LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware > Slackware - ARM
User Name
Password
Slackware - ARM This forum is for the discussion of Slackware ARM.

Notices


Reply
  Search this Thread
Old 10-03-2016, 04:17 AM   #1
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Rep: Reputation: 43
Anyone else interested in running some of their ARM devices with root mounted read only ?


I like to run devices that are left on 24x7 from read only root.

Recently I had-to revisit the way I do it, but this time I took better notes of what I did, in the hope to make it a less time consuming thing for the future.

I've addressed things like:
  • enabling it when "sysro" is passed to kernel via append
  • have an automated means of setting up /var related stuff to write to tmpfs
  • have an automated means of rolling back to standard /var

If there is any interest in this I'll make an article on docs.slackware
 
Old 10-03-2016, 02:19 PM   #2
Linux.tar.gz
Senior Member
 
Registered: Dec 2003
Location: Paris
Distribution: Slackware forever.
Posts: 2,382

Rep: Reputation: 91
Could be an extension/update to the famous Slackware hardening article.
 
Old 10-04-2016, 03:18 AM   #3
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
I suppose it has some security implications too (as you can't write until you escalate root privileges to do the remount) ... but my primary objective in running the system RO is making the system 100% power failure proof. Sometimes a power failure may request interactive fsck when the system comes back up again ... that won't happen on a RO system.
 
Old 10-15-2016, 06:26 AM   #4
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
Even a RW mode NAS would benefit from a ro root IMO?
 
Old 10-16-2016, 05:04 AM   #5
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
Quote:
Originally Posted by SCerovec View Post
Even a RW mode NAS would benefit from a ro root IMO?
IMO: Although having the OS running the NAS in good health at all times is a good thing there are other important aspects to consider too.

On your NAS chances are that at least the volumes that you export will need to be in RW mode hence the NAS might still hang while booting asking for iterative fsck on the exported volumes. You could mark the exported volumes not to get fsck at boot time (in fstab) but then repeated power failures could gradually introduce crap in your inode and block lists to the point where you really start to get bad effects.
On a NAS where the exported data is mostly static it's unlikely that you run into inconsistencies in block and inode lists.
If your NAS's OS runs off rotating mass storage who cares how mane times blocks get re-writtren you're not going to have the blocks ware out like on flash devices. The most important factor that drove me to running some of my systems with root RO was indeed the flash storage ware. (*)

I think the best thing would be to have the NAS (or any other thing that needs to have permanent data saved to RW volumes) under UPS.

I see the RO root thing as most useful for things that have basically static data (except for rare occasions where you might briefly remount root RW mode) on flash storage ... thins like access points, routers, firewalls, dhcp servers, print servers and other similar stuff ... or at least that's my opinion.

(*): I've some blogs where I do some rambling on flash ware: linux and persistence on live systems running on flash storage some thoughts on unning linux off flash mass storage
 
Old 10-16-2016, 10:23 AM   #6
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
While I generally agree, there are other ways:

The base system could be run RO, while the PAYLOAD could be non-OS managed:

After the OS has booted, the rc.local gives control to an dedicated app:
1. sophisticated fsck
2. maybe even basic crc check of data
3. connectivity check and assurance (WiFi, LAN, BT, tty-s etc)
4. data mounted locally and
5. data exported for sharing (nfs,smb/cifs,ftp,tftp,ssh etc)

And the rw critical stuff can always be linked to a dedicated var partition on the mass storage (spun or solid) which would be on overlay over an fail-var partition on the OS carrier media (MMC or USB eprom storage)

Not to mention fs overlays now that we have live OS "in house" whit Alien BOB's live Slackware?

What gives?
 
Old 10-16-2016, 12:08 PM   #7
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
Sorry I should not have digressed ... after all this thread is for finding how many are interested on running their Slackware systems root mounted RO.
Two is not that many
I might end up just sharing some scripts instead of writing an article about it.
 
Old 10-16-2016, 04:59 PM   #8
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
Well, You didn't:

Both Your post was on topic

as well as You didn't post any scripts, either ?

