bind mounting read-only using fstab on Ubuntu?

Solution 1:

On older kernels, mount --bind cannot create a read-only view of a read-write filesystem. The kernel stores the read-write status of the filesystem in a single place which is not duplicated by the bind mount. Newer kernels allow this but still require a separate mount step: first bind, then make read-only. There is a kernel patch to change that, and some distributions (such as Debian) have applied it, but Ubuntu hasn't (at least not as of 12.04).

One solution is to create the read-only view from a boot script instead from /etc/fstab, as Oli explains.

Otherwise, you can use bindfs instead. This is a FUSE filesystem. Going through FUSE is slightly slower as it introduces an additional layer of indirection. You also lose support for extended file metadata such as ACLs. On the flip side, the read-only view will have a recognizable filesystem type, making it easy to exclude from filesystem traversals (such as locate and backups).

The fstab entry looks like this:

bindfs#/src  /dst  fuse perms=a=rX

Solution 2:

According to this LWN article, this behaviour snuck into the Kernel around version 2.6.25. In short if the target filesystem is rw, binding something on top can't convert it to ro.

In 2.6.26 they partially fixed things so you can trigger a remount (as you've discovered) but there's still no way to do that from within fstab.

Here's what I was trying in fstab:

/home/oli/Desktop/testmount  /mnt none bind,ro

After firing a mount -a, /mnt was mounted but I could still create files. After then firing off sudo mount -o remount /mnt, it became read-only.

So yes, I think the cleanest method is to either have a line in /etc/rc.local or write a super-simple Upstart script that starts on the mountall event (so it happens immediately).