This is my experience in transforming an OpenBSD firewall into a machine
with all filesystems mounted read-only, so that after a power failure,
at the next start, the machine is ready to serve your LAN without errors
regarding filesystem integrity, like a commercial modem or firewall.
It is also possible to use a Compact Flash drive instead of a hard disk!
The machine will use a memory filesystem for all read/write activity.
Before starting to work, you need the bsd.rd file (the install ramdisk kernel) in the root filesystem. When you are ready, reboot.
The first step is to boot with the ramdisk. So:
boot wd0a:/bsd.rd
When the kernel is loaded and asks you what to do, press S to run the shell.
Now you need to mount all BSD partitions of the system under /mnt. For example, on my machine I have only / and /usr. So I run:
mount /dev/wd0a /mnt
mount /dev/wd0d /mnt/usr
Now we chroot into the real / with:
/mnt/usr/sbin/chroot /mnt
and export some shell variables so the system can be used correctly:
export TERM=vt220
export HOME=/
Now we can start modifying /etc/fstab.
vi /etc/fstab
The first thing to do is to add the line:
swap /mfs mfs rw,nosuid,noatime,-P=/skel,-s=XXX 0 0
and switch all BSD partitions to read-only (ro).
For example, this is my fstab:
/dev/wd0a / ffs ro,softdep 1 1
swap /mfs mfs rw,nosuid,-P=/skel,-s=102400 0 0
/dev/wd0d /usr ffs ro,nodev,softdep 1 2
The -s=XXX value is the number of 512-byte blocks that the memory filesystem should contain. In my fstab, 102400 blocks * 512 bytes / 1024 / 1024 = 50 MB.
Now we have to make the directory that will live in RAM. I chose the /mfs directory. You can use whatever you like, but remember to update fstab and change all the links accordingly!
mkdir /mfs
We have written in fstab (-P=/skel) that the contents of the /skel directory must be copied into /mfs at boot. So, from now on, all the files that need to be writable will be stored in /skel. Start by doing:
mkdir /skel
mkdir /skel/dev
The first step is to move all ptyp* and ttyp* files from /dev to /skel/dev.
This is needed because, when we use ssh to access the machine remotely,
the system must change the owner and permissions of these files. Putting them in
the /mfs/dev directory, which is in RAM (and is read/write), and making a
symbolic link for each one, solves the problem.
mv /dev/ptyp* /dev/ttyp* /skel/dev/
Now we can make the real links, but first we make a symbolic link to the real path, so that the /mfs/dev/* names we are about to link to already resolve while /mfs is not yet mounted:
cd /mfs
ln -s /skel/dev/ .
And then:
cd /dev/
for i in /mfs/dev/* ; do ln -s $i . ; done
Now we can delete the temporary /mfs/dev link:
rm -rf /mfs/dev
Now that the devices are OK, we must move the /root directory:
mv /root /skel/
cd /
ln -s /mfs/root .
The /tmp directory will be on a read-only filesystem, so we can't use it.
We have to make another tmp directory in /skel called tmp2 and make a symlink.
The name tmp2 is chosen because in /var there is another tmp directory.
We need both, so one must be named differently.
mv /tmp /skel/tmp2
ln -s /mfs/tmp2 /tmp
Move these directories into /skel:
/var/backups
/var/cron
/var/db
/var/empty
/var/log
/var/mail
/var/msgs
/var/named
/var/run
/var/spool
/var/tmp
and make a symlink in /var for each one:
ln -s /mfs/backups /var
ln -s /mfs/cron /var
ln -s /mfs/db /var
ln -s /mfs/empty /var
...
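The relocation just described (move a directory into /skel, leave a symlink that points at /mfs/NAME, and size the mfs line in fstab) is the same operation repeated for /root, /tmp and each /var subdirectory. The script below is an added example, not part of the original post: it wraps that operation in small sh functions (mfs_blocks, mfs_fstab_line, relocate, check_link, rehearse are my own names, not OpenBSD tools) and takes the root directory as a parameter, so the whole procedure can be rehearsed in a scratch tree before it is run inside the chroot. The check_link function is the test a practitioner wants after the moves: it confirms that a path is a symlink into /mfs and that the matching copy exists under /skel, so it will be populated at boot.

```shell
#!/bin/sh
# Added example: helpers for the /skel -> /mfs relocation described above.
# All paths are relative to ROOT so this can be rehearsed in a scratch tree.

# Convert a size in MB into the 512-byte block count that the mfs -s= option
# in fstab expects: 50 MB -> 102400 blocks, matching the post's fstab.
mfs_blocks() {
    echo $(( $1 * 1024 * 1024 / 512 ))
}

# Emit the mfs fstab line for a memory filesystem of the given size in MB,
# with the skeleton directory /skel copied into /mfs at boot.
mfs_fstab_line() {
    echo "swap /mfs mfs rw,nosuid,noatime,-P=/skel,-s=$(mfs_blocks "$1") 0 0"
}

# relocate ROOT PATH [NAME]: move ROOT/PATH to ROOT/skel/NAME and leave a
# symlink at ROOT/PATH pointing at /mfs/NAME, the path it will have once the
# memory filesystem is mounted. NAME defaults to the last path component;
# pass it explicitly to rename, as the post does for /tmp -> tmp2.
relocate() {
    root=$1; path=$2; name=${3:-$(basename "$path")}
    mkdir -p "$root/skel"
    mv "$root$path" "$root/skel/$name" || return 1
    ln -s "/mfs/$name" "$root$path"
}

# check_link ROOT PATH: succeed only if ROOT/PATH is a symlink into /mfs and
# the skeleton copy that mfs -P will populate it from exists under ROOT/skel.
check_link() {
    root=$1; path=$2
    [ -L "$root$path" ] || return 1
    target=$(readlink "$root$path")
    case $target in
        /mfs/*) ;;
        *) return 1 ;;
    esac
    [ -d "$root/skel/${target#/mfs/}" ]
}

# rehearse: build a constructed scratch tree, relocate /tmp and /var/log the
# way the post does, and report each link. Nothing outside the temp dir is touched.
rehearse() {
    root=$(mktemp -d)
    mkdir -p "$root/tmp" "$root/var/log"
    echo "fstab line: $(mfs_fstab_line 50)"
    relocate "$root" /tmp tmp2
    relocate "$root" /var/log
    for p in /tmp /var/log; do
        if check_link "$root" "$p"; then
            echo "ok  $p -> $(readlink "$root$p")"
        else
            echo "BAD $p"
        fi
    done
    rm -r "$root"
}

if [ "${1:-}" = rehearse ]; then
    rehearse
fi
```

Run it as `sh relocate.sh rehearse` to see the dry run; inside the chroot the same functions are called with ROOT set to / (for example `relocate / /var/log`), and the for loop in rehearse is the post-move check worth running over every entry you moved.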
Now the system is complete and ready to serve you.
One last note: if you plan to access the system from the keyboard, comment out all lines in /etc/fbtab or you will get errors every time you log in (the system tries to change the owner and permissions of the keyboard device, but that file lives on a read-only filesystem).