In our university lab environment, our current setup involves the computers booting Debian over PXE. Right now, this is a very manual, error-prone and space-inefficient process as we build squashfs images using bash scripts, chroot, etc. Using containers instead would make it easy to integrate this into our VCS/CI, moreover composefs seems to be a good way to get the space requirements for storing multiple images down.
As such, I went ahead to see whether I could manage to get a Debian system to boot over PXE with a composefs repository on our existing read only nfs share. To my surprise, all of this was pretty straightforward - the only changes that were required were to build the initramfs using dracut with the composefs-setup-root module included (I could adapt the systemd service and module-setup.sh pretty much 1:1 from bootc) and putting kernel and initramfs into the right place.
As our previous setup was overlay-based and oftentimes students might need to install a package, I decided to go with a transient root fs. etc and var are configured to be transient too (I assumed this might be the only way to make this work on a ro-share?):
cat <<EOF > /usr/lib/composefs/setup-root-conf.toml
etc.mount = "transient"
var.mount = "transient"
root.transient = true
EOF
This almost works. However, when I finally boot this image, dbus and all the other services that try to drop privileges fail with permission denied errors. It took a while to figure out why: The root (/) has 0700 permissions set after boot. I suspect this is because ensure_dir sets these permissions for the overlayfs working directories. Changing this to 0755 solved this for me and made the system boot successfully.
Would it be feasible to relax the default permissions a bit? Or make them configurable?
In our university lab environment, our current setup involves the computers booting Debian over PXE. Right now, this is a very manual, error-prone and space-inefficient process as we build squashfs images using bash scripts, chroot, etc. Using containers instead would make it easy to integrate this into our VCS/CI, moreover composefs seems to be a good way to get the space requirements for storing multiple images down.
As such, I went ahead to see whether I could manage to get a Debian system to boot over PXE with a composefs repository on our existing read only nfs share. To my surprise, all of this was pretty straightforward - the only changes that were required were to build the initramfs using dracut with the
composefs-setup-rootmodule included (I could adapt the systemd service and module-setup.sh pretty much 1:1 from bootc) and putting kernel and initramfs into the right place.As our previous setup was overlay-based and oftentimes students might need to install a package, I decided to go with a transient root fs. etc and var are configured to be transient too (I assumed this might be the only way to make this work on a ro-share?):
This almost works. However, when I finally boot this image, dbus and all the other services that try to drop privileges fail with permission denied errors. It took a while to figure out why: The root (/) has 0700 permissions set after boot. I suspect this is because
ensure_dirsets these permissions for the overlayfs working directories. Changing this to 0755 solved this for me and made the system boot successfully.Would it be feasible to relax the default permissions a bit? Or make them configurable?