I surely love to review scripts and snippets! B-]
 
Old 10-17-2016, 02:04 AM   #9
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
Well I suppose that maybe showing the unfinished form that I'm using right now could still be interesting:

What follows is my rc.ro that's called from a slightly modified rc.S and/or used to set things up for the first time.
Code:
#!/bin/bash

#this creates directories and files in /run (tmpfs) for the links in /var  
create_tmpfs_dirs ()
{ for dir in log tmp etc spool/atjobs spool/atspool dbus nscd lib/dhcpcd
  do
    /usr/bin/mkdir -p /run/$dir
  done
  /usr/bin/chmod a+rwxt /run/tmp
  /usr/bin/touch /run/spool/atjobs/.SEQ
  /usr/bin/chmod 600 /run/spool/atjobs/.SEQ
  /usr/bin/chown -R daemon:daemon /run/spool/at*
  /usr/bin/chmod ug+rwxt /run/spool/at*
  
  for file in ld.so.cache resolv.conf
  do
    /usr/bin/touch /run/etc/$file
  done
  
  for file in messages syslog debug secure cron maillog spooler dmesg btmp faillog lastlog wtmp
  do
    /usr/bin/touch /run/log/$file
  done
  /usr/bin/chmod 640 /run/log/*
}

#this sets up al places in /var that need to be rw to be linked in /run (tmpfs)
setup_var4ro ()
{ pushd /etc >/dev/null
    rm -f ld.so.cache ; ln -s ../run/etc/ld.so.cache ld.so.cache
    rm -f mtab ; ln -s ../proc/mounts mtab
  popd  >/dev/null
  pushd /var/log >/dev/null
    rm -f wtmp ; ln -s ../../run/log/wtmp wtmp
    rm -f spooler ; ln -s ../../run/log/spooler spooler
    rm -f debug ; ln -s ../../run/log/debug debug
    rm -f cron ; ln -s ../../run/log/cron cron
    rm -f secure ; ln -s ../../run/log/secure secure
    rm -f syslog ; ln -s ../../run/log/syslog syslog
    rm -f lastlog ; ln -s ../../run/log/lastlog lastlog
    rm -f dmesg ; ln -s ../../run/log/dmesg dmesg
    rm -f maillog ; ln -s ../../run/log/maillog maillog
    rm -f messages ; ln -s ../../run/log/messages messages
    rm -f btmp ; ln -s ../../run/log/btmp btmp
    rm -f faillog ; ln -s ../../run/log/faillog faillog
  popd >/dev/null
  pushd /var/spool >/dev/null
    rm -rf atjobs ; ln -s ../../run/spool/atjobs atjobs
    rm -.f atspool ; ln -s ../../run/spool/atspool atspool
  popd >/dev/null
  pushd /var/lib >/dev/null
    rm -rf dhcpcd ; ln -s ../../run/lib/dhcpcd dhcpcd
  popd >/dev/null
  pushd /var >/dev/null
    rm -rf tmp ; ln -s ../run/tmp tmp
    rm -rf run ; ln -s ../run run
  popd >/dev/null
  pushd /
    rm -rf tmp ; ln -s ../run/tmp tmp
  popd
}

#this does not restore your log files but will put 
#/var back to what it was excluding the data inside the files
rolback_var ()
{ pushd /etc >/dev/null
    rm -f ld.so.cache ; touch ld.so.cache ; ldconfig &
    rm -f mtab ; touch mtab ; mount -f -ra
  popd  >/dev/null
  pushd /var/log >/dev/null
    rm -f wtmp ; touch wtmp
    rm -f spooler ;  touch spooler
    rm -f debug ;  touch debug
    rm -f cron ;  touch cron
    rm -f secure ;  touch secure
    rm -f syslog ;  touch syslog
    rm -f lastlog ;  touch lastlog
    rm -f dmesg ;  touch dmesg
    rm -f maillog ;  touch maillog
    rm -f messages ;  touch messages
    rm -f btmp ;  touch btmp
    rm -f faillog ; touch faillog
  popd >/dev/null
  pushd /var/spool >/dev/null
    rm -rf atjobs ; mkdir atjobs
    rm -.f atspool ; mkdir atspool
    touch atjobs/.SEQ
    chmod 600 atjobs/.SEQ
    chown -R daemon:daemon at*
    chmod ug+rwxt at*
  popd >/dev/null
  pushd /var/lib >/dev/null
    rm -rf dhcpcd ; mkdir dhcpcd
  popd >/dev/null
  pushd /var >/dev/null
    rm -rf tmp run ; mkdir tmp run
    chmod a+rwxt tmp
  popd >/dev/null
  pushd /
    rm -rf tmp ; mkkdir tmp ; chmod a+rwxt tmp
  popd
}

