Red Hat SummitChapter 10. Creating root level directories and symlinks at runtime with image mode for RHEL
As a privileged user, you can create dynamic, top-level mountpoints at runtime while the filesystem remains read-only by default by using the transient-ro option. This is useful for applications that require bind-mount host paths that can be platform-specific or dynamic.
This feature addresses the following use cases:
- Applications that require specific, absolute host paths for bind-mounts.
-
Platforms that require specific mountpoints, for example,
/users. - Requirement to create dynamic mountpoints after deployment, but before an application starts.
- A security requirement to keep the root filesystem read-only for all regular processes.
10.1. Working of the transient-ro true option
Enable the transient-ro=true option in Red Hat Enterprise Linux bootc images to implement stateless deployments. This configuration directs file system writes to temporary storage, discarding runtime changes upon system reboot.
The following workflow describes the boot process changes:
transient-ro=truemounts theoverlayfsupper directory inread-onlymode by default.-
With this, a privileged process, such as
rootor asystemdservice, can remount the root filesystem asread-write, but only within a new, private mount namespace.
-
With this, a privileged process, such as
- Within the private namespace, the process can perform changes, such as creating new top-level directories to serve as mountpoints.
- The mountpoints persist for the current boot, but do not persist through reboots or upgrades.
-
All other regular processes on the system continue to see the original, unmodified,
read-onlyroot filesystem.
For security reasons, only privileged users (root) can create these mountpoints:
- The mountpoints are transient and do not persist across reboots.
-
The filesystem remains
read-onlyfor non-privileged processes.
Because of a limitation in util-linux, you must set the LIBMOUNT_FORCE_MOUNT2=always environment variable when you perform mount operations with the transient-ro option. This variable affects the mount namespace functionality that transient-ro requires.
10.2. Creating dynamic mountpoints with transient-ro
As a root user, you can use the bootc root.transient-ro feature to build a transient overlay on top of the root file system that is read-only by default, create dynamic top-level mountpoints, and remount the filesystem as read-write when needed.
When using the root.transient-ro feature, to ensure applications can properly access host directories and create necessary mountpoints on read-only filesystems, several considerations apply:
- Applications need to bind-mount host directories that match the host’s absolute paths.
-
Platform-specific mountpoints are required, such as
/Userson macOS. - Creation of dynamic mount points after deployment but before application startup.
-
The filesystem remains
read-onlyfor regular processes.
Prerequisites
-
The
container-toolsmeta-package is installed.
Procedure
Create a
transient-root-example.serviceservice to create the directory withreadandwritepermissions. In the following example,/etc/afsexists.[Unit] Description=Transient Root Example - Dynamic Mount Point Creation After=local-fs.target ConditionPathExists=/etc/afs DefaultDependencies=no [Service] Type=oneshot RemainAfterExit=yes MountFlags=slave # LIBMOUNT_FORCE_MOUNT2=always is required for mount command compatibility # See: https://github.com/util-linux/util-linux/issues/3171 Environment=LIBMOUNT_FORCE_MOUNT2=always ExecStart=/usr/bin/bash -c "echo 'Transient root example: Detected /etc/afs, remounting root as read-write'; mount -o remount,rw /; mkdir -p /afs; echo 'Created /afs directory for AFS mount point'" [Install] WantedBy=multi-user.targetAdd the following configuration to the ContainerFile:
# Copy the systemd service unit that demonstrates dynamic mount point creation # The service will: # 1. Check for existence of /etc/afs (ConditionPathExists) # 2. Use MountFlags=slave for proper mount propagation # 3. Set LIBMOUNT_FORCE_MOUNT2=always for mount command compatibility # 4. Remount root as read-write and create /afs directory when triggered COPY transient-root-example.service /usr/lib/systemd/system/ # Enable the service to start automatically on boot RUN systemctl enable transient-root-example.serviceTo enable the
transient-rooption during the container build process, create the following configuration to the/usr/lib/ostree/prepare-root.conffile inside the image:RUN echo -e '[root]\ntransient=true' > /usr/lib/ostree/prepare-root.conf && \ set -x; kver=$(cd /usr/lib/modules && echo *); dracut -vf /usr/lib/modules/$kver/initramfs.img $kverNoteWhen you make changes to the file system configuration, you must regenerate the initramfs image.
Build the bootc image with the transient root file system:
$ podman build --cap-add SYS_ADMIN -t transient-root-ro:test .This adds the
SYS_ADMINcapability thatbootcrequires forostreeoperations during the build.
Verification
Verify that
transient-ro = trueconfiguration file was correctly set in the built image:$ podman run --rm transient-root-ro:test cat /usr/lib/ostree/prepare-root.confYou can see an output similar to the following:
[root] transient-ro = trueOn the running system, verify the runtime functionality:
- Boot the image.
Create the
/etc/afstest directory.$ sudo mkdir -p /etc/afsRestart the service to trigger dynamic mount point creation:
$ systemctl restart transient-root-example.serviceThe service remounts root as
read-writeand creates the/afsdirectory.
To test the functionality without a
systemdservice, create a test directory as root on the running system:$ sudo export LIBMOUNT_FORCE_MOUNT2=always $ sudo unshare -m -- /bin/sh -c 'mount -o remount,rw / && mkdir /transient-test'Verify if the directory was created:
$ sudo ls -d /transient-test /transient-testVerify the
read-onlystatus for other processes by attempting to write to the root filesystem:$ touch /another-test-file touch: cannot touch '/another-test-file': Read-only file system
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}