How-To Make the root filesystem read-only
From openSUSE
Introduction
There are several reasons why you might want to make your root file system read-only. I wanted to have a system on a flash disk, and since flash disks wear out after repeated read-write cycles, a read-only root is a very nice solution. Other reasons why you would want to make your root partition read-only include:
- If you want maximum security for your server and want it to boot from a read-only medium (e.g. a CD-ROM)
- If you want to make your own live CD
- To prevent a power loss or system crash from damaging the root partition
- If you want to mount the same nfsroot on several thin clients
The following procedure is what I did to turn my SuSE 10.1 root file system read-only. It should work on both earlier and later versions, but I haven't tested it yet. There could be better or more elegant solutions; if you think that something is missing, please feel free to edit this howto.
Acknowledgments
Some of the information in this howto was found .
Prerequisites
- You need to have root permissions on the system you want to change
- Since some folders that need to be writable have to be moved into the ramdrive, make sure you have enough memory.
Procedure
There are two files in the /etc directory that need to be writable. These are:
/etc/mtab
/etc/resolv.conf
There are also several files (logs etc.) in /var which need to be writable, and of course /tmp. We will use the /dev/shm ramfs to keep these files. In order to do that we need to edit some of the boot scripts in /etc/init.d.
- delete /etc/mtab
- link /proc/mounts to /etc/mtab
# ln -s /proc/mounts /etc/mtab
- move /etc/resolv.conf to /dev/shm/resolv.conf
# mv /etc/resolv.conf /dev/shm
- link /dev/shm/resolv.conf to /etc/resolv.conf
# ln -s /dev/shm/resolv.conf /etc/resolv.conf
- create an archive of /var which will be extracted on the /dev/shm fs on boot.
# tar -zcvf /var.tgz /var/*
- move /var to /dev/shm
# mv /var /dev/shm
- create a link from /dev/shm/var to /var
# ln -s /dev/shm/var /var
You could create links only for the folders inside /var that need to be writable (e.g. /var/log) and save some memory by not copying libraries and other read-only files located under /var into memory. Here, for simplicity, we just copy everything into /dev/shm.
- delete /tmp and create a directory /dev/shm/tmp
- create a link from /dev/shm/tmp to /tmp
# ln -s /dev/shm/tmp /tmp
- edit /etc/init.d/boot.rootfsck :
After the fsck the script remounts the root file system as read-write. Find every line that remounts and change it like this:
from: mount -n -o remount,rw /
to: mount -n -o remount,ro /
Find the line that deletes /etc/mtab* and comment it out.
#rm -f /etc/mtab*
Below that line add the following:
touch /dev/shm/resolv.conf # creates the /dev/shm/resolv.conf file
mkdir /dev/shm/tmp
tar -C /dev/shm -zxf /var.tgz
- edit /etc/init.d/boot.localfs and comment out the following line:
#rm -f /etc/nologin /nologin /fastboot /forcefsck /success
- edit /etc/pam.d/login to remove the module that logs the login of a user.
comment out the line: # session required pam_lastlog.so nowtmp
- edit /etc/fstab and set the mount option on / to be ro, for example the line:
/dev/sda2 / reiserfs acl,user_xattr 1 1
is changed to:
/dev/sda2 / reiserfs ro,acl,user_xattr 1 1
- remount the root filesystem to read-only
# mount -o remount,ro /
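The relocation steps above, collected into shell functions as an added example (this is not a script from the openSUSE wiki page or from the distribution). The root prefix and the RAM-backed directory are parameters, so the functions can be rehearsed against a scratch directory tree before being run as root against / and /dev/shm; restore_ram_state mirrors the three commands the procedure adds to boot.rootfsck, and root_is_readonly reads a mount table in /proc/mounts format to confirm the result after the final remount. The function names and the RO_ROOT_APPLY guard variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: the read-only root relocation steps as functions.
# $1 = root prefix ("/" on a real system), $2 = RAM-backed dir ("/dev/shm").
set -eu

prepare_readonly_root() {
    root=${1%/}; shm=${2%/}          # "/" becomes "" so "$root/etc" is "/etc"
    mkdir -p "$shm"

    # /etc/mtab becomes a link to the kernel's own mount table
    rm -f "$root/etc/mtab"
    ln -s /proc/mounts "$root/etc/mtab"

    # /etc/resolv.conf lives in RAM; /etc keeps only a link to it
    if [ -e "$root/etc/resolv.conf" ] && [ ! -L "$root/etc/resolv.conf" ]; then
        mv "$root/etc/resolv.conf" "$shm/resolv.conf"
    fi
    rm -f "$root/etc/resolv.conf"
    ln -s "$shm/resolv.conf" "$root/etc/resolv.conf"

    # /var is archived (entries "var/..."), moved into RAM, and linked back
    tar -C "${root:-/}" -czf "$root/var.tgz" var
    rm -rf "$shm/var"
    mv "$root/var" "$shm/var"
    ln -s "$shm/var" "$root/var"

    # /tmp lives entirely in RAM; nothing in it survives a reboot
    rm -rf "$root/tmp"
    mkdir -p "$shm/tmp"
    chmod 1777 "$shm/tmp"
    ln -s "$shm/tmp" "$root/tmp"
}

# Boot-time counterpart (what boot.rootfsck must do on every boot):
# $1 = RAM-backed dir, $2 = archive written by prepare_readonly_root
restore_ram_state() {
    shm=${1%/}
    mkdir -p "$shm/tmp"
    chmod 1777 "$shm/tmp"
    touch "$shm/resolv.conf"         # network scripts fill it in later
    tar -C "$shm" -xzf "$2"
}

# Returns 0 when the last entry for / in a mount table carries "ro".
# $1 = file in /proc/mounts format (default: the live /proc/mounts)
root_is_readonly() {
    awk '$2 == "/" { ro = 0; n = split($4, o, ",")
                     for (i = 1; i <= n; i++) if (o[i] == "ro") ro = 1 }
         END { exit ro ? 0 : 1 }' "${1:-/proc/mounts}"
}

# Real run (as root, after a backup): RO_ROOT_APPLY=1 sh ro-root.sh
if [ "${RO_ROOT_APPLY:-0}" = 1 ]; then
    prepare_readonly_root / /dev/shm
fi
```

Rehearsing against a scratch tree (prepare_readonly_root "$dir" "$dir/dev/shm", then deleting "$dir/dev/shm" and calling restore_ram_state) shows exactly which links and archives the real run will leave behind, before the only copy of /var is moved.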
Conclusions
If everything worked, your system now has a read-only root filesystem. Note that each time you need to install extra software, run online update, etc., you must first remount your root partition writable:
# mount -o remount,rw /
Note that keeping all the tmp files in memory on systems with a long uptime can be a problem. You can add a cron job to periodically delete /tmp/*, and maybe store the logs from /var/log in a persistent location and then delete them. This way you can avoid problems caused by a full /dev/shm filesystem.