Bug 1444018 - Stateless: READONLY=yes does not work on RHEL 7
Summary: Stateless: READONLY=yes does not work on RHEL 7
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: initscripts
Version: 7.4
Hardware: All
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: David Kaspar // Dee'Kej
QA Contact: qe-baseos-daemons
Marek Suchánek
URL:
Whiteboard:
Depends On: 1268349
Blocks: 1465901 1472751 1549617 1549689
TreeView+ depends on / blocked
 
Reported: 2017-04-20 12:41 UTC by Frantisek Sumsal
Modified: 2018-05-14 10:43 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
The "READONLY=yes" option is not sufficient to configure a read-only system In Red Hat Enterprise Linux 6, the "READONLY=yes" option in the `/etc/sysconfig/readonly-root` file was used to configure a read-only system partition. In Red Hat Enterprise Linux 7, the option is no longer sufficient, because *systemd* uses a new approach to mounting the system partition. To configure a read-only system in Red Hat Enterprise Linux 7: * Set the "READONLY=yes" option in `/etc/sysconfig/readonly-root`. * Add the "ro" option to the root mount point in the `/etc/fstab` file.
Clone Of:
Environment:
Last Closed: 2018-05-10 15:32:29 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Frantisek Sumsal 2017-04-20 12:41:01 UTC 
Description of problem:
Setting READONLY to 'yes' in /etc/sysconfig/readonly-root does not work on RHEL 7 - root file system is mounted as read-write after reboot. After discussion with systemd devels we came to conclusion that this is caused by missing drop-in files for affected mounts, as they are handled by systemd in RHEL 7.

Version-Release number of selected component (if applicable):
initscripts-9.49.37-1.el7

How reproducible:
always

Steps to Reproduce:
# sed -i'' -re 's/(READONLY=).*/\1yes/' /etc/sysconfig/readonly-root
# reboot
# grep READONLY= /etc/sysconfig/readonly-root
# grep " / " /proc/mounts
# touch /test

Actual results:
# grep READONLY= /etc/sysconfig/readonly-root 
READONLY=yes
# grep " / " /proc/mounts
rootfs / rootfs rw 0 0
/dev/mapper/VolGroup00-LogVol00 / ext4 rw,seclabel,relatime,data=ordered 0 0
# touch /test
# echo $?
0

Expected results:
## Example from RHEL 6.9
# grep READONLY= /etc/sysconfig/readonly-root
READONLY=yes
# grep " / " /proc/mounts
rootfs / rootfs rw 0 0
/dev/vda1 / ext4 ro,seclabel,relatime,barrier=1,data=ordered 0 0
# touch /test
touch: cannot touch `/test': Read-only file system
Comment 5 David Kaspar // Dee'Kej 2018-05-10 15:32:29 UTC 
We have discussed this issue thoroughly with both Lukas & Michal, and come to a conclusion it's not possible to fix this issue in any sane way.

Turned out the drop-ins for this issue won't work. It would require a quite huge change to systemd, which wouldn't be accepted by upstream. And we definitely do not want to keep such a change donwstream only...

The simplest workaround is for user to READONLY=yes in /etc/sysconfig/readonly-root, and to manually append the 'ro' to mount options of '/' mount point in /etc/fstab.

Therefore, I'm closing thsi as CANTFIX, and I will request a KB article / documentation change for this.

https://github.com/fedora-sysv/initscripts/pull/190
Comment 6 Marek Suchánek 2018-05-11 16:07:37 UTC 
Hello David,

I've edited your draft doc text for the 7.5 Release Notes. Can you please review my description and let me know if any changes are necessary?

Thanks,
Marek
Comment 7 David Kaspar // Dee'Kej 2018-05-14 10:43:25 UTC 
(In reply to Marek Suchanek from comment #6)
> Hello David,
> 
> I've edited your draft doc text for the 7.5 Release Notes. Can you please
> review my description and let me know if any changes are necessary?
> 
> Thanks,
> Marek

Looks good to me. :)
Note You need to log in before you can comment on or make changes to this bug.