bergernet research

Debian Linux with readonly root FS

I was researching a solution to run Linux on a small computer like an Igel thin client (or Raspberry Pi) in an environment where the power could be cut at any time.

At first I thought about a small tool that remounts the root filesystem writeable for updates and changes. During this research I realised that there are much more elegant solutions around to address this challenge.

It can be solved by having a writable overlay filesystem on top of the read-only root filesystem. As a consequence, all writes are lost at shutdown, but the file system cannot be left inconsistent by an unscheduled power down. Theoretically, a journaled file system should prevent that anyway, but I wanted the filesystem to be mounted read only.

This functionality has been packed into the Debian package overlayroot.

Package description

This package adds functionality to an initramfs built by initramfs-tools. When installed and configured, the initramfs will mount an overlayfs filesystem on top of a read-only root volume.

Installation

sudo apt-get update
sudo apt-get install overlayroot

sudo nano /etc/overlayroot.conf

At the end of the file, change the line beginning with overlayroot= to:

overlayroot="tmpfs"

sudo reboot

If you need to update the system or change a configuration, you need to enter an environment where you can change files on your root filesystem. This can be done by executing:

sudo overlayroot-chroot

Then comment out the line overlayroot="tmpfs" in /etc/overlayroot.conf, leave the chroot with exit, and execute

sudo reboot

After the system update/config change, revert the change in /etc/overlayroot.conf and reboot again, then overlayfs should be active again.

Caution

Be aware that /boot or /boot/efi (depending on whether you use legacy or EFI boot) is still mounted writable. If you perform apt upgrade while overlayfs is active, and the kernel gets upgraded, this will very likely result in a broken system.

Further thoughts

Ideally, writes to the RAM-backed overlayfs should be limited, as it can use about 1/2 of the available memory. Therefore, it would make sense to limit the amount of information written to the log files.

If you like, you can clean your logs before activating the overlayfs:

user@host$ sudo find /var/log -type f -exec truncate -s 0 {} \;
user@host$ sudo journalctl --vacuum-time=1s

Excerpt of my df output:

user@host:~$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 3.6G 1.7G 1.8G 48% /media/root-ro
tmpfs-root 932M 18M 915M 2% /media/root-rw
overlayroot 932M 18M 915M 2% /

There are a lot more options documented in /etc/overlayroot.conf.
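
A pre-upgrade guard for the situation described under Caution, as an added example that is not part of the original post or the overlayroot package. It reads a mount table in /proc/mounts layout; the function names, the MOUNTS_FILE variable and the sample table (modelled on the df output above, with /dev/sda2 as an assumed EFI partition) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Mount tables use the /proc/mounts layout:
#   device mountpoint fstype options dump pass

# Print the filesystem type at mount point $2 in mounts file $1 (last entry wins).
fstype_of() {
    awk -v mp="$2" '$2 == mp { t = $3 } END { if (t != "") print t }' "$1"
}

# Succeed if mount point $2 in mounts file $1 carries the "rw" option.
is_rw() {
    awk -v mp="$2" '$2 == mp { o = $4 } END { exit ((o ~ /(^|,)rw(,|$)/) ? 0 : 1) }' "$1"
}

# Print "active" when / is an overlay mount, otherwise "inactive".
overlay_state() {
    if [ "$(fstype_of "$1" /)" = "overlay" ]; then echo active; else echo inactive; fi
}

# Print the boot mount points that stay writable while the overlay is active.
# A kernel upgrade in that state lands partly on disk and partly in RAM.
persistent_boot_mounts() {
    [ "$(overlay_state "$1")" = "active" ] || return 0
    for mp in /boot /boot/efi; do
        if is_rw "$1" "$mp"; then echo "$mp"; fi
    done
}

# Succeed only when an upgrade would be written to the real root filesystem.
safe_to_upgrade() {
    [ "$(overlay_state "$1")" = "inactive" ]
}

# Constructed sample table (not captured from a real host).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
/dev/sda1 /media/root-ro ext4 ro,relatime 0 0
tmpfs-root /media/root-rw tmpfs rw,relatime 0 0
overlayroot / overlay rw,relatime 0 0
/dev/sda2 /boot/efi vfat rw,relatime 0 0
EOF

MOUNTS=${MOUNTS_FILE:-$SAMPLE}   # set MOUNTS_FILE=/proc/mounts on a real system
echo "overlayroot: $(overlay_state "$MOUNTS")"
for mp in $(persistent_boot_mounts "$MOUNTS"); do
    echo "warning: $mp is writable and persistent while / is not"
done
safe_to_upgrade "$MOUNTS" || echo "upgrade blocked: overlay is active"
```

Run with MOUNTS_FILE=/proc/mounts before apt upgrade; a non-zero result from safe_to_upgrade means the changes would go to the tmpfs and be lost at the next reboot.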