/subuid")) && (0 != strcmp(db->filename, "/etc/subgid"))) ++ if ((0 != strcmp(db->filename, SUBUID_FILE)) && (0 != strcmp(db->filename, SUBGID_FILE))) + return NULL; + + /* +@@ -554,7 +554,7 @@ static int remove_range (struct commonio_db *db, + } + + static struct commonio_db subordinate_uid_db = { +- "/etc/subuid", /* filename */ ++ SUBUID_FILE, /* filename */ + &subordinate_ops, /* ops */ + NULL, /* fp */ + #ifdef WITH_SELINUX +@@ -650,7 +650,7 @@ uid_t sub_uid_find_free_range(uid_t min, uid_t max, unsigned long count) + } + + static struct commonio_db subordinate_gid_db = { +- "/etc/subgid", /* filename */ ++ SUBGID_FILE, /* filename */ + &subordinate_ops, 
/* ops */ + NULL, /* fp */ + #ifdef WITH_SELINUX +diff --git a/libmisc/prefix_flag.c b/libmisc/prefix_flag.c +index d4dfbc2..0e7dfa7 100644 +--- a/libmisc/prefix_flag.c ++++ b/libmisc/prefix_flag.c +@@ -120,14 +120,14 @@ extern const char* process_prefix_flag (const char* short_opt, int argc, char ** + spw_setdbname(spw_db_file); + + #ifdef ENABLE_SUBIDS +- len = strlen(prefix) + strlen("/etc/subuid") + 2; ++ len = strlen(prefix) + strlen(SUBUID_FILE) + 2; + suid_db_file = xmalloc(len); +- snprintf(suid_db_file, len, "%s/%s", prefix, "/etc/subuid"); ++ snprintf(suid_db_file, len, "%s/%s", prefix, SUBUID_FILE); + sub_uid_setdbname(suid_db_file); + +- len = strlen(prefix) + strlen("/etc/subgid") + 2; ++ len = strlen(prefix) + strlen(SUBGID_FILE) + 2; + sgid_db_file = xmalloc(len); +- snprintf(sgid_db_file, len, "%s/%s", prefix, "/etc/subgid"); ++ snprintf(sgid_db_file, len, "%s/%s", prefix, SUBGID_FILE); + sub_gid_setdbname(sgid_db_file); + #endif + +-- +2.41.0 + diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc index 3c1dd2f98e..bcb9b09a49 100644 --- a/meta/recipes-extended/shadow/shadow.inc +++ b/meta/recipes-extended/shadow/shadow.inc @@ -18,6 +18,7 @@ SRC_URI = "https://github.com/shadow-maint/shadow/releases/download/v${PV}/${BP} file://useradd \ file://CVE-2023-29383.patch \ file://0001-Overhaul-valid_field.patch \ + file://0001-Define-SUBUID_FILE-SUBGID_FILE.patch \ " SRC_URI:append:class-target = " \ 
@@ -46,6 +47,21 @@ PAM_SRC_URI = "file://pam.d/chfn \ file://pam.d/passwd \ file://pam.d/su" +#Set PW_SUBDIR to pwdb to get passwd files in /etc/pwdb +PW_SUBDIR ?= "" +PWPRE = "/etc/${PW_SUBDIR}" +CFLAGS:append = ' -DPASSWD_FILE=\\"${PWPRE}/passwd\\"' +CFLAGS:append = ' -DSHADOW_FILE=\\"${PWPRE}/shadow\\"' +CFLAGS:append = ' -DGROUP_FILE=\\"${PWPRE}/group\\"' +CFLAGS:append = ' -DSGROUP_FILE=\\"${PWPRE}/gshadow\\"' +CFLAGS:append = ' -DSUBUID_FILE=\\"${PWPRE}/subuid\\"' +CFLAGS:append = ' -DSUBGID_FILE=\\"${PWPRE}/subgid\\"' + +#shadow has it own impl. that uses whatever dir passwd files are in +do_configure:prepend () { + sed -i -e 's/lckpwdf//' ${S}/configure.ac +} + inherit autotools gettext export CONFIG_SHELL="/bin/sh" @@ -157,9 +173,9 @@ do_install:append() { # usermod requires the subuid/subgid files to be in place before being # able to use the -v/-V flags otherwise it fails: # usermod: /etc/subuid does not exist, you cannot use the flags -v or -V - install -d ${D}${sysconfdir} - touch ${D}${sysconfdir}/subuid - touch ${D}${sysconfdir}/subgid + install -d ${D}${sysconfdir}/${PW_SUBDIR} + touch ${D}${sysconfdir}/${PW_SUBDIR}/subuid + touch ${D}${sysconfdir}/${PW_SUBDIR}/subgid } PACKAGES =+ "${PN}-base" @@ -193,12 +209,18 @@ ALTERNATIVE_LINK_NAME[su] = "${base_bindir}/su" PACKAGE_WRITE_DEPS += "shadow-native" pkg_postinst:${PN}:class-target () { + install -d $D${sysconfdir}/${PW_SUBDIR} if [ "x$D" != "x" ]; then rootarg="--root $D" else rootarg="" fi - + if [ -n "${PW_SUBDIR}" ]; then + ln -fs ${PW_SUBDIR}/subuid $D${sysconfdir}/subuid + ln -fs ${PW_SUBDIR}/subgid $D${sysconfdir}/subgid + ln -fs ${PW_SUBDIR}/shadow $D${sysconfdir}/shadow + ln -fs ${PW_SUBDIR}/gshadow $D${sysconfdir}/gshadow + fi pwconv $rootarg || exit 1 grpconv $rootarg || exit 1 } -- 2.41.0 ^ permalink raw reply related [flat|nested] 12+ messages in thread
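Review bot: In the shadow.inc hunk that adds do_configure:prepend, sed -i -e 's/lckpwdf//' ${S}/configure.ac deletes every occurrence of the string lckpwdf from configure.ac with no anchor and no failure when nothing matches, so an upstream change to that line silently turns the edit into a no-op or alters an unrelated line. This changes which password-file locking implementation is built, so carry it as a reviewed patch to configure.ac with its own Upstream-Status, and expand the one-line comment to say which implementation is selected and why. In the same hunk PWPRE hardcodes /etc, whereas the do_install and postinst changes below it use ${sysconfdir}.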
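Review bot: In the pkg_postinst:${PN}:class-target hunk the four ln -fs calls run before pwconv/grpconv and overwrite whatever is at $D${sysconfdir}/shadow and $D${sysconfdir}/gshadow, so an existing regular shadow file holding password hashes is discarded rather than moved into ${PW_SUBDIR}. Test for a non-symlink file and migrate it before linking. The added install -d $D${sysconfdir}/${PW_SUBDIR} also creates the directory that will hold shadow without an explicit mode; pass -m as the base-passwd sysroot postinst does.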
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Alexander Kanavin @ 2023-11-15 12:35 UTC
To: Joakim.Tjernlund; +Cc: openembedded-core

On Tue, 14 Nov 2023 at 21:36, Joakim Tjernlund via
lists.openembedded.org
<Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
> Add support for creating passwd files in a /etc subdir
> +Subject: [PATCH] Define SUBUID_FILE/SUBGID_FILE
> +
> +Upstream-Status: Pending

Pending... what exactly?

In other words, upstream first, please. This is clearly not something
that oe-core should not be carrying and maintaining and rebasing.

Alex
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Joakim Tjernlund @ 2023-11-15 13:42 UTC
To: alex.kanavin@gmail.com; +Cc: openembedded-core@lists.openembedded.org

On Wed, 2023-11-15 at 13:35 +0100, Alexander Kanavin wrote:
> On Tue, 14 Nov 2023 at 21:36, Joakim Tjernlund via
> lists.openembedded.org
> <Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
> > Add support for creating passwd files in a /etc subdir
> > +Subject: [PATCH] Define SUBUID_FILE/SUBGID_FILE
> > +
> > +Upstream-Status: Pending
>
> Pending... what exactly?

Pending merge

>
> In other words, upstream first, please. This is clearly not something
> that oe-core should not be carrying and maintaining and rebasing.

Upstream merged it, see https://github.com/shadow-maint/shadow/commit/ee3a79c6952f8ca649c286c7f76639d9d1dedaad

Jocke
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Alexander Kanavin @ 2023-11-15 13:45 UTC
To: Joakim Tjernlund; +Cc: openembedded-core@lists.openembedded.org

On Wed, 15 Nov 2023 at 14:42, Joakim Tjernlund
<Joakim.Tjernlund@infinera.com> wrote:
> > Pending... what exactly?
>
> Pending merge

If a patch is pending merge, the correct status is 'Submitted' (with a
link). If it's already been merged, the correct status is 'Backport'
(also with a link). 'Pending' is a frowned-upon status used only when
there's a genuine obstacle to upstream submission.

> > In other words, upstream first, please. This is clearly not something
> > that oe-core should not be carrying and maintaining and rebasing.
>
> Upstream merged it, see https://github.com/shadow-maint/shadow/commit/ee3a79c6952f8ca649c286c7f76639d9d1dedaad

You need to resubmit here with the correct upstream-status then.

Alex
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Joakim Tjernlund @ 2023-11-15 14:06 UTC
To: alex.kanavin@gmail.com; +Cc: openembedded-core@lists.openembedded.org

On Wed, 2023-11-15 at 14:45 +0100, Alexander Kanavin wrote:
> On Wed, 15 Nov 2023 at 14:42, Joakim Tjernlund
> <Joakim.Tjernlund@infinera.com> wrote:
> > > Pending... what exactly?
> >
> > Pending merge
>
> If a patch is pending merge, the correct status is 'Submitted' (with a
> link). If it's already been merged, the correct status is 'Backport'
> (also with a link). 'Pending' is a frowned-upon status used only when
> there's a genuine obstacle to upstream submission.

I had no idea, will stay away from Pending then. Thanks.

>
> > > In other words, upstream first, please. This is clearly not something
> > > that oe-core should not be carrying and maintaining and rebasing.
> >
> > Upstream merged it, see https://github.com/shadow-maint/shadow/commit/ee3a79c6952f8ca649c286c7f76639d9d1dedaad
>
> You need to resubmit here with the correct upstream-status then.
>

Will do, I am just not sure on the overall patch submission procedure and what OW in general thinks.
Ideally I would like to have this in Kirkstone (and upwards)

Jocke
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Alexander Kanavin @ 2023-11-15 14:11 UTC
To: Joakim Tjernlund; +Cc: openembedded-core@lists.openembedded.org

On Wed, 15 Nov 2023 at 15:06, Joakim Tjernlund
<Joakim.Tjernlund@infinera.com> wrote:
> Will do, I am just not sure on the overall patch submission procedure and what OW in general thinks.
> Ideally I would like to have this in Kirkstone (and upwards)

Thanks. Whether any additional component patches need to be carried by
oe-core has a big influence on what people think, so it's in your
interest to emphasize from the start that the patches do come from
upstream, and will disappear in a future version update.

Alex
* Re: [OE-core] [PATCH 2/3] shadow: Add PW_SUBDIR
From: Christopher Larson @ 2023-11-15 16:28 UTC
To: alex.kanavin@gmail.com, Joakim.Tjernlund
Cc: openembedded-core@lists.openembedded.org

On Nov 15, 2023 at 7:09 AM -0700, Joakim Tjernlund via lists.openembedded.org <Joakim.Tjernlund=infinera.com@lists.openembedded.org>, wrote:
> On Wed, 2023-11-15 at 14:45 +0100, Alexander Kanavin wrote:
> > On Wed, 15 Nov 2023 at 14:42, Joakim Tjernlund
> > <Joakim.Tjernlund@infinera.com> wrote:
> > > > Pending... what exactly?
> > >
> > > Pending merge
> >
> > If a patch is pending merge, the correct status is 'Submitted' (with a
> > link). If it's already been merged, the correct status is 'Backport'
> > (also with a link). 'Pending' is a frowned-upon status used only when
> > there's a genuine obstacle to upstream submission.
>
> I had no idea, will stay away from Pending then. Thanks.
>
> >
> > > > In other words, upstream first, please. This is clearly not something
> > > > that oe-core should not be carrying and maintaining and rebasing.
> > >
> > > Upstream merged it, see https://github.com/shadow-maint/shadow/commit/ee3a79c6952f8ca649c286c7f76639d9d1dedaad
> >
> > You need to resubmit here with the correct upstream-status then.
> >
>
> Will do, I am just not sure on the overall patch submission procedure and what OW in general thinks.

https://docs.yoctoproject.org/contributor-guide/recipe-style-guide.html#patch-upstream-status in the new contributor guide covers it pretty well now.

--
Christopher Larson
chris_larson@mentor.com, chris.larson@siemens.com, kergoth@gmail.com
Principal Software Engineer, Embedded Linux Solutions, Siemens Digital Industries Software
* [PATCH 3/3] pseudo: Add PW_SUBDIR 2023-11-14 20:34 [PATCH 0/3] Add sub dir for passwd files Joakim Tjernlund 2023-11-14 20:34 ` [PATCH 1/3] base-passwd: Add PW_SUBDIR Joakim Tjernlund 2023-11-14 20:34 ` [PATCH 2/3] shadow: " Joakim Tjernlund @ 2023-11-14 20:34 ` Joakim Tjernlund 2023-11-29 11:56 ` [OE-core] [PATCH 0/3] Add sub dir for passwd files Ross Burton 3 siblings, 0 replies; 12+ messages in thread From: Joakim Tjernlund @ 2023-11-14 20:34 UTC (permalink / raw) To: openembedded-core; +Cc: Joakim Tjernlund Add support for creating passwd files in a /etc subdir Set PW_SUBIR to pwdb to get passwd files in /etc/pwdb Signed-off-by: Joakim Tjernlund <joakim.tjernlund@infinera.com> --- meta/recipes-devtools/pseudo/pseudo.inc | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/meta/recipes-devtools/pseudo/pseudo.inc b/meta/recipes-devtools/pseudo/pseudo.inc index 7e09b6d58c..7ba2e2261c 100644 --- a/meta/recipes-devtools/pseudo/pseudo.inc +++ b/meta/recipes-devtools/pseudo/pseudo.inc @@ -10,6 +10,9 @@ SECTION = "base" LICENSE = "LGPL-2.1-only" DEPENDS = "sqlite3 attr" +#Set PW_SUBDIR to pwdb to get passwd files in /etc/pwdb +PW_SUBDIR ?= "" + FILES:${PN} = "${prefix}/lib/pseudo/lib*/libpseudo.so ${bindir}/* ${localstatedir}/pseudo ${prefix}/var/pseudo" INSANE_SKIP:${PN} += "libdir" INSANE_SKIP:${PN}-dbg += "libdir" 
@@ -131,10 +134,12 @@ do_install () { do_install:append:class-native () { chrpath ${D}${bindir}/pseudo -r `chrpath ${D}${bindir}/pseudo | cut -d = -f 2 | sed s/XORIGIN/\\$ORIGIN/` - install -d ${D}${sysconfdir} + install -d ${D}${sysconfdir}/${PW_SUBDIR} # The fallback files should never be modified - install -m 444 ${WORKDIR}/fallback-passwd ${D}${sysconfdir}/passwd - install -m 444 ${WORKDIR}/fallback-group ${D}${sysconfdir}/group + install -m 444 ${WORKDIR}/fallback-passwd ${D}${sysconfdir}/${PW_SUBDIR}/passwd + [ -n "${PW_SUBDIR}" ] && ln -fs ${PW_SUBDIR}/passwd ${D}${sysconfdir}/passwd + install -m 444 ${WORKDIR}/fallback-group ${D}${sysconfdir}/${PW_SUBDIR}/group + [ -n "${PW_SUBDIR}" ] && ln -fs ${PW_SUBDIR}/group ${D}${sysconfdir}/group # Two native/nativesdk entries below are the same # If necessary install for the alternative machine arch. This is only -- 2.41.0 ^ permalink raw reply related [flat|nested] 12+ messages in thread
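Review bot: The PW_SUBDIR ?= "" default added at the top of pseudo.inc is the third copy of the same assignment (base-passwd and shadow.inc add it too), and the three recipes only produce a consistent layout if all of them see the same value; define it once in shared configuration and document that it has to be set globally, not per recipe. In the do_install:append:class-native hunk, [ -n "${PW_SUBDIR}" ] && ln -fs ... is used where the base-passwd preinst uses an if block; prefer the if form in both so an empty PW_SUBDIR cannot leave a non-zero status behind if one of these lines ever ends the function.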
* Re: [OE-core] [PATCH 0/3] Add sub dir for passwd files
From: Ross Burton @ 2023-11-29 11:56 UTC
To: Joakim.Tjernlund@infinera.com; +Cc: openembedded-core@lists.openembedded.org

On 14 Nov 2023, at 20:34, Joakim Tjernlund via lists.openembedded.org <Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
>
> These patches adds the possibility to store passwd/shadow files
> in a sub dir, like /etc/pwdb
> In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
> to support password changes etc.

What’s so special about passwd/shadow that they need special treatment in for read-only rootfs? What happens when you next want to support changes to /etc/group: do we add another variable for that, or re-use PW_SUBDIR? What about /etc/hostname? This has a scaling problem: it’s solving your one particular problem but not the general problem.

Anyway, isn’t this a solved problem by using overlayfs?

Ross
* Re: [OE-core] [PATCH 0/3] Add sub dir for passwd files
From: Joakim Tjernlund @ 2023-11-29 12:14 UTC
To: Ross.Burton@arm.com; +Cc: openembedded-core@lists.openembedded.org

On Wed, 2023-11-29 at 11:56 +0000, Ross Burton wrote:
> On 14 Nov 2023, at 20:34, Joakim Tjernlund via lists.openembedded.org <Joakim.Tjernlund=infinera.com@lists.openembedded.org> wrote:
> >
> > These patches adds the possibility to store passwd/shadow files
> > in a sub dir, like /etc/pwdb
> > In a RO Root FS one can bind mount a writeable dir on /etc/pwdb
> > to support password changes etc.
>
> What’s so special about passwd/shadow that they need special treatment in for read-only rootfs? What happens when you next want to support changes to /etc/group: do we add another variable for that, or re-use PW_SUBDIR? What about /etc/hostname? This has a scaling problem: it’s solving your one particular problem but not the general problem.
>

You don't think most users want to change default passwd in systems?
group is included in this patch too should you want to add/change group
/etc/hostname can be fixed by using a symlink but managing passwd changes can not as
shadow does not follow symlinks. --root/--prefix options in shadow only works for root user

> Anyway, isn’t this a solved problem by using overlayfs?

That would create other problems, the underlying RO FS needs to stay unchanged over time and
a SW upgrade updating RO FS can change anything in /etc. Could also be considered a security issue as
one could update any file in /etc

Jocke

>
> Ross
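
Added example, not part of the thread and not code from shadow or oe-core: it shows why a per-file symlink for /etc/passwd does not survive an update while the subdirectory layout from this series does. It assumes the tool updates the database by writing a sibling temporary file and renaming it over the original; the helper names and the scratch-directory layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. All paths are constructed inside a scratch directory; the
# real /etc is never touched.

# Assumed update pattern: write "<file>+" beside the database, then rename it
# over "<file>". rename(2) replaces a symlink instead of following it.
atomic_update() {
    printf '%s\n' "$2" > "$1+" || return 1
    mv -f "$1+" "$1"
}

kind() {
    if [ -L "$1" ]; then echo symlink
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

# Layout A: etc/passwd is a symlink to a file on a separate writable volume.
# Prints "<kind of etc/passwd> <content of the writable copy>" after one update.
demo_per_file_symlink() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc" "$root/rw"
    echo old > "$root/rw/passwd"
    ln -s ../rw/passwd "$root/etc/passwd"
    # The temporary file and the rename both land in etc/, which is the
    # read-only part of the system in the scenario discussed above.
    atomic_update "$root/etc/passwd" new
    echo "$(kind "$root/etc/passwd") $(cat "$root/rw/passwd")"
    rm -rf "$root"
}

# Layout B: the PW_SUBDIR layout. etc/pwdb stands in for the bind-mounted
# writable directory; etc/passwd is the compatibility symlink the patches add.
# Prints "<kind of etc/passwd> <content via the symlink> <entries in etc/>".
demo_subdir() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/pwdb"
    echo old > "$root/etc/pwdb/passwd"
    ln -s pwdb/passwd "$root/etc/passwd"
    # Tools built with PASSWD_FILE pointing into the subdir write and rename
    # inside etc/pwdb only.
    atomic_update "$root/etc/pwdb/passwd" new
    entries=$(ls "$root/etc" | tr '\n' ',')
    echo "$(kind "$root/etc/passwd") $(cat "$root/etc/passwd") $entries"
    rm -rf "$root"
}

echo "per-file symlink: $(demo_per_file_symlink)"
echo "PW_SUBDIR layout: $(demo_subdir)"
```

In layout A the symlink is replaced by a regular file and the writable copy still holds the old content; in layout B the symlink is intact, readers of etc/passwd see the new content, and nothing new was created directly in etc/.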