Skip to content

Commit 242f076

Browse files
gursewak1997gursewak1997
authored
Merge pull request #1470 from gursewak1997/add-docs-transient-ro
docs: add documentation for root.transient-ro feature
2 parents e72aed0 + 4407a37 commit 242f076

File tree

1 file changed

+48
-0
lines changed

1 file changed

+48
-0
lines changed

docs/src/filesystem.md

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -213,6 +213,54 @@ More on prepare-root: <https://ostreedev.github.io/ostree/man/ostree-prepare-roo
213213

214214
Note that regenerating the initramfs is required when changing this file.
215215

216+
## Dynamic mountpoints with transient-ro
217+
218+
The `transient-ro` option allows privileged users to create dynamic toplevel mountpoints
219+
at runtime while keeping the filesystem read-only by default. This is particularly useful for
220+
applications that need to bind mount host paths that may be platform-specific or dynamic.
221+
222+
### Use cases
223+
224+
This feature addresses scenarios where:
225+
226+
- Applications need to bind mount host directories that match the host's absolute paths
227+
- Platform-specific mountpoints are required (e.g., `/Users` on macOS)
228+
- Dynamic mountpoints need to be created after deployment but before application startup
229+
- The filesystem should remain read-only for regular processes
230+
231+
### Configuration
232+
233+
To enable this feature, add the following to `/usr/lib/ostree/prepare-root.conf`:
234+
235+
```toml
236+
[root]
237+
transient-ro = true
238+
```
239+
240+
### How it works
241+
242+
When `transient-ro=true` is set:
243+
244+
1. The overlayfs upper directory is mounted read-only by default
245+
2. Privileged processes can remount it as writable only in a new mount namespace, and perform arbitrary changes there, such as creating new toplevel mountpoints
246+
3. These mountpoints persist for the current boot but do not survive reboots or upgrades
247+
4. Regular processes continue to see a read-only filesystem
248+
249+
A privileged process can achieve this using standard Linux commands. For example:
250+
251+
```bash
252+
# unshare -m -- /bin/sh -c 'mount -o remount,rw / && mkdir /new-mountpoint'
253+
```
254+
255+
### Example: Podman machine integration
256+
257+
A common use case is with `podman machine` on macOS, where the VM needs to bind mount
258+
host paths like `/Users/username` into the VM. With `transient-ro`, the system can:
259+
260+
1. Create the `/Users` directory dynamically at runtime
261+
2. Bind mount the host's `/Users` directory to the VM's `/Users`
262+
3. Keep the rest of the filesystem read-only for security
263+
216264
## Enabling transient etc
217265

218266
The default (per above) is to have `/etc` persist. If however you do

0 commit comments

Comments
 (0)