
[isar-cip-core,v3,4/6] Move content of home to IMMUTABLE_DATA_DIR

Message ID 20250305102807.2614514-5-Quirin.Gylstorff@siemens.com (mailing list archive)
State New

Commit Message

Quirin Gylstorff March 5, 2025, 10:27 a.m. UTC
From: Quirin Gylstorff <quirin.gylstorff@siemens.com>

This reduces the number of required partitions. It also
simplifies possible update strategies for the persistent
partitions, e.g. the `A/B snapshot support for persistent /var`
[1].

This fixes issue #123.

[1]: https://lists.cip-project.org/g/cip-dev/message/17703.

https://gitlab.com/cip-project/cip-core/isar-cip-core/-/issues/123
Signed-off-by: Quirin Gylstorff <quirin.gylstorff@siemens.com>
---
 classes/read-only-rootfs.bbclass              | 19 +++++++++++++++--
 kas/opt/encrypt-all.yml                       |  2 +-
 kas/opt/separate-home-partition.yml           | 21 +++++++++++++++++++
 ...ook_0.6.bb => initramfs-crypt-hook_0.7.bb} |  2 +-
 4 files changed, 40 insertions(+), 4 deletions(-)
 create mode 100644 kas/opt/separate-home-partition.yml
 rename recipes-initramfs/initramfs-crypt-hook/{initramfs-crypt-hook_0.6.bb => initramfs-crypt-hook_0.7.bb} (98%)

Patch

diff --git a/classes/read-only-rootfs.bbclass b/classes/read-only-rootfs.bbclass
index 0c8ae24..4e70d81 100644
--- a/classes/read-only-rootfs.bbclass
+++ b/classes/read-only-rootfs.bbclass
@@ -14,8 +14,12 @@  INITRD_IMAGE = "${INITRAMFS_RECIPE}-${DISTRO}-${MACHINE}.initrd.img"
 
 do_image_wic[depends] += "${INITRAMFS_RECIPE}:do_build"
 
-IMAGE_INSTALL += "home-fs"
-WIC_HOME_PARTITION = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+WIC_HOME_PARTITION:separate-home-part = "part /home --source rootfs --change-directory=home --fstype=ext4 --label home --align 1024  --size 1G --fsuuid 1f55d66a-40d8-11ee-be56-0242ac120002 --uuid c07d5e8f-3448-46dc-9c0f-58904f369524"
+
+WIC_HOME_PARTITION = ""
+IMAGE_INSTALL += " move-homedir-var"
+IMAGE_INSTALL:append:separate-home-part = " home-fs"
+IMAGE_INSTALL:remove:separate-home-part = " move-homedir-var"
 
 IMAGE_INSTALL:append:buster   = " tmp-fs"
 IMAGE_INSTALL:append:bullseye = " tmp-fs"
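Review bot: Nothing in this hunk says where the `separate-home-part` override comes from, so a reader of read-only-rootfs.bbclass cannot tell how the home partition is re-enabled; the `WIC_HOME_PARTITION:separate-home-part` line deserves a comment such as `# separate-home-part is added to OVERRIDES by kas/opt/separate-home-partition.yml`. The `move-homedir-var` package now installed by default does not appear in this patch's diffstat, so it presumably comes from an earlier patch of the series; naming that recipe in the same comment would spare the next reader a search. Since `WIC_HOME_PARTITION` is now empty by default, any wks template that expands it will simply emit no home partition, which is worth stating there as well.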
@@ -37,6 +41,17 @@  copy_dpkg_state() {
     sudo cp -a ${ROOTFSDIR}/var/lib/dpkg "$IMMUTABLE_VAR_LIB/"
 }
 
+ROOTFS_POSTPROCESS_COMMAND:append = " copy_home_to_immutable_data"
+ROOTFS_POSTPROCESS_COMMAND:remove:separate-home-part = " copy_home_to_immutable_data"
+copy_home_to_immutable_data() {
+    IMMUTABLE_HOME_DIR="${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/"
+    sudo mkdir -p "$IMMUTABLE_HOME_DIR"
+    sudo mv ${ROOTFSDIR}/home "$IMMUTABLE_HOME_DIR/"
+    # as the rootfs is read-only we need to create the link
+    # between /var/home and /home during creation.
+    sudo chroot ${IMAGE_ROOTFS} ln -s /var/home /home
+}
+
 RO_ROOTFS_EXCLUDE_DIRS ??= ""
 EROFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
 SQUASHFS_EXCLUDE_DIRS = "${RO_ROOTFS_EXCLUDE_DIRS}"
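Review bot: The symlink created in copy_home_to_immutable_data hard-codes `/var/home`, while the directory is moved to `${ROOTFSDIR}${IMMUTABLE_DATA_DIR}/`; if `IMMUTABLE_DATA_DIR` is ever set to something other than `/var`, the link dangles and every login home disappears, so the ln line should use the same variable: `sudo chroot "${IMAGE_ROOTFS}" ln -s "${IMMUTABLE_DATA_DIR}/home" /home`. The mv line is the only one in the function with an unquoted path, so `sudo mv "${ROOTFSDIR}/home" "$IMMUTABLE_HOME_DIR/"` would match the others. The local `IMMUTABLE_HOME_DIR` actually holds the data directory, not the home directory, so `IMMUTABLE_DATA` or similar would read better, and the function mixes `${ROOTFSDIR}` and `${IMAGE_ROOTFS}`, which I assume resolve to the same tree here but is worth confirming.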
diff --git a/kas/opt/encrypt-all.yml b/kas/opt/encrypt-all.yml
index b6d4041..faf7206 100644
--- a/kas/opt/encrypt-all.yml
+++ b/kas/opt/encrypt-all.yml
@@ -20,4 +20,4 @@  local_conf_header:
     # As we use a weak default assignment in the intramfs-crypt-hook recipe we need
     # to set all partitions
     CRYPT_PARTITIONS = "${ABROOTFS_PART_UUID_A}::reencrypt ${ABROOTFS_PART_UUID_B}::reencrypt \
-                         home:/home:reencrypt var:/var:reencrypt"
+                         var:/var:reencrypt"
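Review bot: After this change a reader of encrypt-all.yml could conclude that user home data is no longer encrypted; it now lives below `/var` (moved there by copy_home_to_immutable_data in read-only-rootfs.bbclass) and is therefore covered by the `var:/var:reencrypt` entry, and when kas/opt/separate-home-partition.yml is also selected its `CRYPT_PARTITIONS:append:separate-home-part` still adds the home partition back, since `:append` is applied after this plain assignment regardless of file order. A comment above the assignment would prevent that misreading, e.g. `# home is part of /var; separate-home-partition.yml appends the home partition when one is used`.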
diff --git a/kas/opt/separate-home-partition.yml b/kas/opt/separate-home-partition.yml
new file mode 100644
index 0000000..194b132
--- /dev/null
+++ b/kas/opt/separate-home-partition.yml
@@ -0,0 +1,21 @@ 
+#
+# CIP Core, generic profile
+#
+# Copyright (c) Siemens AG, 2025
+#
+# Authors:
+#  Quirin Gylstorff <quirin.gylstorff@siemens.com>
+#
+# SPDX-License-Identifier: MIT
+#
+# This kas file adds a separate home partition an image.
+# This provide backward compability to the previous isar-cip-core
+# versions.
+header:
+  version: 14
+
+local_conf_header:
+  separate-home-partition: |
+    OVERRIDES .= ":separate-home-part"
+  add-home-partition-to-crypt: |
+    CRYPT_PARTITIONS:append:separate-home-part = " home:/home:reencrypt"
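Review bot: The header comment of the new file has two wording defects: "adds a separate home partition an image" is missing a word and "provide backward compability" is misspelled. Suggested replacement for those three comment lines: `# This kas file adds a separate home partition to an image.` / `# This provides backward compatibility with previous isar-cip-core` / `# versions.` It would also help to state in the same comment that the `separate-home-part` override is what read-only-rootfs.bbclass keys its `WIC_HOME_PARTITION` and `IMAGE_INSTALL` changes on.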
diff --git a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
similarity index 98%
rename from recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
rename to recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
index df335c9..80a4755 100644
--- a/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.6.bb
+++ b/recipes-initramfs/initramfs-crypt-hook/initramfs-crypt-hook_0.7.bb
@@ -70,7 +70,7 @@  SRC_URI += "file://encrypt_partition.env.tmpl \
             file://pwquality.conf"
 
 # CRYPT_PARTITIONS elements are <partition-label>:<mountpoint>:<reencrypt or format>[:expand]
-CRYPT_PARTITIONS ??= "home:/home:reencrypt var:/var:reencrypt"
+CRYPT_PARTITIONS ??= "var:/var:reencrypt"
 # CRYPT_CREATE_FILE_SYSTEM_CMD contains the shell command to create the filesystem
 # in a newly formatted LUKS Partition
 CRYPT_CREATE_FILE_SYSTEM_CMD ??= "/usr/sbin/mke2fs -t ext4"
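Review bot: The new default silently drops `home` from CRYPT_PARTITIONS, and the comment above it still only describes the element syntax; a downstream layer that keeps overriding with `home:/home:reencrypt` will now name a partition that does not exist unless kas/opt/separate-home-partition.yml is selected. Extending the comment with something like `# home is not a separate partition by default (it lives under /var); select kas/opt/separate-home-partition.yml to add it` would document the change at the place where people override the value. How the hook behaves when a listed label is absent is outside this hunk, so I cannot tell whether that case fails loudly.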