Jane Dogalt (jdogalt(a)yahoo.com) said:
> However, one of the downsides of this approach is it (essentially) makes
> the whole root filesystem read-write, which loses some of the benefits
> of readonly-root (and makes it a whole lot easier to DoS yourself.)
This is basically just an alternate implementation of unionfs.
It's not 100% the same, though - with dm, you're operating at the
block device level, so you have to add the copy-on-write device for the whole
block device (i.e., the entire filesystem.)
Since unionfs is a filesystem, it can theoretically be spliced in
at any level of the tree you want, thereby keeping most of the
filesystem truly read-only.
Bill