Debian wiki describes how to configure a read-only rootfs and how to run apt and unattended-upgrades in such a filesystem: https://wiki.debian.org/ReadonlyRoot
I would like to report that I am having considerable success with the following simple command sequence:

    sudo su -l
    unshare -m
    # in the new namespace, remount all
    # filesystems writable that apt upgrade
    # would want to write to
    mount --bind /boot /boot
    mount -o remount,rw /boot
    mount --bind /usr /usr
    mount -o remount,rw /usr
    apt upgrade
    exit

In particular, this avoids all problems with remounting back to read-only afterwards, because processes in the original mount namespace never get to see a writable filesystem.

The whole story is rather trivial, but anyways I wrote a small script to make this more comfortable: https://github.com/smitsohu/rofairy

The script also verifies that remounting in the new mount namespace does not inadvertently create writable locations in the original mount namespace.

Maybe it helps someone. Also let me know if you hate it.

Thanks!

-- 
PGP: FF815935D964B268656B43DCB8037830D522909E
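The verification step the post mentions (confirming that the original mount namespace still sees /boot and /usr read-only after the upgrade) can be done by reading a mountinfo snapshot of a process that stayed in the original namespace. The script below is an added example, not code from the post or from the rofairy project; it parses mountinfo lines and reports which of the given mount points carry a writable per-mount flag. The sample snapshots are constructed, and the `/proc/$PPID/mountinfo` usage assumes the shell's parent process was not itself unshared. It checks the per-mount options (field 6) rather than the superblock options after the `-` separator, because a plain `remount,rw` changes the superblock flags that all namespaces share, while the per-mount read-only flag is what the kernel enforces on write in each namespace.

```shell
#!/bin/sh
# Added example (not the rofairy script): inspect a /proc/<pid>/mountinfo
# snapshot and report which mount points are writable in that namespace.
# mountinfo layout: field 5 = mount point, field 6 = per-mount options,
# then "-", filesystem type, source, superblock options.

# Print the mount points (field 5) whose per-mount options (field 6)
# contain "rw".
writable_mounts() {
    awk '{
        n = split($6, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] == "rw") { print $5; break }
    }'
}

# check_readonly PATH... < mountinfo
# Returns 0 if none of PATH... is writable in the snapshot, 1 otherwise,
# naming the offending mount points on stderr.
check_readonly() {
    rc=0
    writable=$(writable_mounts)
    for want in "$@"; do
        for got in $writable; do
            if [ "$got" = "$want" ]; then
                echo "WRITABLE in this namespace: $want" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample snapshots (not real system output).
# Original namespace after the upgrade: /boot and /usr keep their per-mount
# "ro" flag even though the shared superblock now reports "rw"; /var was
# writable all along.
ORIG_SNAPSHOT='22 1 8:1 / / ro,relatime - ext4 /dev/sda1 ro,errors=remount-ro
36 22 8:2 / /boot ro,relatime - ext4 /dev/sda2 rw
40 22 8:3 / /usr ro,relatime - ext4 /dev/sda3 rw
45 22 8:4 / /var rw,relatime - ext4 /dev/sda4 rw'

# Unshared namespace after the bind mounts and remounts: /boot and /usr are
# writable there, as intended.
NS_SNAPSHOT='22 1 8:1 / / ro,relatime - ext4 /dev/sda1 ro,errors=remount-ro
60 22 8:2 / /boot rw,relatime - ext4 /dev/sda2 rw
61 22 8:3 / /usr rw,relatime - ext4 /dev/sda3 rw
45 22 8:4 / /var rw,relatime - ext4 /dev/sda4 rw'

# Live use from inside the unshared shell: its parent process is still in
# the original namespace, so that process's mountinfo shows what the
# original namespace sees (assumption: the parent was not unshared):
#   check_readonly /boot /usr < /proc/$PPID/mountinfo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$ORIG_SNAPSHOT" | check_readonly /boot /usr \
        && echo "original namespace: /boot and /usr still read-only"
    printf '%s\n' "$NS_SNAPSHOT" | check_readonly /boot /usr 2>/dev/null \
        || echo "unshared namespace: /boot and /usr writable, as intended"
fi
```

Run with `sh check_ro.sh demo` to see both constructed snapshots evaluated; on a live system, run `check_readonly /boot /usr < /proc/$PPID/mountinfo` from inside the unshared shell after `apt upgrade` to confirm the original namespace was not affected.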