Hi,

I'm a little late to the party; I missed this topic, which is very
important to me.

On Thu, 15 Nov 2018 15:26:03 +0100
jean-yves boisiaud <jean-yves.boisi...@alcor-consulting.fr> wrote:

> Now, OpenBSD needs root FS mounted RW. And, from 6.4, even if fstab
> says root fs to be mounted RO, it stays RW and it is not possible to
> remount it RO manually. And lsof has been retired...

You can still mount rootfs RO. The trick is not to specify it as RO in
fstab, but to create a script in rc.conf.local which will periodically
check if the reorder_kernel script has finished its job, and only then
remount the partitions RO.

More details on my [WARNING!BLATANT-SELF-PROMOTION-BELOW!] blog:
[https://www.mimar.rs/blog/how-to-increase-openbsds-resilience-to-power-outages]

BUT, as I wrote there, there are problems with the above setup on 6.4.
I noticed tcpdump won't work when /etc is mounted RO. There is already
a patch available for testing, but I haven't yet found the time to get
to it:
[https://marc.info/?l=openbsd-bugs&m=154056998503006&w=2]

I have information that even if this patch is accepted, it won't be
released as a syspatch for 6.4, as it is not security-related.

I am reluctant to install RO 6.4 on my production firewalls because I
don't know if tcpdump is the only thing affected by the unveil bug, or
whether there are other components of the system that will behave
badly because of RO file systems.

Finally, RO rootfs is unsupported by OpenBSD, but I sincerely hope devs
will consider the fact that some users depend on it, and try not to
break it completely down the road.

Regards,
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chip wood, draw water.

Marko Cupać
https://www.mimar.rs/
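
The approach described in the message above (poll until reorder_kernel has finished, then remount read-only), as an added example; it is not the poster's script or OpenBSD project code. It assumes the relink is visible in the process table under the name "reorder_kernel" and has already been started when the function is called; the function name, mount points, timeout and poll interval are illustrative.

```sh
#!/bin/sh
# Added example: wait for the background kernel relink to finish, then
# remount the listed file systems read-only.
# Assumptions: the relink appears in the process table as "reorder_kernel"
# and is already running when this is called; values below are illustrative.

# Commands are indirected so the logic can be dry-run on a non-OpenBSD host.
: "${PGREP:=pgrep}"
: "${MOUNT:=mount}"
: "${SLEEP:=sleep}"

relink_running() {
	# True while a reorder_kernel process exists (-f matches the full
	# command line, since the relink runs as a shell script).
	"$PGREP" -f reorder_kernel >/dev/null 2>&1
}

remount_ro_after_relink() {
	# usage: remount_ro_after_relink <timeout_s> <interval_s> <mountpoint>...
	timeout=$1
	interval=$2
	shift 2
	waited=0
	while relink_running; do
		if [ "$waited" -ge "$timeout" ]; then
			# Fail safe: never pull the file system out from under the relink.
			echo "reorder_kernel still running after ${timeout}s; staying RW" >&2
			return 1
		fi
		"$SLEEP" "$interval"
		waited=$((waited + interval))
	done
	rc=0
	for mp in "$@"; do
		# -u updates an existing mount, -r makes it read-only.
		"$MOUNT" -ur "$mp" || { echo "remount of $mp failed" >&2; rc=2; }
	done
	return "$rc"
}

# Example invocation, backgrounded so boot is not delayed:
# remount_ro_after_relink 600 5 / /usr &
```

A return code of 1 means the timeout expired with the relink still running and nothing was remounted; 2 means at least one remount failed, typically because a file is still open for writing on that file system.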
