Install arch on a read-only filesystem

pabloski · 2011-02-16 16:17:03

Hi to all, I have an idea about installing arch in a particular way, a way that makes the system more secure.

I want to install a host archlinux system on a hard disk or ssd but I want no data can be written to the storage. The host system will have a predefined set of programs and should use a ramdisk to store temporary data. It is something very similar to a ISO.

The real computation will be handled through a series of virtualbox instances of linux ( the virtualbox images will be stored on an external hard disk, a read/write volume ).

How could I achieve this? Through unionfs? AUFS? or some other thing?

Last edited by pabloski (2011-02-16 16:18:11)

ANOKNUSA · 2011-02-16 16:28:51

I can't really tell you how to do this, but I can tell you that the benefits are likely going to be minimal at best, the setup's gonna be tedious to the point of frustration, and the system's gonna run much slower than your average PC (a vm running through a vm running through a vm reading from one hard disk and writing to another? Really?). If I were you, I'd start digging real deep through Google trying to find someone who's done this before, just to make sure it's worth the effort.

pabloski · 2011-02-16 21:03:09

I must clarify my idea.

I want to install a host OS that is immutable, so no malware/shit can get in. I have found squashfs that is able to create an image file that is read-only. The only problem is that a lot of linux services need to write somewhere, so I thought to use unionfs to create an area where the processes that need to write data can go.

But I have read some tutorials and they talk about using unionfs to create a directory where you can write files. I want that directory to be mapped in memory, so we the machine shuts down all the changes are lost. It is just how normal ISO images work.

Then I want to install virtualbox + linux guest on top of the host os. The machine is a core i5 750 with 8 gb ram, so I'm confident it is fast enough ( I'm running windows virtualized and it works very well ).

Dieter@be · 2011-02-16 21:05:10

why not use apparmor to restrict all your applications?

lilsirecho · 2011-02-16 21:52:17

Arch is available on read-only with CTKArchLive which is persistent and can be run cp2ram. Originally in french but has boot english option.

some-guy94 · 2011-02-17 02:14:37

Write your own initcpio hooks that uses aufs2 and mounts '/' ro and some-where-mounted-tmpfs rw at /

pabloski · 2011-02-17 10:08:50

It seems the preferred way should be to use aufs/unionfs. What is the difference between the two? Aufs is a fork of unionfs, but unionfs is not a dead project. I must read their feature list to choose one

From what I have read the best way is to use a squashfs image and then combine it with a live filesystem in ram using aufs/unionfs.

I must figure out how to say unionfs/aufs to put the rw filesystem in ram, but it should be simple ( I hope ).

Also I have an important question. What is the footprint of squashfs/aufs? How much cpu load I should expect and how much ram it will consume in respect to a conventional filesystem? I see that livecds work on machines withe 1 gb or less, so the footprint is very low right? ok it will be slower but I think we are talking of about 10-15% right?

Last edited by pabloski (2011-02-17 10:11:29)

pabloski · 2011-02-17 14:57:07

Wow I have searched around and there are people out there using squashfs to increase performance!!!

So it seems performance isn't a problem. However I have not understood what unionfs/aufs really do. I have a squashfs image. I mount it as a loopback device and I have my filesystem with /bin, /boot, /usr and so on. This filesystem is read-only. Then I create a mount-point in the filesystem and use unionfs to mount a read-write volume onto this mount-point.

But I don't understand how unionfs transforms a single mount-point in a replica will all the directories of the main filesystem.

wideeye · 2011-02-17 22:12:54

aufs and unionfs make a layer between a target dir and 2 other dirs, your squashfs is mounted to one as ro, something like tmps or a normal filesystem is mounted as rw. it will read from the ro directory until a file is modified, then it copies that file to the other directory and will keep track that it is modified. reading unmodified files is fast, modfied files take more time.

the old school method is to mount the just the directories you need to be rw, such as /tmp some in /var/ /root and so on. there are many old howtos for this as it was common to do a decade ago. So you can find a list of the needed directories.

carbonjiao · 2011-03-01 02:04:54

There is a way to meet your request, see details in https://bbs.archlinux.org/viewtopic.php?id=114331
Be put in dustbin, haha

Any way, you need to change hook scripts, and the loop create method.

I also will take some time to develop this, and will put this solution in my live system...

Last edited by carbonjiao (2011-03-01 02:06:51)

carbonjiao · 2011-03-02 04:11:06

As for the link was removed... You can see below for details. need make some changes:

*** duplicate content removed ***

Last edited by jasonwryan (2011-03-02 04:19:34)

jasonwryan · 2011-03-02 04:18:27

carbonjiao - you have been told about this three times now: if you post it again, you will be banned.

kaos · 2012-02-21 19:29:40

I want to mount my sda2 read-only and union it with a tmpfs, so the machine is secure and the file system is the same every boot.
I installed aufs3 with 3.2.6-1-aufs_friendly, I made a hook (as some-guy94 adviced), but it doesn't work.
The code is:

1. mkdir -p /root/ro /root/rw
2. mount /dev/sda2 /root/ro
3. mount -t tmpfs root.rw /root/rw
4. mount -t aufs -o "dirs=/root/rw=rw:/root/ro=ro" root.union /

At 2. it says: "mount: mounting /dev/sda2 on /root/ro failed: No such file or directory" Both files exist - I can list them just before the mount.
3. & 4. work, but it doesn't matter as sda2 gets mounted rw on / right after (by initramfs's init, I gues).

