Differences between revisions 54 and 55
Revision 54 as of 2015-02-20 19:24:10
Size: 242
Editor: ?ColbyHighv
Revision 55 as of 2015-02-20 19:54:49
Size: 12575
#language en
The Filesystem Hierarchy Standard ([[FilesystemHierarchyStandard|FHS]]) permits mounting parts of the filesystem read-only. This has some advantages, such as fewer filesystem checks at boot and no need to check the whole filesystem after a crash.

<<TableOfContents()>>

= Preconditions =

The FHS allows mounting everything underneath /bin, /lib, /sbin and /usr read-only. You can extend this much further by using separate filesystems for some trees and taking care of a few special files.

Locations that must be writable are /etc, /home, /srv, /tmp and /var. The hierarchies below /dev, /proc, /selinux and /sys are already handled by special filesystems.

For /tmp you can use a tmpfs or a filesystem of its own. For /var it is preferable to use its own filesystem. An example layout can look like this:

||Device file||Filesystem||Mount point|| RO/RW ? ||
||/dev/sda1||ext2||/|| RO ||
||/dev/sda2||ext3||/var|| RW ||
||—||tmpfs||/tmp|| RW ||
||/var/local/home||bind mount||/home|| RW ||
||/var/local/srv||bind mount||/srv|| RW ||

You can use a filesystem without a journal for /, because you don't write there and so don't need the journal. This can also be ext4, so you still benefit from the improvements of ext4. Create the filesystem with {{{mke2fs -t ext4 -O ^has_journal /dev/sda1}}} or remove the journal from an existing one with {{{tune2fs -O ^has_journal /dev/sda1}}}.
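As an added example that is not part of the wiki page: a small POSIX shell script that checks a mount plan like the table above against what the kernel reports in /proc/self/mounts. The planned mount points and their expected ro/rw state are embedded in the function (an assumption: they mirror the table, adjust them for your layout), and the mounts file is a parameter so the check can also run against a saved copy.

```shell
# Added example, not from the Debian wiki page. Compares the planned mount
# layout (the table above) with the kernel's view in /proc/self/mounts.

# mount_state <mounts-file> <mount point>: print "ro" or "rw" for the mount
# point, or "missing" if nothing is mounted there. The last matching line
# wins, which is how the kernel resolves a mount stacked on top of another
# (e.g. "rootfs /" followed by the real "/dev/sda1 /").
mount_state() {
    awk -v mp="$2" '
        $2 == mp { state = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw" }
        END { if (state == "") state = "missing"; print state }
    ' "$1"
}

# check_mount_plan [mounts-file]: one line per planned mount point; returns
# 1 if any of them is missing or in the wrong ro/rw state.
check_mount_plan() {
    mounts=${1:-/proc/self/mounts}
    rc=0
    # The heredoc holds the plan (assumed to mirror the table above).
    while read -r mp want; do
        got=$(mount_state "$mounts" "$mp")
        if [ "$got" = "$want" ]; then
            printf 'ok       %-6s %s\n' "$mp" "$got"
        else
            printf 'MISMATCH %-6s expected %s, got %s\n' "$mp" "$want" "$got"
            rc=1
        fi
    done <<EOF
/ ro
/var rw
/tmp rw
/home rw
/srv rw
EOF
    return $rc
}

# Usage on a live system: check_mount_plan
```

Because the function only reads the mounts file, it is safe to run from cron or a boot-time check to detect a root that came up read-write (for example after an errors=remount-ro event in the other direction, or after someone forgot to remount ro).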

= Special files in /etc =

You have to take care of some files in /etc. These are:

== adjtime ==

It is modified on boot-up; see Bug:156489.

Solution: Create a symlink from /etc/adjtime to /var/local/adjtime and either

(1) add the option --noadjfile to HWCLOCKPARS in /etc/init.d/hwclockfirst.sh and /etc/init.d/hwclock.sh,

or

(2) fix /etc/init.d/hwclockfirst.sh by replacing -f with -L in “if [ -w /etc ] && [ ! -f /etc/adjtime ] && [ ! -e /etc/adjtime ]; then”; see Bug:520606.

== alsa: init.d/alsa-utils ==

In all versions before alsa-utils/1.0.27.2-1 (as of 2013-10-25 this concerns the wheezy version), the startup script of the DebianPkg:alsa-utils package creates /.pulse files, leading to multiple “Failed to create secure directory” error messages when pulseaudio is installed.

Relevant bug: DebianBug:712980

== blkid.tab ==

It is modified at runtime by DebianPkg:libblkid1.

Solution: You can't create a symlink from /etc/blkid.tab to /var/local/blkid.tab because, unfortunately, DebianPkg:libblkid1 will not honour this symlink: it replaces it with a regular file on every write whenever the filesystem is mounted read/write (e.g. while doing an apt-get install). To work around this you must set the environment variable BLKID_FILE to /var/local/blkid.tab. Do this in /etc/environment so that the variable is set for everybody who might do mounting.

== courier imap ==

Courier IMAP uses a text file (/etc/courier/shared/index) for fast user lookups when running as a mail server for virtual mailboxes (the default configuration of authenticating against PAM is unaffected by this).

If using virtual mailboxes with shared accounts, the file will need to be moved elsewhere; the directory /var/cache/courier/shared/ would be suitable but will need to be created manually.

Once that is done, update /etc/courier/imapd and change IMAP_SHAREDINDEXFILE to IMAP_SHAREDINDEXFILE=/etc/courier/shared/index.

See http://www.courier-mta.org/imap/README.sharedfolders.html for upstream's information about this setting.

== cups ==

CUPS stores all kinds of state files under /etc (classes.conf, cupsd.conf, printers.conf, subscriptions.conf) and upstream is against any modification.

Relevant bug: DebianBug:549673

== lvm ==

LVM stores a backup of the current metadata and archives of previous metadata in /etc/lvm/{backup,archive}. That causes any operation altering the metadata (vgreduce, vgextend, lvcreate, lvremove, lvresize, ...) to fail if / is not remounted read-write for the operation.

Solution: The location of the backup and archives is specified in /etc/lvm/lvm.conf. Set backup_dir = "/var/backups/lvm/backup" and archive_dir = "/var/backups/lvm/archive", create /var/backups/lvm and move /etc/lvm/backup and /etc/lvm/archive there.

Note: LVM normally creates a backup during boot. This no longer happens, as it is smart enough to see that /var is not yet mounted (or still read-only). But unless you use cluster LVM you will always already have a current backup from the last time you changed the metadata, so no harm done.

Relevant bugs: DebianBug:372207 DebianBug:562234 (for etckeeper behavior WRT LVM files see DebianBug:462355)

== mtab ==

Used by mount.

Solution: Create a symlink from /etc/mtab to /proc/self/mounts.

mount.cifs (before DebianPkg:smbfs 2:3.4.3-1) doesn't honour this symlink and replaces it with a real file; see Bug:408394.

mtab is in /etc for historical reasons as per FHS 2.3.

== network/run ==

Used by ifupdown up to Squeeze.

Solution: ifupdown links /etc/network/run to /run/network in its postinst if /etc/network/run is not a directory:
{{{
 rm -rf /etc/network/run
 dpkg-reconfigure ifupdown
}}}

Alternatively: Create a symlink from /etc/network/run to /lib/init/rw/etc-network-run (network/run is accessed by the ifupdown init scripts before /var may be mounted, hence the abuse of /lib/init/rw).

Systems running Wheezy will be automatically moved to using /run/network no matter what their existing configuration was.

Relevant bug: DebianBug:389996

== nologin ==

Modified on boot-up by the init scripts bootmisc.sh and rmnologin.

This should already be a symlink to /var/lib/initscripts/nologin.

In wheezy the init scripts directly modify /var/lib/initscripts/nologin.

== resolv.conf ==

If you have only a static nameserver configuration, then there's no problem. Otherwise you should use the package DebianPkg:resolvconf.

== passwd, shadow ==

These files might be modified by users with the tools chfn, chsh and passwd. If you are the only user of your system, you can remount the filesystem read/write before using these tools. Otherwise you might consider using NIS or LDAP.

== samba/dhcp.conf ==

If the DebianPkg:dhcp3-client (a.k.a. isc-dhcp-client) package is installed, /etc/dhcp3/dhclient-enter-hooks.d/samba creates /etc/samba/dhcp.conf every time a DHCP lease is obtained, regardless of whether it is used in /etc/samba/smb.conf.

Relevant bug: DebianBug:629406

== suck ==

DebianPkg:suck puts files in /etc/suck which are modified by suck at runtime; see Bug:206631. To work around this problem, you have to:

 * move /etc/suck/sucknewsrc* to a new directory /var/local/suck,
 * create a symlink /etc/suck/suckkillfile to /var/local/suck/suckkillfile,
 * and set etcdir in get-news.conf to /var/local/suck (this sets the -dd option of suck).

== udev ==

If the DebianPkg:udev rules 75-cd-aliases-generator.rules and 75-persistent-net-generator.rules are enabled, udev will try to update the files 70-persistent-cd.rules and 70-persistent-net.rules in /etc/udev/rules.d/ when needed. It is recommended to create these files once with all the rules needed and then disable the /etc/init.d/udev-mtab init script. While the root is read-only, new rules are added to /dev/.udev/rules.d/.
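As an added example, not the wiki's own code: a POSIX shell function that performs the move-then-symlink step that the adjtime, mtab, network/run and suck sections above describe by hand, in a way that can be re-run safely. It takes the path under /etc and its new writable location as arguments; the function name and its behaviour on conflicts are assumptions of this example, and on a real system it must run as root (with / remounted read-write).

```shell
# Added example, not from the Debian wiki page. Relocates a file that a
# daemon writes under /etc into a writable tree and leaves a symlink behind.
# Idempotent: an existing regular file is moved (its contents survive), a
# symlink that already points at the new location is left alone, a symlink
# pointing elsewhere is replaced, and it refuses to clobber an existing
# target. Run as root on the real system; the paths below are parameters so
# the function can be exercised on a scratch directory.
#
# relocate_to_writable <path-under-/etc> <new-location>
#   e.g. relocate_to_writable /etc/adjtime /var/local/adjtime
#        relocate_to_writable /etc/mtab    /proc/self/mounts
relocate_to_writable() {
    src=$1
    dst=$2
    mkdir -p "$(dirname "$dst")"
    if [ -L "$src" ]; then
        # A symlink is already there: accept it only if it points at $dst.
        if [ "$(readlink "$src")" = "$dst" ]; then
            echo "unchanged: $src -> $dst"
            return 0
        fi
        rm -f "$src"
    elif [ -e "$src" ]; then
        # Regular file or directory: preserve its contents in the new place,
        # but never overwrite something that already exists there.
        if [ -e "$dst" ]; then
            echo "refusing: both $src and $dst exist, merge them by hand" >&2
            return 1
        fi
        mv "$src" "$dst"
    fi
    # Either nothing existed yet (a dangling link is fine: the daemon will
    # create the file at $dst on first write) or $src was moved away.
    ln -s "$dst" "$src"
    echo "linked: $src -> $dst"
}
```

Note that this helper does nothing for the cases the page marks as not symlink-friendly (blkid.tab, mount.cifs before smbfs 2:3.4.3-1): those programs replace the link with a file, which is why they need the environment variable or a package upgrade instead.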

= Enable readonly root =

To have your root filesystem mounted read-only, edit /etc/fstab and set the mount option ''ro'':

{{{
# /etc/fstab: static file system information.
#
# <file system> <mount point> <type> <options> <dump> <pass>
/dev/hda1 / ext2 defaults,noatime,ro,errors=remount-ro 0 1
/dev/hda4 /var ext3 defaults 0 2
}}}

The option ''noatime'' is useful while the disk is mounted read/write during updates.

= Enable readonly root during installation =

Note: Tested with Debian Squeeze build from 2010-10-20

In the Debian installer, when configuring the filesystem and mount point for a partition, one can also select extra flags for the mount. If you want a read-only root you can select that there and the installer will create the fstab correctly for you. This gives you a system that almost works.

You will have to correct /etc/mtab and ifupdown and, if you have no /tmp partition, add a tmpfs to /etc/fstab to get a clean boot. Do that at the shell prompt on the second console (Ctrl-Alt-F2) in the installer, or do it first before any other fixes from above and reboot. Before you fix ifupdown you will have no networking, so don't go this way when installing remotely.

After the second boot you might get an error from exim4 that the panic log isn't empty. This is because the network didn't come up on the first boot (you fixed ifupdown now, right?). Check that it is just that, remove the file (see <file:///usr/share/doc/exim4/README.Debian.html>, section 2.5.1 “The daily cron job”, esp. logrotate -f /etc/logrotate.d/exim4-paniclog) and restart exim4.

= Tips and tricks =

== Make apt-get remount / if needed ==

To make apt-get remount the filesystem read/write automatically before calling dpkg and remount it read-only after dpkg has finished, put these lines in /etc/apt/apt.conf:

{{{
DPkg {
    // Auto re-mounting of a readonly /
    Pre-Invoke { "mount -o remount,rw /"; };
    Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro / || true"; };
};
}}}

The environment variable NO_APT_REMOUNT can be set to yes to prevent apt from remounting the filesystem read-only. This is handy if you plan to configure the installed package or make other changes in /etc.
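As an added example beyond the apt.conf hook above (not part of the original page): a shell wrapper with the same remount logic for any one-off command that needs a writable /, such as passwd or an LVM operation from the sections above. It honours NO_APT_REMOUNT exactly as the hook does and additionally leaves / alone if it was not read-only to begin with, so it never locks down a normally writable system by accident. The remount_root function and the MOUNTS_FILE variable are assumptions of this example, so the wrapper can be exercised against a stub and a saved mounts file without root.

```shell
# Added example, not from the Debian wiki page. with_rw_root CMD...: run CMD
# with / remounted read-write and put it back afterwards, mirroring the
# Pre-Invoke/Post-Invoke hooks above.

# root_is_ro: true if the kernel currently has / mounted read-only. Reads
# /proc/self/mounts (MOUNTS_FILE overrides it for testing); the last entry
# for / wins, as with stacked mounts.
root_is_ro() {
    awk '$2 == "/" { opts = $4 }
         END { if (opts ~ /(^|,)ro(,|$)/) exit 0; exit 1 }' \
        "${MOUNTS_FILE:-/proc/self/mounts}"
}

# remount_root <ro|rw>: the command that actually flips the mount state.
# Redefine it as a stub to exercise the wrapper without root.
remount_root() { mount -o "remount,$1" /; }

with_rw_root() {
    if ! root_is_ro; then
        "$@"                      # / is already writable: nothing to do
        return
    fi
    remount_root rw || return     # propagate the mount failure
    "$@"
    rc=$?
    if [ "${NO_APT_REMOUNT:-no}" = yes ]; then
        echo "with_rw_root: leaving / read-write because NO_APT_REMOUNT=yes" >&2
    elif ! remount_root ro; then
        # Typically "/ is busy": see "Find processes blocking the remount readonly".
        echo "with_rw_root: / is still read-write, check for processes holding deleted files" >&2
    fi
    return $rc                    # exit status of the wrapped command
}

# Usage: with_rw_root passwd alice
#        NO_APT_REMOUNT=yes with_rw_root vgextend vg0 /dev/sdb1
```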

== Find processes blocking the remount readonly ==

After an upgrade of packages you might be faced with the problem that mount refuses to remount the filesystem read-only, telling you “/ is busy”. This is caused by deleted files that are still in use by a process. To find out which processes use deleted files, use the tool [[DebianMan:1/checkrestart|checkrestart(1)]] from the package DebianPkg:debian-goodies or use the following command. Often these are daemons using upgraded libraries; you have to restart them so that the files are released.

{{{
% {lsof +L1; lsof|sed -n '/SYSV/d; /DEL\|(path /p;'} |grep -Ev '/(dev|home|tmp|var)'
COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME
login 1546 root 4r REG 3,3 1331 0 66165 /etc/passwd (deleted)
startx 1587 joerg 10r REG 3,3 4491 0 295122 /usr/bin/startx
xinit 1609 joerg txt REG 3,3 19084 0 295565 /usr/bin/xinit
zsh-beta 5058 joerg txt REG 3,3 628968 0 458849 /bin/zsh-beta
zsh-beta 5058 joerg 12r REG 3,3 174728 0 205450 /usr/share/zsh-beta/functions/Completion.zwc
zsh-beta 5058 joerg 13r REG 3,3 2221256 0 205405 /usr/share/zsh-beta/functions/Completion/Unix.zwc
zsh-beta 5058 joerg 14r REG 3,3 237528 0 205398 /usr/share/zsh-beta/functions/Completion/Base.zwc
udevd 458 root mem REG 3,3 131417 /lib/libnss_files-2.7.so (path inode=140638)
udevd 458 root mem REG 3,3 131431 /lib/libnss_nis-2.7.so (path inode=140653)
udevd 458 root mem REG 3,3 131389 /lib/libnsl-2.7.so (path inode=140616)
udevd 458 root mem REG 3,3 131401 /lib/libnss_compat-2.7.so (path inode=140623)
udevd 458 root mem REG 3,3 131212 /lib/libdl-2.7.so (path inode=140598)
udevd 458 root mem REG 3,3 131159 /lib/libc-2.7.so (path inode=140581)
udevd 458 root mem REG 3,3 131089 /lib/ld-2.7.so (path inode=140572)
syslog-ng 1406 root mem REG 3,3 131417 /lib/libnss_files-2.7.so (path inode=140638)
syslog-ng 1406 root mem REG 3,3 131431 /lib/libnss_nis-2.7.so (path inode=140653)
syslog-ng 1406 root mem REG 3,3 131389 /lib/libnsl-2.7.so (path inode=140616)
syslog-ng 1406 root mem REG 3,3 131401 /lib/libnss_compat-2.7.so (path inode=140623)
syslog-ng 1406 root mem REG 3,3 131159 /lib/libc-2.7.so (path inode=140581)
syslog-ng 1406 root mem REG 3,3 131089 /lib/ld-2.7.so (path inode=140572)
}}}
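As an added example (not from the wiki page): a filter that reduces the listing above to the processes that need restarting. It reads lsof output on stdin, drops the header and everything under the trees that are writable anyway, and prints each command/PID pair once in first-seen order. The constructed sample is a subset of the page's own listing plus one made-up cron line under /var, included only to show the exclusion.

```shell
# Added example, not from the Debian wiki page. deleted_holders: read lsof
# output (e.g. the command shown above) on stdin and print "COMMAND PID"
# once per process that still holds a deleted or replaced file outside the
# always-writable trees. The NAME column is the last field, but the number
# of fields varies (mem mappings have no SIZE/NLINK), so the path filter
# matches the whole line rather than a fixed column.
deleted_holders() {
    awk '
        NR == 1 { next }                          # skip the COMMAND PID USER ... header
        / \/(dev|home|tmp|var)\// { next }        # same exclusion as the grep above
        !seen[$1 " " $2]++ { print $1, $2 }       # first occurrence of each process
    '
}

# Constructed sample for a self-test: four lines from the page's listing
# plus one invented cron entry under /var that must be filtered out.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE NLINK NODE NAME
login 1546 root 4r REG 3,3 1331 0 66165 /etc/passwd (deleted)
zsh-beta 5058 joerg txt REG 3,3 628968 0 458849 /bin/zsh-beta
zsh-beta 5058 joerg 12r REG 3,3 174728 0 205450 /usr/share/zsh-beta/functions/Completion.zwc
cron 900 root 3r REG 3,3 128 0 77001 /var/spool/cron/crontabs/root (deleted)
syslog-ng 1406 root mem REG 3,3 131159 /lib/libc-2.7.so (path inode=140581)'

# holders_from_sample: run the filter over the constructed sample.
holders_from_sample() {
    printf '%s\n' "$SAMPLE_LSOF" | deleted_holders
}

# Usage on a live system (as root, so lsof sees every process):
#   { lsof +L1; lsof | sed -n '/SYSV/d; /DEL\|(path /p;'; } | deleted_holders
```

The output is the restart list for this situation: one shell session and login process to log out of, and the daemons (udevd, syslog-ng in the page's listing) to restart before the remount is retried.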

= Read-only root the AUFS way =
Maybe this is also of interest:
https://help.ubuntu.com/community/aufsRootFileSystemOnUsbFlash
