On Mon, 9 Jul 2012 10:51:11 +0200 Tom Gundersen <teg@xxxxxxx> wrote:
> [...]
>
> What should work (but might not!): /etc and /usr (and /lib, /sbin,
> /bin) should be able to be mounted read-only. I expect you'll have to
> figure out how to deal with /etc/resolv.conf, I wonder if
> NetworkManager has learnt how to deal with this gracefully since I
> last checked...

This has been working for quite some time on all my machines. The only real problem is cups, which wants to write to /etc/cups, and upstream refuses to fix this. Debian has some patches which offer only a partial solution. I solved it by recompilation with --sysconfig=/var/lib/cups.

Assuming DHCP, the resolv.conf file can be protected in two ways:

(i) For dhcpcd, use "nohook resolv.conf" in dhcpcd.conf and use a predefined DNS server (like 192.168.1.1 or any public DNS provider); this also works with netcfg.

(ii) For other DHCP clients (dhclient perhaps) one can replace /etc/resolv.conf with a symlink to /run/resolv.conf. This was a discussion on the gnome dev ML some time ago, and I don't know whether this fix was accepted "officially" anywhere or remained a folk story.

AFAIK, but this can be wrong, the real problem with NM is not having a read-only resolv.conf, but protecting /etc/hosts... However, having NM on a server sounds like a bad idea to start with.

>
> What will not work: as Rodrigo said, you'll still need /var to be
> mounted read-write, the point of /var is for applications to be able
> to write to it. Moreover, /var must be unique to each installation,
> and cannot be shared (you can put it on an NFS share though, just make
> sure you have one for each machine). Moreover, even if /etc/ is
> mounted read-only, you probably want one per machine. You might get
> away with sharing it, but then all your hostnames will be the same for
> instance. Importantly: you don't want /etc/machine-id to be shared by
> different machines (as it needs to be unique). If you do decide to
> share /etc, you can replace /etc/machine-id by an empty file and
> systemd will create a random one at every boot (in /run) and use that
> instead, so you should be fine in this respect.
>
> HTH,
>
> Tom

-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
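The three read-only-/etc preparations discussed in this message (dhcpcd's "nohook resolv.conf" with a pinned resolver, the /etc/resolv.conf -> /run/resolv.conf symlink for other DHCP clients, and Tom's empty /etc/machine-id for a shared /etc), written out as an added example script. This is not code from the thread or from any of the projects named in it. It takes a root directory argument so it can be exercised on a staging tree; on a real box you would pass "/". The 192.168.1.1 resolver is the example address from the message and is only a placeholder; everything else is an assumption of this script.

```shell
#!/bin/sh
# Added example: prepare a root tree so /etc can be mounted read-only.
# Only "$root/etc" and "$root/run" are touched. Pass "/" on a real system.
set -eu

# Option (i): stop dhcpcd from rewriting resolv.conf ("nohook resolv.conf"
# is a real dhcpcd.conf directive) and write a static resolv.conf once.
# Assumed default resolver: 192.168.1.1 (placeholder from the thread).
ro_prep_dhcpcd() {
    root=$1; dns=${2:-192.168.1.1}
    conf="$root/etc/dhcpcd.conf"
    mkdir -p "$root/etc"
    touch "$conf"
    # idempotent: only append the directive if it is not already present
    grep -qx 'nohook resolv.conf' "$conf" || printf 'nohook resolv.conf\n' >> "$conf"
    # resolv.conf is now static, so it can live on the read-only /etc
    rm -f "$root/etc/resolv.conf"
    printf 'nameserver %s\n' "$dns" > "$root/etc/resolv.conf"
}

# Option (ii): point /etc/resolv.conf at the writable /run tmpfs so any
# DHCP client that insists on writing it writes to /run instead.
ro_prep_symlink() {
    root=$1
    mkdir -p "$root/etc" "$root/run"
    rm -f "$root/etc/resolv.conf"
    ln -s /run/resolv.conf "$root/etc/resolv.conf"
}

# Shared /etc: truncate machine-id so systemd generates a per-boot one in /run.
ro_prep_machine_id() {
    root=$1
    mkdir -p "$root/etc"
    : > "$root/etc/machine-id"
}

# Audit. Returns 0 if resolv.conf handling is safe for a read-only /etc;
# with a second argument of 1 also requires an empty machine-id (shared /etc).
# Prints what is wrong, one line per problem.
ro_check() {
    root=$1; shared=${2:-0}; rc=0
    if [ -L "$root/etc/resolv.conf" ]; then
        case $(readlink "$root/etc/resolv.conf") in
            /run/*) ;;
            *) echo "resolv.conf symlink does not point into /run"; rc=1 ;;
        esac
    elif ! grep -qx 'nohook resolv.conf' "$root/etc/dhcpcd.conf" 2>/dev/null; then
        echo "resolv.conf is a regular file and a DHCP hook may rewrite it"; rc=1
    fi
    # -s is false for a missing file too; systemd handles both the same way
    if [ "$shared" = 1 ] && [ -s "$root/etc/machine-id" ]; then
        echo "machine-id is non-empty: do not share this /etc"; rc=1
    fi
    return $rc
}
```

Usage on a live system is `ro_prep_dhcpcd / 10.0.0.53` or `ro_prep_symlink /`, then `ro_prep_machine_id /` only if that /etc is going to be shared, then `ro_check / 1` before adding `ro` to the /etc mount options. The audit deliberately treats a regular resolv.conf without the dhcpcd directive as a failure, because that is exactly the file the first boot after remounting read-only will fail to write.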