Today I decided to protect all my Raspberry Pi SD cards from unproper shutdown and also prevent SD card premature end of life. This means protect them from power outage or just unplugging the power while the Pi is running.

Edit :
April 2016 to works on Jessie and Raspberry PI 3
January 2017 Fix SSH access problem after reboot / moved resolv.conf to tmpfs

Why ?

Most of the time you won’t see or have any incidences when the shutdown is not clean, but depending on what is doing the Pi at this time, you can start to have unpredictable results or data corruption. Also, sometime, applications have really verbose logging and continuously writing log to the SD will for sure bring it to death quicker than expected. SD corruption is not really simple to detect, because sometime it works and sometimes Pi is crashing/blocking and you don’t know why. You have these “hazardous” problems until you decide to change the SD. the worst, is that you were just thinking you done something wrong and searched what you done wrong ? Get time, in doubt, change your SD card first. This is my own experience and as today, I’m on 3 dead SD card.

How ?

Well, the 1st thing I’ve done was to set some folder into temp file system (log file for example) and write the log files to the SD only every hour (a example). It’s working fine but  I wanted to go deeper and have more protection, so searched over Internet people doing with read-only filesystem. I found lot of interesting article with different methods and decided to start with this one from k3a, really thanks to him.

Requirement, do it or not ?

Using a read-only file system is mostly used for Pi working 24H/7 a day and with console mode only, so if you’re using X11 or graphic interface, I won’t recommend this method because it won’t work. May be there are some other but it’s not on this article scope. So when you want you’re Pi in read-only mode it’s acting like a server but some server applications are not compatible with read only file system. Mainly database.

So if you’re running a database on your Pi, don’t use read-only filesystem. May be again there are some specific build or database to minimize write to SD, but once again it’s not in today’s scope. I see more and more people using mySQL database on Pi claiming it works fine. Sure it works, until you’ll start to face on SD corruption, and I hope they all have a good backup, because we know all, admins always have backup ;).

May be I’m the only one claiming that except if you change only few data a day, you shouldn’t use a RPi as a 24/7 database engine. For a pretty rock solid database, use a clouded one or one on a NAS like a Synology with redundant hard disk. It will go so much faster and you’ll get a real reliability. More over you will be able to use your Pi to do action and manage this database, just host your database elsewhere, just my 2 cents.

Let’s do it

Okay, I’ve done nothing yet, I’m writing this article while setting my Ambilight hyperion Rpi in read only mode and following the K3A article. You need to connect to your Pi with ssh to run the following commands, I’m connecting as root so you won’t see any sudo command (I know, I’m a bad boy!)

Get to latest current version

Reboot in case of bootloader or kernel version change

Wait for reboot and connect back with SSH.

Remove unwanted package and services files

The original article removed cron and fake-hwclock, I decided to let it working assuming my Pi will have the correct date (I never had a problem with date) and also have a date at bootup that is more the last known than 1970 year. fake-hwclock will be written at logout and every day

Replace log management with busybox one

This will put log into circular memory buffer, you will able to see log using

Disable swap and filesystem check and set it to read-only.

edit the file
and add the three words
fastboot noswap ro
at the end of the line

mine were (your can be different depending on several options) :

and now looks like :

Move some system files to temp filesystem

On Raspberry PI 3, move some lock file to temp Files System

Thanks to @harlock for the trick

and be sure to change the line with


Full file should now looks something like that (on my Jessie Lite on RPI3).

On Debian jessie move randomseed  file to writable location

remove existing file

link the random-seed file to tmpfs location

Since file is on tmpfs it will not be created upon, reboot, but we can do it with a kind of magic of systemd system service, this is so powerfull.

To create file on the tmp area at bootup before starting random-seed service, just edit the file service file to add a pre-command to execute :

add the line   ExecStartPre=/bin/echo “” >/tmp/randomseed  under service section, should now looks like this

Do not use touch instead of echo, it won’t work because checking RO filesystem

Execute following to tell systemd we made changes

Setup the Internet clock sync

I think this one is not needed because on new Raspbian version, the ntp daemon already do the job, but just in case

and be sure to configure your time zone, with raspi-config tool

then go to menu “Internationalisation Options”  then “Change Timezone” and select your time zone.

Edit the hourly cron script that save clock every hour
and change it to allow saving clock. It sould become

Edit the the file /etc/ntp.conf  to set redirect driftfile  to writable zone  /var/tmp . My file was like this

I changed to this, thanks to Gregor for the tip.


Remove some startup scripts

Now time to tell the mounted filesystem that we’re in read-only mode

Add “,ro” flag to both block devices in
to tell the system to mount them read-only:

edit the file
mine was :

And after modifications it is :

We done, reboot

That’s it, you should now be able to reboot your Pi

If all went fine, it should boot. Well, on mine it rebooted fine and ambilight was still working, then I ssh’ed onto and issued

you can see root is ro mode

and /boot (fat part of the SD) is also ro mode, great !!!

In case of problem, look at syslog (or logread) and try to find out why. You can try to fix plugging the SD card in a different computer.

