Setting Up a Read-Only Root Filesystem

TL;DR

To set up a read-only root filesystem on Debian 13, follow these concise steps:

Backup Your Data: Always start by backing up your important data to avoid any loss during the process.
Modify the Filesystem: Remount the root filesystem as read-only. Use the following command:
```
sudo mount -o remount,ro /
```
Edit /etc/fstab: Change the root filesystem entry to ensure it mounts as read-only on boot. Open the file with:
```
nano /etc/fstab
```
Modify the line for the root filesystem to include ro:

   UUID=your-uuid / ext4 ro,errors=remount-ro 0 1

Create a Writable Overlay: To allow temporary writes, set up an overlay filesystem. Install the necessary package:
```
sudo apt update && sudo apt install overlayroot
```
Configure Overlayroot: Edit the configuration file:
```
nano /etc/overlayroot.conf
```
Add the following line to specify the overlay:
```
overlayroot="tmpfs:rw"
```
Reboot the System: After making these changes, reboot your server to apply the new settings:
```
reboot
```
Verify the Setup: After rebooting, check that the root filesystem is mounted as read-only:
```
sudo mount | grep ' / '
```

Cautions: Ensure that all necessary services can operate correctly in a read-only environment. Some applications may require write access to certain directories. Test your configuration in a safe environment before deploying it to production.

Safe Defaults: Always keep a recovery method available, such as a live USB, to revert changes if needed.

Understanding Read-Only Filesystems

A read-only filesystem is a critical security measure that helps protect the integrity of the operating system by preventing unauthorized modifications to system files. In a read-only root filesystem, all files are mounted in a way that they cannot be altered, which is particularly useful in environments where stability and security are paramount, such as servers or embedded systems.

When setting up a read-only root filesystem, the initial step is to ensure that the filesystem is configured correctly. This typically involves using a combination of the initramfs and specific mount options. The initramfs is a temporary filesystem used during the boot process, and it can be configured to mount the root filesystem as read-only.

To create a read-only root filesystem, you can modify the /etc/fstab file to include the ro option. Here’s how to do it:

sudo nano /etc/fstab

## Modify the root filesystem entry to include 'ro'
UUID=your-root-uuid / ext4 ro,errors=remount-ro 0 1

Replace your-root-uuid with the actual UUID of your root partition. The errors=remount-ro option ensures that if the filesystem encounters errors, it will remount as read-only to prevent further damage.

Caution is advised when implementing a read-only filesystem. Certain applications may require write access to specific directories, such as /var/log for logging or /tmp for temporary files. To accommodate this, you can create a writable overlay filesystem or use a separate writable partition mounted at these locations.

Service Compatibility Notes:

Logging services (rsyslog, journald): Require write access to /var/log. Use tmpfs overlay or separate writable partition.
Package managers (apt, dpkg): Cannot install/update packages with read-only root. Temporarily remount as read-write for updates.
Cron jobs: Jobs that write to root filesystem will fail. Ensure cron jobs write to writable overlays only.
SSH: May have issues with host keys or authorized_keys if /etc is read-only. Use overlayfs for /etc/ssh.
Database services (MySQL, PostgreSQL): Require separate writable data directories outside root filesystem.

For example, to create a writable overlay for /var/log, you can use:

## Create a writable directory for logs
sudo mkdir /var/log-writable

## Mount it as a writable overlay
sudo mount -o bind /var/log-writable /var/log

Always ensure that you have a reliable backup and recovery plan in place before making these changes, as misconfigurations can lead to an unbootable system.

Preparing the System

To prepare your Debian 13 system for a read-only root filesystem, follow these steps to ensure a smooth transition while maintaining system integrity.

First, ensure your system is fully updated. This is crucial for security and stability:

sudo apt update && sudo apt upgrade -y  # Update package lists and upgrade installed packages

Next, install the necessary packages for managing filesystems and boot configurations:

sudo apt install -y util-linux  # Install util-linux for filesystem utilities

Now, create a backup of your current system configuration. This step is vital in case you need to revert changes:

sudo cp -a /etc/fstab /etc/fstab.bak  # Backup the fstab file

Next, check your current filesystem type. You will need to ensure that your root filesystem is on a supported type, such as ext4. Use the following command:

df -T /  # Display the filesystem type of the root partition

If your root filesystem is not ext4, consider migrating to it before proceeding.

