On Sat, Apr 13, 2013 at 10:09:19AM -0400, Darrel wrote: > > I have a specific goal and am seeking opinions. The goal is to > make small, readily-reproducible read-only routing devices. The > device will serve either as a gateway or bridge with main functions > such as filtering traffic, vpn, potential to graph traffic and the > like.
> cd-rom is familiar yet some folks are using usb sticks and perhaps > even other media that I have not considered yet. I'm doing something similar here (albeit with a different goal) with read-only thin client images. Don't use CD-ROM but have used variously USB flash drives, CompactFlash and disk on modules (essentially tiny SSDs). One thing I'll say straight away is that you do want something read-write at least for development and probably even for production even if the ultimate aim is for read-only operation - the ability to remount the root read-write, make some changes and reboot is essential. I begun with essentially a regular install onto a USB drive - it wasn't even read-only to begin with - and got the normal site- and system- dependent stuff out of the way - network, NIS and Kerberos, packages etc - as you would for any other system. >From memory the additional steps to go read-only are: Sort out an MFS /var and symlink /tmp to /var/tmp. /var does need to be populated at start up which I do from a tarball in an rc.d script. The contents are from the existing /var but I trimmed out the packages stuff - /var/db/pkg and /var/db/pkg.refcount - since it gets quite large quite quickly and isn't needed except when performing package maintainence. The root filesystem image retains a real /var so I can boot single-user to do that kind of stuff in a persistent manner, the MFS /var is simply mounted over the top of it to give a read-write /var when the root is read-only. Since my application was thin clients those naturally get rebooted and reset regularly (they are powered off at the end of the day) which solves the problem of log files filling up the MFS /var, but for your kind of application which is likely to be long-running you'll probably need some kind of log file trimming thing going on. Clear out /dev apart from the MAKEDEV script so the kernel creates an MFS /dev on boot Stop any unneeded and problematic stuff from starting. The notes I have here say to delete /etc/rc.d/postfix and /etc/rc.d/swap2 Finally adjust /etc/fstab to mount the root readonly at boot. Watch out for any console messages or log entries from things complaining they can't do any writes - there probably are things I've forgotten about. I do have a directory supposedly with all modified files from a standard installation here which I've tarred up and put at http://andrews.freeshell.org/mail/20130416.netbsd-users/fs-mods.tar.gz That may well serve as a useful starting point although it isn't as complete as it is supposed to be. You'll need to go through those with a certain amount of discretion since it's a mixture of what is needed for read-only operation and site-specific configuration. -- Andrew Smallshaw [email protected]
