[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bits from the Release Team - Kicking off Wheezy

Michael Tautschnig <mt@debian.org> writes:

> [...]
>> â?¢ Read-only root
>>   Depends on /run.  Having /run will allow remaining writable files
>>   under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>>   Identifying and fixing/removing packages writing to /etc during
>>   their normal operation would be a worthy release goal.
>>   This will make Debian more secure to run, easier to deploy in a
>>   cluster or netboot environment (no writable image overlay required),
>>   keeping dpkg-managed filesystems completely read-only during normal
>>   operation (other than /var).
> [...]
> Here's an obviously incomplete list of such files, from a fairly comprehensive
> desktop installation. I've taken these from my integrit configuration for a
> lenny (!) system - I'd love not to be in need for such a list of exceptions.

I'm running a small server with squeeze (some beta but it won't have
become worse) with read-only / instaled that way from DI. Only needed
minimal fixes to work properly. Namely:

> /etc/mtab

link to /proc/mounts (manually)

I think this is going to be the default in the future but for some
reason wasn't added before squeeze froze.

> /etc/motd
> /etc/adjtime
> /etc/resolv.conf

No problems with those three. Network is configured static so dhcp-client
doesn't rewrite resolv.conf. The resolvconf package fixes the
resolv.conf write problem with dhcp-client and read-only /, right?

> /etc/network/run/ifstate

linked to /dev/shm (automatic if /dev/shm exists during install, so
purge + reinstall of ifupdwon fixes this)

Patch to use /lib/init/rw unconditionally on new installs is pending (as
seen on irc today).

> /etc/lvm/cache/.cache

Configurable in /etc/lvm/lvm.conf. If /run is adapted in debian then
changing the default location shouldn't be a problem.

> /etc/blkid.tab
> /etc/blkid.tab.old

hmm, don't have a problem with that. Shouldn't using lvm trigger that?

While read-only / does not (yet) quite work out of the box it is already
easily configurable that way. At least for a simple server.

I think it would be a worthy release goal to have it work out of the box
and even have a read-only / as a default template in Debian-Installer.

Other than the above one additional config is verry usefull:

$ cat /etc/apt/apt.conf.d/00read-only 
DPkg {
    // Auto re-mounting of a readonly /usr
    Pre-Invoke { "mount -o remount,rw /"; };
    Pre-Invoke { "mount -o remount,rw /usr"; };
    Post-Invoke { "mount -o remount,ro /usr || true"; };
    Post-Invoke { "mount -o remount,ro / || true"; };

> /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Don't have that. Fix denyhosts to link that to /var/ (or /run when we
have it).

> Hope this helps,
> Michael


Reply to: