On Mon, 9 Jul 2012 10:51:11 +0200 Tom Gundersen <t...@jklm.no> wrote:
>[...] > > What should work (but might not!): /etc and /usr (and /lib, /sbin, > /bin) should be able to be mounted read-only. I expect you'll have to > figure out how to deal with /etc/resolv.conf, I wonder if > NetworkManager has learnt how to deal with this gracefully since I > last checked... This has been working for quite some time on all my machines. The only real problem is cups which wants to write to /etc/cups and upstream refuses to fix this. Debian has some patches which offer only a partial solution. I solved it by recompilation with --sysconfig=/var/lib/cups. Assuming DHCP, the resolv.conf file can be protected in two ways: (i) For dhcpcd, use "nohook resolv.conf" in dhcpcd.conf and use a predefined DNS server (like 192.168.1.1 or any public dns provider); also works with netcfg. (ii) For other DHCP clients (dhclient perhaps) one can replace /etc/resolv.conf with a symlink to /run/resolv.conf. This was a discussion on gnome dev ML sometime ago, and I don't know whether this fix was accepted "officially" anywhere or remained a folk story. AFAIK, but this can be wrong, the real problem with NM is not having read-only resolv.conf, but protecting /etc/hosts... However, having NM on a serevr sounds like a bad idea to start with. > > What will not work: as Rodrigo said, you'll still need /var to be > mounted read-write, the point of /var is for applications to be able > to write to it. Moreover, /var must be unique to each installation, > and cannot be shared (you can put it on an NFS share though, just make > sure you have one for each machine). Moreover, even if /etc/ is > mounted read-only, you probably want one per machine. You might get > away with sharing it, but then all your hostnames will be the same for > instance. Importantly: you don't want /etc/machine-id to be shared by > different machines (as it needs to be unique). If you do decide to > share /etc, you can replace /etc/machine-id by an empty file and > systemd will create a random one at every boot (in /run) and use that > instead, so you should be fine in this respect. > > HTH, > > Tom -- Leonid Isaev GnuPG key: 0x164B5A6D Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
signature.asc
Description: PGP signature
