The Debian wiki describes how to configure a read-only rootfs and how to
run apt and unattended-upgrades in such a filesystem:
https://wiki.debian.org/ReadonlyRoot

I would like to report that I am having considerable success with the
following simple command sequence:

sudo su -l
unshare -m
# in the new namespace, remount all
# filesystems writable that apt upgrade
# would want to write to
mount --bind /boot /boot
mount -o remount,rw /boot
mount --bind /usr /usr
mount -o remount,rw /usr
apt upgrade
exit

In particular, this avoids all problems with remounting back to
read-only afterwards, because processes in the original mount
namespace never get to see a writable filesystem.

The whole story is rather trivial, but anyway I wrote a small script
to make this more comfortable: https://github.com/smitsohu/rofairy

The script also verifies that remounting in the new mount namespace
does not inadvertently create writable locations in the original mount
namespace.
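As an added example (not the post's own commands and not the rofairy script), the sequence above wrapped in a function, plus a check of the kind the post describes, run from the original namespace against /proc/self/mountinfo. Function names and the sample mountinfo lines are constructed for illustration; the remount part needs root, the check does not.

```shell
# Added example, not code from the post or from rofairy; function names and
# the sample mountinfo text below are constructed for illustration.

# mount_state MOUNTINFO_TEXT MOUNTPOINT: prints "ro" if the topmost mount at
# MOUNTPOINT is effectively read-only, "rw" if writable, nothing if absent.
# Either the per-mount options (field 6) or the superblock options (3rd field
# after "-") saying ro is enough: a remount in another namespace that flips
# only the superblock leaves this namespace's mount read-only.
mount_state() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $5 == mp {
            state = "rw"
            if (("," $6 ",") ~ /,ro,/) state = "ro"
            for (i = 7; i <= NF; i++)
                if ($i == "-") { if (("," $(i + 3) ",") ~ /,ro,/) state = "ro"; break }
            last = state   # later lines are stacked on top of earlier ones
        }
        END { if (last != "") print last }'
}

# check_still_ro MOUNTINFO_TEXT PATH...: succeeds only if every PATH is ro.
check_still_ro() {
    info=$1; shift
    for p in "$@"; do
        [ "$(mount_state "$info" "$p")" = ro ] && continue
        echo "$p is writable in this namespace" >&2; return 1
    done
}

# The post's sequence in one step (needs root): a private mount namespace in
# which each path is bind-mounted onto itself and the new mount made writable;
# the namespace and its writable mounts vanish when sh exits.  Afterwards run
# check_still_ro "$(cat /proc/self/mountinfo)" /boot /usr from the original one.
upgrade_in_private_ns() {
    unshare -m sh -e -c '
        for p in "$@"; do
            mount --bind "$p" "$p"
            mount -o remount,rw "$p"
        done
        apt upgrade
    ' sh "$@"
}

# Constructed mountinfo lines; /boot shows the state the original namespace
# sees after the remount above (per-mount ro while the shared superblock is rw).
SAMPLE_MOUNTINFO='24 1 8:1 / / ro,relatime shared:1 - ext4 /dev/sda1 ro,errors=remount-ro
30 24 8:2 / /boot ro,relatime shared:2 - ext4 /dev/sda2 rw
31 24 8:3 / /usr rw,relatime shared:3 - ext4 /dev/sda3 rw
32 24 8:4 / /var rw,nosuid shared:4 - ext4 /dev/sda4 ro'
```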

Maybe it helps someone. Also let me know if you hate it.
Thanks!

-- 
PGP: FF815935D964B268656B43DCB8037830D522909E
