Michael Tautschnig <m...@debian.org> writes:

> [...]
>> • Read-only root
>>
>> Depends on /run. Having /run will allow remaining writable files
>> under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>> Identifying and fixing/removing packages writing to /etc during
>> their normal operation would be a worthy release goal.
>>
>> This will make Debian more secure to run, easier to deploy in a
>> cluster or netboot environment (no writable image overlay required),
>> keeping dpkg-managed filesystems completely read-only during normal
>> operation (other than /var).
>>
> [...]
>
> Here's an obviously incomplete list of such files, from a fairly comprehensive
> desktop installation. I've taken these from my integrit configuration for a
> lenny (!) system - I'd love not to be in need for such a list of exceptions.

I'm running a small server with squeeze (some beta but it won't have become
worse) with read-only / installed that way from DI. Only needed minimal fixes
to work properly. Namely:

> /etc/mtab

link to /proc/mounts (manually)

I think this is going to be the default in the future but for some reason
wasn't added before squeeze froze.

> /etc/motd
> /etc/adjtime
> /etc/resolv.conf

No problems with those three. Network is configured static so dhcp-client
doesn't rewrite resolv.conf. The resolvconf package fixes the resolv.conf
write problem with dhcp-client and read-only /, right?

> /etc/network/run/ifstate

linked to /dev/shm (automatic if /dev/shm exists during install, so purge +
reinstall of ifupdown fixes this)

Patch to use /lib/init/rw unconditionally on new installs is pending (as seen
on irc today).

> /etc/lvm/cache/.cache

Configurable in /etc/lvm/lvm.conf. If /run is adapted in debian then changing
the default location shouldn't be a problem.

> /etc/blkid.tab
> /etc/blkid.tab.old

hmm, don't have a problem with that. Shouldn't using lvm trigger that?

While read-only / does not (yet) quite work out of the box it is already
easily configurable that way. At least for a simple server. I think it would
be a worthy release goal to have it work out of the box and even have a
read-only / as a default template in Debian-Installer.

Other than the above one additional config is very useful:

$ cat /etc/apt/apt.conf.d/00read-only
DPkg {
  // Auto re-mounting of a readonly /usr
  Pre-Invoke { "mount -o remount,rw /"; };
  Pre-Invoke { "mount -o remount,rw /usr"; };
  Post-Invoke { "mount -o remount,ro /usr || true"; };
  Post-Invoke { "mount -o remount,ro / || true"; };
};

> /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Don't have that. Fix denyhosts to link that to /var/ (or /run when we have it).

> Hope this helps,
> Michael

MfG
        Goswin
Archive: http://lists.debian.org/87d3l8s1w7.fsf@frosties.localnet
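An added example, not part of Goswin's mail or of any Debian package: a POSIX sh audit that checks the mutable /etc files named in this thread against a root tree before it is mounted read-only, reporting which are already symlinks into a runtime location (/proc, /run, /dev/shm, /lib/init/rw, /var, the targets mentioned above) and which would still need a writable /. The file list and runtime directories are taken from the thread; the function names, the `$root` argument and the "changed since reference file" helper are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a root tree for files that still need a writable /.
# Assumes POSIX sh with find(1) and readlink(1); the file and directory lists
# below are those discussed in the thread, not an authoritative Debian list.

# Classify one path: "volatile" = symlink whose absolute target lies under one
# of the runtime directories given as remaining args; "writable" = regular file
# that would need a writable root; "symlink-elsewhere" = symlink to a place
# that is not volatile; "missing" = absent (nothing to relocate).
classify_path() {
  path=$1; shift
  if [ -L "$path" ]; then
    target=$(readlink "$path")
    for vol in "$@"; do
      case "$target" in
        "$vol"/*|"$vol") echo volatile; return 0 ;;
      esac
    done
    echo symlink-elsewhere; return 1
  elif [ -f "$path" ]; then
    echo writable; return 1
  else
    echo missing; return 0
  fi
}

# Report every known mutable file under $1; exit 1 if any still needs a
# writable /. Runtime locations are the ones named in the thread.
audit_root() {
  root=$1; rc=0
  for f in etc/mtab etc/motd etc/adjtime etc/resolv.conf \
           etc/network/run/ifstate etc/lvm/cache/.cache \
           etc/blkid.tab etc/blkid.tab.old etc/hosts.deny; do
    kind=$(classify_path "$root/$f" /proc /run /dev/shm /lib/init/rw /var) || rc=1
    printf '%-28s %s\n' "$f" "$kind"
  done
  return $rc
}

# Regular files under $1 modified after reference file $2 (e.g. a file touched
# right after the last dpkg run): finds writers the fixed list above misses.
changed_since() {
  find "$1" -type f -newer "$2" | sort
}
```

Run `audit_root /` on a live system; a non-zero exit means at least one listed file is still a regular file on the root filesystem.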