case $1 in
  mkdirs) create_tmpfs_dirs ;;
  setup) setup_var4ro ;; 
  rollback) rolback_var ;;
esac
Don't have the time now to look ar the diff to show the minor changes I made in rc.S rc.M and rc.6 ... that's postponed to ASAP
 
Old 10-17-2016, 06:23 AM   #10
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
I like it, no need to be script-shy

now the patches
 
Old 10-17-2016, 08:41 AM   #11
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
I've attached the patch. I forgot to remove an old copy of rc.local from the original rc scripts ... please ignore the rc.local part in the patch.
I use my DDI thing to do network initialization so you might want to also ignore the changes regarding rc.inet*
Attached Files
File Type: txt ro_init.patch.txt (8.7 KB, 13 views)

Last edited by louigi600; 10-17-2016 at 08:54 AM.
 
Old 10-17-2016, 10:48 AM   #12
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
Talking

Just've read the patch,

You have a pretty neath thingy going on there (random seed o.O ).

And I like Your cases on the docu-wiki

Last edited by SCerovec; 10-17-2016 at 10:49 AM. Reason: clerance
 
Old 04-25-2017, 06:52 AM   #13
briselec
Member
 
Registered: Jun 2013
Location: Ipswich, Australia
Distribution: Slackware
Posts: 68

Rep: Reputation: Disabled
In the past I've created industrial systems where I've taken steps to minimize writing to the storage device because of the power failure issue and storage wear. So that makes one more interested in your patch.
 
Old 04-26-2017, 02:39 AM   #14
louigi600
Member
 
Registered: Dec 2013
Location: Italy
Distribution: Slackware
Posts: 480
Blog Entries: 13

Original Poster
Rep: Reputation: 43
Two is a small number ... but we're a small community so it's a number anyway but probably still to small to get Stuart to look into this thingy.
If anyone is going to use the patches I posted above pleas take care that the random seed carried across reboots does not get written do some location on the SD that would make a mess of your file-system in the case your first partition starts before sector 2048 (some of the older fdisk did that).
And if you often reboot you might want to deal with id differently as I'm targeting always the same sector .... this is fine for a system that should be running 24x7 but is less then optimal for a system that often reboots.

I've not been active in a while on the forum as I've been silently working on a thing I like to call "Geek Watch": an Arduino Nano based watch that can display time in Decimal (for the ungeek), Octal (for the UNIX nerds) and Hexadecimal (for the geek) with a micro cron like alarm system. Definitely off topic but I'm thinking about writing a series of small articles about it starting with how to keep reasonably accurate time without writing crazy compensation functions ... then moving on to a real world button debounceing (where you're not allowed to stop doing everything else while waiting for the button to be released) ... and so on up to intermittent buzzing without writing extra code to toggle buzzer status.
 
Old 05-05-2017, 08:41 AM   #15
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 1,160
Blog Entries: 2

Rep: Reputation: 166Reputation: 166
There is an fairly accurate time source in GPS receivers, FWIW, and they become increasingly smaller and less power demanding?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Slackware ARM -current & 'Kirkwood' devices - must read drmozes Slackware - ARM 5 11-14-2014 11:54 PM
Removable devices auto-mounted as read-only ( not desirable ) William (Dthdealer) Debian 5 06-04-2010 03:34 AM
Removable devices auto-mounted as read-only ( not desirable ) William (Dthdealer) Linux - Software 2 05-30-2010 08:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware > Slackware - ARM

All times are GMT -5. The time now is 05:30 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration