On Mon, 9 Jul 2012 10:51:11 +0200
Tom Gundersen <email@example.com> wrote:
> What should work (but might not!): /etc and /usr (and /lib, /sbin,
> /bin) should be able to be mounted read-only. I expect you'll have to
> figure out how to deal with /etc/resolv.conf, I wonder if
> NetworkManager has learnt how to deal with this gracefully since I
> last checked...
This has been working for quite some time on all my machines.
The only real problem is cups which wants to write to /etc/cups and upstream
refuses to fix this. Debian has some patches which offer only a partial
solution. I solved it by recompilation with --sysconfig=/var/lib/cups.
Assuming DHCP, the resolv.conf file can be protected in two ways: (i) For
dhcpcd, use "nohook resolv.conf" in dhcpcd.conf and use a predefined DNS
server (like 192.168.1.1 or any public dns provider); also works with netcfg.
(ii) For other DHCP clients (dhclient perhaps) one can
replace /etc/resolv.conf with a symlink to /run/resolv.conf. This was a
discussion on gnome dev ML sometime ago, and I don't know whether this fix was
accepted "officially" anywhere or remained a folk story.
AFAIK, but this can be wrong, the real problem with NM is not having read-only
resolv.conf, but protecting /etc/hosts... However, having NM on a serevr
sounds like a bad idea to start with.
> What will not work: as Rodrigo said, you'll still need /var to be
> mounted read-write, the point of /var is for applications to be able
> to write to it. Moreover, /var must be unique to each installation,
> and cannot be shared (you can put it on an NFS share though, just make
> sure you have one for each machine). Moreover, even if /etc/ is
> mounted read-only, you probably want one per machine. You might get
> away with sharing it, but then all your hostnames will be the same for
> instance. Importantly: you don't want /etc/machine-id to be shared by
> different machines (as it needs to be unique). If you do decide to
> share /etc, you can replace /etc/machine-id by an empty file and
> systemd will create a random one at every boot (in /run) and use that
> instead, so you should be fine in this respect.