How to apply `noexec` flag to /var on Fedora CoreOS already deployed to production

Hi all,
I have FCOS 37 deployed to ~100 remotely managed systems. I need to apply the noexec flag to the /var partition on these systems. I found this page, Configuring Storage :: Fedora Docs, which talks about how this flag might be applied in a Butane config, but I cannot use this as it can only be applied during the initial provisioning and these systems are already deployed remotely. There is no /etc/fstab file on FCOS 37, so I don’t think that the flag may be applied by editing the fstab.

How do I configure the system to mount the /var partition with the noexec flag?

I know nothing about Fedora CoreOS beyond its intersection with Silverblue, but if you did something like this from your link:

  filesystems:
    - path: /var
      device: /dev/disk/by-partlabel/var
      # We can select the filesystem we'd like.
      format: ext4
      # Ask Butane to generate a mount unit for us so that this filesystem
      # gets mounted in the real root.
      with_mount_unit: true

I’d expect you to have a /etc/systemd/system/var.mount. In any case, systemctl cat /var should show you where the mount is defined.

In lieu of editing that file, you could create a drop-in: /etc/systemd/system/var.mount.d/noexec.conf:

  [Mount]
  Options=noexec

Note that this would override any options already set in the main unit file.

Like @chrisawi, I am by no means a CoreOS expert and his approach should be successful.

Additionally, if /etc/fstab exists, CoreOS will read it and generate mount units from its contents.

If you want to create your own mount unit then you can just drop this and define it separately, or you could leave it and do the /etc/systemd/system/var.mount.d/noexec.conf as suggested by @chrisawi.
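As an added example that is not part of any post in this thread: a small shell helper that merges noexec into whatever Options= the existing var.mount already carries (instead of silently replacing them, which is what a bare Options=noexec drop-in does), writes the drop-in, and then checks /proc/self/mountinfo to confirm the live mount really has noexec. The unit name var.mount comes from the posts above; the unit text and mountinfo lines in the block are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the /var mount unit is named
# var.mount (as in the posts); the sample unit text and mountinfo lines are
# constructed here so the helpers can be exercised without root.
set -eu

# Return an Options= value that keeps the unit's existing options and adds
# noexec once. Input is the text `systemctl cat var.mount` prints; the last
# Options= line wins, as it does for systemd drop-ins.
merged_mount_options() {
  current=$(printf '%s\n' "$1" | sed -n 's/^Options=//p' | tail -n 1)
  case ",${current}," in
    ,,)          printf 'noexec' ;;           # unit had no Options= line
    *,noexec,*)  printf '%s' "$current" ;;    # already noexec, unchanged
    *)           printf '%s,noexec' "$current" ;;
  esac
}

# Write var.mount.d/noexec.conf below $1 (/ on a real node, a temp dir for a
# dry run) with the given Options= value; prints the file path.
write_noexec_dropin() {
  dir="$1/etc/systemd/system/var.mount.d"
  mkdir -p "$dir"
  printf '[Mount]\nOptions=%s\n' "$2" > "$dir/noexec.conf"
  printf '%s' "$dir/noexec.conf"
}

# Succeed only if the /proc/self/mountinfo text in $1 shows /var mounted
# and its per-mount options (field 6) include noexec.
mountinfo_var_has_noexec() {
  printf '%s\n' "$1" | awk '
    $5 == "/var" { found = 1; if ("," $6 "," ~ /,noexec,/) ok = 1 }
    END { exit !(found && ok) }'
}

# Constructed samples standing in for a real node.
SAMPLE_UNIT='[Mount]
What=/dev/disk/by-partlabel/var
Where=/var
Type=ext4
Options=defaults,prjquota'
SAMPLE_MOUNTINFO_BEFORE='29 1 259:3 / /var rw,relatime shared:5 - ext4 /dev/nvme0n1p4 rw,prjquota'
SAMPLE_MOUNTINFO_AFTER='29 1 259:3 / /var rw,noexec,relatime shared:5 - ext4 /dev/nvme0n1p4 rw,prjquota'

# On a live node, as root:
#   write_noexec_dropin / "$(merged_mount_options "$(systemctl cat var.mount)")"
#   systemctl daemon-reload            # drop-in applies from the next mount/boot
#   mount -o remount,noexec /var       # apply now without waiting for a reboot
#   mountinfo_var_has_noexec "$(cat /proc/self/mountinfo)" && echo "/var is noexec"
```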

Creating a /etc/fstab works, as does creating a systemd config file.
Thank you!

Having /var mounted as noexec might cause issues if updating to F40, see this other thread.

This probably does not impact Fedora CoreOS as we don’t re-generate the initramfs on the nodes by default. This would have to be confirmed.