[OT] server partitioning question (rails + postgres)

Hi,

A bit off-topic, but I’m about to set up a remote Linux server
for Rails, with postgres and probably Lighttpd.

The server has two 120GB hard drives, one of which will just be
for nightly backups of the other.

I don’t intend to have any untrusted user accounts on the server.
The server will be dedicated to my own applications.

I’ll want to support lots of www clients, with pretty heavy database
access.

Currently, I’m planning to just make a single partition for
everything, aside from the small /boot and swap partitions.

Does this seem reasonable? Or are there reasons I’d be better off
with multiple partitions, such as maybe the postgres database files
in their own partition?

Just figured I’d ask in case there were any “gotcha’s” I should be
aware of when putting everything in one partition.

Thanks for any thoughts,

Regards,

Bill

On Dec 20, 2005, at 5:00 PM, Bill K. wrote:

Just figured I’d ask in case there were any “gotcha’s” I should be
aware of when putting everything in one partition.

Thanks for any thoughts,

Regards,

Bill

Bill-

It sounds good to me. One thing I highly recommend though is to
make /tmp its own partition and mount it as noexec nosetsuid. This
will keep any malicious folks from exploiting a vulnerability
somewhere and uploading files to your /tmp dir and running exploits
from there. I have dealt with these types of attacks before and
hardening /tmp is a big step to quashing these attack vectors.

Cheers-
-Ezra Z.
WebMaster
Yakima Herald-Republic Newspaper
509-577-7732

Hi Ezra,

From: “Ezra Z.”

It sounds good to me. One thing I highly recommend though is to
make /tmp its own partition and mount it as noexec nosetsuid. This
will keep any malicious folks from exploiting a vulnerability
somewhere and uploading files to your /tmp dir and running exploits
from there. I have dealt with these types of attacks before and
hardening /tmp is a big step to quashing these attack vectors.

Thanks for the tip !!!

I’ll do that. I’ll also be using a grsecurity kernel patch, which
among other things pretty much refuses to execute a program or
script unless it has the same owner/group as its containing directory,
and both the program file and the directory are chmod go-w.
( http://www.grsecurity.net/ )

Thanks again,

Regards,

Bill

Bill K. wrote:

Just figured I’d ask in case there were any “gotcha’s” I should be
aware of when putting everything in one partition.

Hi There,

Here are my suggestions for partitioning. I use these for my own
servers. My recommendations are most relevant for Linux.

  1. I recommend using logical volume management. Make /boot and swap
    partitions and put the rest in LVM. LVM allows you to more easily resize
    your storage volumes.
  2. Give /tmp, /var/log and your database files their own
    partitions/volumes. Any other fast-changing data folders should have
    their own volume. This will keep your root/main volume from getting
    fragmented. In addition it keeps your system functioning in case of DoS
    or similar attacks.

If /tmp, /var/log, or the db partition fill up, you might have problems,
but if the root volume gets full, you won’t be able to log in and fix
things.

For /tmp and /var/log, I recommend a minimum of 2GB each. More if you
have high-traffic sites.

If you do use LVM, leave about 10% of your disk unallocated, that leaves
you room to expand volumes or create new ones for things that you didn’t
expect.

I hope this helps.

Sincerely,
Jason E.

On Wed, 2005-12-21 at 10:41 -0500, Jason E. wrote:

I don’t intend to have any untrusted user accounts on the server.
in their own partition?

Just figured I’d ask in case there were any “gotcha’s” I should be
aware of when putting everything in one partition.

Geez, yeah that could be a long OT topic. EVMS is a good alternative to
LVM. Just in terms of partitioning, I’d throw /tmp (maybe /var/tmp?) on
a ramdisk, and be sure rails sessions are being thrown there. A /boot
is sort of unnecessary, unless you plan not to mount it by default. I
might make /var a separate EVMS partition, since it’s where you’ll
(ideally) be putting all of your app’s data (and thus the most likely to
need to grow in the future). Giving / (minus /var) ~5 Gigs is plenty
generous, the rest could go toward /var.

It’s sort of unlikely file-systems and partitions will be your app’s
performance limit in the short term; I wouldn’t worry too much.

I would GET EVERYTHING ON A RAID-1 ARRAY. Just Do It. Hard drive
crashes will happen, and Murphy’s law says it will be the only copy of
your code, and your biggest client will need it that day ;)

-Matthew B.
607 227 0871
Resume and Portfolio @ http://madhatted.com
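
A check for the layout recommended in this thread, as an added example that is not from any of the posters: it reads a table in /proc/mounts format and reports whether /tmp is its own mount carrying the mount(8) options noexec and nosuid, and whether /var/log and the database directory are separate mounts. The sample table is constructed, and /var/lib/postgresql is an assumed data directory path.

```shell
#!/bin/sh
# Added example, not from the thread: audit a /proc/mounts-format table.

# Print the options of the last entry mounted exactly at $2 in table $1
# (a later mount shadows an earlier one); exit 1 if $2 is not a mount point.
mount_opts() {
    awk -v mp="$2" '$2 == mp { o = $4; hit = 1 }
                    END { if (!hit) exit 1; print o }' "$1"
}

# has_opts TABLE MOUNTPOINT [OPT...]
# 0 = own mount with every OPT set, 1 = an OPT is missing, 2 = not a separate mount.
has_opts() {
    tbl=$1; mp=$2; shift 2
    opts=$(mount_opts "$tbl" "$mp") || return 2
    for want in "$@"; do
        case ",$opts," in
            *",$want,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# audit TABLE DB_DIR: report every deviation, return 1 if there was any.
audit() {
    bad=0
    has_opts "$1" /tmp noexec nosuid || { echo "/tmp: not a separate noexec,nosuid mount"; bad=1; }
    for dir in /var/log "$2"; do
        has_opts "$1" "$dir" || { echo "$dir: shares a filesystem with its parent"; bad=1; }
    done
    return "$bad"
}

# Constructed sample table: /tmp is separate but still allows exec.
sample_mounts() {
    cat <<'EOF'
/dev/mapper/vg0-root / ext3 rw,relatime 0 0
/dev/mapper/vg0-tmp /tmp ext3 rw,nosuid,nodev 0 0
/dev/mapper/vg0-log /var/log ext3 rw,relatime 0 0
EOF
}

sample=$(mktemp)
sample_mounts > "$sample"
# /var/lib/postgresql is an assumed data directory; pass your own.
audit "$sample" /var/lib/postgresql || echo "layout needs attention"
rm -f "$sample"
```

On a live host, pass /proc/mounts as the table; a tmpfs (ramdisk) /tmp is checked the same way, since only the mount point and options are compared.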