Readonly filesystem on OpenBSD
Please bear in mind that (I believe) a readonly filesystem is all or mostly or at least somewhat unsupported by the project. That said, there are probably several ways to do this. I do the same for my firewall/gateway (APU2) and also a Raspberry Pi 3. My RPi3 example follows:
Note: on these machines, I configure the drive with only a single partition: /
First, configure machine as desired, then edit /etc/fstab:
    9f09af6a8851443a.a / ffs rw,wxallowed 1 1
    swap /dev mfs rw,-P=/mfs/dev,-s=8192,-i=128,noexec,nosuid 0 0
    swap /etc mfs rw,-P=/mfs/etc,-s=204800 0 0
    swap /home mfs rw,-P=/mfs/home,-s=409600 0 0
    swap /tmp mfs rw,-s=409600 0 0
    swap /var mfs rw,-P=/mfs/var,-s=409600,noexec,nosuid 0 0
The -P and -s options are described in mount_mfs. You might want to play around with other mount options (nodev, nosuid, etc.) to tighten up the above example.
    mkdir -p /mfs/dev
    cp -p /dev/MAKEDEV /mfs/dev
    cd /mfs/dev
    ./MAKEDEV all
The above fstab will cause the new memory file systems to be populated with items found in /mfs, so copy them to /mfs:
    cp -RPp /etc /mfs
    cp -RPp /home /mfs
    cp -RPp /var /mfs
The final piece is to create or edit /etc/rc.local and place the following line at the top:
    mount -r /
Then reboot. My experience is that this provides a safe (?) and very durable configuration. There are some things to consider:
Changes made anywhere in /etc, /home, and /var that you wish to make permanent will need to be copied into the corresponding directory in /mfs. This includes records of pkg_add, pkg_delete, syspatch, and perhaps other actions (which are stored in /var as far as I can tell).
    mount -w /
And then copy your changes to the appropriate /mfs directory. Then set back to readonly:
    mount -r /
Changes to /etc/fstab will often need to be reflected in the original /etc location. In this case, you might need to remove the card or drive from your machine and mount it elsewhere and edit the original /etc/fstab and then also copy those changes into /mfs/etc. I hope I am making sense.
As for logs and such, either ship them off to a different machine, or on some schedule that makes you comfortable, do something like:
    mount -w /
    cp -RPp /var/log /mfs/var
    mount -r /
There may be other logs you wish to keep as well, but the above should work for a minimally configured firewall/gateway.
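The commit procedure described above (remount / read-write, copy the live directories into /mfs, remount read-only) as a small script. This is an added example, not part of the original post: it assumes the fstab layout shown earlier (/etc, /home and /var as mfs populated from /mfs), and the LIVE_ROOT, MFS_ROOT and MOUNT variables are hypothetical knobs so the functions can be pointed at a scratch directory. The one thing it adds over the hand-typed version is that the root is returned to read-only even when a copy fails.

```shell
#!/bin/sh
# Added example: commit live changes from the mfs overlays back to the
# persistent copies under /mfs, then return / to read-only.
#
# LIVE_ROOT: prefix of the running system (empty means "/").   Hypothetical knob.
# MFS_ROOT:  where the -P=/mfs/... populate sources live.        Hypothetical knob.
# MOUNT:     the mount(8) command; can be replaced for testing.  Hypothetical knob.
LIVE_ROOT="${LIVE_ROOT:-}"
MFS_ROOT="${MFS_ROOT:-/mfs}"
MOUNT="${MOUNT:-mount}"

# commit_dirs DIR...
# Copy each DIR (relative to the live root, e.g. "etc" or "var/log") into
# $MFS_ROOT with cp -RPp, exactly as the post does by hand.  Copying the
# directory itself into its parent under $MFS_ROOT means an existing
# $MFS_ROOT/var/log is merged into, not replaced.  Returns 1 if any copy failed.
commit_dirs() {
    status=0
    for d in "$@"; do
        src="$LIVE_ROOT/$d"
        if [ ! -d "$src" ]; then
            echo "commit_dirs: skipping $src (not a directory)" >&2
            continue
        fi
        parent="$MFS_ROOT/$(dirname "$d")"
        mkdir -p "$parent" || { status=1; continue; }
        cp -RPp "$src" "$parent" || status=1
    done
    return $status
}

# commit_to_mfs DIR...
# Make / writable, commit the listed directories, and always remount / read-only
# afterwards, reporting the copy status rather than leaving the disk writable.
commit_to_mfs() {
    $MOUNT -w / || return 1
    commit_dirs "$@" && rc=0 || rc=$?
    $MOUNT -r / || return 1
    return $rc
}

# Usage (only runs when invoked as a script with an explicit argument):
#   sh commit-mfs.sh commit            -> commit etc, home and var/log
if [ "${1:-}" = "commit" ]; then
    commit_to_mfs etc home var/log
fi
```

Run as `sh commit-mfs.sh commit` on the device itself; for a log-only sync on a schedule, call `commit_to_mfs var/log` from cron the same way the post suggests.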
I have noticed one instance during which syspatch would not apply a patch given the above configuration. The solution was to undo the mfs changes to (the original) /etc/fstab (which I had to do after mounting the drive on another machine), boot the drive, run syspatch, re-copy /var back into /mfs, re-apply the mfs entries in /etc/fstab, and then reboot.
While I have good success with this configuration, there does seem to be a hackish quality about it. Please use with caution. And, remember, this is almost certainly not supported by the project.