Weblog entry #1 for endecotp

Making root filesystem read-only : lost HowTo?
Posted by endecotp on Fri 4 May 2007 at 00:06
Tags: none.
Once upon a time I'm sure there used to be a "how to make your (Debian?) root filesystem read-only" document. As I recall, the guy responsible for it had submitted quite a few bugs / patches to move everything that prevented the root filesystem from being read-only into /var.

Now that I come to look for it, I can't find it.

If anyone knows what I'm talking about, please point me in the right direction. Thanks!


 

Comments on this Entry

Posted by Steve (80.68.xx.xx) on Fri 4 May 2007 at 15:22
[ View Steve's Scratchpad | View Weblogs ]

This search seems to have a couple of good results.

Steve

[ Parent | Reply to this comment ]

Posted by endecotp (86.6.xx.xx) on Fri 4 May 2007 at 15:39
[ View Weblogs ]
Steve - google("read only root filesystem linux") is naturally the first thing I tried. The document that I remember is not listed.

[ Parent | Reply to this comment ]

Posted by Steve (80.68.xx.xx) on Fri 4 May 2007 at 15:42
[ View Steve's Scratchpad | View Weblogs ]

There might be more specific guides that you're thinking of which I've not spotted, but most of the steps seemed to be included in the gentoo guide at the top of the results.

It would be nice to have a guide to follow, but I'd guess that it would be a simple enough process. Maybe you could even write it up afterwards ;)

I think most of it will be fairly basic steps, things like /etc/mtab, et al. Probably the easiest approach is to mount / read-only, reboot, and see what fails!

Steve

[ Parent | Reply to this comment ]

Posted by endecotp (86.6.xx.xx) on Fri 4 May 2007 at 16:08
[ View Weblogs ]
Right, I have poked around in bugs.debian.org and I'm pretty confident that the author of the document that I recall was Thomas Hood, and indeed the Gentoo document that google finds says that it is based on his document for Debian. Some more searching found this URL:

http://panopticon.csustan.edu/thood/readonly-root.html

It was linked to from Debian Weekly News in 2003. But that 404s, and there's nothing in web.archive.org because it has a robots.txt that prevents crawling.

It looks like it is really lost.


[ Parent | Reply to this comment ]

Posted by Wayne (82.144.xx.xx) on Fri 4 May 2007 at 20:20
[ View Weblogs ]
Voyage Linux (Debian based) runs read only as it was developed to run on WRAP and Soekris boards with CF cards. Maybe their scripts can help you

http://linux.voyage.hk/

[ Parent | Reply to this comment ]

Posted by Anonymous (129.138.xx.xx) on Mon 14 May 2007 at 23:34
This website is pretty much based on text written by Thomas Hood for the Debian distribution.
http://gentoo-wiki.com/HOWTO_Read-only_root_filesystem

[ Parent | Reply to this comment ]

Posted by Anonymous (82.170.xx.xx) on Fri 20 Jun 2008 at 12:11
I used to maintain a file in which I summarized all I knew about running Debian with a read-only root filesystem. I took the file offline when I decided to stop maintaining it. I was not aware that anyone else was reading it. :)

Since there is interest here, I post the last version, dated 20 December 2005. I assume that some things have changed since then.

-- Thomas Hood

                    read-only root filesystem

News
----
Last updated: 20 December 2005
  * sysvinit is now more rorfs-friendly
  * hotplug is replaced by udev

Introduction
------------
  This file summarizes what has been done, what remains to be done, and
  what can be done locally to make Debian work correctly with a root
  filesystem that is mounted read-only.  It is a work in progress.
  Please send corrections.

