[clug] Partitioning for fun and benefit

Rodney Peters rodneyp at iinet.net.au
Thu Oct 17 10:42:49 UTC 2019


see below

Rod

On 2019-10-17 16:55, steve jenkin via linux wrote:
> George,
>
> <snip>

> These days, with MBR or GPT, you can throw everything into a single volume / partition and have it Just Work.
> Running MBR, especially with GRUB, you need a separate “/boot” partition AFAIK.
>
> <snip>

Not quite correct.  A separate "/boot" is required, with either 
disk-label, only if the boot-loader can't read the file system of the 
"/" partition.  GRUB can now read most filesystems.

AFAIK, GPT requires that the ESP (or on BIOS, partition containing 
/boot) have a partition number <4

OTOH, for a home system, I find a separate "/home" is quite useful.  If 
you need to reinstall, then leave the "/home" as is. Be certain to 
delete any sub-volume for it in a BTRFS file-system and define "/home" 
to /etc/fstab.  All your settings will be in place on the new installation.

> I’ve not built a system with GPT & UEFI BIOS - I understand they don’t require a boot-loader (eg GRUB) because UEFI scans partitions.
>
> <snip>
Although UEFI does scan for ESP partitions (and must have one), it still 
requires a boot-loader somewhere.  GRUB can serve that purpose.   
"bootctl" is cleaner and can have a much simpler config file - it is not 
compatible with BIOS.  It might be installed, without being implemented, 
on some distros - it is on openSUSE.  See "man bootctl".
> ===========
>
> <snip>
>
> HTH
> steve
>
>> On 16 Oct 2019, at 12:15, George at Clug via linux <linux at lists.samba.org> wrote:
>>
>> Partitioning for fun and benefit
>>
>> Hi,
>>
>> I would like to discuss and get your opinions about using multiple partitions when installing Linux.
>>
>> I am not sure if it is even worth doing, though lots of security web pages advocate the practice (in various ways).
>>
>> A site that had a good explanation of why ...
>> http://www.daniloaz.com/en/the-importance-of-properly-partitioning-a-disk-in-linux/
>> "I am a strong supporter of simplicity and the principle that less is more, but as far as security and performance of information systems is concerned, we must be able to strike a balance between keeping things simple and exposing ourselves as little as possible to potential threats while trying to obtain the maximum performance of all system elements involved."
>>
>> The site that I found most useful...
>> http://www.softpanorama.org/Commercial_linuxes/Security/protective_partitioning_of_the_system.shtml
>> "Note: Questionable recommendations. should be taken with the grain of salt."
>>
>> I read that security that is controlled and/or circumvented by fstab/remounting is not that much security, but I guess any "security hardening" that does not stop your computer/server doing its job is a "good thing"?
>>
>> For performance I would like to have root on a [consumer] SSD as read only (and any other partitions that I could), but I don't know how to do this, and it also creates more work for applying updates. The security benefit to effort might not be worth the effort. (yet many more hours of research, I guess)
>>
>> Talking about "that does not stop your computer/server doing its job", well many web security sites suggest adding noexec to your /var partition, but I found that this broke Debian's package installation. I could run with this enabled, then remove it when applying updates, but that sounds like too much hard work.
>>
>> Well whatever your personal thoughts are, you are welcome to comment on the results of my testing or question my sanity.
>>
>> Notes:
>> 1) "/var/lib/mysql", "/var/www" are only for testing, and implementation depends on what your servers uses.
>> 2) I have tested upgrading from Debian Jessie, through to Buster, and installing qemu-kvm, then Mate GUI and Virt-Manager. In practice, I usually make "/var/lib/libvirt/images" a separate partition/drive.
>> 3) Testing so far has been very limited, no postfix, dovecot/Courier IMAP, no chroot testing, no web site CGI/PHP, etc.
>> 4) No testing with docker or lxc.
>> 5) I was considering using an 8TB HD, I experimented with the below partition sizes which seem to suit the needs of my servers.
>> 6) After many configuration changes, and much retesting of partitioning, I may have got confused on some things.
>> 7) I discovered "Linux limits the partitions per drive to 15 partitions..."  - https://www.debian.org/releases/potato/i386/ch-partitioning.en.html
>> 8) Time might not be a finite resource, but it is a limited resource.
>>
>> 50GB  /               ext4    noatime,errors=remount-ro
>> 1GB  /boot           ext4    noatime,nodev,nosuid,noexec
>> 50GB  /home           ext4    noatime,nodev,nosuid,noexec
>> 2GB  /opt            ext4    noatime,nodev,nosuid
>> 2GB  /srv            ext4    noatime,nodev,nosuid,noexec  (I do not have Service Data to test with)
>> 10GB  /tmp            ext4    relatime,nodev,nosuid        (I think noatime broke something, but relatime worked)
>> 20GB  /usr            ext4    noatime,nodev                (I increased /usr from initial 10GB to 20GB)
>> 2GB  /usr/local      ext4    noatime,nodev
>> 10GB  /var            ext4    noatime,nodev,nosuid         (Will nosuid break chrooted email systems ?)
>> 2GB  /var/lib/mysql  ext4    noatime,nodev,nosuid,noexec  (Example only. Size of production databases?)
>> 2GB  /var/log        ext4    noatime,nodev,nosuid,noexec
>> 2GB  /var/log/audit  ext4    noatime,nodev,nosuid,noexec
>> 2GB  /var/tmp        ext4    relatime,nodev,nosuid
>> 2GB  /var/www        ext4    noatime,nodev,nosuid,noexec  (Example only. Size of production web files?)
>>
>>
>> ---------------------------------------------------------
>>
>> # df -h
>> Filesystem      Size  Used Avail Use% Mounted on
>> udev            4.9G     0  4.9G   0% /dev
>> tmpfs          1000M  9.1M  991M   1% /run
>> /dev/vda2        46G  589M   43G   2% /
>> /dev/vda6       9.1G  4.0G  4.7G  47% /usr
>> tmpfs           4.9G     0  4.9G   0% /dev/shm
>> tmpfs           5.0M  4.0K  5.0M   1% /run/lock
>> tmpfs           4.9G     0  4.9G   0% /sys/fs/cgroup
>> /dev/vda8       9.1G   22M  8.6G   1% /tmp
>> /dev/vda4       1.9G  2.9M  1.7G   1% /opt
>> /dev/vda5       1.9G  2.9M  1.7G   1% /srv
>> /dev/vda9       9.1G  694M  7.9G   8% /var
>> /dev/vda10      1.9G  2.9M  1.7G   1% /var/lib/mysql
>> /dev/vda11      1.9G   37M  1.7G   3% /var/log
>> /dev/vda13      1.9G  2.9M  1.7G   1% /var/tmp
>> /dev/vda7       1.9G  2.9M  1.7G   1% /usr/local
>> /dev/vda15       46G  4.3G   40G  10% /home
>> /dev/vda1       922M   81M  778M  10% /boot
>> /dev/vda12      1.9G  2.9M  1.7G   1% /var/log/audit
>> /dev/vda14      1.9G  2.9M  1.7G   1% /var/www
>> tmpfs          1000M   20K 1000M   1% /run/user/1000
>> /dev/sr0        3.8G  3.8G     0 100% /media/cdrom0
>> ---------------------------------------------------------
>> # mount | grep "/dev/v"
>> /dev/vda2 on / type ext4 (rw,noatime,errors=remount-ro)
>> /dev/vda6 on /usr type ext4 (rw,nodev,noatime)
>> /dev/vda1 on /boot type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda15 on /home type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda9 on /var type ext4 (rw,nosuid,nodev,noatime)
>> /dev/vda14 on /var/www type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda7 on /usr/local type ext4 (rw,nodev,noatime)
>> /dev/vda8 on /tmp type ext4 (rw,nosuid,nodev,relatime)
>> /dev/vda5 on /srv type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda10 on /var/lib/mysql type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda11 on /var/log type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda13 on /var/tmp type ext4 (rw,nosuid,nodev,relatime)
>> /dev/vda12 on /var/log/audit type ext4 (rw,nosuid,nodev,noexec,noatime)
>> /dev/vda4 on /opt type ext4 (rw,nosuid,nodev,noatime)
>> ---------------------------------------------------------
>>
>>
>>
>> Sites that I found useful...
>> http://www.softpanorama.org/Commercial_linuxes/Security/protective_partitioning_of_the_system.shtml
>> "Note: Questionable recommendations. should be taken with the grain of salt."
>>
>> https://www.cyberciti.biz/tips/linux-security.html
>> "21. Separate Disk Partitions For Linux System
>> Separation of the operating system files from user files may result into a better and secure system."
>>
>> https://access.redhat.com/discussions/641923
>> "Our practice is to isolate /var/tmp & /var/log to independent LVs.
>> In our environment, we make separate logical volumes for /tmp/ /var/ /var/log and /var/log/audit .
>> We place /var/log/audit in it's own logical volume especially on tomcat or web servers.
>> Ideally you should be mounting /var with noexec and nosuid flags."
>>
>> https://www.tecmint.com/linux-server-hardening-security-tips/
>> "2. Disk Partitions
>> Make sure you must have following separate partitions and sure that third party applications should be installed on separate file systems under /opt."
>>
>> https://wiki.archlinux.org/index.php/Fstab#Field_definitions
>> "Note: noatime implies nodiratime. You do not need to specify both."
>>
>> https://www.cloudberrylab.com/resources/blog/linux-server-hardening-guide/
>> "Partitioning"
>>
>> https://buildmedia.readthedocs.org/media/pdf/simp/latest/simp.pdf
>> "Disk Partitioning"
>>
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/installation_guide/s2-diskpartrecommend-x86
>> https://docs.fedoraproject.org/en-US/Fedora/13/html/Installation_Guide/s2-diskpartrecommend-x86.html
>>
>> https://tomthorp.me/blog/moving-docker-data-directory
>>
>> https://www.thegeekstuff.com/2010/09/linux-file-system-structure/
>>
>> https://access.redhat.com/discussions/641923
>> "There is a commonly held wisdom that /var should by default be seperated from the root partition (for example https://access.redhat.com/site/articles/10332)."
>>
>> https://www.cyberciti.biz/tips/linux-security.html
>> "21. Separate Disk Partitions For Linux System"
>>
>> https://wiki.debian.org/ReadonlyRoot
>>
>>
>>
>>
>>
>> -- 
>> linux mailing list
>> linux at lists.samba.org
>> https://lists.samba.org/mailman/listinfo/linux
> --
> Steve Jenkin, IT Systems and Design
> 0412 786 915 (+61 412 786 915)
> PO Box 38, Kippax ACT 2615, AUSTRALIA
>
> mailto:sjenkin at canb.auug.org.au http://members.tip.net.au/~sjenkin
>
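
As an added example (not part of the thread, and not any poster's own configuration or script), here is a small bash audit that checks a mount table in /proc/self/mounts format against a per-mountpoint option policy like the one George listed. It reads the live mount table rather than /etc/fstab, which is the practical answer to the "security controlled by fstab/remounting is not much security" point: only the kernel's current view shows whether someone has since done a remount,exec. The policy, the function names and the sample mount lines are my own constructions; the sample lines are not real output from any system in the thread.

```shell
#!/usr/bin/env bash
# Added example: audit mounted filesystems against a mount-option policy.
# Input format is that of /proc/self/mounts:
#   <source> <mountpoint> <fstype> <options> <dump> <pass>
# The policy is "<mountpoint> <comma-separated required options>" per line.
# Both the policy and the sample below are constructed for this example.

POLICY='/boot nodev,nosuid,noexec
/home nodev,nosuid,noexec
/tmp nodev,nosuid
/var nodev,nosuid
/var/log nodev,nosuid,noexec
/var/log/audit nodev,nosuid,noexec
/var/tmp nodev,nosuid'

# Constructed sample (not real output): /tmp lacks nosuid, /var/tmp has been
# remounted without nodev/nosuid, and /var/log/audit is not a separate mount.
SAMPLE_MOUNTS='/dev/vda2 / ext4 rw,noatime,errors=remount-ro 0 0
/dev/vda1 /boot ext4 rw,nosuid,nodev,noexec,noatime 0 0
/dev/vda15 /home ext4 rw,nosuid,nodev,noexec,noatime 0 0
/dev/vda8 /tmp ext4 rw,nodev,relatime 0 0
/dev/vda9 /var ext4 rw,nosuid,nodev,noatime 0 0
/dev/vda11 /var/log ext4 rw,nosuid,nodev,noexec,noatime 0 0
/dev/vda13 /var/tmp ext4 rw,relatime 0 0'

# has_opt OPTIONS OPT: succeed if OPT is one of the comma-separated OPTIONS.
# Matching on ",opt," avoids false hits such as "noexec" inside "noexecfoo".
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# mount_opts MOUNTS MOUNTPOINT: print the option field of MOUNTPOINT, or
# nothing if it is not a separate mount (it then inherits its parent's options,
# so a policy entry for it cannot be satisfied).
mount_opts() {
    printf '%s\n' "$1" | awk -v mp="$2" '$2 == mp { print $4; exit }'
}

# check_mounts MOUNTS POLICY: print one line per violation,
#   "<mountpoint> missing <opt>" or "<mountpoint> not-mounted",
# and return 0 if the policy is fully satisfied, 1 otherwise.
check_mounts() {
    local mounts=$1 policy=$2 rc=0 mp required opts opt
    while read -r mp required; do
        [ -n "$mp" ] || continue
        opts=$(mount_opts "$mounts" "$mp")
        if [ -z "$opts" ]; then
            printf '%s not-mounted\n' "$mp"
            rc=1
            continue
        fi
        for opt in $(printf '%s' "$required" | tr ',' ' '); do
            if ! has_opt "$opts" "$opt"; then
                printf '%s missing %s\n' "$mp" "$opt"
                rc=1
            fi
        done
    done <<EOF
$policy
EOF
    return "$rc"
}

# Audit the constructed sample by default; pass --live to audit this host.
if [ "${1:-}" = "--live" ]; then
    mounts=$(cat /proc/self/mounts)
else
    mounts=$SAMPLE_MOUNTS
fi
if check_mounts "$mounts" "$POLICY"; then
    echo "all policy mountpoints present with required options"
else
    echo "violations found (listed above)"
fi
```

On the sample this reports "/tmp missing nosuid", "/var/log/audit not-mounted" and two lines for /var/tmp. Run it from cron or a config-management check with --live; a temporary "mount -o remount,exec /var" done to let dpkg run (dpkg executes maintainer scripts from under /var/lib/dpkg, which is why noexec on /var breaks package installation) will then show up as a violation until the filesystem is remounted with its fstab options again.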


