I need to remount one directory (/src) as readonly in another location (/dst). This can be done like this:
$ sudo mount --bind /src /dst
$ sudo mount -o remount,ro /dst
However, I would like to use /etc/fstab to have the mount taking place at boot time and have seen different suggested solutions to this problem, e.g.
/src /dst none bind 0 0
/src /dst none remount,bind,ro 0 0
which unfortunately leaves the directory mounted read/write on my system and this
/src /dst none bind 0 0
/dst /dst none remount,bind,ro 0 0
which will issue an error when trying to mount /dst:
mount: /dst not mounted already, or bad option
The above solutions supposedly work on different distros, but unfortunately not on Ubuntu 10.04.4 LTS (kernel 2.6.32-41-server).
Any ideas how to accomplish this apart from placing the mount commands into /etc/rc.local?

According to this LWN article, this behaviour snuck into the Kernel around version 2.6.25. In short, if the target filesystem is rw, binding something on top can't convert it to ro.
In 2.6.26 they partially fixed things so you can trigger a remount (as you've discovered) but there's still no way to do that from within fstab.
Here's what I was trying in fstab:
After firing a mount -a, /mnt was mounted but I could still create files. After then firing off sudo mount -o remount /mnt, it became read-only.
So yes, I think the cleanest method is to either have a line in /etc/rc.local or write a super-simple Upstart script that starts on the mountall event (so it happens immediately).

On older kernels, mount --bind cannot create a read-only view of a read-write filesystem. The kernel stores the read-write status of the filesystem in a single place which is not duplicated by the bind mount. Newer kernels allow this but still require a separate mount step: first bind, then make read-only. There is a kernel patch to change that, and some distributions (such as Debian) have applied it, but Ubuntu hasn't (at least not as of 12.04).
One solution is to create the read-only view from a boot script instead of from /etc/fstab, as Oli explains.
Otherwise, you can use bindfs instead. This is a FUSE filesystem. Going through FUSE is slightly slower as it introduces an additional layer of indirection. You also lose support for extended file metadata such as ACLs. On the flip side, the read-only view will have a recognizable filesystem type, making it easy to exclude from filesystem traversals (such as locate and backups).
The fstab entry looks like this:
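
Added example, not part of either answer and not the bindfs fstab entry referred to just above: a boot-script sketch of the bind-then-remount route both answers describe, with a check that fails if the bind mount is still writable. The function names, the sample mount tables, the script name and the `--apply` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: bind SRC at DST read-only from a boot script and verify it.

# mount_is_ro MOUNTPOINT [TABLE]
# Reads a /proc/mounts-format table (default /proc/mounts, "-" for stdin).
# Exit 0: mounted read-only, 1: mounted but writable, 2: not mounted.
# Options are split on commas and compared exactly, so "errors=remount-ro"
# on a writable mount is not mistaken for "ro". The last entry for the
# mount point decides, because later mounts shadow earlier ones.
mount_is_ro() {
    awk -v mp="$1" '
        $2 == mp { opts = $4; seen = 1 }
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == "ro") exit 0
            exit 1
        }' "${2:-/proc/mounts}"
}

# bind_readonly SRC DST: bind first, then make the bind mount read-only.
# The explicit "bind" in the remount (see mount(8)) keeps the change on the
# DST view only; the question's shorter form omits it.
bind_readonly() {
    mount --bind "$1" "$2" || return 1
    mount -o remount,bind,ro "$2" || return 1
    mount_is_ro "$2" || { echo "ERROR: $2 is still writable" >&2; return 1; }
}

# Constructed sample tables (not captured output): /dst as the fstab attempts
# in the question leave it, and /dst after the remount step.
sample_before() {
    printf '%s\n' '/dev/sda1 / ext4 rw,errors=remount-ro 0 0' \
                  '/dev/sda1 /dst ext4 rw,errors=remount-ro 0 0'
}
sample_after() {
    printf '%s\n' '/dev/sda1 / ext4 rw,errors=remount-ro 0 0' \
                  '/dev/sda1 /dst ext4 ro,errors=remount-ro 0 0'
}

# Hypothetical invocation from /etc/rc.local:  sh bind-ro.sh --apply /src /dst
if [ "${1:-}" = "--apply" ]; then
    bind_readonly "$2" "$3"
fi
```

Running `mount_is_ro /dst` after `mount -a` also shows whether a given fstab variant silently left the directory writable.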