
Vincent's Blog

Pleasure in the job puts perfection in the work (Aristotle)

Build a Read only system with OpenBSD

Posted on 2016-07-12 12:06:00 from Vincent in OpenBSD Firewall Nas

When you have machines that must run 24x7, you must take the problem of power cuts into account. To my eyes there are two possible solutions:

  • use a UPS
  • have a read-only operating system

In this post, I'll describe how you can easily transform your OpenBSD machine into a read-only system.

In my case I do such installations on small USB sticks; a stick of at least 4GB is perfect for that.
Please note that in this case we will use the whole USB disk.

Let's see the different steps.

Step 1:

Erase and format your USB stick with at least one OpenBSD slice. If you need it, you can have other slices with a VFAT filesystem in order to exchange files with other operating systems.
In a next post I'll explain how to have such a second slice with VFAT on it.

In my case, my USB stick is known by my OpenBSD desktop as sd3.
So, to erase all existing layout on the USB stick, I perform: fdisk -iy sd3
Now unplug your USB stick from the machine.

Step 2:

Reboot your main machine using the bsd.rd installed on its main hard drive (check if you need more details).
But before launching bsd.rd, plug your USB stick into your machine.

Step 3:

Perform a standard installation on your USB disk (it should be sd3) with some small changes for the disk part: use the whole disk for OpenBSD.

You will have something like this:

:~#fdisk sd3
Disk: sd3       geometry: 1946/255/63 [31266816 Sectors]
Offset: 0       Signature: 0xAA55
            Starting         Ending         LBA Info:
#: id      C   H   S -      C   H   S [       start:        size ]
0: 00      0   0   0 -      0   0   0 [           0:           0 ] unused      
1: 00      0   0   0 -      0   0   0 [           0:           0 ] unused      
2: 00      0   0   0 -      0   0   0 [           0:           0 ] unused      
*3: A6      0   1   2 -   1945 254  63 [          64:    31262426 ] OpenBSD

Partition your USB disk with “a:” having at least 4GB. If you have more space, you can put the rest of the disk space into an i: partition.

Thus, do not accept the “auto layout” and make sure that you have “a:” mounted as “/”.

You will have something like this:

16 partitions:
#              size           offset  fstype [fsize bsize  cpg]
a:          8401920               64  4.2BSD   2048 16384    1 # /
c:         31266816                0  unused                   
i:         22860480          8401984  4.2BSD   2048 16384    1 # /data

(/data is optional)

You can select the “sets” you want to install, but in most of my cases I do not take the “game”, “X” and “comp” sets.

Step 4:

Once the installation is finished, reboot your machine with the USB stick in it so that you boot from your USB disk. Please note that your BIOS must be configured to allow booting from USB drives.

Step 5:

Edit /etc/fstab:

a) change the mount option of “/” from “rw” to “ro”. Usually this is on the first line.

b) optionally add your “i:” slice in “rw”, but with “noauto”:

<your duid>.i /data ffs rw,noauto 1 1

c) then add the 3 following lines:

swap        /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap        /dev mfs rw,-P=/cfg/dev,-s=32m  0 0
swap        /tmp mfs rw,-s=64m  0 0

I suggest you read the mount_mfs(8) man page. But in short, we create 3 memory filesystems with 800MB of RAM for /var, 32MB of RAM for /dev and 64MB of RAM for /tmp.
Please adapt those values to your needs and to the memory available on your target machine.

The files and directories used to populate those memory filesystems are referenced by “-P”. We will see later how to build the /cfg/var and /cfg/dev directories.

You should finally have something like this:

obsd-fw:~#more /etc/fstab
36bef1aa0754d0b2.a / ffs ro 1 1
36bef1aa0754d0b2.i /data ffs rw,noauto 1 2
swap   /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap   /dev mfs rw,-P=/cfg/dev,-s=32m 0 0
swap   /tmp mfs rw,-s=64m 0 0

(/data is optional)
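As an added check (example code, not from the post): the shell functions below read an fstab and verify the layout described above, i.e. that / is mounted ro and that /var, /dev and /tmp are mfs mounts, with /var and /dev populated from a -P= directory. The two fstab samples at the end are constructed for the demo (the first is the one shown above, the second deliberately broken); on the real system run `check_fstab /etc/fstab` after editing, or from /etc/daily.local to catch a root that was left read-write.

```shell
#!/bin/sh
# Added example: verify that an fstab follows the read-only layout of this post.
# Exit status 0 means everything is as expected; otherwise one problem per line
# is printed and the status is 1.

# fstab_field FILE MOUNTPOINT N: print field N (3 = fstype, 4 = options) of the
# entry whose mount point is MOUNTPOINT; empty output if there is no such entry.
# Comment lines are skipped.
fstab_field() {
    awk -v mp="$2" -v n="$3" '$1 !~ /^#/ && $2 == mp { print $n; exit }' "$1"
}

# has_opt OPTS NAME: true if the comma-separated OPTS list contains NAME exactly.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# has_opt_prefix OPTS PREFIX: true if some option starts with PREFIX (e.g. "-P=").
has_opt_prefix() {
    case ",$1," in *",$2"*) return 0 ;; *) return 1 ;; esac
}

# check_fstab FILE: the actual check.
check_fstab() {
    f=$1; rc=0
    opts=$(fstab_field "$f" / 4)
    if [ -z "$opts" ]; then
        echo "no entry for /"; rc=1
    elif ! has_opt "$opts" ro; then
        echo "/ is not mounted read-only (options: $opts)"; rc=1
    fi
    for mp in /var /dev /tmp; do
        fstype=$(fstab_field "$f" "$mp" 3)
        opts=$(fstab_field "$f" "$mp" 4)
        if [ "$fstype" != mfs ]; then
            echo "$mp is not an mfs mount (fstype: ${fstype:-none})"; rc=1
        elif [ "$mp" != /tmp ] && ! has_opt_prefix "$opts" "-P="; then
            echo "$mp is mfs but has no -P= directory to populate it from"; rc=1
        fi
    done
    return $rc
}

# Constructed samples: the fstab from this post, and a broken one where /
# was left read-write and the /var and /dev mfs lines are missing.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
36bef1aa0754d0b2.a / ffs ro 1 1
36bef1aa0754d0b2.i /data ffs rw,noauto 1 2
swap   /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap   /dev mfs rw,-P=/cfg/dev,-s=32m 0 0
swap   /tmp mfs rw,-s=64m 0 0
EOF
cat > "$bad" <<'EOF'
36bef1aa0754d0b2.a / ffs rw 1 1
swap   /tmp mfs rw,-s=64m 0 0
EOF
echo "good fstab:"; check_fstab "$good" && echo "  ok"
echo "bad fstab:";  check_fstab "$bad"  || echo "  -> not a read-only layout"
rm -f "$good" "$bad"
```

The check only reads the file; it does not confirm that / is currently mounted read-only, so pair it with a look at the output of mount after boot.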

Step 6:

Copy the required files to /cfg:

mkdir /cfg
cp -Rp /var /cfg/
cp -Rp /dev /cfg/

Step 7:

Create a script which will facilitate the updates of /cfg/var:

obsd-fw:~#more /root/

#!/bin/sh
# copy the in-memory /var back to /cfg/var on disk
echo "update /cfg/var"
mount -uw /          # remount / read-write
cp -Rp /var /cfg/    # no trailing slash on /var: cp(1) would otherwise copy its contents into /cfg itself
mount -ur /          # back to read-only

chmod +x ./

Personally, I add this small script to my /etc/daily.local
and/or to /etc/rc.shutdown:

obsd-fw:~#more /etc/rc.shutdown

echo "rc.shutdown ..."

This ensures a correct sync between the /var in memory and the one on disk (in /cfg/var).
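A more defensive version of the sync step, as an added example (not the post's script): it keeps / writable only for the duration of the copy, remounts it read-only even when the copy fails, returns the copy's status so a cron job can notice a failed sync, and strips any trailing slash from the source, since with BSD cp "cp -R /var/ /cfg/" copies the contents of /var straight into /cfg rather than into /cfg/var. The directories are parameters so the copy can be tried on throwaway directories; the demo at the end exercises only copy_tree on constructed temporary data, because remounting needs the real root.

```shell
#!/bin/sh
# Added example: persist the memory-backed /var to its on-disk copy in /cfg/var.

# copy_tree SRC DST: copy the directory SRC itself into DST (copy_tree /var /cfg
# refreshes /cfg/var), preserving ownership, modes and timestamps. Any trailing
# slash on SRC is stripped deliberately: with BSD cp, "cp -R /var/ /cfg/" copies
# the *contents* of /var straight into /cfg, which is not what we want.
copy_tree() {
    src=${1%/}
    dst=${2%/}
    [ -d "$src" ] || { echo "copy_tree: $src is not a directory" >&2; return 1; }
    mkdir -p "$dst" || return 1
    cp -Rp "$src" "$dst/"
}

# sync_to_disk [LIVE] [CFG]: remount / read-write, copy, remount read-only.
# The read-only remount happens whether or not the copy succeeded, and the
# function's status is the copy's status, so daily.local or rc.shutdown can
# tell whether the on-disk copy is up to date.
sync_to_disk() {
    live=${1:-/var}
    cfg=${2:-/cfg}
    echo "update $cfg/$(basename "$live")"
    mount -uw / || { echo "sync_to_disk: cannot remount / read-write" >&2; return 1; }
    copy_tree "$live" "$cfg"
    rc=$?
    mount -ur / || echo "sync_to_disk: WARNING: / is still read-write" >&2
    return $rc
}

# Demo on constructed temporary directories (remounting needs the real root,
# so only copy_tree is exercised here). Note the trailing slash on the source.
work=$(mktemp -d)
mkdir -p "$work/live/var/db"
echo "constructed sample" > "$work/live/var/db/sample"
copy_tree "$work/live/var/" "$work/cfg" && ls -R "$work/cfg"
rm -rf "$work"
```

Note that cp -Rp only adds and overwrites; a file removed from the live /var (for example by pkg_delete) stays in /cfg/var and comes back at the next boot.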

That's it!!!!!

Now you can reboot on your read-only USB stick running OpenBSD as its operating system.

After reboot you will finally have something like this:

obsd-fw:~#mount
/dev/sd0a on / type ffs (local, read-only)
mfs:22943 on /var type mfs (asynchronous, local, size=1638400 512-blocks)
mfs:31666 on /dev type mfs (asynchronous, local, size=65536 512-blocks)
mfs:12284 on /tmp type mfs (asynchronous, local, size=131072 512-blocks)

obsd-fw:~#df -h

Filesystem     Size    Used   Avail Capacity  Mounted on
/dev/sd0a      3.9G    1.3G    2.4G    36%    /
mfs:22943      775M    210M    526M    28%    /var
mfs:31666     30.9M   32.0K   29.3M     0%    /dev
mfs:12284     61.9M   83.0K   58.7M     0%    /tmp

(In this case the “a:” slice has taken 4G, but you can see that 2G is enough.)

Every time you want to edit a file, you just have to perform: mount -uw /
Once all your changes are made, please restore your filesystem to read-only by doing: mount -ur /

Step 8:

To avoid difficulties if you move this USB stick to different hardware (for example in case of hardware failure), I strongly suggest you keep a copy of all the binary drivers (firmware files) for your OS.

For release 5.9 of OpenBSD you can get all of them by performing the following:

wget -r --no-parent

So, later, if you are missing a firmware file you can install it via the fw_update command:
fw_update -p ./

Step 9:

Do not forget that /var is volatile. Execute the script every time you change the content of /var and want to keep it (for example after a power cut).

A usual mistake is to forget to copy /var after you perform some pkg_add.
In such a case I re-install the package and accept all warnings.

Lessons learned

Personally, I have such a read-only system on several of my machines: firewall, hifi and NAS. (I'll provide more details in next posts.)

All those machines back up their config files every night on my NAS. This facilitates the re-install. So, all included, the upgrade to the new OpenBSD release, every 6 months, takes less than 2 hours.

Moreover, such systems on USB sticks allow me to easily play with "business continuity". Indeed, I always keep a second USB stick with the older configs and older OS.

NOTE: A similar read-only system exists in flashrd, but it includes many more features.
