Linux with / mounted read-only 2.0

November 15th, 2009

(This is a new version of a previous post updated to work with Ubuntu 9.10 (karmic).)

I wondered why you usually mount / (the root file system) read-write in Linux and decided to do some experiments to find out if it is possible to have it mounted read-only.

So why do you want to do that? Perhaps you have the root file system on a read-only media, such as CD-ROM. Or on a writable media which can only handle a limited number of writes, such as a CD-RW or flash disk. It would also increase security since it will be more difficult (though not impossible) for some malware to infect your system.

I found out that it is possible to mount / read-only, but only after some tweaking. Here is how I did it in Ubuntu 9.10 (karmic) desktop.

The first obvious step is to change the mount options to “ro” for / in /etc/fstab and reboot. But the tweaking has to be done first, so don’t reboot yet!

There are some locations in the file system which has to be writeable, the solution is to mount them as tmpfs. After some experiments, I found out that I had to mount the following locations as tmpfs (assuming that /dev is already mounted in an appropriate way):

  • /tmp
  • /media
  • /var/run
  • /var/lock
  • /var/tmp
  • /var/crash
  • /var/log
  • /var/lib/xkb
  • /var/lib/gdm
  • /var/lib/dhcp3 (only if you use DHCP client)
  • /var/lib/nfs (only if you use NFS)
  • /var/spool/cups

Ubuntu mounts /var/run and /var/lock as tmpfs by default. This is done by the mountall tool.

Add this to /etc/fstab:

none /tmp             tmpfs mode=1777,nodev,exec,nosuid 0 0
none /media           tmpfs mode=0755,nodev,noexec,nosuid 0 0
none /var/tmp         tmpfs mode=1777,nodev,noexec,nosuid 0 0
none /var/crash       tmpfs mode=0755,nodev,noexec,nosuid 0 0
none /var/spool/cups  tmpfs mode=0710,nodev,noexec,nosuid,gid=lp 0
none /var/log         tmpfs mode=0755,nodev,noexec,nosuid 0 0
none /var/lib/dhcp3   tmpfs mode=0755,nodev,noexec,nosuid 0 0
none /var/lib/xkb     tmpfs mode=0755,nodev,noexec,nosuid 0 0
none /var/lib/gdm     tmpfs mode=0775,nodev,noexec,nosuid,gid=gdm 0 0
none /var/lib/nfs     tmpfs mode=0755,nodev,noexec,nosuid 0 0

And add this to /etc/rc.local:

mkdir /var/log/apt

There are some files in /etc which have to be writeable:

  • /etc/mtab
  • /etc/resolv.conf (only if you use DHCP client and let it set DNS configuration)

I handle /etc/mtab by symlink it to /proc/mounts, that has some minor side-effects but I can live with it. I handle /etc/resolv.conf by symlinking it to /var/lib/dhcp3/resolv.conf. In order for this to work, you have to patch the DHCP client (dhcp3-client) accodring to this bug report (use the new version of the patch).

You also have to mount /home read-write somewhere, and I would not recommend using tmpfs. You can use a separate hard disk partition or NFS.

It is a bit tricky to get this to work with NFS. You have to set the NFS mount points in /etc/fstab as noauto and add these lines to /etc/init/statd.conf just before status portmap...

mkdir /var/lib/nfs/sm
mkdir /var/lib/nfs/sm.bak
mkdir /var/lib/nfs/rpc_pipefs

Then mount the NFS shares in /etc/gdm/PostLogin/Default. For some reason it did not work to do it from /etc/rc.local, perhaps due to delay in DHCP lookup.

Finally it might be a good idea to set a password for the root account, this enables you to switch to a virtual console (Ctrl-Alt-F1) and login as root if something goes wrong.

If you then do want to change anything, such as edit a file in /etc or install or upgrade a package, you can just remount / as read-write temporary (assuming that the media actually is writeable):
sudo mount -o rw,noatime,remount /

and revert to read-only when finished:
sudo mount -o ro,noatime,remount /

Note that this setup is for a desktop or laptop system, it’s probably not appropriate for a server.

