The File Hierarchy Standard (FHS) permits mounting parts of the filesystem readonly. This has some advantages like fewer filesystem checks on bootup or no need to check the whole filesystem after a crash.


The FHS allows mounting all underneath /bin, /lib, /sbin and /usr read-only. But you can extend this much more by using different filesystems for some trees and take care for special files.

Locations that must be writable are /etc, /home, /srv, /tmp, /var. The hierarchies below /dev, /proc, /selinux and /sys are already handled by special filesystems.

For /tmp you can use a tmpfs filesystem or its own filesystem. For /var it's prefered to use its own filesystem. An example can look like this:

Device file


Mount point














bind mount




bind mount



You can use a filesystem without a journal for /, because you don't write there and you don't need the journal. This can be an ext4, too, hence you can take advantage of the improvements of ext4. Create the filesystem with mke2fs -t ext4 -O ^has_journal /dev/sda1 or remove the journal with tune2fs -O ^has_journal /dev/sda1.

Special files in /etc

You have to take care for some files in /etc. These are


because it's modified on boot up; see bug 156489

Solution: Create a symlink from /etc/adjtime to /var/local/adjtime and

(1) add the option --noadjfile to HWCLOCKPARS in /etc/init.d/ and /etc/init.d/


(2) fix /etc/init.d/ by replacing -f by -L in “if [ -w /etc ] && [ ! -f /etc/adjtime ] && [ ! -e /etc/adjtime ]; then”; see 520606.

alsa: init.d/alsa-utils

All versions before alsa-utils/ (@2013-10-25 concerns wheezy version) of alsa-utils package startup script creates /.pulse files, leading to multiple error messages "Failed to create secure directory" when pulseaudio is installed.

Relevant bug: 712980

because it's modified at runtime by libblkid1

Solution: You can't create a symlink from /etc/ to /var/local/ because, unfortunately, libblkid1 will not honor this symlink. It will replace it on every write by a file, if the filesystem is mounted for writing (e.g. while doing an apt-get install). To work around this you must set the environement variable BLKID_FILE to /var/local/ You should do this in /etc/environment to set the variable for everybody who might do mounting.

courier imap

Courier IMAP uses a text file (/etc/courier/shared/index) for fast user lookups if running as a mail server for virtual mailboxes (The default configuration of authenticating against pam is unaffected by this).

If using virtual mailboxes with shared accounts the file will need to be moved elseware, the directory /var/cache/courier/shared/ would be suitable but will need to be manually created.

Once that is done update /etc/courier/imapd and change IMAP_SHAREDINDEXFILE to IMAP_SHAREDINDEXFILE=/etc/courier/shared/index .

See for information upstream provide about this setting.


CUPS stores any kind of state files under /etc (classes.conf, cupsd.conf, printers.conf subscriptions.conf) and upstream is against any modification.

Relevant bug: 549673


Lvm stores a backup of current and archives of previous metadata in /etc/lvm/{backup,archive}. That causes any operation altering the metadata (vgreduce, vgextend, lvcreate, lvremove, lvresize, ...) to fail if / is not remounted read-write during the operation.

Solution: The location of the backup and archives is specified in /etc/lvm/lvm.conf. Set backup_dir = "/var/backups/lvm/backup" and archive_dir = "/var/backups/lvm/archive", create /var/backups/lvm and move /etc/lvm/backup and /etc/lvm/archive there.

Note: Lvm normally creates a backup during boot. This no longer happens as it is smart enough to see that /var is not yet mounted (or still read-only). But unless you use cluster lvm you will always already have a current backup from the last time you changed the metadata. So no harm done.

Relevant bugs: 372207 562234 (for etckeeper behavior WRT LVM files see 462355)


Used by ifupdown up to Squeeze

Solution: ifupdown links /etc/network/run to /run/network in postinst if /etc/network/run is not a directory.

 rm -rf /etc/network/run
 dpkg-reconfigure ifupdown

Alternatively: Create a symlink from /etc/network/run to /lib/init/rw/etc-network-run (network/run is accessed by ifupdown init scripts before /var might be mounted, therefore, the abuse of /lib/init/rw)

Systems running Wheezy will be automatically moved to using /run/network no matter what their existing configuration was.

Relevant bug: 389996


modified on boot up by the initscripts and rmnologin

This should already be a symlink to /var/lib/initscripts/nologin

In wheezy the init scripts directly modify /var/lib/initscripts/nologin


If you have only a static nameserver configuration, then there's no problem. Otherwise you should use the package resolvconf.

passwd, shadow

These files might be modified by the user with the tools chfn, chsh and passwd. If you are the only user of you system, you can remount the filesystem read/write before using these tools. Otherwise you might think about using NIS or LDAP.


If the dhcp3-client (AKA isc-dhcp-client) package is installed, every time a DHCP connection is established, /etc/dhcp3/dhclient-enter-hooks.d/samba creates /etc/samba/dhcp.conf, no matter if it is used or not in /etc/samba/smb.conf.

Relevant bug: 629406


suck puts files in /etc/suck which are modified by suck at runtime; see 206631 To work around this problem, you have to


If the udev rules 75-cd-aliases-generator.rules and 75-persistent-net-generator.rules are enabled, udev will try to update the files 70-persistent-cd.rules and 70-persistent-net.rules in /etc/udev/rules.d/ if needed. It is recommended to create the files once with all the rules needed and then disable the /etc/init.d/udev-mtab init script. While the root is readonly new rules are added to /dev/.udev/rules.d/.

