Deep Freeze like soft for Arch

coolguy21 · 2016-07-05 16:23:39

Hey guys,

I need to be able to lock down some of my partitions. Debian has something called bilibob. Is there an equivalent for Arch?
https://packages.debian.org/sid/admin/bilibop-lockfs

Thanks.

GSF1200S · 2016-07-06 15:34:47

coolguy21 wrote:

Hey guys,
I need to be able to lock down some of my partitions. Debian has something called bilibob. Is there an equivalent for Arch?
https://packages.debian.org/sid/admin/bilibop-lockfs
Thanks.

I cannot give you a software recommendation that does exactly what you want, but have you considered BTRFS? Using snapshots any malicious malware or attack could be reversed by restoring a snapshot.

This does not take into account malware that would be designed with BTRFS in mind (where it deletes all your snapshots). That would be a very sophisticated piece of malware with root level access that could auto mount subvolid=0 etc etc, and we certainly havent seen anything like that yet.

Just tossing it out there..

alphaniner · 2016-07-06 17:36:36

Can you be more specific about what you're trying to do? It doesn't look to me like security is the primary purpose of bilibop*. Would simply mounting partitions ro and using overlayfs be enough?

* Which I originally read as 'bilibob' and wondered what hillbillies have to do with filesystem locking :S

TheChickenMan · 2016-07-06 18:34:50

What about just writing a script that executes at login and deletes everything from ~/ then copies back a set of backup dotfiles?

cmdrsweeper · 2016-07-08 21:13:10

You can also achieve the same thing if you decide to run ZFS.
ZFS have the same snapshot capabillity as ZFS, it may also be a little bit easier to use than BTRFS command wise.

Awebb · 2016-07-09 00:05:29

TheChickenMan wrote:

What about just writing a script that executes at login and deletes everything from ~/ then copies back a set of backup dotfiles?

Or maybe OP should read this link OP posted. What OP is looking for is in there.

EDIT: Okay, maybe not directly in an obvious way. I'm thinking about overlayfs+tmpfs.

Last edited by Awebb (2016-07-09 00:08:10)

coolguy21 · 2016-07-10 13:12:13

the aim is to try and setup computers for an internet cafe which should wipe all customers personal messages/files/etc from the disks after rebooting and revert back as a clean partition. Will this work with ZFS?

GSF1200S · 2016-07-10 17:33:31

coolguy21 wrote:

the aim is to try and setup computers for an internet cafe which should wipe all customers personal messages/files/etc from the disks after rebooting and revert back as a clean partition. Will this work with ZFS?

Im sure something could be setup with ZFS or btrfs to do this. In fact, this would be extremely easy as you wouldnt have to snapshot the whole OS- just the home directory. You could update the OS as normal (which would affect the root subvolume but not home subvolume).

Before shutdown, have a systemd unit run a bash script which deletes the home subvolume, then takes a snapshot of your "cleanhome" subvolume as the new home subvolume.

Occasionally you might need to take a new "cleanhome" snapshot (so that updates to browser addons or .config changes remain), but that could be done on your own time.

Further, ZFS or btrfs would allow snapshots of root as well which would be great for temporarily getting out of update breakage, etc.

Please note ZFS requires a little more knowledge with linux (since it isnt natively included in the kernel and requires work to get working), and as well requires significantly more ram. That said, its been around longer than btrfs and is a stable and mature project. Choice is yours...

**EDIT** I notice you say "wipe" all data from the disks- do you mean like protect against forensics being able to recover their data from the disks, or just that you dont want a mass of their files and such building up and home (basically "deleting" them)? There is a difference between wipe and delete, so specify that to us if necessary. Wiping for forensics purposes would require a more complicated approach- non-journaled filesystem like ext2, using wipe or shred to delete data, etc..

