Readonly filesystem on OpenBSD

Please bear in mind that (I believe) a readonly filesystem is all or mostly or at least somewhat unsupported by the project. That said, there are probably several ways to do this. I do the same for my firewall/gateway (APU2) and also a Raspberry Pi 3. My RPi3 example follows:

Note: on these machines, I configure the drive with only a single partition: /

First, configure machine as desired, then edit /etc/fstab:

9f09af6a8851443a.a / ffs rw,wxallowed 1 1
swap /dev mfs rw,-P=/mfs/dev,-s=8192,-i=128,noexec,nosuid 0 0
swap /etc mfs rw,-P=/mfs/etc,-s=204800 0 0
swap /home mfs rw,-P=/mfs/home,-s=409600 0 0
swap /tmp mfs rw,-s=409600 0 0
swap /var mfs rw,-P=/mfs/var,-s=409600,noexec,nosuid 0 0

The -P and -s options are described in mount_mfs. You might want to play around with other mount options (nodev, nosuid, etc.) to tighten up the above example.

Prepare /mfs/dev:

mkdir -p /mfs/dev
cp -p /dev/MAKEDEV /mfs/dev
cd /mfs/dev

The above fstab will cause the new memory file systems to be populated with items found in /mfs, so copy them to /mfs:

cp -RPp /etc /mfs
cp -RPp /home /mfs
cp -RPp /var /mfs

The final piece is to create or edit /etc/rc.local and place the following line at the top:

mount -r /

Then reboot. My experience is that this provides a safe (?) and very durable configuration. There are some things to consider:

Changes made anywhere in /etc, /home, and /var that you wish to make permanent will need to be copied into the corresponding directory in /mfs. This includes records of pkg_add, pkg_delete, syspatch, and perhaps other actoins (which are stored in /var as far I can tell).

mount -w /

And then copy your changes to the appropriate /mfs directory. Then set back to readonly:

mount -r /

Changes to /etc/fstab will often need to be reflected in the original /etc location. In this case, you might need to remove the card or drive from your machine and mount it elsewhere and edit the original /etc/fstab and then also copy those changes into /mfs/etc. I hope I am making sense.

As for logs and such, either ship them off to a different machine, or on some schedule that makes you comfortable, do something like:

mount -w /
cp -RPp /var/log /mfs/var
mount -r /

There may be other logs you wish to keep as well, but the above should work for a minimally configured firewall/gateway.

I have noticed one instance during which syspatch would not apply a patch given the above configuration. The solution was to undo the mfs changes to (the orignal) /etc/fstab (which I had to do after mounting the drive on another machine), booted the drive, ran syspatch, re-copied /var back into /mfs, and finally re-applied the mfs entries in /etc/fstab, and then rebooted.

While I have good success with this configuration, there does seem to be a hackish quality about it. Please use with caution. And, remember, this is almost certainly not supported by the project.