We have had a lot of internal discussion, so I will try to summarize things a bit here.
The basic problem is that in the initrd, [email protected] (whether generated by dracut or by systemd-import-generator) pulls images into /run/machines [1]. Then, depending on the exact command line, dracut or systemd-fstab-generator creates sysroot.mount, which is set up as a bind mount of /run/machines/root to /sysroot. That means /sysroot inherits the mount options of /run, which include nosuid etc. We obviously do not want to change the mount options of /run just to accommodate this, so that means /sysroot needs to be remounted after the initial bind mount to drop nosuid etc.

For now, we decided this should be addressed in dracut with a oneshot service. Long term, we hope to find a better fix in systemd -- it's just not obvious how this should be done exactly, and will likely involve coordination between a couple of systemd generators to handle rd.systemd.pull=, root=, rootflags=, etc.

[1] NOTE: outside of the initrd, systemd-import-generator would use /var/lib/machines instead. The choice of pulling images into /run is deliberate, because it survives the switch root, whereas /var/lib does not.

** Changed in: systemd (Ubuntu)
       Status: New => Triaged

** Changed in: systemd (Ubuntu)
   Importance: Undecided => Medium

** Changed in: systemd (Ubuntu)
     Assignee: (unassigned) => Nick Rosbrook (enr0n)

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2146342

Title:
  cloud-initramfs-rooturl: Root filesystem mounted with `nosuid` in
  dracut port, breaking `setuid` binaries like `sudo`

To manage notifications about this bug go to:
https://bugs.launchpad.net/dracut/+bug/2146342/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
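The mechanism described in the comment above, as an added example that is not part of the bug thread and not code from dracut or systemd: it reads the per-mountpoint flags of /sysroot out of a mountinfo record, shows that the bind mount carries the nosuid/nodev/noexec flags copied from /run, and writes the kind of oneshot unit that would remount /sysroot alone to clear them. The mountinfo text is constructed to look like an initrd after sysroot.mount has started; the unit name `sysroot-remount-suid.service`, its ordering against `initrd-root-fs.target`, and the `DRY_RUN` switch are this example's own choices.

```shell
#!/bin/sh
# Added example for this bug thread (not code from dracut, systemd or the
# bug reporter). It shows (1) how to read the per-mountpoint flags of
# /sysroot from /proc/self/mountinfo, (2) that the bind mount inherits
# nosuid/nodev/noexec from /run, and (3) the remount a oneshot service
# would run to clear them on /sysroot only. The mountinfo text below is
# constructed to mimic an initrd after sysroot.mount has been started.

SAMPLE_MOUNTINFO='22 1 0:21 / /run rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,mode=755
40 22 0:21 /machines/root /sysroot rw,nosuid,nodev,noexec,relatime shared:5 - tmpfs tmpfs rw,mode=755
41 1 8:1 / /boot rw,relatime shared:6 - ext4 /dev/sda1 rw'

# Per-mountpoint options are field 6 of mountinfo (field 5 is the mountpoint);
# these are the VFS flags a bind mount copies from its source when created.
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$5 == mp { print $6; exit }'
}

# Exit status 0 when the mountpoint carries nosuid, 1 otherwise.
mount_has_nosuid() {
    case ",$(mount_opts "$1" "$2")," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# The command that clears the inherited flags. remount,bind replaces the
# per-mountpoint flag set wholesale, so the flags to keep are named
# explicitly; /run itself keeps nosuid,nodev,noexec.
fix_cmd() {
    printf 'mount -o remount,bind,suid,dev,exec %s' "$1"
}

# Check a mountpoint and either print or run the fix. With DRY_RUN=1 (the
# default here) nothing is mounted, so the script is safe to run anywhere.
ensure_suid_allowed() {
    mi="$1"; mp="$2"
    if mount_has_nosuid "$mi" "$mp"; then
        echo "$mp has nosuid (options: $(mount_opts "$mi" "$mp"))"
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $(fix_cmd "$mp")"
        else
            $(fix_cmd "$mp")
        fi
    else
        echo "$mp already allows setuid"
    fi
}

# Write a oneshot unit of the kind dracut could ship: it runs after
# sysroot.mount and before the initrd hands over to the root filesystem.
# Unit name and ordering are this example's choice, not dracut's; how the
# unit gets enabled (dracut module symlink) is outside this example.
write_fix_unit() {
    dir="$1"
    cat > "$dir/sysroot-remount-suid.service" <<'EOF'
[Unit]
Description=Drop nosuid/nodev/noexec inherited by /sysroot from /run
DefaultDependencies=no
After=sysroot.mount
Before=initrd-root-fs.target
ConditionPathIsMountPoint=/sysroot

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/mount -o remount,bind,suid,dev,exec /sysroot
EOF
    echo "$dir/sysroot-remount-suid.service"
}

ensure_suid_allowed "$SAMPLE_MOUNTINFO" /sysroot   # reports nosuid, prints the fix
ensure_suid_allowed "$SAMPLE_MOUNTINFO" /boot      # no nosuid, nothing to do
```

On a real initrd the same check reads `$(cat /proc/self/mountinfo)` instead of the constructed text and runs with `DRY_RUN=0`; the point of naming `suid,dev,exec` in the remount is that only /sysroot's own flag set changes, so /run stays hardened.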
