Read/Write Root

Hi @SplitIce,

That is a good question. I’m afraid I don’t have an obvious answer.

Have you tried to remove the remount to see what breaks? If nothing breaks, it could be leftover from original dev/debug work. Although, I suspect it could be a requirement before moving the mount and using pivot_root.

But I don’t see an obvious reason why it can’t be remounted as read-only just before the exec into systemd.

When the OS runs, this mount becomes /mnt/sysroot/active, and is indeed left as read-write, while the OS container itself is mounted in / and is read-only.

Secure boot has come up in the past quite a few times.

Can you please elaborate a bit more about your approach and how you are going about prototyping it?
