How to make rootfs read-only?
I am trying to make my rootfs read-only. I thought I had better use an overlay filesystem for this purpose (I don’t have other alternatives now). Yet, after many trials and changes to fstab, I can’t manage to find any fstab that manages to start Ubuntu with rootfs as read-only. I also googled it but found no examples. This is what I tried, and I also tried many variations (options column), but I still get an error in the overlay mount. As you can see, the main changes are adding «ro» to the rootfs, and adding overlay for /etc, /var and /home.
# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# / was on /dev/sda1 during installation
UUID=075d905c-5c56-4eae-9402-5a880d108a8c / ext4 ro,errors=remount-ro 0 1
/dev/sdb /media/store ext4 defaults 1 1
# swap was on /dev/sda5 during installation
UUID=e190d8d1-5490-4ef5-9547-a38aefa44b3e none swap sw 0 0
/root/myswapfile swap swap defaults 0 0
overlay /var overlay rw,noatime,lowerdir=/var,upperdir=/media/store/1,workdir=/media/store/11 0 2
overlay /etc overlay rw,noatime,lowerdir=/etc,upperdir=/media/store/2,workdir=/media/store/22 0 2
overlay /home overlay rw,noatime,lowerdir=/home,upperdir=/media/store/3,workdir=/media/store/33 0 2
Overlay is supported in my kernel, and things do work if I change my rootfs option in fstab from ro to writable, but I need it read-only! Thanks for any idea, ranran
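An fstab like the one above fails before any mount is attempted if an overlay line does not parse into the expected fields, and overlayfs itself refuses an upperdir/workdir pair that is missing, identical, or on two different filesystems. The linter below is an added example, not code from the question or from any answer to it; it checks exactly those conditions in any fstab. The sample file it writes is constructed for the demonstration (it deliberately contains one line with a space inside a path and one line that reuses a directory) and is not the poster's file.

```shell
#!/bin/sh
# Added example (not from the original question): lint the overlay entries in
# an fstab file. It reports the mistakes that most often make "mount -a" fail:
#   - a line with the wrong number of fields (a space inside a path splits it)
#   - an overlay entry without upperdir= or workdir=
#   - upperdir and workdir naming the same directory
#   - upperdir and workdir that exist but live on different filesystems

# fstab_opt OPTIONS NAME: print the value of NAME= from a comma-separated list.
fstab_opt() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# lint_fstab FILE: print one line per problem; return 0 only if none were found.
lint_fstab() {
  file="$1"
  status=0
  while IFS= read -r line || [ -n "$line" ]; do
    # shellcheck disable=SC2086
    set -- $line                          # split the line into fstab fields
    [ "$#" -eq 0 ] && continue            # blank line
    case "$1" in '#'*) continue ;; esac   # comment line
    if [ "$#" -lt 4 ] || [ "$#" -gt 6 ]; then
      echo "field count $# (expected 4 to 6): $line"
      status=1
      continue
    fi
    [ "$3" = "overlay" ] || continue
    mnt="$2"
    upper=$(fstab_opt "$4" upperdir)
    work=$(fstab_opt "$4" workdir)
    if [ -z "$upper" ] || [ -z "$work" ]; then
      echo "$mnt: overlay needs both upperdir= and workdir="
      status=1
      continue
    fi
    if [ "$upper" = "$work" ]; then
      echo "$mnt: upperdir and workdir must be different directories"
      status=1
    fi
    # Only comparable when both directories exist on this host.
    if [ -d "$upper" ] && [ -d "$work" ]; then
      up_fs=$(df -P "$upper" | awk 'NR == 2 { print $1 }')
      wk_fs=$(df -P "$work" | awk 'NR == 2 { print $1 }')
      if [ "$up_fs" != "$wk_fs" ]; then
        echo "$mnt: upperdir ($up_fs) and workdir ($wk_fs) are on different filesystems"
        status=1
      fi
    fi
  done < "$file"
  return "$status"
}

# write_sample_fstab FILE: a constructed fstab (not the poster's) with one
# correct overlay line, one broken by a space in a path, and one that reuses
# the same directory for upperdir and workdir.
write_sample_fstab() {
  cat > "$1" <<'EOF'
# constructed sample
UUID=00000000-0000-0000-0000-000000000000 / ext4 ro,errors=remount-ro 0 1
/dev/sdb /media/store ext4 defaults 0 2
overlay /var overlay rw,noatime,lowerdir=/var,upperdir=/media/store/1,workdir=/media/store/11 0 0
overlay /etc overlay rw,noatime,lowerdir=/etc,upperdir=/media/store /2,workdir=/media/store /22 0 0
overlay /home overlay rw,noatime,lowerdir=/home,upperdir=/media/store/3,workdir=/media/store/3 0 0
EOF
}

# demo: lint the constructed sample and clean up.
demo() {
  sample=$(mktemp)
  write_sample_fstab "$sample"
  lint_fstab "$sample"
  rm -f "$sample"
}

# Usage: sh lint_fstab.sh /etc/fstab   (no argument: lint the constructed sample)
if [ "$#" -gt 0 ]; then
  lint_fstab "$1"
else
  demo
fi
```

Run it against the real file before rebooting into a read-only root: a non-zero exit means at least one overlay entry would be rejected, and the message names the mount point and the reason.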
Fixing a Read-Only File System in Linux
21.10.2022
itpro
CentOS, Linux, Ubuntu
In some cases a file system in Linux can switch into a read-only state, in which you can only read data from the disk, and any attempt to write changes or create a new file produces the error Read-only file system.
File system errors and the remount-ro option
Check the disk mount options used when Linux boots. The file systems mounted at boot are configured in /etc/fstab.
Note that fstab contains a line mounting the root directory of the form:
UUID=aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa / ext4 errors=remount-ro 0 1
The errors=remount-ro parameter means that this directory will be remounted read-only if problems are detected on the device's file system. In that case you need to check the disk with fsck.
Ordinary file systems such as EXT4/BTRFS/XFS can be mounted either read-write or read-only (unlike ISO or SquashFS file systems, which are read-only).
When errors are detected on the disk, you can use one of three options: errors=[continue|remount-ro|panic]
- continue – ignore errors,
- remount-ro – remount the disk read-only
- panic – halt the system
You can display the mapping between a disk's UUID and its device name:
In this example, your UUID corresponds to the device /dev/sda3.
You can also list device names and mount points with the command:
Since in this example the errors were found on the root directory, which is a mount point, you can only check it by booting from a LiveCD. The following command is used to repair file system errors:
$ sudo fsck -y UUID=aaaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa
If you cannot check the disk right now and want to take the file system out of read-only mode immediately, run the command:
Read-only file system in virtual machines
The file system of a Linux partition on a virtual machine can switch to read-only when the storage system (SAN) becomes unavailable. The simplest way to restore the OS is to reset the virtual machine (effectively a restart with default parameters).
It may turn out that the Linux VM does not boot at all and you only get the initramfs command line with warnings:
UNEXPECTED INCONSISTENCY: RUN fsck MANUALLY. fsck exited with code 4. The root file system of /dev/sdx requires a manual fsck.
Initramfs is the initial file system in RAM, based on tmpfs, which contains the utilities and scripts needed to work with disks, file systems and so on. After initramfs starts, the problem is displayed.
If there are no errors, just type exit. Otherwise, run a disk check:
The volume that requires a manual check is shown here (in this case /dev/sda1). The following command checks all attached file systems:
After that, reboot the VM.
read only root filesystem
Somehow my Debian went read-only on the root file system. I have no idea how this could have happened.
For example, when I am in the /root folder and type the command nano and after that press Tab to list possible files in that folder, I get the message:
root@debian:~# nano
-bash: cannot create temp file for here-document: Read-only file system
root@debian:~# cd /home
-bash: cannot create temp file for here-document: Read-only file system
I also have problems with software like apt and others. Can’t even apt-get update. I have a lot of errors like this:
Err http://ftp.de.debian.org wheezy-updates/main Sources 406 Not Acceptable
W: Not using locking for read only lock file /var/lib/apt/lists/lock
W: Failed to fetch http://ftp.de.debian.org/debian/dists/wheezy/Release rename failed, Read-only file system (/var/lib/apt/lists/ftp.de.debian.org_debian_dists_wheezy_Release -> /var/lib/apt/lists/ftp.de.debian.org_debian_dists_wheezy_Release).
W: Failed to fetch http://security.debian.org/dists/wheezy/updates/main/source/Sources 404 Not Found
W: Failed to fetch http://security.debian.org/dists/wheezy/updates/main/binary-amd64/Packages 404 Not Found
W: Failed to fetch http://ftp.de.debian.org/debian/dists/wheezy-updates/main/source/Sources 406 Not Acceptable
E: Some index files failed to download. They have been ignored, or old ones used instead.
W: Not using locking for read only lock file /var/lib/dpkg/lock
I have a lot of problems in the system. Is it possible to fix that? How can I check what happened? What should I look for in the logs? I know it could be because of the line in /etc/fstab file:
/dev/mapper/debian-root / ext4 errors=remount-ro 0 1
but what is the problem? I can’t find anything, or maybe I don’t know where to look. Edit: I searched the messages logs and found only this:
kernel: [ 5.709326] EXT4-fs (dm-0): re-mounted. Opts: (null)
kernel: [ 5.977131] EXT4-fs (dm-0): re-mounted. Opts: errors=remount-ro
kernel: [ 7.174856] EXT4-fs (dm-2): mounted filesystem with ordered data mode. Opts: (null)
I guess it’s correct, because I have the same entries on other Debian machines. I found something in dmesg (I cut that output a bit because there were a lot of standard ext4 things):
root@gs3-svn:/# dmesg |grep ext4
EXT4-fs error (device dm-0) in ext4_reserve_inode_write:4507: Journal has aborted
EXT4-fs error (device dm-0) in ext4_reserve_inode_write:4507: Journal has aborted
EXT4-fs error (device dm-0) in ext4_dirty_inode:4634: Journal has aborted
EXT4-fs error (device dm-0): ext4_discard_preallocations:3894: comm rsyslogd: Error loading buddy information for 1
EXT4-fs warning (device dm-0): ext4_end_bio:250: I/O error -5 writing to inode 133130 (offset 132726784 size 8192 starting block 159380)
EXT4-fs error (device dm-0): ext4_journal_start_sb:327: Detected aborted journal
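The dmesg lines above are the evidence that the errors=remount-ro policy described in the article earlier on this page was triggered: an I/O error aborted the ext4 journal and the kernel remounted the volume read-only. The script below is an added example, not from the article or from this post, that turns both halves of that diagnosis into repeatable checks: which block-device mounts are currently read-only and what their errors= policy is, and which kernel messages explain the remount. Both functions read from a file so they can be pointed at /proc/self/mounts and saved dmesg output on a real host; the mounts snapshot and log lines embedded here are constructed samples modelled on the messages quoted in the post.

```shell
#!/bin/sh
# Added example, not from the article or the post: two checks to run when a
# filesystem has "suddenly" become read-only. Both read from a file so they
# work on /proc/self/mounts and on saved dmesg/kern.log output as well as on
# the constructed samples below.

# report_ro_mounts MOUNTS: for every block-device mount whose first option is
# "ro", print "mountpoint device errors=<policy>". The policy is the errors=
# value from the mount options (continue, remount-ro or panic); "default" means
# none was given and the filesystem's built-in default applies.
report_ro_mounts() {
  awk '$1 ~ /^\/dev\// {
         n = split($4, o, ",")
         if (o[1] != "ro") next
         policy = "default"
         for (i = 1; i <= n; i++)
           if (o[i] ~ /^errors=/) policy = substr(o[i], 8)
         print $2, $1, "errors=" policy
       }' "$1"
}

# fs_error_events LOG: print the kernel messages that explain a read-only
# remount: I/O errors, an aborted journal and the remount itself.
fs_error_events() {
  grep -E 'EXT4-fs (error|warning)|Journal has aborted|I/O error|Remounting filesystem read-only' "$1"
}

# write_samples DIR: constructed mounts and kernel-log samples (modelled on the
# messages quoted in the post, not copied from a real host).
write_samples() {
  cat > "$1/mounts" <<'EOF'
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/mapper/debian-root / ext4 ro,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/store ext4 rw,relatime 0 0
/dev/sr0 /media/cdrom iso9660 ro,relatime 0 0
EOF
  cat > "$1/kern.log" <<'EOF'
kernel: [    5.977131] EXT4-fs (dm-0): re-mounted. Opts: errors=remount-ro
kernel: [ 1234.001000] EXT4-fs warning (device dm-0): ext4_end_bio:250: I/O error -5 writing to inode 133130
kernel: [ 1234.002000] EXT4-fs error (device dm-0): ext4_journal_start_sb:327: Detected aborted journal
kernel: [ 1234.003000] EXT4-fs (dm-0): Remounting filesystem read-only
kernel: [ 1234.004000] EXT4-fs error (device dm-0) in ext4_reserve_inode_write:4507: Journal has aborted
EOF
}

# demo: run both checks on the constructed samples. On a live host use
#   report_ro_mounts /proc/self/mounts
#   dmesg | fs_error_events -
demo() {
  d=$(mktemp -d)
  write_samples "$d"
  echo "read-only block-device mounts:"
  report_ro_mounts "$d/mounts"
  echo "kernel messages explaining the remount:"
  fs_error_events "$d/kern.log"
  rm -rf "$d"
}

demo
```

A root filesystem listed by report_ro_mounts with errors=remount-ro and a matching "Detected aborted journal" or "I/O error" line in the log is the article's case: the disk needs fsck (from a LiveCD or the initramfs shell when it is the root), and the I/O error itself points at the storage layer rather than at the mount options.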
When can Linux boot with a Read-Only Root Filesystem
Additional Question: Which udev/systemd magic mounts the root fs?
At boot, you are supposed to check your filesystems to see if the system was shut down properly or if it crashed, and perform the necessary recovery actions in the latter case. On modern journaled filesystems, this usually means a simple and quick journal recovery operation that can be done automatically.
Root filesystem checking and mounting is normally done by initramfs/initrd, but on an embedded system you might or might not have it.
If you are not using initramfs, then the traditional way would be to have the kernel always mount the root filesystem initially as read-only (with boot options root=/dev/ ro), and the start-up scripts would then first run fsck on it (assuming it’s necessary for the filesystem type used) and then remount the root filesystem into read/write mode before doing anything else.
If initramfs did not check the root filesystem (perhaps because it’s not being used), then the standard systemd service name for running a filesystem check on the root filesystem is named systemd-fsck-root.service. I could not find out the name of the service responsible for remounting the root filesystem with systemd after it’s been checked.
If a boot-time root filesystem check needs to modify the root filesystem, it typically triggers another reboot afterwards, because the modification may have affected something the kernel has already read and is caching, and would now be inconsistent after a correction was made on the disk by fsck.
Read only root on Linux
In many cases, it is required to run a system in such a way that it is tolerant of uncontrolled power losses, resets, etc. After such an event occurs, it should at least be able to boot up and connect to the network so that some action can be taken remotely.
There are a few different ways in which this could be accomplished.
Mounting the root filesystem with read-only flags
Most parts of the Linux root filesystem can be mounted read-only without many problems, but there are some parts which don’t play well. This Debian wiki page has some information about this approach. I thought this approach would not be very stable, so I did not try it out completely.
Using aufs/overlayfs
aufs is a union file system for Linux systems, which enables us to mount separate filesystems as layers to form a single merged filesystem. Using aufs, we can mount the root file system as read-only, create a writable tmpfs ramdisk, and combine these so that the system thinks that the root filesystem is writable, but changes are not actually saved to disk, and don’t survive a reboot.
I found this method to be the most suitable and stable for my task, and have been using it for the last 6 months. This system mounts the real filesystem at mountpoint /ro with the read-only flag, creates a writable ramdisk at mountpoint /rw, and makes a union filesystem using these two at mountpoint /.
The steps I followed for my implementation are detailed below. These are just a modified version of the steps in this ubuntu wiki page. I am using Debian in my implementation.
- Install debian using live cd or your preferred method.
- After first boot, upgrade and configure the system as needed.
- Install aufs-tools.
- Add aufs to initramfs and set up this script to start at init.
# echo aufs >> /etc/initramfs-tools/modules
# wget https://cdn.rawgit.com/srijan/383a8d7af6860de6f9de/raw/ -O /etc/initramfs-tools/scripts/init-bottom/__rootaufs
# chmod 0755 /etc/initramfs-tools/scripts/init-bottom/__rootaufs
- Edit grub settings in /etc/default/grub and add aufs=tmpfs to GRUB_CMDLINE_LINUX_DEFAULT, and regenerate grub.
Making changes
To change something trivial (like a file edit), just remount the /ro mountpoint as read-write, edit the file, and reboot.
To do something more complicated (like install OS packages), press e in the grub menu during bootup, remove aufs=tmpfs from the kernel line, and boot using F10. The system will boot up normally once.
Another method could be to use a configuration management tool (puppet, chef, ansible, etc.) to make the required changes whenever the system comes online. The changes would be lost on reboot, but it would become much easier to manage multiple such systems.
Also, if some part of the system is required to be writable (like /var/log), that directory could be mounted separately as a read-write mountpoint.
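After the initramfs script and the aufs=tmpfs kernel parameter are in place, the only proof that the system really boots the way described (real root read-only at /ro, tmpfs at /rw, union at /) is the mount table, and any extra writable block-device mount such as a separate /var/log is a place where changes still persist. The script below is an added example, not part of the original post or of the __rootaufs init-bottom script it installs; it verifies that layout from a mounts file and lists the persistent writable mounts. The /proc/mounts snapshot it embeds is constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not part of the original post or of the init-bottom script it
# installs: verify on a booted system that the layout the post describes is in
# place (real root read-only at /ro, tmpfs at /rw, aufs/overlay union at /) and
# list every other writable block-device mount, which is where changes still
# persist across reboots (e.g. a separate /var/log).

# union_layout_ok MOUNTS: return 0 when all three expected mounts are present
# with the right type and flags; otherwise print what is wrong and return 1.
union_layout_ok() {
  awk '
    $2 == "/"   && ($3 == "aufs" || $3 == "overlay") { root = 1 }
    $2 == "/ro" && split($4, o, ",") && o[1] == "ro" { ro = 1 }
    $2 == "/rw" && $3 == "tmpfs"                     { rw = 1 }
    END {
      ok = 1
      if (!root) { print "/ is not an aufs/overlay union";  ok = 0 }
      if (!ro)   { print "/ro is missing or not read-only"; ok = 0 }
      if (!rw)   { print "/rw is missing or not a tmpfs";   ok = 0 }
      if (ok) exit 0
      exit 1
    }' "$1"
}

# persistent_rw_mounts MOUNTS: print "mountpoint device" for every writable
# block-device mount other than /ro; each is a place where writes survive a reboot.
persistent_rw_mounts() {
  awk '$1 ~ /^\/dev\// && $2 != "/ro" && split($4, o, ",") && o[1] == "rw" { print $2, $1 }' "$1"
}

# write_sample_mounts FILE: a constructed /proc/mounts snapshot of such a system
# (not taken from a real host), with a separate writable /var/log.
write_sample_mounts() {
  cat > "$1" <<'EOF'
/dev/sda1 /ro ext4 ro,relatime,errors=remount-ro 0 0
tmpfs /rw tmpfs rw,relatime 0 0
aufs / aufs rw,relatime,si=0123456789abcdef 0 0
/dev/sda2 /var/log ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
EOF
}

# check_system MOUNTS: run both checks and report.
check_system() {
  if union_layout_ok "$1"; then
    echo "union root layout OK; persistent writable mounts:"
    persistent_rw_mounts "$1"
  else
    echo "union root layout NOT in place"
    return 1
  fi
}

# Usage: sh check_ro_root.sh /proc/self/mounts   (no argument: use the sample)
if [ "$#" -gt 0 ]; then
  check_system "$1"
else
  sample=$(mktemp)
  write_sample_mounts "$sample"
  check_system "$sample"
  rm -f "$sample"
fi
```

Running it with /proc/self/mounts after every reboot (for example from the configuration-management run the post mentions) catches the two silent failure modes of this setup: the initramfs script not taking effect, so the real root is mounted read-write at /, and a writable data mount that was added later and now persists things nobody expected to survive a reset.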