To create a read only root file system we need to know which processes access which files and which files must be accessible. So here is a list of files to take care of. Everything below \/var is assumed of being accessible as it makes no sense from my point of view to restrict access for everything, which could nevertheless also be achieved by following this instructions.<\/p>\n
There are already some special file systems available in a standard linux installation, so we do not need to take care about:<\/p>\n
So we finally will have:<\/p>\n
\/\u00a0 root as extended fs read only mounted<\/p>\n
\/var as exteneded fs mounted read writable<\/p>\n
\/tmp as temp fs ounted read writable<\/p>\n
And now to the tricks. We need to take care about \/etc as there are some files which need special preparation:<\/p>\n
adjtime – should be linked to somewhere beyond \/var; \/etc\/init.d\/hwclockfirst.sh and hwclock.sh should be adjusted to show the option –noadjtime<\/p>\n
<\/p>\n
blkid.tab – should be linked to somewhere beyond \/var; the environement variable BLKID_FILE must be set to\u00a0 \/var\/local\/blkid.tab in \/etc\/environment<\/p>\n
<\/p>\n
mtab – Create a symlink from \/etc\/mtab to \/proc\/self\/mounts<\/p>\n
<\/p>\n
network\/run – ifupdown links \/etc\/network\/run to \/dev\/shm\/network in postinst if \/dev\/shm exists and \/etc\/network\/run does not; my installation was not successful without an existing network\/run\/ifstates, so I copied the complete directory once the network was up and running.<\/p>\n
<\/p>\n
nologin – This should already be a symlink to \/var\/lib\/initscripts\/nologin<\/p>\n
<\/p>\n
resolv.conf – no problem with static nameserver configurations<\/p>\n
<\/p>\n
passwd, shadow – may be modified by user interaction<\/p>\n
<\/p>\n
apt-get could be modified to remount before installing anything:<\/p>\n
DPkg {\n \/\/ Auto re-mounting of a readonly \/\n Pre-Invoke { \"mount -o remount,rw \/\"; };\n Post-Invoke { \"test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro \/ || true\"; };\n};\n\nUse lsof to find processes blocking the readonly mount.\n\n\nThere are some additional tricks to check:\n<\/pre>\n<\/p>\n","protected":false},"excerpt":{"rendered":"
To create a read only root file system we need to know which processes access which files and which files must be accessible. So here is a list of files to take care of. Everything below \/var is assumed of being accessible as it makes no sense from my point of view to restrict access … Continue reading linux read only root filesystem<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[10],"tags":[35,44,46,51,54,58,73,79,111,116],"class_list":["post-161","post","type-post","status-publish","format-standard","hentry","category-sniplets","tag-administration","tag-boot","tag-config","tag-debian","tag-dockstar","tag-file-system","tag-install","tag-linux","tag-root","tag-server"],"_links":{"self":[{"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=\/wp\/v2\/posts\/161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=161"}],"version-history":[{"count":0,"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=\/wp\/v2\/posts\/161\/revisions"}],"wp:attachment":[{"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/olkn.myvnc.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}