
Mount /boot as RO by default #652

Closed
travier opened this issue Oct 22, 2020 · 7 comments
Assignees
Labels
jira for syncing to jira kind/enhancement

Comments

@travier
Member

travier commented Oct 22, 2020

From coreos/fedora-coreos-config#659:

ostree has had support for leaving /boot mounted read-only for a long time: ostreedev/ostree#1767 (And then later extended to /sysroot)

Particularly for CoreOS, only a few things should be touching /boot, and we control all of them. Those projects should create a new mount namespace and remount these partitions writable just while they need it.

The main thing we're accomplishing here is making the system more resilient against accidental damage from a sysadmin root shell as well as configuration management tools like Puppet/Ansible. None of those should be directly manipulating files on these partitions, they should go through the API of one of our projects (e.g. rpm-ostree kargs, bootupctl) etc.

While we're here, also add nodev,nosuid because some OS hardening scanners like to see this. IMO it's of minimal value, but hey, might as well.

From coreos/fedora-coreos-config#407:
> Nothing in the OS touches the ESP by default, so there's no reason to mount it by default, particularly writable. This is good for avoiding wear&tear on the filesystem, but I am specifically doing this as preparation for potentially removing the ESP from AWS images, because AWS ImportImage chokes on its presence: openshift/os#396

See also: coreos/fedora-coreos-config#356

@travier travier added the jira for syncing to jira label Oct 22, 2020
@jlebon
Member

jlebon commented Oct 22, 2020

Note this likely has ramifications for kdump as well because it needs to be able to drop the generated initrd in /boot (or maybe this is motivation enough to clean this up and get it to not save into /boot :) ).

@travier
Member Author

travier commented Oct 22, 2020

Yes, this is definitely related. kdump support does not require that the generated initrd lives in /boot, so this will indeed require some (should be small) configuration changes.

@travier
Member Author

travier commented Dec 7, 2020

Refocusing this issue on /boot RO only. /boot/efi split in #694.

@travier travier changed the title Mount /boot as RO and do not mount /boot/efi Mount /boot as RO Dec 7, 2020
@travier travier changed the title Mount /boot as RO Mount /boot as RO by default Dec 7, 2020
@kelvinfan001
Member

I believe FCOS should be ready to mount /boot read-only now that we've addressed everything that needs write access to /boot.

Now just waiting for a new release of bootupd that includes the necessary changes to deal with a read-only /boot before we can merge coreos/fedora-coreos-config#659

@travier travier added the meeting topics for meetings label Dec 9, 2020
@dustymabe
Member

We discussed this at the community meeting today.

Mostly information passing that this is coming soon. No real objections to moving forward. It was pointed out that it might be good for the tools that are remounting /boot/ RW in order to operate in it to be able to tell the difference between the device being mounted RO by policy or it being mounted RO because of drive corruption.
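
As an added illustration (not code from this issue or from the CoreOS projects), the shell helpers below show the distinction raised in the meeting: /boot read-only by policy (fstab asks for ro) versus unexpectedly read-only (the live mount table says ro but fstab does not, as happens after the kernel remounts a damaged filesystem), plus the nodev,nosuid check hardening scanners look for and the private-mount-namespace remount pattern the issue recommends for tools that must write to /boot. All fstab and mount-table lines are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Classify how /boot is mounted by comparing fstab intent with the live
# mount table (/proc/mounts format). Sample inputs are constructed below.

# Option string for a mountpoint in a /proc/mounts-style table.
mount_opts() {   # $1 = mountpoint, $2 = mounts table text
    printf '%s\n' "$2" | awk -v mp="$1" '$2 == mp { print $4; exit }'
}

# Option string for a mountpoint in an fstab-style table (comments skipped).
fstab_opts() {   # $1 = mountpoint, $2 = fstab text
    printf '%s\n' "$2" | awk -v mp="$1" '$1 !~ /^#/ && $2 == mp { print $4; exit }'
}

has_opt() {      # $1 = option, $2 = comma-separated option list
    case ",$2," in *",$1,"*) return 0 ;; esac
    return 1
}

# Prints one of: rw | ro-policy | ro-unexpected | absent
boot_state() {   # $1 = mountpoint, $2 = fstab text, $3 = mounts text
    live=$(mount_opts "$1" "$3"); conf=$(fstab_opts "$1" "$2")
    [ -n "$live" ] || { echo absent; return; }
    if has_opt ro "$live"; then
        if has_opt ro "$conf"; then echo ro-policy; else echo ro-unexpected; fi
    else
        echo rw
    fi
}

# Hardening check from the thread: succeed only if nodev AND nosuid are live.
boot_hardened() {  # $1 = mountpoint, $2 = mounts text
    live=$(mount_opts "$1" "$2")
    has_opt nodev "$live" && has_opt nosuid "$live"
}

# Pattern for tools that must write to /boot: remount it writable only inside
# a private mount namespace, so the rest of the system keeps it read-only.
# Requires root; not exercised by the sample data below.
with_writable_boot() {  # $@ = command to run while /boot is writable
    unshare --mount --propagation private \
        sh -c 'mount -o remount,rw /boot && exec "$@"' sh "$@"
}

# Constructed sample tables (not captured from a real host).
FSTAB_RO='# constructed sample fstab
/dev/disk/by-label/boot /boot ext4 ro,nodev,nosuid 0 0'
FSTAB_RW='/dev/disk/by-label/boot /boot ext4 defaults 0 0'
MOUNTS_RO='/dev/vda3 /boot ext4 ro,relatime,nodev,nosuid 0 0'
MOUNTS_RW='/dev/vda3 /boot ext4 rw,relatime 0 0'
```

With FSTAB_RW and MOUNTS_RO the result is ro-unexpected, which is the "mounted RO because of corruption" case a remounting tool should refuse to paper over.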

@dustymabe dustymabe removed the meeting topics for meetings label Dec 9, 2020
@travier travier changed the title Mount /boot as RO by default Mount /boot (and /boot/efi) as RO by default Dec 18, 2020
@kelvinfan001
Member

coreos/fedora-coreos-config#794 removes the EFI mount. Changing the scope to only /boot.

@kelvinfan001 kelvinfan001 changed the title Mount /boot (and /boot/efi) as RO by default Mount /boot as RO by default Jan 5, 2021
@kelvinfan001
Member

coreos/fedora-coreos-config#659 has merged.


4 participants