Enable readonly root

To make your root filesystem is mounted readonly you must edit your /etc/fstab and set the mount option ro.

# /etc/fstab: static file system information.
# <file system>     <mount point>   <type>  <options>               <dump>  <pass>
/dev/hda1           /               ext2    defaults,noatime,ro,errors=remount-ro       0 1
/dev/hda4           /var            ext3    defaults                0 2

The option noatime is useful while the disk is mounted read/write while updates.

Enable readonly root during installation

Note: Tested with Debian Squeeze build from 2010-10-20

In the Debian installer, when configuring the filesystem and mountpoint for a partition, once can also select extra flags for the mount. If you want a readonly root then you can select that there and the installer will create the fstab corretcly for you. This gives you a system that almost works.

You will have to correct /etc/mtab, ifupdown and, if you have no /tmp partition, add tmpfs to /etc/fstab to get a clean boot. Do that at the shell prompt at the second console (Ctrl-Alt-F2) in the installer or first before any other fixes from above and reboot. Before you fix ifupdown you will have no networking so don't go this way when installing remote.

After the second boot you might get an error from exim4 that the panic log isn't empty. This is because the network didn't come up on the first boot (you fixed ifupdown now, right?). Check that it is just that, remove the file (see <file:///usr/share/doc/exim4/README.Debian.html>, section 2.5.1. “The daily cron job”, esp. logrotate -f /etc/logrotate.d/exim4-paniclog) and restart exim4.

Tips and tricks

Make apt-get remount / if needed

To make apt-get remounts the filesystem automatically read/write before calling dpkg and remounting it readonly after dpkg finished, put these lines in /etc/apt/apt.conf

DPkg {
    // Auto re-mounting of a readonly /
    Pre-Invoke { "mount -o remount,rw /"; };
    Post-Invoke { "test ${NO_APT_REMOUNT:-no} = yes || mount -o remount,ro / || true"; };

The environment variable NO_APT_REMOUNT can be set to yes to prevent apt remounting the filesystem read-only. This is handy, if you plan to configure the installed package or make other changes in /etc.

apt-daily / unattended-upgrades

The unattended-upgrades periodically checks for upgradable packages. These are stored in /var/lib/apt/periodic and additionally the lock file /var/lib/apt/daily_lock is used. In order to allow temporary write access, pre- and post-execute hooks can be assigned to the apt-daily-upgrade service by running systemctl edit apt-daily-upgrade and entering the following lines:

ExecStartPre=-mount -o remount,rw /
ExecStartPost=-sh -c 'if [ "${NO_APT_REMOUNT:-no}" != yes ]; then mount -o remount,ro /; fi'

Find processes blocking the remount readonly

After an upgrade of packages you might be faced with the problem that mount refuses to remount the filesystem readonly telling you “/ is busy.” This is caused by deleted files they are still used by a process. To find out which processes use deleted files use the tool checkrestart(1) from the package debian-goodies or use the following command. Often these are daemons using upgraded libraries. You have to restart them to make the files are released.

% { lsof +L1; lsof | sed -n '/SYSV/d; /DEL\|(path /p;'; } | grep -Ev '/(dev|home|tmp|var)'
login      1546     root    4r   REG    3,3    1331     0  66165 /etc/passwd (deleted)
startx     1587    joerg   10r   REG    3,3    4491     0 295122 /usr/bin/startx
xinit      1609    joerg  txt    REG    3,3   19084     0 295565 /usr/bin/xinit
zsh-beta   5058    joerg  txt    REG    3,3  628968     0 458849 /bin/zsh-beta
zsh-beta   5058    joerg   12r   REG    3,3  174728     0 205450 /usr/share/zsh-beta/functions/Completion.zwc
zsh-beta   5058    joerg   13r   REG    3,3 2221256     0 205405 /usr/share/zsh-beta/functions/Completion/Unix.zwc
zsh-beta   5058    joerg   14r   REG    3,3  237528     0 205398 /usr/share/zsh-beta/functions/Completion/Base.zwc
udevd       458       root  mem       REG        3,3              131417 /lib/ (path inode=140638)
udevd       458       root  mem       REG        3,3              131431 /lib/ (path inode=140653)
udevd       458       root  mem       REG        3,3              131389 /lib/ (path inode=140616)
udevd       458       root  mem       REG        3,3              131401 /lib/ (path inode=140623)
udevd       458       root  mem       REG        3,3              131212 /lib/ (path inode=140598)
udevd       458       root  mem       REG        3,3              131159 /lib/ (path inode=140581)
udevd       458       root  mem       REG        3,3              131089 /lib/ (path inode=140572)
syslog-ng  1406       root  mem       REG        3,3              131417 /lib/ (path inode=140638)
syslog-ng  1406       root  mem       REG        3,3              131431 /lib/ (path inode=140653)
syslog-ng  1406       root  mem       REG        3,3              131389 /lib/ (path inode=140616)
syslog-ng  1406       root  mem       REG        3,3              131401 /lib/ (path inode=140623)
syslog-ng  1406       root  mem       REG        3,3              131159 /lib/ (path inode=140581)
syslog-ng  1406       root  mem       REG        3,3              131089 /lib/ (path inode=140572)

Read only Root The AUFS Way

maybe this is also of interest: