Jonathan Billings
2016-Dec-16 19:29 UTC
[CentOS] Can't delete or move /home on 7.3 install
On Fri, Dec 16, 2016 at 10:17:21AM -0800, Glenn E. Bailey III wrote:
> This is a base install. If you deploy an instance in ec2 or GCE (ec2
> you can do the free tier) it's easily repeatable. Even on a RHEL 7.3
> instance. Note you'll need to allow root and password logins via SSH
> before attempting.

I can confirm this.

The culprit? NetworkManager has /home open. I can't figure out
*WHY*.

    # systemctl start NetworkManager.service
    # rmdir /home
    rmdir: failed to remove ‘/home’: Device or resource busy
    # systemctl stop NetworkManager.service
    # rmdir /home
    rmdir: failed to remove ‘/home’: Device or resource busy
    # systemctl stop NetworkManager.service
    # rmdir /home
    rmdir: failed to remove ‘/home’: Device or resource busy
    # systemctl kill NetworkManager.service
    # rmdir /home
    rmdir: failed to remove ‘/home’: Device or resource busy
    # rmdir /home

So it takes some time for all the parts of NetworkManager to die, but
eventually, they do and you can remove /home.

Unfortunately, I don't see any reason why /home would be in use by
NM. Very odd.

--
Jonathan Billings <billings at negate.org>
Glenn E. Bailey III
2016-Dec-20 18:39 UTC
[CentOS] Can't delete or move /home on 7.3 install
Confirmed as well, thanks! What's really odd is I didn't see
*anything* having a lock on /home, nada, zilch. We have a work-around
in place for this but I was beating my head against the wall trying to
figure it out.

On Fri, Dec 16, 2016 at 11:29 AM, Jonathan Billings <billings at negate.org> wrote:
> On Fri, Dec 16, 2016 at 10:17:21AM -0800, Glenn E. Bailey III wrote:
>> This is a base install. If you deploy an instance in ec2 or GCE (ec2
>> you can do the free tier) it's easily repeatable. Even on a RHEL 7.3
>> instance. Note you'll need to allow root and password logins via SSH
>> before attempting.
>
> I can confirm this.
>
> The culprit? NetworkManager has /home open. I can't figure out
> *WHY*.
>
> # systemctl start NetworkManager.service
> # rmdir /home
> rmdir: failed to remove ‘/home’: Device or resource busy
> # systemctl stop NetworkManager.service
> # rmdir /home
> rmdir: failed to remove ‘/home’: Device or resource busy
> # systemctl stop NetworkManager.service
> # rmdir /home
> rmdir: failed to remove ‘/home’: Device or resource busy
> # systemctl kill NetworkManager.service
> # rmdir /home
> rmdir: failed to remove ‘/home’: Device or resource busy
> # rmdir /home
>
> So it takes some time for all the parts of NetworkManager to die, but
> eventually, they do and you can remove /home.
>
> Unfortunately, I don't see any reason why /home would be in use by
> NM. Very odd.
>
> --
> Jonathan Billings <billings at negate.org>

--
"replicants are like any other machine. They're either a benefit or a
hazard. If they're a benefit, it's not my problem."
On Fri, Dec 16, 2016 at 02:29:28PM -0500, Jonathan Billings wrote:
> The culprit? NetworkManager has /home open. I can't figure out
> *WHY*.

NetworkManager.service has 'ProtectHome=read-only', which keeps NM from
writing there. I presume namespacing /home in this way counts against
unmounting it. This is a good security protection for everyone running
NM, so I can see it being worth the tradeoff vs. being able to move or
remove /home on a live system.

(It also has ProtectSystem=true, which mounts /usr and /boot read-only
as well.)

If you wanted to change this, drop ProtectHome=false into
/etc/systemd/system/NetworkMananger.service.d/override.conf (possibly
by using sudo systemctl edit foo NetworkMananger).

--
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader
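Added example, not part of any message in this thread: a shell function that lists processes living in a mount namespace other than PID 1's that have a mount at a given path, which is where a ProtectHome= bind mount of /home shows up even when nothing holds a file open there. The function name holders_of_mount and its optional second argument (an alternative proc root, used only so it can be run against a constructed tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find private mount namespaces that still hold a mount at
# a path. Run as root on a live system, e.g.:  sh holders.sh /home

holders_of_mount() {
    target=$1
    proc_root=${2:-/proc}   # assumption of this example: overridable for testing
    # The mount namespace of PID 1 is the reference ("host") namespace.
    host_ns=$(readlink "$proc_root/1/ns/mnt") || return 1
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/mountinfo" ] || continue
        ns=$(readlink "$dir/ns/mnt" 2>/dev/null) || continue
        # Processes sharing PID 1's namespace see the same mount table,
        # so they cannot be the hidden holder.
        [ "$ns" = "$host_ns" ] && continue
        # mountinfo: field 5 is the mount point, field 6 the mount options.
        opts=$(awk -v t="$target" '$5 == t { print $6; exit }' "$dir/mountinfo")
        [ -n "$opts" ] || continue
        name=$(cat "$dir/comm" 2>/dev/null) || name='?'
        # Output: PID, command name, namespace id, options of the private mount.
        printf '%s %s %s %s\n' "${dir##*/}" "$name" "$ns" "$opts"
    done
}

# Only act when a path is given on the command line.
if [ $# -gt 0 ]; then
    holders_of_mount "$@"
fi
```

A line whose options start with "ro" for /home points at a unit using ProtectHome=read-only; systemctl show -p ProtectHome,ProtectSystem on that unit confirms the setting.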
Glenn E. Bailey III
2016-Dec-20 19:20 UTC
[CentOS] Can't delete or move /home on 7.3 install
Yup, verified those options are *not* set in 7.2. For a quick test I
simply removed them from
/usr/lib/systemd/system/NetworkManager.service, did a systemctl
daemon-reload, restarted NetworkManager, logged back in as root, and
was able to whack /home (7.3).

On Tue, Dec 20, 2016 at 11:07 AM, Matthew Miller <mattdm at mattdm.org> wrote:
> On Fri, Dec 16, 2016 at 02:29:28PM -0500, Jonathan Billings wrote:
>> The culprit? NetworkManager has /home open. I can't figure out
>> *WHY*.
>
> NetworkManager.service has 'ProtectHome=read-only', which keeps NM from
> writing there. I presume namespacing /home in this way counts against
> unmounting it. This is a good security protection for everyone running
> NM, so I can see it being worth the tradeoff vs. being able to move or
> remove /home on a live system.
>
> (It also has ProtectSystem=true, which mounts /usr and /boot read-only
> as well.)
>
> If you wanted to change this, drop ProtectHome=false into
> /etc/systemd/system/NetworkMananger.service.d/override.conf (possibly
> by using sudo systemctl edit foo NetworkMananger).
>
> --
> Matthew Miller
> <mattdm at fedoraproject.org>
> Fedora Project Leader

--
"replicants are like any other machine. They're either a benefit or a
hazard. If they're a benefit, it's not my problem."
On Tue, Dec 20, 2016 at 02:07:03PM -0500, Matthew Miller wrote:
> If you wanted to change this, drop ProtectHome=false into
> /etc/systemd/system/NetworkMananger.service.d/override.conf (possibly
> by using sudo systemctl edit foo NetworkMananger).

Sorry, no "foo" - that was a cut-paste error. And as Jonathan says,
make sure to spell NetworkManager right. :)

    sudo systemctl edit NetworkManager

--
Matthew Miller
<mattdm at fedoraproject.org>
Fedora Project Leader