Most embedded devices use a read-only root filesystem. This can make them more resilient to unexpected shutdowns that could otherwise cause data corruption. Depending on your application, you might consider your Pi to be an embedded system. This can also help with some issues that can come from SD card unreliability.
Full instructions and explanations are obtained from this link but you can run these commands directly. I modified some of the instructions for personal convenience.
Log in with the default username and password (ArchLinux Arm: alarm, alarm; Raspbian: pi, raspberry).
nano /etc/ssh/sshd_config
Add "PermitRootLogin yes" to the Authentication section after "#PermitRootLogin prohibit-password" then save
Restart the SSH service: systemctl restart sshd (or systemctl restart ssh if you're on Raspbian).
Log in as root, or preface the following with sudo if you've configured sudo.
ArchLinux Arm: pacman -Syu
Raspbian: sudo apt-get update && sudo apt-get upgrade
On ArchLinux Arm, you might run into a little fun:
- Delete certs if you see a message like "/etc/ssl/certs/ca-certificates.crt exists in filesystem", then rerun pacman -Syu: rm /etc/ssl/certs/ca-certificates.crt
- May be needed if the pacman version has changed during the update: pacman-db-upgrade
- Optional if you want to clear the cache - pacman -Sc. Clearing the cache may help to detect problems.
It's recommended to do any configuration at this point, such as setting your hostname, timezone, etc., as that will require a reboot anyway.
reboot
ln -sf /var/run/resolv.conf /etc/resolv.conf
Edit /etc/resolvconf.conf and change it to write its file to /run/resolv.conf
Putting resolvconf in /tmp doesn't work, for some reason I haven't cared to investigate. /var/run does.
If you're on ArchLinux Arm, systemd-timesyncd (the out of box default) works fine, so no action is needed.
If you're on Raspbian, systemd-timesyncd will not work. Instead, install the ntp package and enable it, then disable systemd-timesyncd:
systemctl disable systemd-timesyncd
systemctl enable ntp
If you want to be pedantic, you can also edit /etc/ntp.conf and change the location of the drift file to someplace like /run. This doesn't appear to be necessary, however.
Your fstab may look a little different than what's here. You should adjust it accordingly by adding a "ro" option to each filesystem you want read-only (which is /boot and /). ArchLinux has only one partition listed for /boot, while Raspbian has both / and /boot. Update all that apply.
Comment out the original lines and copy them before you edit them. This makes it easier to step back if something goes awry.
Your fstab on ArchLinux arm would look something like this:
#/dev/mmcblk0p1 /boot vfat defaults 0 0
/dev/mmcblk0p1 /boot vfat defaults,ro,errors=remount-ro 0 0
Redirect places that are expected to be writeable to /tmp by adding the following to your fstab:
tmpfs /var/log tmpfs nodev,nosuid 0 0
tmpfs /var/tmp tmpfs nodev,nosuid 0 0
On ArchLinux Arm, there's an extra step to mount / read-only:
- Install uboot-tools
- nano /boot/boot.txt and replace the "rw" flag with the "ro" flag right after the root= parameter.
- sudo /boot/mkscr
nano /etc/systemd/journald.conf
Uncomment the line that says "Storage=" and change it to "Storage=none"
- systemd-random-seed
- systemd-hostnamed
- systemd-readahead-collect
printf "mount -o remount,rw /\nmount -o remount,rw /boot" > writeenable.sh
printf "mount -o remount,ro /\nmount -o remount,ro /boot" > readonly.sh
chmod 500 writeenable.sh
chmod 500 readonly.sh
I suggest taking these further by adding a shebang (#!/bin/sh) to the top of the scripts, then moving them to /usr/sbin.
"passwd root" or "passwd alarm"
history -c -w
sudo systemctl disable dphys-swapfile
- Optionally, remove the swapfile /var/swap. I'd recommend making sure your system runs correctly before doing this.
reboot
To enable read-write temporarily to do, say, an update, just run ./writeenable.sh
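To confirm after a reboot (or after running readonly.sh) that the layout above is actually in effect, here is an added example, not part of the original instructions. It checks a mount table in /proc/mounts format for read-only / and /boot and for the tmpfs mounts on /var/log and /var/tmp. The function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the read-only layout against a /proc/mounts-style
# table (columns: device mountpoint fstype options dump pass).

# Print "fstype options" for the LAST entry of mountpoint $2 in table $1;
# later entries shadow earlier ones (e.g. rootfs, then the real root).
mount_entry() {
    printf '%s\n' "$1" | awk -v mp="$2" \
        '$2 == mp { t = $3; o = $4 } END { if (t == "") exit 1; print t, o }'
}

# Succeed only if option list $1 holds the exact option $2, so that
# "errors=remount-ro" is not mistaken for "ro".
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Read a mount table on stdin, print one finding per line, return 1 on FAIL.
check_layout() {
    table=$(cat); rc=0
    for mp in / /boot; do
        if entry=$(mount_entry "$table" "$mp") && has_opt "${entry#* }" ro; then
            echo "OK   $mp is read-only"
        else
            echo "FAIL $mp is missing or writable"; rc=1
        fi
    done
    for mp in /var/log /var/tmp; do
        entry=$(mount_entry "$table" "$mp") || entry=""
        if [ "${entry%% *}" = tmpfs ] && has_opt "${entry#* }" nosuid \
            && has_opt "${entry#* }" nodev; then
            echo "OK   $mp is tmpfs with nodev,nosuid"
        else
            echo "FAIL $mp is not a nodev,nosuid tmpfs"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the state right after running ./writeenable.sh
sample_rw() {
    cat <<'EOF'
/dev/root / ext4 rw,noatime 0 0
/dev/mmcblk0p1 /boot vfat rw,relatime,errors=remount-ro 0 0
tmpfs /var/log tmpfs rw,nosuid,nodev 0 0
tmpfs /var/tmp tmpfs rw,nosuid,nodev 0 0
EOF
}
# On the Pi itself: check_layout < /proc/mounts
sample_rw | check_layout || echo "layout check failed (expected for this sample)"
```

A failing result after an update is a reminder that readonly.sh was not run before leaving the system unattended.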