Ubuntu – The best way to create a root filesystem, split between read only and writable

14.04etcfilesystemoverlayfsread-only

My aim is to create a system where the main parts of the root filesystem are stored on a read-only SD card, with writeable parts located on an SSD set to rw. This is to be done with a view to keeping the root filesystem free from tampering and corruption, and make updating and other maintenance a case of swapping in a pre-configured SD card. I'm using Ubuntu 14.04 LTS.

I'm happy with regular partitioning and mounting to take care of /home, /var and the like, but it becomes a lot more tricky when dealing with /etc.
I know some parts of /etc must be writable, such as mtab, and am also aware that /etc is accessed during boot. I have the feeling that it's also advisable to have some parts of /etc persist between boots.

I'm leaning towards using overlayfs, only on /etc, with the upperdir only containing those files which I want to persist. Anything that only needs to be read from /etc will come through from the lowerdir. The upperdir will be writable with new files, though these will only persist through boots, if identified in a whitelist. A script should run on shutdown to copy these files from the upperdir to the whitelist, and the opposite directly after boot (or during if necessary).

EDIT

The whitelist aims to stop any new files written to the upperdir and persisting between boots. I'll use permissions to manage this too.

Is this a good way to achieve the result I want, and what are the issues I should be aware of?

I've read into using mount –bind, but understand that it has issues of it's own, I'm also aware of the method of symlinking /etc/mtab to /proc/mounts/ and am wary of this approach too.

Any help would be greatly appreciated, I've read a lot in the forums and through general web searching, details on implementing overlayfs are very scarce indeed. Please feel free to let me know if I'm greatly over-complicating things, or if there is a better approach.
Also this is my first question so be kind please!!

EDIT

I've realised I've made a bit of a nebulous, opinion-based type of question, so thought I might re-phrase my question.

Is there any other useful way setting up this kind of system, other than a union mount?

Best Answer

aufs ( eventually UnionFS) is old and overlayfs in new solution for this in Ubuntu. This script for overlayfs worked fluently for me with 14.04.1

So you need to copy the script to /etc/initramfs-tools/scripts/init-bottom/root-ro, then 

#make the script executable
cmdod 755 /etc/initramfs-tools/scripts/init-bottom/root-ro

#add the module overlayfs to initramfs
echo overlayfs >> /etc/initramfs-tools/modules

#update initramfs
update-initramfs -u
update-grub

Reboot to give it a try. Then issue mount, you should have output:

overlayfs-root on / type overlayfs (rw)

You'll find /mnt/root-rw and /mnt/root-ro directories for the "lower" and "upper" layers of your overlayfs.

You can also add to grub menu ability to load without overlayfs:

echo overlayfs >> /etc/initramfs-tools/modules
cp root-ro /etc/initramfs-tools/scripts/init-bottom/root-ro
chmod 755 cp /etc/initramfs-tools/scripts/init-bottom/root-ro

#########################GRUB#########################
cat /etc/grub.d/10_linux|sed  s/'linux_entry "${OS}" "${version}" simple'/'linux_entry "RW: ${OS}" "${version}" simple'/ |sed  s/'"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"'/'"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} disable-root-ro=true"'/ >/etc/grub.d/11_custom

sed -i.orig -e \
"/{GRUB_DISABLE_RECOVERY}\" != \"xtrue\" ]; then/s/^.*$/    \
if [ 0 ]; then/" \
/etc/grub.d/11_custom

sed -i.orig -e \
"/in_submenu=:/s/^.*$/    \
/" \
/etc/grub.d/11_custom

sed -i.orig -e \
"/\"Previous Linux versions/s/^.*$/    \
if [ 0 ]; then/" \
/etc/grub.d/11_custom

rm /etc/grub.d/11_custom.orig
#########################GRUB#########################

chmod 777 /etc/grub.d/11_custom
Related Question