Using NetworkManager with Readonly rootfs

I’m using AlmaLinux 9.2, and I would like to have the rootfs mounted readonly. I have found two issues with NetworkManager, that appear to be unrelated.

/etc/NetworkManager/system-connections/*.nmconnection
I want to be able to edit these files, so I have put them on another partition, and made /etc/NetworkManager a symlink to e.g. /data/etc/NetworkManager (or /etc/NetworkManager/system-connections as a symlink to /data/etc/NetworkManager/system-connections - it doesn’t appear to change my issue.) That works well as long as SELinux is permissive. Once I make it enforcing - NetworkManager refuses to follow the symlink. I have tried to set the selinux context, but still no luck.

/etc/resolv.conf
At startup, NetworkManager will parse the system-connections files, and try to create an /etc/resolv.conf file for the DNS. If the rootfs is readonly, this will obviously fail. So I made /etc/resolv.conf a symlink to /data/etc/resolv.conf - but that doesn’t work either, as NetworkManager will try to create a temporary file in /etc/ and then try to rename it to /etc/resolv.conf, which will fail.

Does anyone have any ideas of what to try next?

First a note. Alternative to symlink is bind-mount. Example fstab-entry:

/data/etc/NetworkManager/system-connections  /etc/NetworkManager/system-connections  none  bind  0 0

That does not resolve the SELinux issue.
You need proper SELinux contexts on the files in /data/etc/NetworkManager/system-connections.
Since files will be accessed only via /etc/NetworkManager/system-connections it might be enough to:

restorecon -rv  /etc/NetworkManager/system-connections

(Not sure whether symlink and mount behave the same.)


NetworkManager can be told to not touch /etc/resolv.conf.
See the options dns and rc-manager in man NetworkManager.conf.

1 Like
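As an added illustration of the answer above (this is example code of my own, not the poster's and not part of NetworkManager), the script below puts the two suggestions into a form that can be dry-run and checked before touching a real system: it writes a NetworkManager.conf drop-in that stops NetworkManager from writing /etc/resolv.conf, emits the bind-mount fstab entry for system-connections, and, on an SELinux host, compares each file's on-disk label with what the policy expects for its bind-mount path. Assumptions: the /data/etc/NetworkManager layout is the one from the question; rc-manager=unmanaged and dns=none are the [main] keys documented in man NetworkManager.conf; the drop-in directory /etc/NetworkManager/conf.d and the file name 90-readonly-rootfs.conf are my choice; the root prefix (NM_ROOT) exists only so the script can be exercised in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the forum thread or from NetworkManager.
# All paths under /data and the drop-in file name are assumptions (see lead-in).

nm_resolv_dropin() {
    # $1 = root prefix ("" for the live system, a temp dir for a dry run).
    # Writes the drop-in and prints its path.
    root="${1:-}"
    dir="$root/etc/NetworkManager/conf.d"
    mkdir -p "$dir"
    cat > "$dir/90-readonly-rootfs.conf" <<'EOF'
# Read-only rootfs: NetworkManager must not create/rename files in /etc.
[main]
# rc-manager=unmanaged: never write /etc/resolv.conf (man NetworkManager.conf)
rc-manager=unmanaged
# dns=none: do not update resolv.conf contents at all
dns=none
EOF
    printf '%s\n' "$dir/90-readonly-rootfs.conf"
}

nm_conf_get() {
    # $1 = ini-style file, $2 = section, $3 = key; prints the value,
    # exits 1 if the key is not present in that section. Comments are skipped.
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { gsub(/\[|\]|[ \t]/, ""); insec = ($0 == sec); next }
        insec && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

fstab_bind_entry() {
    # $1 = writable source directory, $2 = mount point on the read-only rootfs.
    printf '%s  %s  none  bind  0 0\n' "$1" "$2"
}

fstab_has_bind() {
    # $1 = fstab file, $2 = mount point; succeeds only if a bind entry exists for $2.
    awk -v mp="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == mp && $3 == "none" && $4 ~ /(^|,)bind(,|$)/ { ok = 1; exit }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

selinux_label_check() {
    # $1 = directory as seen through the bind mount. Compares each file's current
    # context (stat %C) with what the policy expects for that path (matchpathcon -n),
    # which is what "restorecon -rv <mount point>" would apply. Returns 1 on mismatch,
    # 2 when SELinux tooling is unavailable (e.g. when dry-running elsewhere).
    command -v matchpathcon >/dev/null 2>&1 || { echo "no SELinux tools" >&2; return 2; }
    rc=0
    for p in "$1" "$1"/*; do
        [ -e "$p" ] || continue
        want=$(matchpathcon -n "$p"); have=$(stat -c %C "$p")
        [ "$want" = "$have" ] || { echo "MISMATCH $p: $have (expected $want)"; rc=1; }
    done
    return $rc
}

# Stand-alone use: "sh this.sh apply" writes the drop-in under NM_ROOT (default: live
# system) and prints the fstab line to append; it never edits /etc/fstab itself.
case "${1:-}" in
    apply)
        nm_resolv_dropin "${NM_ROOT:-}"
        fstab_bind_entry /data/etc/NetworkManager/system-connections \
                         /etc/NetworkManager/system-connections
        ;;
esac
```

After the bind mount is active and restorecon has been run on the mount point, selinux_label_check /etc/NetworkManager/system-connections should print nothing and return 0; a non-zero return names the files whose label still reflects the /data path rather than the policy's expectation for /etc/NetworkManager/system-connections.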

Thanks!

I’ll give it a try with a bind mount instead of symlinks!

I completely missed the manpage of NetworkManager.conf. Thanks for the heads-up! That solves the problem of the /etc/resolv.conf at least.

I’m finally coming back to this, after over a month working on other issues. But I’m asking it as a separate question, as I have narrowed it down further.