Switching from Read-Only mode to Read-Write and vice-versa

Now you’re in read only mode it’s fine and safe, but if you need to install, write or modify files, upgrade, or whatever that need write access, you need to be able to do it, we’ll add this possibility and in visual mode

To set system to Read-Write use
mount o remount,rw /
and to set it back to Read-Only
mount o remount,ro /
but I do not remember this tricky syntax and decided to improve things a little. I want to have two simple commands like
for setting mode to read only and
to enable read write mode. I also wanted to know on which mode I am on command prompt.

Add fancy indicating features

Ok for all users just edit the file
and at the end add the following lines

Execute this new file and look at the magic, the prompt has also changed and show up file system state

Use logout to save history and force Read-Only mode

To be sure to avoid setting back to Read-Only at logout, add the following line to the file
(may be you need to create it)

If you want to have your bash history file saved and last known good date, also, put these lines instead

Of course you can also enhance the system like changing colors and/or set file system to read only after a certain amount of time. It’s just the way I’m using it.

PS : depending on your configuration, you may have set prompt elsewhere after /etc/bash.bashrc is executed ( ~/.bashrc for example), that would cause overriding the settings of  /etc/bash.bashrc. So if it does not work, test by putting the lines at the end of the user ~/.bashrc  profile file ( /root/.bashrc for root)

Bonus : health check using Watchdog

If you follow my blog, you probably know that I’m using micro-controller day by day. I love the watchdog feature they have and reading original K3A post, I saw we can do the same on Raspberry, so I decided to give it a try of course.

It’s for advanced users, be sure knowing what you do if you don’t want your Pi going into reset loop, most users don’t need this.

Set system to Read-Write before executing these commands, you sure remember this ?

Enable watchdog module :

Edit the file and
add the following lines at the end of the file

On raspbian before jessie (old system init.d) set the watchdog to start at boot and start it now:

On Jessie edit the file /lib/systemd/system/watchdog.service  and in section [Install]  add the following

Always on Jessie, enable it by

In addition to the watchdog, you should set up reboot after a kernel panic. This is done by editing
. Add this line:

This will cause to wait 10 seconds after a kernel panic, then automatically safely reboot the box.

Last test and validation

As last operation, set back to Read-Only and reboot the Pi


Has I already said, I followed the original author (K3A) and just added some features I needed. Now that I have one Pi in this mode, I will update all my Pi and may be I need to add some modifications or enhancement not seen yet. If this the case I will update this post, so stay tuned.

If you want to see more precise explanations, I strongly suggest to read the excellent original K3A article located here

Thank’s to Raspbian France for providing this article image.

2017 has been a banner year for SpaceX, and this morning, the spaceflight
company added to their success by launching their 14th Falcon 9 rocket of
the year.

The SpaceX rocket launch took place at Vandenberg Air Force Base in
California with a payload of 10 Iridium satellites bound for orbit. The
Falcon 9’s first-stage rocket booster was recovered shortly after the
launch, landing safely on SpaceX’s Just Read the Instructions drone ship in the Pacific.

This marked the third mission SpaceX has undertaken for the satellite
company. More launches are on the way to complete Iridium’s NEXT satellite network, which will cover the entire surface of Earth using low-Earth orbit satellites.

SpaceX rocket launch
Image Credit: SpaceX
SpaceX plans to attempt another Falcon 9 launch on October 11. This SpaceX rocket launch, a joint venture with EchoStar and SES, will take place at Kennedy Space Center in Florida and will utilize a refurbished Falcon 9 first stage.

If successful, the October 11 launch will be another example of SpaceX’s
ability to operate missions in quick succession, which will help to lower
costs and continue to boost accessibility to space.

SpaceX has a total of eight more planned missions anticipated before the endof the year.

The printing in chromebook is always a problem for a printer which does not support google cloud print. A possible solution is using a windows based chrome browser as a bridge to link between chromebook and the local printer, but the disadvantage is the windows computer must be always on.

I had a HP printer linked to a raspberry pi 3 running Raspbian, and there is a solution to make RPi as a google cloud printer connector.  Followings are steps installing the converter on raspbian (Debian Jessie). For more information, please refer to the website:

In order to install the connector, Go 1.5.2 is required, however, Raspbian (Debian Jessie) only provides version 1.3?. New version of go can be installed as below (It’s tricky that version 1.5 can not be installed directly, version 1.4 should be installed first) :

  1. Install go 1.4
    $ git clone ~/go1.4
    $ cd ~/go1.4/src
    $ git checkout go1.4.3
    $ ./all.bash
  2. Install go 1.5
    $ git clone ~/go1.5
    $ cd ~/go1.5/src
    $ git checkout go1.5.2
    $ ./all.bash
  3. Config go –
    set work space
    $ echo 'export GOPATH=$HOME/go' >> ~/.bashrc
    set go install path
    $export GOROOT=$HOME/go1.5/go1.5
    $ echo 'PATH="$PATH:$GOROOT/bin"' >> ~/.bashrc
    $ source ~/.bashrc
    $ go version
    go version go1.5.2 linux/arm
  4. Build
    run command in ~/folder 
    $go get
  5. In folder ~/go/bin you should have two new binaries gcp-cups-connector and gcp-connector-util
  6. Create an unprivileged gcp system user:
    sudo useradd -s /usr/sbin/nologin -r -M cloud-print-connector

