Re: mounting /usr read-only -- didn't this *used* to work?

Robert P. J. Day wrote:
  once upon a time, after i set up my fedora system, i had a habit of
re-mounting the entire /usr filesystem read-only so that, even as
root, i couldn't do something indescribably stupid and destroy
valuable files.  (theoretically, this remounting should be fine since,
according to the FHS, the contents of /usr should be static and
shareable.)

  all i would do (and demo to students in class, as well, since they
thought it was tres cool), was to use mount with the remount option:

    # mount -oro,remount /usr

  if i try that nowadays, though, i get:

  # mount -oro,remount /usr
  mount: /usr is busy

i can certainly do the above with one of my currently unused
partitions like, say, /opt, but i'm not sure why the /usr filesystem
is considered "busy."

  i'm unsure of the semantics of remounting a FS as read-only -- will
it fail if some file is currently opened with write access?  i've
used "fuser" to (apparently) verify that nothing like that seems to be
happening.  thoughts?  does anyone else remember doing this on earlier
fedora systems, and does it work on your latest version of fedora?
thanks.

Your enemies are software updates and prelink, coupled with long-
running processes that are keeping old, now deleted, files open.
The file system cannot be made read-only until the space for those
deleted files has been released.  You can see some of that with
"lsof /usr | grep -i del", but there will be some deleted library
files that won't show up.

You can mount /usr read-only after a reboot (I include "ro" in the
options for /usr in /etc/fstab), or after restarting any currently
running processes holding deleted files on /usr.  Getting all
those processes out of the way may require bringing the system
down to runlevel 1 plus killing off any stray background processes
that didn't get stopped automatically.

WARNING:  If you're going to have /usr mounted read-only you must
disable the automatic daily execution of prelink.  The way I did
that is by adding a line at top of /etc/sysconfig/prelink:

     /usr/bin/tty -s || exit    # Don't let cron run this

That lets me run /etc/cron.daily/prelink manually while I have
/usr mounted read-write.  You could replace that test with a check
on whether /usr was writable.

--
Bob Nichols     "NOSPAM" is really part of my email address.
                Do NOT delete it.
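
The reply above mentions two checks: whether /usr is currently writable, and which deleted files under /usr are still held by running processes. The sketch below is an added example, not part of the original messages; it reads /proc/mounts and /proc/PID/maps format directly, and the function names and all sample data are constructed assumptions.

```shell
# Added example; function names and all sample data are constructed assumptions.

# mount_is_readonly MOUNTPOINT [MOUNTS_FILE]
# Exit 0 if MOUNTPOINT is mounted "ro", 1 if writable, 2 if not a mount point.
# Reads /proc/mounts format; the last matching entry wins (it is the active one).
mount_is_readonly() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }' "${2:-/proc/mounts}"
}

# deleted_mappings PREFIX [MAPS_FILE...]
# Print each unlinked file under PREFIX that is still mapped, once.
# Input is /proc/PID/maps format; with no file arguments, reads stdin.
deleted_mappings() {
    prefix=$1; shift
    awk -v p="$prefix/" '
        /[(]deleted[)]$/ {
            path = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +[^ ]+ +/, "", path)  # drop addr perms off dev inode
            sub(/ [(]deleted[)]$/, "", path)
            if (index(path, p) == 1 && !seen[path]++) print path
        }' "$@"
}

# Constructed samples (not captured from a real system).
sample_mounts() { cat <<'EOF'
/dev/sda2 / ext3 rw,data=ordered 0 0
/dev/sda3 /usr ext3 rw,data=ordered 0 0
/dev/sda5 /opt ext3 ro,data=ordered 0 0
EOF
}
sample_maps() { cat <<'EOF'
00400000-0040b000 r-xp 00000000 08:03 1311   /usr/sbin/exampled
3a5c000000-3a5c14e000 r-xp 00000000 08:03 2270   /usr/lib64/libexample.so.1 (deleted)
3a5c34e000-3a5c352000 rw-p 0014e000 08:03 2270   /usr/lib64/libexample.so.1 (deleted)
7f0e10000000-7f0e10021000 rw-s 00000000 00:09 77   /SYSV00000000 (deleted)
EOF
}

# Demo on the samples: /usr is writable, and one deleted library is pinned.
if sample_mounts | mount_is_readonly /usr -; then echo "/usr: ro"; else echo "/usr: rw"; fi
sample_maps | deleted_mappings /usr
```

On a live system, `deleted_mappings /usr /proc/[0-9]*/maps` run as root lists the unlinked files that running processes still map, and `mount_is_readonly /usr` with no second argument checks the real mount table.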