Rationale
---------
  The effort to make Debian easier to use with a read-only root
  filesystem was discussed at some length on the debian-devel mailing
  list in the spring of 2003 in threads with the following subject
  headings:
    * ifupdown writes to /etc... a bug?
    * /run and read-only /etc
    * Nameserver-pushing mechanism
    * /run/, resolvconf and read-only root

  One might want to mount the root filesystem read-only if, e.g.,
  * one's root filesystem is currently a cramfs
  * one wants to run from a root filesystem on a CD-ROM
  * one has multiple hosts that share a NFS-mounted root filesystem
    and one wants to minimize the number of symlinks that have to
    be set up on each machine
  * one wants to put /etc/ under version control
  * one wants the security benefit of a configuration directory
    that can't be changed (... unless the cracker can remount
    the filesystem read-write, of course ...)

HOWTO
-----

/
  * Choose an appropriate filesystem type
    * A read-only root filesystem doesn't need a journal, for example.
  * fsck
    * Needless to say, if the root filesystem needs to be fsck'ed then
      this should be done by the administrator before the filesystem is
      put into normal use mounted read-only.  After that it shouldn't
      ever need fscking... in theory.
  * sysvinit
    * Make sure that neither the /fastboot nor the /forcefsck file
      exists, and don't use shutdown's "-f" or "-F" options.  These
      options cause the so named files to be created in the root
      directory which prevent or force, respectively, fsck on boot.

/dev/
  Several programs manipulate the permissions and ownership of files in
  /dev/ .  Some of those changes are not strictly needed (e.g., fixing
  the permissions of /dev/log, /dev/xconsole and /dec/initctrl) and
  the rest can be ignored on systems with limited physical access (e.g.,
  changing the permissions of /dev/cdrom).  If only trusted persons can
  log in to the console then you can use a read-only /dev/.  Changing
  the permissions of ttys and pseudo ttys is a security measure required
  on multi user systems.  For pseudo-ttys you can use the devptsfs.  For
  ttys, some other solution is required.  If you have a 2.6 kernel then
  you can put /dev/ on a tmpfs and use udev.  If you have a 2.4 kernel
  then you can use devfs.  Either of the latter is a complete solution
  to the problem.

/tmp/
  Many programs write temporary files to /tmp/ .  Therefore, if the
  root filesystem is to be read-only then /tmp/ has to be a separate,
  writable, filesystem.  One may choose to make /tmp/ either a disk
  filesystem or a tmpfs filesystem.

/etc/
  The remaining problem is that if / is mounted read-only then no
  program can write to files in /etc/ .  Variable files must be stored
  elsewhere.  (In the present context, "variable" information is
  information that changes during the normal operation of a system,
  not just when the system is administered.  It is the same sense of
  'variable' as is used in the Linux Filesystem Hierarchy Standard
  (FHS).)

  Among the files in /etc/ are the password and shadow password files.
  These files can be regarded as static for the purposes of normal use.
  If one wants to update these files dynamically on a ROR system then
  he could consider using something like LDAP.

  Here is how to deal with other packages which are known to write
  variable files to /etc/ .

  * bind
    * Put the db files for any zones you are master for in /etc/bind/
      (perhaps even in a subdirectory structure depending on complexity);
      specify the full pathnames to these files in the named.conf file.
      Any zones you are secondary for should be configured in named.conf
      with simple filenames (no path); these files will then be stored
      by named in its working directory, /var/cache/bind/ .  Ditto for
      any zones that are updated via DHCP.
  * hotplug
    * See TODO section
  * ifupdown
    * Make /etc/network/ifstate a symlink to a writable location such as
      /dev/shm/network/ifstate.  Releases of the ifupdown package of
      version 0.6.4-4.10 or later create this symlink for you on
      installation.
  * libc6 (/etc/resolv.conf)
    * Install the resolvconf package version 1.8 or later and configure
      it as described below
  * resolvconf
    * Make sure that /etc/resolvconf/run is a symlink to
      /dev/shm/resolvconf/.
  * lvm
    * Use a recent lvm which doesn't egregiously write to files in
      /etc/lvm/
  * mount
    * See TODO section
  * samba
    * Upgrade to the latest version available
    * Use the 'smb passwd file' option in smb.conf to put the smbpasswd
      file outside /etc/ , or use tdbsam instead of smbpasswd.
  * suck
    * See TODO list
  * sysvinit
    * See TODO list
  * util-linux
    * See TODO list

