Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Do not mount /boot/efi by default #694

Closed
travier opened this issue Dec 7, 2020 · 6 comments · Fixed by coreos/fedora-coreos-config#794
Closed

Do not mount /boot/efi by default #694

travier opened this issue Dec 7, 2020 · 6 comments · Fixed by coreos/fedora-coreos-config#794
Assignees
@bgilbert
Labels
jira for syncing to jira kind/enhancement

Comments

@travier
Copy link
Member

travier commented Dec 7, 2020

Objectives

To avoid issues on AWS and to better convey the fact that users and administrators should not manually alter the content of the EFI partition, we want to not mount /boot/efi / the EFI partition by default.

The only programs on the system that should alter ESP partition content should be bootupd and fwupd and special support will be included for them to operate properly.

References

Split from #652

From coreos/fedora-coreos-config#407:

Nothing in the OS touches the ESP by default, so there's no reason to mount it by default, particularly writable. This is good for avoiding wear&tear on the filesystem, but I am specifically doing this as preparation for potentially removing the ESP from AWS images, because AWS ImportImage chokes on its presence: openshift/os#396

See also: coreos/fedora-coreos-config#356
@travier travier added jira for syncing to jira kind/enhancement labels Dec 7, 2020
@travier travier mentioned this issue Dec 7, 2020
Closed
@travier travier changed the title Do not mount /boot/efi by default Do not mount /boot/efi by default Dec 7, 2020
@jamescassell
Copy link
Collaborator

I'd rather just make/keep it read-only than unmounted.

@bgilbert
Copy link
Contributor

It looks like we're going to have to rework full-disk RAID support to maintain multiple independent ESPs, rather than RAIDing the replicas together. That necessitates keeping the ESP unmounted, since "the ESP" would no longer be a coherent concept; anything modifying ESP content would need to mount and independently modify each copy.

@dustymabe
Copy link
Member

What about anything reading ESP content? Would mounting one "replica" read-only suffice?

Not sure it would be a valid use case to want to read ESP content, but from an "optics" perspective if people look at their mounts and don't see /boot/efi they might assume (incorrectly) the system is booted via BIOS and not UEFI.

@bgilbert
Copy link
Contributor

It would suffice, but I worry that someone would mount -o remount,rw if they wanted to change something, without understanding the consequences.

I hope users aren't associating /boot/efi with the system having booted via UEFI. But even if so, I think we should consider breaking that expectation.

@bgilbert bgilbert mentioned this issue Dec 20, 2020
Merged
@bgilbert
Copy link
Contributor

coreos/fedora-coreos-config#794 removes the mount.

bgilbert added a commit to coreos/fedora-coreos-config that referenced this issue Dec 22, 2020
@bgilbert
coreos-boot-mount-generator: stop mounting /boot/efi
33a7393 
On RAID systems we're now going to have multiple ESPs, no one of which is
the "canonical ESP", so there's nothing we can mount here.  Drop the
mount unit.

Fixes: coreos/fedora-coreos-tracker#694
@dustymabe dustymabe added the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Dec 23, 2020
@jlebon jlebon mentioned this issue Jan 6, 2021
Merged
@dustymabe
Copy link
Member

The fix for this went into testing stream release 33.20210104.2.0. Please try out the new release and report issues.

@dustymabe dustymabe removed the status/pending-testing-release Fixed upstream. Waiting on a testing release. label Jan 7, 2021
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
@bgilbert @HuijingHei
coreos-boot-mount-generator: stop mounting /boot/efi
d90c5be 
On RAID systems we're now going to have multiple ESPs, no one of which is
the "canonical ESP", so there's nothing we can mount here.  Drop the
mount unit.

Fixes: coreos/fedora-coreos-tracker#694
HuijingHei pushed a commit to HuijingHei/fedora-coreos-config that referenced this issue Oct 10, 2023
@bgilbert @HuijingHei
coreos-boot-mount-generator: stop mounting /boot/efi
422a492 
On RAID systems we're now going to have multiple ESPs, no one of which is
the "canonical ESP", so there's nothing we can mount here.  Drop the
mount unit.

Fixes: coreos/fedora-coreos-tracker#694
@travier travier mentioned this issue Nov 29, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bgilbert bgilbert

Labels
jira for syncing to jira kind/enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

40ignition-ostree: copy ESP contents as independent filesystems
5 participants
@bgilbert @dustymabe @jamescassell @kelvinfan001 @travier