compatibility between ostree and fscrypt

[ramcq]

I am experimenting with fscrypt integrated into Endless OS (endlessos.com), an ostree (https://ostree.readthedocs.io/en/latest/) managed Linux system. When booted by the ostree module in the initrd, a root filesystem is selected from /ostree/deploy/yada... and ends up being bind mounted as / (typically read-only) and the original filesystem / is copied to /sysroot.

In many cases ostree uses a symlink from / to /var or /sysroot for things like /home and /root which are expected to be mutable and persist across OS deployments, so my first idea was to add a .fscrypt symlink to sysroot/.fscrypt - which works provided I have invoked setup on the /sysroot path - however if I have not, and I attempt to call setup on / with a dangling symlink, it tries to set up in / and fails due to the path existing (as a dangling symlink).

So; two possible approaches - in the case of a dangling symlink, follow to the target and go there to create the dir - or detect ostree booted systems by checking for /run/ostree-booted and switching the metadata path for / to /sysroot automatically. Any thoughts/preferences?

[ebiggers]

I've implemented the solution where /.fscrypt can be a symlink that points to a writable location: #150. Does this work for you?

[ramcq]

Reading through the code, this looks ideal. Thanks for your help on this and your work on fscrypt in general! Much appreciated. I'll add testing it to my todo list - understandably it's a little precarious to do so on my normal system.

[ramcq]

I've tested in a VM, this works great. Thanks!