ostree /boot on a separate partition

We're using OSTree on an embedded Linux board, with rootfs produced by Yocto using meta-updater, and U-Boot as a bootloader. Now we need to encrypt root partition with LUKS, meaning that boot artifacts have to reside on a separate boot partition (since root partition will be encrypted).

However I can't figure out what is the proper way make OSTree work with /boot on another partition. Apparently it has to do something with symlinks, or so it seems from PR #2149 and also ostree-prepare-root.c file, but I don't quite get it.. Manually mounting boot partition under /sysroot/boot inside initrd seems to work but looks like an ugly workaround, or?

Jan 03 '23 21:01 vnd

Hi, https://github.com/ostreedev/ostree/pull/2705 should help a lot with this. Can you give it a try?

Jan 12 '23 01:01 cgwalters

Hi @vnd, did you manage how to move the /boot directory under another partition? I have the same setup and same requirements and I'm struggling finding a way to do this... Seems to me that to have the separate boot part, the ostree filesystem has to be prepared with /boot mounted from a separated boot part...but for good reasons meta-updater prepares the ostree filesystem with /boot and /ostree on same partition

Sep 20 '23 14:09 msalvinik

@msalvinik we ended up with this:

copy data from ostree 'boot' folder to the boot partition at the end of board flashing process
mount boot partition to '/sysroot/boot' inside initramfs, just before 'ostree-prepare-root /sysroot'

Sep 20 '23 15:09 vnd

thanks for sharing that @vnd, works like a charm

Sep 21 '23 13:09 msalvinik

@vnd I would add just another little bit of information. Also the following setup works:

copy data from ostree 'boot' folder to the boot partition at the end of board flashing process, AND remove the ostree 'boot' folder
mount boot partition to /boot during init system startup using /etc/fstab, instead of doing it in initramfs

Sep 25 '23 09:09 msalvinik