Mount a filesystem read-only, and redirect writes to RAM?

It is possible using a union filesystem layer like aufs.

Demo:

Create a filesystem image

# dd if=/dev/zero of=/tmp/image bs=1024 count=1024
1024+0 records in
1024+0 records out
1048576 bytes (1.0 MB) copied, 0.0028428 s, 369 MB/s
# mke2fs /tmp/image 
...

Mount it, populate it

# mkdir /tmp/imgmnt
# mount -o loop /tmp/image /tmp/imgmnt
# echo hello > /tmp/imgmnt/hello.txt
# umount /tmp/imgmnt

Mount it read-only

# mount -o loop,ro /tmp/image /tmp/imgmnt
# echo blah > /tmp/imgmnt/hello.txt 
-su: /tmp/imgmnt/hello.txt: Read-only file system

A small RAM filesystem

# mkdir /tmp/rammnt
# mount -t tmpfs -o size=1M none /tmp/rammnt

Combine both

# mkdir /tmp/combined
# mount -t aufs -o br:/tmp/rammnt:/tmp/imgmnt=ro none /tmp/combined

That mount option to create a new "branch" (br) by stacking /tmp/rammnt (read-write) on top of /tmp/imgmnt (read-only). This "branch" is made visible as a (read-write) filesystem on /tmp/combined.

(See the aufs(5) man page for all the details.)

Now all that's done, here's what you have:

# ls /tmp/combined
hello.txt  lost+found
# cat /tmp/combined/hello.txt 
hello
# echo bye > /tmp/combined/hello.txt 
# cat /tmp/combined/hello.txt 
bye

# cat imgmnt/hello.txt 
hello
# cat rammnt/hello.txt 
bye

So the writes "stop" in the tmpfs filesystem, they do not attempt to propagate back to the loop-mounted image file.

You could have used a plain directory (on a read/write filesystem), or possibly a directory under /dev/shm if that works for you, instead of creating a specific tmpfs for that.

This technique (or variations thereof) is used by some distribution LiveCD. The Wikipedia aufs entry lists a few.


Update:

It seems there are 2 other simpler ways to do this on Ubuntu (at least the later versions):

  1. sudo apt-get install overlayroot followed by setting overlayroot="tmpfs:swap=1,recurse=0" in /etc/overlayroot.local.conf.

  2. sudo apt-get install fsprotect followed by passing fsprotect as a kernel parameter

I finally figured out how to do this with the root filesystem (in Ubuntu 11.04)!

The steps for making a system bootable are simple. I used this guide in combination with this guide and a bunch of web searches to figure out how to get it working properly, without bugs.

Summary:

  1. Run:

    sudo apt-get install fsprotect apparmor-utils

  2. Save this to /etc/initramfs-tools/scripts/init-bottom/__rootaufs. I don't think the name actually matters, but the beginning __ might be used for ordering purposes, so if you change the name, you might want to keep the underscores. (This is a copy of this file.)

    #!/bin/sh -e

case $1 in
  prereqs)
    exit 0
    ;;
esac

for x in $(cat /proc/cmdline); do
  case $x in
    root=*)
      ROOTNAME=${x#root=}
      ;;
    aufs=*)
      UNION=${x#aufs=}
    case $UNION in
      LABEL=*)
        UNION="/dev/disk/by-label/${UNION#LABEL=}"
        ;;
      UUID=*)
        UNION="/dev/disk/by-uuid/${UNION#UUID=}"
        ;;
    esac    
      ;;
  esac
done

if [ -z "$UNION" ]; then
    exit 0
fi

# make the mount points on the init root file system
mkdir /aufs /ro /rw

# mount read-write file system
if [ "$UNION" = "tmpfs" ]; then
  mount -t tmpfs rw /rw -o noatime,mode=0755
else
  mount $UNION /rw -o noatime
fi

# move real root out of the way
mount --move ${rootmnt} /ro

mount -t aufs aufs /aufs -o noatime,dirs=/rw:/ro=ro

# test for mount points on union file system
[ -d /aufs/ro ] || mkdir /aufs/ro
[ -d /aufs/rw ] || mkdir /aufs/rw

mount --move /ro /aufs/ro
mount --move /rw /aufs/rw

# strip fstab off of root partition
grep -v $ROOTNAME /aufs/ro/etc/fstab > /aufs/etc/fstab

mount --move /aufs /root

exit 0

  3. In /etc/default/grub, find the line that starts with GRUB_CMDLINE_LINUX_DEFAULT, and inside the quotes that follow, add the parameter aufs=tmpfs.

    Bonus: If you need to occasionally turn off the redirection temporarily, simply remove this argument from the kernel parameter list. You can probably do this by holding the Shift key when the system is booting, to show the GRUB menu; then press e to edit the parameters, and just erase the aufs=... parameter from the list.

  4. Append these lines to /etc/sysctl.conf. (Warning: Potential security risk.)

    kernel.yama.protected_nonaccess_hardlinks = 0
kernel.yama.protected_sticky_symlinks = 0

  5. Run these lines:

    sudo aa-complain dhclient3
sudo chmod 0755 /etc/initramfs-tools/scripts/init-bottom/__rootaufs
sudo update-initramfs -k all -u
sudo update-grub

If everything went well, when you reboot, you will be doing so into a temporary file system. The RAM part will be at /rw, and the disk image will be at /ro, but of course it will be read-only.

Nevertheless, if you have booted into a temporary system but need to make a permanent change, you can re-mount the /ro file system by saying

sudo mount -o remount,rw /ro

to make it writable, and then you can make whatever modifications needed to that directory.


Yes, by unionfs, see unionfs.filesystems.org. You have mount first read-only filesystem, and as second read-write RAM filesystem through unionfs.

In Ubuntu you can find the unionfs-fuse package, which is another implementation of the same things, but in user space, not as a kernel module.

Tags:

Linux

Ubuntu

Filesystems

Readonly

Recent Posts