    Create /opt/cloud-print-connector:

    sudo mkdir /opt/cloud-print-connector

    Move the binaries to /opt/cloud-print-connector:

    sudo mv ~/go/bin/gcp-cups-connector /opt/cloud-print-connector
    sudo mv ~/go/bin/gcp-connector-util /opt/cloud-print-connector
  7. Make sure the binaries are executable:
    sudo chmod 755 /opt/cloud-print-connector/gcp-cups-connector
    sudo chmod 755 /opt/cloud-print-connector/gcp-connector-util

    Change the owner of the binaries to gcp:

    sudo chown cloud-print-connector:cloud-print-connector /opt/cloud-print-connector/gcp-cups-connector
    sudo chown cloud-print-connector:cloud-print-connector /opt/cloud-print-connector/gcp-connector-util
  8. Make a gcp config:
    sudo /opt/cloud-print-connector/gcp-connector-util init
  9. Make a gcp config:
    sudo /opt/cloud-print-connector/gcp-connector-util init

    Example configuration:

    "Local printing" means that clients print directly to the connector via local subnet,
    and that an Internet connection is neither necessary nor used.
    Enable local printing?
    "Cloud printing" means that clients can print from anywhere on the Internet,
    and that printers must be explicitly shared with users.
    Enable cloud printing?
    Retain the user OAuth token to enable automatic sharing?
    User or group email address to share with:
    Proxy name for this GCP CUPS Connector:
    Visit, and enter this code. I'll wait for you.
    Acquired OAuth credentials for robot account
    The config file /home/pi/gcp-cups-connector.config.json is ready to rock.
    Keep it somewhere safe, as it contains an OAuth refresh token.

    Move the gcp config to /opt/cloud-print-connector/:

    sudo mv ~/gcp-cups-connector.config.json /opt/cloud-print-connector/

    Change the file permissions of the gcp config:

    sudo chmod 660 /opt/cloud-print-connector/gcp-cups-connector.config.json

    Change the owner of the gcp config to gcp:

    sudo chown cloud-print-connector:cloud-print-connector /opt/cloud-print-connector/gcp-cups-connector.config.json
  10. run $/opt/cloud-print-connector/gcp-cups-connector -config-filename /opt/cloud-print-connector/gcp-cups-connector.config.json
  11. In chromebook, add google cloud printer in setting – > advance
  12. done!

There are seven life processes that tell us that animals are alive. To help us remember them we have found a friend to remind you – Mrs Nerg. Although her name sounds a bit strange, the letters in it stand for the life processes – movement, reproduction, sensitivity, nutrition, excretion, respiration and growth.

Mrs Nerg To find out more about Mrs Nerg and the seven life processes select one of the links below.




处于安全考虑个人网站可以把http服务改成 https服务,网络上有很多方法来自己做数字签名。但是浏览器在连接该网站时候会报不安全连接,有些浏览器会因此拒绝连接,比如IE。chrome则问很多问题再三确认是否继续连接。这个会让使用者很厌烦。产生这个问题原因是个人生成的数字签名不被浏览器认可,因为数字签名没有被有关机构认证。

网上有很多收费提供https签名认证服务的网站,但价格还是有些高,对于个人网站来说,没有必要交付这个费用。现在有一个免费提供签名的网站,Let’s Encrypt。通过它提供的签名,任何浏览器都可以正常访问自己的https网站了。安装过程很简单,我在自己的树莓派上的操作过程如下:

  • 首先可以ssh到自己的网站,当然这个要求很好满足,我的树莓派就在手边。但对于在其他网站上的个个人网页服务,有些可能不能提供这个服务。对于无法ssh的问题,不在本文考虑之内,请参考其他网站。
  • 有自己的域名,这个当然也是必须的,签名认证就是认证域名。我自己的是在changeip免费注册的域名。
  • 一个正在运行的apache网页服务器。在安装过程中,务必保证服务保持运行状态。
  • 说一下我的软硬件,树莓派3,运行raspbian Jessie,安装了apache2。自己作过数字签名,但如以上原因,通常会被报不安全连接。
  • 安装过程,参考 , 下面根据我的操作一步一步来:
  • 首先安装jessie-backports,由于raspbian包里没有backports软件,需要在/etc/apt的list里加上源:

1) Add the line ‘deb jessie-backports main contrib non-free’.

2) apt-get update

3) apt-get install python-certbot-apache -t jessie-backports



  • 运行命令

certbot –apache


  • 安装完成后,重起apache 服务, 安装到此结束。现在已经是安全连接的https的网站了。


  • 由于自己曾经做过个人数字签名,所以需要把原来sites-enable目录的其他原来配置删除(或者移到其他目录保存)。刚才安装过程中已经重新生成了基于新数字签名的apache2 服务配置文件。
  • 因为需要redirect所有http (80)请求到https (443),需要修改自动生成的sites-enable里的配置文件,我是把原来这部分的配置拷贝过来了。