Page 3 of 5 FirstFirst 12345 LastLast
Results 21 to 30 of 48

Thread: Read Only Root disk

  1. #21
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-04 17:36, berryvansleeuwen wrote:
    >
    > Why would it be hard to mount /var? The /var is a seperate partition,
    > just as /tmp and /srv. So we can just mount that on the var directory in
    > the read-only /.


    Because something is written to the system to register the mount.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  2. #22
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-04 17:36, berryvansleeuwen wrote:
    >
    > OK, look at it the other way, why would the / disk be mounted read-only
    > at boot, only to remount it writable later on?


    That is the normal process of things. First R/O. then R/W.

    > Indeed, an update for whatever reason is impossible. That's the goal.
    > Whenever an update is required it is changed once in the baseline and
    > then distributed in a controlled way. Changes are only allowed after
    > testing and approval. This way we can ensure only a tested configuration
    > will be enrolled and we can provide proof to auditors for that. As a
    > bonus, migrations are so much easier this way.


    The live CD is such a R/O system, but modifications are done to it so that
    the system doesn't need to write to it, or writes are done in memory. You
    can not directly use a R/O image, AFAIK.

    > In a way this is technical security. On the one hand prevent someone to
    > gain (root)access to the machine. But if someone does, either by
    > accident or on purpose, make sure he can't do any harm anyway.


    It is the first time I hear of such a procedure.

    > Indeed, the best way would be to have as few root users in the system
    > as possible. But some groups do not agree, even some software vendors do
    > not agree.


    There is only one root user.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  3. #23
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    If fsck is working on the partition then why are there extentions on fsck, such as fsck.ext2, fsck.ext3 etc. I'd think that would mean it's working on the filesystem (too).

    Well, anyway, one can turn off the fsck so that's what I have done. No need for an fsck on read-only disks.

    Regards, Berry.

  4. #24
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Yes, indeed, a change then requires a reboot in such a setup. Or rather, when enrolling a new release, with multiple fixes or even a new version, the old root disk will be replaced by a new one. So shutdown with the old disk, boot with the new disk. Downtime only seconds. A fallback in case if a failed migration, once again only seconds since the old disk is still available.

    Regards, Berry.

  5. #25
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,663
    Blog Entries
    14

    Default Re: Read Only Root disk

    I still don't see the point. Any of the measures taken are against things that require root access anyway, and like Henk already said, "touching" the disk as root is easily done. Maybe you should search in the virtualization areas. That way you could maintain images, leave the host as default as possible, the VM for the user.
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  6. #26
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    Indeed, a mount would write in /etc/mtab, it links to /proc/self/mounts. The /proc is a virtual filesystem and therefore not read-only.

    Regards, Berry.

  7. #27
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk

    We are running the concept in virtual systems. So we do know that it works in virtual systems. Indeed, in virtual systems the disk is actually linked read-only. Now we'd like to see if we can do it in host systems too, or in any case something similar to it.

    Regards, Berry.

  8. #28
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Read Only Root disk

    On 2012-05-04 23:06, berryvansleeuwen wrote:
    >
    > If fsck is working on the partition then why are there extentions on
    > fsck, such as fsck.ext2, fsck.ext3 etc. I'd think that would mean it's
    > working on the filesystem (too).


    It works on two levels. The filesystem is mounted read only, so that no
    files are altered, nothing can get altered. This is done so that fsck can
    write to the filesystem, in the knowledge that nothing else writes to it.

    It is mounted R/O, yes, but writes are not forbidden to the kernel. Only to
    the filesystem.

    And if fsck reports that it changed something, it has to reboot, can not
    continue.


    Had you read the bugzilla comment, you would have read that even when
    mounting R/O a filesystem the kernel can write the journal to the disk. It
    is not R/O strictly. This is a problem for forensics, for example.

    > Well, anyway, one can turn off the fsck so that's what I have done. No
    > need for an fsck on read-only disks.


    As I said, you have to do some serious modifications to the system - did
    you think of auditing your own modifications? Because you are altering the
    system :-)

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  9. #29
    Join Date
    Jun 2008
    Location
    Groningen, Netherlands
    Posts
    19,663
    Blog Entries
    14

    Default Re: Read Only Root disk

    Please also take a look at Welcome – SUSE Studio It's one of the things that makes openSUSE/SUSE more than just a linux distro. You can create and maintain your own appliances, add files, Testdrive, even alter things through ssh when in testdrive. Not completely off topic, but could open new options for you
    ° Appreciate my reply? Click the star and let me know why.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  10. #30
    Join Date
    Jan 2009
    Location
    Nederland
    Posts
    36

    Default Re: Read Only Root disk


    > That is the normal process of things. First R/O. then R/W.


    True, when running the default system. Then it mounts ro to do the fsck and then mounts rw. But why is there a kernel parameter ro? I would think that instructs the kernel to not mount rw during boot. And it has been for several SLES versions. Only now I'm trying to do the same with OpenSuse and it fails.


    > The live CD is such a R/O system, but modifications are done to it so that
    > the system doesn't need to write to it, or writes are done in memory. You
    > can not directly use a R/O image, AFAIK.


    Too bad, but that was what I wanted to find out. So we can conclude that there is no way to have a truly read-only root disk.


    > It is the first time I hear of such a procedure.


    It's standard operating procedure in the systems I work with. It has been so for years. Basically: secure your system to prevent harm, expect that doesn't help and configure accordingly.


    > There is only one root user.


    Quite right, unfortunately. And to be able to do something other than 'normal' user behavior, most demand access to root. Usually just because root can do anything.

    Regards, Berry.

Page 3 of 5 FirstFirst 12345 LastLast

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •