I am looking at having a read only box, it will not use a swap partition. Any recommendations? -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- - - - Jason Pyeron PD Inc. http://www.pdinc.us - - Principal Consultant 10 West 24th Street #100 - - +1 (443) 269-1555 x333 Baltimore, Maryland 21218 - - - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited.
> I am looking at having a read only box, it will not use a swap partition. > Any recommendations?Why bother with a hard drive at all? Customize a Live CD/DVD and remove the hard drive alltogether. Barry
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron at pdinc.us> wrote:> I am looking at having a read only box, it will not use a swap partition. > Any recommendations?You'll need to break out your hard drive into multiple partitions, as there are certain portions of the file system that need to be writable such as /var and /home. I setup systems in this manner to make them more difficult to subvert, I'd suggestion searching for topics such as "linux file system hardening". When you do need to do maintenance, such as package management, you'll need to remount the root file system as writable which will likely require a reboot. Brett
On Fri, May 2, 2008 at 12:16 AM, Jason Pyeron <jpyeron at pdinc.us> wrote:> I am looking at having a read only box, it will not use a swap partition. > Any recommendations?Here is a slide deck from a presentation Rick Troth has done on read only root file systems. http://linuxvm.org/present/SHARE110/S9216rt.pdf Might be some helpful bits of information in there for you. Good luck! Jeffrey
Responding to a question posted earlier this month, Centos 5.1 includes
configuration files for enabling the read-only root filesystem.
Actually, all filesystems can be mounted read-only with particular files
and directories mounted on a read-write tmpfs (in RAM). This capability
comes directly from the upstream provider.
You can have your Centos system running read-only root in two
easy steps:
1. Edit /etc/sysconfig/readonly-root and change READONLY=no to
READONLY=yes
2. Reboot
When your computer comes back up, the root and any other system
partitions will be mounted read-only. All the files and directories
listed in /etc/rwtab will be mounted read-write on a tmpfs filesystem.
You can add additional files and directories to rwtab to make them
writable after reboot.
Note that this system is stateless. When you reboot again, everything
written to the tmpfs filesystem vanishes and the system will be exactly
as it was the last time it was booted. You could add a writable
filesystem on disk or NFS for writing files you want to retain after
rebooting.
Take a look at /etc/rc.d/rc.sysinit to see how the magic is done.
This capability is a "technology preview" (beta) and is buggy. Note
that
/etc/mtab and thus "mount" do not show the complete list of
filesystems
because the /etc directory is on a read-only filesystem. /proc/mounts
always shows the correct mount information. You could update /etc/mtab
from /proc/mounts to correct it both after boot and after running the
mount or umount commands to change mounts.
Run "fgrep -v rootfs /proc/mounts >/etc/mtab" to correct /etc/mtab.
Note that mounting or symlinking /proc/mounts to /etc/mtab causes other
problems such as breaking the df command.
You can change your read-only root filesystem to read-write mode
immediately with this command run by the root user:
mount -n -o remount,rw /
- Fred
On Saturday 24 May 2008 12:05:30 Fred Noz wrote:> Responding to a question posted earlier this month, Centos 5.1 > includes configuration files for enabling the read-only root > filesystem. Actually, all filesystems can be mounted read-only with > particular files and directories mounted on a read-write tmpfs (in > RAM). This capability comes directly from the upstream provider.> When your computer comes back up, the root and any other system > partitions will be mounted read-only. All the files and directories > listed in /etc/rwtab will be mounted read-write on a tmpfs filesystem. > You can add additional files and directories to rwtab to make them > writable after reboot. > > Note that this system is stateless. When you reboot again, everything > written to the tmpfs filesystem vanishes and the system will be > exactly as it was the last time it was booted. You could add a > writable filesystem on disk or NFS for writing files you want to > retain after rebooting.This is very interesting. Thanks for the sharing Fred. So, it's somekind of Live CD on a disk? I can't think of a practical benefit of using such system, is it to protect it from unwanted modification? Fajar Priyanto | Reg'd Linux User #327841 | Linux tutorial ----- Fajar, There are many practical reasons why one would want to run a Linux system, whether it be desktop or server, with a read-only root. One reason is for ease of maintenance, especially when there are many systems to maintain. You might be administering computers in a classroom, internet access point, or library and you want to be certain that after reboot, the system is exactly as it was the last time it was rebooted, even if the users mess with the system accidentally or on purpose. For example, if a user fills up the /tmp filesystem and causes the system to crash, after booting, the system will have an empty /tmp filesystem. It will not require that fsck to be run because the other filesystems were mounted read-only. This implies no risk of filesystem corruption (except due to physical failures on the disk). Not needing fsck saves time on boot. You could use read-only root on embedded systems where there is no way an administrator could get to the system to fix it. Read-only root is beneficial on a system running on flash media because this avoids having recurring writes wear out some sectors on the media. This is a practical way to run a large group of diskless systems. A single read-only root filesystem can be made available on a network from an NFS server. Many diskless clients can use this readonly-root simultaneously. Of course, this is a way to implement a live CD. In addition to easy maintenance, readonly-root adds a layer of security. The security is broken if someone gains access to the root user, but then many security protections are lost if someone gains root. Even a Database server can benefit from being run on read-only root. The data disk would certainly be mounted read-write, but there is no reason why the operating system and database application software need to be on disks mounted read-write. When an administrator wants to perform an update, upgrade, software, installation. or other system change, the administrator sets the readonly filesystems to read-write using a simple mount command. After the administrator finishes making the changes, a simple mount command (or reboot) sets the readonly filesystems back to read-only. Of course, on systems where the root and system filesystems have no physical write capability, such as on a live CD, they cannot be set to read-write. - Fred --------- Fred Noz Fred at Noz.net
Reasonably Related Threads
- VPAT for centos 7 - section 508 compliance statement
- VPAT for centos 7 - section 508 compliancestatement
- DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC
- I am confused. Chmod / chown issues?
- DoD approval of Centos Was RE: Firefox fails to authenticate .mil sites with New DoDCAC