If you have plenty of RAM (such as at least 1 GB), then you can also mount /var/cache/apt as tmpfs. That helps if you have limited free space on / and want to do a distribution upgrade.

Add this to /etc/fstab:

none /var/cache/apt   tmpfs mode=0755,nodev,noexec,nosuid 0 0

And add this to /etc/rc.local:

mkdir -p /var/cache/apt/archives/partial

Posted in Linux | 4 Comments »

How to get microphone to work un Ubuntu 9.04

September 18th, 2009

I finally got the microphone input on my Acer Veriton X270 to work un Ubuntu 9.04.

The trick is to uninstall PulseAudio and use ALSA only.

It even works in Skype.

Posted in Linux, hardware | 1 Comment »

java.util.Map is broken in Java 5

August 13th, 2009

Java 5 added generics. The collection classes was modified to make use generics to provide compile-time type-safe collections. Sadly, this was not done properly.

The worst problem is in the interface java.util.Map:

public interface Map<K,V> {
    // more methods...

    V get(Object key);
    V remove(Object key);
    boolean containsKey(Object key);
    boolean containsValue(Object key);
}

The key parameters to these methods ought to be declared to be K and not Object. Now we don’t get any type-safety for those methods. If you create a HashMap<String,String> and then by mistake try to use an int as key when looking up a value, you will not get any compile-time error. Worse yet, you will not even get any run-time error, it will just appear as if there is no value with that key (which in some sense is correct).

This can cause hard to find bugs like this:

public class MapTest {
    private Map<String,String> map = new HashMap<String,String>();

    public void setFoo(int i, String s) {
        map.put(String.valueOf(i), s);
    }

    public String getFoo(int i) {
        return map.get(i); // OOPS, should have been String.valueOf(i)
    }
}

(Yes, this code is pretty stupid, but it’s only a simple example.)

There are similar problems in java.util.Collection (contains and remove methods) and some other interfaces, but that’s less serious since they are not used very often. However, it’s very serious in java.util.Map since you always use the get method.

Posted in Java | 1 Comment »

Misuse of HTTP GET is a cardinal sin

July 17th, 2009

According to the RESTful style, you should make use of the four HTTP methods GET, POST, PUT and DELETE. However, in many cases only GET and POST is used, and POST is used when you really should use PUT or DELETE. I consider this as a quite minor issue.

However, using GET instead of POST (or PUT or DELETE) is much worse.

The current HTTP 1.1 specfication (RFC-2616) clearly states that a GET request must be safe, i.e. not have any significant side-effect on the server. So in order to change anything on the server, you must use POST (or PUT or DELETE). The older HTTP 1.0 specification (RFC-1945) from 1996 said the same.

This is important because the HTTP protocol supports caching, both in the client and in intermediate proxies. This caching may result in that GET requests will not get through to the server all the time. If you use GET to perform some action on the server, it will not work reliably unless you do ugly workarounds to circumvent the caching.

Public specifications of the HTTP protocol has made this clear for more than 12 years now. Misuse of the GET method in a web application, web service or any other application of HTTP is a cardinal sin.

Posted in web | 5 Comments »

Running Ubuntu Linux on Acer Veriton X270

July 3rd, 2009

I recently brought an Acer Veriton X270.

Ubuntu Linux 8.04 works well except for sound. Basic stereo sound output works, but sound input (microphone) and some advanced 3D and surround sound does not work. The front headphone jack does not work correctly either. (All this works in Windows, so it’s not a hardware problem.)

Apart from the poor sound support in Linux, I am quite happy with this computer. It’s small (though not super small like Mac Mini or Fujitsu ESPRIMO Q), quiet, has all features you need and works out of the box. And it has a compelling price.

An odd detail is that it has HDMI instead of DVI for digital video output (it has VGA too, but who wants to use that nowadays?). But with a cheap HDMI-DVI adapter, you can connect a regular DVI display.

