I am trying to create an image with a read only file system based on your yocto/openembedded guide.
I have built core-image-minimal for MACHINE = "colibri-imx6" and added EXTRA_IMAGE_FEATURES += "read-only-fs" to local.conf. However when booting the resulting image (installed via the Toradex Easy Installer) it isn’t read-only, I can still create files anywhere (everywhere I tried at least). As far as I can tell read-only-rootfs has made no difference.
This question has been already discussed in our community forum a couple of times. I will link them below and please kindly have a look if they are relevant to your situation.
I have seen these 2, but couldn’t find an answer. I have tried core-image-minimal and console-tdx-image, no LXDE in sight as far as I can tell. The build runs successfully, no indication that something might not work with the read-only-fs. I just end up with a root fs that is still writable.
Thanks again for your update, I only recently noticed that you have included EXTRA_IMAGE_FEATURES += "read-only-fs" instead of read-only-rootfs.
There exists no flag named “read-only-fs”.
Was it a typo in the question or perhaps it could be the reason for the writable rootfs?
Hello @saijanani.tx ,
Oops, that was a mistake typing this up. I use read-only-rootfs. I also built the same image (that sets EXTRA_IMAGE_FEATURES_append = " read-only-rootfs") for a different machine and it works there.
This time I built the image using BSP 2.8 for a custom machine based on the colibri-imx6. The only differences are that the custom machine sets a custom device tree and selects linux-toradex-rt as the default kernel. This image, however, is based on the non-RT kernel (overridden in local.conf), since we had issues with the RT kernel.
Thank you for your patience. We have been able to reproduce the same issue at our side and we are currently looking into why it happens and what could be a possible workaround.
We will keep you updated on the developments promptly.
It seems ro is passed to the kernel, but it seems to ignore it.
No, initially the root file system always gets mounted read-only and systemd will subsequently re-mount it read/write. To avoid this I believe fstab needs adjusting as well. Did you do that?
Can you specify what exactly does not work? What is expected from your side? Are you talking about run time or build time?
Our Reference Images contain some configurations that are put in place at first boot rather than at build time.
Furthermore, there exists a systemd remount service, which may or may not be enabled in the presence of read-only rootfs. The service is called systemd-remount-fs.service.
“Furthermore, there exists a systemd remount service, which may or may not be enabled in the presence of read-only rootfs.”
What does this mean? “may or may not” seems rather vague.
“As @marcel.tx pointed out, you need to adapt the file /etc/fstab … We will also investigate why this is not set by the option EXTRA_IMAGE_FEATURES_append = " read-only-rootfs".”
What was the result of this investigation? I ask because - as of 5.6.0 - it’s still not automatically changed as a result of specifying read-only-rootfs.
“It seems ro is passed to the kernel, but it seems to ignore it.”
In my testing “ro” is passed to kernel (/proc/cmdline) regardless of whether “read-only-rootfs” is specified in EXTRA_IMAGE_FEATURES_append.
In fact I can’t figure out what - if anything - passing “read-only-rootfs” to the build achieves. Either way it is required to manually change fstab to “,ro”. After changing fstab I see the same read only root behavior regardless of whether or not I specify “read-only-rootfs”. For either build (with/without “read-only-rootfs”) if I change / to be ‘ro’ in fstab, I get 3 new overlay filesystems created automatically, for /var/cache, /var/lib and /var/spool.
Looking in the build log for with and without “read-only-rootfs” I see no difference.
The demo-images that Toradex provides are built as a reference and are not including all functionality. As this specific feature is not integrated into the reference image you’re right that it is still not automatically changed.
The fact is that our demo image is ignoring the IMAGE_FEATURE, while still doing the rest so that you are able to enable it manually. Like seen in the previous answer:
You can also try to build a poky-image and see its behavior there.
Out of curiosity could you state which image you’re exactly trying to build and for which module?
Furthermore, could you post your build log here for me to have a look at it?
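
A check for the behaviour discussed in this thread, as an added example that is not part of any post above: it compares the options on the `/` entry in `/etc/fstab` with the live root mount in `/proc/mounts`. The function names are hypothetical and chosen for illustration.

```shell
#!/bin/sh
# Added example: compare what /etc/fstab requests for "/" with what is mounted.
# Function names are hypothetical; nothing here is Toradex or Yocto code.

# root_opts FILE: print the options field (4th column) of the last "/" entry
# in an fstab- or /proc/mounts-style file, skipping comment lines.
root_opts() {
    awk '$1 !~ /^#/ && $2 == "/" { opts = $4 } END { if (opts != "") print opts }' "$1"
}

# has_ro OPTS: succeed only if the comma-separated list has the exact option
# "ro" (so "errors=remount-ro" does not count).
has_ro() {
    case ",$1," in
        *,ro,*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_root FSTAB MOUNTS: print "fstab=<ro|rw|missing> live=<ro|rw>" and
# return 0 only when both fstab and the live mount are read-only.
audit_root() {
    fstab_opts=$(root_opts "$1")
    live_opts=$(root_opts "$2")
    if [ -z "$fstab_opts" ]; then want=missing
    elif has_ro "$fstab_opts"; then want=ro
    else want=rw
    fi
    if has_ro "$live_opts"; then live=ro; else live=rw; fi
    echo "fstab=$want live=$live"
    [ "$want" = ro ] && [ "$live" = ro ]
}

# On the target: sh this_script --live
if [ "${1:-}" = "--live" ]; then
    audit_root /etc/fstab /proc/mounts
fi
```

An output of `fstab=rw live=rw` matches the situation described in the thread, where the root entry in fstab has not been changed to include `ro`.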