TODO
----
  It would be better if the standard Debian system made it easier to
  mount the root filesystem read-only.  The main difficulty at present
  is presented by base programs that store variable files under /etc/.
  Those programs fall into two classes: first, programs that have to
  write to files before network filesystems are mounted; second, those
  that do not have to write to files before network filesystems are
  mounted.  There should be little difficulty in changing the programs
  of the "late" class to store their variable files under /var/.  The
  programs of the "early" class do present a difficulty because on some
  systems /var/ is mounted across a network; hence the programs need
  to write files somewhere but can write neither to /etc/ (which is
  mounted read-only) nor to /var/ (which isn't mounted yet) nor to
  /tmp/ (which programs may not use to store information across program
  invocations).  The proposed solution is that the programs of the
  "early" class continue to write to the current location in /etc/,
  but to do so in such a way that they will operate correctly if there
  is a symlink at this location.

  Packages containing programs of the "late" class:

  * suck
    # 158563, 189652, 206631: Please don't store variable files under /etc/
      - OKed by maintainer, but nothing has been done about it
  * base-files, util-linux
    # 156489: Move adjtime out of /etc/
      - OKed by maintainer, but nothing has been done about it
      - In the meantime, /etc/adjtime can be symlinked to a writable
        location such as /var/lib/hwclock/adjtime (the location 
	mandated by FHS 2.2)

  Packages containing programs of the "early" class:

  * mount
    # 154438: mount should write to non-/proc/mount symlinks
      - LIMBO.  A patch was sent upstream but the maintainer hasn't
        done anything about it in over a year.
      - Workaround #1: Make /etc/mtab a symlink to a writable location
        First you have to patch the mount program so that it works
	with a symlink.  The patch is available at:
          http://panopticon.csustan.edu/thood/readonly-root.html
      - Workaround #2: Make /etc/mtab a symlink to /proc/mounts
        This can cause problems in some cases (e.g., with loop devices)
        because not all the information that mount normally stores in
        /etc/mtab is reported in /proc/mounts .  Read the comment
	about symlinking /etc/mtab to /proc/mounts in mount(8).  (As of
	this writing the comment is the last paragraph of the
	DESCRIPTION.)
    * See also the debian-devel mailing list thread entitled "Get rid
      of /etc/mtab ?" starting here:
        http://lists.debian.org/debian-devel/2002/debian-devel-200206/msg 01831.html
      and jumping to here:
        http://lists.debian.org/debian-devel/2002/debian-devel-200207/msg 00001.html
      An old summary of the problem: http://www.xss.co.at/sysinfo/mounts.html
    * See also the comment that the maintainer of the mount program,
      Andries Brouwer, made in a posting to the linux-kernel mailing
      list and which was covered in kernel-traffic #278:
        http://www.kerneltraffic.org/kernel-traffic/kt20041019_278.html#6 

  To support read-only root filesystem mounting we may want to enhance
  some of the initscripts.  Some ideas from #186892 may be useful.  I
  haven't looked into this deeply enough though.

