
Re: Bits from the Release Team - Kicking off Wheezy



Michael Tautschnig <mt@debian.org> writes:

> [...]
>> • Read-only root
>> 
>>   Depends on /run.  Having /run will allow remaining writable files
>>   under /etc to be moved (/etc/mtab, LVM2 cache, CUPS for starters).
>>   Identifying and fixing/removing packages writing to /etc during
>>   their normal operation would be a worthy release goal.
>> 
>>   This will make Debian more secure to run, easier to deploy in a
>>   cluster or netboot environment (no writable image overlay required),
>>   keeping dpkg-managed filesystems completely read-only during normal
>>   operation (other than /var).
>> 
> [...]
>
> Here's an obviously incomplete list of such files, from a fairly comprehensive
> desktop installation. I've taken these from my integrit configuration for a
> lenny (!) system - I'd love not to be in need of such a list of exceptions.

I'm running a small server with squeeze (some beta, but it won't have
become worse) with read-only / installed that way from DI. Only needed
minimal fixes to work properly. Namely:

> /etc/mtab

link to /proc/mounts (manually)

I think this is going to be the default in the future but for some
reason wasn't added before squeeze froze.

> /etc/motd
> /etc/adjtime
> /etc/resolv.conf

No problems with those three. Network is configured static so dhcp-client
doesn't rewrite resolv.conf. The resolvconf package fixes the
resolv.conf write problem with dhcp-client and read-only /, right?

> /etc/network/run/ifstate

linked to /dev/shm (automatic if /dev/shm exists during install, so
purge + reinstall of ifupdown fixes this)

Patch to use /lib/init/rw unconditionally on new installs is pending (as
seen on irc today).

> /etc/lvm/cache/.cache

Configurable in /etc/lvm/lvm.conf. If /run is adopted in Debian then
changing the default location shouldn't be a problem.

> /etc/blkid.tab
> /etc/blkid.tab.old

hmm, don't have a problem with that. Shouldn't using lvm trigger that?


While read-only / does not (yet) quite work out of the box it is already
easily configurable that way. At least for a simple server.

I think it would be a worthy release goal to have it work out of the box
and even have a read-only / as a default template in Debian-Installer.

Other than the above, one additional config is very useful:

$ cat /etc/apt/apt.conf.d/00read-only
DPkg {
    // Auto re-mounting of a readonly /usr
    Pre-Invoke { "mount -o remount,rw /"; };
    Pre-Invoke { "mount -o remount,rw /usr"; };
    Post-Invoke { "mount -o remount,ro /usr || true"; };
    Post-Invoke { "mount -o remount,ro / || true"; };
};


> /etc/hosts.deny (written by denyhosts, hence that one is a bit hard to fix)

Don't have that. Fix denyhosts to link that to /var/ (or /run when we
have it).

> Hope this helps,
> Michael

MfG
        Goswin
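As an added example that is not part of this thread, a small POSIX shell audit of the /etc paths listed above: it reports which are still regular files (and so would need a writable /etc) and which are symlinks into a writable runtime location. The accepted target list is an assumption, and the sample tree it runs on is constructed rather than a real system.

```shell
#!/bin/sh
# Added example, not from the thread: classify the /etc paths named in the
# discussion by whether they would still need a writable /etc.
# Acceptable symlink targets (assumption: the locations the thread mentions,
# plus /proc so that /etc/mtab -> /proc/mounts counts as safe).
RW_TARGETS="/run /dev/shm /lib/init/rw /proc /var"

# classify ROOT RELPATH -> prints: missing | symlink:<target> | regular
classify() {
    p="$1/$2"
    if [ -L "$p" ]; then
        printf 'symlink:%s\n' "$(readlink "$p")"
    elif [ -e "$p" ]; then
        printf 'regular\n'
    else
        printf 'missing\n'
    fi
}

# ro_safe ROOT RELPATH -> exit 0 if the path does not need a writable /etc
ro_safe() {
    case "$(classify "$1" "$2")" in
        missing) return 0 ;;
        regular) return 1 ;;
    esac
    target="$(readlink "$1/$2")"
    for dir in $RW_TARGETS; do
        case "$target" in "$dir"|"$dir"/*) return 0 ;; esac
    done
    return 1
}

# audit ROOT -> one report line per path; exit status = number of offenders
audit() {
    bad=0
    for f in mtab motd adjtime resolv.conf network/run/ifstate \
             lvm/cache/.cache blkid.tab blkid.tab.old hosts.deny; do
        printf '%-24s %s\n' "/etc/$f" "$(classify "$1" "$f")"
        ro_safe "$1" "$f" || bad=$((bad + 1))
    done
    return "$bad"
}
# Constructed sample tree standing in for a real /etc (not a real system).
demo="$(mktemp -d)"
mkdir -p "$demo/network/run" "$demo/lvm/cache"
ln -s /proc/mounts "$demo/mtab"
ln -s /dev/shm/ifstate "$demo/network/run/ifstate"
: > "$demo/lvm/cache/.cache"
audit "$demo" || echo "$? path(s) still need a writable /etc"
```

Run it with a real root (`audit /etc` after replacing the constructed tree) to see which of the files from this list are still plain files on your system.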

