Red Hat Summit Red Hat SummitSupportConsoleDéveloppeursCommencer un essaiContact

Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 21. Setting read-only permissions for the root file system

Sometimes, you need to mount the root file system (/) with read-only permissions. Example use cases include enhancing security or ensuring data integrity after an unexpected system power-off.

For the system to function properly, some files and directories need to retain write permissions. When the root file system is mounted in read-only mode, these files are mounted in RAM using the tmpfs temporary file system.

The default set of such files and directories is read from the /etc/rwtab file. Note that the readonly-root package is required to have this file present in your system. 

dirs	/var/cache/man
dirs	/var/gdm
<content truncated>

empty	/tmp
empty	/var/cache/foomatic
<content truncated>

files	/etc/adjtime
files	/etc/ntp.conf
<content truncated>
Copy to Clipboard Toggle word wrap

Entries in the /etc/rwtab file follow this format: 

copy-method    path
Copy to Clipboard Toggle word wrap

In this syntax:

  • Replace copy-method with one of the keywords specifying how the file or directory is copied to tmpfs.
  • Replace path with the path to the file or directory.

The /etc/rwtab file recognizes the following ways in which a file or directory can be copied to tmpfs:

empty

An empty path is copied to tmpfs. For example: 

empty /tmp
Copy to Clipboard Toggle word wrap
dirs

A directory tree is copied to tmpfs, empty. For example: 

dirs /var/run
Copy to Clipboard Toggle word wrap
files

A file or a directory tree is copied to tmpfs intact. For example: 

files /etc/resolv.conf
Copy to Clipboard Toggle word wrap

The same format applies when adding custom paths to /etc/rwtab.d/.

With this procedure, the root file system is mounted read-only on all following boots.

Procedure

  1. In the /etc/sysconfig/readonly-root file, set the READONLY option to yes to mount the file systems as read-only: 

    READONLY=yes
    Copy to Clipboard Toggle word wrap

  2. Add the ro option in the root entry (/) in the /etc/fstab file: 

    /dev/mapper/luks-c376919e...  /  xfs  x-systemd.device-timeout=0,ro  1  1
    Copy to Clipboard Toggle word wrap

  3. Enable the ro kernel option: 

    # grubby --update-kernel=ALL --args="ro"
    Copy to Clipboard Toggle word wrap

  4. Ensure that the rw kernel option is disabled: 

    # grubby --update-kernel=ALL --remove-args="rw"
    Copy to Clipboard Toggle word wrap

  5. If you need to add files and directories to be mounted with write permissions in the tmpfs file system, create a text file in the /etc/rwtab.d/ directory and put the configuration there.

    For example, to mount the /etc/example/file file with write permissions, add this line to the /etc/rwtab.d/example file: 

    files /etc/example/file
    Copy to Clipboard Toggle word wrap
    Important

    Changes made to files and directories in tmpfs do not persist across boots.

  6. Reboot the system to apply the changes.

Troubleshooting

  • If you mount the root file system with read-only permissions by mistake, you can remount it with read-and-write permissions again using the following command: 

    # mount -o remount,rw /
    Copy to Clipboard Toggle word wrap
Retour au début
Red Hat logoGithubredditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance. Découvrez nos récentes mises à jour.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez le Blog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

Theme

© 2025 Red Hat