On Mon, 9 Jul 2012 10:51:11 +0200 Tom Gundersen <teg@jklm.no> wrote:
> [...]
> What should work (but might not!): /etc and /usr (and /lib, /sbin, /bin) should be able to be mounted read-only. I expect you'll have to figure out how to deal with /etc/resolv.conf, I wonder if NetworkManager has learnt how to deal with this gracefully since I last checked...
This has been working for quite some time on all my machines. The only real problem is cups which wants to write to /etc/cups and upstream refuses to fix this. Debian has some patches which offer only a partial solution. I solved it by recompilation with --sysconfig=/var/lib/cups.

Assuming DHCP, the resolv.conf file can be protected in two ways:
(i) For dhcpcd, use "nohook resolv.conf" in dhcpcd.conf and use a predefined DNS server (like 192.168.1.1 or any public DNS provider); also works with netcfg.
(ii) For other DHCP clients (dhclient perhaps) one can replace /etc/resolv.conf with a symlink to /run/resolv.conf. This was a discussion on the gnome dev ML some time ago, and I don't know whether this fix was accepted "officially" anywhere or remained a folk story.

AFAIK, but this can be wrong, the real problem with NM is not having a read-only resolv.conf, but protecting /etc/hosts... However, having NM on a server sounds like a bad idea to start with.
> What will not work: as Rodrigo said, you'll still need /var to be mounted read-write, the point of /var is for applications to be able to write to it. Moreover, /var must be unique to each installation, and cannot be shared (you can put it on an NFS share though, just make sure you have one for each machine). Moreover, even if /etc/ is mounted read-only, you probably want one per machine. You might get away with sharing it, but then all your hostnames will be the same for instance. Importantly: you don't want /etc/machine-id to be shared by different machines (as it needs to be unique). If you do decide to share /etc, you can replace /etc/machine-id by an empty file and systemd will create a random one at every boot (in /run) and use that instead, so you should be fine in this respect.
> 
> HTH,
> Tom
-- 
Leonid Isaev
GnuPG key: 0x164B5A6D
Fingerprint: C0DF 20D0 C075 C3F1 E1BE 775A A7AE F6CB 164B 5A6D
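The three read-only-/etc adjustments discussed in this thread (resolv.conf symlinked into /run, "nohook resolv.conf" for dhcpcd, an empty /etc/machine-id) as an added example script, not code from either poster; it stages them into an explicitly given root directory so they can be rehearsed and audited before touching a live system, and the function names and the ROOT argument are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Usage: ./ro-etc.sh /path/to/root
# ROOT must be given explicitly; use a staging directory to rehearse.

prepare_ro_etc() {
    root="$1"
    [ -n "$root" ] || { echo "prepare_ro_etc: root directory required" >&2; return 2; }
    etc="${root%/}/etc"
    mkdir -p "$etc"
    # (ii) resolv.conf lives in tmpfs (/run) so a DHCP client can still write it
    if [ ! -L "$etc/resolv.conf" ]; then
        rm -f "$etc/resolv.conf"
        ln -s /run/resolv.conf "$etc/resolv.conf"
    fi
    # (i) dhcpcd: disable the resolv.conf hook (added once, idempotent)
    conf="$etc/dhcpcd.conf"
    touch "$conf"
    grep -qx 'nohook resolv.conf' "$conf" || printf 'nohook resolv.conf\n' >> "$conf"
    # empty machine-id: systemd generates a transient one under /run at boot
    : > "$etc/machine-id"
}

# Audit a root directory; prints each deviation and returns non-zero if any.
check_ro_etc() {
    etc="${1%/}/etc"
    fail=0
    [ "$(readlink "$etc/resolv.conf" 2>/dev/null)" = /run/resolv.conf ] \
        || { echo "resolv.conf is not a symlink to /run/resolv.conf"; fail=1; }
    grep -qx 'nohook resolv.conf' "$etc/dhcpcd.conf" 2>/dev/null \
        || { echo "dhcpcd.conf lacks 'nohook resolv.conf'"; fail=1; }
    [ -f "$etc/machine-id" ] && [ ! -s "$etc/machine-id" ] \
        || { echo "machine-id is not an empty file"; fail=1; }
    return $fail
}

if [ -n "${1:-}" ]; then
    prepare_ro_etc "$1" && check_ro_etc "$1" && echo "ok: $1"
fi
```

Run it against a scratch directory first (`./ro-etc.sh /tmp/stage`); cups' /etc/cups writes are not covered here since the thread solves that at build time.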