Also, its important to note that there are other ways to do this even with other filesystems (like ext4, xfs, etc); you could have a script run at shutdown that runs rm -r /home/user, and then runs rsync to copy over a clean /home/user from another drive or partition. This gives you the benefit of a stable filesystem option thats easy to use, but requires a more complicated disk setup or external drive. Actually, there are at least 5 ways I can think of that you could do this, and im sure the guys here will have even better ways (im not a sysadmin- just a btrfs/desktop user). Personally, I think ZFS/BTRFS is a more simple, eloquent and painless solution for your needs.

Last edited by GSF1200S (2016-07-10 17:42:14)

coolguy21 · 2016-07-14 12:54:56

actually i want it to be able to do a little more than just del & restore the ~home dir. I want to ensure that in the event of potentially malicious changes made to any critical system files and/or partitions (despite not having access to them) I can revert it back to the clean state it was setup as.

and yes i prefer to wipe/shred all data changes.

coolguy21 · 2016-07-14 13:31:29

alphaniner wrote:

Can you be more specific about what you're trying to do? It doesn't look to me like security is the primary purpose of bilibop*. Would simply mounting partitions ro and using overlayfs be enough?
* Which I originally read as 'bilibob' and wondered what hillbillies have to do with filesystem locking :S

Alphaniner, can you pls help explain in simple steps how i would go about setting this up (if it will work as stated above).

alphaniner · 2016-07-14 14:52:38

Now that I have a better understanding of what you want to do, I think liveroot would be ideal. Despite my intentions I've never used it, but if I understand correctly it automates the process of setting up overlayfs+tmpfs at boot time so all writes are to RAM. Similar to the install ISO environment but it's backed by normal filesystems so it can be easily modified when needed. Check out the thread and the readme on the git page.

coolguy21 · 2016-07-16 10:06:29

alphaniner wrote:

Now that I have a better understanding of what you want to do, I think liveroot would be ideal..

This is perfect. Got it working. However I have one problem - this code doesn't seem to remove persistence from my other partitions like /home for ex. I need to be able to apply this oroot to my separate /home partition any ideas? @bluerider seems inactive for a while...

Awebb · 2016-07-16 10:50:30

Look into overlayfs and especially mounting a tmpfs over a normal folder. It will always have static content available, but all changes will (if done correctly) go to the tmpfs.

https://wiki.archlinux.org/index.php/Overlay_filesystem
https://wiki.archlinux.org/index.php/Tmpfs

EDIT: By the way: I got this idea from the link you posted in your OP.

Last edited by Awebb (2016-07-16 10:50:57)

coolguy21 · 2016-07-17 08:38:18

Ok I tried to setup my /home dir to tmpfs by adding the following in /etc/fstab

/tmpfs /home/user-folder tmpfs nosuid,node,noexec,mode=0755,size=3G 0,0

when I boot into it I see that the folder /home/user-folder is mounted to tmp but it's always empty. If i comment out /home part in fstab it doesn't boot into the folder. I read somewhere that i may have to create a rsync init script on boot to copy the contents of /home/user-folder to /tmp each time. I dont mind this but I kinda hoped it would all work and tie in together with the way oroot works for the sake of ease and teaching others how to use and/or modify it.

I've also tried overlay with no success, which i found a little confusing..

(/etc/fstab)
overlay /merged overlay noauto,x-systemd.automount,lowerdir=/home/user-folder,upperdir=/upper,workdir=/merged 0 0

I created folder merged upper and lower as above but it will not mount after reboot. if i # out /home part entry it does not load into the user home dir saying it does not exist. If i uncomment it, it boots in but overlay does nothing...

can someone help me set this up easy & right please?

