Build a Read only system with OpenBSD
Posted on 2016-07-12 12:06:00 by Vincent in OpenBSD, Firewall, Nas
When you have machines that must run 24x7, you must take into account the problem of power cuts. To my eyes there are two possible solutions:
- use a UPS
- have a read-only operating system
In this post, I'll describe how you can easily transform your OpenBSD machine into a read-only system.
In my case I do such installations on small USB sticks; 4GB or more is perfect for that.
Please note that in this case we will use the whole USB disk.
Let's see the different steps.
Step 1:
Erase and format your USB stick with at least one OpenBSD slice. If you need it, you could have other slices with a VFAT filesystem in order to exchange files with other operating systems.
In a later post I'll explain how to have such a second slice with VFAT on it.
In my case, my USB stick is known by my OpenBSD desktop as sd3.
So, to erase all existing layout on the USB stick, I run: fdisk -iy sd3
Now unplug your USB stick from the machine.
Step 2:
Reboot your main machine using the bsd.rd installed on its main hard drive (check openbsd.org if you need more details).
But before launching bsd.rd, plug your USB stick into the machine.
Step 3:
Perform a standard installation on your USB disk (it should be sd3) with a few changes for the disk part: use the whole disk for OpenBSD.
You will have something like this:
:~#fdisk sd3
Disk: sd3 geometry: 1946/255/63 [31266816 Sectors]
Offset: 0 Signature: 0xAA55
Starting Ending LBA Info:
#: id C H S - C H S [ start: size ]
-------------------------------------------------------------------------------
0: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
1: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
2: 00 0 0 0 - 0 0 0 [ 0: 0 ] unused
*3: A6 0 1 2 - 1945 254 63 [ 64: 31262426 ] OpenBSD
Partition your USB disk with “a:” having at least 4GB. If you have more space, you can put the rest of the disk space into an “i:” partition.
So do not accept the “auto layout”, and make sure that you have “a:” mounted as “/”.
You will have something like this:
16 partitions:
# size offset fstype [fsize bsize cpg]
a: 8401920 64 4.2BSD 2048 16384 1 # /
c: 31266816 0 unused
i: 22860480 8401984 4.2BSD 2048 16384 1 # /data
(/data is optional)
You can select the “sets” you want to install, but in most cases I do not take the “game”, “X” and “comp” sets.
Step 4:
Once the installation is finished, reboot your machine with the USB stick in it so that you boot from the USB disk. Please note that your BIOS must be configured to allow booting from USB drives.
Step 5:
Edit /etc/fstab.
a) Set the mount option of “/” to “ro” instead of “rw”. Usually this is the first line.
b) Optionally add your “i:” slice in “rw”, but with “noauto”:
<your duid>.i /data ffs rw,noauto 1 1
c) Then add the following 3 lines:
swap /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap /dev mfs rw,-P=/cfg/dev,-s=32m 0 0
swap /tmp mfs rw,-s=64m 0 0
I suggest you read the mount_mfs man page. But in short, we create 3 memory filesystems: 800MB of RAM for /var, 32MB for /dev and 64MB for /tmp.
Please adapt those values to your needs and to the memory available on your target machine.
The files and directories used to populate those memory filesystems are referenced by “-P”. We will see later how to build the /cfg/var and /cfg/dev directories.
You should finally have something like this:
obsd-fw:~#more /etc/fstab
36bef1aa0754d0b2.a / ffs ro 1 1
36bef1aa0754d0b2.i /data ffs rw,noauto 1 2
swap /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap /dev mfs rw,-P=/cfg/dev,-s=32m 0 0
swap /tmp mfs rw,-s=64m 0 0
(/data is optional)
Step 6:
Copy the required files to /cfg:
mkdir /cfg
cp -Rp /var /cfg/
cp -Rp /dev /cfg/
Step 7:
Create a script which will facilitate the updates of /cfg/var:
obsd-fw:~#more /root/var_to_cfg.sh
#!/bin/sh
# Copy the in-memory /var back to its on-disk master copy in /cfg/var.
echo "update /cfg/var"
mount -uw /            # make "/" writable for the duration of the copy
cp -Rp /var /cfg/      # no trailing slash: copy /var itself, so it lands in /cfg/var
sync
mount -ur /            # back to read-only
chmod +x /root/var_to_cfg.sh
Personally, I add this small script to my /etc/daily.local and/or to /etc/rc.shutdown:
obsd-fw:~#more /etc/rc.shutdown
echo "rc.shutdown ..."
/root/var_to_cfg.sh
This will ensure you have a correct sync between the /var in memory and the one on disk (in /cfg/var).
That's it!
Now you can reboot on your read-only USB stick with OpenBSD as operating system.
After rebooting you will have something like this:
obsd-fw:~#mount
/dev/sd0a on / type ffs (local, read-only)
mfs:22943 on /var type mfs (asynchronous, local, size=1638400 512-blocks)
mfs:31666 on /dev type mfs (asynchronous, local, size=65536 512-blocks)
mfs:12284 on /tmp type mfs (asynchronous, local, size=131072 512-blocks)
obsd-fw:~#df -h
Filesystem Size Used Avail Capacity Mounted on
/dev/sd0a 3.9G 1.3G 2.4G 36% /
mfs:22943 775M 210M 526M 28% /var
mfs:31666 30.9M 32.0K 29.3M 0% /dev
mfs:12284 61.9M 83.0K 58.7M 0% /tmp
(in this case the “a:” slice has taken 4G, but you can see that 2G is enough)
Every time you want to edit a file, you just have to perform: mount -uw /
Once all your changes are made, please restore your filesystem to read-only by doing: mount -ur /
Step 8:
To avoid difficulties if you move this USB stick to different hardware (for example in case of a hardware failure), I strongly suggest you keep a copy of all binary drivers (firmware) for your OS.
For release 5.9 of OpenBSD you can get all of them with:
wget -r --no-parent http://firmware.openbsd.org/firmware/5.9/
So later, if you are missing a driver, you can install it via the fw_update command:
fw_update -p ./firmware.openbsd.org/firmware/5.9/
Step 9:
Do not forget that /var is volatile. Execute the script var_to_cfg.sh every time you change the content of /var and want to keep it (for example after a power cut).
A usual mistake is to forget to copy /var after you perform a pkg_add.
In that case I re-install the package and accept all warnings.
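As an added example (not from the original post), here is a small check script for the layout built in Steps 5 to 9: it verifies from the mount listing that “/” is read-only and that /var, /dev and /tmp are memory filesystems, and it lists the files in the live /var that have not yet been copied to /cfg/var, which is exactly what a power cut would throw away. The function names, the script name ro_check.sh and the sample mount listing are assumptions.

```sh
#!/bin/sh
# Added example: sanity checks for the read-only OpenBSD layout above.
# Assumes the fstab of Step 5 ("/" ro; /var, /dev, /tmp as mfs) and
# /cfg/var as the on-disk copy maintained by var_to_cfg.sh.

# check_mounts MOUNT_LISTING
# Returns 0 when "/" is read-only and /var, /dev and /tmp are mfs;
# otherwise prints each problem and returns 1.
check_mounts() {
    listing=$1
    rc=0
    printf '%s\n' "$listing" | grep -q ' on / type ffs (.*read-only' \
        || { echo "/ is not mounted read-only"; rc=1; }
    for d in /var /dev /tmp; do
        printf '%s\n' "$listing" | grep -q "^mfs:[0-9]* on $d type mfs" \
            || { echo "$d is not a memory filesystem"; rc=1; }
    done
    return $rc
}

# pending_var_changes LIVE CFG
# Prints the files under LIVE (the mfs /var) that are missing from or
# differ from CFG (/cfg/var): changes lost at the next power cut unless
# var_to_cfg.sh is run first.
pending_var_changes() {
    live=$1
    cfg=$2
    ( cd "$live" && find . -type f ) | while read -r f; do
        if [ ! -f "$cfg/$f" ] || ! cmp -s "$live/$f" "$cfg/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# Constructed sample, copied from the mount listing shown above, so the
# check can be exercised without being on the USB stick itself.
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local, read-only)
mfs:22943 on /var type mfs (asynchronous, local, size=1638400 512-blocks)
mfs:31666 on /dev type mfs (asynchronous, local, size=65536 512-blocks)
mfs:12284 on /tmp type mfs (asynchronous, local, size=131072 512-blocks)'

# On the live system run: sh ro_check.sh --live
if [ "${1:-}" = "--live" ]; then
    check_mounts "$(mount)" && echo "mount layout OK"
    echo "files in /var not yet copied to /cfg/var:"
    pending_var_changes /var /cfg/var
else
    check_mounts "$SAMPLE_MOUNT" && echo "sample layout OK"
fi
```

Running it from /etc/daily.local next to var_to_cfg.sh gives a daily report of anything that would not survive a power cut.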
Lessons learned
Personally, I have such a read-only system on several of my machines: firewall, hifi and NAS. (I'll provide more details in later posts.)
All those machines back up their config files every night to my NAS. This facilitates a re-install. So, all included, the upgrade to a new OpenBSD release, every 6 months, takes less than 2 hours.
Moreover, such systems on USB sticks allow me to easily play with "business continuity". Indeed, I always keep a second USB stick with the older configs and older OS.
NOTE: A similar read-only system exists in flashrd, but it includes much more functionality.