
/run/, resolvconf and read-only root



This message is about three interdependent goals:

1. To create /run/, which makes it possible ...
2. to implement variable resolver configuration, which will help
3. to make it possible to mount / read-only.

(In the present context, "variable" information is information
that changes during the normal operation of a system, not
just when the system is administered.)

So far in pursuit of #3 I have filed a few bug reports asking
that programs store certain variable information under /var/.
Those changes should be straightforward and relatively
uncontroversial.  As was discussed here earlier, however,
some programs cannot use /var/ and need something like /run/.
Creating /run/ and creating a variable resolver configuration
framework are liable to be more controversial.  (It shouldn't
be too controversial at the FHS level, however.  I have posted
questions on the FHS list and no serious objections have been
raised against the idea of /run/.  Someone pointed out that
several distros already use /initrd/ without FHS permission.
There's good reason for that, so no big deal.)

So, ... before I begin asking maintainers to implement the
necessary changes, I ask for commentary here on the following
outline.

#1  /run/
=========

Jamie Wilkinson has prepared patches: http://spacepants.org/
and is updating them for the latest sysvinit release (2.85).
  * base-files
      Add /run/ directory
  * pam, shadow
      Allow either /etc/nologin or /run/nologin to prevent
      nonroot login
  * sysvinit:
      Touch /run/nologin (not /etc/nologin) when there is a
      delay before a shutdown.
  * util-linux
      Use /run/mtab for mount's statefile

#2. Variable resolver configuration
===================================

The resolver configuration file, /etc/resolv.conf, is one of the
variable files in /etc/.  ppp/pppconfig and pump both modify it, 
stomping on each other's changes if they are both used.  Neither
of them notifies DNS caches of available forwarders.

It is proposed that these problems be solved by means of the
following variable resolver configuration scheme.

* Symlink /etc/resolv.conf -> /run/resolvconf/resolv.conf
* Resolv.conf-like files are maintained for each i'face in
  /run/resolvconf/interface/ by the configurator of that i'face
* DNS cache configuration file fragments go in /run/<dnscache>/
* /sbin/update-resolver regenerates /run/resolvconf/resolv.conf
  and calls DNS cache update scripts in /etc/resolvconf/update.d/
  to update DNS cache configuration file fragments in
  /run/<dnscache>/

TODO -- done in EXPERIMENTAL resolvconf package -- latest version:
  http://panopticon.csustan.edu/thood/resolvconf_0.3.tar.gz
  http://panopticon.csustan.edu/thood/resolvconf_0.3_all.deb
  * resolvconf (to be integrated into libc6, home of the resolver)
    * Create /sbin/update-resolver="/etc/init.d/resolvconf reload"
    * Create /etc/init.d/resolvconf script to:
      * Write /run/resolvconf/resolv.conf which lists nameservers
        from /run/resolvconf/interface/* files
      * Do "run-parts /etc/resolvconf/update.d"
    * Symlink /etc/rcS.d/S39resolvconf -> /etc/init.d/resolvconf
  * ppp
    * Create script /etc/ppp/ip-up.d/resolvconf to:
      * Write the lines:
          nameserver $DNS1
          nameserver $DNS2
        to /run/resolvconf/interface/$PPP_IFACE
      * Then run update-resolver
    * Create script /etc/ppp/ip-down.d/resolvconf to:
      * Delete /run/resolvconf/interface/$PPP_IFACE
      * Then run update-resolver
  * bind
    * Create script /etc/resolvconf/update.d/bind to:
      * Convert /etc/bind/named.options.sed into
        /run/bind/named.options (which is to be included
        in /etc/bind/named.conf)
      * Then run "/etc/init.d/bind reload"

TODO
  * pppconfig
    * Modify /etc/ppp/ip-up.d/0dns-up, /etc/ppp/ip-down.d/0dns-down
      to call /sbin/update-resolver if available instead of futzing
      with /etc/resolv.conf
  * pump
    * Change /sbin/pump to:
      * Write resolv.conf info to /run/resolvconf/interface/pppX
        instead of to the current /etc/resolv.conf
      * Then run update-resolver
  * dhcp3-client
    * Change /etc/dhcp3/dhclient-script to:
      * Write resolv.conf info to /run/resolvconf/interface/$IFACE
        instead of to the current /etc/resolv.conf
      * Then run update-resolver
  * ifupdown
    * Allow nameservers to be listed in /etc/network/interfaces
      thus:
        nameserver a.b.c.d
      For each such nameserver:
      * Write to /run/resolvconf/interface/$IFACE the line
          nameserver a.b.c.d
      * Then run update-resolver
  * bind
    * Change the /etc/bind/named.conf file to include
      /run/bind/named.options 
    * Convert /etc/bind/named.conf.options into
      /etc/bind/named.options.sed
    * Change /etc/init.d/bind script to:
      * At the bottom of start(), write
          nameserver 127.0.0.1
        to /run/resolvconf/interface/lo
        and then run update-resolver
      * At top of stop(), delete /run/resolvconf/interface/lo
        and run update-resolver
  * dnscache
    * Something similar

#3. Read-only /
===============

If / is to be mounted read-only in normal use, files that are
modified in normal use cannot be stored in /etc/.

TODO, wishes filed
  * sysvinit
    #150355: Move motd to /var/lib/
    #188087 [DONE in 2.85-1]: Eliminate ioctl.save
  * util-linux
    #156489 [PENDING?]: Move adjtime out of /etc/
  * ppp
    #187756: Tolerate read-only /etc/
  * pppconfig
    #187810 [PENDING?]: Support read-only /etc/
    #187651: Make resolv.conf futzing optional
  * cupsys
    #187954 [PENDING]: Move printcap.cups under /var/

TODO 
  * ppp
    * Change /usr/sbin/pppd to:
      * Store pidfile in /run/, not in /var/run/
  * dhcp3-client
    * Change /sbin/dhclient to:
      * By default, store pidfile in /run/, not in /var/run/
  * ifupdown
    * Store ifstate in /run/network/, not in /etc/network/
  * diskless tools
    * "Fix"
  * sysvinit
    * Add support for mounting / read-only.
    * Add support for mounting /run/ as a separate filesystem.
    * The patches in #30446 and #186892 should be reviewed
      in implementing this.

WONTDO
  * linuxlogo
    #187953 [REJECTED?]: Do not store linuxlogo files in /etc/.
      The administrator will have to deal with linuxlogo files.
      

-- 
Thomas Hood <jdthood0@yahoo.co.uk>
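
The regeneration step proposed for update-resolver in section #2, as an added sketch that is not part of the original message or of the resolvconf package. The function name, the RUNDIR parameter (standing in for /run/resolvconf), the lexical ordering of interface files, the address filter and the sample addresses are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: merge per-interface nameserver files into one resolv.conf.
# RUNDIR stands in for /run/resolvconf so the sketch runs unprivileged.

# regen_resolv_conf RUNDIR (hypothetical name)
#   Merge "nameserver" lines from RUNDIR/interface/* into RUNDIR/resolv.conf.
regen_resolv_conf() {
    rundir=$1
    # Temp file in the same directory, so the final mv is an atomic rename:
    # a resolver reading the file never sees a half-written copy, and two
    # configurators can no longer stomp on each other's partial writes.
    tmp=$(mktemp "$rundir/resolv.conf.XXXXXX") || return 1
    chmod 644 "$tmp"    # mktemp creates 0600; resolv.conf must be world-readable
    {
        echo "# Generated from $rundir/interface/*; do not edit."
        for f in "$rundir"/interface/*; do
            # Regular files only; skip symlinks and the unmatched glob.
            { [ -f "$f" ] && [ ! -L "$f" ]; } || continue
            # Accept only "nameserver ADDR" where ADDR is made of characters
            # valid in IPv4/IPv6 literals; everything else is dropped.
            awk '$1 == "nameserver" && NF == 2 && $2 ~ /^[0-9A-Fa-f:.]+$/ { print $2 }' "$f"
        done | awk '!seen[$0]++ { print "nameserver " $0 }'   # dedupe, keep order
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$rundir/resolv.conf"
}

# Constructed demo tree (sample data, not from the original message).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir "$demo_dir/interface"
printf 'nameserver 127.0.0.1\n' > "$demo_dir/interface/lo"
printf 'nameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$demo_dir/interface/ppp0"
printf 'nameserver 192.0.2.53\nsearch example.net\nnameserver bad;host\n' \
    > "$demo_dir/interface/eth0"

regen_resolv_conf "$demo_dir"
cat "$demo_dir/resolv.conf"
```

Deleting an interface file and calling the function again models the ip-down case: the removed interface's nameservers disappear from the merged file.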


