Re: /boot partition changes when it should not



On one of the hardware platforms that I support, namely running Debian in
a virtual machine under z/VM (s390/s390x architecture), there is a
very simple solution to this whole problem: make the /boot partition
a read-only minidisk. That way, the hypervisor (the CP component
of z/VM) does not allow ANY write operations. Period. No exceptions.
Even root cannot write to it. If you try to remount the filesystem
read-write, you get I/O errors. The only way to write to it is to
tell the hypervisor to re-link it read/write. And you can prevent
that too, if you like, via security mechanisms in the hypervisor.
Also, the only supported boot loader for this architecture, zipl,
uses the "list of sectors" method, rather than "mounting" the filesystem,
in order to locate and load the kernel image and the initial RAM disk
image.

Unfortunately, that does not help *you*. But I wonder if some type
of x86 virtualization hypervisor could do something similar.
That's a lot of overhead if safeguarding the /boot partition is
all you want to do, but it is one possibility you might want to
look at, at least to *find* the problem. I'm afraid I don't know much
of anything about x86-based hypervisors, so I won't be of any help there.

If you can't figure out how to make grub use the "list of sectors"
method, I once again suggest that you switch to lilo. I switched to lilo
on my squeeze box for its "vga" option that allows me to get a different
hardware-level text mode than 80x25. grub version 1 (used by Lenny)
supports that, but grub version 2 (used by Squeeze) does not.
(Although I think I remember seeing a recent post to this list
that indicated that grub version 2 had recently been enhanced to support
the equivalent of the vga option.)

Anyway, I switched to lilo; it solved my problem; and I was happy.
I've never looked back.
I'll probably continue to use lilo unless and until I have a
compelling reason to switch to something else. For me, it "just works".

--
.''`. Stephen Powell <zlinuxman@xxxxxxxxxx>
: :' :
`. `'`
`-

