Thanks, sigsegv, but the question was about what do do after that
. Mounting / read-only makes /dev read-only, which messes up lots of things. This used to be solvable by union-mounting /dev and re-creating the necessary devices but that doesn't work as of 3.8.
A solution follows if anyone's interested. Basically, instead of mfs-union-mounting the whole of /dev, mfs-mount only the pieces that need to be read-write, create the necessary devices there, and create symlinks in /dev to point at the new devices. For example:
Add the following line to /etc/fstab (and also make / ro):
swap /dev/write mfs rw,noatime,-s=12000 0 0
Create the symlinks:
# mkdir /dev/write
# cd /dev/write
# /dev/MAKEDEV wscons pty0
# for x in *; do rm /dev/$x; ln -s /dev/write/$x /dev; done
And add the following line to /etc/rc to create these devices at boot after the filesystem checks:
( cd /dev/write; /dev/MAKEDEV wscons pty0; cd - ) > /dev/null 2>&1
Note that: (a) depending on your situation, you might also need to make some files in /etc read-write, (b) as written, this will disallow root logins (since ttys will be symlinks and hence won't be recognized as secure), so you'll need to su or sudo, and (c) if it's security you're after, system-immutable flags (see the manpages for chflags(1)) are almost as good as all this stuff and a lot easier and safer.