Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1444018

Summary: Stateless: READONLY=yes does not work on RHEL 7
Product: Red Hat Enterprise Linux 7 Reporter: Frantisek Sumsal <fsumsal>
Component: initscriptsAssignee: David Kaspar // Dee'Kej <deekej>
Status: CLOSED CANTFIX QA Contact: qe-baseos-daemons
Severity: medium Docs Contact: Marek Suchánek <msuchane>
Priority: medium    
Version: 7.4CC: deekej, initscripts-maint-list
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Known Issue
Doc Text:
The "READONLY=yes" option is not sufficient to configure a read-only system In Red Hat Enterprise Linux 6, the "READONLY=yes" option in the `/etc/sysconfig/readonly-root` file was used to configure a read-only system partition. In Red Hat Enterprise Linux 7, the option is no longer sufficient, because *systemd* uses a new approach to mounting the system partition. To configure a read-only system in Red Hat Enterprise Linux 7: * Set the "READONLY=yes" option in `/etc/sysconfig/readonly-root`. * Add the "ro" option to the root mount point in the `/etc/fstab` file.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-10 15:32:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1268349    
Bug Blocks: 1465901, 1472751, 1549617, 1549689    

Description Frantisek Sumsal 2017-04-20 12:41:01 UTC 
Description of problem:
Setting READONLY to 'yes' in /etc/sysconfig/readonly-root does not work on RHEL 7 - root file system is mounted as read-write after reboot. After discussion with systemd devels we came to conclusion that this is caused by missing drop-in files for affected mounts, as they are handled by systemd in RHEL 7.

Version-Release number of selected component (if applicable):
initscripts-9.49.37-1.el7

How reproducible:
always

Steps to Reproduce:
# sed -i'' -re 's/(READONLY=).*/\1yes/' /etc/sysconfig/readonly-root
# reboot
# grep READONLY= /etc/sysconfig/readonly-root
# grep " / " /proc/mounts
# touch /test

Actual results:
# grep READONLY= /etc/sysconfig/readonly-root 
READONLY=yes
# grep " / " /proc/mounts
rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext4 rw,seclabel,relatime,data=ordered 0 0
# touch /test
# echo $?
0

Expected results:
## Example from RHEL 6.9
# grep READONLY= /etc/sysconfig/readonly-root
READONLY=yes
# grep " / " /proc/mounts
rootfs / rootfs rw 0 0
/dev/vda1 / ext4 ro,seclabel,relatime,barrier=1,data=ordered 0 0
# touch /test
touch: cannot touch `/test': Read-only file system
Comment 5 David Kaspar // Dee'Kej 2018-05-10 15:32:29 UTC 
We have discussed this issue thoroughly with both Lukas & Michal, and come to a conclusion it's not possible to fix this issue in any sane way.

Turned out the drop-ins for this issue won't work. It would require a quite huge change to systemd, which wouldn't be accepted by upstream. And we definitely do not want to keep such a change donwstream only...

The simplest workaround is for user to READONLY=yes in /etc/sysconfig/readonly-root, and to manually append the 'ro' to mount options of '/' mount point in /etc/fstab.

Therefore, I'm closing thsi as CANTFIX, and I will request a KB article / documentation change for this.

https://github.com/fedora-sysv/initscripts/pull/190
Comment 6 Marek Suchánek 2018-05-11 16:07:37 UTC 
Hello David,

I've edited your draft doc text for the 7.5 Release Notes. Can you please review my description and let me know if any changes are necessary?

Thanks,
Marek
Comment 7 David Kaspar // Dee'Kej 2018-05-14 10:43:25 UTC 
(In reply to Marek Suchanek from comment #6)
> Hello David,
> 
> I've edited your draft doc text for the 7.5 Release Notes. Can you please
> review my description and let me know if any changes are necessary?
> 
> Thanks,
> Marek

Looks good to me. :)