Posted in Linux, hardware | 2 Comments »

Type safe JSP and JSTL

April 23rd, 2009

When using JavaServer Pages, you want to use JSTL to be able to to flow-control (iterations and conditionals) in a reasonable way. And the recommended way to use JSTL is to use the Expression Language (EL).

However, using EL is not a good idea at all. Contrary to Java and plain JSP, EL lacks static typing. This means that many errors which the compiler can catch is not detected until runtime when using EL. And even worse, EL doesn’t even do proper type checking at runtime. In many cases you just end up with an empty string when it in fact is a type error.

Proponents of dynamic languages usually say that static typing is not necessary since you should have automated testing of your code anyway, and that will catch any errors. However, automated testing of web pages is difficult and awkward. And reasonable dynamic languages (such as Python and Ruby) at least do type checking at runtime and generate a visible runtime error.

Fortunately, there is a feature of JSTL called rtexpvalue which makes it possible to use JSTL without EL and keep the static typing.

First you have to use alternative versions of the JSTL tag libraries:

<%@ taglib uri="http://java.sun.com/jstl/core_rt" prefix="c" %>
<%@ taglib uri="http://java.sun.com/jstl/fmt_rt" prefix="fmt" %>
<%@ taglib uri="http://java.sun.com/jstl/xml_rt" prefix="x" %>
<%@ taglib uri="http://java.sun.com/jstl/sql_rt" prefix="sql" %>

Then you use plain JSP expressions instead of EL:

<jsp:useBean scope="request" id="fuits" class="java.util.List"/>
<jsp:useBean scope="request" id="foo" class="com.acme.Foo"/>

<c:if test="<%= foo.isBar() %>">
	<p>Foo is bar since <fmt:formatDate type="time" value="<%= foo.getDate() %>"/></p>
</c:if>
<c:forEach items="<%= fruits %>" var="fruit">
	  <jsp:useBean id="fruit" class="com.acme.model.Fruit"/>
	      <tr>
	        <td><%= fruit.getColor() %></td>
	        <td><%= fruit.getTaste() %></td>
              </tr>
</c:forEach>

As you see, you have to declare the variables using <jsp:useBean>.

This makes the syntax a bit more clumsy, but that’s a price worth to pay to get the static typing.

To get the full benefit of the static typing, you should compile all your JSP pages offline before deploying the web application. The best way to do this is to integrate JSP compilation in your build process so that JSP pages is compiled at the same time as your regular Java code is compiled. If you use Maven, you can use this plugin.

Posted in Java, JavaEE, web | 1 Comment »

java -classpath *.jar

April 23rd, 2009

It’s quite annoying that you cannot use wildcards in the -classpath command line option to java and javac. Quite often you want to include all .jar files in one directory.

Here is a way to get that effect:

java -classpath `echo lib/*.jar | sed -e “s/ /:/g”` org.foo.MyApp

You can even include all .jar files in a whole hierarchy of directories:

java -classpath `find repository -name *.jar -printf %p:` org.foo.MyApp

In general it’s better to use Ant or Maven for compiling and Java Service Wrapper for running, they have built-in support for wildcards. But they require some upfront setup, so my solution is useful for ad-hoc usage.

This works in Linux and probably in Solaris and other UNIX systems. If you use Windows, you need to install cygwin or similar.

Posted in Java | 1 Comment »

Things you might want to change in Ubuntu 8.04 (hardy) desktop, part 2

January 22nd, 2009

After installing Ubuntu 8.04 (hardy) desktop, there are some things you might want to change. This article focus on user configuration (mostly editing dot files in your home directory) and do not require superuser access. Some of this changes requires that you log out to take effect.