Awebb · 2016-07-17 08:54:23

The merged folder needs to be the one you end up loading your user home from. So, the overlay needs to point at /home/$USER, $USER being whatever the username is. So, you need to:

1. Mount the /home partition as /home.
2. Have a "lower" folder for the user, maybe use /home/$USER-lower.
3. Populate /home/$USER-lower with everything required to load that user. .profile, .bashrc, whatever you need to get the user going.
4. Have an "upper" folder mounted as tmpfs, maybe create and mount /home/$USER-upper as tmpfs. This is where all user changes will go while the user is active.
5. Mount the overlay with $USER-lower as lower and $USER-upper as upper (who would have guessed? :-D) to the actual user home, /home/$USER.
6. Make sure those folders all actually exist in /home, no matter if they are being mounted virtually or not. Mount points are always "some source" going to an existing folder.

coolguy21 · 2016-07-17 12:46:56

Awebb,

Pls see my /etc/fstab and advise where i've gone wrong: (work is my $user ex)

overlay /home/work overlay noauto,x-systemd.automount,lowerdir=/home/work-lower,upperdir=/home/work-upper,workdir=/home/work-upper 0 0

/tmpfs /home/work-upper tmpfs rw,nodev,nosuid,noexec,mode=0755,size=4G 0 2

I have copied the entire contents of /home/work to /home/work-lower to include all profiles etc.

upon boot gdm gui appears but when i try to log in it has a long hard think and then reverts back to the gnome login screen. I can login to work via another tty which takes me directly to /home/work

df -h doesn't show overlay is it supposed to?

/tmpfs is shown mounted to /home/work-upper

Last edited by coolguy21 (2016-07-17 12:49:49)

Awebb · 2016-07-17 12:52:28

Try mounting the tmpfs before you mount the overlay.

I also suggest you make some dry runs with simple folders no login process depends upon, so you can understand the process more easily.

EDIT: I'm not entirely sure whether upper can be the same as the workdir.
EDIT: You should really practice the scenario with the mount command before you put it in the fstab. workdir != upperdir

Last edited by Awebb (2016-07-17 13:03:21)

coolguy21 · 2016-07-17 15:29:36

mount -t overlay overlay -o lowerdir=/home/work-lower,upperdir=/home/work-upper,workdir=/home/work-upper /home/work

overlayfs: workdir and upperdir must be seperate subtrees

what does this mean?

EDIT: I've tried mounting workdir seperately ie . /home/work/dirx

Last edited by coolguy21 (2016-07-17 16:10:29)

Awebb · 2016-07-17 17:04:09

I already told you, that the work dir may not be the same as the upper dir. It also mustn't be the lower dir. You need three directories, lower, upper and work (the name is up to you). The workdir may not be inside one of the other dirs and all three dirs may not be inside whatever folder you want the overlay to be mounted to, so you need a fourth dir, lower, upper, work, and mount_target.

/home/username-lower
/home/username-upper
/home/username-work
/home/username

If you can't handle tmpfs right now, write a script that deletes the content of upper before every login or after every logout, or during boot or shutdown.

Hydranix · 2016-07-17 17:24:29

OP for the problem you presented, the internet café thing, I believe the solution of locking down each workstation is the wrong way to proceed.

Why?
- You will require extra hardware that will cost more.
- - Hard drives fail often and will be costly to replace.
- You will have to effectively maintain each individual machine, and that will be costly and time consuming.
- - You will have unique problems for each machine
- You will have to control and monitor each machine individually which will be difficult.

2 alternative solutions which are better.
The idea behind both is "No Disks = No Need To Wipe"

1) If your users require powerful hardware (gaming or image/video manipulation)
Set up a central server, which will PXE boot all the client machines to a single Linux image.
Have the client machines force a reboot when a users ends session.

2) If users will only use simple web browser/email applications
Set up a central virtualization server (this just means fast disks, powerful XEON cpu, and lots of RAM server)
Set up barebones thin client machines for clients. (processor, ram, ethernet only. can even be ARM architecture, doesn't matter)
Serve virtual OS to clients. ("Bonus" is you can use any OS on the fly. Windows license for this will cost you about the same as 4 servers though.)
KVM + spice works very well for this.

