Repartitioning Linux Servers

  • Server Security
  • Linux
  • CentOS
  • Server Management

Introduction

I recently found myself in need of a procedure to repartition a newly installed Linode server. The server was a fresh install of CentOS 7, with the default root and swap partitions. I had recently become aware of the possibility to set extra security options on partitions, and wanted to implement this while setting up a new server. I also wanted to contain disk usage for separate areas of the system.

So I found myself in a difficult situation. I wasn't clear on how to go about this, and didn't have a thorough understanding of how partitioning and mounting worked on Linux, particularly with it being integrated within Linode's setup. As it turned out, it was all very simple, but it took a bit of research to find that out. This article shares what I learned, including a simple procedure for mounting and defining your modified partitioning. If you just want the procedure, please go right to it or give the background a quick skim first.

Usage on Other Hosts

The majority of the procedure described here could be used with other hosts, and any part specific to Linode clearly references that. If you are repartitioning system directories, or other parts of the system which could be in use, you would need some way to access the server in single user mode, which means no SSH. Linode provide this through their Lish feature which offers console access, and that is what is used here.

You would also need to have a way to create the devices for assigning to the partitions. Linode provide this through their configuration manager. You could use utilities like fdisk and mkfs which are not covered here, or your host may provide options for this. It depends on your server setup. I use Linode so that is what is covered here. Please let us know how you get on in the comments, to help others and I will also consider adding more information to the article to cover other setups.

Background

There are two essential features of mounting partitions on Linux that are worth understanding: mounting filesystems, and defining them for the system to mount. It is worth understanding the system utility mount (and its companion umount) and fstab (the syntax of the /etc/fstab file). I strongly suggest you read at least the first part of the man pages for mount, umount and fstab to improve your understanding of how these features of the system operate. Here is the introduction to fstab from fstab(5):

The file fstab contains descriptive information about the various filesystems. fstab is only read by programs, and not written; it is the duty of the system administrator to properly create and maintain this file. Each filesystem is described on a separate line; fields on each line are separated by tabs or spaces. Lines starting with '#' are comments, blank lines are ignored. The order of records in fstab is important because fsck(8), mount(8), and umount(8) sequentially iterate through fstab doing their thing.

A fresh CentOS 7 install on Linode will have something like this as the default /etc/fstab file:

# /etc/fstab
# Created by anaconda on Thu Feb 2 14:49:35 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

/dev/sda    /        ext4    defaults 1 1
/dev/sdb    swap     swap    defaults 0 0

This defines a single root partition to contain everything, and a swap partition. This is not desirable. The reason is that there is no way to set different options for areas of the system that can benefit from them. The main benefits are security and containing expansion so one area of the system can't cause another to run out of disk space. You can find some links discussing options for this at the end of this article.

My chosen partitioning scheme, mostly for security on this web and email server, was to separate things out as follows:

/
/home
/var        nosuid
/var/log    nosuid,nodev,noexec
/var/www    nosuid,nodev
/tmp        nosuid,nodev,noexec
/var/tmp    nosuid,nodev,noexec

If you're wondering what "nosuid", "nodev" and "noexec" mean, then you didn't go and read the man pages for mount now, did you? Well here's what you missed:

nosuid

Do not allow set-user-identifier or set-group-identifier bits to take effect.

nodev

Do not interpret character or block special devices on the file system.

noexec

Do not allow direct execution of any binaries on the mounted filesystem. (Until recently it was possible to run binaries anyway using a command like /lib/ld*.so /mnt/binary. This trick fails since Linux 2.4.25 / 2.6.0.)

I also wanted to set some extra security on /dev/shm over and above the default provided by CentOS 7, and make /tmp and /var/tmp serve from the same partition. More on that later.

In other situations it would have been sensible for me to set nosuid and nodev on the /home partition, but in this case nobody will have access to log in to the server except technicians, so it is better to keep the home directories open.

If you want to see what is currently mounted, simply enter mount on the command line to get a full list. But you already knew that from reading the man page for mount.

Defining Linode Disk Partitions

In order to provide the disk partitions themselves, so they are available to be mounted, Linode provide a great system. It is simply a case of logging in to your Linode Manager and going to the dashboard for your Linode. You can define a configuration for your disk space and also reuse it on multiple servers. All of the details for that can be found in their article:

Disks and Configuration Profiles
https://www.linode.com/docs/...

Topics covered:

  • Getting Started
  • Finding Your Way Around
  • Disks
  • Creating a Disk with a Linux Distribution Installed
  • Creating a Blank Disk
  • Resizing a Disk
  • Duplicating a Disk
  • Removing a Disk
  • Configuration Profiles
  • Creating a Configuration Profile
  • Editing a Configuration Profile
  • Selecting and Using a Configuration Profile
  • Removing a Configuration Profile
  • Cloning Disks and Configuration Profiles
  • Potential Uses

Of particular interest for defining devices to mount is the section Creating a Configuration Profile, but you will need to create disks first in order to assign them within your configuration profile.

Securing the Temporary Filesystem

The temporary filesystem (tmpfs) on CentOS 7 is mounted with the nosuid and nodev options by default. The only world-writable area it is used for is /dev/shm. I wanted to add noexec to /dev/shm and also use all three options for /tmp and /var/tmp. Configuring /tmp and /var/tmp was simply a case of adding them to the list of partitions to be configured, with both served from the same partition, which can be done using the bind option provided by mount. Details for this soon. Securing /dev/shm is a slightly different case, since it uses the temporary filesystem, tmpfs, rather than a disk partition.

Although /dev/shm is not shown in the default /etc/fstab file, it is configured automatically anyway. So to change that configuration, it is simply a case of adding an entry with the options specified. All of the options have to be specified, not just the ones you want to add. Here is the entry I added to /etc/fstab to ensure all three options were in place:

tmpfs      /dev/shm      tmpfs      nosuid,nodev,noexec 0 0

With this in place, and of course after a reboot, executing the mount command in the shell clearly showed that /dev/shm now had all three options enabled. Great!

tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,noexec)
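The same check by eye works for the whole scheme, but it is easy to miss one. Here is an added checker script (not from the article) that compares each mount point in the scheme against the options it should have; it reads /proc/mounts, or a saved copy of it, and the sample data inside it is constructed rather than taken from a real server.

```shell
#!/bin/sh
# Added example, not from the article: check that every mount point in the
# scheme carries its required options, instead of reading mount output by eye.
# Usage: sh check_mounts.sh /proc/mounts   (the live system)
#        sh check_mounts.sh --sample       (the constructed sample below)
# Required options per mount point (the article's scheme), as mountpoint:opts
POLICY="/var:nosuid /var/log:nosuid,nodev,noexec /var/www:nosuid,nodev
/tmp:nosuid,nodev,noexec /var/tmp:nosuid,nodev,noexec /dev/shm:nosuid,nodev,noexec"

# Constructed sample in /proc/mounts format, not a real server's output:
# /var/www and /tmp are absent and /dev/shm lacks noexec, so there is something to report.
sample_mounts() {
  cat <<'EOF'
/dev/sda / ext4 rw,relatime,data=ordered 0 0
/dev/sde /var ext4 rw,nosuid,relatime,data=ordered 0 0
/dev/sdf /var/log ext4 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0
/dev/sdg /var/tmp ext4 rw,nosuid,nodev,noexec,relatime,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
EOF
}

# missing_opts MOUNTPOINT WANTED FILE: prints the wanted options that are absent
# (or "not mounted"); returns 0 only when nothing is missing. The last matching
# line wins, because a later mount on the same point hides an earlier one.
missing_opts() {
  have=$(awk -v mp="$1" '$2 == mp { o = $4 } END { print o }' "$3")
  [ -n "$have" ] || { echo "not mounted"; return 1; }
  missing=""
  for o in $(echo "$2" | tr ',' ' '); do
    case ",$have," in *",$o,"*) ;; *) missing="$missing $o" ;; esac
  done
  echo "${missing# }"
  [ -z "$missing" ] || return 1
}

# check_policy FILE: one line per mount point in POLICY; returns 1 on any gap
check_policy() {
  rc=0
  for entry in $POLICY; do
    mp=${entry%%:*}; want=${entry#*:}
    if m=$(missing_opts "$mp" "$want" "$1"); then echo "OK       $mp ($want)"
    else echo "MISSING  $mp: $m"; rc=1; fi
  done
  return $rc
}

case ${1:-} in
  --sample) f=$(mktemp); sample_mounts > "$f"; check_policy "$f"; rm -f "$f" ;;
  ?*)       check_policy "$1" ;;
esac
```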

New fstab Configuration

So my new configuration for /etc/fstab needed to look like this:

# /etc/fstab
# Created by anaconda on Thu Feb  2 14:49:35 2017
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info

/dev/sda    /           ext4    defaults 1 1
/dev/sdb    swap        swap    defaults 0 0
tmpfs       /dev/shm    tmpfs   nosuid,nodev,noexec 0 0
# suid and dev are allowed for /home because only
# technicians are allowed to log in to this server
/dev/sdc    /home       ext4    defaults 1 2
# /var comes before the partitions mounted beneath it, because fstab is
# processed in order and mounting /var last would hide /var/www, /var/log and /var/tmp
/dev/sde    /var        ext4    defaults,nosuid 1 2
/dev/sdd    /var/www    ext4    defaults,nosuid,nodev 1 2
/dev/sdf    /var/log    ext4    defaults,nosuid,noexec,nodev 1 2
/dev/sdg    /var/tmp    ext4    defaults,nosuid,nodev,noexec 1 2
# /tmp is bound to /var/tmp; a bind mount has no filesystem of its own
# to dump or fsck, so the last two fields are 0 0
/var/tmp    /tmp        none    bind 0 0

The first three entries we have already looked at. They are the two default entries and the configuration of the temporary filesystem for /dev/shm. The options for the root filesystem, and therefore anything not placed in its own partition, are left as the default with everything enabled. Anything that needs restricting must then be added below on its own partition.

The rest of the file contains the partition setup I intended to implement. It includes separate partitions for /home, /var/www, /var itself, /var/log and the two world-writable temporary directories /var/tmp and /tmp.

I wanted to use the same partition for the temporary directories, so I made use of the bind feature provided by mount. Here are the relevant details from the man pages for mount:

The bind mounts.
Since Linux 2.4.0 it is possible to remount part of the file hierarchy somewhere else. The call is
        mount --bind olddir newdir
or shortoption
        mount -B olddir newdir
or fstab entry is:
        /olddir /newdir none bind

After this call the same contents is accessible in two places.

...

Note that the filesystem mount options will remain the same as those on the original mount point.

Implementation Procedure

Now that we have been through all the preparation for implementing changes to the partitioning, and the partitions have been configured in the Linode manager, the procedure for carrying out the changes was as follows. I will give you the procedure first, and then explain the steps.

/dev/sdX is the block device configured for the partition.
/XXX is the directory to mount the partition on.

  1. init 1 (warning: access to the server will stop)
  2. Log in through Lish
  3. mv /XXX /XXX.old
  4. mkdir /XXX
  5. mount /dev/sdX /XXX
  6. cp -ax /XXX.old/* /XXX
  7. Add entry to /etc/fstab
  8. reboot

If you keep Lish open when you reboot, your connection to the server will remain open and the server boot process will be visible when it starts, allowing you to log in again once complete and issue init 1 from there.

Explanation of the Procedure

The first step is to drop the operating system to single user mode. This will stop all access to the server except through the console. This means you will no longer be able to access the server through SSH and will have to make use of the Linode Shell feature, called Lish, to access the server. This is only necessary for parts of the filesystem that already exist and are in use by the system. In my case, I only needed to do this for /var and /var/log. The other areas, /home, /var/www and the temporary directories were all empty and not in use (it being a fresh install), so they could be changed over without dropping to single user mode.

I recommend following the whole procedure through for one partition at a time, and checking each one carefully before moving on to the next. You can check the current situation by issuing a mount command to check all current mounts that are active, or I like to use df -h to see all filesystems including their mount points.

The procedure is simply to rename the existing directory to a new location (appending ".old"). Now create an empty copy of the directory ready to be mounted on. It needs to exist, and it needs to be empty, since anything in it would not be visible after the partition is mounted there. The partition is then mounted at its new location and the contents copied over to it (steps 3 to 6). Easy.

The permanent mounting is then done by adding the entry to the /etc/fstab file and rebooting (steps 7 and 8). When you are happy with it, you can delete the ".old" location.
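Steps 3 to 7 as a script, added here as an example rather than taken from the article: the device, directory and options in the final call are the ones from the fstab above, and the checks before the mv (device exists, no leftover ".old", not already a mount point) are additions of mine, as is copying with "/." so that dotfiles are not skipped.

```shell
#!/bin/sh
# Added example, not the article's own script: steps 3 to 7 for one directory,
# with the checks the procedure leaves to the operator. Run as root, in single
# user mode for a directory the system is using. DRY_RUN=1 (the default)
# prints the plan; DRY_RUN=0 executes it.
: "${DRY_RUN:=1}"

run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# fstab_line DEVICE DIR OPTIONS: the entry to append to /etc/fstab
# (ext4, dump on, fsck pass 2 because it is not the root filesystem)
fstab_line() {
  printf '%s    %s    ext4    %s 1 2\n' "$1" "$2" "$3"
}

# migrate_dir DEVICE DIR [EXTRA_OPTS], e.g. migrate_dir /dev/sdf /var/log nosuid,nodev,noexec
migrate_dir() {
  dev=$1; dir=$2; extra=${3:-}
  opts="defaults${extra:+,$extra}"
  if [ "$DRY_RUN" != 1 ]; then
    # Refuse to run twice, or against a device that is not there.
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    [ ! -e "$dir.old" ] || { echo "$dir.old already exists" >&2; return 1; }
    grep -qs " $dir " /proc/mounts && { echo "$dir is already mounted" >&2; return 1; }
  fi
  run mv "$dir" "$dir.old"            # step 3
  run mkdir "$dir"                    # step 4: the mount point must exist and be empty
  run mount -o "$opts" "$dev" "$dir"  # step 5, with the options the fstab entry will use
  # step 6: "$dir.old/." also copies dotfiles, which "$dir.old/*" would skip;
  # -a keeps ownership, modes, SELinux labels and symlinks, -x stays on one filesystem
  run cp -ax "$dir.old/." "$dir"
  # step 7: the permanent entry; reboot and check mount output before deleting $dir.old
  if [ "$DRY_RUN" = 1 ]; then
    echo "append to /etc/fstab: $(fstab_line "$dev" "$dir" "$opts")"
  else
    fstab_line "$dev" "$dir" "$opts" >> /etc/fstab
  fi
}

migrate_dir /dev/sdf /var/log nosuid,nodev,noexec
```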

Conclusion

And that's about it. I hope the information in the article is useful. If there is anything that is unclear, I would love to help and that will in turn help me to improve the article. Please use the comments form below, indicating if you would prefer the comment to be private, or use one of the other contact options available.

Updates

18 March 2017. A section was added to the introduction explaining how the procedure can be used on other hosts. An info box was added at the top drawing attention to the procedure for those in a hurry.

19 March 2017. Added info below the procedure, explaining that Lish can be kept open.

Disclaimer

The information in this article is provided "as is" and is not a substitute for your own competence. If you do not know what you are doing, and do not fully understand what the advice in this article is explaining and its implications, please do not make use of it without further research and training yourself, or seeking the help of a professional. The consequences of any actions you take, that are in any way informed by advice in this article, are your own to bear.

Professional Assistance

If you are in need of professional assistance to carry out a procedure similar to that outlined in this article, or have another system administration issue you need help with, please contact us and we will be happy to discuss options for assisting you.

Linode Referral

The links to Linode contained in this article include a referral code so that I will get some benefit if you should decide to sign up after using one of those links. Here is a referral link to the Linode homepage should you wish to use it.

Copyright and Republishing

This article is copyright Nigel Peck 2017. All rights reserved. Please contact us if you would like to republish this article, in whole or in part, and we will be happy to discuss options for that. Quoting from the article is permitted. Please provide a link back to the article, adjacent to the quote, and clearly indicate any modifications. Quoting anything more than two or three sentences should be discussed with us first.