Read-only Raspberry PI with Jessie
A step-by-step tutorial to get Debian Jessie up and running in RO mode on a Raspberry PI (v3 tested). Never lose your installation due to power-related SD card corruption again!
- Get Jessie and copy it to your SD card
– You may have a problem extracting the file on a Mac; in that case do not use unzip, use the following:
ditto -x -k 2016-05-27-raspbian-jessie.zip .
# flash contents to SD card (just an example of what I did on my Mac)
# the disk identifier differs per machine: check yours with `diskutil list` and use the same one in both commands
diskutil unmountdisk /dev/disk3
pv 2016-05-27-raspbian-jessie.img | sudo dd of=/dev/disk5 bs=1m
- Boot up, find out IP address from your router and SSH in, then run:
sudo su
apt-get update
apt-get upgrade
reboot
# run raspi-config to make sure the root partition fills the whole SD card
sudo raspi-config
reboot
# clean up unwanted packages
sudo su
apt-get remove --purge wolfram-engine triggerhappy cron logrotate dbus dphys-swapfile xserver-common lightdm fake-hwclock
apt-get autoremove --purge
# replace log management with busybox, you can read the logs with logread
apt-get install busybox-syslogd; dpkg --purge rsyslog
# just for convenience
apt-get install vim
- Disable swap and start read-only FS
I’ve added fastboot noswap ro at the end of the line.
$ cat /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline fsck.repair=yes rootwait fastboot noswap ro
- Move spool
# move spool
rm -rf /var/spool
ln -s /tmp /var/spool
- Make sure SSH works – I had to disable UsePrivilegeSeparation; for me it says:
vim /etc/ssh/sshd_config
...
# sshd then handles pre-authentication traffic without its unprivileged child process
UsePrivilegeSeparation no
...
- Make edits to the fstab
Last 3 lines and RO flag for /dev/mmcblk0p* are new additions.
root@raspberrypi:/home/pi# cat /etc/fstab
proc            /proc     proc   defaults             0 0
/dev/mmcblk0p1  /boot     vfat   defaults,ro          0 2
/dev/mmcblk0p2  /         ext4   defaults,noatime,ro  0 1
# a swapfile is not a swap partition, no line here
# use dphys-swapfile swap[on|off] for that
tmpfs           /var/log  tmpfs  nodev,nosuid         0 0
tmpfs           /var/tmp  tmpfs  nodev,nosuid         0 0
tmpfs           /tmp      tmpfs  nodev,nosuid         0 0
- Move dhcpcd.resolv.conf to tmpfs
touch /tmp/dhcpcd.resolv.conf
rm /etc/resolv.conf
ln -s /tmp/dhcpcd.resolv.conf /etc/resolv.conf
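To confirm the steps above took effect, this added example (not part of the original tutorial) audits an fstab and a cmdline.txt for the settings shown: ro on / and /boot, nodev,nosuid tmpfs entries for /tmp, /var/tmp and /var/log, and the fastboot noswap ro kernel flags. The function names and the sample files are constructed for illustration; on the Pi, call check_ro_layout /etc/fstab /boot/cmdline.txt.

```sh
#!/bin/sh
# Added example: audit the read-only layout from this tutorial.
# Function names and sample files are constructed for illustration.

# Print the options field (4th column) of MOUNTPOINT's entry in fstab FILE.
fstab_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { print $4; exit }' "$1"
}

# Succeed if NAME is one of the comma-separated mount options in OPTS.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print one FAIL line per deviation; return status is the number of failures.
check_ro_layout() {
    fstab=$1; cmdline=$2; fails=0
    for mp in / /boot; do
        has_opt "$(fstab_opts "$fstab" "$mp")" ro ||
            { echo "FAIL: $mp not mounted ro"; fails=$((fails + 1)); }
    done
    for mp in /tmp /var/tmp /var/log; do
        opts=$(fstab_opts "$fstab" "$mp")
        { has_opt "$opts" nodev && has_opt "$opts" nosuid; } ||
            { echo "FAIL: $mp missing or lacks nodev,nosuid"; fails=$((fails + 1)); }
    done
    for flag in fastboot noswap ro; do
        # match whole tokens only, so root=... or rootwait never count as "ro"
        tr -s ' \t' '\n' < "$cmdline" | grep -qx -- "$flag" ||
            { echo "FAIL: $flag missing from kernel command line"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample: /boot left writable, no /var/log tmpfs, no "ro" kernel flag.
demo_dir=$(mktemp -d)
cat > "$demo_dir/fstab" <<'EOF'
proc            /proc    proc  defaults            0 0
/dev/mmcblk0p1  /boot    vfat  defaults            0 2
/dev/mmcblk0p2  /        ext4  defaults,noatime,ro 0 1
tmpfs           /var/tmp tmpfs nodev,nosuid        0 0
tmpfs           /tmp     tmpfs nodev,nosuid        0 0
EOF
echo 'root=/dev/mmcblk0p2 rootfstype=ext4 rootwait fastboot noswap' > "$demo_dir/cmdline.txt"
check_ro_layout "$demo_dir/fstab" "$demo_dir/cmdline.txt" || echo "$? problem(s) found"
```

The check reads only the configuration files; after a reboot, the output of mount shows what is actually mounted ro.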
Optional steps
Enable an easy way to switch back and forth between ro and rw:
(place the below at the end of your /etc/bash.bashrc)
# set variable identifying the filesystem you work in (used in the prompt below)
fs_mode=$(mount | sed -n -e "s/^.* on \/ .*(\(r[w|o]\).*/\1/p")
# alias ro/rw
alias ro='mount -o remount,ro / ; fs_mode=$(mount | sed -n -e "s/^.* on \/ .*(\(r[w|o]\).*/\1/p")'
alias rw='mount -o remount,rw / ; fs_mode=$(mount | sed -n -e "s/^.* on \/ .*(\(r[w|o]\).*/\1/p")'
# setup fancy prompt
export PS1='\[\033[01;32m\]\u@\h${fs_mode:+($fs_mode)}\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
# aliases for mounting boot volume
alias roboot='mount -o remount,ro /boot'
alias rwboot='mount -o remount,rw /boot'
(Thanks to Vittorio for fix)
Enable watchdog
# enter RW mode
rw
# enable watchdog
modprobe bcm2708_wdog; apt-get install watchdog
# add bcm2708_wdog to /etc/modules to load it at boot time
$ cat /etc/modules
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
bcm2708_wdog
# edit watchdog config /etc/watchdog.conf and enable (uncomment) following lines:
watchdog-device = /dev/watchdog
max-load-1
# start watchdog at system start and start right away
insserv watchdog; /etc/init.d/watchdog start
# http://raspberrypi.stackexchange.com/questions/33850/pi-b-raspbian-jessie-watchdog-doesnt-start-at-boot
# additional settings needed on Jessie, edit /lib/systemd/system/watchdog.service and add:
[Install]
WantedBy=multi-user.target
# now it should be enabled properly
systemctl enable watchdog
# setup automatic reboot after kernel panic in /etc/sysctl.conf (add to the end)
kernel.panic = 10
# finish and reboot
ro
reboot
Credits:
http://hallard.me/raspberry-pi-read-only/
http://k3a.me/how-to-make-raspberrypi-truly-read-only-reliable-and-trouble-free/