├── README.md
└── install.site
/README.md:
--------------------------------------------------------------------------------
1 | # OpenBSD-rofs
2 | Create a fully read-only OpenBSD system for your firewall or appliance.
3 |
4 | Why use this?
5 | - Really simple (KISS): you just need siteXX.tgz, nothing else
6 | - No third-party software added except rsync
7 |
8 | What does the script do?
9 | - Create an update-disk script that lets you write to the / slice and update /var
10 | - Install rsync package
11 | - Allocate in RAM 400 MB for /var
12 | - Allocate in RAM 40 MB for /tmp
13 | - Allocate in RAM 4 MB for /dev
14 | - Enable read-only for / and /var
15 |
16 | You need :
17 | - RAM 1GB minimum
18 | - Install OpenBSD on a single 3GB / partition without swap; at install time, deselect the sets with -x* -g* -c* +s*
19 |
20 | How to install ?
21 | Just package the install.site script into a set called siteXX.tgz. For more information, see the OpenBSD FAQ: Customizing the install process
22 |
23 | Enjoy!
24 |
25 | Use openbsd-rofs entirely at your own risk. No one will help you.
26 |
--------------------------------------------------------------------------------
/install.site:
--------------------------------------------------------------------------------
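#!/bin/ksh
#
# install.site -- turn a freshly installed OpenBSD system into a read-only
# appliance: / is mounted read-only, /var, /tmp and /dev live in RAM (mfs,
# populated from /mfs at mount time), and /usr/local/sbin/update-disk
# flushes the in-RAM /var back to disk.
#
# Runs from the installer (siteXX.tgz) with the new system on /mnt, so every
# path below carries the /mnt prefix; the scripts generated here
# (update-disk, rc.firsttime, rc.local, rc.shutdown) run on the installed
# system and use the real paths.
# NOTE(review): recent installers may run install.site chrooted into the new
# root (see the FAQ section the README cites); confirm that /mnt is the right
# prefix for the release you target.

# Debug mode
# set -x

# Create the update-disk script. '>' (not '>>') so that re-running this site
# script does not append a second copy to an existing file.
cat <<'EOF' > /mnt/usr/local/sbin/update-disk
#!/bin/ksh
# update-disk -- remount / read-write, refresh the random seeds and motd,
# sync the in-RAM /var back to /mfs/var, then return / to read-only.
# Called from rc.shutdown and from root's crontab.

# Enable write on / slice; nothing below makes sense if this fails
/sbin/mount -uw / || exit 1

# push the old seed into the kernel
dd if=/var/db/host.random of=/dev/random bs=65536 count=1 status=none
chmod 0600 /var/db/host.random
# ... and create a future seed
dd if=/dev/random of=/var/db/host.random bs=65536 count=1 status=none
# and create a seed file for the boot-loader
dd if=/dev/random of=/etc/random.seed bs=512 count=1 status=none
chmod 0600 /etc/random.seed

# Patch /etc/motd: refresh the first line (kernel version) and keep
# everything after the first blank line.
if [[ ! -f /etc/motd ]]; then
    install -c -o root -g wheel -m 664 /dev/null /etc/motd
fi
if T=$(mktemp /tmp/_motd.XXXXXXXXXX); then
    sysctl -n kern.version | sed 1q >"$T"
    echo "" >>"$T"
    # Read the body from the existing motd and append it to the new header.
    # The previous form ('sed ... >$T') truncated the header just written
    # and read stdin, which blocks when run from cron.
    sed '1,/^$/d' </etc/motd >>"$T"
    cmp -s "$T" /etc/motd || cp "$T" /etc/motd
    rm -f "$T"
fi

# Sync /var (the mfs copy) back to /mfs/var on disk; sockets are skipped
/usr/local/bin/rsync -vhaz --delete -f "- *.sock" /var/ /mfs/var/

# Go back to Read-Only
/sbin/mount -ur /
EOF

# Permissions on update-disk
chmod 0555 /mnt/usr/local/sbin/update-disk
chown root:bin /mnt/usr/local/sbin/update-disk

# Fix installpath variable to be able to add packages (only when the
# installer did not already write a pkg.conf)
[ -f /mnt/etc/pkg.conf ] || echo installpath=ftp2.fr.openbsd.org > /mnt/etc/pkg.conf

# Run once at first boot (appended to the installer's own rc.firsttime)
cat <<'EOF' >> /mnt/etc/rc.firsttime
# openbsd-rofs: make sure / is writable here, in case rc.local has already
# remounted it read-only earlier in this boot.
/sbin/mount -uw /

# Add rsync
pkg_add rsync--

# Enable Read-only file system for /: rewrite fstab through a private
# mktemp file (a $RANDOM name in /tmp is predictable) and copy it over
# the original so ownership and mode are preserved.
rofs_tmp=$(mktemp /tmp/fstab.XXXXXXXXXX) &&
    sed 's/ffs rw/ffs ro/' /etc/fstab > "$rofs_tmp" &&
    cp "$rofs_tmp" /etc/fstab
chmod 0644 /etc/fstab
chown root:wheel /etc/fstab
[ -n "$rofs_tmp" ] && rm -f "$rofs_tmp"
EOF

# rc.local: once the boot has finished, make sure / is read-only.
cp -p /mnt/etc/examples/rc.local /mnt/etc
cat <<'EOF' >> /mnt/etc/rc.local
# openbsd-rofs: remount / read-only unless a non-mfs mount already is.
# NOTE(review): mount(8) reports such a mount as "read-only"; the previous
# 'grep ro' matched any line containing "ro", so / was always remounted.
mount | grep -v mfs | grep -q 'read-only' || mount -ur /
EOF

# Create /mfs, the on-disk images of the RAM filesystems
mkdir -p /mnt/mfs/dev /mnt/mfs/var

# Populate /mfs/var with the installed /var, then empty the real /var (it
# becomes an mfs mount point). Never empty it if the copy failed.
(cd /mnt/var && tar -cpf - . | tar -xpf - -C /mnt/mfs/var) || exit 1
rm -rf /mnt/var/*

# Populate /mfs/dev; MAKEDEV creates the nodes in its working directory,
# so run it in a subshell to leave our own cwd untouched.
cp -p /mnt/dev/MAKEDEV /mnt/mfs/dev
(cd /mnt/mfs/dev && /mnt/dev/MAKEDEV all) || exit 1

# RAM filesystems; -P populates the mfs from /mfs at mount time
# /var, allocate 400 MB
echo "swap /var mfs rw,-P=/mfs/var,-s400m,nodev 0 0" >> /mnt/etc/fstab

# /dev, allocate 4 MB
echo "swap /dev mfs rw,-P=/mfs/dev,-s4m,-i128,nosuid,noexec 0 0" >> /mnt/etc/fstab

# /tmp, allocate 40 MB
echo "swap /tmp mfs rw,-s40m,nodev,nosuid,noexec 0 0" >> /mnt/etc/fstab

# Install rc.shutdown script and append our steps
cp -p /mnt/etc/examples/rc.shutdown /mnt/etc
cat <<'EOF' >> /mnt/etc/rc.shutdown
# openbsd-rofs: flush the in-RAM /var back to disk
/usr/local/sbin/update-disk
# Fix write on /dev at shutdown to avoid error like "init: /etc/fstab: chmod(/dev/console): Read-only file system"
mount -uw /
EOF

# Sync every 2 hours, at minute 0 ('* */2' would run every minute of every
# second hour). The script is update-disk; the old entry named update_disk,
# which does not exist, so the cron sync never ran.
echo "0 */2 * * * /usr/local/sbin/update-disk >/dev/null 2>&1" >> /mnt/mfs/var/cron/tabs/root
# NOTE(review): crontab(1) creates tab files as mode 0600; cron(8) may
# refuse a tab with a different mode, so match it here.
chmod 0600 /mnt/mfs/var/cron/tabs/root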
105 |
--------------------------------------------------------------------------------