Sunday, 30 December 2007

OpenBSD and readonly FileSystems v1.1

This is my experience in transforming an OpenBSD firewall into a machine with all filesystems mounted readonly, so that after a power failure the machine comes back up at the next boot ready to serve your LAN, without any filesystem integrity errors, just like a commercial modem or firewall.

It's possible to use a Compact Flash card instead of a hard disk!

The machine will use a memory filesystem for all the read/write activities.

Before starting, you need the bsd.rd ramdisk kernel on the boot partition. When you are ready, reboot.

The first step is to boot with the ramdisk. So:

boot wd0a:/bsd.rd

When the kernel is loaded and asks you what to do, press S to run the shell.

Now you need to mount all the ffs partitions of the system under /mnt. For example, on my machine I have only / and /usr, so I run:

mount /dev/wd0a /mnt
mount /dev/wd0d /mnt/usr

Now we chroot into the real / with:

/mnt/usr/sbin/chroot /mnt

and export some shell variables so that the system behaves correctly inside the chroot:

export TERM=vt220
export HOME=/

Now we can start modifying /etc/fstab.

vi /etc/fstab

The first thing to do is add the line:

swap /mfs mfs rw,nosuid,noatime,-P=/skel,-s=XXX 0 0

and switch all the ffs partitions to readonly (change rw to ro in their mount options).

For example, this is my fstab:

/dev/wd0a / ffs ro,softdep 1 1
swap /mfs mfs rw,nosuid,-P=/skel,-s=102400 0 0
/dev/wd0d /usr ffs ro,nodev,softdep 1 2

The -s=XXX option is the size of the memory filesystem, expressed as a number of 512-byte blocks (the unit used by mount_mfs). In my fstab, 102400 blocks gives (((102400 * 512)/1024)/1024) = 50 MB.

Now we have to make the directory that will live in RAM. I chose the /mfs directory. You can use whatever you like, but remember to update the fstab and change all the links accordingly!

mkdir /mfs

We have written in fstab (-P=/skel) that the content of the /skel directory must be copied into /mfs at boot. So from now on all the files that need to be writable will be stored in /skel. Start by doing:

mkdir /skel
mkdir /skel/dev

The first step is to move all the ptyp* and ttyp* files from /dev to /skel/dev.

This is needed because, when we use ssh to access the machine remotely, the system must change the owner and permissions of these device files. Putting them in the /mfs/dev directory, which lives in RAM (and is read/write), and pointing symbolic links at them from /dev, solves the problem.

mv /dev/ptyp* /dev/ttyp* /skel/dev/

Now we can make the right links. First we make a temporary symbolic link so that /mfs/dev points to the real path /skel/dev (at boot, /mfs/dev will be a real directory copied from /skel):

cd /mfs
ln -s /skel/dev/ .

And then:

cd /dev/
for i in /mfs/dev/* ; do ln -s $i . ; done

Now we can delete the /mfs/dev link:

rm -rf /mfs/dev

Now that the devices are OK, we must move the /root directory:

mv /root /skel/
cd /
ln -s /mfs/root .

The /tmp directory would be on a readonly filesystem, so we can't use it as it is. We have to make another tmp directory in /skel, called tmp2, and make a symlink. The name tmp2 is chosen because /var also has a tmp directory; we need both, so one must be called differently.

mv /tmp /skel/tmp2
ln -s /mfs/tmp2 /tmp

Move these directories into /skel:

/var/backups
/var/cron
/var/db
/var/empty
/var/log
/var/mail
/var/msgs
/var/named
/var/run
/var/spool
/var/tmp

and make a symlink in /var for each one:

ln -s /mfs/backups /var
ln -s /mfs/cron /var
ln -s /mfs/db /var
ln -s /mfs/empty /var
...
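The /dev, /root, /tmp and /var steps above are all the same operation (move a path into /skel, leave a symlink to its future location under /mfs) repeated by hand, and it is easy to mistype one link. The following script is an added example, not code from the original post: it wraps the steps in functions, adds a check that every relocated path really points at /mfs/<name> with a backing directory in /skel, and prints the mfs fstab line from a size in MB. The ROOT variable is an assumption of this script: empty means the real system (run it inside the chroot), a scratch directory lets you rehearse the whole procedure first. relocate_pty_nodes creates the per-device links directly instead of going through the temporary /mfs/dev link used in the post; the resulting links are the same.

```shell
#!/bin/sh
# Added example (not from the original post). ROOT="" operates on the real
# system; ROOT=/some/scratch/dir rehearses the layout on a copy.
ROOT="${ROOT:-}"

# Print the fstab line for the memory filesystem, given its size in MB.
# mount_mfs -s counts 512-byte blocks, so 50 MB -> 102400 blocks.
mfs_fstab_line() {
    mb="$1"
    blocks=$(( mb * 1024 * 1024 / 512 ))
    printf 'swap /mfs mfs rw,nosuid,noatime,-P=/skel,-s=%s 0 0\n' "$blocks"
}

# Move one directory under /skel and leave a symlink at its old path that
# points to its future RAM-backed location under /mfs. Safe to run twice.
relocate_dir() {
    src="$1"              # e.g. /var/log  (or /tmp)
    name="$2"             # e.g. log       (or tmp2)
    if [ -L "$ROOT$src" ]; then
        echo "skip: $src is already a symlink" >&2
        return 0
    fi
    mkdir -p "$ROOT/skel"
    mv "$ROOT$src" "$ROOT/skel/$name"
    ln -s "/mfs/$name" "$ROOT$src"
}

# Move the pty device nodes into /skel/dev and link each one back from /dev,
# pointing at /mfs/dev/<node>. Same result as the cd/for trick in the post.
relocate_pty_nodes() {
    mkdir -p "$ROOT/skel/dev"
    for node in "$ROOT"/dev/ptyp* "$ROOT"/dev/ttyp*; do
        [ -e "$node" ] || continue          # glob matched nothing, or already a dangling link
        [ -L "$node" ] && continue          # already relocated
        base=$(basename "$node")
        mv "$node" "$ROOT/skel/dev/$base"
        ln -s "/mfs/dev/$base" "$ROOT/dev/$base"
    done
}

# Check that every relocated path is a symlink to /mfs/<name> and that the
# backing directory exists in /skel. Each argument is "src:name".
# Returns 1 on the first mismatch.
verify_layout() {
    for pair in "$@"; do
        src=${pair%%:*}
        name=${pair#*:}
        [ "$(readlink "$ROOT$src")" = "/mfs/$name" ] || { echo "bad link: $src" >&2; return 1; }
        [ -e "$ROOT/skel/$name" ] || { echo "missing /skel/$name" >&2; return 1; }
    done
    return 0
}

# Usage inside the chroot (ROOT empty), reproducing the steps of the post:
#   mfs_fstab_line 50          # paste the output into /etc/fstab
#   relocate_pty_nodes
#   relocate_dir /root root
#   relocate_dir /tmp  tmp2
#   for d in backups cron db empty log mail msgs named run spool tmp; do
#       relocate_dir /var/$d $d
#   done
#   verify_layout /root:root /tmp:tmp2 /var/log:log /var/run:run
```

Run verify_layout again after the first reboot onto the readonly layout: a link that was created with the wrong target, or a directory that never made it into /skel, shows up as a missing path under /mfs before any daemon fails on it.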

Now the system is perfect and it will be ready to serve you.

One last note: if you plan to access the system from the console keyboard, comment out all the lines in /etc/fbtab, or you will get annoying errors every time you log in (the system tries to change the owner and permissions of the keyboard device, but that file is on a readonly filesystem).

3 comments:

Thijs said...

Just what I was looking for. Good thing you switched to blogging in english!

Surricani said...

Thanks.

I'm happy that this post is useful...

Cheers

Jacob said...

This post and Jon Hart's Soekris MFS post really inspired me to get hacking on my own MFS install.

Detailed my adventure here: http://techblagh.blogspot.com/2008/08/installing-openbsd-43-on-soekris-5501.html

Thanks.

- Jacob