title: Read Only Root
linktitle: ro-root
parent: 2012-08
ctime: 2012-08-02
mtime: 2012-08-02

For GNU/Linux desktop installations, I prefer to have the root filesystem, which
mounts to /, be mostly read-only. This means /home (user data), /var (variable
data) and /tmp (temporary data) should be mounted elsewhere. The benefits of
this approach are several, but two in particular stand out for desktop use
cases.

* It is much easier to do a clean install of the OS. User data in /home, and
  in some cases application data in /var, need not be backed up and restored
  in the process. Of course recent backups should still be available.
* A root fs that is rarely written to is a good candidate for SSD (solid state
  disk) storage. This allows one the performance benefit of SSD while
  mitigating a critical deficiency. Current SSD technology is not nearly
  as reliable as mechanical disk in read/write environments, so reducing
  writes to SSD is a productive strategy.

Placing /home on a separate partition is easy, and GNU/Linux desktop installers
have supported this for some time. And thanks to the recent introduction of
/run (see [here](http://lwn.net/Articles/436012/) to learn more), migrating
/var to a separate filesystem is now pretty easy for desktop installs.

Of course, with multiple partitions, there is the issue of what to do if one of
them fills up. A common solution is to use LVM. Volumes are given minimal
practical sizes, and then incrementally grown as required. LVM works fine on
the desktop, but requires a bit more knowledge and effort to administer.

[[!pquote text="A simpler solution is to use bind mounts"]]

A simpler solution is to use bind mounts. By bind mounting /var from /home/var
and /tmp from /home/tmp, all user, variable and temporary data are on a single
partition. The root partition will be nearly static in content and size. I
currently use a 25 GB root partition on desktop installs, and that filesystem is
generally only about 25% full, even with a large number of development tools
installed. A swap partition is present of course, and the rest of the available
hard drive storage space is assigned to the home partition, which now holds the
contents of /var and /tmp. Essentially, /home, /var and /tmp share a common
large pool of storage, so there is less need for a volume manager. I am finding
this configuration to be quite optimal for developer desktops at my company.

# Using bind mounts in a new installation

These notes assume a Xubuntu 12.04 desktop i386 installation, but a similar
process should work for other distributions and versions.

* Boot from the Xubuntu 12.04 desktop CD
* Run the installation
* Use a custom configuration when asked
* At least three partitions are required: root, swap and home
* Proceed with installation until the installer asks to reboot to continue

Before rebooting, access a shell and type the following commands:

    cd target            # where the new root filesystem is currently mounted
    cp -a var home/var   # copy var to its new storage location
    mv var var.old       # can remove later
    mkdir var            # Need some dirs and symlinks during boot for some OSes
    ln -s /run var/run
    ln -s /run/lock var/lock
    cp -a tmp home/tmp   # copy tmp to its new storage location
    mv tmp tmp.old       # can remove later
    mkdir tmp
    vi etc/fstab         # add the following 2 bind mounts to end of /etc/fstab
        /home/var /var bind defaults,bind,noatime,mode=0755 0 0
        /home/tmp /tmp bind defaults,bind,noatime,mode=1777 0 0
    sync

Now allow the installer to reboot. The system should boot up using the bind
mounts for /var and /tmp, so their contents will actually be stored in the home
partition at locations /home/var and /home/tmp, respectively. Once the system
appears to be working OK, you may remove the /var.old and /tmp.old directories.

# Upgrading to use bind mounts

First, boot from a recovery or live CD, then run commands like the following.

    mkdir -p /mnt
    mount /dev/sda1 /mnt       # replace /dev/sda1 with dev for your root
    mount /dev/sda2 /mnt/home  # replace /dev/sda2 with dev for your home
    cd /mnt
    cp -a var home/var   # copy /var to its new storage location
    mv var var.old       # can remove later
    mkdir var            # Need some dirs and symlinks during boot for some OSes
    ln -s /run var/run
    ln -s /run/lock var/lock
    cp -a tmp home/tmp   # copy /tmp to its new storage location
    mv tmp tmp.old       # can remove later
    mkdir tmp
    vi etc/fstab         # add the following 2 bind mounts to end of /etc/fstab
        /home/var /var bind defaults,bind,noatime,mode=0755 0 0
        /home/tmp /tmp bind defaults,bind,noatime,mode=1777 0 0
    sync

Now remove the CD and reboot. You should be using bind mounts. Once the system
appears to be working OK, you may remove the /var.old and /tmp.old directories.
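
Both procedures above end with a reboot onto the edited fstab. The following is an added example, not part of the original post, that checks the bind entries before that reboot: each source directory must exist and carry the mode named in its entry (1777 with the sticky bit for tmp). The function names `check_binds` and `make_sample` are hypothetical, the sample tree is constructed, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): pre-reboot check of the bind
# entries in ROOT/etc/fstab. check_binds and make_sample are hypothetical names.

# check_binds ROOT: prints one line per problem, returns the problem count.
check_binds() {
    root=$1; problems=0
    while read -r src mnt fstype opts rest; do
        case $src in ''|\#*) continue ;; esac              # blank or comment
        case ",$opts," in *,bind,*) ;; *) continue ;; esac # bind entries only
        # A bind mount exposes the source directory's own permissions, so the
        # mode= value is treated here as the mode the source should have.
        want=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^mode=0*//p')
        if [ ! -d "$root$src" ]; then
            echo "missing source directory: $src"
            problems=$((problems + 1)); continue
        fi
        if [ ! -d "$root$mnt" ]; then
            echo "missing mount point: $mnt"; problems=$((problems + 1))
        fi
        have=$(stat -c %a "$root$src")    # GNU stat, octal mode e.g. 1777
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "mode of $src is $have, expected $want"
            problems=$((problems + 1))
        fi
    done < "$root/etc/fstab"
    return "$problems"
}

# make_sample TMPMODE: constructed tree standing in for target/ or /mnt.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/etc" "$t/home/var" "$t/home/tmp" "$t/var" "$t/tmp"
    chmod 0755 "$t/home/var"; chmod "$1" "$t/home/tmp"
    cat > "$t/etc/fstab" <<'EOF'
# constructed sample: the two entries from the post
/home/var /var bind defaults,bind,noatime,mode=0755 0 0
/home/tmp /tmp bind defaults,bind,noatime,mode=1777 0 0
EOF
    echo "$t"
}

demo=$(make_sample 0755)    # sticky bit deliberately missing on home/tmp
check_binds "$demo" || echo "fix the above before rebooting"
rm -rf "$demo"
```

On the real tree, the same check is `check_binds .` from inside target, or `check_binds /mnt` from the live CD.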