Why does CoreOS have /usr as read-only? Is this only to make auto-update work fine?


Parag Gupta

Oct 23, 2019, 6:47:32 AM
to CoreOS Dev
Do we have any other reason and advantage to make /usr as read-only?
I know this is read-only to make auto-update work smoothly.
What are the other reasons for the same?

Nick Stielau

Oct 23, 2019, 8:34:45 AM
to coreo...@googlegroups.com
Mounting /usr read-only, and generally as much of the disk as possible, reduces security surface area and the possibility for configuration-drift across a fleet of servers.

See [1] for an example of a security vulnerability that was mitigated by the read-only disk.




--
-----
Nick Stielau
He - Him - His
SFO, OpenShift