Make a read-only machine with OpenBSD
Posted on 2024-08-18 22:17:00 from Vincent in OpenBSD
In a post of 2016 I explained how to build a Read-Only OpenBSD machine.
Because in the recent OpenBSD systems we have new components, this post will update the situation.
I remind that a read-only machine is a machine where most filesystems are read-only. As consequence you can cut power of the machine without damaging the filesystems.
Personally, I'm using such system for my firewalls and my hifi OpenBSD system.
Introduction
Despite the filesystem used by OpenBSD is quite resistant and support easily power cuts, I do not want to see some of my machines not been able to restart after a power cut. I do not have frequent power cuts at home, but for machines running 24x7 those power cuts are the main reasons for restart of those machines.
It means that I have more power cuts per years that I have OpenBSD upgrade ;)
Most of those power cuts are cuts of few seconds. So when you are not at home, you did not notice them. But machines running 24x7, this is too long cut and they restart with a filesystem check which mostly required a manual intervention. Annoying when I'm abroad.
More over, having a read-only filesystem allow you to put the whole OpenBSD on an USBkey. Fewer write, longer will run such USBkey. In the past, with spinning disks, this was an economy of few watt. Now with ssd and NVMe this is less relevant.
What are the steps to build such Read-Only system
Step 1: prepare your disk
You have to clean you targeted disk. It can be an USBKey or SDD or spinning disk, ...
From an OpenBSD running machine, plug in your targeted disk.
Verify via dmesg which disk driver has been assigned to him. In my case this is sd3
# fdisk -iy sd3
Then unplug it from your machine.
Step 2: install OpenBSD
What I usually do is to reboot my laptop with bsd.rd.
So, verify you have well the file /bsd.rd on your OpenBSD machine. And reboot it.
Once you arrive to the "boot prompt", just enter "bsd.rd" and hit enter.
Before following the installation steps, just plugin your USBkey or the targeted disk on your USB slot.
Once at the step to select the installation disk, be VERY CAREFUL and select you USB disk. Do not select your internal disk, this will erase your laptop/desktop setup.
Except this, follow the normal installation steps and reboot the machine. Personally, I do not install X related packages and unselect the "game" package. It's up to you.
In my case I use a custom filesystem layout with only 1 filesystem where all files will reside. You are not forced to do that, but this explain why in the next steps here bellow you will only see "/" in /etc/fstab
I recommend to remove the USB disk so that you will not execute the firmware update and "firstrun" from this machine. It's better to perform such 1st run on the targeted machine.
You can find a bit more details on this step on my old blog post
Step 3: add memory filesystems
Plugin this new disk on your targeted machine and boot it. So, /etc/rc.firsttime will be executed on this new OpenBSD setup.
Please note that you will have to configure network elements, so, be sure to have screen and keyboard connected to him to finalize the installation steps.
Just follow the step5 of my old blog post.
In short, you should have something like this in your /etc/fstab:
hifi:~# more /etc/fstab
36bef1aa0754d0b2.a / ffs ro,wxallow 1 1
swap /var mfs rw,-P=/cfg/var,-s=800m 0 0
swap /dev mfs rw,-P=/cfg/dev,-s=32m 0 0
swap /tmp mfs rw,-s=64m 0 0
Those mfs are memory filesystems.
This is the filesystem where read and write will occurs.
To populate those new filesystems, we have to perform the followin actions:
hifi:~# mkdir /cfg
hifi:~# cp -Rp /var /cfg
hifi:~# cp -Rp /dev /cfg
Step 4: configure this new machine
Here you have to configure the network element of your system.
I will not explain what you can find in the OpenBSD FAQ - Networking, but basically I adapt few files:
I adapt /etc/hostname.if where "if" is the interface of your machine.
I adapt /etc/mygate
To verify that those steps are correct, you can execute the following command and perform some tests
hifi:~# sh /etc/netstart
hiti:~# ping <where you want>
Step 5: Adapt few networking systems
There are few systems using /etc in read and write. We need to perform few adaptations for them.
I'll point 2 of them, but depending on your setup you could have more.
/etc/random.seed
This file is updated at each reboot process. So, the solution I propose is the following:
hifi:~# mkdir /var/etc-rw
hifi:~# cp /etc/random.seed /var/etc-rw
hifi:~# rm /etc/random.seed
hifi:~# ln -s /var/etc-rw/random.seed /etc/random.seed
/etc/resolf.conf
This file is constantly updated by the process called resolvd. Like for random.seed, I propose to symlink it to /var
hifi:~# rcctl stop resolvd
hifi:~# cp /etc/resolv.conf /var/etc-rw
hifi:~# cp /etc/resolv.conf.tail /var/etc-rw
hifi:~# rm /etc/resolv.conf
hifi:~# rm /etc/resolv.conf.tail
hifi:~# ln -s /var/etc-rw/resolv.conf /etc/resolv.conf
hifi:~# ln -s /var/etc-rw/resolv.conf.tail /etc/resolv.conf.tail
hifi:~# rcctl start resolvd
keep /cfg/var uptodate
Like previously described in my step 7, we have to create a script called "/root/var_to_cfg.sh"
hifi:~# cat /root/var_to_cfg.sh
#!/bin/sh
logger "update /cfg/var"
mount -uw /
cp -Rp /var/ /cfg/
sync
mount -ur /
hifi:~# chmod +x /root/var_to_cfg.sh
You can execute this script every time you want. Specifically after a pkg_add
But I recommend to put in /etc/rc.shutdown:
hifi:~# cat /etc/rc.shutdown
/root/var_to_cfg.sh
Complementary note
You have to look at every process using /etc in read-write. Based on your setup this could be more than what I've just described.
To help you to identify which process are writing somewhere else than /var or /tmp, I propose to use fstat
If you have installed your system on more filesystems (than just "/" like me), do not forget to adapt /etc/fstab accordingly and to adapt /root/var_to_cfg.sh so it mut all of your filesystem in read-only.
Conclusions
Thanks to such read-only systems, I do not fear that a machine is incorrectly shutdown.
Specifically for my Hifi OpenBSD machine which can be powered cut together with the other hifi components.
Please be award that links to /var/etc-rw will have to be rebuild after each upgrade os OpenBSD :(.
An alternative I've not tested is to put /etc in mfs (like for /var and /dev), and to sync it to /cfg at each reboot.
It will be the scope of another post on this blog ;)