From a9a7f700816bb30590a619815c3d296f7b2eb9b2 Mon Sep 17 00:00:00 2001
From: Andrew Walker
Date: Fri, 22 Sep 2023 13:55:14 -0700
Subject: [PATCH] Make more filesystem paths readonly

* Add new default dataset for /root
* Make /opt readonly
* Make / readonly

---
 truenas_install/__main__.py | 3 +++
 truenas_install/fhs.py      | 6 ++++++
 2 files changed, 9 insertions(+)

diff --git a/truenas_install/__main__.py b/truenas_install/__main__.py
index f2f2b214..4df2e85a 100644
--- a/truenas_install/__main__.py
+++ b/truenas_install/__main__.py
@@ -702,6 +702,9 @@ def main():
             run_command(["zfs", "set", f"mountpoint={mp}", this_ds])
             run_command(["zfs", "set", 'org.zectl:bootloader=""', this_ds])
 
+        run_command(["zfs", "set", "readonly=on", dataset_name])
+        run_command(["zfs", "snapshot", f"{dataset_name}@pristine"])
+
     except Exception:
         if old_bootfs_prop != "-":
             run_command(["zpool", "set", f"bootfs={old_bootfs_prop}", pool_name])
diff --git a/truenas_install/fhs.py b/truenas_install/fhs.py
index 18367ed4..2f219f71 100644
--- a/truenas_install/fhs.py
+++ b/truenas_install/fhs.py
@@ -119,7 +119,13 @@
     },
     {
         'name': 'opt',
+        'options': ['NOSUID', 'NOACL', 'RO'],
+        'snap': True
+    },
+    {
+        'name': 'root',
         'options': ['NOSUID', 'NOACL'],
+        'mode': 0o700,
         'snap': True
     },
     {
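Review bot: The `readonly=on` property and the `@pristine` snapshot are applied to `dataset_name` while the context lines just above operate on `this_ds`, and nothing in the hunk records why, so a reader cannot tell whether the lock is meant for the boot-environment root only or for every child dataset the preceding code visits. `readonly=on` is also an ordinary ZFS property that root can clear with `zfs set readonly=off`, so it is a guardrail against accidental writes rather than tamper resistance; the snapshot is what provides a verifiable baseline (`zfs diff` against `@pristine`), and that intent deserves a comment such as `# Lock the installed root dataset and record a baseline snapshot; runtime writes are expected in the separate datasets, not here.` If the snapshot call fails after the property was already set, the `except` branch visible here only restores `bootfs`, leaving the dataset readonly unless cleanup outside the hunk destroys it — worth confirming. `main()` begins and ends outside this hunk.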
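Review bot: The new `root` entry is the only one in view with an explicit `mode`, and nothing explains why it exists or why `0o700`: with the parent dataset going readonly (per the commit message), root's home has to be carved out as its own writable dataset, and `0o700` keeps it private because it typically holds `~/.ssh`, shell history and similar material. A comment above `'name': 'root'` along the lines of `# root's home: separate writable dataset now that / is readonly; 0o700 because it holds credentials and history` would capture that. It is also worth confirming that `mode` is enforced on the mountpoint after the dataset is mounted rather than on the underlying directory, since the mount would otherwise mask it — the code that consumes `mode` is not in this hunk. The list literal this entry belongs to starts and ends outside the hunk.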