How do people remount /usr read-only after apt-get?
On a couple of Woody systems I put together recently I followed advice
I'd seen that recommended mounting /usr as read-only. I haven't seen a
security patch yet that has left me able to remount /usr read-only,
which is quite annoying. I've configured a Dpkg Post-Invoke step to
remount /usr ro. It never works. Today I found that using lsof to
identify the processes, I could restart them and release their hold on
the /usr partition.
1) How do people normally deal with this situation? Is it a manual
process or can it be automated?
2) This makes me wonder why we don't restart affected processes after
applying security patches. For instance, today's OpenSSL patch seemed
to affect ssh and bind. Well, I had to restart them as part of remounting
/usr ro. Presumably those processes were still using a vulnerable
version of the library. Ssh was doubly annoying as I had to log out and
log back in ;)
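One way to automate the lsof step the post describes, as an added example that is not part of the original message: a POSIX shell script that reads each process's /proc/PID/maps and reports file-backed mappings under /usr whose file has since been replaced (the kernel marks these "(deleted)"). Those are exactly the processes still running the old library and keeping the partition busy, so they are the ones to restart before `mount -o remount,ro /usr`. It assumes a Linux /proc with "(deleted)" markers and /proc/PID/comm; the sample maps text in the test is constructed.

```shell
#!/bin/sh
# Added example (not the poster's code): find processes that still map a
# replaced library under a prefix, i.e. candidates to restart after an
# upgrade and before remounting /usr read-only.

# Read one process's /proc/PID/maps text on stdin; print each distinct
# deleted file-backed mapping whose path starts with $1, sorted.
stale_mappings() {
    prefix="$1"
    awk -v p="$prefix" '
        # maps line: addr perms offset dev inode [path [(deleted)]]
        $NF == "(deleted)" && index($6, p) == 1 { seen[$6] = 1 }
        END { for (f in seen) print f }
    ' | sort
}

# Walk every process; print "PID COMM PATH" for each stale mapping.
# Run as root to see other users' processes.
report_stale() {
    prefix="${1:-/usr}"
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        comm=$(cat "/proc/$pid/comm" 2>/dev/null) || continue
        stale_mappings "$prefix" < "$m" 2>/dev/null | while read -r f; do
            printf '%s %s %s\n' "$pid" "$comm" "$f"
        done
    done
}

# Stand-alone use: ./stale.sh --run /usr
case "${1:-}" in
    --run) report_stale "${2:-/usr}" ;;
esac
```

After restarting the listed daemons (and logging back in, for sshd) the remount should succeed; running it with an empty result is the check that nothing on /usr is still mapped stale.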