Building a Read-Only Linux System With a Writable Layer in RAM
OK, so I do have a working read-only system on an SD card that allows the read/write switch to be set to read-only mode. I'm going to answer my own question, since I have a feeling I'll be looking here again for the steps, and hopefully this will help someone else out.
While setting various directories in /etc/fstab as read-only on a Red Hat Enterprise Linux 6.6 system, I found the file /etc/sysconfig/readonly-root. This piqued my interest in what this file was used for, as well as any ancillary information regarding it. In short, this file contains a line that states, "READONLY=no". Changing this line automatically loads most of the root file system as read-only while preserving necessary write operations on various directories (directories and files are loaded as tmpfs). The only changes I had to make were to set /home, /root, and a few other directories as writable through the /etc/rwtab.d directory and modify /etc/fstab to load the root file system as read-only (changed "defaults" to "ro" for root). Once I set "READONLY=yes" in the /etc/sysconfig/readonly-root file, set my necessary writable directories through /etc/rwtab.d, and made the fstab change, I was able to get the system to load read-only, but have writable directories loaded into RAM.
For more information, these are the resources that I used:
- http://www.redhat.com/archives/rhl-devel-list/2006-April/msg01045.html (specifies how to create files in the /etc/rwtab.d/ directory to load files and directories as writable)
- http://fedoraproject.org/wiki/StatelessLinux (more information on the readonly-root file and stateless Linux)
- http://warewolf.github.io/blog/2013/10/12/setting-up-a-read-only-rootfs-fedora-box/
- And, of course, browsing through /etc/rc.d/rc.sysinit shows how files and folders are mounted read-only. The readonly-root file is parsed within rc.sysinit, for those who are looking for how readonly-root is used in the init process.
Also, I did a quick verification on Red Hat Enterprise Linux 7.0, and this file is still there and works. My test environment was CentOS 6.6 and 7.0 in a virtual machine as well as RHEL 6.6 and 7.0 on a VME single-board computer.
NOTE: Once the root is read-only, no changes can be made to the root system. For example, you cannot use yum to install packages and have them persist upon reboot. Therefore, to break the read-only root, I added a grub line that removes rhgb and quiet (this is only for debugging boot issues; you can leave them if you want), and added "init=/bin/bash". This allowed me to enter into a terminal. Once at the terminal, I typed "mount -o remount,rw /" to have the system writable. Once writable, I modified (using vim) /etc/sysconfig/readonly-root to say "READONLY=no" and rebooted the system. This allows me to perform maintenance on the system by turning off read-only. If you are using an SD card like I am, then the read/write switch on the SD card needs to be set to writable.
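As an added example (not part of the answer above), here is a small dry-run checker for this kind of setup: it validates rwtab-style entries (the `empty`, `files` and `dirs` keywords that rc.sysinit reads from /etc/rwtab and /etc/rwtab.d/*) and checks a /proc/mounts-style snapshot for a read-only root and the writable tmpfs mounts. The rwtab lines and mount lines fed to it are constructed sample input; nothing is mounted.

```shell
#!/bin/sh
# Added example: offline validation of a readonly-root configuration.
# Reads rwtab-format lines on stdin. Each non-comment line must be
# "<empty|files|dirs> <absolute path>". Echoes "type path" for valid
# entries and returns 1 if any line is malformed, so a bad rwtab.d file
# is caught before a reboot leaves a directory unexpectedly read-only.
rwtab_parse() {
    rc=0
    while read -r type path extra; do
        case "$type" in
            ''|'#'*) continue ;;                     # blank line or comment
            empty|files|dirs)
                # path must be absolute and the line must have no extra field
                if [ -n "$extra" ] || [ "${path#/}" = "$path" ]; then
                    echo "bad entry: $type $path $extra" >&2; rc=1; continue
                fi
                printf '%s %s\n' "$type" "$path" ;;
            *) echo "unknown keyword: $type" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Reads /proc/mounts-style lines on stdin; returns 0 only if the entry
# for "/" carries the "ro" option (READONLY=yes plus the fstab change).
root_is_ro() {
    awk '$2 == "/" { n = split($4, o, ",")
                     for (i = 1; i <= n; i++) if (o[i] == "ro") found = 1 }
         END { exit found ? 0 : 1 }'
}

# Reads /proc/mounts-style lines on stdin; prints the mount points that
# are writable tmpfs (the RAM-backed copies created from rwtab entries).
tmpfs_writable() {
    awk '$3 == "tmpfs" && $4 ~ /(^|,)rw(,|$)/ { print $2 }'
}

# Constructed sample data standing in for a real /proc/mounts.
SAMPLE_MOUNTS='/dev/mmcblk0p2 / ext4 ro,relatime,data=ordered 0 0
none /home tmpfs rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
```

Run it against the real files with `cat /etc/rwtab /etc/rwtab.d/* | rwtab_parse` and `root_is_ro < /proc/mounts`.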
Yes, this is like what a Live CD does. It's done using a special filesystem driver that's designed to overlay multiple filesystems on top of one another - in this case, a read-only file system with a RAM disk.
There are lots of different choices of overlay filesystems - try searching around for UnionFS, aufs, and overlayfs to get an idea of what your choices are, and what the tradeoffs between them might be.