noauto option ignored in /etc/fstab?

Josef Wolf jw at raven.inka.de
Wed Dec 6 09:58:54 UTC 2017


On Tue, Dec 05, 2017 at 12:40:31PM -0500, Tom H wrote:
> > I understand that grub wants to remember that the last boot was successful.
> >
> > But:
> > 1. It stores only an empty /boot/grub/grubenv (1024 bytes of '#' characters)
> > 2. shouldn't it undo what it has done? When it needs to mount an unmounted
> >    partition, it should umount this partition again when done.
> 
> I disable grub-common on my Ubuntu and Debian systems, so I don't
> really care what/where/how.

I thought grub is mandatory? How do you boot without grub? The days of lilo
are gone...

> I suspect that the great majority of Ubuntu installations "/boot" is
> always mounted, even if it's a separate filesystem but you could file
> an RFE to take your use-case into account.

My use-case is a completely encrypted laptop. Since /boot can't be encrypted,
I've implemented the following strategy to detect whether the boot partitions
were manipulated:

1. The following script is run regularly by cron:

   #! /bin/sh

   # Log directory (on the encrypted filesystem) and a per-run temp name;
   # $$ is the PID, so overlapping cron runs don't clobber each other.
   DIR=/m/md5log
   TMP=md5log-$$.tmp

   mkdir -p "$DIR"
   cd "$DIR" || exit 1

   # Hash the raw (unmounted) boot partitions.
   md5sum /dev/sda[123] >"$TMP"

   # Newest existing log; names carry an ISO timestamp, so they sort by date.
   LASTFILE=`ls md5log-*T* 2>/dev/null | tail -1`

   # Keep a new log only when the hashes changed since the last one.
   if cmp -s "$LASTFILE" "$TMP" ; then
       rm "$TMP"
   else
       mv "$TMP" md5log-`date -Iseconds`
   fi

2. Before booting, I check whether somebody messed with the boot partitions.
   I do this by booting a live-CD, cryptsetup+mount the partition with the
   logs, and running the following script:

   #! /bin/sh

   # Log directory is where this script lives (on the encrypted FS).
   DIR=`dirname "$0"`
   # Newest log; timestamped names sort chronologically.
   FILE=`find "$DIR" -name 'md5log-*' | sort | tail -1`
   [ -n "$FILE" ] || { echo "no md5log found in $DIR" >&2; exit 2; }

   # Compare a fresh hash of the raw partitions with the stored one.
   md5sum /dev/sda[123] | diff -qs -- - "$FILE"


Since the log files with the original md5sums are on an encrypted FS, nobody
can mess with the unencrypted partitions without me noticing it.

But this only works when the /boot partition is normally not mounted. This is
because mounting/umounting the partition will modify it.


Do you think this use case is considered to be "sane" by the Ubuntu-Gurus? Or
will they just call me paranoid ;-)

> >> [You might want to add "x-systemd.auto" to the "/boot" line in
> >> "/etc/fstab". "/boot" will be automounted when it's needed.]
> >
> > Will this umount the partition again when it's no longer needed?
> 
> You can add "x-systemd.idle-timeout=xxx" too.

I really see only one use case for /boot to be mounted: Upgrade of
grub/kernel/initrd. There's really no reason for /boot to remain mounted all
the time. When some script (in this case grubenv) wants to mount it, this
script should undo what it has done.

-- 
Josef Wolf
jw at raven.inka.de
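A per-partition version of the step-2 check, added here as an example that is not part of the mail above. It keeps the mail's log layout (md5sum output, one line per device, in files named md5log-<ISO timestamp>, newest sorting last); the function names, the awk lookup and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mail. Same log layout as the cron script:
# md5sum output, one "<hash>  <path>" line per device, in files named
# md5log-<ISO timestamp>. Function names and exit codes are assumptions.

# latest_log LOGDIR: print the newest md5log-*T* file, nothing if none exists.
latest_log() {
    find "$1" -maxdepth 1 -name 'md5log-*T*' 2>/dev/null | sort | tail -n 1
}

# compare_hashes BASELINE CURRENT: one line per baseline entry, "ok", "CHANGED"
# or "MISSING" (device absent from the current run). Returns 0 only if all ok.
compare_hashes() {
    baseline=$1; current=$2; rc=0
    while read -r hash path; do
        now=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$now" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$now" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        else
            echo "ok $path"
        fi
    done < "$baseline"
    return $rc
}

# check_boot LOGDIR DEVICE...: hash DEVICE... now and compare with the newest
# baseline in LOGDIR. Exit 0 all match, 1 something differs, 2 no baseline.
# Usage from the live CD: check_boot /m/md5log /dev/sda1 /dev/sda2 /dev/sda3
check_boot() {
    logdir=$1; shift
    base=$(latest_log "$logdir")
    if [ -z "$base" ]; then
        echo "no baseline in $logdir" >&2
        return 2
    fi
    tmp=$(mktemp) || return 2
    md5sum "$@" > "$tmp"
    compare_hashes "$base" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Unlike diff -qs on the whole file, this names the partition whose hash moved, which is what you want to know before deciding whether the change was your own kernel upgrade or something else.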
