Once upon a time, Havoc Pennington hp@redhat.com said:
A possibly related discussion; we've been wondering if we can make the OS image read-only (mounting it that way, or via selinux).
I run with /usr read-only already, and if I didn't have users in /etc/passwd I could mount / read-only.
Then have /tmp and probably /var in RAM (or wiped on boot), and have home directories and server/app data such as web pages to be served on network mounts.
/var needs to continue across reboots, as that is where logs are (and not everything can do network logging, nor do you want to log to an NFS mount). I don't see you being able to get away from having some local writable storage.
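The layout the two messages converge on (/ and /usr read-only, /tmp volatile, /var on persistent writable storage) is easy to state and easy to drift away from after an upgrade, so here is an added example, not from this thread, that audits a /proc/mounts-style table against it. The mount table below is constructed sample data, and the function names (`mount_option`, `mount_fstype`, `audit_layout`) are this example's own; on a real host you would pass it the contents of /proc/mounts instead.

```shell
#!/bin/sh
# Added example: audit a mount table against the read-only-OS layout discussed above.
# Expected layout: / and /usr mounted ro, /tmp on tmpfs, /var writable and persistent.
# SAMPLE_MOUNTS is constructed data in /proc/mounts format (device mountpoint fstype options dump pass).

SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /usr ext4 ro,nosuid,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda3 /var ext4 rw,relatime 0 0
nfs01:/home /home nfs4 rw,relatime 0 0'

# mount_option TABLE MOUNTPOINT OPTION -> exit 0 if OPTION appears in that mount's option list
mount_option() {
    printf '%s\n' "$1" | awk -v mp="$2" -v opt="$3" '
        $2 == mp {
            n = split($4, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == opt) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# mount_fstype TABLE MOUNTPOINT -> prints the filesystem type, or nothing if not mounted
mount_fstype() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $3; exit }'
}

# audit_layout TABLE -> prints one PASS/FAIL line per check; return value is the number of failures
audit_layout() {
    table=$1
    fails=0
    for mp in / /usr; do
        if mount_option "$table" "$mp" ro; then
            echo "PASS $mp is read-only"
        else
            echo "FAIL $mp is writable or not mounted"; fails=$((fails + 1))
        fi
    done
    if [ "$(mount_fstype "$table" /tmp)" = tmpfs ]; then
        echo "PASS /tmp is volatile (tmpfs)"
    else
        echo "FAIL /tmp is not tmpfs"; fails=$((fails + 1))
    fi
    # /var holds the logs, so it must survive reboots (not tmpfs) and be writable
    t=$(mount_fstype "$table" /var)
    if [ -n "$t" ] && [ "$t" != tmpfs ] && mount_option "$table" /var rw; then
        echo "PASS /var is persistent and writable"
    else
        echo "FAIL /var is missing, volatile, or read-only"; fails=$((fails + 1))
    fi
    return $fails
}

# On a live system the table format is identical: audit_layout "$(cat /proc/mounts)"
audit_layout "$SAMPLE_MOUNTS"
```

The check reads the kernel's view of the mounts rather than /etc/fstab, so it catches a remount to rw just as well as a misconfigured fstab entry; wiring it into a boot-time or periodic health check is the obvious next step.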