How to run OpenSuse from a read-only rootfs (e.g. on a USB stick with the write-protection switch enabled)
This guide will also apply to other distributions, possibly with small modifications.
With thanks to my friend who developed this procedure. Can be freely copied.
Benefit:
- during normal use the USB stick is write protected (e.g. while surfing on the internet) and the system cannot be changed (intrusion protection)
- the Linux distribution can be setup as desired and additional packages can be added
- compared to a typical Live distribution which runs its entire rootfs from a ramdisk, this solution uses less memory
- compared to a typical Live distribution which runs its entire rootfs from a ramdisk, this solution makes it easy to install new and updated packages, and change program settings
Procedure:
[ul]
[li]insert your USB stick with the write protection functionality disabled (for now, so we can install) [/li][li]start a regular distribution install but instead of installing on a harddrive install to the USB stick [/li][li]at the partitioning section change the regular procedure:[/li][LIST]
[li]select a file system (fs) without journaling to reduce the wear of the USB stick, use e.g. ext2[/li]or ext4 and change options (e.g. in SuSe: no Journal, noatime)
or remove the journal later with: tunefs -O ^has_journal /dev/sdxX
[li]if your entire disk device will be read-only (e.g. USB stick with write switch): allow no swap partition [/li][li]mount no other partition (e.g. /home) [/li][/ul]
[li]at the GRUB setup ensure that the boot manager needs to be in the MBR of the USB stick (select → install boot code in MBR) [/li][li]finish installation and set your preferences in the programs you intend to use (to store them on the USB stick for later use) [/li][li]you can now boot from the USB stick installation but it will still be in write-enabled mode, so you can make the changes you want. [/li][/LIST]
After installation further measures to prepare working in readonly mode and reducing the wear of the USB stick should be made. You can also do this by mounting the USB stick (still in write-mode) on another Linux device.
[ul]
[li]in /etc/fstab[/li][LIST]
[li]change: UUID=… / ext2 acl, user_xattr 1 1 [/li]to UUID=… / ext2 acl, user_xattr,noatime,nodiratime 1 1
[li]add:[/li]tmpfs /tmp tmpfs nodev,nosuid 0 0
tmpfs /var/log tmpfs nodev,nosuid 0 0
tmpfs /var/tmp tmpfs nodev,nosuid 0 0
tmpfs /home tmpfs nodev,nosuid 0 0
[li]If your system needs any other directories to be writable, add similar tmpfs lines for those locations as well. [/li][/ul]
[/LIST]
[ul]
[li] in /etc/rc.d/boot.local (or /etc/init.d/boot.local)[/li][LIST]
[li]add:[/li]if [ -z “$(ls /home)” ]; then
cp -a /var/user /home
fi
[i]# the home-folder used, now depends on fstab and whether the tmpfs is used or not (tmpfs is allways fresh and therefore empty)
this means you need to copy your real /home/user-folder to /var to make it available for this command. This should be done after you adjusted all your settings (e.g. in web browsers or e-mail programs) and before you reboot with the USB write protection switch set to read only
the copying is done by 1) cd /home 2) cp -a user /var
replace “user” by your user account name
[/i]
[/ul]
[li] Copy the contents of /home/user to /var/user as per the instructions above, replacing “user” with your actual username. [/li][/LIST]
Now you can enable the write-protection switch on your USB stick and boot from it in read-only mode.
NOTE: all changes to tmpfs directories are lost at shutdown! To save any files mount a w/r medium (e.g. another USB stick) and store data there.
If you want to update your system, change settings or add programs, you need to first switch the write-protection off again, and then mount the USB stick in another Linux system to edit fstab. Comment out all the lines starting with tmpfs. Then boot from the USB stick, you will have your system in r/w mode again. Remember to synchronize any changes you make in /home/user with the copy of your home directory in /var/user.
Note: if you try to boot from the USB stick with the write-protection turned on, but the tmpfs lines are missing or commented out from /etc/fstab, then your system will not boot because it needs to be able to write to /tmp, /var/log, /var/tmp and /home.
Possible issues:
My system had access to the local network and could reach the router but not the internet. Fixed it with:
root# ip route add default via 192.168.x.y
where 192.168.x.y is the gateway / router address; check with “ip route” whether the command was successful
Optional change:
To speed up booting (reduce wait time for the Grub2 boot menue and allow only the system on the USB stick)
change in /etc/default/grub the following three lines as root:
[i]GRUB_DEFAULT=0
…
GRUB_TIMEOUT=1
…
GRUB_DISABLE_OS_PROBER=true
[/i]Save the file and to update grub.cfg by running the appropriate command for your system:
grub2-mkconfig -o /boot/grub2/grub.cfg (openSUSE w/ Bios)
grub2-mkconfig -o /boot/grub2-efi/grub.cfg (openSUSE w/ EFI)
update-grub (Debian and Ubuntu)
grub2-mkconfig -o /etc/grub2.cfg (Fedora w/ Bios)
grub2-mkconfig -o /etc/grub2-efi.cfg (Fedora w/ EFI)