How-To Make the root filesystem read-only

Introduction

There are several reasons why you might want to make your root file system read only. I wanted to have a system on a flash disk, and since flash disks are damaged after repeated read-write circles the read-only root is a very nice solution. Other reasons why you would want to make your root partition read only include:

  • If you want maximum security for your server, and want it to boot from a read only medium (i.e. a CD-ROM)
  • If you want to make your own live-cd
  • To avoid that power loss or system crash damage the root partition.
  • If you want to mount the same nfsroot on several thin clients

The following procedure is what i did to turn my SuSE 10.1 root file system to read-only. It should work on both earlier and later versions but i haven’t tested it yet. There could be better/more elegant solutions, if you think that something is missing please fill free to edit this howto.

Acknowledgments

Some of the information on this howto where found here.

Prerequisites

You need to have root permissions on the system you want to change
Since some folders that need to be writable have to be moved into the ramdrive, make sure you have enough memory.

Procedure

There are two files in the /etc directory that need to be writable. These are:

/etc/mtab
/etc/resolv.conf

Also there are several files (logs etc) in /var which need to be writable, and of-cource /tmp. We will use /dev/shm ramfs to keep these files. In order to do that we need to edit some of the boot-scripts in /etc/init.d

  • delete /etc/mtab
  • link /proc/mounts to /etc/mtab
# ln -s /proc/mounts /etc/mtab
  • move /etc/resolv.conf to /dev/shm/resolv.conf
# mv /etc/resolv.conf /dev/shm
  • link /dev/shm/resolv.conf to /etc/resolv.conf
# ln -s /dev/shm/resolv.conf /etc/resolv.conf
  • create an archive of /var which will be extracted on the /dev/shm fs on boot.
# tar -zcvf /var.tgz /var/*
  • move /var to /dev/shm
# mv /var /dev/shm
  • create a link from /dev/shm/var to /var
# ln -s /dev/shm/var /var

You could create links only for the folders inside /var that need to be writable (i.e /var/log,etc) and save some memory by not copying libraries and other read-only files located under /var into memory. Here for simplicity, we just copy everything into /dev/shm.

  • delete /tmp and create a directory /dev/shm/tmp
  • create a link from /dev/shm/tmp to /tmp
# ln -s /dev/shm/tmp /tmp
  • edit /etc/init.d/boot.rootfsck :

After the fsck the script remounts the root file system as read-write. Find every line that remounts and change it like this:

from:

mount -n -o remount,rw /

to:

mount -n -o remount,ro /

Find the line that deletes /etc/mtab* and comment it out.

rm -f /etc/mtab*

Bellow that line add the following:

touch /dev/shm/resolv.conf # creates the /dev/shm/resolv.conf file.
mkdir /dev/shm/tmp
tar -C /dev/shm -zxf /var.tgz
  • edit /etc/init.d/boot.localfs and comment out the following line:
#rm -f /etc/nologin /nologin /fastboot /forcefsck /success
  • edit /etc/pam.d/login to remove the module that logs the login of a user.
comment out the line:
# session  required       pam_lastlog.so nowtmp
  • edit /etc/fstab and set mount option on / to be ro, for example:
line:
/dev/sda2       /       reiserfs        acl,user_xattr 1 1

is changed to:

/dev/sda2       /       reiserfs        ro,acl,user_xattr 1 1
  • remount the root filesystem to read-only
# mount -o remount,ro /

Conclusions

If everything worked, your system has now a read only root filesystem. Note that each time you need to install extra software or run online update, etc, you must first remount your root partition to be writable.

# mount -o remount,rw /

Note that keeping all the tmp files in memory for systems that have a long uptime can be a problem. You can add a cronjob to periodically delete /tmp/* and maybe store the logs of /var/log to a persistent location and then delete them. This way you can avoid problems coused by a full /dev/shm fs.

5 Comments

  1. WhatsInaName

    I wonder if quotas work on shm?
    Also one could just turn loggin off.
    But var and tmp seem like a generally bad idea in ram.

    But as you might have surmised from how little you had to do, there really isn’t much writing happening on the system directories.

    swap with low mem is the usb key killer. You could run 24/7 on a modern usb key and not have it fail before you have to retire the system.

    Either turn swap off, or put it on a small and ironic swap file in shm

    • leenoux leenoux

      you’re right, it was messed, in real production server i’m using shm/ramfs only for non critical temporary folder that need fast read/write response.

  2. john

    really nice tutorial.
    i am running my own on squeeze and it has postfix and asterisk. i would like to ask if you know which folders to make writable, please?

  3. Mike

    Have you done this on Ubuntu? I am trying to build a custom Ubuntu Server install and Ubuntu doesn’t have boot.rootfsck or boot.localfs.

    Any help would be appreciated!

    Thanks,
    Mike

  4. Mike

    forgot to check the notification boxes 😉

Leave a Reply

Your email address will not be published. Required fields are marked *