From a31af91592fdcc3d96abc951fac4770468760033 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Tue, 18 Jun 2024 15:56:56 -0400 Subject: [PATCH] coreos-ignition-setup-user: remount /usr rw if needed systemd v256 now runs the initrd with `ProtectSystem=yes`, which makes `/usr` read-only: https://github.com/systemd/systemd/blob/07748c53df5a72111d8b3eef49d275210d6018cd/NEWS#L168-L175 This breaks coreos-ignition-setup-user which wants to copy the Ignition config to `/usr/lib/ignition`. I think the right fix for this is to have Ignition learn to also source from `/etc` and `/run`, which is the standard nowadays: https://github.com/coreos/ignition/issues/1891 But for now at least, we can safely remount `/usr` read-write ourselves without affecting the rest of the system since we're already running with `MountFlags=slave`.
---
 .../35coreos-ignition/coreos-ignition-setup-user.sh | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.sh b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.sh
index efc8cc7612..a48dc1e6b3 100755
--- a/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.sh
+++ b/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-ignition-setup-user.sh
@@ -14,6 +14,13 @@ copy_file_if_exists() {
 destination=/usr/lib/ignition
 mkdir -p $destination
 
+# systemd v256 now runs the initrd with ProtectSystem=yes, which makes /usr
+# read-only. Just remount it rw until we have:
+# https://github.com/coreos/ignition/issues/1891
+if [ ! -w /usr ]; then
+ mount -o rw,remount /usr
+fi
+
 if is-live-image; then
 # Live image. If the user has supplied a config.ign via an appended
 # initrd, put it in the right place.
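Review bot: The remount block is added after the context line `mkdir -p $destination`, so on a read-only /usr that mkdir still runs first and fails if /usr/lib/ignition is not already present; if the script runs under `set -e` (not visible in this hunk) it would abort before the remount is reached. Moving the `if [ ! -w /usr ]; then ... fi` block above the mkdir removes that ordering dependency. The remount also lifts the ProtectSystem read-only guarantee for all of /usr for the rest of the script, not just for /usr/lib/ignition, and per the commit message its containment depends on the unit's `MountFlags=slave`, which the in-code comment does not mention. I would record that next to the mount call, e.g. `# Relies on MountFlags=slave in the unit so the rw remount stays in this service's mount namespace.`, so a later unit change does not silently turn this into a system-wide writable /usr.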