To prepare for the read-only setup, you will need to modify the /etc/fstab file. Open it with your preferred text editor:

sudo nano /etc/fstab  # Edit the fstab file

Setting Up DNS over HTTPS on Debian 13
Learn how to set up DNS over HTTPS on Debian 13 for enhanced privacy
Encrypted Swap and Temp Directories
Learn how to enhance security on Debian 13 by setting up encrypted swap
Setting Up OpenSMTPD as Lightweight Secure MTA
Learn to set up and secure OpenSMTPD on Debian 13 with this comprehensive guide, covering installation, configuration, testing, and troubleshooting.
[Setting Up Split-Horizon DNS for Internal + External Views](/posts/setting-up-split-horizon-dns-for-internal-external-views/)
Learn how to set up Split-Horizon DNS on Debian 13 for efficient internal
Setting Up UFW and Fail2ban on Debian
Configure UFW firewall and Fail2ban intrusion prevention on Debian 13

Verification

Verify Root Filesystem is Read-Only (Post-Reboot)

## Check if root is mounted read-only
sudo mount | grep ' / '
## Expected: root filesystem with 'ro' option

## Alternative verification
findmnt -no OPTIONS /
## Expected: ro in the options list

## Verify /etc/fstab configuration
grep ' / ' /etc/fstab
## Expected: ro option in root filesystem entry

Test Write Protection

## Attempt to create a file on root filesystem (should fail)
sudo touch /test-write-fail
## Expected: Read-only file system error

## Verify /tmp is writable (if using tmpfs)
touch /tmp/test-write-success
ls -l /tmp/test-write-success
## Expected: File created successfully

## Verify /var/log is writable (if using overlay)
sudo touch /var/log/test-write-success
ls -l /var/log/test-write-success
## Expected: File created successfully

Verify Overlayfs Configuration (if using overlayroot)

## Check overlayroot status
cat /etc/overlayroot.conf
## Expected: overlayroot="tmpfs:rw" or similar

## Verify overlay mounts
sudo mount | grep overlay
## Expected: Overlay mounts for writable directories

## Check which directories are overlayed
df -h | grep overlay
## Expected: tmpfs or overlay filesystems

Verify Critical Services After Reboot

## Check SSH service
sudo systemctl status ssh
## Expected: active (running)

## Check system logging
sudo systemctl status rsyslog
## Expected: active (running)

## Check cron service
sudo systemctl status cron
## Expected: active (running)

## Verify network connectivity
ping -c 4 8.8.8.8
## Expected: Successful ping responses

Verify Disk Space and System Health

## Check available disk space
df -h
## Expected: Root filesystem shows correct usage

## Check system boot messages for errors
sudo dmesg | grep -i 'read-only\|remount'
## Expected: Messages confirming read-only mount

## Review system logs for issues
sudo journalctl -p err..alert --since "10 minutes ago"
## Expected: No critical errors related to read-only filesystem

Rollback Procedure

If you need to revert these changes:

1. Boot into Recovery Mode or Live USB

If system is unbootable, boot from a live USB or use recovery mode to access the filesystem.

2. Remount Root Filesystem as Read-Write

## From recovery mode or live environment
sudo mount -o remount,rw /dev/sdXY /mnt
## Replace sdXY with your root partition (e.g., sda1)

3. Restore Original /etc/fstab

## Restore from backup
sudo cp /mnt/etc/fstab.bak /mnt/etc/fstab

## Verify restored configuration
cat /mnt/etc/fstab
## Expected: Root filesystem without 'ro' option

4. Remove Overlayroot Configuration (if used)

## Edit overlayroot config
sudo nano /mnt/etc/overlayroot.conf

## Comment out or remove the overlayroot line
# overlayroot="tmpfs:rw"

## Or uninstall overlayroot entirely
sudo chroot /mnt apt remove overlayroot

5. Reboot System

## Unmount and reboot
sudo umount /mnt
sudo reboot

## After reboot, verify root is writable
sudo mount | grep ' / '
## Expected: rw (read-write) option

## Test write capability
sudo touch /test-write-success
ls -l /test-write-success
## Expected: File created successfully

## Remove test file
sudo rm /test-write-success

TL;DR#

Understanding Read-Only Filesystems#

Preparing the System#

Related Guides#

Verification#

Rollback Procedure#

Related AI Development Guides

Configuring ModSecurity with Nginx

TL;DR

Blocking Bad Bots with Nginx Map

TL;DR

How to Configure HAProxy for SSL Termination

TL;DR

How to Use login.defs and PAM for Account Lockouts

TL;DR

Secure SFTP-Only User Accounts

TL;DR

Securing Node.js / Python Apps Behind Nginx Reverse Proxy

TL;DR

TL;DR

Understanding Read-Only Filesystems

Preparing the System

Related Guides

Verification

Rollback Procedure