Last edited by Hydranix (2016-07-17 17:30:18)

Hydranix · 2016-07-17 17:28:20

If you really want to use a "deep freeze" type situation, use the same method as archiso (or build an archiso with mkarchiso scripts, its easy as pie)

You can easily set up a full desktop OS in an archiso.

coolguy21 · 2016-07-20 08:39:22

Have it working ok now with the script. Thanks all.

thanks hydranix i will look into those suggestions.

taorg · 2016-07-21 21:01:01

Hello coolguy

I'm also looking similar solution for an embedded device,
would it be possible to share the script you've developed?

Thank you very much in advance.

coolguy21 · 2016-07-23 11:08:51

taorg wrote:

Hello coolguy
I'm also looking similar solution for an embedded device,
would it be possible to share the script you've developed?
Thank you very much in advance.

Hi Taorg,

I used https://aur.archlinux.org/packages/liveroot/ (liveroot) and added a basic bash script to wipe the "upper" filesystem (folder) for my /home partition upon boot with systemd.

see https://wiki.archlinux.org/index.php/Sy … process.3F .

Last edited by coolguy21 (2016-07-23 11:10:12)

taorg · 2016-07-23 16:50:37

Hello coolguy,

Thanks for your answer, very kind of you

Yes, Liverooot is fine overlayFS solution, almost perfect.

The only lack of functionality a miss from liveroot, is a way deactivate overlayFS after reboot.
I'm working on a script to allow it.
I would like to upgrade the kernel of some embedded devices but, there is no easy way to do it.
You can't access de lowerFS and grub fails when you try to upgrade its configuration grub-mkconfig -o /boot/grub/grub.cfg

Anyway I'm glad to know you also have chosen liveroot.

If I find a suitable solution I'll uploaded to github and post a comment here.

See you

Arch Linux

#1 2016-07-05 16:23:39

Deep Freeze like soft for Arch

#2 2016-07-06 15:34:47

Re: Deep Freeze like soft for Arch

#3 2016-07-06 17:36:36

Re: Deep Freeze like soft for Arch

#4 2016-07-06 18:34:50

Re: Deep Freeze like soft for Arch

#5 2016-07-08 21:13:10

Re: Deep Freeze like soft for Arch

#6 2016-07-09 00:05:29

Re: Deep Freeze like soft for Arch

#7 2016-07-10 13:12:13

Re: Deep Freeze like soft for Arch

#8 2016-07-10 17:33:31

Re: Deep Freeze like soft for Arch

#9 2016-07-14 12:54:56

Re: Deep Freeze like soft for Arch

#10 2016-07-14 13:31:29

Re: Deep Freeze like soft for Arch

#11 2016-07-14 14:52:38

Re: Deep Freeze like soft for Arch

#12 2016-07-16 10:06:29

Re: Deep Freeze like soft for Arch

#13 2016-07-16 10:50:30

Re: Deep Freeze like soft for Arch

#14 2016-07-17 08:38:18

Re: Deep Freeze like soft for Arch

#15 2016-07-17 08:54:23

Re: Deep Freeze like soft for Arch

#16 2016-07-17 12:46:56

Re: Deep Freeze like soft for Arch

#17 2016-07-17 12:52:28

Re: Deep Freeze like soft for Arch

#18 2016-07-17 15:29:36

Re: Deep Freeze like soft for Arch

#19 2016-07-17 17:04:09

Re: Deep Freeze like soft for Arch

#20 2016-07-17 17:24:29

Re: Deep Freeze like soft for Arch

#21 2016-07-17 17:28:20

Re: Deep Freeze like soft for Arch

#22 2016-07-20 08:39:22

Re: Deep Freeze like soft for Arch

#23 2016-07-21 21:01:01

Re: Deep Freeze like soft for Arch

#24 2016-07-23 11:08:51

Re: Deep Freeze like soft for Arch

#25 2016-07-23 16:50:37

Re: Deep Freeze like soft for Arch

Board footer