noauto option ignored in /etc/fstab?
Tom H
tomh0665 at gmail.com
Wed Dec 6 14:31:43 UTC 2017
On Wed, Dec 6, 2017 at 4:58 AM, Josef Wolf <jw at raven.inka.de> wrote:
> On Tue, Dec 05, 2017 at 12:40:31PM -0500, Tom H wrote:
>>> I understand that grub wants to remember that the last boot was successful.
>>>
>>> But:
>>> 1. It stores only an empty /boot/grub/grubenv (1024 bytes of '#' characters)
>>> 2. shouldn't it undo what it has done? When it needs to mount an unmounted
>>> partition, it should umount this partition again when done.
>>
>> I disable grub-common on my Ubuntu and Debian systems, so I don't
>> really care what/where/how.
>
> I thought grub is mandatory? How do you boot without grub? The days of lilo
> are gone...
If I have grub installed, I disable the grub-common boot script but
grub isn't mandatory.
You can use syslinux on both BIOS and EFI.
You can use refind on EFI.
You can use systemd-boot on EFI. This is what I use, even on systems
where I'm booting with sysvinit or upstart. AFAIK, Ubuntu hasn't
integrated it so you have to grab the executable from
"/usr/lib/systemd/boot/efi/systemd-bootx64.efi" and set up the menu
entries manually. It can only read vfat filesystems; that's why my ESP
is mounted at "/boot" and why "/boot" is formatted as vfat.
>> I suspect that in the great majority of Ubuntu installations "/boot" is
>> always mounted, even if it's a separate filesystem, but you could file
>> an RFE to take your use-case into account.
>
> My use-case is a completely encrypted laptop. Since /boot can't be encrypted,
> I've implemented the following strategy to detect whether the boot partitions
> were manipulated:
>
> 1. The following script is run regularly by cron:
>
> #! /bin/sh
>
> # Directory (on the encrypted FS) holding the checksum logs
> DIR=/m/md5log
> TMP=md5log-$$.tmp
>
> mkdir -p "$DIR"
> cd "$DIR" || exit 1
>
> # Checksum the raw, unencrypted partitions
> md5sum /dev/sda[123] >"$TMP"
>
> # Newest timestamped log (empty on the very first run)
> LASTFILE=`ls md5log-*T* 2>/dev/null | tail -1`
>
> # Keep the new record only if the checksums changed
> if cmp -s "$LASTFILE" "$TMP" ; then
> rm -f "$TMP"
> else
> mv "$TMP" "md5log-`date -Iseconds`"
> fi
>
> 2. Before booting, I check whether somebody messed with the boot partitions.
> I do this by booting a live-CD, cryptsetup+mount the partition with the
> logs, and running the following script:
>
> #! /bin/sh
>
> # Compare the current partition checksums against the newest log,
> # which lives next to this script on the encrypted FS
> DIR=`dirname "$0"`
> FILE=`find "$DIR" -name 'md5log-*' | sort | tail -1`
>
> md5sum /dev/sda[123] | diff -qs -- - "$FILE"
>
> Since the log files with the original md5sums are on an encrypted FS, nobody
> can mess with the unencrypted partitions without me noticing it.
>
> But this works only when the /boot partition is normally not mounted. This is
> because mounting/umounting the partition will modify it.
>
> Do you think this use case is considered to be "sane" by the Ubuntu-Gurus? Or
> will they just call me paranoid ;-)
This is an interestingly paranoid use-case :)
But this isn't what I meant. I meant that your use-case was not to
have "/boot" mounted and that your RFE would be to unmount "/boot" at
the end of the grub-common execution if "/boot" was previously
unmounted. I'm not sure whether they'd care why you want "/boot"
unmounted; it was a common MO years ago but it seems to have been
forgotten these days. It comes down to whether the grub maintainer
wants to write and maintain the extra scripting.
>>>> [You might want to add "x-systemd.automount" to the "/boot" line in
>>>> "/etc/fstab". "/boot" will be automounted when it's needed.]
>>>
>>> Will this umount the partition again when it's no longer needed?
>>
>> You can add "x-systemd.idle-timeout=xxx" too.
>
> I really see only one use case for /boot to be mounted: Upgrade of
> grub/kernel/initrd. There's really no reason for /boot to remain mounted all
> the time. When some script (in this case grubenv) wants to mount it, this
> script should undo what it has done.
It would allow you to avoid the RFE. You could set
"x-systemd.idle-timeout=60" (for example) and "/boot" would be
unmounted 60 seconds after the end of grub-common's execution.
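As an added example, not part of this thread, the record/verify pair below implements the same scheme as Josef's two scripts in a form that can be run against any list of devices or files: one function is the cron half (record a checksum log only when something changed), the other is the live-CD half (compare the current checksums with the newest log). It swaps md5sum for sha256sum, handles the "no baseline yet" and "nothing changed" cases explicitly, and, instead of /dev/sda[123], checksums three small sample files constructed by make_sample; the function names and the sumlog-* naming are this example's own.

```shell
#!/bin/sh
# Added example: baseline/verify pair for unencrypted boot partitions.
# Assumes POSIX sh plus sha256sum, cmp, diff and GNU/BSD date.
set -u

# Construct three sample "partitions" under $1/parts (stand-ins for
# /dev/sda1..3) and an empty log directory under $1/log.
make_sample() {
    dir=$1
    mkdir -p "$dir/parts" "$dir/log"
    printf 'bootloader stage 1\n' > "$dir/parts/sda1"
    printf 'vmlinuz + initrd\n'   > "$dir/parts/sda2"
    printf 'luks header\n'        > "$dir/parts/sda3"
}

# Newest timestamped log in $1, or nothing if no baseline exists yet.
newest_log() {
    ls "$1"/sumlog-*T* 2>/dev/null | sort | tail -n 1
}

# Cron half: record <logdir> <target>...
# Returns 0 when a new log was written, 1 when the checksums are unchanged.
record() {
    logdir=$1; shift
    mkdir -p "$logdir"
    tmp="$logdir/.sumlog-$$.tmp"      # hidden, so newest_log never picks it up
    sha256sum "$@" > "$tmp"
    last=$(newest_log "$logdir")
    if [ -n "$last" ] && cmp -s "$last" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$logdir/sumlog-$(date -u +%Y-%m-%dT%H%M%SZ)"
    return 0
}

# Live-CD half: verify <logdir> <target>...
# Returns 0 when the targets match the newest log, 1 on mismatch,
# 2 when there is no baseline to compare against.
verify() {
    logdir=$1; shift
    last=$(newest_log "$logdir")
    if [ -z "$last" ]; then
        echo "no baseline found in $logdir" >&2
        return 2
    fi
    sha256sum "$@" | diff -q -- - "$last" >/dev/null
}
```

Run record from cron on the live system with the real device nodes as targets and a log directory on the encrypted filesystem; run verify from the rescue system after unlocking and mounting that filesystem. Both functions pass the target paths to sha256sum in the same order, so the recorded and current output line up field for field.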