Read Only Raspbian

From SoMakeIt


Sometimes you need a Raspberry Pi to survive unclean shutdowns or having the SD card pulled out, or you're just sick of the card getting corrupted. These are instructions for ruggedising your Raspbian image so it is far less likely to get messed up. Derived mostly from https://wiki.debian.org/ReadonlyRoot.


Install raspbian

Install Raspbian to an SD card as per the instructions, either the regular or lite image, then boot and log into your Pi.

These instructions were written for Raspbian based on Debian jessie.

Ruggedise

Expand the Filesystem

Partitioning

We will create a new partition layout with the existing /boot, a slightly bigger / (root), and a new /var to hold any files that need to be writable.

Run

sudo fdisk /dev/mmcblk0

Type p and hit return, then write down the Start of /dev/mmcblk0p2:

Command (m for help): p
Disk /dev/mmcblk0: 7.5 GiB, 8068792320 bytes, 15759360 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6f92008e

Device         Boot   Start      End Sectors  Size Id Type
/dev/mmcblk0p1         8192   131071  122880   60M  c W95 FAT32 (LBA)
/dev/mmcblk0p2       131072  13019679 13150751 1.3G 83 Linux

Delete partition 2 (yes, really) by typing these letters (remember to press enter after each one). This only removes the entry from the partition table, not the data: the new partition 2 will start at exactly the same sector, so the existing root filesystem is untouched.

d
2

Now make a new partition 2 in the same starting location but bigger, replacing <these sections> with the correct number. (Newer versions of fdisk notice the old ext4 signature and ask whether to remove it: answer N, that filesystem is exactly what we want to keep.)

n
p
2
<The exact number from Start before (131072 for me)>
+<Half the size of your SD card (eg '4' for an 8GB card)>G

Now print the table again with p and write down the End of /dev/mmcblk0p2

Now make a new partition 3 in the rest of the space:

n
p
3
<The End of partition 2, PLUS ONE>
<just press return to let it use the rest of the SD card>

If that all went well, type w and press enter to save the new partition table. Otherwise press q to forget everything you just did and start again.

Expand the root filesystem in partition 2

fdisk may warn that it could not re-read the partition table because the disk is in use; partprobe tells the kernel about the new layout, and resize2fs then grows the filesystem into the larger partition (this works while / is mounted). If partprobe itself fails with 'Device or resource busy', reboot and run the resize2fs line afterwards.

sudo partprobe
sudo resize2fs /dev/mmcblk0p2

Make the new filesystem in partition 3

sudo mke2fs -t ext4 /dev/mmcblk0p3

Mount the new filesystem and move things into it

sudo mount /dev/mmcblk0p3 /mnt/

Copy the contents of /var into it. cp -a preserves ownership, permissions, timestamps and symlinks, and the trailing /. also picks up any dot-files:

sudo cp -a /var/. /mnt/

Make a new place to keep /srv (if you already have anything in /srv, copy it with cp -a instead):

sudo mkdir -p /mnt/local/srv

Copy home into the new location:

sudo cp -a /home /mnt/local/

Some files in /etc are written to at runtime even on a read-only root; point each at a writable location.

Link mtab to the kernel's dynamic copy (if it is already a symlink, rm handles that too):

sudo rm /etc/mtab
sudo ln -s /proc/self/mounts /etc/mtab

Link resolv.conf to a writable location. /mnt is what becomes /var after the reboot, so the file is moved to /mnt/local now, but the link points at its final path, /var/local/resolv.conf:

sudo apt-get install resolvconf
sudo mv /etc/resolv.conf /mnt/local/resolv.conf
sudo ln -s /var/local/resolv.conf /etc/resolv.conf

Remove /etc/network/run and reconfigure ifupdown

sudo rm /etc/network/run
sudo dpkg-reconfigure ifupdown

Modify fstab

Now we modify the filesystem table.

Use your favourite text editor to open /etc/fstab and make it look like this. Check the device names against your fdisk output, and keep the bind lines after the /var line, because fstab is processed in order and they mount directories that live inside /var:

proc            /proc           proc    defaults                0       0
# 'ro' added to the /boot and / options: nothing on them is written during normal operation
/dev/mmcblk0p1  /boot           vfat    defaults,ro             0       2
/dev/mmcblk0p2  /               ext4    defaults,noatime,ro     0       1
# No swap line: you probably don't want swap if you're looking to ruggedise your pi.
# If you do, use a swap file at /var/swap (dphys-swapfile swap[on|off]), not a partition.
# /tmp is a RAM disk; this dedicates up to 100MB of RAM to it and never touches the SD card
tmpfs           /tmp            tmpfs   nodev,nosuid,size=100M  0       0
# the new partition 3 is /var, the only part of the card that stays writable
/dev/mmcblk0p3  /var            ext4    defaults,noatime        0       2
# /srv and /home are really directories in /var, bind-mounted into place
/var/local/srv  /srv            none    bind                    0       0
/var/local/home /home           none    bind                    0       0

Reboot

Now reboot and you will be in read-only mode:

sudo reboot

Making changes

If you need to make changes, like installing new packages, you can do it like so:

Enter read/write mode:

sudo mount -o remount,rw /
sudo mount -o remount,rw /boot

Make your changes, eg:

sudo raspi-config
sudo apt-get install vim

Return to read-only mode:

sudo mount -o remount,ro /boot
sudo mount -o remount,ro /
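The remount dance above is easy to get half right: an apt-get that fails, or a Ctrl-C, leaves the card writable until you remember to remount. The following is an added example, not part of the original page, that wraps a command so / and /boot always go back to read-only, plus a check that reads the mount table rather than trusting what you think you typed. It assumes the fstab layout above (/ and /boot read-only, /var read-write); the function names are mine, and the optional second argument of mount_is_ro exists only so the check can be tried against a saved copy of /proc/self/mounts.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes the fstab above:
# / and /boot mounted ro, /var (and the bind mounts under it) rw.

# mount_is_ro MOUNTPOINT [MOUNTS_FILE]
# Exit 0 if MOUNTPOINT is mounted read-only, 1 if read-write, 2 if it is not
# a mount point at all. Reads /proc/self/mounts unless a saved copy is given
# (that argument exists only so the check can be tried on a sample table).
mount_is_ro() {
    ro_mp=$1
    ro_table=${2:-/proc/self/mounts}
    # Fields: device mountpoint fstype options dump pass. The last line for a
    # mount point wins, since a later mount shadows an earlier one.
    ro_opts=$(awk -v mp="$ro_mp" '$2 == mp { o = $4 } END { print o }' "$ro_table")
    [ -n "$ro_opts" ] || return 2
    case ",$ro_opts," in
        *,ro,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Put / and /boot back to read-only. Used on the normal path and from the
# signal trap, so an interrupted apt-get never leaves the card writable.
rw_cleanup() {
    mount -o remount,ro /boot
    mount -o remount,ro /
}

# rw_run COMMAND [ARGS...]
# Remount / and /boot read-write, run COMMAND, then remount read-only again
# whether or not COMMAND succeeded. Returns COMMAND's exit status.
rw_run() {
    mount -o remount,rw / || return 1
    if ! mount -o remount,rw /boot; then
        mount -o remount,ro /
        return 1
    fi
    trap 'rw_cleanup; exit 130' INT TERM
    "$@"
    rw_rc=$?
    trap - INT TERM
    rw_cleanup
    return $rw_rc
}

# Typical use from a root shell that has sourced this file:
#   rw_run apt-get install vim
#   mount_is_ro / && echo "root is read-only again"
```

Save it as, say, /opt/rwtools.sh (while read/write) and use it as sudo sh -c '. /opt/rwtools.sh; rw_run apt-get install vim'. The check parses /proc/self/mounts because that is the kernel's view; /etc/mtab is only a link to it after the change above, and a stale mtab on a read-only root would otherwise lie to you.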

Installing your own code

If you run software you wrote on your pi, like something in your home directory or a cloned git repository, you probably want it protected by read-only mode too. Your home directory is no good for this, because it is read/write (it lives in /var). Follow these guidelines to make your software rugged too:

  • Copy your project to a directory in /opt, like /opt/bracken/my-project/my-project.py (remember to switch to read/write mode to do this).
  • If it's a git repository, clone it in /opt.
  • If your program writes files you want to keep, put them in /var, like /var/my-project/database.db.
  • If your program writes temporary files, put them in /tmp; this doesn't write to the SD card at all.
  • Put your logs in /var somewhere, or better yet use the system logger: look up 'syslog' for whatever programming language you use. Or start your program from a systemd service file; anything you print then goes to the system log (journal).
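Putting those guidelines together, here is an added example (not from the original page) of installing a project under this scheme: the code goes under /opt on the read-only root, its data directory under /var, and a systemd unit starts it from that data directory so anything it prints lands in the journal rather than in a file it has to manage itself. The project name, the /opt/bracken prefix from the bullet above, the pi user and the /usr/bin/python3 interpreter path are assumptions; the optional ROOT argument exists only so the layout can be tried in a scratch directory instead of the real filesystem.

```shell
#!/bin/sh
# Added example, not part of the original page. Lays out a program for a
# read-only root: code under /opt (ro), state under /var (rw), output to the
# journal via systemd. Prefix /opt/bracken, user 'pi' and the python3 path
# are assumptions; adjust them for your own code.

# install_project NAME SRC_DIR [ROOT]
#   Copies SRC_DIR to ROOT/opt/bracken/NAME, creates ROOT/var/NAME for the
#   program's writable data, and writes ROOT/etc/systemd/system/NAME.service.
#   ROOT defaults to the real filesystem and is only there for trying it out.
install_project() {
    ip_name=$1
    ip_src=$2
    ip_root=${3:-}
    ip_prog="$ip_root/opt/bracken/$ip_name"
    ip_data="$ip_root/var/$ip_name"
    ip_unit="$ip_root/etc/systemd/system/$ip_name.service"

    mkdir -p "$ip_prog" "$ip_data" "$ip_root/etc/systemd/system" || return 1
    # cp -a keeps modes, times and symlinks; the trailing /. also copies dot-files
    cp -a "$ip_src"/. "$ip_prog"/ || return 1
    # the service runs as 'pi', so the data directory must be writable by it;
    # best effort, since this needs root and a 'pi' user to exist
    chown pi:pi "$ip_data" 2>/dev/null || true

    # Only $ip_name is expanded in the unit; everything else is literal.
    cat > "$ip_unit" <<EOF
[Unit]
Description=$ip_name
After=network.target

[Service]
User=pi
# Code sits on the read-only root; the working directory is the writable
# place for databases and other files the program keeps.
WorkingDirectory=/var/$ip_name
ExecStart=/usr/bin/python3 /opt/bracken/$ip_name/$ip_name.py
Restart=on-failure
# stdout/stderr go to the journal (journalctl -u $ip_name) without any
# log file on the SD card; that is systemd's default, no extra setting needed.

[Install]
WantedBy=multi-user.target
EOF
}

# Typical use, from a read/write remount of / (see "Making changes" above):
#   install_project my-project /home/pi/my-project
#   systemctl enable my-project && systemctl start my-project
```

Both the copy into /opt and the systemctl enable that follows need / remounted read/write, because enable creates a symlink under /etc/systemd/system/multi-user.target.wants/ on the root filesystem; remount read-only again once the service is running. /var/my-project and the journal under /var/log stay writable at all times, which is exactly the split the page is after.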