Customize the bash shell

By default, bash save all commands in a history file. This can be quite annoying when you run several instances of the shell in parallel, and may also be a security concern. Add this line at the beginning of ~/.bashrc to only keep command in memory until you exit the shell:

unset HISTFILE
Customize the nano editor

Add this to ~/.nanorc:

unset backup
unset historylog
set nowrap
set quickblank
set tabsize 4
set morespace
Customize xterm

I prefer to use xterm instead of the default GNOME terminal. xterm does not look so good by default, by using this you can get it to look almost like GNOME terminal, but faster and with smaller memory footprint. Add this to ~/.Xresources:

XTerm*faceName: monospace
XTerm*faceSize: 10
XTerm*vt100.Background: white
XTerm*vt100.Foreground: black
XTerm*vt100.metaSendsEscape: true

xterm*saveLines: 1000
xterm*vt100.translations: #override \n\
                 <BtnUp>: select-end(PRIMARY, CLIPBOARD, CUT_BUFFER0) \n

Then open “Perferred Applications” in “Preferences” in the System menu, open the “System” tab and select “Standard XTerminal”.

See also part 1.

Posted in Linux | 1 Comment »

How to setup PPTP VPN in Linux

January 19th, 2009

1. Create a file /etc/ppp/peers/name:

pty "pptp host --nolaunchpppd"
name username
remotename PPTP
require-mppe-128
file /etc/ppp/options.pptp
ipparam name

2. Add this line to the file /etc/ppp/chap-secrets:

username PPTP password *

3. Create a file /etc/ppp/ip-up.d/tunnel

#!/bin/sh

if [ "${PPP_IPPARAM}" = "name" ]; then
route add -net RemoteNetworkWithNetmask dev ${PPP_IFACE}
fi

RemoteNetworkWithNetmask is the network on the remote side you want to access via the VPN tunnel, e.g. 172.16.0.0/12.

Connect by running sudo pon name
Disconnect by running sudo poff
Check what happends by running plog

You can setup several VPN connections with different names, but I’m not sure if it’s possible to connect to more than one at the same time.

This is tested in Ubuntu desktop 8.04 (hardy) desktop.

Posted in Linux | 2 Comments »

Things you might want to change in Ubuntu 8.04 (hardy) desktop, part 1

January 16th, 2009

After installing Ubuntu 8.04 (hardy) desktop, there are some things you might want to change. This article focus on system configuration (mostly editing in /etc) and requires superuser access (using sudo). Some of this changes requires reboot to take effect.

Fix terminal font rendering bug

There is a bug which gives bad font rendering in the terminal window. Fix it by doing this in a terminal:

cd /etc/fonts/cond.d
sudo unlink 10-hinting-medium.conf
sudo ln -s ../conf.avail/10-hinting-full.conf
Fix bug in DHCP client

Fix a bug in the DHCP client described here.

Use GNU nano as default console text editor instead of vi

Add this line to /etc/profile:

export EDITOR=nano
Mount /tmp as tmpfs if you have plenty of RAM

Add this to /etc/init.d/mountkernfs.sh:

32a33,35
>       domount tmpfs "" /tmp -omode=1777,nodev,exec,nosuid
>       # this is necessary to avoid that files are removed later in the boot process
>       touch /tmp/.clean

And add this to /etc/init.d/mtab.sh:

100a101,101
>       domtab tmpfs /tmp "tmp" -omode=1777,nodev,exec,nosuid
Increase the limit of number of open files

Add this to /etc/security/limits.conf:

42a43,44
> *               hard    nofile          65536
> *               soft    nofile          65536
Setup some useful NTP servers and sync clock at each login

Setup some useful NTP servers in /etc/default/ntpdate.

Create a file /etc/X11/gdm/PostLogin/Default:

#!/bin/sh
#
# This script will be run before any setup is run on behalf of the user and is
# useful if you for example need to do some setup to create a home directory
# for the user or something like that.  $HOME, $LOGIN and such will all be
# set appropriately and this script is run as root.

ntpdate-debian -s
if [ $? -gt 0 ];
then
        logger -p user.err "ntpdate failed"
        zenity --warning --text "ntpdate failed"
else
        logger -p user.info "ntpdate successful"
fi

See also packages you might want to remove.

Posted in Linux | 1 Comment »

« Older Entries