Age | Commit message (Collapse) | Author |
|
with them missing
This way the root subvolume can be left read-only easily, and variable
and user data writable with explicit quota set.
|
|
/var/lib/container to /var/lib/machines
Given that this is also the place to store raw disk images which are
very much bootable with qemu/kvm it sounds like a misnomer to call the
directory "container". Hence, let's change this sooner rather than
later, and use the generic name, in particular since we otherwise try to
use the generic "machine" preferably over the more specific "container"
or "vm".
|
|
In particular we upgrade /var/lib/container, /var/tmp and /tmp to
subvolumes.
|
|
The .service uses "/var/lib/container", not "containers".
|
|
Create /var/lib/containers so that it exists with an appropriate mode. We want
0700 by default so that users on the host aren't able to call suid root
binaries in the container. This becomes a security issue if a user can enter a
container as root, create a suid root binary, and call that from the host.
(This assumes that containers are caged by mandatory access control or are
started as user).
|
|
Management of /var/cache/man should move to the distribution package
owning the directory (for example, man-db). As man pages are a
non-essential part of the system and unnecessary for minimal setups,
there's no point in having systemd ship these lines.
Distribution packages should make sure the appropriate package for their
distribution adopts this line. Ideally, the line is adopted by the
upstream package.
For Fedora I have filed this bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1110274
|
|
|
|
Let's allow booting up with /var empty. Only create the most basic
directories to get to a working directory structure and symlink set in
/var.
|