%PDF- %PDF-
Direktori : /proc/self/root/etc/ |
Current File : //proc/self/root/etc/overlayroot.conf |
# This is the overlayroot config file # By default, overlayroot is not enabled. # To enable overlayroot: # 1) edit the 'overlayroot' definition below # 2) reboot # # Supported values: # * overlayroot=tmpfs or overlayroot=tmpfs:PARAMETERS # write all changes to a temporary (ram only) backing device # A tmpfs mount will be created, and usable filesystem can # grow to 1/2 available memory. # # available parameters: # * see COMMON PARAMETERS # # examples: # overlayroot=tmpfs # overlayroot=tmpfs:swap=1 # # * overlayroot=DEVICE or overlayroot=device:PARAMETERS # mount DEVICE as overlayfs and write changes there # device must already have kernel mountalbe filesystem on it. # # available parameters are: # * dev: default: "" [REQUIRED] # use given device for backing filesystem. # Note, 'overlayroot=/dev/vdb' is translated to # 'overlayrooot=device:dev=/dev/vdb' # * timeout: default: 0 # if 'dev' provided does not exist, wait up to many seconds for # it to appear. # * see COMMON PARAMETERS # # examples: # overlayroot=/dev/xvdb # overlayroot=/dev/vdb # overlayroot=device:dev=/dev/sdb,timeout=180 # overlayroot=device:dev=LABEL=my-flashdrive,timeout=180 # # * overlayroot=crypt:PARAMETERS # use an encrypted [dmcrypt] device as the backing device. Parameters # are comma delimited key=value pairs. # # available parameters are: # * dev: default: "" [REQUIRED] # use given device for backing filesystem. # * mapname: default: "secure" # the name of the map device to be created in /dev/mapper # * pass: default: "" # if not provided or empty, password is randomly generated # the generated password will be stored for recovery in # /run/initramfs/overlayroot.passwd # * fstype: default: "ext4" # mapname=mapper,pass=foo,fstype=ext4,mkfs=1 # * mkfs: default: 1 # 0: never create filesystem # 1: if pass is given and mount fails, create a new one # if no pass given, create new # 2: if pass is given and mount fails, fail # if no pass given, create new # * timeout: default: 0 # if 'dev' provided does not exist, wait up to many seconds for # it to appear. # * see COMMON PARAMETERS # # examples: # crypt:mapname=mapper,pass=foo,fstype=ext4,mkfs=1,dev=vdb # crypt:mapname=mapper,pass=foo,fstype=ext3,mkfs=1,dev=/dev/disk/by-label/my-jumpdrive,timeout=120 # crypt:dev=xvdb # # * overlayroot=disabled # if set explicitly to 'disabled', or an empty string, then # overlayroot will do nothing. # # # COMMON PARAMETERS: # The following parameters are supported for each of overlayroot= # values above. # * swap: default: 0 # allowed values: 0, 1 # indicate if swap partitions should be allowed. By default swap entries # are removed from /etc/fstab to disable swap. # Swap *files* are always disabled, independent of this setting. # # * recurse: default: 1 # allowed values: 0, 1 # indicate if all mounts should be made read-only, or just /. # if set to 1, then all filesystems will be mounted read-only. # if set to 0, only root will be set to read-only, and changes # to other filesystems will be permenant. For example, if # /home is on a separate partition from / and recurse set to 0 # then changes to /home will go through to the original device. # # * debug: default: 0 # allowed values: 0, 1 # enable debug output if set to 1 # # * dir: default: "/overlay" # the directory under the filesystem to use for writes # default is to use top level directory. For example, use # 'dir=my-tests/run1' and later 'dir=my-tests/run2' # # * driver: default: "auto" # This can be 'overlay' or 'overlayfs'. It will affect which filesystem # is used to provide the overlay and the entries in fstab. # The default value is almost certainly correct. # # overlayroot_cfgdisk: # * default: 'disabled' # If this variable is set, it references a disk/filesystem that # may exist, and include a 'overlayroot.conf' file in it's root directory # If a such a device exists, then it's overlayroot.conf file can # set overlayroot as above. # # examples: # * overlayroot_cfgdisk="LABEL=OROOTCFG" # * overlayroot_cfgdisk="/dev/vdb" # # Note: if you enable this setting, then you must be careful to be sure # that no filesystems are created that match this without your # knowledge. This is because code on that filesystem is executed # as root in the initramfs environment. # # Notes: # * This file is managed by dpkg as a conffile, so changes to it # will force dpkg config file prompts on package updates that contain a # change. Instead of putting changes here, put them in # /etc/overlayroot.local.conf # * you can pass the same 'overlayroot=' parameters on the kernel # command line, and they will override any values set here. # This includes 'overlayroot=' or 'overlayroot=disabled' to disable # a value set in this file. # * if you specify crypt:dev=/dev/vdb, then DATA WILL BE LOST # on /dev/vdb. A safer value would be to use # crypt:dev=/dev/vdb,pass=somepassword,mkfs=0 # However, you would then have to have previously set up the luks device. # Do that like the following: # $ MAPNAME="secure"; DEV="/dev/vdg"; PASSWORD="foobar" # $ sudo wipefs -a $DEV # $ printf "%s" "$PASSWORD" | # sudo cryptsetup luksFormat "${$DEV}" --key-file - # $ printf "%s" "$PASSWORD" | # sudo cryptsetup luksOpen "${DEV}" "${MAPNAME}" --key-file - # $ sudo mke2fs -t "ext4" "/dev/mapper/${MAPNAME}" # # Security Note: # IT IS INSECURE TO SET THIS PASSWORD HERE IN THIS CLEARTEXT CONFIGURATION # FILE OR ON THE KERNEL COMMAND LINE. # Randomly generated passwords are more secure, but you won't be able to # read your encrypted disk on reboot. # Randomly generated passwords are generated by calculating the sha512sum # of a concatenation of: # - stat -L /dev/* /proc/* /sys/* # + some unpredictability of access/modify times of a number of kernel # files, directories, and block devices # - /proc/sys/kernel/random/boot_id # + 16-bytes uuid, consider this a 'salt' # - /proc/sys/kernel/random/uuid # + 16-bytes uuid, consider this psuedo randomness # - /dev/urandom # + 4096-bytes of psuedo randomness # - $DEV # + 4096-bytes from the head of the disk # + security-paranoid users can write 4096-bytes of randomness to # this device and specify mkfs=1 before rebooting into an # crypt+overlayroot setup # The result is stored in r-------- /dev/.initramfs/overlayroot.XXXXXXX, # which is a tmpfs in memory. overlayroot_cfgdisk="disabled" overlayroot=""