Can you help me with this, or point some useful howtos?

Btw: is there a better way of debugging a hook, other than making the image and rebooting each change?

Update: This is how they did it in larch: http://git.berlios.de/cgi-bin/gitweb.cg … cpio/hooks
mount -t ext3 /dev/sda2 /root/ro works now.
I used exec /sbin/switch_root as in larch3 hook and for loop from /lib/initcpio/init:109 to move /proc /dev /sys /run to the new root
So the union mount works just fine now, my sda2/sbin/init & sda2/etc/rc.sysinit run, but the latter fails with following:
* Mounting Root Read-Only - this is actually quite acceptable
* Starting UDev Daemon
* Loading Modules
* Remounting Root Read/Write - acceptable as well

After boot X opens and system freezes immediately (no reaction to keyboard, doesn't ping). No useful information in logs. I don't think system can run well without udev/modules. So this is udev not liking / mounted rw (as tmpfs is rw) or maybe /dev /proc /sys /run fault.

I tried to make union mount only in rc.sysinit when /dev/sda2 is already mounted on /, but mount --move / other-dir fails.

Any ideas what can be wrong?

My code:

run_hook ()
{
	read -p "Union mount root (y/N)? " answer
	if [[ "$answer" == "y" ]]; then
		modprobe aufs

		ro="/root/ro"
		rw="/root/rw"
		un="/root/un"
		rob="${un}/ro"
		rwb="${un}/rw"

		mkdir -p $ro $rw $un
		
		mount -t ext3 /dev/sda2 $ro
		mount -t tmpfs -o "size=20%" root.rw $rw
		mount -t aufs -o "dirs=${rw}=rw:${ro}=ro" root.union $un
	
		mkdir -p $rob $rwb

		mount --bind $ro $rob
		mount --bind $rw $rwb

		mkdir ${un}/media
		mkdir ${un}/sys
		mkdir ${un}/proc
		mkdir ${un}/dev

		/bin/mknod ${un}/dev/console c 5 1

		echo "rootfs / rootfs rw 0 0" >${un}/etc/mtab
	
		[ -z "${init}" ] && init="/sbin/init"
		if [ -e "${un}/${init}" ]; then
			mount 
			read
			
			for d in proc sys dev run; do
				if [ -d ${un}/${d} ]; then
			        	mount --move /${d} ${un}/${d}
				else
					umount /${d}
				fi  
			done
			exec /sbin/switch_root -c /dev/console ${un} ${init} ${CMDLINE}
		fi
	fi
}

Last edited by kaos (2012-02-22 17:14:18)

kaos · 2012-02-23 13:35:07

SOLVED. The answer was in /lib/initcpio/hooks/net.

Script:

# vim: set ft=sh:

run_hook () {
        # rootmnt - boot option
        if [ "${rootmnt}" = 'aufs' ]; then
                mount_handler="aufs_mount_handler"
        fi
}

aufs_mount_handler() {
        msg ":: Mounting aufs on / with tmpfs=rw, ${root}=ro ..."
        modprobe aufs

        ro="/root/ro"
        rw="/root/rw"
        un="$1"
        rob="${un}/ro"
        rwb="${un}/rw"

        fstype=$(blkid -u filesystem -o value -s TYPE -p "${root}")

        mkdir -p $ro $rw $un
        mount -t "${fstype}" "${root}" $ro
        mount -t tmpfs -o "size=20%" root.rw $rw
        mount -t aufs -o "dirs=${rw}=rw:${ro}=ro" root.union $un

        mkdir -p $rob $rwb
        mount --bind $ro $rob
        mount --bind $rw $rwb

        # comment root in fstab so it doesn't get checked
        sed -i "s|^${root}|#${root}|" "${un}/etc/fstab"
        # Only needed to suppress an error message from /etc/rc.sysinit
        echo "rootfs / rootfs rw 0 0" >"${un}/etc/mtab"
}

Hook:

#!/bin/bash
 
build() 
{
        MODULES="ext3 aufs"
        SCRIPT="unionmount"
        add_binary /bin/sed
}
 
help() 
{
        cat <<HELPEOF
Union mount on / with tmpfs=rw and ${root}=ro
HELPEOF
}

Last edited by kaos (2012-02-28 13:35:07)

Arch Linux

#1 2011-02-16 16:17:03

Install arch on a read-only filesystem

#2 2011-02-16 16:28:51

Re: Install arch on a read-only filesystem

#3 2011-02-16 21:03:09

Re: Install arch on a read-only filesystem

#4 2011-02-16 21:05:10

Re: Install arch on a read-only filesystem

#5 2011-02-16 21:52:17

Re: Install arch on a read-only filesystem

#6 2011-02-17 02:14:37

Re: Install arch on a read-only filesystem

#7 2011-02-17 10:08:50

Re: Install arch on a read-only filesystem

#8 2011-02-17 14:57:07

Re: Install arch on a read-only filesystem

#9 2011-02-17 22:12:54

Re: Install arch on a read-only filesystem

#10 2011-03-01 02:04:54

Re: Install arch on a read-only filesystem

#11 2011-03-02 04:11:06

Re: Install arch on a read-only filesystem

#12 2011-03-02 04:18:27

Re: Install arch on a read-only filesystem

#13 2012-02-21 19:29:40

Re: Install arch on a read-only filesystem

#14 2012-02-23 13:35:07

Re: Install arch on a read-only filesystem

Board footer