LinuxQuestions.org


fantod 10-25-2011 11:51 AM

Setting up a read-only Debian system?
 
Greetings

I have a Seagate Dockstar (1.2 GHz ARM processor, 128 MB RAM, boots Debian squeeze from a USB flash drive). It's used as a NAS.

I have been trying to make the boot flash drive read-only using the method described here:

http://www.logicsupply.com/blog/2009...-linux-system/

The method entails moving the root filesystem to an aufs filesystem so that the boot drive is read-only and there's a writeable layer in RAM. This is done by adding a hook file to /etc/initramfs-tools/hooks:

Code:

#!/bin/sh

PREREQ=''

prereqs() {
  echo "$PREREQ"
}

case $1 in
prereqs)
  prereqs
  exit 0
  ;;
esac

. /usr/share/initramfs-tools/hook-functions
manual_add_modules aufs
manual_add_modules tmpfs
copy_exec /bin/chmod /bin

adding an init-bottom script to /etc/initramfs-tools/scripts/init-bottom

Code:

#!/bin/sh

PREREQ=''

prereqs() {
  echo "$PREREQ"
}

case $1 in
prereqs)
  prereqs
  exit 0
  ;;
esac

# Boot normally when the user selects single user mode.
if grep single /proc/cmdline >/dev/null; then
  exit 0
fi

ro_mount_point="${rootmnt%/}.ro"
rw_mount_point="${rootmnt%/}.rw"

# Create mount points for the read-only and read/write layers:
mkdir "${ro_mount_point}" "${rw_mount_point}"

# Move the already-mounted root filesystem to the ro mount point:
mount --move "${rootmnt}" "${ro_mount_point}"

# Mount the read/write filesystem:
mount -t tmpfs root.rw "${rw_mount_point}"

# Mount the union:
mount -t aufs -o "dirs=${rw_mount_point}=rw:${ro_mount_point}=ro" root.union "${rootmnt}"

# Correct the permissions of /:
chmod 755 "${rootmnt}"

# Make sure the individual ro and rw mounts are accessible from within the root
# once the union is assumed as /.  This makes it possible to access the
# component filesystems individually.
mkdir "${rootmnt}/ro" "${rootmnt}/rw"
mount --move "${ro_mount_point}" "${rootmnt}/ro"
mount --move "${rw_mount_point}" "${rootmnt}/rw"

# Make sure checkroot.sh doesn't run.  It might fail or erroneously remount /.
rm -f "${rootmnt}/etc/rcS.d"/S[0-9][0-9]checkroot.sh

and then rebuilding the initramfs

Code:

# update-initramfs -u

and rebooting.

I have done this procedure on a test system: a Dell Mini 9 netbook (Intel Atom processor) that boots Debian squeeze from an external USB hard disk. It works: the system comes up read-only. I can create a text file in my home directory, then reboot and the text file is gone. Just what I want.

I do the same thing on the Dockstar and it boots OK but is not read-only. I looked at dmesg on the Dockstar and see the following:

Code:

[  12.960395] aufs: module is from the staging directory, the quality is unknown, you have been warned.
[  12.993986] aufs 2-standalone.tree-32-20100125
[  13.003956] aufs test_add:218:mount[124]: unsupported filesystem, /root.ro (rootfs)

but on the Dell Mini 9, the corresponding lines from dmesg are

Code:

[    7.884717] aufs: module is from the staging directory, the quality is unknown, you have been warned.
[    7.897495] aufs 2-standalone.tree-32-20100125
[    7.898237] aufs test_add:248:exe[371]: uid/gid/perm /root.ro 0/0/0755, 0/0/01777

As I said, both of these systems are running up-to-date Debian squeeze. One works and the other doesn't.

Any idea why this is? Troubleshooting this is a bit beyond my current knowledge level, but I would love to get this working. Any help is appreciated.
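A quick way to confirm after a reboot whether the union actually took effect, since the Dockstar booted normally but stayed writable. This is an added example, not part of the original post; it assumes the layout the init-bottom script above creates (aufs on /, the boot filesystem at /ro, tmpfs at /rw), and the function names and sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): verify the layout the init-bottom
# script is supposed to leave behind. Input is /proc/mounts-format text.

# field MOUNTS MOUNTPOINT COLUMN: print a column of the last entry for a
# mount point (the last entry is the filesystem actually visible there).
field() {
  printf '%s\n' "$1" | awk -v mp="$2" -v col="$3" '$2 == mp { v = $col } END { print v }'
}

# check_ro_root [FILE]: 0 = union in place, 1 = / is not aufs,
# 2 = /rw is not tmpfs, 3 = lower layer /ro is itself mounted writable.
check_ro_root() {
  mounts=$(cat "${1:-/proc/mounts}")
  root_type=$(field "$mounts" / 3)
  rw_type=$(field "$mounts" /rw 3)
  ro_opts=$(field "$mounts" /ro 4)

  if [ "$root_type" != aufs ]; then
    echo "FAIL: / is '${root_type:-unknown}', not aufs: writes reach the boot drive"
    return 1
  fi
  if [ "$rw_type" != tmpfs ]; then
    echo "FAIL: /rw is '${rw_type:-missing}', expected the tmpfs write layer"
    return 2
  fi
  case ",$ro_opts," in
    *,ro,*) ;;
    *) echo "WARN: /ro options are '${ro_opts:-missing}': direct writes under /ro would persist"
       return 3 ;;
  esac
  echo "OK: / is aufs over read-only /ro with tmpfs /rw"
}

# Constructed sample of a working boot (device names and options are made up).
sample_ok='rootfs / rootfs rw 0 0
/dev/sda1 /ro ext3 ro,relatime 0 0
root.rw /rw tmpfs rw,relatime 0 0
root.union / aufs rw,relatime 0 0'

# Constructed sample of a boot where the union was never mounted.
sample_bad='rootfs / rootfs rw 0 0
/dev/sda1 / ext3 rw,relatime 0 0'

# check_sample TEXT: run the check on sample text instead of the live system.
check_sample() { printf '%s\n' "$1" | check_ro_root -; }

check_sample "$sample_ok"
check_sample "$sample_bad" || echo "exit status: $?"
```

On a live system, call `check_ro_root` with no argument to read /proc/mounts directly.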

replica9000 10-26-2011 06:09 PM

Debian has a package in the repository that does this: fsprotect. All you should have to do is install it, and add a line to your grub's kernel entry:

Example from my Grub 2 USB install:
Code:

linux  /boot/vmlinuz-3.0.0-2-amd64 root=UUID=7bbe90bc-7793-4a60-87e7-cbb6cfb7ec25 ro quiet fsprotect=1G

You can change the 1G to another size if you wish.

fantod 10-27-2011 08:57 AM

Quote:

Originally Posted by replica9000 (Post 4509217)
Debian has a package in the repository that does this: fsprotect. All you should have to do is install it, and add a line to your grub's kernel entry:

Example from my Grub 2 USB install:
Code:

linux  /boot/vmlinuz-3.0.0-2-amd64 root=UUID=7bbe90bc-7793-4a60-87e7-cbb6cfb7ec25 ro quiet fsprotect=1G

You can change the 1G to another size if you wish.


Ok - very good. I'll try that - it looks like it does what I want.

FWIW, the Dockstar uses U-Boot instead of GRUB 2, so I'll have to figure out how to set the fsprotect kernel parameter for U-Boot.

Thanks again

