How-To Make the root filesystem read-only

1064 reads, 0 comments, 2008-12-18, yuchuan2008
Category: LINUX

From openSUSE


Introduction

There are several reasons why you might want to make your root file system read-only. I wanted to run a system from a flash disk, and since flash memory wears out after repeated write cycles, a read-only root is a very nice solution. Other reasons why you would want to make your root partition read-only include:

The following procedure is what I did to turn my SUSE 10.1 root file system read-only. It should work on both earlier and later versions, but I haven't tested that. There may be better or more elegant solutions; if you think something is missing, please feel free to edit this howto.


Acknowledgments

Some of the information in this howto was found .


Prerequisites

You need root permissions on the system you want to change.
Since some directories that need to be writable are moved into a RAM-backed tmpfs, make sure you have enough memory.
The procedure in this article was written and tested with openSUSE Linux 10.1.

Whilst there is no guarantee, it should be applicable to later versions. If you find this to be incorrect, please help to update this article.


Procedure

Two files in /etc need to stay writable:

/etc/mtab
/etc/resolv.conf

Several files under /var (logs, spool, lock and run files, etc.) also need to be writable, and of course /tmp. We will keep these on the tmpfs mounted at /dev/shm (it is a tmpfs, not a ramfs: tmpfs has a size limit and can be swapped out, so a runaway writer cannot take all of physical memory). To recreate them at every boot we need to edit some of the boot scripts in /etc/init.d.

# ln -sf /proc/mounts /etc/mtab
# mv /etc/resolv.conf /dev/shm
# ln -s /dev/shm/resolv.conf /etc/resolv.conf
# tar -C / -zcf /var.tgz var
# mv /var /dev/shm
# ln -s /dev/shm/var /var

The -f on the first ln is needed because /etc/mtab already exists; afterwards mtab is just a view of the kernel's mount table in /proc/mounts. The tar command archives the whole var tree (a /var/* glob would skip dot files) so that it later unpacks as /dev/shm/var. Note that the copy of resolv.conf you just moved to /dev/shm disappears at reboot; if your name servers are configured statically rather than by DHCP, keep a copy on the root file system before moving it (see the boot script step below).

You could create links only for the directories inside /var that actually need to be writable (e.g. /var/log, /var/run, /var/lock, /var/spool) and save memory by not copying libraries and other read-only files under /var into RAM. For simplicity, here we just copy everything into /dev/shm.

# mv /tmp /tmp.orig
# mkdir -m 1777 /dev/shm/tmp
# ln -s /dev/shm/tmp /tmp

The existing /tmp directory has to be moved out of the way first, otherwise ln -s would create the link as /tmp/tmp inside it. Creating /dev/shm/tmp now keeps the running system usable until the reboot; /tmp.orig can be deleted once everything works.

After the fsck, the boot script that checks the root file system remounts it read-write. Find every line under /etc/init.d that does this and change it like this:

from:
mount -n -o remount,rw /
to:
mount -n -o remount,ro /

Find the line that deletes /etc/mtab* and comment it out (it would otherwise remove the symlink you just created):

#rm -f /etc/mtab*

Below that line add the following, which recreates the volatile files on the tmpfs at every boot:

touch /dev/shm/resolv.conf   # creates an empty /dev/shm/resolv.conf
mkdir -m 1777 /dev/shm/tmp   # /tmp must be world-writable with the sticky bit
tar -C /dev/shm -zxf /var.tgz

The mode 1777 on /tmp matters: a plain mkdir gives 755 under the usual root umask, so unprivileged users could not write to /tmp at all, and without the sticky bit users could delete each other's files. Also note that touch creates an empty resolv.conf, which is fine when a DHCP client fills it in at boot; with static name servers, keep a copy on the read-only root (for example /etc/resolv.conf.static, a name chosen here, not an openSUSE file) and cp it to /dev/shm/resolv.conf instead of using touch.

In the same script, comment out the line that removes the boot flag files, since they live on the read-only root and cannot be deleted (this also means a /forcefsck or /fastboot flag, if present, stays in place):

#rm -f /etc/nologin /nologin /fastboot /forcefsck /success

In the PAM configuration under /etc/pam.d, comment out the line:

# session  required       pam_lastlog.so nowtmp

In /etc/fstab, the line:

/dev/sda2       /       reiserfs        acl,user_xattr 1 1

is changed to:

/dev/sda2       /       reiserfs        ro,acl,user_xattr 1 1

(adjust the device and file system type to match your system). Finally, remount the root file system read-only, or reboot:

# mount -o remount,ro /
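The boot-time part of the procedure above, written as an added example (this is not code from the openSUSE howto or from any SUSE boot script): one function that recreates /tmp, resolv.conf and the /var tree on the tmpfs with the right permissions, and one that checks that the root file system really is mounted read-only. The root and tmpfs paths are parameters so the functions can be tried against a scratch directory; the file /etc/resolv.conf.static is an assumed name for a saved static resolv.conf, not a standard file.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# ROOT and SHM are parameters so the functions can be exercised against a
# scratch tree; on the real system they are / and /dev/shm.
# Assumed layout, matching the procedure:
#   $root/var.tgz                 tarball of the original /var, created with
#                                 tar -C / -zcf /var.tgz var
#   $root/etc/resolv.conf.static  optional saved copy of a static resolv.conf
#                                 (an assumed name, not an openSUSE file)

restore_volatile_dirs() {
    root=$1
    shm=$2

    # /tmp must be world-writable with the sticky bit (1777); a plain mkdir
    # gives 755 and unprivileged users could not write to /tmp at all.
    mkdir -p "$shm/tmp"
    chmod 1777 "$shm/tmp"

    # resolv.conf: restore the saved static copy if there is one, otherwise
    # start empty and let the DHCP client fill it in.
    if [ -f "$root/etc/resolv.conf.static" ]; then
        cp "$root/etc/resolv.conf.static" "$shm/resolv.conf"
    else
        : > "$shm/resolv.conf"
    fi
    chmod 644 "$shm/resolv.conf"

    # Unpack the saved /var tree into the tmpfs; it appears as $shm/var.
    tar -C "$shm" -zxf "$root/var.tgz"
}

# Check that / is mounted read-only according to a /proc/mounts-style file
# (pass /proc/mounts on the live system). The last line whose mount point is
# "/" wins, because rootfs is listed first and always shows "rw".
root_is_readonly() {
    awk '$2 == "/" { opts = $4 }
         END {
             n = split(opts, o, ",")
             for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
             exit 1
         }' "$1"
}

# Usage on the real system, from the boot script after the fsck:
#   restore_volatile_dirs / /dev/shm
# and once the system is up:
#   root_is_readonly /proc/mounts && echo "root is read-only"
```

The check reads the options column of /proc/mounts rather than trusting /etc/fstab, because a boot script that still contains a remount,rw line will silently undo the fstab setting.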

Conclusions

If everything worked, your system now has a read-only root file system. Note that each time you need to install extra software, run online update, etc., you must first remount your root partition read-write:

# mount -o remount,rw /

Remount it read-only again as soon as you are done. Keep in mind that this protects against wear and against accidental writes, not against an attacker: any process running as root can issue the same remount command, so a read-only root is not a security boundary by itself.

Note that keeping all the temporary files in memory can be a problem on systems with a long uptime. You can add a cron job to periodically delete old files under /tmp, and to store the logs from /var/log to a persistent location before truncating them. This way you avoid the problems caused by a full /dev/shm file system, which would stop logging and break every program that needs /tmp.
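Housekeeping for such a system, as an added example (not from the original howto): functions meant to be called from cron that archive the tmpfs-resident logs to persistent storage, purge stale files from /tmp, warn when the tmpfs is nearly full, and wrap a command in the remount-rw/remount-ro pair so the writable window stays as short as possible. The archive directory is assumed to be on some writable persistent file system of your own choosing (a data partition, a USB stick); the cron paths in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original howto. Directories are parameters
# so the functions can be tried on a scratch tree before going into cron.

# Return 0 if the file system holding $1 is at least $2 percent full.
tmpfs_over_threshold() {
    used=$(df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }')
    [ "$used" -ge "$2" ]
}

# Copy every non-empty regular file in $1 to $2 with a timestamp suffix, then
# truncate it in place. Truncating (instead of mv or rm) keeps the file
# descriptors syslog holds open valid, so logging continues into the same file.
archive_logs() {
    logdir=$1
    archive=$2
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$archive"
    for f in "$logdir"/*; do
        [ -f "$f" ] && [ -s "$f" ] || continue
        cp "$f" "$archive/$(basename "$f").$stamp" || return 1
        : > "$f"
    done
}

# Delete regular files under $1 not modified for more than $2 days.
# Only files are removed; directories other programs may rely on stay,
# and -xdev keeps find from following into another mount.
purge_tmp() {
    find "$1" -xdev -type f -mtime +"$2" -exec rm -f {} +
}

# Run a command with the root file system temporarily writable (package
# installation, online update) and remount it read-only again even if the
# command fails, so the system never stays writable by accident.
with_rw_root() {
    mount -o remount,rw / || return 1
    "$@"
    status=$?
    mount -o remount,ro /
    return $status
}

# Example cron usage (assumed paths):
#   archive_logs /var/log /mnt/data/logs
#   purge_tmp /tmp 7
#   tmpfs_over_threshold /dev/shm 90 && logger "/dev/shm is over 90% full"
#   with_rw_root rpm -Uvh /mnt/data/updates/*.rpm
```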
