首页　| 　博文目录　| 　关于我

博客访问： 1213788
博文数量： 404
博客积分： 10011
博客等级：上将
技术积分： 5382
用户组：普通用户
注册时间： 2008-09-03 16:29

文章分类

全部博文（404）

嵌入式系统开发（（17）
ARM技术（转载）（4）
Bootloader（转载（1）

VIVI（0）
Linux应用程序（（2）
Linux基础（转载（2）
交叉编译（转载）（8）
嵌入式C语言基础（6）
Linux设备驱动（（115）

Platform Device（9）

LDD3（22）

Linux复杂设备驱（11）

Linux网络设备驱（16）

Linux块设备驱动（3）

Linux字符设备驱（11）

Linux设备驱动理（38）

Linux总线驱动（5）
Linux内核（转载（14）
学习&&工作（73）

门禁（4）

IPCamera（0）

DVR（0）

DVS（0）

嵌入式视频监控（0）

Linux测试（20）

CUnit（4）

Embest 2410（3）

LINUX下C应用编程（11）

测试技术（3）

Linux驱动开发（7）

嵌入式系统开发（20）
其他（2）
未分配的博文（160）

文章存档

2010年（40）

2009年（140）

2008年（224）

我的朋友

any_wind

How-To Make the root filesystem read-only

From openSUSE

[]

Introduction

There are several reasons why you might want to make your root file system read only. I wanted to have a system on a flash disk, and since flash disks are damaged after repeated read-write circles the read-only root is a very nice solution. Other reasons why you would want to make your root partition read only include:

If you want maximum security for your server, and want it to boot from a read only medium (i.e. a CD-ROM)
If you want to make your own live-cd
To avoid that power loss or system crash damage the root partition.
If you want to mount the same nfsroot on several thin clients

The following procedure is what i did to turn my SuSE 10.1 root file system to read-only. It should work on both earlier and later versions but i haven't tested it yet. There could be better/more elegant solutions, if you think that something is missing please fill free to edit this howto.

[]

Acknowledgments

Some of the information on this howto where found .

[]

Prerequisites

You need to have root permissions on the system you want to change
Since some folders that need to be writable have to be moved into the ramdrive, make sure you have enough memory.

The procedure in this article was written and tested with version openSuSE linux 10.1

Whilst there is no guarantee, it should be applicable to later versions. If you find this to be incorrect, please help to update this article.

[]

Procedure

There are two files in the /etc directory that need to be writable. These are:

/etc/mtab
/etc/resolv.conf

Also there are several files (logs etc) in /var which need to be writable, and of-cource /tmp. We will use /dev/shm ramfs to keep these files. In order to do that we need to edit some of the boot-scripts in /etc/init.d

delete /etc/mtab
link /proc/mounts to /etc/mtab

# ln -s /proc/mounts /etc/mtab

move /etc/resolv.conf to /dev/shm/resolv.conf

# mv /etc/resolv.conf /dev/shm

link /dev/shm/resolv.conf to /etc/resolv.conf

# ln -s /dev/shm/resolv.conf /etc/resolv.conf

create an archive of /var which will be extracted on the /dev/shm fs on boot.

# tar -zcvf /var.tgz /var/*

move /var to /dev/shm

# mv /var /dev/shm

create a link from /dev/shm/var to /var

# ln -s /dev/shm/var /var

You could create links only for the folders inside /var that need to be writable (i.e /var/log,etc) and save some memory by not copying libraries and other read-only files located under /var into memory. Here for simplicity, we just copy everything into /dev/shm.

delete /tmp and create a directory /dev/shm/tmp
create a link from /dev/shm/tmp to /tmp

# ln -s /dev/shm/tmp /tmp

edit /etc/init.d/boot.rootfsck :

After the fsck the script remounts the root file system as read-write. Find every line that remounts and change it like this:

from: 
mount -n -o remount,rw /
to:
mount -n -o remount,ro /

Find the line that deletes /etc/mtab* and comment it out.

#rm -f /etc/mtab*

Bellow that line add the following:

touch /dev/shm/resolv.conf # creates the /dev/shm/resolv.conf file.
mkdir /dev/shm/tmp
tar -C /dev/shm -zxf /var.tgz

edit /etc/init.d/boot.localfs and comment out the following line:

#rm -f /etc/nologin /nologin /fastboot /forcefsck /success

edit /etc/pam.d/login to remove the module that logs the login of a user.

comment out the line:
# session  required       pam_lastlog.so nowtmp

edit /etc/fstab and set mount option on / to be ro, for example:

line:
/dev/sda2       /       reiserfs        acl,user_xattr 1 1
is changed to:
/dev/sda2       /       reiserfs        ro,acl,user_xattr 1 1

remount the root filesystem to read-only

# mount -o remount,ro /

[]

Conclusions

If everything worked, your system has now a read only root filesystem. Note that each time you need to install extra software or run online update, etc, you must first remount your root partition to be writable.

# mount -o remount,rw /

Note that keeping all the tmp files in memory for systems that have a long uptime can be a problem. You can add a cronjob to periodically delete /tmp/* and maybe store the logs of /var/log to a persistent location and then delete them. This way you can avoid problems coused by a full /dev/shm fs.

阅读(1067) | 评论(0) | 转发(0) |

上一篇：Linux系统内核性能评测

下一篇：How-To Make the root filesystem read-only

给主人留下些什么吧！~~

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6