[clug] Partitioning for fun and benefit
George at Clug
Clug at goproject.info
Wed Oct 16 01:15:36 UTC 2019
Hi,
I would like to discuss and get your opinions about using multiple partitions when installing Linux.
I am not sure if it is even worth doing, though lots of security web pages advocate the practice (in various ways).
A site that had a good explanation of why ...
http://www.daniloaz.com/en/the-importance-of-properly-partitioning-a-disk-in-linux/
"I am a strong supporter of simplicity and the principle that less is more, but as far as security and performance of information systems is concerned, we must be able to strike a balance between keeping things simple and exposing ourselves as little as possible to potential threats while trying to obtain the maximum performance of all system elements involved."
The site that I found most useful...
http://www.softpanorama.org/Commercial_linuxes/Security/protective_partitioning_of_the_system.shtml
"Note: Questionable recommendations. should be taken with the grain of salt."
I read that security that is controlled and/or circumvented by fstab/remounting is not that much security, but I guess any "security hardening" that does not stop your computer/server doing its job is a "good thing"?
For performance I would like to have root on a [consumer] SSD as read only (and any other partitions that I could), but I don't know how to do this, and it also creates more work for applying updates. The security benefit to effort might not be worth the effort. (yet many more hours of research, I guess)
Talking about "that does not stop your computer/server doing its job", well many web security sites suggest adding noexec to your /var partition, but I found that this broke Debian's package installation. I could run with this enabled, then remove it when applying updates, but that sounds like too much hard work.
Well whatever your personal thoughts are, you are welcome to comment on the results of my testing or question my sanity.
Notes:
1) "/var/lib/mysql", "/var/www" are only for testing, and implementation depends on what your servers use.
2) I have tested upgrading from Debian Jessie, through to Buster, and installing qemu-kvm, then Mate GUI and Virt-Manager. In practice, I usually make "/var/lib/libvirt/images" a separate partition/drive.
3) Testing so far has been very limited, no postfix, dovecot/Courier IMAP, no chroot testing, no web site CGI/PHP, etc.
4) No testing with docker or lxc.
5) I was considering using an 8TB HD; I experimented with the below partition sizes, which seem to suit the needs of my servers.
6) After many configuration changes, and much retesting of partitioning, I may have got confused on some things.
7) I discovered "Linux limits the partitions per drive to 15 partitions..." - https://www.debian.org/releases/potato/i386/ch-partitioning.en.html
8) Time might not be a finite resource, but it is a limited resource.
50GB  /                ext4  noatime,errors=remount-ro
1GB   /boot            ext4  noatime,nodev,nosuid,noexec
50GB  /home            ext4  noatime,nodev,nosuid,noexec
2GB   /opt             ext4  noatime,nodev,nosuid
2GB   /srv             ext4  noatime,nodev,nosuid,noexec  (I do not have Service Data to test with)
10GB  /tmp             ext4  relatime,nodev,nosuid        (I think noatime broke something, but relatime worked)
20GB  /usr             ext4  noatime,nodev                (I increased /usr from initial 10GB to 20GB)
2GB   /usr/local       ext4  noatime,nodev
10GB  /var             ext4  noatime,nodev,nosuid         (Will nosuid break chrooted email systems?)
2GB   /var/lib/mysql   ext4  noatime,nodev,nosuid,noexec  (Example only. Size of production databases?)
2GB   /var/log         ext4  noatime,nodev,nosuid,noexec
2GB   /var/log/audit   ext4  noatime,nodev,nosuid,noexec
2GB   /var/tmp         ext4  relatime,nodev,nosuid
2GB   /var/www         ext4  noatime,nodev,nosuid,noexec  (Example only. Size of production web files?)
---------------------------------------------------------
# df -h
Filesystem Size Used Avail Use% Mounted on
udev 4.9G 0 4.9G 0% /dev
tmpfs 1000M 9.1M 991M 1% /run
/dev/vda2 46G 589M 43G 2% /
/dev/vda6 9.1G 4.0G 4.7G 47% /usr
tmpfs 4.9G 0 4.9G 0% /dev/shm
tmpfs 5.0M 4.0K 5.0M 1% /run/lock
tmpfs 4.9G 0 4.9G 0% /sys/fs/cgroup
/dev/vda8 9.1G 22M 8.6G 1% /tmp
/dev/vda4 1.9G 2.9M 1.7G 1% /opt
/dev/vda5 1.9G 2.9M 1.7G 1% /srv
/dev/vda9 9.1G 694M 7.9G 8% /var
/dev/vda10 1.9G 2.9M 1.7G 1% /var/lib/mysql
/dev/vda11 1.9G 37M 1.7G 3% /var/log
/dev/vda13 1.9G 2.9M 1.7G 1% /var/tmp
/dev/vda7 1.9G 2.9M 1.7G 1% /usr/local
/dev/vda15 46G 4.3G 40G 10% /home
/dev/vda1 922M 81M 778M 10% /boot
/dev/vda12 1.9G 2.9M 1.7G 1% /var/log/audit
/dev/vda14 1.9G 2.9M 1.7G 1% /var/www
tmpfs 1000M 20K 1000M 1% /run/user/1000
/dev/sr0 3.8G 3.8G 0 100% /media/cdrom0
---------------------------------------------------------
# mount | grep "/dev/v"
/dev/vda2 on / type ext4 (rw,noatime,errors=remount-ro)
/dev/vda6 on /usr type ext4 (rw,nodev,noatime)
/dev/vda1 on /boot type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda15 on /home type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda9 on /var type ext4 (rw,nosuid,nodev,noatime)
/dev/vda14 on /var/www type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda7 on /usr/local type ext4 (rw,nodev,noatime)
/dev/vda8 on /tmp type ext4 (rw,nosuid,nodev,relatime)
/dev/vda5 on /srv type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda10 on /var/lib/mysql type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda11 on /var/log type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda13 on /var/tmp type ext4 (rw,nosuid,nodev,relatime)
/dev/vda12 on /var/log/audit type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda4 on /opt type ext4 (rw,nosuid,nodev,noatime)
---------------------------------------------------------
Sites that I found useful...
http://www.softpanorama.org/Commercial_linuxes/Security/protective_partitioning_of_the_system.shtml
"Note: Questionable recommendations. should be taken with the grain of salt."
https://www.cyberciti.biz/tips/linux-security.html
"21. Separate Disk Partitions For Linux System
Separation of the operating system files from user files may result into a better and secure system."
https://access.redhat.com/discussions/641923
"Our practice is to isolate /var/tmp & /var/log to independent LVs.
In our environment, we make separate logical volumes for /tmp/ /var/ /var/log and /var/log/audit .
We place /var/log/audit in it's own logical volume especially on tomcat or web servers.
Ideally you should be mounting /var with noexec and nosuid flags."
https://www.tecmint.com/linux-server-hardening-security-tips/
"2. Disk Partitions
Make sure you must have following separate partitions and sure that third party applications should be installed on separate file systems under /opt."
https://wiki.archlinux.org/index.php/Fstab#Field_definitions
"Note: noatime implies nodiratime. You do not need to specify both."
https://www.cloudberrylab.com/resources/blog/linux-server-hardening-guide/
"Partitioning"
https://buildmedia.readthedocs.org/media/pdf/simp/latest/simp.pdf
"Disk Partitioning"
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86
https://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s2-diskpartrecommend-x86.html
https://tomthorp.me/blog/moving-docker-data-directory
https://www.thegeekstuff.com/2010/09/linux-file-system-structure/
https://access.redhat.com/discussions/641923
"There is a commonly held wisdom that /var should by default be seperated from the root partition (for example https://access.redhat.com/site/articles/10332)."
https://wiki.debian.org/ReadonlyRoot
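
Added example, not part of the original post: a small audit that checks `mount` output against the hardening options from the partition table above, so drift (for instance a /var left remounted for an update) is noticed. The policy subset, the function names and the sample input are assumptions made for this illustration; the sample is constructed from the post's `mount` output with two options dropped and /var/www left out.

```shell
#!/bin/sh
# Policy (subset of the post's table): mount point, then options that must be set.
policy() {
cat <<'EOF'
/boot nodev,nosuid,noexec
/home nodev,nosuid,noexec
/tmp nodev,nosuid
/usr nodev
/var nodev,nosuid
/var/log nodev,nosuid,noexec
/var/tmp nodev,nosuid
/var/www nodev,nosuid,noexec
EOF
}

# Constructed sample: /home lacks noexec, /var/tmp lacks nosuid, /var/www is absent.
sample_mounts() {
cat <<'EOF'
/dev/vda2 on / type ext4 (rw,noatime,errors=remount-ro)
/dev/vda6 on /usr type ext4 (rw,nodev,noatime)
/dev/vda1 on /boot type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda15 on /home type ext4 (rw,nosuid,nodev,noatime)
/dev/vda9 on /var type ext4 (rw,nosuid,nodev,noatime)
/dev/vda8 on /tmp type ext4 (rw,nosuid,nodev,relatime)
/dev/vda11 on /var/log type ext4 (rw,nosuid,nodev,noexec,noatime)
/dev/vda13 on /var/tmp type ext4 (rw,nodev,relatime)
EOF
}

# Reads `mount`-format lines on stdin; prints one finding per line, sorted.
audit_mounts() {
    POLICY="$(policy)" awk '
        BEGIN {
            n = split(ENVIRON["POLICY"], rows, "\n")
            for (i = 1; i <= n; i++) { split(rows[i], f, " "); want[f[1]] = f[2] }
        }
        # Line format: DEVICE on MOUNTPOINT type FSTYPE (opt,opt,...)
        $2 == "on" && ($3 in want) {
            seen[$3] = 1; opts = $6; gsub(/[()]/, "", opts)
            m = split(want[$3], need, ",")
            for (j = 1; j <= m; j++)
                if (index("," opts ",", "," need[j] ",") == 0)
                    print "MISSING " $3 " " need[j]
        }
        END { for (mp in want) if (!(mp in seen)) print "NOT-MOUNTED " mp }
    ' | LC_ALL=C sort
}

sample_mounts | audit_mounts
```

On a live system, pipe the real table in with `mount | audit_mounts`; a path reported as NOT-MOUNTED is not a separate file system and therefore inherits the options of its parent.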