Mailinglist Archive: opensuse-factory (608 mails)

< Previous Next >
Re: [opensuse-factory] [PLEASE SPEAK UP] Disabling legacy file systems by default?
On 1/30/19 2:28 PM, Per Jessen wrote:
Martin Wilck wrote:

On Wed, 2019-01-30 at 20:05 +0100, Per Jessen wrote:
Martin Wilck wrote:

SUSE will blacklist a number of legacy and/or less frequently used
file systems by default on SLES for security reasons.

The proposed list can be seen here:


https://github.com/openSUSE/suse-module-tools/pull/5/commits/8cb42fb6658f210cb8c955d584a65f7b041c0575

The question is now whether we should do the same for openSUSE.
I figure that while the above list is probably not controversial
for
enterprise customers, openSUSE users may have objections to some
items on the list. Please speak up if you do.
In any case, note that even if we do this, you can re-enable the
filesystems you need by simply commenting out lines in the
blacklist
file.

As long as we can continue using those filesystems during an
installation (not necessarily YaST supported), I see no issue.

Which of these would you want to use during installation?

Sorry, I should have been specific. jfs is the only one.

The proposed config file have nothing to do with YaST, they'd
generally disable autoloading of filesystem modules.

Right, that's how I understood it too.

If you wanted to use this during installation, you'd need to use a
DUD, or hand-edit the modprobe configuration during installation.

What we do is PXE boot a network install system, access by ssh, then
format whatever we need manually, then start up yast. As long as jfs
would be available at that point, I'm happy.

This only affects module autoloading, so if you're already in a shell
environment and creating file systems by hand, just 'modprobe jfs'
first. That doesn't consult the blacklist and will load the module
normally. Then, before reboot, modify the blacklist and rebuild the
initrd. This is assuming you're using it as a root fs. If it's not the
root, it'll be enough to modify the blacklist.

At least that's how it would work with my PR.

Martin and I were talking offline about how to take into account some of
the criticisms and suggestions on this thread. The solution we came up
with was to use one file per blacklist entry, where removing the
blacklist entry would mean just truncating the file or commenting its
comments. We discussed a postinstall script doing that automatically
for file systems in /proc/filesystems (ie: modules already loaded). So,
if that works out, the only changes required to your workflow would be
to modprobe the jfs module manually before the first mount after mkfs.

-Jeff

--
Jeff Mahoney
SUSE Labs
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx

< Previous Next >
Follow Ups