How-To Make the root filesystem read-only

2009-12-20 13:45 | Posted by: admin | Views: 59 | Comments: 0 | Original author: 韩菱纱


From openSUSE
The procedure in this article was written and tested with openSUSE Linux 10.1.
While there is no guarantee, it should be applicable to later versions. If you find this to be incorrect, please help to update this article.
Procedure
There are two files in the /etc directory that need to be writable. These are:
/etc/mtab
/etc/resolv.conf
There are also several files (logs etc.) in /var that need to be writable, and of course /tmp. We will keep these files on the RAM-backed /dev/shm filesystem. To do that we need to edit some of the boot scripts in /etc/init.d.



delete /etc/mtab

link /proc/mounts to /etc/mtab
# ln -s /proc/mounts /etc/mtab

move /etc/resolv.conf to /dev/shm/resolv.conf
# mv /etc/resolv.conf /dev/shm

link /dev/shm/resolv.conf to /etc/resolv.conf
# ln -s /dev/shm/resolv.conf /etc/resolv.conf

create an archive of /var which will be extracted onto the /dev/shm filesystem on boot
# tar -zcvf /var.tgz /var/*

move /var to /dev/shm
# mv /var /dev/shm

create a link from /dev/shm/var to /var
# ln -s /dev/shm/var /var
You could create links only for the folders inside /var that need to be writable (i.e. /var/log etc.) and save some memory by not copying libraries and other read-only files located under /var into memory. Here, for simplicity, we just copy everything into /dev/shm.

delete /tmp and create a directory /dev/shm/tmp

create a link from /dev/shm/tmp to /tmp
# ln -s /dev/shm/tmp /tmp



edit /etc/init.d/boot.rootfsck:
After the fsck the script remounts the root file system read-write. Find every line that remounts and change it like this:
from:
mount -n -o remount,rw /
to:
mount -n -o remount,ro /
Find the line that deletes /etc/mtab* and comment it out:
#rm -f /etc/mtab*
Below that line add the following:
touch /dev/shm/resolv.conf # creates the /dev/shm/resolv.conf file
mkdir /dev/shm/tmp
tar -C /dev/shm -zxf /var.tgz

edit /etc/init.d/boot.localfs and comment out the following line:
#rm -f /etc/nologin /nologin /fastboot /forcefsck /success

edit /etc/pam.d/login to remove the module that logs the login of a user.
comment out the line:
# session required pam_lastlog.so nowtmp

edit /etc/fstab and set the mount option on / to be ro; for example, the line:
/dev/sda2 / reiserfs acl,user_xattr 1 1
is changed to:
/dev/sda2 / reiserfs ro,acl,user_xattr 1 1

remount the root filesystem read-only
# mount -o remount,ro /
Conclusions
If everything worked, your system now has a read-only root filesystem. Note that each time you need to install extra software, run online update, etc., you must first remount your root partition writable:
# mount -o remount,rw /
Note that keeping all the tmp files in memory can be a problem on systems with a long uptime. You can add a cron job to periodically delete /tmp/* and perhaps copy the logs in /var/log to a persistent location and then delete them. This way you can avoid the problems caused by a full /dev/shm filesystem.
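A small audit script for the finished setup, added here as an example (it is not from the openSUSE article): it checks that each step of the procedure is still in place and flags the full-/dev/shm condition described in the conclusion. The 80% warning threshold and the WARN message wording are assumptions.

```sh
#!/bin/sh
# Audit helper for the read-only-root setup described in the article above.
# Added example, not part of the openSUSE article. Every check reads its data
# from stdin, so it runs against the live system or against constructed sample data.

# Exit 0 if mount point $1 is listed with the "ro" option in /proc/mounts-style input.
# The last matching line wins, as with the live mount table (rootfs is listed first).
mounted_ro() {
    awk -v mp="$1" '
        $2 == mp { opts = $4 }
        END {
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1
            exit (found ? 0 : 1)
        }'
}

# Exit 0 if path $1 is a symlink whose target is exactly $2.
links_to() { [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]; }

# Print the used percentage of mount point $1 from "df -P" style input, without the "%".
used_pct() { awk -v mp="$1" '$6 == mp { sub("%", "", $5); print $5 }'; }

# Exit 0 if the filesystem at $1 is at least $2 percent full (df -P input on stdin):
# the "/dev/shm fills up on long uptimes" condition from the conclusion.
shm_nearly_full() {
    pct=$(used_pct "$1")
    [ -n "$pct" ] && [ "$pct" -ge "$2" ]
}

# Run every check against the live system, one WARN line per failed step.
# Returns 1 if anything needs attention. $1 is the /dev/shm usage threshold (assumed 80).
audit_readonly_root() {
    rc=0
    mounted_ro / < /proc/mounts || { echo "WARN: / is not mounted read-only"; rc=1; }
    links_to /etc/mtab /proc/mounts || { echo "WARN: /etc/mtab is not a link to /proc/mounts"; rc=1; }
    links_to /etc/resolv.conf /dev/shm/resolv.conf || { echo "WARN: /etc/resolv.conf is not linked into /dev/shm"; rc=1; }
    links_to /var /dev/shm/var || { echo "WARN: /var is not a link to /dev/shm/var"; rc=1; }
    links_to /tmp /dev/shm/tmp || { echo "WARN: /tmp is not a link to /dev/shm/tmp"; rc=1; }
    if df -P /dev/shm | shm_nearly_full /dev/shm "${1:-80}"; then
        echo "WARN: /dev/shm is ${1:-80}% or more full; clean /tmp and rotate /var/log"; rc=1
    fi
    return $rc
}

# Usage on the live system: audit_readonly_root 80
```

Run it from the cron job suggested above so a filling /dev/shm or a root partition left read-write after an update is reported rather than discovered by a failing service.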




