"How" is the read-only mechanism for / achieved? (looks like rw mount but is not)

Ask Fedora
1

Hi,

I’m trying Kinoite and want to understand how the read-only mechanism for the (mounted /) is achieved.
If I look at the output of mount or findmnt, it looks like / has rw (read-write) rights.
I also “found out” that a write to /usr/any gives a “read-only” error, but to /any a “permission denied” error.

I couldn’t really find any explanations except that the root is read-only and so on. But not “how.” Attributes of selinux? Other magic?
Can someone explain it (in a short manner) or has useful links? Thanks!

image
image2560×1440 978 KB

2

OSTree or libostree do the magic.
Immuntable system image.

/var and /etc, and of course /home are writable.

3

It’s /sysroot one should be looking at, which is mounted ro. In the findmt command:

/sysroot  /dev/vda3[/root]  btrfs ro,relatime,seclabel,compress=zstd:1,discard=async,space_cache=v2,subvolid=258,subvol=/root
4

@Mike B.
Thanks for the reply.
The /sysroot Mount makes clear the can‘t write to /sysroot but (for me) it looks like just an other mount point (like /home) this is Ro.
Writing to /sysroot gives me (as expected) read only error.

@Flo
Do you mean in general or did libostree some background stuff, which blocks write access?

Or with other words: even with mikes answer, it looks for me, that from mount-view / is writeable.
Of course it’s not, but still not see why. :sweat_smile:

5

/sysroot is the real root. The read-only re-mount was introduced with F37:
https://fedoraproject.org/wiki/Changes/Silverblue_Kinoite_readonly_sysroot

It wasn’t always like this, which caused issues like this one, which then determined Fedora to implement the change.

6

It is a bit more involved than that. Parts of the root file system is bind mounted, for example

/root/ostree/deploy/fedora/deploy/c01d32f2c097d9a686787f79032471d8ff67177c3213578fd85c40b453086e75.0 / rw,relatime shared:1 - btrfs /dev/vda3 rw,seclabel,compress=zstd:1,discard=async,space_cache=v2,subvolid=258,subvol=/root
/root/ostree/deploy/fedora/deploy/c01d32f2c097d9a686787f79032471d8ff67177c3213578fd85c40b453086e75.0/etc /etc rw,relatime shared:2 - btrfs /dev/vda3 rw,seclabel,compress=zstd:1,discard=async,space_cache=v2,subvolid=258,subvol=/root
/root/ostree/deploy/fedora/deploy/c01d32f2c097d9a686787f79032471d8ff67177c3213578fd85c40b453086e75.0/usr /usr ro,relatime shared:3 - btrfs /dev/vda3 rw,seclabel,compress=zstd:1,discard=async,space_cache=v2,subvolid=258,subvol=/root

The root file system is mounted read-write from its deployment, the /usr file system is bind mounted read-only from the same deployment and /etc is mounted read-write.

The details are found in /proc/self/mountinfo, although not in a user friendly format.

flatpaks are in a similar way bind mounted from deployment images.

1 Like
7

:100:

… and with that comes the nice feature that /etc is preserved with each deployment, which saved a few here on the forums after they have made config changes which made their deployment unbootable, yet they could boot into their previous deployment (with non-altered /etc/ contents).

8

Thanks a lot to all of you