DONE
----
  * alsa-utils
    # 106244: asound.state should be stored in /var/lib
      - DONE in 1.0.3-1
  * cupsys
    # 187954: Move printcap.cups under /var/
      - DONE in 1.1.19candidate4-1
    * Writes to /etc/cups/certs
      - DONE in 1.1.15-1
  * dhcpcd
    * Don't use files in /etc/dhcpc/ to pass information to scripts
      - DONE in 1.3.22pl4-8
  * ifupdown
    * Writes ifstate to /etc/network/
      - DONE in 0.6.4-4.10 and 0.6.4-4.10exp3.  These versions of
        ifupdown store the ifstate file in /dev/shm/network/.
  * laptop-net
    * Do not use /etc/ for generating temporary files
      - DONE in 2.20-1
  * linuxlogo
    # 292740: Please do not store files in /etc
      - DONE in 4.10-1
  * ppp
    # 187756: Tolerate read-only /etc/
      - DONE partially in 2.4.1.uus2-2.  If resolvconf is installed
        then the package's /etc/ppp/ip-up.d/0000usepeerdns script
	won't write to /etc/resolv.conf
      - DONE finally in 2.4.2+20040428-6 -- pppd won't complain any
        more if /etc/ppp/resolv.conf isn't writable
  * pppconfig
    # 187810: Support read-only /etc/
      - DONE in 2.2.0
    # 187651: Make resolv.conf futzing optional
      - DONE in 2.2.0
  * resolvconf
    * Manage resolver configuration so that /etc/resolv.conf can
      more easily be a symlink
      - DONE (http://packages.debian.org/resolvconf)
  * sysvinit, initscripts
    # 150355: [Handle motd as symlink]
      - DONE in 2.85-4
    # 188087: Move ioctl.save out of /etc ?
      - DONE in 2.85-1
    # 191041: Follow /etc/nologin symlink
      - DONE in 2.85-4
    * Writes motd and nologin files to /etc/
      - DONE in 2.86.ds1-8

Author
  Thomas Hood 

Contributors
  Bernd Eckenfels
  Jörg Sommer

[ Parent | Reply to this comment ]

Posted by Anonymous (217.6.xx.xx) on Fri 20 Jun 2008 at 12:54
i read this document several months ago. this week i set up debian on a soekris box with a cf card. i followed what i could remember from the document combined with the gentoo how to (http://gentoo-wiki.com/HOWTO_Read-only_root_filesystem) based on thomas document.

i did the following:
1.) install debian, selecting no tasks (e.g. webserver) during the installation process using one single root (/) partition
2.) install all applications i would need
3.) created a tarball containing /var and placed it as var.tar.gz in /
4.) replaced /tmp with a symlink to /dev/shm/tmp, created the directory /dev/shm/tmp first
5.) reboot the system, after the reboot checked what files in /etc/ where modified during boot (find /etc -newer /etc/mtab)
6.) replaced these files with a symlink to /dev/shm/..., first created the files there

now during boot you must touch all the files that are linked to in /dev/shm and extract the var tarball to /dev/shm. therefore i did the last step.

7.) modified /etc/init.d/checkroot.sh and placed the following lines below "remount root to final mode". should be about line 333.
------------------------
mkdir /dev/shm/tmp
touch /dev/shm/resolv.conf
touch /dev/shm/resolv.conf.dhclient-new
touch /dev/shm/ifstate
tar -C /dev/shm -zxf /var.tgz
------------------------


i also put some more files from /etc to /dev/shm and created a link, but this is depending on your configuration so here i only posted the files i found after a clean install using the above mentioned find command. following this procedure i think it should be possible to get a read only root without too much trouble. of course the procedure may vary in detail because different configurations lead to different files that need to be put out of /etc. but this should be easily to find out using the above mentioned find command or reading some error messages during the boot process.


-- Fabian Stietzel <fabian@schnitz-online.de>

[ Parent | Reply to this comment ]

Posted by Anonymous (213.84.xx.xx) on Sat 1 Aug 2009 at 17:40
Link update: http://www.gentoo-wiki.info/HOWTO_Read-only_root_filesystem
(Posted by Mr <Bill AAAAT STSX DOOOT ORG> Sat Aug 1 18:38:30 CEST 2009)

[ Parent | Reply to this comment ]

Posted by Anonymous (89.174.xx.xx) on Thu 29 Apr 2010 at 20:23
If you need this, I've written some scripts that automate the creation of Debian images that boot with read-only root filesystem. The scripts for Debian are here: http://www.guciek.net/en/gpl/debcreate and here's some information I've written on the subject: http://www.guciek.net/en/read_only_root_filesystem

[ Parent | Reply to this comment ]